Update the nspawn unit services

This change updates the unit file for systemd-nspawn to allow it to
better confine containers and have them reliably start/stop on host
restart.

Change-Id: I3c7a07a94c94a81ac8380a4e336cf744615a6b5b
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2018-12-20 02:19:12 -06:00 committed by Kevin Carter (cloudnull)
parent 482e3eb330
commit fce12838ba
2 changed files with 10 additions and 3 deletions


@ -71,9 +71,10 @@
path: "{{ item }}"
state: directory
with_items:
- /etc/systemd/nspawn
- /etc/systemd/network
- /etc/systemd/journald.conf.d
- /etc/systemd/network
- /etc/systemd/nspawn
- /etc/systemd/system/machines.target.wants
- /var/log/journal
- name: Create journald directories
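Review bot: The `file` task that creates these directories shows no `mode`, `owner` or `group` within the hunk (the task header is outside it), so the newly added `/var/log/journal` and `machines.target.wants` entries are presumably created with root's default umask. systemd's own tmpfiles configuration expects `/var/log/journal` to be `2755 root:systemd-journal` so that members of that group can read the persistent journal; if those attributes are not set higher up in the task, consider giving that path its own task with `mode: "2755"` and `group: systemd-journal`. The `with_items` loop itself is fine for the Ansible version in use, but the list should be kept sorted as the new side does, so later additions do not reintroduce the duplicated entries the old side had.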


@ -15,11 +15,12 @@ Before=machines.target
After=network.target
After=network-online.target
After=systemd-networkd.service
After=systemd-resolved.service
After=nspawn-macvlan.service
Wants=network-online.target
[Service]
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ ((nspawn_systemd_version | int) > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
KillMode=mixed
Type=notify
RestartForceExitStatus=133
@ -48,5 +49,10 @@ DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw
# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw
[Install]
WantedBy=machines.target
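Review bot: The two new `DeviceAllow=` lines for `/dev/mapper/control` and `block-device-mapper` grant read/write access to every device-mapper block device on the host, including host volumes unrelated to any container; they only narrow anything if the unit also carries a `DevicePolicy=closed` (or `strict`) line, which is outside this hunk, so confirm it is present. If the deployment never uses LUKS-encrypted loopback images for nspawn, these two lines can be dropped to keep the device allow-list minimal. In the first hunk, `After=nspawn-macvlan.service` is an ordering dependency only; without a matching `Wants=nspawn-macvlan.service` (or `Requires=`) that unit is not pulled in when a container starts, so the start/stop reliability this change aims for may still depend on it being enabled separately.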