discover-image: Follow symlinks in a given root#39843
Merged
yuwata merged 3 commits intosystemd:mainfrom Jan 30, 2026
Merged
Conversation
pothos
commented
Nov 21, 2025
pothos
commented
Dec 10, 2025
a756479 to
0fe08a8
Compare
Contributor
Author
|
This also changes the reported path in systemd-sysext list to be resolved. This is a change in behavior that I think makes sense because, e.g., for a sysupdate-managed "current" symlink this will then show which image version this is. But we could also change the image struct to have two have two paths, the real one which is resolved and the display ("entry"?) path which is the |
12643ff to
5a6cc4e
Compare
pothos
added a commit
to flatcar/scripts
that referenced
this pull request
Dec 16, 2025
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <kailuke@microsoft.com>
5a6cc4e to
620e8e8
Compare
pothos
added a commit
to flatcar/scripts
that referenced
this pull request
Dec 17, 2025
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <kailuke@microsoft.com>
pothos
added a commit
to flatcar/scripts
that referenced
this pull request
Dec 18, 2025
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <kailuke@microsoft.com>
pothos
added a commit
to flatcar/scripts
that referenced
this pull request
Dec 18, 2025
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <kailuke@microsoft.com>
620e8e8 to
51a1ab5
Compare
daandemeyer
requested changes
Dec 23, 2025
51a1ab5 to
557e97a
Compare
poettering
reviewed
Jan 16, 2026
poettering
reviewed
Jan 16, 2026
8f1e542 to
5dafa63
Compare
daandemeyer
reviewed
Jan 21, 2026
daandemeyer
reviewed
Jan 21, 2026
daandemeyer
reviewed
Jan 21, 2026
5dafa63 to
f40a4a9
Compare
daandemeyer
approved these changes
Jan 25, 2026
a03d8e6 to
90983a2
Compare
YHNdnzj
requested changes
Jan 25, 2026
| _cleanup_free_ char *search_path = NULL; | ||
|
|
||
| r = chase_and_opendir(*s, root, CHASE_PREFIX_ROOT, &resolved, &d); | ||
| r = chase_and_opendirat(rfd, *s, CHASE_AT_RESOLVE_IN_ROOT, &search_path, &d); |
Member
There was a problem hiding this comment.
hmm? are you sure this actually works? chaseat() needs to be invoked with a path under root. It won't prefix root automatically. only the symlinks are resolved under rootfd...
Collaborator
There was a problem hiding this comment.
chase() needs to be invoked with a path under root. chaseat() doesn't ;)
yuwata
approved these changes
Jan 28, 2026
Member
yuwata
left a comment
There was a problem hiding this comment.
LGTM.
(Still I'd like to drop unnecessary free, but OK.)
So far systemd-sysext with --root= specified didn't follow extension symlinks (such as the "current" symlinks managed by systemd-sysupdate). The main use case is running systemd-sysext --root=/sysroot for setting up the overlay mounts already from the initrd. Resolve symlinks correctly but don't defend against later symlink races that would access a path outside of the given root. Malicous live modifications are not a realistic threat model and anyway for that one would need to rework how the image entry is passed over up to the point when the loop device is set up. This change here does not introduce this weakness nor does it expose it more than before. Thus, make it explicit that setting up the extensions for a given --root= implies a certain trust into this given root tree that it does not try do race conditions with symlinks to trick systemd-sysext to mount a file outside --root=. Without a strict --image-policy= set we would anyway mount filesystems right away which is another attack vector but, again, the main use case is to do this for the final system which is trusted at this stage.
For the extension release check the image name is needed and was derived from the backing file of the loop device. However, this can have a different name when symlinks were resolved. The surprising behavior was that it worked when the target name started with the extension name and _ because that's what's supported to chop off version suffixes. However, we should not have such strict requirements for the target name and also allow - as version separator and entirely different names/prefixes, the same way as we also do for directories instead of raw images. Do not use the image name derived from the backing file of the loop device but directly the extension name we have at hand.
When we now allow following symlinks inside a --root= we should also test that it works in various cases from simple relative and absolute symlinks to .v being a symlink itself or its contents, both for directory and for .raw image extensions. While at it, also add a simple test for .v without symlinks which wasn't there for direct usage of systemd-sysext.
