Merge bf2328c714 into d99198819c

Without this change, the fd is closed twice on failure.

Fixes a bug introduced by dff9808a62.

Fixes #35288.

hwdb.d/60-keyboard.hwdb

@@ -1438,6 +1438,11 @@ evdev:input:b0003v046DpC309*
  KEYBOARD_KEY_c01b6=images                              # My Pictures (F11)
  KEYBOARD_KEY_c01b7=audio                               # My Music (F12)
 
+# Logitech MX Keys for Mac
+evdev:input:b0003v046Dp4092*
+ KEYBOARD_KEY_70035=102nd                               # '<' key
+ KEYBOARD_KEY_70064=grave                               # '^' key
+
 ###########################################################
 # Maxdata
 ###########################################################

man/systemd.exec.xml

@@ -562,6 +562,13 @@
         To disable the safety check that the extension-release file name matches the image file name, the
         <varname>x-systemd.relax-extension-release-check</varname> mount option may be appended.</para>
 
+        <para>This option can be used together with a <option>notify-reload</option> service type and
+        <citerefentry><refentrytitle>systemd.v</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+        to manage configuration updates. When such a service carrying confext images is reloaded, the confext
+        itself will also be reloaded to pick up any changes. This only applies to confext extensions. See
+        <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        also for details.</para>
+
         <para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or
         <literal>strict</literal>, or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is
         set, then this setting adds <filename>/dev/loop-control</filename> with <constant>rw</constant> mode,
@@ -606,6 +613,14 @@
         or the host. See:
         <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
 
+        <para>This option can be used together with a <option>notify-reload</option> service type and
+        <citerefentry><refentrytitle>systemd.v</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+        to manage configuration updates. When such a system service carrying confext directories is reloaded,
+        the confext itself will also be reloaded to pick up any changes. This only applies to confext
+        extensions. See
+        <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        also for details.</para>
+
         <para>Note that usage from user units requires overlayfs support in unprivileged user namespaces,
         which was first introduced in kernel v5.11.</para>
 

po/uk.po

@@ -9,8 +9,8 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-20 19:13+0000\n"
+"PO-Revision-Date: 2024-11-21 19:38+0000\n"
-"Last-Translator: Dmytro Markevych <hotr1pak@gmail.com>\n"
+"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
 "systemd/main/uk/>\n"
 "Language: uk\n"
@@ -120,11 +120,11 @@ msgstr "Для оновлення домашньої теки користува
 
 #: src/home/org.freedesktop.home1.policy:53
 msgid "Update your home area"
-msgstr "Оновіть свій домашній простір"
+msgstr "Оновлення домашньої області"
 
 #: src/home/org.freedesktop.home1.policy:54
 msgid "Authentication is required to update your home area."
-msgstr "Для оновлення домашньої області потрібна автентифікація."
+msgstr "Для оновлення домашньої області слід пройти розпізнавання."
 
 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@@ -1215,7 +1215,7 @@ msgstr "Керування додатковими функціями"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"
-msgstr "Для керування додатковими функціями потрібна автентифікація"
+msgstr "Для керування додатковими можливостями слід пройти розпізнавання"
 
 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"

src/core/execute.c

@@ -71,6 +71,7 @@
 #include "unit-serialize.h"
 #include "user-util.h"
 #include "utmp-wtmp.h"
+#include "vpick.h"
 
 static bool is_terminal_input(ExecInput i) {
         return IN_SET(i,
@@ -1938,6 +1939,25 @@ char** exec_context_get_restrict_filesystems(const ExecContext *c) {
         return l ? TAKE_PTR(l) : strv_new(NULL);
 }
 
+int exec_context_has_vpicked_extensions(const ExecContext *context) {
+        int r;
+
+        assert(context);
+
+        FOREACH_ARRAY(mi, context->extension_images, context->n_extension_images) {
+                r = path_uses_vpick(mi->source);
+                if (r != 0)
+                        return r;
+        }
+        STRV_FOREACH(ed, context->extension_directories) {
+                r = path_uses_vpick(*ed);
+                if (r != 0)
+                        return r;
+        }
+
+        return 0;
+}
+
 void exec_status_start(ExecStatus *s, pid_t pid, const dual_timestamp *ts) {
         assert(s);
 

src/core/execute.h

@@ -559,6 +559,8 @@ char** exec_context_get_syscall_log(const ExecContext *c);
 char** exec_context_get_address_families(const ExecContext *c);
 char** exec_context_get_restrict_filesystems(const ExecContext *c);
 
