
Update the nspawn unit services

This change updates the unit file for systemd-nspawn so that it can
better confine containers and have them reliably start/stop on host
restart.

Change-Id: I3c7a07a94c94a81ac8380a4e336cf744615a6b5b
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 4 months ago
parent
commit
fce12838ba
2 changed files with 10 additions and 3 deletions
  1. 3
    2
      tasks/main.yml
  2. 7
    1
      templates/systemd-nspawn@.service.j2

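--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -71,9 +71,10 @@
     path: "{{ item }}"
     state: directory
   with_items:
-    - /etc/systemd/nspawn
-    - /etc/systemd/network
     - /etc/systemd/journald.conf.d
+    - /etc/systemd/network
+    - /etc/systemd/nspawn
+    - /etc/systemd/system/machines.target.wants
     - /var/log/journal
 
 - name: Create journald directories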
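Review bot: The new `/etc/systemd/system/machines.target.wants` entry pre-creates a directory that `systemctl enable` would normally create itself when it links a `WantedBy=machines.target` unit, and nothing in this hunk places anything in it, so a reader cannot tell from here why the role needs it. A short comment above the list would help, e.g. `# machines.target.wants is pre-created so the role can manage the per-container enable symlinks directly` — adjust it to the actual reason if those symlinks are created by another task. The `file` task that owns this `with_items` list starts above the hunk, so its owner/mode arguments are not visible here.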

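--- a/templates/systemd-nspawn@.service.j2
+++ b/templates/systemd-nspawn@.service.j2
@@ -15,11 +15,12 @@ Before=machines.target
 After=network.target
 After=network-online.target
 After=systemd-networkd.service
+After=systemd-resolved.service
 After=nspawn-macvlan.service
 Wants=network-online.target
 
 [Service]
-ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
+ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ ((nspawn_systemd_version | int) > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
 KillMode=mixed
 Type=notify
 RestartForceExitStatus=133
@@ -48,5 +49,10 @@ DeviceAllow=/dev/loop-control rw
 DeviceAllow=block-loop rw
 DeviceAllow=block-blkext rw
 
+# nspawn can set up LUKS encrypted loopback files, in which case it needs
+# access to /dev/mapper/control and the block devices /dev/mapper/*.
+DeviceAllow=/dev/mapper/control rw
+DeviceAllow=block-device-mapper rw
+
 [Install]
 WantedBy=machines.target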
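Review bot: The two new `DeviceAllow=` lines in the second hunk widen the device policy of every `systemd-nspawn@` instance to the device-mapper control node and all `block-device-mapper` devices, even though the accompanying comment says they are only needed when nspawn sets up LUKS-encrypted loopback images; directory-tree containers that never touch an image get the broader policy too. Since this is a Jinja template, consider gating the pair behind a role variable, e.g. wrap the two lines in `{% if nspawn_luks_images | default(false) %}` … `{% endif %}` (name chosen to match the role's conventions), so the default policy stays as narrow as the existing loop-device entries. Note that `DeviceAllow=` only constrains the host-side cgroup of the nspawn process; whether any of these nodes becomes visible inside the container depends on the container's own bind/device settings, which this hunk does not show, and a one-line comment saying so would stop readers from reading these lines as a container-side grant.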
