rkt · iaguis · Feb 3, 2016 · Feb 3, 2016 · Feb 3, 2016 · Feb 3, 2016
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - Fetched keys are no longer automatically trusted by default, unless `--trust-keys-from-https` is used. Additionally, newly fetched keys have to be explicitly trusted with `rkt trust` if a previous key was trusted for the same image prefix ([#2033](https://github.com/coreos/rkt/pull/2033)).
 - Use NAT loopback to make ports forwarded in pods accessible from localhost ([#1256](https://github.com/coreos/rkt/issues/1256)).
 - Show a clearer error message when unprivileged users execute commands that require root privileges ([#2081](https://github.com/coreos/rkt/pull/2081)).
+- Add a rkt tmpfiles configuration file to make the creation of the rkt data directory on first boot easier ([#2088](https://github.com/coreos/rkt/pull/2088)).
 
 #### Bug fixes
 
@@ -34,6 +35,7 @@ With this release, `rkt` RPM/dpkg packages should have the following updates:
 
 - Pass `--enable-tpm=no` to configure script, if `rkt` should not use TPM.
 - Use the `--with-default-stage1-images-directory` configure flag, if the default is not acceptable and install the built stage1 images there.
+- Distributions using systemd: install the new file `dist/init/systemd/tmpfiles.d/rkt.conf` in `/usr/lib/tmpfiles.d/rkt.conf` and then run `systemd-tmpfiles --create rkt.conf`. This can replace running `rkt install` to set the correct ownership and permissions.
 
 ## v0.16.0
 

diff --git a/Documentation/packaging.md b/Documentation/packaging.md
@@ -68,7 +68,7 @@ A Linux system configured with [suitable options](hacking.md#run-time-requiremen
 
 ### Ownership and permissions of rkt directories
 
-In general, subdirectories of `/var/lib/rkt` should be created with the same ownership and permissions as if created by `rkt install`, see [directory list](https://github.com/coreos/rkt/blob/master/rkt/install.go#L44).
+In general, subdirectories of `/var/lib/rkt` should be created with the same ownership and permissions as if created by `rkt install`, see [directory list](https://github.com/coreos/rkt/blob/master/dist/init/systemd/tmpfiles.d/rkt.conf).
 
 Any rkt package should create a system group `rkt`, and `/var/lib/rkt` should belong to group `rkt` with the `setgid` bit set (`chmod g+s`)
 

diff --git a/dist/init/systemd/tmpfiles.d/rkt.conf b/dist/init/systemd/tmpfiles.d/rkt.conf
@@ -0,0 +1,24 @@
+d /var/lib/rkt 2750 root rkt
+d /var/lib/rkt/tmp 2750 root rkt
+
+d /var/lib/rkt/cas 2770 root rkt
+d /var/lib/rkt/cas/db 2770 root rkt
+f /var/lib/rkt/cas/db/ql.db 0660 root rkt
+# the ql database uses a WAL file whose name is generated from the sha1 hash of
+# the database name
+f /var/lib/rkt/cas/db/.34a8b4c1ad933745146fdbfef3073706ee571625 0660 root rkt
+d /var/lib/rkt/cas/imagelocks 2770 root rkt
+d /var/lib/rkt/cas/imageManifest 2770 root rkt
+d /var/lib/rkt/cas/blob 2770 root rkt
+d /var/lib/rkt/cas/tmp 2770 root rkt
+d /var/lib/rkt/cas/tree 2700 root rkt
+d /var/lib/rkt/cas/treestorelocks 2700 root rkt
+d /var/lib/rkt/locks 2750 root rkt
+
+d /var/lib/rkt/pods 2750 root rkt
+d /var/lib/rkt/pods/embryo 2750 root rkt
+d /var/lib/rkt/pods/prepare 2750 root rkt
+d /var/lib/rkt/pods/prepared 2750 root rkt
+d /var/lib/rkt/pods/run 2750 root rkt
+d /var/lib/rkt/pods/exited-garbage 2750 root rkt
+d /var/lib/rkt/pods/garbage 2750 root rkt
diff --git a/rkt/install.go b/rkt/install.go
@@ -42,6 +42,7 @@ var (
 		"tmp": os.FileMode(0750 | os.ModeSetgid),
 
 		// Cas directories.
+		// Please keep in sync with dist/init/systemd/tmpfiles.d/rkt.conf
 		// Make sure 'rkt' group can read/write some of the 'cas'
 		// directories so that users in the group can fetch images
 		"cas":                os.FileMode(0770 | os.ModeSetgid),