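# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# Template service for booting a systemd-nspawn container. %i is the instance
# name, i.e. the container directory below /var/lib/machines/.
# @SERVICE_WATCHDOG@ is a build-time placeholder, replaced when this template is
# processed; it is not valid unit syntax on its own.

[Unit]
Description=Container %i
Documentation=man:systemd-nspawn(1)
# Load the tun, loop and dm-mod kernel modules before the container starts, so
# that the DeviceAllow= lines in [Service] can resolve the 'block-loop' and
# 'block-device-mapper' expressions (and others).
Wants=modprobe@tun.service modprobe@loop.service modprobe@dm-mod.service
# Stop together with machines.target, and be ordered before it.
PartOf=machines.target
Before=machines.target
After=network.target systemd-resolved.service modprobe@tun.service modprobe@loop.service modprobe@dm-mod.service
# The container tree must be mounted before it is booted.
RequiresMountsFor=/var/lib/machines/%i

[Service]
# --keep-unit: nspawn runs inside this service unit instead of registering its
#   own scope, so the device policy it would otherwise apply to that scope must
#   be declared here (see DevicePolicy= below).
# -U: user namespacing with an automatically picked UID range, when the kernel
#   supports it.
# --settings=override: the per-container .nspawn file takes precedence over the
#   options given here. NOTE(review): which locations privileged settings are
#   honoured from is governed by the --settings= mode; confirm against
#   systemd-nspawn(1) before relaxing it.
ExecStart=systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
# On stop only nspawn itself gets SIGTERM, so it can shut the container down
# cleanly; whatever remains in the cgroup is killed afterwards.
KillMode=mixed
Type=notify
# nspawn exits with 133 when the container requested a reboot: count that as
# success and force a restart so the container comes back up.
RestartForceExitStatus=133
SuccessExitStatus=133
Slice=machine.slice
# Hand the cgroup subtree over to the container's own init.
Delegate=yes
# Upper bound on tasks in the container's cgroup, so a runaway workload or
# fork bomb inside the container cannot exhaust the host's PID space.
TasksMax=16384
@SERVICE_WATCHDOG@

# Enforce a strict device policy, similar to the one nspawn configures when it
# allocates its own scope unit. Make sure to keep these policies in sync if you
# change them! The allow-list applies to every process in the unit's cgroup,
# including the container payload.
DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
DeviceAllow=char-pts rw

# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
# the --image= option. Add these here, too.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw

# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw

[Install]
# Enabling an instance starts it as part of machines.target.
WantedBy=machines.target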