90983a2 to
da6d189
Compare
Contributor
Author
|
Thanks everybody :) |
pothos
added a commit
to flatcar/scripts
that referenced
this pull request
Feb 2, 2026
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <kailuke@microsoft.com>
pothos
added a commit
to flatcar/scripts
that referenced
this pull request
Feb 28, 2026
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <kailuke@microsoft.com>
pothos
added a commit
to flatcar/scripts
that referenced
this pull request
Feb 28, 2026
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <kailuke@microsoft.com>
pothos
added a commit
to flatcar/scripts
that referenced
this pull request
Mar 3, 2026
For A/B-updated /etc contents we used a custom overlay mount that provides the default files through a lowerdir loaded from /usr. Since then we upstreamed mutable systemd-confext support and now we can switch to it. This pulls in flatcar/init#138 and flatcar/bootengine#115 together with backported systemd patches that have opened or merged upstream PRs to fix --root= issues and add a refresh skip check to prevent boot disruptions due to the multiple daemon reloads and - more important - the missing atomic remount that would mean /etc is gone for a few milliseconds during boot. The skip logic works best with verity hashes and thus the default confext must be a verity extension image. User-provided confext don't work well yet unless they use verity due to the missing atomic remount and reliance on the skipping logic. We also need to look into stacking order and other mutabiliy settings. The backported systemd patches relate to the following upstream PRs: systemd/systemd#39843 for vpick-Don-t-use-openat-directly-but-resolve-symlinks discover-image-Follow-symlinks-in-a-given-root sysext-Use-correct-image-name-for-extension-release test-Add-tests-for-handling-symlinks-with-systemd-sy Note that the patch in the PR relies on 0859fe3f32774f1e0c787974cc252ff922a1b868 but the backport patch not. systemd/systemd#39980 for sysext-Create-mutable-directory-with-the-right-mode sysext-Skip-refresh-if-no-changes-are-found systemd/systemd#39991 for sysext-Get-verity-user-certs-from-given-root systemd/systemd#40063 for sysext-Fix-config-file-support-with-root which relies on systemd/systemd#38250 for man-sysext.conf-add-systemd-sysext-config-files sysext-introduce-global-config-file sysext-support-ImagePolicy-global-config-option Signed-off-by: Kai Lueke <kailuke@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is needed to set up extension images from the initrd with
systemd-sysext --root=/sysroot/ merge.vpick: Don't use openat directly but resolve symlinks in given root
With systemd-sysext --root= all symlinks should be followed relative to
the given root and direct openat usage doesn't work.
Remove the openat call and let pin_choice do the work with the chase
helper function to resolve the symlink in the given root.
discover-image: Follow symlinks in a given root
So far systemd-sysext with --root= specified didn't follow extension
symlinks (such as the "current" symlinks managed by systemd-sysupdate).
The main use case is running systemd-sysext --root=/sysroot for setting
up the overlay mounts already from the initrd.
Resolve symlinks correctly but don't defend against later symlink races
that would access a path outside of the given root. Malicous live
modifications are not a realistic threat model and anyway for that one
would need to rework how the image entry is passed over up to the point
when the loop device is set up. This change here does not introduce this
weakness nor does it expose it more than before. Thus, make it explicit
that setting up the extensions for a given --root= implies a certain
trust into this given root tree that it does not try do race conditions
with symlinks to trick systemd-sysext to mount a file outside --root=.
Without a strict --image-policy= set we would anyway mount filesystems
right away which is another attack vector but, again, the main use case
is to do this for the final system which is trusted at this stage.
sysext: Use correct image name for extension release checks
For the extension release check the image name is needed and was derived
from the backing file of the loop device. However, this can have a
different name when symlinks were resolved. The surprising behavior was
that it worked when the target name started with the extension name and
_ because that's what's supported to chop off version suffixes. However,
we should not have such strict requirements for the target name and also
allow - as version separator and entirely different names/prefixes, the
same way as we also do for directories instead of raw images.
Do not use the image name derived from the backing file of the loop
device but directly the extension name we have at hand.
test: Add tests for handling symlinks with systemd-sysext
When we now allow following symlinks inside a --root= we should also
test that it works in various cases from simple relative and absolute
symlinks to .v being a symlink itself or its contents, both for
directory and for .raw image extensions. While at it, also add a simple
test for .v without symlinks which wasn't there for direct usage of
systemd-sysext.