From 31ea9c89d49d16b912cd7c1f241f83402eb8c626 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 23 Jul 2019 13:11:09 +0200
Subject: [PATCH 1/3] nspawn: explicitly load units beforehand so that DeviceAllow= syntax works

Yuck, but I don't see any prettier solution.

Fixes: #13130
---
 units/systemd-nspawn@.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index c3194d4f21..2473a730b4 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -16,6 +16,8 @@ After=network.target systemd-resolved.service
 RequiresMountsFor=/var/lib/machines

 [Service]
+# Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others)
+ExecStartPre=-/sbin/modprobe -abq tun loop dm-mod
 ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
 KillMode=mixed
 Type=notify

From 11aa16bb359ded91d68ff5f48fecfafa2a15d3b0 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 23 Jul 2019 13:14:53 +0200
Subject: [PATCH 2/3] units: make sure logind can properly reference drm char class

Similar to the previous fix.
---
 units/systemd-logind.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 1b37290d4f..927f97e94e 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,6 +27,8 @@ DeviceAllow=char-drm rw
 DeviceAllow=char-input rw
 DeviceAllow=char-tty rw
 DeviceAllow=char-vcs rw
+# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
+ExecStartPre=-/sbin/modprobe -abq drm
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any

From 00d85bbb608a0a9b098b606dddb499e868c2dc1e Mon Sep 17 00:00:00 2001
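Review bot: The added `ExecStartPre=-/sbin/modprobe -abq tun loop dm-mod` line is deliberately best-effort (`-` prefix, `-q`, and `-b` honouring the module blacklist), so when a module is absent, blacklisted, or `/sbin/modprobe` is not at that path, nothing is logged at unit start and the matching DeviceAllow= entries are silently left out of the device whitelist — the container loses the device with no visible cause, which is exactly the failure mode this patch is meant to remove; the same applies to the `modprobe -abq drm` line in the logind hunk of patch 2/3. The module list is also hard-coded separately from the DeviceAllow= lines it serves, which sit below ExecStart= outside this hunk, so the two lists can drift when a DeviceAllow= group is added later. I would state the coupling in the comment, e.g. `# Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others): the device whitelist is compiled when the unit starts, so keep this module list in sync with the DeviceAllow= groups below`, and verify the resolved whitelist after any change with `systemctl show -p DeviceAllow systemd-nspawn@<machine>.service` (`<machine>` being the instance name).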
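Review bot: `ExecStartPre=` runs inside this unit's own execution environment, and the context shows a hardened unit (`IPAddressDeny=any`); if the directives above the hunk include a CapabilityBoundingSet= without CAP_SYS_MODULE or ProtectKernelModules=yes — not visible here, so this is inferred — `-/sbin/modprobe -abq drm` can never load anything from within the sandbox, and with the `-` prefix and `-q` it fails without a trace, leaving `DeviceAllow=char-drm rw` unresolved exactly as before the patch. In that case module loading should happen in a separate unit ordered before this one via Wants=/After= rather than under the service's own restrictions; the result is easy to check on a host where drm is a module with `systemctl show -p DeviceAllow systemd-logind.service`. Minor: the new comment has a typo, `# Make sure the DeviceAllow= lines above can work correctly when referencing char-drm`.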
From: Lennart Poettering
Date: Tue, 23 Jul 2019 13:28:44 +0200
Subject: [PATCH 3/3] man: document the modprobe hack for DeviceAllow=

---
 man/systemd.resource-control.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index e7b5dfbce6..1b5ac3e8e4 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -686,6 +686,18 @@ TTYs and all ALSA sound devices, respectively. char-cpu/* is a specifier matching all CPU related device groups. + + Note that whitelists defined this way should only reference device groups which are + resolvable at the time the unit is started. Any device groups not resolvable then are not added to + the device whitelist. In order to work around this limitation, consider extending service units + with an ExecStartPre=/sbin/modprobe… line that loads the necessary + kernel module implementing the device group if missing. Example: … +[Service] +ExecStartPre=-/sbin/modprobe -abq loop +DeviceAllow=block-loop +DeviceAllow=/dev/loop-control +… +