systemd: Add condition to only run on ostree systems #1319
Conversation
Add ConditionKernelCommandLine=ostree to prevent zincati from running on systems that aren't using ostree, where the update agent wouldn't be applicable. This is motivated by having the service not run in `bcvk ephemeral` as well as `podman run /sbin/init`. Signed-off-by: Colin Walters <[email protected]>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds a systemd condition to ensure the Zincati agent only runs on ostree-based systems, using ConditionKernelCommandLine=ostree. My review points out that this approach can cause issues in containerized environments on an ostree host. I've suggested using ConditionPathExists=/ostree/repo instead, as it's a more robust and standard method for this check, aligning with other core ostree services.
| # This ensures compatibility with `bcvk ephemeral` today; compatibility | ||
| # with a bootc+composefs future is still TBD. | ||
| ConditionKernelCommandLine=ostree |
There was a problem hiding this comment.
Using ConditionKernelCommandLine=ostree to detect an ostree-based system might not be the most robust method. A key issue is that when running in a container on an ostree host (e.g. via podman run /sbin/init), this condition will be met because it reads the host's kernel command line. This could lead to the agent unexpectedly running inside the container, which is likely not the desired behavior.
A more standard and reliable way to check for an ostree system is ConditionPathExists=/ostree/repo. This is the approach used by other core ostree services like rpm-ostreed.service. It would correctly identify the environment and avoid running inside a container unless the ostree repository is explicitly available.
For better robustness, I recommend using this condition instead.
ConditionPathExists=/ostree/repo
There was a problem hiding this comment.
Hah, wow it's right. docker/podman not masking the kernel commandline is really a giant footgun in all of this (unlike LXC among others IIRC).
But this isn't a new problem, and really wants a nicer system in general.
A more standard and reliable way to check for an ostree system is ConditionPathExists=/ostree/repo.
Yeah, though in some corner cases this will be wrong, such as having co-installed bootc/ostree alongside a package system and doing a rollback.
I guess we probably do need a consistent /run/bootc-booted or so that's always set even in the bootc+composefs case.
There was a problem hiding this comment.
Is there a consensus on the path forward?
There was a problem hiding this comment.
Merge this as is and we'll come back to the composefs problem later.
There was a problem hiding this comment.
specifically for podman run /sbin/init (not sure about bcvk) would ConditionVirtualization=!container work?
2 participants
Add ConditionKernelCommandLine=ostree to prevent zincati from running on systems that aren't using ostree, where the update agent wouldn't be applicable.
This is motivated by having the service not run in
bcvk ephemeralas well aspodman run /sbin/init.