dissect-image: turn verity device sharing into opt-in

Sharing verity volumes is problematic for a variety of reasons, for
example because it might pin the wrong backing device at the wrong time.

Let's hence turn this around: unless verity sharing is enabled, leave it
off, and turn $SYSTEMD_VERITY_SHARING into a true boolean that can be
set both ways.

The primary use case for verity sharing is RootImage=, where it probably
makes sense to leave on, hence set the flag there.

This is crucial when putting together installers which install an OS on
a second disk: if verity sharing is always on we might mount the wrong
of the two disks at the wrong time.
Lennart Poettering
2025-09-19 17:57:37 +02:00
parent 675fa49f69
commit 57d1ceffb3
4 changed files with 17 additions and 9 deletions


@@ -123,8 +123,12 @@ All tools:
* `$SYSTEMD_NETLINK_DEFAULT_TIMEOUT` — specifies the default timeout of waiting
replies for netlink messages from the kernel. Defaults to 25 seconds.
* `$SYSTEMD_VERITY_SHARING=0`if set, sharing dm-verity devices by
using a stable `<ROOTHASH>-verity` device mapper name will be disabled.
* `$SYSTEMD_VERITY_SHARING=`takes a boolean. If set, overrides whether
dm-verity devices shall be shared between multiple components by using a
stable `<ROOTHASH>-verity` device mapper name. The default for this depends
on the subsystem in question. Usually,
RootImage=/ExtensionImages=/MountImages= in unit files default to enabled,
while other uses default to disabled for this.
`systemctl`:
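Review bot: The new `$SYSTEMD_VERITY_SHARING=` entry states the default only as "Usually, RootImage=/ExtensionImages=/MountImages= in unit files default to enabled", which does not tell a reader which code paths actually share a `<ROOTHASH>-verity` device; the commit message names only RootImage= as the place where the flag is set. Suggest dropping "Usually" and listing exactly which settings enable sharing by default, so the documentation matches the callers changed in this commit. Since the removed entry documented sharing as on unless `=0` was set, the new text should also state explicitly that sharing is now off unless enabled, and say how a value that does not parse as a boolean is handled.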