container-systemd-base: replace ROOTFS_POSTPROCESS_COMMAND with package

Factor systemd service masking into container-systemd-config package that installs mask symlinks via do_install. This replaces the ROOTFS_POSTPROCESS_COMMAND approach which is ignored in multi-layer OCI mode. The mask list is customizable via CONTAINER_SYSTEMD_MASK variable. Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Bruce Ashfield <bruce.ashfield@gmail.com> 2026-02-10 04:33:43 +0000
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2026-02-10 21:04:20 +0000
commit: a71e7b0499c51c74686e41e7810e2f202d851ce6 (patch)
tree: 427d8b0fde510ce30f4dc3bb9a5ca5c93d634f21
parent: 56f78049cff106e52a57e2544d025ea94fd0c702 (diff)
download: meta-virtualization-a71e7b0499c51c74686e41e7810e2f202d851ce6.tar.gz
3 files changed, 35 insertions, 46 deletions
diff --git a/recipes-extended/container-systemd-config/container-systemd-config_1.0.bb b/recipes-extended/container-systemd-config/container-systemd-config_1.0.bb
new file mode 100644
index 00000000..a808fcd1
--- /dev/null
+++ b/recipes-extended/container-systemd-config/container-systemd-config_1.0.bb
@@ -0,0 +1,31 @@
+SUMMARY = "Systemd service masking for container use"
+DESCRIPTION = "Masks systemd services that are inappropriate inside containers \
+    (udev, hwdb, serial-getty, etc.). Installed as a package so it works \
+    with both single-layer and multi-layer OCI images."
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+inherit allarch
+# Default services to mask in containers
+# Customizable: CONTAINER_SYSTEMD_MASK:pn-container-systemd-config:append = " extra.service"
+CONTAINER_SYSTEMD_MASK ?= "\
+    systemd-udevd.service \
+    systemd-udevd-control.socket \
+    systemd-udevd-kernel.socket \
+    proc-sys-fs-binfmt_misc.automount \
+    sys-fs-fuse-connections.mount \
+    sys-kernel-debug.mount \
+    systemd-hwdb-update.service \
+    serial-getty@ttyS0.service \
+    dev-ttyS0.device \
+    console-getty.service \
+    serial-getty@.service \
+"
+do_install() {
+    install -d ${D}${sysconfdir}/systemd/system
+    for service in ${CONTAINER_SYSTEMD_MASK}; do
+        ln -sf /dev/null ${D}${sysconfdir}/systemd/system/$service
+    done
+}
diff --git a/recipes-extended/images/container-systemd-base.bb b/recipes-extended/images/container-systemd-base.bb
index 96ef4667..3264e6cf 100644
--- a/recipes-extended/images/container-systemd-base.bb
+++ b/recipes-extended/images/container-systemd-base.bb
@@ -7,11 +7,8 @@ SYSTEMD_CONTAINER_APP ?= ""
 # Use local.conf to specify the application(s) to install
 IMAGE_INSTALL += "${SYSTEMD_CONTAINER_APP}"
-# Use local.conf to specify additional systemd services to disable. To overwrite
+# To mask additional systemd services, use:
-# the default list use SERVICES_TO_DISABLE:pn-systemd-container in local.conf
+#   CONTAINER_SYSTEMD_MASK:pn-container-systemd-config:append = " extra.service"
-SERVICES_TO_DISABLE:append = " ${SYSTEMD_CONTAINER_DISABLE_SERVICES}"
+# in local.conf or your image recipe.
-# Use local.conf to enable systemd services
-SERVICES_TO_ENABLE += "${SYSTEMD_CONTAINER_ENABLE_SERVICES}"
 require container-systemd-base.inc
diff --git a/recipes-extended/images/container-systemd-base.inc b/recipes-extended/images/container-systemd-base.inc
index 0b856e83..ea933390 100644
--- a/recipes-extended/images/container-systemd-base.inc
+++ b/recipes-extended/images/container-systemd-base.inc
@@ -26,47 +26,8 @@ IMAGE_INSTALL:append = " systemd"
 IMAGE_INSTALL:append = " packagegroup-core-base-utils"
 IMAGE_INSTALL:append = " packagegroup-core-ssh-openssh"
 IMAGE_INSTALL:append = " busybox"
+IMAGE_INSTALL:append = " container-systemd-config"
 IMAGE_FEATURES ?= ""
 NO_RECOMMENDATIONS = "1"
-SERVICES_TO_DISABLE ?= " \
-    systemd-udevd.service \
-    systemd-udevd-control.socket \
-    systemd-udevd-kernel.socket \
-    proc-sys-fs-binfmt_misc.automount \
-    sys-fs-fuse-connections.mount \
-    sys-kernel-debug.mount \
-    systemd-hwdb-update.service \
-    serial-getty@ttyS0.service \
-    dev-ttyS0.device \
-    console-getty.service \
-    serial-getty@.service \
-"
-SERVICES_TO_ENABLE ?= ""
-disable_systemd_services () {
-        SERVICES_TO_DISABLE="${SERVICES_TO_DISABLE}"
-        if [ -n "$SERVICES_TO_DISABLE" ]; then
-                echo "Disabling systemd services:"
-                for service in $SERVICES_TO_DISABLE; do
-                        echo "    $service"
-                        systemctl --root="${IMAGE_ROOTFS}" mask $service > /dev/null >1
-                done
-        fi
-}
-enable_systemd_services () {
-        SERVICES_TO_ENABLE="${SERVICES_TO_ENABLE}"
-        if [ -n "$SERVICES_TO_ENABLE" ]; then
-                echo "Enabling additional systemd services:"
-                for service in $SERVICES_TO_ENABLE; do
-                        echo "    $service"
-                        systemctl --root="${IMAGE_ROOTFS}" enable $service > /dev/null >1
-                done
-        fi
-}
-ROOTFS_POSTPROCESS_COMMAND += "disable_systemd_services; enable_systemd_services;"
author	Bruce Ashfield <bruce.ashfield@gmail.com>	2026-02-10 04:33:43 +0000
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2026-02-10 21:04:20 +0000
commit	a71e7b0499c51c74686e41e7810e2f202d851ce6 (patch)
tree	427d8b0fde510ce30f4dc3bb9a5ca5c93d634f21
parent	56f78049cff106e52a57e2544d025ea94fd0c702 (diff)
download	meta-virtualization-a71e7b0499c51c74686e41e7810e2f202d851ce6.tar.gz