diff --git a/man/integritytab.xml b/man/integritytab.xml
index 32561e96f2..413f5f49bc 100644
--- a/man/integritytab.xml
+++ b/man/integritytab.xml
@@ -133,6 +133,53 @@
+
+
+
+
+ Marks this veritysetup device as requiring network. It will be started after the
+ network is available, similarly to
+ systemd.mount5
+ units marked with . The service unit to set up this device will be ordered
+ between remote-fs-pre.target and
+ remote-integritysetup.target, instead of
+ integritysetup-pre.target and integritysetup.target.
+
+ Hint: if this device is used for a mount point that is specified in fstab5, the
+ option should also be used for the mount point. Otherwise, a dependency loop
+ might be created where the mount point will be pulled in by local-fs.target,
+ while the service to configure the network is usually only started after the
+ local file system has been mounted.
+
+
+
+
+
+
+
+
+ This device will not be added to integritysetup.target. This
+ means that it will not be automatically enabled on boot, unless something else pulls it in. In
+ particular, if the device is used for a mount point, it'll be enabled automatically during boot,
+ unless the mount point itself is also disabled with .
+
+
+
+
+
+
+
+ This device will not be a hard dependency of
+ integritysetup.target. It'll still be pulled in and started, but the system will
+ not wait for the device to show up and be enabled, and boot will not fail if this is
+ unsuccessful. Note that other units that depend on the enabled device may still fail. In particular,
+ if the device is used for a mount point, the mount point itself also needs to have the
+ option, or the boot will fail if the device is not enabled
+ successfully.
+
+
+ At early boot and when the system manager configuration is
diff --git a/man/systemd.special.xml b/man/systemd.special.xml
index ca3bf463ae..a4ae3f8983 100644
--- a/man/systemd.special.xml
+++ b/man/systemd.special.xml
@@ -66,6 +66,7 @@
printer.target,
reboot.target,
remote-cryptsetup.target,
+ remote-integritysetup.target,
remote-veritysetup.target,
remote-fs-pre.target,
remote-fs.target,
@@ -641,11 +642,22 @@
+
+ remote-integritysetup.target
+
+ Similar to integritysetup.target, but for integrity protected devices
+ which are accessed over the network. It is used for
+ integritytab5
+ entries marked with .
+
+
+
+ remote-veritysetup.targetSimilar to veritysetup.target, but for verity
- integrity protected devices which are accessed over the network. It is used for
+ protected devices which are accessed over the network. It is used for
veritytab5
entries marked with .
diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
index 5c3be28867..a12be9eba7 100644
--- a/presets/90-systemd.preset
+++ b/presets/90-systemd.preset
@@ -13,6 +13,7 @@
enable remote-fs.target
enable remote-cryptsetup.target
+enable remote-integritysetup.target
enable remote-veritysetup.target
enable machines.target
diff --git a/src/integritysetup/integritysetup-generator.c b/src/integritysetup/integritysetup-generator.c
index 72b890575c..7b0863d958 100644
--- a/src/integritysetup/integritysetup-generator.c
+++ b/src/integritysetup/integritysetup-generator.c
@@ -36,12 +36,17 @@ static int create_disk(
_cleanup_free_ char *n = NULL, *dd = NULL, *e = NULL, *name_escaped = NULL, *key_file_escaped = NULL;
_cleanup_fclose_ FILE *f = NULL;
- int r;
char *dmname = NULL;
+ bool noauto, nofail, netdev;
+ int r;
assert(name);
assert(device);
+ noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0");
+ nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
+ netdev = fstab_test_option(options, "_netdev\0");
+
name_escaped = specifier_escape(name);
if (!name_escaped)
return log_oom();
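Review bot: `noauto`, `nofail` and `_netdev` are consumed here for unit generation, but nothing in this diff shows the attach-side option parser being taught to skip them. If the same option string is still handed to the integritysetup service (the ExecStart line is outside this hunk, so this is inferred), confirm that the parser ignores the three names silently rather than warning or rejecting the entry on every boot. A short comment above the three calls would record the split, e.g. `/* generator-only options; the attach helper must tolerate and ignore them */`. create_disk() begins before and continues after this hunk.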
@@ -88,13 +93,20 @@ static int create_disk(
"Before=blockdev@dev-mapper-%%i.target\n"
"Wants=blockdev@dev-mapper-%%i.target\n"
"Conflicts=umount.target\n"
- "Before=integritysetup.target\n"
"BindsTo=%s\n"
"After=%s\n"
"Before=umount.target\n",
arg_integritytab,
dd, dd);
+ if (netdev)
+ fprintf(f, "After=remote-fs-pre.target\n");
+
+ if (!nofail)
+ fprintf(f,
+ "Before=%s\n",
+ netdev ? "remote-integritysetup.target" : "integritysetup.target");
+
fprintf(f,
"\n"
"[Service]\n"
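Review bot: The expression `netdev ? "remote-integritysetup.target" : "integritysetup.target"` is written out in the `Before=%s` fprintf here and again in the generator_add_symlink() call in the next hunk, so the ordering target and the symlink target can drift apart in a later edit. Computing it once next to the option parsing, `const char *target = netdev ? "remote-integritysetup.target" : "integritysetup.target";`, and passing `target` in both places keeps the two tied together. The rest of the function body lies outside the hunk.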
@@ -110,9 +122,15 @@ static int create_disk(
if (r < 0)
return log_error_errno(r, "Failed to write unit file %s: %m", n);
- r = generator_add_symlink(arg_dest, "integritysetup.target", "requires", n);
- if (r < 0)
- return r;
+ if (!noauto) {
+ r = generator_add_symlink(
+ arg_dest,
+ netdev ? "remote-integritysetup.target" : "integritysetup.target",
+ nofail ? "wants" : "requires",
+ n);
+ if (r < 0)
+ return r;
+ }
dmname = strjoina("dev-mapper-", e, ".device");
return generator_add_symlink(arg_dest, dmname, "requires", n);
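Review bot: The `if (!noauto)` block has no comment stating what `nofail` means for consumers of the target. With `nofail` the unit is linked under `wants` and, per the previous hunk, gets no `Before=` on the target, so the target becoming active no longer implies that this integrity device was set up. Anything that treats `integritysetup.target` or `remote-integritysetup.target` as a gate for integrity-protected storage should depend on the device unit itself. I would add above the block: `/* nofail: Wants= and no ordering, so the target may be reached without this device; noauto: only the dev-mapper .device dependency below pulls it in */`. The end of create_disk() is outside the hunk.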
diff --git a/units/meson.build b/units/meson.build
index edf09b7989..330dca3086 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -190,6 +190,11 @@ units = [
},
{ 'file' : 'remote-fs-pre.target' },
{ 'file' : 'remote-fs.target' },
+ {
+ 'file' : 'remote-integritysetup.target',
+ 'conditions' : ['HAVE_LIBCRYPTSETUP'],
+ 'symlinks' : ['initrd-root-device.target.wants/'],
+ },
{
'file' : 'remote-veritysetup.target',
'conditions' : ['HAVE_LIBCRYPTSETUP'],
diff --git a/units/remote-integritysetup.target b/units/remote-integritysetup.target
new file mode 100644
index 0000000000..56c59b8007
--- /dev/null
+++ b/units/remote-integritysetup.target
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Remote Integrity Protected Volumes
+Documentation=man:systemd.special(7)
+After=remote-fs-pre.target integritysetup-pre.target
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Install]
+WantedBy=multi-user.target