@@ -12,7 +12,7 @@ traditional system services, making two specific facets of container management
1212available to system services more readily. Specifically:
1313
14141 . The bundling of applications, i.e. packing up multiple services, their
15- binaries and all their dependencies in a single image, and running them
15+ binaries and all their dependencies in an image, and running them
1616 directly from it.
1717
18182 . Stricter default security policies, i.e. sand-boxing of applications.
@@ -29,12 +29,13 @@ of use-cases in a nicer way.
2929## So, what * is* a "Portable Service"?
3030
3131A portable service is ultimately just an OS tree, either inside of a directory
32- tree, or inside a raw disk image containing a Linux file system. This tree is
33- called the "image". It can be "attached" or "detached" from the system. When
34- "attached" specific systemd units from the image are made available on the host
35- system, then behaving pretty much exactly like locally installed system
36- services. When "detached" these units are removed again from the host, leaving
37- no artifacts around (except maybe messages they might have logged).
32+ tree, or inside a raw disk image (or a set of images that get layered, see
33+ [ Layered Images] ( #layered-images ) ) containing a Linux file system. This tree is called the
34+ "image". It can be "attached" or "detached" from the system. When "attached"
35+ specific systemd units from the image are made available on the host system,
36+ then behaving pretty much exactly like locally installed system services. When
37+ "detached" these units are removed again from the host, leaving no artifacts
38+ around (except maybe messages they might have logged).
3839
3940The OS tree/image can be created with any tool of your choice. For example, you
4041can use ` dnf --installroot= ` if you like, or ` debootstrap ` , the image format is
@@ -145,8 +146,14 @@ the drop-ins and the unit files associated with the image, and removes them
145146again.
146147
147148Note that ` portablectl attach ` won't enable or start any of the units it copies
148- out. This still has to take place in a second, separate step. (That said We
149- might add options to do this automatically later on.).
149+ out by default, but ` --enable ` and ` --now ` parameter are available as shortcuts.
150+ The same is true for the opposite ` detach ` operation.
151+
152+ A ` portablectl reattach ` command is made available to combine a ` detach ` with an
153+ ` attach ` , and it is useful in case an image gets upgraded, as it allows a to
154+ perform a ` restart ` operation on the unit(s) instead of ` stop ` plus ` start ` ,
155+ thus providing lower downtime and avoiding losing runtime state associated with
156+ the unit such as the file descriptor store.
150157
151158## Requirements on Images
152159
@@ -243,6 +250,34 @@ image. To facility 3 and 4 you also need to include a boot loader in the
243250image. As mentioned ` mkosi -b ` takes care of all of that for you, but any other
244251image generator should work too.
245252
253+ ## Extension Images
254+
255+ Portable services can be delivered as one or multiple images that extend the base
256+ image, and are combined with OverlayFS at runtime, when they are attached. This
257+ enables a workflow that splits the base 'runtime' from the daemon, so that multiple
258+ portable services can share the same 'runtime' image (libraries, tools) without
259+ having to include everything each time, with the layering happening only at runtime.
260+ The ` --extension ` parameter of ` portablectl ` can be used to specify as many upper
261+ layers as desired. On top of the requirements listed in the previous section, the
262+ following must be also be observed.
263+
264+ 1 . The base/OS image must contain an os-release file, either in ` /etc/os-release ` or
265+ ` /usr/lib/os-release ` . The file should follow the standard format.
266+
267+ 2 . The upper extension(s) image(s) must contain an extension-release file in
268+ ` /usr/lib/extension-release.d/ ` , with an ` ID= ` and ` SYSEXT_LEVEL= ` /` VERSION_ID= `
269+ matching the base image.
270+
271+ 3 . The base/OS image does not need to have any unit files.
272+
273+ 4 . The upper extension(s) image(s) must at least contain one matching unit file each,
274+ with the right name prefix and suffix (see above).
275+
276+ ```
277+ # /usr/lib/systemd/portablectl attach --extension foobar_0.7.23.raw debian-runtime_11.1.raw foobar
278+ # /usr/lib/systemd/portablectl attach --extension barbaz_7.0.23.raw debian-runtime_11.1.raw barbaz
279+ ```
280+
246281## Execution Environment
247282
248283Note that the code in portable service images is run exactly like regular
0 commit comments