From 4a05d7ed72be443c40d5bf9a21bc4352c0d7fbb5 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 16 Jun 2021 12:00:34 +0200
Subject: [PATCH] unit: add units for new "systemd-sysupdate" tool

These unit (if enabled) will try to update the OS in regular intervals. Moreover, every day in the early morning this will attempt to reboot the system if there's a newer version installed than running.
---
 units/meson.build | 4 +++
 units/systemd-sysupdate-reboot.service.in | 20 +++++++++++++
 units/systemd-sysupdate-reboot.timer | 20 +++++++++++++
 units/systemd-sysupdate.service.in | 34 +++++++++++++++++++++++
 units/systemd-sysupdate.timer | 30 ++++++++++++++++++++
 5 files changed, 108 insertions(+)
 create mode 100644 units/systemd-sysupdate-reboot.service.in
 create mode 100644 units/systemd-sysupdate-reboot.timer
 create mode 100644 units/systemd-sysupdate.service.in
 create mode 100644 units/systemd-sysupdate.timer

diff --git a/units/meson.build b/units/meson.build
index 2bb0a8e845d..8a3bd0da512 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -140,6 +140,8 @@ units = [
 ['systemd-reboot.service', ''],
 ['systemd-rfkill.socket', 'ENABLE_RFKILL'],
 ['systemd-sysext.service', 'ENABLE_SYSEXT'],
+ ['systemd-sysupdate.timer', 'ENABLE_SYSUPDATE'],
+ ['systemd-sysupdate-reboot.timer', 'ENABLE_SYSUPDATE'],
 ['systemd-sysusers.service', 'ENABLE_SYSUSERS', 'sysinit.target.wants/'],
 ['systemd-tmpfiles-clean.service', 'ENABLE_TMPFILES'],
@@ -236,6 +238,8 @@ in_units = [
 ['systemd-suspend.service', ''],
 ['systemd-sysctl.service', '', 'sysinit.target.wants/'],
+ ['systemd-sysupdate.service', 'ENABLE_SYSUPDATE'],
+ ['systemd-sysupdate-reboot.service', 'ENABLE_SYSUPDATE'],
 ['systemd-timedated.service', 'ENABLE_TIMEDATED', 'dbus-org.freedesktop.timedate1.service'],
 ['systemd-timesyncd.service', 'ENABLE_TIMESYNCD'],
diff --git a/units/systemd-sysupdate-reboot.service.in b/units/systemd-sysupdate-reboot.service.in
new file mode 100644
index 00000000000..9d7b7d1657a
--- /dev/null
+++ b/units/systemd-sysupdate-reboot.service.in
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Reboot Automatically After System Update
+Documentation=man:systemd-sysupdate-reboot.service(8)
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sysupdate reboot
+
+[Install]
+Also=systemd-sysupdate-reboot.timer
diff --git a/units/systemd-sysupdate-reboot.timer b/units/systemd-sysupdate-reboot.timer
new file mode 100644
index 00000000000..95a44bfea7e
--- /dev/null
+++ b/units/systemd-sysupdate-reboot.timer
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Reboot Automatically After System Update
+Documentation=man:systemd-sysupdate-reboot.service(8)
+ConditionVirtualization=!container
+
+[Timer]
+OnCalendar=4:10
+RandomizedDelaySec=30min
+
+[Install]
+WantedBy=timers.target
diff --git a/units/systemd-sysupdate.service.in b/units/systemd-sysupdate.service.in
new file mode 100644
index 00000000000..085a9c4a22c
--- /dev/null
+++ b/units/systemd-sysupdate.service.in
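Review bot: systemd-sysupdate-reboot.service runs `systemd-sysupdate reboot` as root with no sandboxing at all, whereas the sibling systemd-sysupdate.service in this same patch sets a capability bounding set, a syscall filter and several Protect*/Restrict* directives. What the reboot verb needs is not visible here, but per the commit message its job is only to compare the installed version with the running one and request a reboot, which should tolerate at least `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes` plus a `CapabilityBoundingSet=` trimmed to what that comparison and the reboot request require — confirm against a real run. Nothing in either unit orders or serializes this reboot against an in-progress systemd-sysupdate.service run; if the reboot verb does not itself refuse to reboot while an update is being written, that should be stated in a comment here and enforced.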
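Review bot: `OnCalendar=4:10` and `RandomizedDelaySec=30min` carry no comment, although systemd-sysupdate.timer in the same patch explains its schedule; add above `OnCalendar=4:10`: `# Once a day at 04:10 local time (plus up to 30min of jitter) check whether a newer version is installed than is running, and reboot if so.` Since `Persistent=` is not set, a day on which the machine is off at that hour is simply skipped; if that is intended it is worth saying so in the same comment, and if not, `Persistent=yes` would run the missed check on the next boot. The jitter is sensible for fleets, but note that 4:10 is wall-clock local time, so a timezone change moves the reboot window.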
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Automatic System Update
+Documentation=man:systemd-sysupdate.service(8)
+Wants=network-online.target
+After=network-online.target
+ConditionVirtualization=!container
+
+[Service]
+Type=simple
+NotifyAccess=main
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sysupdate update
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=yes
+ProtectHostname=yes
+RestrictRealtime=yes
+RestrictNamespaces=net
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=@system-service @mount
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+
+[Install]
+Also=systemd-sysupdate.timer
diff --git a/units/systemd-sysupdate.timer b/units/systemd-sysupdate.timer
new file mode 100644
index 00000000000..d998765e21f
--- /dev/null
+++ b/units/systemd-sysupdate.timer
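Review bot: The sandbox in `[Service]` leaves several cheap hardening knobs unset that an updater writing partitions and files normally tolerates: nothing sets `ProtectKernelTunables=`, `ProtectKernelModules=`, `ProtectKernelLogs=`, `ProtectControlGroups=`, `ProtectClock=`, `RestrictSUIDSGID=` or `ProtectHome=`, so the process keeps `CAP_SYS_ADMIN` together with a writable view of `/proc/sys`, cgroupfs and home directories. Which of these the `update` verb actually tolerates is not visible from the unit alone (it clearly needs block-device and mount access, hence `@mount` and `CAP_MKNOD`), so each should be validated against a real update run rather than added blindly. Separately, `Type=simple` with `NotifyAccess=main` completes the start job as soon as the binary is exec'd; for a timer-driven, finite job `Type=oneshot` keeps the job pending until the update finishes so that a failed run is visible to whoever started it — confirm that the `update` verb has no reason to stay running.
```ini
[Service]
# … unchanged: Type=, NotifyAccess=, ExecStart=, CapabilityBoundingSet=, NoNewPrivileges= …
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
RestrictSUIDSGID=yes
# … unchanged: MemoryDenyWriteExecute= through LockPersonality= …
```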
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Automatic System Update
+Documentation=man:systemd-sysupdate.service(8)
+
+# For containers we assume that the manager will handle updates. And we likely
+# can't even access our backing block device anyway.
+ConditionVirtualization=!container
+
+[Timer]
+# Trigger the update 15min after boot, and then – on average – every 6h, but
+# randomly distributed in a 2h…6h interval. In addition trigger things
+# persistently once on each saturday, to ensure that even on systems that are
+# never booted up for long we have a chance to to do the update.
+OnBootSec=15min
+OnUnitActiveSec=2h
+OnCalendar=Sat
+RandomizedDelaySec=4h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
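Review bot: The `[Timer]` comment misstates the cadence: `OnUnitActiveSec=2h` plus `RandomizedDelaySec=4h` fires between 2h and 6h after the previous activation, i.e. every 4h on average, not "every 6h". Rewrite the first two comment lines as `# Trigger the update 15min after boot, and then – on average – every 4h, randomly` / `# distributed in a 2h…6h interval after the previous run.`; the same paragraph also has "to to" and "saturday" for "Saturday". The comment should also say that `Persistent=yes` applies only to the `OnCalendar=Sat` trigger (the monotonic `OnBootSec=`/`OnUnitActiveSec=` triggers are never persisted), so the weekly run is the only one that catches up after downtime. Note too that `RandomizedDelaySec=4h` applies to every trigger of this timer, including `OnBootSec=15min`, so the first update after boot may actually land anywhere up to 4h15min after boot.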