From 9c0c670125ff065c22c12bb82f1f20c7b2c8c46d Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Tue, 6 Jun 2023 17:44:09 +0200
Subject: core: Add RootEphemeral= setting

This setting allows services to run in an ephemeral copy of the root
directory or root image. To make sure the ephemeral copies are always
cleaned up, we add a tmpfiles snippet to unconditionally clean up
/var/lib/systemd/ephemeral. To prevent in use ephemeral copies from
being cleaned up by tmpfiles, we use the newly added COPY_LOCK_BSD
and BTRFS_SNAPSHOT_LOCK_BSD flags to take a BSD lock on the ephemeral
copies which instruct tmpfiles to not touch those ephemeral copies as
long as the BSD lock is held.
---
 tmpfiles.d/systemd.conf.in | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'tmpfiles.d')

diff --git a/tmpfiles.d/systemd.conf.in b/tmpfiles.d/systemd.conf.in
index fa838d8d06..3781c579e0 100644
--- a/tmpfiles.d/systemd.conf.in
+++ b/tmpfiles.d/systemd.conf.in
@@ -60,6 +60,10 @@ a+ /var/log/journal/%m/system.journal - - - - group:wheel:r--
 
 d /var/lib/systemd 0755 root root -
 d /var/lib/systemd/coredump 0755 root root 3d
+# Files and directories in /var/lib/systemd/ephemeral-trees are locked by pid 1 to prevent tmpfiles from
+# removing them, and tmpfiles is told to clean up anything in /var/lib/systemd/ephemeral-trees that isn't
+# locked unconditionally.
+d /var/lib/systemd/ephemeral-trees 0755 root root 0
 
 d /var/lib/private 0700 root root -
 d /var/log/private 0700 root root -
-- 
cgit v1.2.3