d3650f0c4b
This way we know that any bridges and other user-created network devices are in place, and can be properly added to the container. In the long run this should be dropped, and replaced by direct calls inside nspawn that cause the devices to be created when necessary.
39 lines
1.1 KiB
SYSTEMD
39 lines
1.1 KiB
SYSTEMD
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Container %I
|
|
Documentation=man:systemd-nspawn(1)
|
|
PartOf=machines.target
|
|
Before=machines.target
|
|
After=network.target
|
|
|
|
[Service]
|
|
ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --machine=%I
|
|
KillMode=mixed
|
|
Type=notify
|
|
RestartForceExitStatus=133
|
|
SuccessExitStatus=133
|
|
Delegate=yes
|
|
|
|
# Enforce a strict device policy, similar to the one nspawn configures
|
|
# when it allocates its own scope unit. Make sure to keep these
|
|
# policies in sync if you change them!
|
|
DevicePolicy=strict
|
|
DeviceAllow=/dev/null rwm
|
|
DeviceAllow=/dev/zero rwm
|
|
DeviceAllow=/dev/full rwm
|
|
DeviceAllow=/dev/random rwm
|
|
DeviceAllow=/dev/urandom rwm
|
|
DeviceAllow=/dev/tty rwm
|
|
DeviceAllow=/dev/net/tun rwm
|
|
DeviceAllow=/dev/pts/ptmx rw
|
|
DeviceAllow=char-pts rw
|
|
|
|
[Install]
|
|
WantedBy=machines.target
|