+int exec_context_has_vpicked_extensions(const ExecContext *context);
+
 void exec_status_start(ExecStatus *s, pid_t pid, const dual_timestamp *ts);
 void exec_status_exit(ExecStatus *s, const ExecContext *context, pid_t pid, int code, int status);
 void exec_status_handoff(ExecStatus *s, const struct ucred *ucred, const dual_timestamp *ts);

src/core/namespace.c

@@ -37,6 +37,8 @@
 #include "nulstr-util.h"
 #include "os-util.h"
 #include "path-util.h"
+#include "pidref.h"
+#include "process-util.h"
 #include "selinux-util.h"
 #include "socket-util.h"
 #include "sort-util.h"
@@ -3296,6 +3298,117 @@ bool ns_type_supported(NamespaceType type) {
         return access(ns_proc, F_OK) == 0;
 }
 
+int refresh_extensions_in_namespace(
+                const PidRef *target,
+                const char *hierarchy_env,
+                const NamespaceParameters *p) {
+
+        const char *overlay_prefix = "/run/systemd/mount-rootfs";
+        _cleanup_(mount_list_done) MountList ml = {};
+        _cleanup_free_ char *extension_dir = NULL;
+        _cleanup_strv_free_ char **hierarchies = NULL;
+        MountInNamespaceFlags min_flags = 0;
+        int r;
+
+        assert(pidref_is_set(target));
+        assert(hierarchy_env);
+        assert(p);
+
+        log_debug("Refreshing extensions in-namespace for hierarchy '%s'", hierarchy_env);
+
+        extension_dir = path_join(p->private_namespace_dir, "unit-extensions");
+        if (!extension_dir)
+                return -ENOMEM;
+
+        min_flags |= MOUNT_IN_NAMESPACE_MAKE_FILE_OR_DIRECTORY;
+
+        r = parse_env_extension_hierarchies(&hierarchies, hierarchy_env);
+        if (r < 0)
+                return r;
+
+        r = append_extensions(
+                        &ml,
+                        overlay_prefix,
+                        p->private_namespace_dir,
+                        hierarchies,
+                        p->extension_images,
+                        p->n_extension_images,
+                        p->extension_directories);
+        if (r < 0)
+                return r;
+        if (ml.n_mounts == 0)
+                return 0;
+
+        r = safe_fork("(sd-ns-refresh-exts)",
+                        FORK_DEATHSIG_SIGTERM | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE,
+                        NULL);
+        if (r < 0)
+                return r;
+        if (r == 0) {
+                (void) mkdir_p_label(overlay_prefix, 0555);
+
+                /* This is effectively two rounds, since all the extensions come before overlays
+                * (setup_namespace() similarly relies on this property).
+                *
+                * (1) First, set up all the extension mounts in the child, which are not visible from the
+                * process. (2) Then, set up overlays for the sysext/confext hierarchies again using the new
+                * extension mounts as layers, and move them into the namespace. */
+                FOREACH_ARRAY(m, ml.mounts, ml.n_mounts) {
+                        if (IN_SET(m->mode, MOUNT_EXTENSION_DIRECTORY, MOUNT_EXTENSION_IMAGE)) {
+                                r = apply_one_mount(p->root_directory, m, p);
+                                if (r < 0) {
+                                        log_debug_errno(r, "Failed to apply extension mount: %m");
+                                        _exit(EXIT_FAILURE);
+                                }
+                        } else if (m->mode == MOUNT_OVERLAY) {
+                                _cleanup_free_ char *path_relative = NULL, *path_in_namespace = NULL;
+
+                                r = apply_one_mount(p->root_directory, m, p);
+                                if (r < 0)
+                                        _exit(EXIT_FAILURE);
+                                if (r == 0) {
+                                        /* Tried to mount overlay, but it is now empty - umount it then. */
+                                        min_flags |= MOUNT_IN_NAMESPACE_UMOUNT;
+                                }
+
+                                /* bind_mount_in_namespace takes a src on the outside and a dest evaluated
+                                * within the namespace. First, figure out where we want the overlay on top
+                                * of within the namespace.
+                                */
+                                r = path_make_relative(overlay_prefix, mount_entry_path(m), &path_relative);
+                                if (r < 0) {
+                                        log_debug_errno(r, "Failed to make path relative: %m");
+                                        _exit(EXIT_FAILURE);
+                                }
+                                r = asprintf(&path_in_namespace, "%s/%s", empty_to_root(p->root_directory), path_relative);
+                                if (r < 0) {
+                                        log_oom_debug();
+                                        _exit(EXIT_FAILURE);
+                                }
+
+                                r = bind_mount_in_namespace(
+                                                target,
+                                                p->propagate_dir,
+                                                p->incoming_dir,
+                                                /* src= */ mount_entry_path(m),
+                                                /* dest= */ path_in_namespace,
+                                                min_flags);
+                                if (r < 0) {
+                                        log_debug_errno(
+                                                        r,
+                                                        "Failed to move overlay within %s->%s: %m",
+                                                        mount_entry_path(m),
+                                                        path_in_namespace);
+                                        _exit(EXIT_FAILURE);
+                                }
+                        }
+                }
+                _exit(EXIT_SUCCESS);
+        }
+
+        return 0;
+}
+
 static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
         [PROTECT_HOME_NO]        = "no",
         [PROTECT_HOME_YES]       = "yes",

