Update the nspawn unit services
This change updates the unit file for systemd-nspawn to allow it to better confine containers and have them reliably start/stop on host restart. Change-Id: I3c7a07a94c94a81ac8380a4e336cf744615a6b5b Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
parent
482e3eb330
commit
fce12838ba
@ -71,9 +71,10 @@
path: "{{ item }}"
path: "{{ item }}"
state: directory
state: directory
with_items:
with_items:
- /etc/systemd/nspawn
- /etc/systemd/network
- /etc/systemd/journald.conf.d
- /etc/systemd/journald.conf.d
- /etc/systemd/network
- /etc/systemd/nspawn
- /etc/systemd/system/machines.target.wants
- /var/log/journal
- /var/log/journal
- name: Create journald directories
- name: Create journald directories
@ -15,11 +15,12 @@ Before=machines.target
After=network.target
After=network.target
After=network-online.target
After=network-online.target
After=systemd-networkd.service
After=systemd-networkd.service
After=systemd-resolved.service
After=nspawn-macvlan.service
After=nspawn-macvlan.service
Wants=network-online.target
Wants=network-online.target
[Service]
[Service]
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ ((nspawn_systemd_version | int) > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
KillMode=mixed
KillMode=mixed
Type=notify
Type=notify
RestartForceExitStatus=133
RestartForceExitStatus=133
@ -48,5 +49,10 @@ DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw
DeviceAllow=block-blkext rw
# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw
[Install]
[Install]
WantedBy=machines.target
WantedBy=machines.target
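Review bot: The new `DeviceAllow=block-device-mapper rw` and `DeviceAllow=/dev/mapper/control rw` in the second hunk widen the service's device cgroup to every device-mapper block device on the host (on an LVM- or LUKS-rooted host that includes the host's own volumes) and to the dm control node, yet the ExecStart in the first hunk boots each machine from a directory (`--machine=%I`, no `--image=`), so the LUKS-loopback case the copied comment describes never arises from this unit. Because nspawn containers retain CAP_MKNOD and CAP_SYS_ADMIN by default and run in the host user namespace unless `--private-users` is set, a container root that can mknod a dm node is only stopped by this allow-list, so the lines add reachable host attack surface without a visible consumer, which runs against the commit's stated goal of better confining containers. I would drop the two lines or gate them on a documented role variable, and replace the comment with one that states this role's own reason, e.g. `# Only needed when a machine is started from a LUKS-encrypted --image=; this role boots from directories.`. This is inferred from the visible ExecStart alone; if an .nspawn file under /etc/systemd/nspawn or another unit in the role passes --image, the allowances are justified and the comment should say so.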