author: Luca Boccassi <luca.boccassi@microsoft.com> 2021-02-22 12:20:33 +0000
committer: Luca Boccassi <luca.boccassi@microsoft.com> 2021-02-23 15:34:46 +0000
commit: 93f597013a82298c5922f2f06de98be22b635e7b (patch)
tree: 963d5f91e083841912ab1a9eba67a96acbd81951 /man/systemd.exec.xml
parent: 82fb2da21347b750b3de53cde588ee1189f7acb7 (diff)
download: systemd-93f597013a82298c5922f2f06de98be22b635e7b.tar.gz
Add ExtensionImages directive to form overlays
Add support for overlaying images for services on top of their root fs, using a read-only overlay.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r-- man/systemd.exec.xml | 42
1 files changed, 42 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 1ebce6188e..bac8f9cdff 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -433,6 +433,48 @@
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>ExtensionImages=</varname></term>
+
+ <listitem><para>This setting is similar to <varname>MountImages=</varname> in that it mounts a file
+ system hierarchy from a block device node or loopback file, but instead of providing a destination path,
+ an overlay will be set up. This option expects a whitespace separated list of mount definitions. Each
+ definition consists of a source path, optionally followed by a colon and a list of mount options.</para>
+
+ <para>A read-only OverlayFS will be set up on top of <filename>/usr/</filename> and
+ <filename>/opt/</filename> hierarchies from the root. The order in which the images are listed
+ will determine the order in which the overlay is laid down: images specified first to last will result
+ in overlayfs layers bottom to top.</para>
+
+ <para>Mount options may be defined as a single comma-separated list of options, in which case they
+ will be implicitly applied to the root partition on the image, or a series of colon-separated tuples
+ of partition name and mount options. Valid partition names and mount options are the same as for
+ <varname>RootImageOptions=</varname> setting described above.</para>
+
+ <para>Each mount definition may be prefixed with <literal>-</literal>, in which case it will be
+ ignored when its source path does not exist. The source argument is a path to a block device node or
+ regular file. If the source path contains a <literal>:</literal>, it needs to be escaped as
+ <literal>\:</literal>. The device node or file system image file needs to follow the same rules as
+ specified for <varname>RootImage=</varname>. Any mounts created with this option are specific to the
+ unit, and are not visible in the host's mount table.</para>
+
+ <para>These settings may be used more than once, each usage appends to the unit's list of image
+ paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
+ reset.</para>
+
+ <para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or
+ <literal>strict</literal>, or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is
+ set, then this setting adds <filename>/dev/loop-control</filename> with <constant>rw</constant> mode,
+ <literal>block-loop</literal> and <literal>block-blkext</literal> with <constant>rwm</constant> mode
+ to <varname>DeviceAllow=</varname>. See
+ <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>. Also, see
+ <varname>PrivateDevices=</varname> below, as it may change the setting of
+ <varname>DevicePolicy=</varname>.</para>
+
+ <xi:include href="system-only.xml" xpointer="singular"/></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
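Review bot: the paragraph beginning "These settings may be used more than once" documents a single setting and mixes its terms: it says each use appends to the unit's list of "image paths" but that an empty assignment resets the list of "mount paths". Suggest "This setting may be used more than once, each usage appends to the unit's list of image paths. If the empty string is assigned, the entire list of image paths defined prior to this is reset." It would also help to say how the per-image mount options relate to the read-only overlay described two paragraphs earlier, since the text says the valid options are the same as for RootImageOptions= while the overlay itself is always read-only.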