From fce12838ba3c04d455a3802ed988dc5a3e85d342 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Thu, 20 Dec 2018 02:19:12 -0600
Subject: [PATCH] Update the nspawn unit services

This change updates the unit file for systemd-nspawn to allow it to better confine containers and have them reliabily start/stop on host restart.

Change-Id: I3c7a07a94c94a81ac8380a4e336cf744615a6b5b
Signed-off-by: Kevin Carter
---
 tasks/main.yml | 5 +++--
 templates/systemd-nspawn@.service.j2 | 8 +++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index b084bd6..dd5ebd0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -71,9 +71,10 @@
     path: "{{ item }}"
     state: directory
   with_items:
-    - /etc/systemd/nspawn
-    - /etc/systemd/network
     - /etc/systemd/journald.conf.d
+    - /etc/systemd/network
+    - /etc/systemd/nspawn
+    - /etc/systemd/system/machines.target.wants
     - /var/log/journal
 
 - name: Create journald directories
diff --git a/templates/systemd-nspawn@.service.j2 b/templates/systemd-nspawn@.service.j2
index 16fa6b1..b3f9a43 100644
--- a/templates/systemd-nspawn@.service.j2
+++ b/templates/systemd-nspawn@.service.j2
@@ -15,11 +15,12 @@ Before=machines.target
 After=network.target
 After=network-online.target
 After=systemd-networkd.service
+After=systemd-resolved.service
 After=nspawn-macvlan.service
 Wants=network-online.target
 
 [Service]
-ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
+ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ ((nspawn_systemd_version | int) > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
 KillMode=mixed
 Type=notify
 RestartForceExitStatus=133
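Review bot: Pre-creating `/etc/systemd/system/machines.target.wants` in this directory list is not self-explanatory, since `systemctl enable systemd-nspawn@NAME` creates that directory itself when it places the `WantedBy=machines.target` symlink; the intent is presumably that a later task drops the per-machine symlinks in directly, which a reader cannot tell from this hunk. A one-line comment on the new entry would make that explicit, e.g. `# pre-created so per-machine unit symlinks can be managed without systemctl enable` (confirm against the task that populates it). The `file` task whose `with_items` this is begins above the hunk, so its module options (owner/mode) are not visible here.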
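Review bot: `After=systemd-resolved.service` is an ordering hint only: it waits for resolved when resolved is already part of the boot transaction, but it does not pull resolved in, so on a host where resolved is not enabled the new line is a no-op and the container still starts without the stub resolver it was presumably meant to wait for; if that is the intent, pair it with `Wants=systemd-resolved.service` beside the existing `Wants=network-online.target`. The ExecStart change is parenthesization only (Jinja applies `| int` before `>` either way), but note that the Jinja `int` filter yields 0 when `nspawn_systemd_version` is undefined or non-numeric, which silently selects the `--machine=%I` branch without `--settings=override` rather than failing; an assert on the variable earlier in the role, or `int(default=...)`, would make that visible. Also worth a comment on the `--settings=override` branch: in override mode a `%I.nspawn` file under /etc/systemd/nspawn takes precedence over these command-line flags, so `--private-network` here is a default that a per-container settings file can turn off, e.g. `# --settings=override: /etc/systemd/nspawn/%I.nspawn wins over these flags, including --private-network`.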
@@ -48,5 +49,10 @@ DeviceAllow=/dev/loop-control rw
 DeviceAllow=block-loop rw
 DeviceAllow=block-blkext rw
+# nspawn can set up LUKS encrypted loopback files, in which case it needs
+# access to /dev/mapper/control and the block devices /dev/mapper/*.
+DeviceAllow=/dev/mapper/control rw
+DeviceAllow=block-device-mapper rw
+
 
 [Install]
 WantedBy=machines.target
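Review bot: The two new `DeviceAllow=` lines grant read/write access to `/dev/mapper/control` and every device-mapper block device for every instance of this template, whether or not the machine is backed by a LUKS/loopback image, and since ExecStart runs nspawn with `--keep-unit` the container payload lives in this same unit cgroup, so as far as I can tell the allowlist extends to the container's processes rather than only to the host-side nspawn binary. Directory-backed machines started via `--machine=%I` have no need for device-mapper, so consider gating these lines on a role variable that is only set when image-backed machines are deployed, or at least extending the comment to state that the grant is deliberate for all instances, e.g. `# NOTE: granted to every instance; drop if only directory-backed machines are used`. Whether a `DevicePolicy=closed` line is in force for this unit is outside the hunk and should be checked, since without it these lines add nothing and the unit is already unrestricted.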