From 9e05e3e944601e84639c4fde0fdc5f4999ffac54 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 3 Feb 2026 18:52:19 -0500
Subject: [PATCH] credentials: Use remote-fs.target for virtiofs mount ordering

The original mount unit configuration used Before=local-fs.target, which could cause issues with virtiofs mounts that depend on virtio transport infrastructure being available. Change the mount units to use Before=remote-fs.target instead. This is more appropriate because virtiofs is conceptually similar to a remote filesystem - it requires external infrastructure (virtio transport) to be available, similar to how NFS requires network connectivity. This follows systemd conventions where remote-fs.target is used for filesystems that depend on infrastructure beyond the local disk.

Assisted-by: OpenCode (Claude claude-opus-4-5-20250114)
Signed-off-by: Colin Walters
---
 crates/kit/src/credentials.rs | 15 ++++++---------
 crates/kit/src/libvirt/run.rs | 7 ++++---
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/crates/kit/src/credentials.rs b/crates/kit/src/credentials.rs
index c66f86b8..c9df7e19 100644
--- a/crates/kit/src/credentials.rs
+++ b/crates/kit/src/credentials.rs
@@ -37,12 +37,12 @@ pub fn guest_path_to_unit_name(guest_path: &str) -> String {
 /// Creates a systemd mount unit that mounts a virtiofs filesystem at the specified
 /// guest path. The unit is configured to:
 /// - Mount type: virtiofs
-/// - Options: Include readonly flag if specified
-/// - TimeoutSec=10: Fail quickly if mount hangs instead of blocking boot
-/// - DefaultDependencies=no to avoid ordering cycles
-/// - Before=local-fs.target and After=systemd-remount-fs.service
+/// - Options: Include readonly flag if specified, plus SELinux context for RO mounts
+/// - Before=remote-fs.target to integrate with standard systemd mount ordering
 ///
-/// Note: systemd automatically creates mount point directories, so DirectoryMode is not needed
+/// We use remote-fs.target rather than local-fs.target because virtiofs is
+/// conceptually similar to a "remote" filesystem - it requires virtio transport
+/// infrastructure to be available, similar to how NFS requires network.
 ///
 /// Returns the complete unit file content as a string
 pub fn generate_virtiofs_mount_unit(
@@ -63,10 +63,7 @@ pub fn generate_virtiofs_mount_unit(
 "[Unit]\n\
 Description=Mount virtiofs tag {tag} at {path}\n\
 ConditionPathExists=!/etc/initrd-release\n\
- DefaultDependencies=no\n\
- Conflicts=umount.target\n\
- Before=local-fs.target umount.target\n\
- After=systemd-remount-fs.service\n\
+ Before=remote-fs.target\n\
 \n\
 [Mount]\n\
 What={tag}\n\
diff --git a/crates/kit/src/libvirt/run.rs b/crates/kit/src/libvirt/run.rs
index 2353cf6a..a466c60a 100644
--- a/crates/kit/src/libvirt/run.rs
+++ b/crates/kit/src/libvirt/run.rs
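Review bot: The rewritten doc comment on `generate_virtiofs_mount_unit` drops the `TimeoutSec=10` bullet and adds "plus SELinux context for RO mounts", but neither hunk in this file touches the `[Mount]` section, so the comment may no longer describe what the function emits. The function body continues outside the hunk; if the timeout is still written there, keep the bullet `/// - TimeoutSec=10: Fail quickly if mount hangs instead of blocking boot`, and if the SELinux context is set there, name the option so a reader can check which label read-only mounts receive. The list should also record that default dependencies now apply, e.g. `/// - Default dependencies apply (DefaultDependencies=no was removed)`.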
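Review bot: Removing `DefaultDependencies=no` from the `[Unit]` text re-enables systemd's implicit mount dependencies, and as far as I know systemd.mount(5) gives every mount it does not classify as a network mount an implicit `Before=local-fs.target` and `After=local-fs-pre.target`. virtiofs is probably not on systemd's network filesystem list, so the unit likely keeps the local-fs.target ordering the commit message sets out to remove, with `Before=remote-fs.target` merely added on top. Confirm on a booted guest with `systemctl show -p Before,After <unit>`; if local-fs.target is still listed, adding `_netdev` to `Options=` (outside this hunk) is the documented way to have the mount treated as a network mount, though it also brings in the network-online ordering. The function body continues outside the hunk.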
@@ -1244,14 +1244,15 @@ fn create_libvirt_domain_from_disk( ); } - // Create a single dropin for local-fs.target that wants all mount units - // This must be done AFTER all mount units have been added (including bind-storage-ro) + // Create a dropin for remote-fs.target that wants all virtiofs mount units. + // We use remote-fs.target because virtiofs is conceptually similar to a remote + // filesystem - it requires virtio transport infrastructure, like NFS needs network. if !mount_unit_names.is_empty() { let wants_list = mount_unit_names.join(" "); let dropin_content = format!("[Unit]\nWants={}\n", wants_list); let encoded_dropin = data_encoding::BASE64.encode(dropin_content.as_bytes()); let dropin_cred = format!( - "io.systemd.credential.binary:systemd.unit-dropin.local-fs.target~bcvk-mounts={encoded_dropin}" + "io.systemd.credential.binary:systemd.unit-dropin.remote-fs.target~bcvk-mounts={encoded_dropin}" ); smbios_creds.push(dropin_cred); }
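Review bot: Attaching the `bcvk-mounts` drop-in to remote-fs.target makes every virtiofs mount depend on that target being part of the guest's boot transaction, which is not guaranteed: as far as I know local-fs.target is always pulled in by sysinit.target, while remote-fs.target is only wanted by multi-user.target when it is enabled in the image. On a guest where it is disabled, or whose default target never reaches it, the `Wants=` list is not evaluated and the mounts are silently skipped; services with default dependencies are also no longer ordered after these mounts unless they declare `RequiresMountsFor=` or `After=remote-fs.target`. I would say so in the comment, e.g. `// Guests must have remote-fs.target enabled; consumers need RequiresMountsFor= on the mount path.`, and keep the removed sentence that the drop-in must be built after all mount units (including bind-storage-ro) have been added, since `mount_unit_names` is still read here. The enclosing function starts and ends outside the hunk.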