* [PATCH] vm/app/systemd-sysupdate: fix mounting overlay
@ 2025-12-08 15:47 Alyssa Ross
2025-12-08 16:25 ` [PATCH 2/2] vm/app/systemd-sysupdate: retry a few times Alyssa Ross
2025-12-08 17:20 ` [PATCH] vm/app/systemd-sysupdate: fix mounting overlay Demi Marie Obenour
0 siblings, 2 replies; 7+ messages in thread
From: Alyssa Ross @ 2025-12-08 15:47 UTC
To: devel; +Cc: Demi Marie Obenour, Johannes Süllner
This assumed it would be run as root, so has been broken since we
stopped running application scripts as root inside img/app VMs.
Reported-by: Johannes Süllner <johannes.suellner@mailbox.org>
Link: https://matrix.to/#/!xSysqhzbOZImdvGpix:fairydust.space/$9psDI3BIP00EIzW-qOqzJswkwzgYyQLKpbfDDp0uo6k?via=fairydust.space&via=matrix.org&via=dataaturservice.se
Fixes: 8bfcbf9 ("img/app: run applications as non-root")
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
vm/app/systemd-sysupdate/download-update | 1 +
1 file changed, 1 insertion(+)
diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
index eada41c..335e389 100755
--- a/vm/app/systemd-sysupdate/download-update
+++ b/vm/app/systemd-sysupdate/download-update
@@ -3,6 +3,7 @@
# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
export LC_ALL C
export LANGUAGE C
+unshare -rUm
if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
# Not a useless use of cat: if there are NUL bytes in the URL
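Review bot: The added `unshare -rUm` line has no comment explaining it, and because the rest of the script follows it as its command, everything from the `if { mount ... }` line onward, not only the overlay mount, now runs inside the new user and mount namespaces with the caller mapped to root. A one-line comment above it, saying the namespaces exist so the overlay on /etc can be mounted without real root and that the mount is visible only to this script, would save the next reader from working that out. `-U` is also redundant next to `-r`, so `unshare -rm` is sufficient.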
base-commit: 9f33ec29d39df59589ed7c1b85d54e116e135df8
--
2.51.0
* [PATCH 2/2] vm/app/systemd-sysupdate: retry a few times
2025-12-08 15:47 [PATCH] vm/app/systemd-sysupdate: fix mounting overlay Alyssa Ross
@ 2025-12-08 16:25 ` Alyssa Ross
2025-12-08 17:20 ` [PATCH] vm/app/systemd-sysupdate: fix mounting overlay Demi Marie Obenour
1 sibling, 0 replies; 7+ messages in thread
From: Alyssa Ross @ 2025-12-08 16:25 UTC
To: devel; +Cc: Demi Marie Obenour, Johannes Süllner
It takes time for the network to come up, so it's likely that the
download will fail immediately after the VM boots.
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
vm/app/systemd-sysupdate/download-update | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
index 335e389..c462d65 100755
--- a/vm/app/systemd-sysupdate/download-update
+++ b/vm/app/systemd-sysupdate/download-update
@@ -1,5 +1,6 @@
#!/usr/bin/env -S execlineb -WS0
# SPDX-License-Identifier: EUPL-1.2+
+# SPDX-FileCopyrightText: 2025 Alyssa Ross <hi@alyssa.is>
# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
export LC_ALL C
export LANGUAGE C
@@ -59,7 +60,12 @@ multisubstitute {
importas -iuS SYSTEMD_SYSUPDATE_PATH
importas -iuS tmpdir
}
-if { $SYSTEMD_SYSUPDATE_PATH --definitions=${tmpdir} update }
+if {
+ forx -x 0 _ { 1 2 3 4 5 }
+ if -nt { $SYSTEMD_SYSUPDATE_PATH --definitions=${tmpdir} update }
+ foreground { sleep 1 }
+ exit 1
+}
# [ and ] are allowed in update URLs so that IPv6 addresses work, but
# they cause globbing in the curl command-line tool by default. Use --globoff
# to disable this feature.
--
2.51.0
* Re: [PATCH] vm/app/systemd-sysupdate: fix mounting overlay
2025-12-08 15:47 [PATCH] vm/app/systemd-sysupdate: fix mounting overlay Alyssa Ross
2025-12-08 16:25 ` [PATCH 2/2] vm/app/systemd-sysupdate: retry a few times Alyssa Ross
@ 2025-12-08 17:20 ` Demi Marie Obenour
2025-12-08 17:28 ` Alyssa Ross
1 sibling, 1 reply; 7+ messages in thread
From: Demi Marie Obenour @ 2025-12-08 17:20 UTC
To: Alyssa Ross, devel; +Cc: Johannes Süllner
On 12/8/25 10:47, Alyssa Ross wrote:
> This assumed it would be run as root, so has been broken since we
> stopped running application scripts as root inside img/app VMs.
>
> Reported-by: Johannes Süllner <johannes.suellner@mailbox.org>
> Link: https://matrix.to/#/!xSysqhzbOZImdvGpix:fairydust.space/$9psDI3BIP00EIzW-qOqzJswkwzgYyQLKpbfDDp0uo6k?via=fairydust.space&via=matrix.org&via=dataaturservice.se
> Fixes: 8bfcbf9 ("img/app: run applications as non-root")
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
> vm/app/systemd-sysupdate/download-update | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
> index eada41c..335e389 100755
> --- a/vm/app/systemd-sysupdate/download-update
> +++ b/vm/app/systemd-sysupdate/download-update
> @@ -3,6 +3,7 @@
> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
> export LC_ALL C
> export LANGUAGE C
> +unshare -rUm
-r implies -U, and it would be more readable to use the long forms
of these options.
> if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
> backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
> # Not a useless use of cat: if there are NUL bytes in the URL
>
> base-commit: 9f33ec29d39df59589ed7c1b85d54e116e135df8
--
Sincerely,
Demi Marie Obenour (she/her/hers)
* Re: [PATCH] vm/app/systemd-sysupdate: fix mounting overlay
2025-12-08 17:20 ` [PATCH] vm/app/systemd-sysupdate: fix mounting overlay Demi Marie Obenour
@ 2025-12-08 17:28 ` Alyssa Ross
2025-12-08 17:42 ` Demi Marie Obenour
0 siblings, 1 reply; 7+ messages in thread
From: Alyssa Ross @ 2025-12-08 17:28 UTC
To: Demi Marie Obenour; +Cc: Johannes Süllner, devel
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 12/8/25 10:47, Alyssa Ross wrote:
>> This assumed it would be run as root, so has been broken since we
>> stopped running application scripts as root inside img/app VMs.
>>
>> Reported-by: Johannes Süllner <johannes.suellner@mailbox.org>
>> Link: https://matrix.to/#/!xSysqhzbOZImdvGpix:fairydust.space/$9psDI3BIP00EIzW-qOqzJswkwzgYyQLKpbfDDp0uo6k?via=fairydust.space&via=matrix.org&via=dataaturservice.se
>> Fixes: 8bfcbf9 ("img/app: run applications as non-root")
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>> vm/app/systemd-sysupdate/download-update | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
>> index eada41c..335e389 100755
>> --- a/vm/app/systemd-sysupdate/download-update
>> +++ b/vm/app/systemd-sysupdate/download-update
>> @@ -3,6 +3,7 @@
>> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
>> export LC_ALL C
>> export LANGUAGE C
>> +unshare -rUm
>
> -r implies -U, and it would be more readable to use the long forms
> of these options.
>
And yet mount -o and -t, and mktemp -d? (I can change it, but I have a
general preference for short options to stop lines getting too long, and
for portability when necessary.)
>> if { mount -toverlay -olowerdir=/run/virtiofs/virtiofs0/etc:/etc -- overlay /etc }
>> backtick tmpdir { mktemp -d /tmp/sysupdate-XXXXXX }
>> # Not a useless use of cat: if there are NUL bytes in the URL
* Re: [PATCH] vm/app/systemd-sysupdate: fix mounting overlay
2025-12-08 17:28 ` Alyssa Ross
@ 2025-12-08 17:42 ` Demi Marie Obenour
2025-12-08 17:49 ` Alyssa Ross
0 siblings, 1 reply; 7+ messages in thread
From: Demi Marie Obenour @ 2025-12-08 17:42 UTC
To: Alyssa Ross; +Cc: Johannes Süllner, devel
On 12/8/25 12:28, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> On 12/8/25 10:47, Alyssa Ross wrote:
>>> This assumed it would be run as root, so has been broken since we
>>> stopped running application scripts as root inside img/app VMs.
>>>
>>> Reported-by: Johannes Süllner <johannes.suellner@mailbox.org>
>>> Link: https://matrix.to/#/!xSysqhzbOZImdvGpix:fairydust.space/$9psDI3BIP00EIzW-qOqzJswkwzgYyQLKpbfDDp0uo6k?via=fairydust.space&via=matrix.org&via=dataaturservice.se
>>> Fixes: 8bfcbf9 ("img/app: run applications as non-root")
>>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>>> ---
>>> vm/app/systemd-sysupdate/download-update | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
>>> index eada41c..335e389 100755
>>> --- a/vm/app/systemd-sysupdate/download-update
>>> +++ b/vm/app/systemd-sysupdate/download-update
>>> @@ -3,6 +3,7 @@
>>> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
>>> export LC_ALL C
>>> export LANGUAGE C
>>> +unshare -rUm
>>
>> -r implies -U, and it would be more readable to use the long forms
>> of these options.
>>
>
> And yet mount -o and -t, and mktemp -d? (I can change it, but I have a
> general preference for short options to stop lines getting too long, and
> for portability when necessary.)
I use mount and mktemp often enough that I have these options
memorized. I had to look up the options to unshare.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
* Re: [PATCH] vm/app/systemd-sysupdate: fix mounting overlay
2025-12-08 17:42 ` Demi Marie Obenour
@ 2025-12-08 17:49 ` Alyssa Ross
2025-12-08 17:50 ` Demi Marie Obenour
0 siblings, 1 reply; 7+ messages in thread
From: Alyssa Ross @ 2025-12-08 17:49 UTC
To: Demi Marie Obenour; +Cc: Johannes Süllner, devel
Demi Marie Obenour <demiobenour@gmail.com> writes:
> On 12/8/25 12:28, Alyssa Ross wrote:
>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>
>>> On 12/8/25 10:47, Alyssa Ross wrote:
>>>> This assumed it would be run as root, so has been broken since we
>>>> stopped running application scripts as root inside img/app VMs.
>>>>
>>>> Reported-by: Johannes Süllner <johannes.suellner@mailbox.org>
>>>> Link: https://matrix.to/#/!xSysqhzbOZImdvGpix:fairydust.space/$9psDI3BIP00EIzW-qOqzJswkwzgYyQLKpbfDDp0uo6k?via=fairydust.space&via=matrix.org&via=dataaturservice.se
>>>> Fixes: 8bfcbf9 ("img/app: run applications as non-root")
>>>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>>>> ---
>>>> vm/app/systemd-sysupdate/download-update | 1 +
>>>> 1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
>>>> index eada41c..335e389 100755
>>>> --- a/vm/app/systemd-sysupdate/download-update
>>>> +++ b/vm/app/systemd-sysupdate/download-update
>>>> @@ -3,6 +3,7 @@
>>>> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
>>>> export LC_ALL C
>>>> export LANGUAGE C
>>>> +unshare -rUm
>>>
>>> -r implies -U, and it would be more readable to use the long forms
>>> of these options.
>>>
>>
>> And yet mount -o and -t, and mktemp -d? (I can change it, but I have a
>> general preference for short options to stop lines getting too long, and
>> for portability when necessary.)
>
> I use mount and mktemp often enough that I have these options
> memorized. I had to look up the options to unshare.
Not a very objective standard! (I use unshare enough that I had these
options memorized.)
We should possibly come up with some well-reasoned guidelines for this,
but until then I'd like to continue using short options for consistency,
so that it's at least not up for debate every time.
* Re: [PATCH] vm/app/systemd-sysupdate: fix mounting overlay
2025-12-08 17:49 ` Alyssa Ross
@ 2025-12-08 17:50 ` Demi Marie Obenour
0 siblings, 0 replies; 7+ messages in thread
From: Demi Marie Obenour @ 2025-12-08 17:50 UTC
To: Alyssa Ross; +Cc: Johannes Süllner, devel
On 12/8/25 12:49, Alyssa Ross wrote:
> Demi Marie Obenour <demiobenour@gmail.com> writes:
>
>> On 12/8/25 12:28, Alyssa Ross wrote:
>>> Demi Marie Obenour <demiobenour@gmail.com> writes:
>>>
>>>> On 12/8/25 10:47, Alyssa Ross wrote:
>>>>> This assumed it would be run as root, so has been broken since we
>>>>> stopped running application scripts as root inside img/app VMs.
>>>>>
>>>>> Reported-by: Johannes Süllner <johannes.suellner@mailbox.org>
>>>>> Link: https://matrix.to/#/!xSysqhzbOZImdvGpix:fairydust.space/$9psDI3BIP00EIzW-qOqzJswkwzgYyQLKpbfDDp0uo6k?via=fairydust.space&via=matrix.org&via=dataaturservice.se
>>>>> Fixes: 8bfcbf9 ("img/app: run applications as non-root")
>>>>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>>>>> ---
>>>>> vm/app/systemd-sysupdate/download-update | 1 +
>>>>> 1 file changed, 1 insertion(+)
>>>>>
>>>>> diff --git a/vm/app/systemd-sysupdate/download-update b/vm/app/systemd-sysupdate/download-update
>>>>> index eada41c..335e389 100755
>>>>> --- a/vm/app/systemd-sysupdate/download-update
>>>>> +++ b/vm/app/systemd-sysupdate/download-update
>>>>> @@ -3,6 +3,7 @@
>>>>> # SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
>>>>> export LC_ALL C
>>>>> export LANGUAGE C
>>>>> +unshare -rUm
>>>>
>>>> -r implies -U, and it would be more readable to use the long forms
>>>> of these options.
>>>>
>>>
>>> And yet mount -o and -t, and mktemp -d? (I can change it, but I have a
>>> general preference for short options to stop lines getting too long, and
>>> for portability when necessary.)
>>
>> I use mount and mktemp often enough that I have these options
>> memorized. I had to look up the options to unshare.
>
> Not a very objective standard! (I use unshare enough that I had these
> options memorized.)
Coding style is pretty much always subjective 🙂.
> We should possibly come up with some well-reasoned guidelines for this,
> but until then I'd like to continue using short options for consistency,
> so that it's at least not up for debate every time.
Fair!
--
Sincerely,
Demi Marie Obenour (she/her/hers)