On 05/11/2022 10:36, Mantas Mikulėnas wrote:
> On Sat, Nov 5, 2022 at 12:06 PM TJ <systemd@xxxxxx> wrote:
>> Just seen this announcement in the v252 changelog: "We intend to remove support for split-usr (/usr mounted separately during boot) ..."
>>
>> How does this align with support for separate /usr/ with dm-verity ? For example, this will affect nspawn. See "man 1 systemd-nspawn" and "--root-hash=" where in respect of /usr/ it says:
>>
>> "Note that this configures the root hash for the root file system. Disk images may also contain separate file systems for the /usr/ hierarchy, which may be Verity protected as well. The root hash for this protection may be configured via the "user.verity.usrhash" extended file attribute or via a .usrhash file adjacent to the disk image, following the same format and logic as for the root hash for the root file system described here."
>
> /usr can remain on a separate partition as long as it's mounted *by the initrd* (the same way initrd currently mounts your rootfs), so that by the time systemd starts it already has the full filesystem.
How does this work when systemd is used inside the initrd, as "recommended" / discussed at, for example "Using systemd inside an initrd" :
https://systemd.io/INITRD_INTERFACE/
> What's finally being removed is support for having the rootfs itself mount /usr halfway through, which requires many things that normally are on /usr/lib to be split between it and /lib instead (such as on Debian). Using the initrd to mount /usr isn't new. <https://web.archive.org/web/20150906203654if_/https://www.gentoo.org/support/news-items/2013-09-27-initramfs-required.html>
Does it also affect the command-line options "mount.usr=, mount.usrfstype=, mount.usrflags=, usrhash=, systemd.verity_usr_data=, systemd.verity_usr_hash=, systemd.verity_usr_options=" as per "man 7 kernel-command-line" ?
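The following is an added illustration for readers of this thread, not code from systemd or from either poster: it shows how an initrd consumes the usrhash=, systemd.verity_usr_data=, systemd.verity_usr_hash=, mount.usr=, mount.usrfstype= and mount.usrflags= options listed above to assemble a dm-verity protected /usr under /sysroot before the switch to the real root, which is the "mounted by the initrd" model Mantas describes. In systemd this job belongs to systemd-veritysetup-generator and systemd-fstab-generator; the script below only prints the equivalent veritysetup/mount commands as a dry run so it can be read and tested without block devices. The mount point /sysroot/usr, the mapping name "usr", the sample command line and the assumption that the GPT partition-UUID fallback documented for roothash= applies unchanged to usrhash= are all choices made for this example.

```shell
#!/bin/sh
# Added illustration, not systemd's own code: derive the commands an initrd
# would run for a verity-protected /usr from kernel command-line words.
# Device paths, mount point and the GPT-UUID fallback are assumptions.

# Print the value of "key=value" among the command-line words given as
# arguments; prints nothing (and still succeeds) if the key is absent.
cmdline_get() {
    key=$1; shift
    for word in "$@"; do
        case $word in
            "$key="*) printf '%s\n' "${word#"$key="}"; return 0 ;;
        esac
    done
    return 0
}

# Format 32 hex digits as a GPT partition UUID (8-4-4-4-12).
hex_to_uuid() {
    h=$1
    printf '%s-%s-%s-%s-%s\n' \
        "$(printf %s "$h" | cut -c1-8)"   "$(printf %s "$h" | cut -c9-12)" \
        "$(printf %s "$h" | cut -c13-16)" "$(printf %s "$h" | cut -c17-20)" \
        "$(printf %s "$h" | cut -c21-32)"
}

# Accept only a 64-character lowercase hex SHA-256 root hash; anything else
# must not reach veritysetup as a trusted root hash.
valid_roothash() {
    [ ${#1} -eq 64 ] || return 1
    case $1 in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# Print the veritysetup command for /usr, or nothing if usrhash= is absent.
# Without explicit data/hash devices, fall back to the partitions whose GPT
# UUIDs are the first and last 128 bits of the root hash (the derivation
# systemd documents for roothash=; assumed here to apply to usrhash= too).
usr_verity_command() {
    usrhash=$(cmdline_get usrhash "$@")
    [ -n "$usrhash" ] || return 0
    valid_roothash "$usrhash" || { echo "usrhash= is not a SHA-256 hex digest" >&2; return 1; }
    data=$(cmdline_get systemd.verity_usr_data "$@")
    hash=$(cmdline_get systemd.verity_usr_hash "$@")
    [ -n "$data" ] || data=/dev/disk/by-partuuid/$(hex_to_uuid "$(printf %s "$usrhash" | cut -c1-32)")
    [ -n "$hash" ] || hash=/dev/disk/by-partuuid/$(hex_to_uuid "$(printf %s "$usrhash" | cut -c33-64)")
    printf 'veritysetup open %s usr %s %s\n' "$data" "$hash" "$usrhash"
}

# Print the mount command that places /usr under the not-yet-switched root.
# With usrhash= the source is the verity mapping; otherwise it is whatever
# mount.usr= names. Returns 1 if neither is configured.
usr_mount_command() {
    src=$(cmdline_get mount.usr "$@")
    if [ -n "$(cmdline_get usrhash "$@")" ]; then
        src=/dev/mapper/usr
    fi
    [ -n "$src" ] || return 1
    fstype=$(cmdline_get mount.usrfstype "$@"); : "${fstype:=auto}"
    flags=$(cmdline_get mount.usrflags "$@");   : "${flags:=ro}"
    printf 'mount -t %s -o %s %s /sysroot/usr\n' "$fstype" "$flags" "$src"
}

# Stand-alone usage: "sh this.sh --demo" runs the plan against a constructed
# command line (not a real system's /proc/cmdline).
if [ "${1:-}" = "--demo" ]; then
    set -- root=/dev/vda2 \
        usrhash=0123456789abcdef0123456789abcdefffeeddccbbaa99887766554433221100 \
        mount.usrfstype=erofs
    usr_verity_command "$@"
    usr_mount_command "$@"
fi
```

The order matters for the point made in the thread: veritysetup opens the mapping and the mount lands under /sysroot/usr while the initrd is still in control, so by the time the real root's systemd starts there is nothing left for it to mount halfway through. A malformed or missing usrhash= is refused rather than silently falling back to an unverified /usr.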