How I Use sysext to Inject Tools Into a Read-Only Linux System

https://itsfoss.com/systemd-sysext/

Publish Date: 2026-03-30 03:05:00

Source Domain: itsfoss.com

If you’ve recently dipped your toes into the world of immutable Linux distributions like Fedora Silverblue, openSUSE MicroOS, or even the Steam Deck, you’ll encounter this issue eventually.

You try to perform a basic task, like adding a custom script to /usr/bin or creating a global configuration directory, and the terminal throws an error: Read-only file system.

It’s a frustrating moment. You chose an immutable OS for the stability, the atomic updates, and the “unbreakable” nature of the system. But now you feel like a guest in your own house.

The traditional fixes, manually mounting an overlay filesystem or using rpm-ostree to layer packages, either require a reboot or complex manual management.

systemd-sysext was built specifically to solve this problem. This often-overlooked utility uses OverlayFS under the hood but adds compatibility checking, systemd integration, and a standardized format, allowing you to dynamically merge binaries and libraries into /usr at runtime, without touching the underlying read-only image and without a reboot.
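The compatibility check and standardized layout mentioned above can be seen in a small shell sketch. This is an added example, not code from the original article or from the systemd project: it stages an extension tree and pre-checks its extension-release file against a host os-release file, using a simplified form of the matching rule. The names mytools and hello-sysext and the staging path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stage a sysext directory tree and pre-check it against a host os-release.
# All names (mytools, hello-sysext, the staging path) are constructed for illustration.

# Print the value of KEY from an os-release style file, with quotes stripped.
get_field() {  # $1=file  $2=KEY
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "\"'"
}

# Create <root>/usr/... plus the extension-release file that systemd-sysext looks for.
build_sysext() {  # $1=staging root  $2=extension name  $3=ID  $4=VERSION_ID (may be empty)
    mkdir -p "$1/usr/bin" "$1/usr/lib/extension-release.d"
    printf '#!/bin/sh\necho "hello from a sysext"\n' > "$1/usr/bin/hello-sysext"
    chmod 0755 "$1/usr/bin/hello-sysext"
    rel="$1/usr/lib/extension-release.d/extension-release.$2"
    printf 'ID=%s\n' "$3" > "$rel"
    if [ -n "$4" ]; then printf 'VERSION_ID=%s\n' "$4" >> "$rel"; fi
}

# Simplified form of the matching rule: ID must match (or be _any), then
# SYSEXT_LEVEL if both sides set it, otherwise VERSION_ID.
# Returns 0 = compatible, 1 = mismatch, 2 = release file missing or misnamed.
check_compat() {  # $1=staging root  $2=extension name  $3=host os-release file
    rel="$1/usr/lib/extension-release.d/extension-release.$2"
    if [ ! -f "$rel" ]; then return 2; fi
    ext_id=$(get_field "$rel" ID)
    if [ "$ext_id" = "_any" ]; then return 0; fi
    if [ "$ext_id" != "$(get_field "$3" ID)" ]; then return 1; fi
    ext_level=$(get_field "$rel" SYSEXT_LEVEL)
    host_level=$(get_field "$3" SYSEXT_LEVEL)
    if [ -n "$ext_level" ] && [ -n "$host_level" ]; then
        if [ "$ext_level" = "$host_level" ]; then return 0; else return 1; fi
    fi
    host_ver=$(get_field "$3" VERSION_ID)
    if [ -z "$host_ver" ]; then return 0; fi   # rolling release: nothing to compare
    if [ "$(get_field "$rel" VERSION_ID)" = "$host_ver" ]; then return 0; else return 1; fi
}

# On a real host (as root), after check_compat succeeds against /etc/os-release:
#   cp -a "$stage" /var/lib/extensions/mytools
#   systemd-sysext refresh && systemd-sysext status
```

The directory name under /var/lib/extensions must equal the suffix of the extension-release file, which is why check_compat returns 2 when the name does not match.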

Quick Look at Immutability

To understand why we need sysext, you first have to understand why the Linux world is moving toward immutability. In a traditional “mutable” distribution like Ubuntu or Arch, the root filesystem is a giant, writable scratchpad. Any process with root privileges can modify any file in /usr or /bin.

While this gives us total freedom, it’s also a major source of system drift. Over time, manual changes, conflicting libraries, and failed package installations make the system unpredictable.

Immutable distributions solve this by treating the operating system as a read-only image. When you update the system, you aren’t just changing individual files; you are switching to a completely new, pre-verified version of the OS. This makes the system “atomic”: it either works perfectly, or it rolls back to the previous version.

The Problem: Seeing the “Read-Only” Barrier

While…