src/core/namespace.h

@@ -16,6 +16,7 @@ typedef struct MountImage MountImage;
 #include "fs-util.h"
 #include "macro.h"
 #include "namespace-util.h"
+#include "pidref.h"
 #include "runtime-scope.h"
 #include "string-util.h"
 
@@ -250,3 +251,8 @@ const char* namespace_type_to_string(NamespaceType t) _const_;
 NamespaceType namespace_type_from_string(const char *s) _pure_;
 
 bool ns_type_supported(NamespaceType type);
+
+int refresh_extensions_in_namespace(
+                const PidRef *target,
+                const char *hierarchy_env,
+                const NamespaceParameters *p);

src/core/service.c

@@ -21,6 +21,7 @@
 #include "devnum-util.h"
 #include "env-util.h"
 #include "escape.h"
+#include "execute.h"
 #include "exec-credential.h"
 #include "exit-status.h"
 #include "fd-util.h"
@@ -33,11 +34,13 @@
 #include "manager.h"
 #include "missing_audit.h"
 #include "mount-util.h"
+#include "namespace.h"
 #include "open-file.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "process-util.h"
 #include "random-util.h"
+#include "runtime-scope.h"
 #include "selinux-util.h"
 #include "serialize.h"
 #include "service.h"
@@ -2709,6 +2712,67 @@ static void service_enter_reload_by_notify(Service *s) {
                 log_unit_warning(UNIT(s), "Failed to schedule propagation of reload, ignoring: %s", bus_error_message(&error, r));
 }
 
