# (at your option) any later version.
[Unit]
-Description=Container %i
+Description=Container %I
Documentation=man:systemd-nspawn(1)
+PartOf=machines.target
+Before=machines.target
+After=network.target
[Service]
-ExecStart=@bindir@/systemd-nspawn -bjD /var/lib/container/%i
+ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%I
+KillMode=mixed
Type=notify
+RestartForceExitStatus=133
+SuccessExitStatus=133
+Slice=machine.slice
+Delegate=yes
+
+# Enforce a strict device policy, similar to the one nspawn configures
+# when it allocates its own scope unit. Make sure to keep these
+# policies in sync if you change them!
+DevicePolicy=strict
+DeviceAllow=/dev/null rwm
+DeviceAllow=/dev/zero rwm
+DeviceAllow=/dev/full rwm
+DeviceAllow=/dev/random rwm
+DeviceAllow=/dev/urandom rwm
+DeviceAllow=/dev/tty rwm
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=/dev/pts/ptmx rw
+DeviceAllow=char-pts rw
+
+# nspawn itself needs access to /dev/loop-control and /dev/loop, to
+# implement the --image= option. Add these here, too.
+DeviceAllow=/dev/loop-control rw
+DeviceAllow=block-loop rw
+DeviceAllow=block-blkext rw
[Install]
-WantedBy=multi-user.target
+WantedBy=machines.target
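Review bot: The new ExecStart on line 11 passes `--settings=override`, which lets the machine's `.nspawn` settings file take precedence over the flags chosen here, so `--network-veth`, `--link-journal=try-guest` and the other command-line options are defaults rather than guarantees, while the `DevicePolicy=strict` / `DeviceAllow=` lines added below are enforced by the service manager and cannot be widened from that settings file. The new comment block only covers keeping the device list in sync with nspawn's own scope unit, so this asymmetry is undocumented. I would add above ExecStart: `# --settings=override lets the machine's .nspawn file override these flags; the DevicePolicy=/DeviceAllow= lines below are enforced by the manager regardless and remain the effective device boundary.` Which settings nspawn honours from a file stored next to the image versus one in the system configuration directory is documented in systemd.nspawn(5) and not visible in this hunk, so the wording should be checked against that page.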