man: document the modprobe hack for DeviceAllow=

2019-07-23 13:28:44 +02:00 · 2019-07-23 13:28:44 +02:00 · 00d85bbb60
parent 11aa16bb35
commit 00d85bbb60
1 changed files with 12 additions and 0 deletions
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@ -686,6 +686,18 @@
          TTYs and all ALSA sound devices,
          respectively. <literal>char-cpu/*</literal> is a specifier
          matching all CPU related device groups.</para>
+
+          <para>Note that whitelists defined this way should only reference device groups which are
+          resolvable at the time the unit is started. Any device groups not resolvable then are not added to
+          the device whitelist. In order to work around this limitation, consider extending service units
+          with an <command>ExecStartPre=/sbin/modprobe…</command> line that loads the necessary
+          kernel module implementing the device group if missing. Example: <programlisting>…
+[Service]
+ExecStartPre=-/sbin/modprobe -abq loop
+DeviceAllow=block-loop
+DeviceAllow=/dev/loop-control
+…</programlisting></para>
+
        </listitem>
      </varlistentry>