+static bool service_should_reload_extensions(Service *s) {
+        int r;
+
+        assert(s);
+
+        /* Only support this for notify-reload service types. */
+        if (s->type != SERVICE_NOTIFY_RELOAD)
+                return false;
+
+        /* TODO: Add support for user services, which can use
+         * ExtensionDirectories= + notify-reload. For now, skip for user
+         * services. */
+        if (UNIT(s)->manager->runtime_scope != RUNTIME_SCOPE_SYSTEM) {
+                log_unit_debug(UNIT(s), "Not reloading extensions for user services.");
+                return false;
+        }
+
+        r = exec_context_has_vpicked_extensions(&s->exec_context);
+        if (r < 0) {
+                log_unit_warning_errno(UNIT(s), r, "Failed to determine if service should reload extensions, assuming false: %m");
+                return false;
+        }
+        return r > 0;
+}
+
+static int service_reload_extensions(Service *s) {
+        /* TODO: do this asynchronously */
+        _cleanup_free_ char *propagate_dir = NULL;
+
+        assert(s);
+
+        /* TODO: remove after adding support for user services */
+        assert(UNIT(s)->manager->runtime_scope == RUNTIME_SCOPE_SYSTEM);
+
+        if (!service_should_reload_extensions(s))
+                return 0;
+
+        propagate_dir = path_join("/run/systemd/propagate/", UNIT(s)->id);
+        if (!propagate_dir)
+                return -ENOMEM;
+
+        NamespaceParameters p = {
+                .private_namespace_dir = "/run/systemd",
+                .incoming_dir = "/run/systemd/incoming",
+                .propagate_dir = propagate_dir,
+                .runtime_scope = UNIT(s)->manager->runtime_scope,
+                .root_directory =  s->exec_context.root_directory,
+                .extension_images = s->exec_context.extension_images,
+                .n_extension_images = s->exec_context.n_extension_images,
+                .extension_directories = s->exec_context.extension_directories,
+                .extension_image_policy = s->exec_context.extension_image_policy
+        };
+
+        /* Only reload confext, and not sysext, because it doesn't make sense
+        for program code to be swapped at reload. */
+        return refresh_extensions_in_namespace(
+                        unit_main_pid(UNIT(s)),
+                        "SYSTEMD_CONFEXT_HIERARCHIES",
+                        &p);
+}
+
 static void service_enter_reload(Service *s) {
         bool killed = false;
         int r;
@@ -2720,6 +2784,14 @@ static void service_enter_reload(Service *s) {
 
         usec_t ts = now(CLOCK_MONOTONIC);
 
+        /* If we have confexts extensions, try to reload vpick'd confext extensions, which is particularly
+         * beneficial for notify-reload services that could potentially pick up a new version of its
+         * configuration.
+         */
+        r = service_reload_extensions(s);
+        if (r < 0)
+                log_unit_warning_errno(UNIT(s), r, "Failed to reload confexts, ignoring: %m");
+
         if (s->type == SERVICE_NOTIFY_RELOAD && pidref_is_set(&s->main_pid)) {
                 r = pidref_kill_and_sigcont(&s->main_pid, s->reload_signal);
                 if (r < 0) {
@@ -3426,14 +3498,12 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
                         return 0;
                 }
 
-                r = service_add_fd_store(s, fd, fdn, do_poll);
+                r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);
                 if (r < 0) {
                         log_unit_debug_errno(u, r,
                                              "Failed to store deserialized fd '%s', ignoring: %m", fdn);
                         return 0;
                 }
-
-                TAKE_FD(fd);
         } else if (streq(key, "extra-fd")) {
                 _cleanup_free_ char *fdv = NULL, *fdn = NULL;
                 _cleanup_close_ int fd = -EBADF;

src/shared/mount-util.c

@@ -1132,7 +1132,7 @@ static int mount_in_namespace(
         _cleanup_close_pair_ int errno_pipe_fd[2] = EBADF_PAIR;
         pid_t child;
 
-        if (flags & MOUNT_IN_NAMESPACE_IS_IMAGE) {
+        if (!(flags & MOUNT_IN_NAMESPACE_UMOUNT) && flags & MOUNT_IN_NAMESPACE_IS_IMAGE) {
                 r = verity_dissect_and_mount(
                                 chased_src_fd,
                                 chased_src_path,
@@ -1150,7 +1150,7 @@ static int mount_in_namespace(
                         return log_debug_errno(r,
                                                "Failed to dissect and mount image '%s': %m",
                                                chased_src_path);
-        } else {
+        } else if (!(flags & MOUNT_IN_NAMESPACE_UMOUNT)) {
                 new_mount_fd = open_tree(
                                 chased_src_fd,
                                 "",
@@ -1189,6 +1189,18 @@ static int mount_in_namespace(
         if (r == 0) {
                 errno_pipe_fd[0] = safe_close(errno_pipe_fd[0]);
 
