# Vendored systemd-in-container entrypoint

These four files are copied verbatim from `linux/build/derivative-maker/docker/` (`entrypoint.sh` and the `build-data/` systemd units). They implement upstream Kicksecure's pattern for running derivative-maker inside a container that uses systemd as PID 1 — required because derivative-maker's build steps assume a real systemd-managed host (calls `systemctl restart approx-...`, `daemon-reload`, etc., and expects those services to actually run).

## Why vendored, not COPY'd from the submodule path

The `Dockerfile.builder` build context is `linux/build/docker/`; COPY cannot reach above that. Vendoring is small (4 files, ~3 KB total) and gives us a single point to bump if upstream changes the pattern.

## Bump procedure

When the `derivative-maker` submodule pin is bumped (see `derivative-maker.PIN.md`), re-vendor by re-copying:

```sh
cp linux/build/derivative-maker/docker/entrypoint.sh \
   linux/build/docker/systemd-entrypoint/entrypoint.sh
cp linux/build/derivative-maker/docker/build-data/docker-entrypoint.service \
   linux/build/docker/systemd-entrypoint/
cp linux/build/derivative-maker/docker/build-data/docker-entrypoint.target \
   linux/build/docker/systemd-entrypoint/
cp linux/build/derivative-maker/docker/build-data/docker-entrypoint-stop.sh \
   linux/build/docker/systemd-entrypoint/
```

Source upstream tag at last vendor: `18.1.7.4-developers-only` (2026-05-07).
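
A drift check that can run in CI after a submodule bump, so the vendored copies cannot silently diverge from the pinned submodule. This is an added example, not part of upstream's or this repository's tooling; the function name `check_vendor_drift` and its optional repo-root argument are assumptions, while the paths are the ones from the bump procedure.

```shell
#!/bin/sh
# Added example: compare each vendored file against its submodule source.
# Returns 0 when all four match, 1 on content drift, 2 when a file is missing.
# check_vendor_drift and its repo-root argument are hypothetical names.

check_vendor_drift() {
    root="${1:-.}"
    src="$root/linux/build/derivative-maker/docker"
    dst="$root/linux/build/docker/systemd-entrypoint"
    result=0

    # Path of each file relative to the upstream docker/ directory.
    # All four are vendored flat into $dst under their base name.
    for rel in \
        entrypoint.sh \
        build-data/docker-entrypoint.service \
        build-data/docker-entrypoint.target \
        build-data/docker-entrypoint-stop.sh
    do
        name="${rel##*/}"
        if [ ! -f "$src/$rel" ]; then
            # Submodule not checked out, or upstream renamed the file.
            echo "MISSING upstream: $src/$rel" >&2
            result=2
        elif [ ! -f "$dst/$name" ]; then
            echo "MISSING vendored: $dst/$name" >&2
            result=2
        elif ! cmp -s "$src/$rel" "$dst/$name"; then
            # Byte-for-byte comparison: the files are meant to be verbatim copies.
            echo "DRIFT: $name differs from $rel" >&2
            if [ "$result" -eq 0 ]; then
                result=1
            fi
        fi
    done
    return "$result"
}
```

Run `check_vendor_drift` from the repository root with the submodule checked out; a missing file (status 2) takes precedence over content drift (status 1).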