Update the nspawn unit services
This change updates the unit file for systemd-nspawn to allow it to better confine containers and have them reliably start/stop on host restart. Change-Id: I3c7a07a94c94a81ac8380a4e336cf744615a6b5b Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
parent
482e3eb330
commit
fce12838ba
|
@ -71,9 +71,10 @@
|
|||
path: "{{ item }}"
|
||||
state: directory
|
||||
with_items:
|
||||
- /etc/systemd/nspawn
|
||||
- /etc/systemd/network
|
||||
- /etc/systemd/journald.conf.d
|
||||
- /etc/systemd/network
|
||||
- /etc/systemd/nspawn
|
||||
- /etc/systemd/system/machines.target.wants
|
||||
- /var/log/journal
|
||||
|
||||
- name: Create journald directories
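Review bot: If the `- /var/log/journal` entry is on the new side of this `with_items` list, the directory is created with whatever owner and mode the enclosing task uses, which (unless set explicitly) differs from what systemd-tmpfiles applies to the persistent journal directory — group `systemd-journal` with a setgid mode — so journals written there may not be readable through the usual group. Either give that entry explicit `owner`, `group` and `mode` values, or leave its creation to the `Create journald directories` task that follows. The enclosing task starts before this hunk, so whether a mode is already set is not visible here; the rendering also does not show which list entries are old and which are new.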
|
||||
|
|
|
@ -15,11 +15,12 @@ Before=machines.target
|
|||
After=network.target
|
||||
After=network-online.target
|
||||
After=systemd-networkd.service
|
||||
After=systemd-resolved.service
|
||||
After=nspawn-macvlan.service
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
|
||||
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ ((nspawn_systemd_version | int) > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
|
||||
KillMode=mixed
|
||||
Type=notify
|
||||
RestartForceExitStatus=133
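Review bot: `After=nspawn-macvlan.service` is an ordering-only dependency; if the `--private-network` container relies on interfaces that unit creates, this unit will still be started when nspawn-macvlan.service is disabled or has failed, and the container comes up without its network. If that dependency is real, pair it with `Wants=nspawn-macvlan.service` (or `BindsTo=` if the container should be stopped with it). The new `((nspawn_systemd_version | int) > 219)` evaluates the same as the old form, since Jinja applies filters before comparison operators, so it is a readability change only. A one-line comment above ExecStart such as `# --settings=override lets /etc/systemd/nspawn/%I.nspawn take precedence over these flags` would help operators who later tune the unit. The [Unit] section starts outside the hunk.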
|
||||
|
@ -48,5 +49,10 @@ DeviceAllow=/dev/loop-control rw
|
|||
DeviceAllow=block-loop rw
|
||||
DeviceAllow=block-blkext rw
|
||||
|
||||
# nspawn can set up LUKS encrypted loopback files, in which case it needs
|
||||
# access to /dev/mapper/control and the block devices /dev/mapper/*.
|
||||
DeviceAllow=/dev/mapper/control rw
|
||||
DeviceAllow=block-device-mapper rw
|
||||
|
||||
[Install]
|
||||
WantedBy=machines.target
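Review bot: `DeviceAllow=block-device-mapper rw` grants the service read-write access to every device-mapper block device on the host — including any LVM or LUKS volumes the host itself uses — not only the ones backing encrypted loopback images, so it widens the device allowlist for every instance of this template. If the deployment does not use LUKS loopback files, the two mapper entries could be dropped or gated behind a role variable so the default stays minimal; if they are needed, extend the comment to state the trade-off, e.g. `# NOTE: this allows rw access to all dm-* devices on the host, not only loopback-backed ones.` Whether a restrictive `DevicePolicy=` precedes this allowlist is not visible in the hunk, and the [Service] section starts outside it.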
|
||||
|
|