+                if (flags & MOUNT_IN_NAMESPACE_UMOUNT) {
+                        r = umount_verbose(LOG_DEBUG, dest, UMOUNT_NOFOLLOW);
+                        if (r < 0) {
+                                (void) write(errno_pipe_fd[1], &r, sizeof(r));
+                                errno_pipe_fd[1] = safe_close(errno_pipe_fd[1]);
+
+                                _exit(EXIT_FAILURE);
+                        }
+
+                        _exit(EXIT_SUCCESS);
+                }
+
                 if (flags & MOUNT_IN_NAMESPACE_MAKE_FILE_OR_DIRECTORY)
                         (void) mkdir_parents(dest, 0755);
 

src/shared/mount-util.h

@@ -119,6 +119,7 @@ typedef enum MountInNamespaceFlags {
         MOUNT_IN_NAMESPACE_READ_ONLY              = 1 << 0,
         MOUNT_IN_NAMESPACE_MAKE_FILE_OR_DIRECTORY = 1 << 1,
         MOUNT_IN_NAMESPACE_IS_IMAGE               = 1 << 2,
+        MOUNT_IN_NAMESPACE_UMOUNT                 = 1 << 3,
 } MountInNamespaceFlags;
 
 int bind_mount_in_namespace(

src/shared/vpick.c

@@ -681,6 +681,41 @@ int path_pick_update_warn(
         return 1;
 }
 
+int path_uses_vpick(const char *path) {
+        _cleanup_free_ char *dir = NULL, *parent = NULL, *fname = NULL;
+        int r;
+
+        assert(path);
+
+        r = path_extract_filename(path, &fname);
+        if (r == -EADDRNOTAVAIL)
+                return 0;
+        if (r < 0)
+                return r;
+
+        /* ...PATH/NAME.SUFFIX.v */
+        if (endswith(fname, ".v"))
+                return 1;
+
+        /* ...PATH.v/NAME___.SUFFIX */
+        if (!strrstr(fname, "___"))
+                return 0;
+
+        r = path_extract_directory(path, &dir);
+        if (IN_SET(r, -EDESTADDRREQ, -EADDRNOTAVAIL)) /* only filename specified (no dir), or root or "." */
+                return 0;
+        if (r < 0)
+                return r;
+
+        r = path_extract_filename(dir, &parent);
+        if (r == -EADDRNOTAVAIL)
+                return 0;
+        if (r < 0)
+                return r;
+
+        return !!endswith(parent, ".v");
+}
+
 const PickFilter pick_filter_image_raw = {
         .type_mask = (UINT32_C(1) << DT_REG) | (UINT32_C(1) << DT_BLK),
         .architecture = _ARCHITECTURE_INVALID,

src/shared/vpick.h

@@ -56,6 +56,8 @@ int path_pick_update_warn(
                 PickFlags flags,
                 PickResult *ret);
 
+int path_uses_vpick(const char *path);
+
 extern const PickFilter pick_filter_image_raw;
 extern const PickFilter pick_filter_image_dir;
 extern const PickFilter pick_filter_image_any;

src/test/test-vpick.c

@@ -168,4 +168,27 @@ TEST(path_pick) {
         assert_se(result.architecture == ARCHITECTURE_S390);
 }
 
+TEST(path_uses_vpick) {
+        assert_se(path_uses_vpick("foo.v") > 0);
+        assert_se(path_uses_vpick("path/to/foo.v") > 0);
+        assert_se(path_uses_vpick("./path/to/foo.v") > 0);
+        assert_se(path_uses_vpick("path/to.v/foo.v") > 0);
+        assert_se(path_uses_vpick("path/to/foo.raw.v") > 0);
+        assert_se(path_uses_vpick("/var/lib/machines/mymachine.raw.v/") > 0);
+        assert_se(path_uses_vpick("path/to.v/foo___.hi/a.v") > 0);
+        assert_se(!path_uses_vpick("path/to/foo.mp4.vtt"));
+        assert_se(!path_uses_vpick("path/to/foo.mp4.v.1"));
+        assert_se(!path_uses_vpick("path/to.v/a"));
+
+        assert_se(path_uses_vpick("to.v/foo___.raw") > 0);
+        assert_se(path_uses_vpick("path/to.v/foo___.raw") > 0);
+        assert_se(!path_uses_vpick("path/to/foo___.raw"));
+        assert_se(!path_uses_vpick("path/to.v/foo__"));
+        assert_se(!path_uses_vpick("foo___.raw"));
+
+        assert_se(path_uses_vpick("/") < 1);
+        assert_se(path_uses_vpick(".") < 1);
+        assert_se(path_uses_vpick("") < 1);
+}
+
 DEFINE_TEST_MAIN(LOG_DEBUG);

test/units/TEST-50-DISSECT.dissect.sh

@@ -518,6 +518,72 @@ rm -rf "$VDIR" "$EMPTY_VDIR"
 systemd-dissect --umount "$IMAGE_DIR/app0"
 systemd-dissect --umount "$IMAGE_DIR/app1"
 
