unit: add units for new "systemd-sysupdate" tool

These unit (if enabled) will try to update the OS in regular intervals. Moreover, every day in the early morning this will attempt to reboot the system if there's a newer version installed than running.
2024-11-23 02:03:37 +08:00 · 2021-06-16 12:00:34 +02:00 · 2021-06-16 12:00:34 +02:00 · 4a05d7ed72
commit 4a05d7ed72
parent 43cc7a3ef4
5 changed files with 108 additions and 0 deletions
--- a/units/meson.build
+++ b/units/meson.build
@ -140,6 +140,8 @@ units = [
        ['systemd-reboot.service',              ''],
        ['systemd-rfkill.socket',               'ENABLE_RFKILL'],
        ['systemd-sysext.service',              'ENABLE_SYSEXT'],
+        ['systemd-sysupdate.timer',             'ENABLE_SYSUPDATE'],
+        ['systemd-sysupdate-reboot.timer',      'ENABLE_SYSUPDATE'],
        ['systemd-sysusers.service',            'ENABLE_SYSUSERS',
         'sysinit.target.wants/'],
        ['systemd-tmpfiles-clean.service',      'ENABLE_TMPFILES'],
@ -236,6 +238,8 @@ in_units = [
        ['systemd-suspend.service',              ''],
        ['systemd-sysctl.service',               '',
         'sysinit.target.wants/'],
+        ['systemd-sysupdate.service',            'ENABLE_SYSUPDATE'],
+        ['systemd-sysupdate-reboot.service',     'ENABLE_SYSUPDATE'],
        ['systemd-timedated.service',            'ENABLE_TIMEDATED',
         'dbus-org.freedesktop.timedate1.service'],
        ['systemd-timesyncd.service',            'ENABLE_TIMESYNCD'],
--- a/units/systemd-sysupdate-reboot.service.in
+++ b/units/systemd-sysupdate-reboot.service.in
@ -0,0 +1,20 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Reboot Automatically After System Update
+Documentation=man:systemd-sysupdate-reboot.service(8)
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sysupdate reboot
+
+[Install]
+Also=systemd-sysupdate-reboot.timer
--- a/units/systemd-sysupdate-reboot.timer
+++ b/units/systemd-sysupdate-reboot.timer
@ -0,0 +1,20 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Reboot Automatically After System Update
+Documentation=man:systemd-sysupdate-reboot.service(8)
+ConditionVirtualization=!container
+
+[Timer]
+OnCalendar=4:10
+RandomizedDelaySec=30min
+
+[Install]
+WantedBy=timers.target
--- a/units/systemd-sysupdate.service.in
+++ b/units/systemd-sysupdate.service.in
@ -0,0 +1,34 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Automatic System Update
+Documentation=man:systemd-sysupdate.service(8)
+Wants=network-online.target
+After=network-online.target
+ConditionVirtualization=!container
+
+[Service]
+Type=simple
+NotifyAccess=main
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sysupdate update
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=yes
+ProtectHostname=yes
+RestrictRealtime=yes
+RestrictNamespaces=net
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallFilter=@system-service @mount
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+
+[Install]
+Also=systemd-sysupdate.timer
--- a/units/systemd-sysupdate.timer
+++ b/units/systemd-sysupdate.timer
@ -0,0 +1,30 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Automatic System Update
+Documentation=man:systemd-sysupdate.service(8)
+
+# For containers we assume that the manager will handle updates. And we likely
+# can't even access our backing block device anyway.
+ConditionVirtualization=!container
+
+[Timer]
+# Trigger the update 15min after boot, and then – on average – every 6h, but
+# randomly distributed in a 2h…6h interval. In addition trigger things
+# persistently once on each saturday, to ensure that even on systems that are
+# never booted up for long we have a chance to to do the update.
+OnBootSec=15min
+OnUnitActiveSec=2h
+OnCalendar=Sat
+RandomizedDelaySec=4h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target