units/systemd-nspawn@.service.in - systemd-stable - Rivoreo Source Code Repositories

 #  SPDX-License-Identifier: LGPL-2.1+
 #
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU Lesser General Public License as published by
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

 [Unit]
 Description=Container %i
 Documentation=man:systemd-nspawn(1)
 PartOf=machines.target
 Before=machines.target
 After=network.target systemd-resolved.service
 RequiresMountsFor=/var/lib/machines

 [Service]
 # Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others)
 ExecStartPre=-/sbin/modprobe -abq tun loop dm-mod
 ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
 KillMode=mixed
 Type=notify
 RestartForceExitStatus=133
 SuccessExitStatus=133
 Slice=machine.slice
 Delegate=yes
 TasksMax=16384
 @SERVICE_WATCHDOG@

 # Enforce a strict device policy, similar to the one nspawn configures when it
 # allocates its own scope unit. Make sure to keep these policies in sync if you
 # change them!
 DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=char-pts rw

 # nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
 # the --image= option. Add these here, too.
 DeviceAllow=/dev/loop-control rw
 DeviceAllow=block-loop rw
 DeviceAllow=block-blkext rw

 # nspawn can set up LUKS encrypted loopback files, in which case it needs
 # access to /dev/mapper/control and the block devices /dev/mapper/*.
 DeviceAllow=/dev/mapper/control rw
 DeviceAllow=block-device-mapper rw

 [Install]
 WantedBy=machines.target
	# SPDX-License-Identifier: LGPL-2.1+
	#
	# This file is part of systemd.
	#
	# systemd is free software; you can redistribute it and/or modify it
	# under the terms of the GNU Lesser General Public License as published by
	# the Free Software Foundation; either version 2.1 of the License, or
	# (at your option) any later version.

	[Unit]
	Description=Container %i
	Documentation=man:systemd-nspawn(1)
	PartOf=machines.target
	Before=machines.target
	After=network.target systemd-resolved.service
	RequiresMountsFor=/var/lib/machines

	[Service]
	# Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others)
	ExecStartPre=-/sbin/modprobe -abq tun loop dm-mod
	ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
	KillMode=mixed
	Type=notify
	RestartForceExitStatus=133
	SuccessExitStatus=133
	Slice=machine.slice
	Delegate=yes
	TasksMax=16384
	@SERVICE_WATCHDOG@

	# Enforce a strict device policy, similar to the one nspawn configures when it
	# allocates its own scope unit. Make sure to keep these policies in sync if you
	# change them!
	DevicePolicy=closed
	DeviceAllow=/dev/net/tun rwm
	DeviceAllow=char-pts rw

	# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
	# the --image= option. Add these here, too.
	DeviceAllow=/dev/loop-control rw
	DeviceAllow=block-loop rw
	DeviceAllow=block-blkext rw

	# nspawn can set up LUKS encrypted loopback files, in which case it needs
	# access to /dev/mapper/control and the block devices /dev/mapper/*.
	DeviceAllow=/dev/mapper/control rw
	DeviceAllow=block-device-mapper rw

	[Install]
	WantedBy=machines.target