Version 248 of systemd, a widely used system and service manager for Linux, adds a feature called system extension images, designed to allow system files to be added, or appear to be added, even on read-only file systems.
As developer Lennart Poettering explained: "When a system extension image is activated, its /usr/ and /opt/ hierarchies and os-release information are combined via overlayfs with the file system hierarchy of the host OS."
The primary use case for system extension images is for immutable operating systems like Red Hat's Silverblue and Kinoite. In these OSes, the file system is read-only and is updated by replacing it with a new image rather than being patched, which is better both for security and stability.
This approach does cause compatibility issues for applications that need updated system files, and is difficult for developers who need more flexibility. Typically, these problems are overcome by running virtual machines or containers, but system extension images let users and developers update or add system files without actually modifying the immutable file system. Developers could add debugging tools, or install a newly compiled build including system files.
"System extension images should not be misunderstood as a generic software packaging framework, as no dependency scheme is available: system extensions should carry all files they need themselves, except for those already shipped in the underlying host system image.
"Typically, system extension images are built at the same time as the base OS image – within the same build system," say the docs. System extension images may be provided as plain directories or as disk images, activated or deactivated with the systemd-sysext command.
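Because an extension overlays /usr/ and /opt/ on an otherwise immutable system, it is worth reviewing what a plain-directory extension would change before activating it. The following is an added example, not code from systemd or from the article; the function names and the sample trees are constructed, and it assumes that a file in the extension takes precedence over the host's file at the same path in the overlay.

```python
import os
import tempfile

MERGED = ("usr", "opt")  # hierarchies the article says are overlaid


def review_extension(ext_root, host_root="/"):
    """Classify every file in a plain-directory extension tree.

    Returns a dict with three sorted lists of paths relative to the root:
      shadows - path already exists on the host (assumed: extension copy wins)
      adds    - new path under /usr or /opt
      ignored - outside /usr and /opt, so not part of the merge
    """
    report = {"shadows": [], "adds": [], "ignored": []}
    for dirpath, _dirs, files in os.walk(ext_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), ext_root)
            top = rel.split(os.sep, 1)[0]
            if top not in MERGED:
                report["ignored"].append(rel)
            elif os.path.lexists(os.path.join(host_root, rel)):
                report["shadows"].append(rel)
            else:
                report["adds"].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}


def _touch(root, rel):
    """Create an empty file at root/rel, making parent directories."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def demo():
    """Build a constructed host tree and extension tree, then review them."""
    with tempfile.TemporaryDirectory() as tmp:
        host, ext = os.path.join(tmp, "host"), os.path.join(tmp, "ext")
        for rel in ("usr/bin/sudo", "usr/lib/os-release"):
            _touch(host, rel)
        for rel in ("usr/bin/sudo", "usr/bin/gdb", "opt/tool/run", "etc/motd"):
            _touch(ext, rel)
        return review_extension(ext, host)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Entries under "shadows" deserve the closest look, since they replace files the base image shipped.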
Poettering lists other new features in his post. There is a new configuration file, /etc/veritytab, for configuring dm-verity, which cryptographically checks the integrity of block devices, as well as a new kernel command-line option, systemd.verity.root_options.
There are also improvements to systemd-oomd, designed to take corrective action when free memory is running very low. There is "a new DefaultMemoryPressureDurationSec= setting to configure the time a unit's cgroup needs to exceed memory pressure limits before action will be taken," said Poettering, adding: "systemd-oomd is now considered fully supported (the usual backwards-compatibility promises apply)."
New releases of systemd appear around every four months, the previous one being in November 2020. ®