systemd/units/systemd-journal-catalog-update.service.in
Jonathan Lebon 8e729d511e units: update catalog after systemd-tmpfiles runs
`systemd-journal-catalog-update.service` writes to `/var`. However, it's
not explicitly ordered wrt `systemd-tmpfiles-setup.service`, which means
that it may run before or after.

This is an issue for Fedora CoreOS, which uses Ignition. We want to be
able to prepare `/var` on first boot from the initrd, where the SELinux
policy is not loaded yet. This means that the hierarchy under `/var` is
not correctly labeled. We add a `Z /var - - -` tmpfiles entry so that it
gets relabeled once `/var` gets mounted post-switchroot.

So any service that tries to access `/var` before `systemd-tmpfiles`
relabels it is likely to hit `EACCES`.

Fix this by simply ordering `systemd-journal-catalog-update.service`
after `systemd-tmpfiles-setup.service`. This is also clearer since the
tmpfiles entries are the canonical source of how `/var` should be
populated.

For more context on this, see:
https://github.com/coreos/ignition/issues/635#issuecomment-446620297
2019-03-14 11:28:19 +01:00


# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=Rebuild Journal Catalog
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Conflicts=shutdown.target
After=local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target systemd-update-done.service
ConditionNeedsUpdate=/var

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=@rootbindir@/journalctl --update-catalog
TimeoutSec=90s
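
The ordering gap the commit message describes can be checked for mechanically. The following is an added example, not part of systemd or of the commit: it flags early-boot units that name `/var` but are not ordered after `systemd-tmpfiles-setup.service`. The function names, the `/var` heuristic, the restriction to units with `DefaultDependencies=no`, and the second sample unit (constructed by dropping the tmpfiles ordering from the file above) are assumptions of the example.

```python
import re

TMPFILES = "systemd-tmpfiles-setup.service"

# Settings taken from the unit on this page; UNORDERED is a constructed sample
# made by dropping the tmpfiles ordering from After= to model the unordered case.
FIXED = """\
[Unit]
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target systemd-update-done.service
ConditionNeedsUpdate=/var
[Service]
ExecStart=@rootbindir@/journalctl --update-catalog
"""
UNORDERED = FIXED.replace(" " + TMPFILES, "")

def parse_unit(text):
    """Return {section: {key: [values]}}; repeated keys accumulate."""
    unit, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            section.setdefault(key.strip(), []).append(value.strip())
    return unit

def touches_var(unit):
    """Heuristic (assumption): some setting value names /var or a path under it."""
    pat = re.compile(r"(?<![\w/])/var(?![\w.-])")
    return any(pat.search(v) for sec in unit.values()
               for vals in sec.values() for v in vals)

def check(text):
    """Return 'unordered' for an early-boot unit that names /var without
    After=systemd-tmpfiles-setup.service, else 'ok'."""
    unit = parse_unit(text)
    u = unit.get("Unit", {})
    early = u.get("DefaultDependencies", ["yes"])[-1].lower() in ("no", "false", "0", "off")
    after = " ".join(u.get("After", [])).split()
    if early and touches_var(unit) and TMPFILES not in after:
        return "unordered"
    return "ok"

if __name__ == "__main__":
    for name, text in (("fixed", FIXED), ("unordered", UNORDERED)):
        print(name, check(text))
```

A unit whose command line never mentions `/var` and that has no `/var` condition or path setting is not caught by this heuristic, so a clean result does not prove the unit stays out of `/var`.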