+# Check reloading refreshes vpick extensions
+VBASE="vtest$RANDOM"
+VDIR="/tmp/${VBASE}.v"
+mkdir "$VDIR"
+cat >/run/systemd/system/testservice-50g.service <<EOF
+[Service]
+Type=notify-reload
+EnvironmentFile=-/usr/lib/systemd/systemd-asan-env
+ExtensionDirectories=${VDIR}
+ExecStart=bash -c ' \\
+    trap "{ \\
+        systemd-notify --reloading; \\
+        ls /etc | grep marker; \\
+        systemd-notify --ready; \\
+    }" SIGHUP; \\
+    systemd-notify --ready; \\
+    while true; do sleep 1; done; \\
+'
+EOF
+mkdir -p "$VDIR/${VBASE}_1/etc/extension-release.d/"
+echo "ID=_any" >"$VDIR/${VBASE}_1/etc/extension-release.d/extension-release.${VBASE}_1"
+touch "$VDIR/${VBASE}_1/etc/${VBASE}_1.marker"
+systemctl start testservice-50g.service
+systemctl is-active testservice-50g.service
+# First reload; at reload time, the marker file in /etc should be picked up.
+systemctl try-reload-or-restart testservice-50g.service
+journalctl -b -u testservice-50g | grep -q -F "${VBASE}_1.marker"
+# Make a version 2 and reload again; this time we should see the v2 marker
+mkdir -p "$VDIR/${VBASE}_2/etc/extension-release.d/"
+echo "ID=_any" >"$VDIR/${VBASE}_2/etc/extension-release.d/extension-release.${VBASE}_2"
+touch "$VDIR/${VBASE}_2/etc/${VBASE}_2.marker"
+systemctl try-reload-or-restart testservice-50g.service
+journalctl --sync
+journalctl -b -u testservice-50g | grep -q -F "${VBASE}_2.marker"
+# Do it for a couple more times (to make sure we're tearing down old overlays)
+for _ in {1..5}; do systemctl reload testservice-50g.service; done
+systemctl stop testservice-50g.service
+
+# Repeat the same vpick notify-reload test with ExtensionImages= (keeping the
+# same VBASE and reusing VDIR files for convenience, but using .raw extensions
+# this time)
+VDIR2="/tmp/${VBASE}.raw.v"
+mkdir "$VDIR2"
+cp /run/systemd/system/testservice-50g.service /run/systemd/system/testservice-50h.service
+sed -i "s%ExtensionDirectories=.*%ExtensionImages=$VDIR2%g" \
+    /run/systemd/system/testservice-50h.service
+mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw"
+systemctl start testservice-50h.service
+systemctl is-active testservice-50h.service
+# First reload should pick up the v1 marker
+systemctl try-reload-or-restart testservice-50h.service
+journalctl --sync
+journalctl -b -u testservice-50h | grep -q -F "${VBASE}_1.marker"
+# Second reload should pick up the v2 marker
+mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw"
+systemctl try-reload-or-restart testservice-50h.service
+journalctl --sync
+journalctl -b -u testservice-50h | grep -q -F "${VBASE}_2.marker"
+# Test that removing all the extensions don't cause any issues
+rm -rf "${VDIR2:?}"/*
+systemctl try-reload-or-restart testservice-50h.service
+systemctl is-active testservice-50h.service
+systemctl stop testservice-50h.service
+
+rm -rf "$VDIR" "$VDIR2"
+
 # Test that an extension consisting of an empty directory under /etc/extensions/ takes precedence
 mkdir -p /var/lib/extensions/
 ln -s /tmp/app-nodistro.raw /var/lib/extensions/app-nodistro.raw

