Add the private-network flag to the nspawn ExecStart
In modern kernels sysfs is largely shared with the host in a read-only state when an nspawn container is created. This sharing results in the container seeing network interfaces that don't belong to it. This change forces network isolation by instructing the container to begin with a fully isolated network stack.

Change-Id: I9ef22c5e321dce8025cafc622bdfb6ad252ef0cf
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
parent 4f6ed536ed
commit b99f48bc8b
@ -19,7 +19,7 @@ After=nspawn-macvlan.service
Wants=network-online.target
[Service]
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
KillMode=mixed
Type=notify
RestartForceExitStatus=133
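Review bot: adding `--private-network` to the ExecStart line gives the container a network namespace containing only loopback, so connectivity now depends entirely on an interface being attached by other means; on the `nspawn_systemd_version | int > 219` false branch of the ternary no `--settings=override` is passed, so nothing on that command line attaches a macvlan or veth interface and the container would boot with no external network despite the unit's `After=nspawn-macvlan.service` ordering. Either restrict this change to the newer-systemd branch, add an explicit `--network-macvlan=`/`--network-veth` option for the older one, or document in the commit message that a machine-specific .nspawn file is now required for connectivity.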