Add the private-network flag to the nspawn ExecStart

In modern kernels sysfs is largely shared with the host in a read-only
state when an nspawn container is created. This sharing results in the
container seeing network interfaces that don't belong to it. This
change forces network isolation by instructing the container to begin
with a fully isolated network stack.

Change-Id: I9ef22c5e321dce8025cafc622bdfb6ad252ef0cf
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2018-08-09 11:15:10 -05:00
parent 4f6ed536ed
commit b99f48bc8b
No known key found for this signature in database
GPG Key ID: 9443251A787B9FB3
1 changed files with 1 additions and 1 deletions
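A way to verify the effect of `--private-network` on a running machine, as an added example that is not part of this commit or of the project's own playbooks. The two pure helpers decide from an interface listing (as produced by `ls -1 /sys/class/net`) and from two `/proc/<pid>/ns/net` links whether the container's network stack is private; `check_container` is the live wrapper and assumes root, `machinectl`, `nsenter`, and a running container whose name is passed as its argument (the machine name is an assumption, not something the page states).

```sh
#!/bin/sh
# Added example (not the project's code): check that an nspawn container
# runs in its own network namespace and sees only the interfaces it was given.

# Return 0 when the newline-separated interface list contains nothing but
# "lo". A container started with --private-network sees only the loopback
# device until interfaces are explicitly moved in (macvlan, veth, ...).
only_loopback() {
    ifaces=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
    [ "$ifaces" = "lo" ]
}

# Return 0 when two network namespace identities (the readlink output of
# /proc/<pid>/ns/net, e.g. "net:[4026531993]") refer to different namespaces.
# Empty arguments are treated as a failed check, not as "different".
netns_differs() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Live check against a running container (assumes root and a machine named $1).
# Uses the container's leader PID from machinectl and enters its network
# namespace with nsenter, which avoids parsing interactive machinectl output.
check_container() {
    machine=$1
    leader=$(machinectl show -p Leader --value "$machine") || return 2
    host_ns=$(readlink /proc/self/ns/net)
    ctr_ns=$(readlink "/proc/$leader/ns/net")
    ctr_ifaces=$(nsenter --target "$leader" --net ls -1 /sys/class/net)

    if ! netns_differs "$host_ns" "$ctr_ns"; then
        echo "FAIL: $machine shares the host network namespace ($host_ns)"
        return 1
    fi
    if only_loopback "$ctr_ifaces"; then
        echo "OK: $machine is isolated and has no interfaces beyond lo yet"
    else
        echo "OK: $machine is isolated; visible interfaces:"
        printf '  %s\n' $ctr_ifaces
    fi
    return 0
}

# Usage (as root): sh check-nspawn-net.sh <machine-name>
[ -n "$1" ] && check_container "$1"
```

Before this commit the second check would fail for containers sharing the host stack: `readlink /proc/<leader>/ns/net` returns the same `net:[...]` value as on the host and the interface list includes the host's NICs. After it, the namespaces differ; whether anything beyond `lo` shows up depends on what nspawn-macvlan.service or the `.nspawn` file adds.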


@ -19,7 +19,7 @@ After=nspawn-macvlan.service
Wants=network-online.target
[Service]
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
ExecStart=/usr/bin/systemd-nspawn --keep-unit --boot --link-journal=try-host --private-network {{ (nspawn_systemd_version | int > 219) | ternary('--settings=override --machine=%I', '--machine=%I') }}
KillMode=mixed
Type=notify
RestartForceExitStatus=133
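Review bot: `--private-network` on the ExecStart line does not force isolation on the systemd > 219 branch of the ternary: with `--settings=override`, a `Private=no` under `[Network]` in the machine's `.nspawn` file takes precedence over the command line, so there the flag is only a default. On the other branch no `--network-*` option is passed at all, so the container comes up with loopback only and relies on nspawn-macvlan.service (named in `After=` at the top of this hunk) to move interfaces in. Suggest setting `Private=yes` in the generated `.nspawn` file as well so both paths agree, and documenting in the unit or commit message where the container's interfaces are expected to come from.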