tmpfiles.d/20-systemd-shell-extra.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 {% if LINK_SHELL_EXTRA_DROPIN %}
 L$ {{SHELLPROFILEDIR}}/70-systemd-shell-extra.sh - - - - {{LIBEXECDIR}}/profile.d/70-systemd-shell-extra.sh

tmpfiles.d/20-systemd-ssh-generator.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 {% if LINK_SSH_PROXY_DROPIN %}
 L$ {{SSHCONFDIR}}/20-systemd-ssh-proxy.conf - - - - {{LIBEXECDIR}}/ssh_config.d/20-systemd-ssh-proxy.conf

tmpfiles.d/20-systemd-stub.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Copy systemd-stub provided metadata such as PCR signature and public key file
 # from initrd into /run/, so that it will survive the initrd stage

tmpfiles.d/20-systemd-userdb.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 {% if LINK_SSHD_USERDB_DROPIN %}
 L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf

tmpfiles.d/credstore.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 d /etc/credstore 0700 root root
 d /etc/credstore.encrypted 0700 root root

tmpfiles.d/etc.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 L /etc/os-release - - - - ../usr/lib/os-release
 L+ /etc/mtab - - - - ../proc/self/mounts

tmpfiles.d/home.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 Q /home 0755 - - -
 q /srv 0755 - - -

tmpfiles.d/journal-nocow.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Set the NOCOW attribute for directories of journal files. This flag
 # is inherited by their new files and sub-directories. Matters only

tmpfiles.d/legacy.conf.in

@@ -5,10 +5,11 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
-# These files are considered legacy and are unnecessary on legacy-free
+# The functionality provided by these files and directories has been replaced
-# systems.
+# by newer interfaces. Their use is discouraged on legacy-free systems. This
+# configuration is provided to maintain backward compatibility.
 
 d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
@@ -16,15 +17,15 @@ L /var/lock - - - - ../run/lock
 L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
 {% endif %}
 
+{% if HAVE_SYSV_COMPAT %}
 # /run/lock/subsys is used for serializing SysV service execution, and
 # hence without use on SysV-less systems.
-
 d /run/lock/subsys 0755 root root -
 
 # /forcefsck, /fastboot and /forcequotacheck are deprecated in favor of the
 # kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
 # 'quotacheck.mode=force'
-
 r! /forcefsck
 r! /fastboot
 r! /forcequotacheck
+{% endif %}

tmpfiles.d/meson.build

@@ -35,7 +35,7 @@ in_files = [
         ['20-systemd-stub.conf',          'ENABLE_EFI'],
         ['20-systemd-userdb.conf',        'ENABLE_SSH_USERDB_CONFIG'],
         ['etc.conf'],
-        ['legacy.conf',                   'HAVE_SYSV_COMPAT'],
+        ['legacy.conf'],
         ['static-nodes-permissions.conf'],
         ['systemd.conf'],
         ['var.conf'],

tmpfiles.d/portables.conf

@@ -1,4 +1,4 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 Q /var/lib/portables 0700

tmpfiles.d/provision.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Provision additional login messages from credentials, if they are set. Note
 # that these lines are NOPs if the credentials are not set or if the files

tmpfiles.d/systemd-network.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 d$ /run/systemd/netif        0755 systemd-network systemd-network -
 d$ /run/systemd/netif/links  0755 systemd-network systemd-network -

tmpfiles.d/systemd-nspawn.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 Q /var/lib/machines 0700 - - -
 

tmpfiles.d/systemd-resolve.conf

@@ -5,6 +5,6 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf

tmpfiles.d/systemd-tmp.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Exclude namespace mountpoints created with PrivateTmp=yes
 x /tmp/systemd-private-%b-*

tmpfiles.d/systemd.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 d /run/user 0755 root root -
 {% if ENABLE_UTMP %}

tmpfiles.d/tmp.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Clear tmp directories separately, to make them easier to override
 q /tmp 1777 root root 10d

tmpfiles.d/var.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 q /var 0755 - - -
 

tmpfiles.d/x11.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Make sure these are created by default so that nobody else can
 # or empty them at startup