Hi,
while playing with soft-reboot and services surviving this:
A standard service file works, but if I use a service template (e.g.
test@.service), the service gets stopped during soft-reboot.
Reason is:
-Slice=system.slice
+Slice=system-test.slice
Is it somehow possible, that also "test@.serv
Hey all,
testing a bit the systemd-sysext with verity+signature, running a sample
like this:
systemd-repart -S -s extension/ /run/extensions/k3sv1.30.0+k3s1.sysext.raw
--private-key=db.key --certificate=db.pem
This generates a nice sysextension with verity and signed! (Nice work there
BTW, its d
Hello. I have tried with headless=yes. The issue with this is that
systemd-cryptsetup ends, so I can not provide the password for decryption
through socket provided in /run/systemd/ask-password/sck.numbers
I miss an option where systemd-cryptsetup is executed headless, but
continues running, witho
On Wed, 5 Jun 2024 at 14:45, Thorsten Kukuk wrote:
>
> Hi,
>
> while playing with soft-reboot and services surviving this:
> A standard service file works, but if I use a service template (e.g.
> test@.service), the service gets stopped during soft-reboot.
> Reason is:
> -Slice=system.slice
> +S
On Wed, 5 Jun 2024 at 15:15, Itxaka Serrano Garcia
wrote:
>
> Hey all,
>
> testing a bit the systemd-sysext with verity+signature, running a sample like
> this:
>
> systemd-repart -S -s extension/ /run/extensions/k3sv1.30.0+k3s1.sysext.raw
> --private-key=db.key --certificate=db.pem
>
> This gen
Ooh I see.
Thanks for the heads up, I'll have a look to see which upstream kernels
have this enabled as we are using upstream kernels directly.
In the meantime it's trivial to extract the certs ourselves so it still
works as expected :)
Thanks Luca! I'll write an extra thread now with some more
Hello again!
A few sysext questions that have arisen from our testing
- image policy is configurable but is there a single config file where
we can put that so it's used system wide? For example to only allow
verity+signed? Service override?
- I can't see anything preventing a manual call to
> The kernel needs to be built with some non-default kconfigs, so if
> it's a custom build or distro check that those are all enabled, they
> are listed here:
>
> https://github.com/systemd/systemd/blob/main/README#L131
Just for posterity, here is the permalink:
https://github.com/systemd/systemd/