[Unit]
Description=Container %i
Documentation=man:systemd-nspawn(1)
+Wants=modprobe@tun.service modprobe@loop.service modprobe@dm-mod.service
PartOf=machines.target
Before=machines.target
-After=network.target systemd-resolved.service
-RequiresMountsFor=/var/lib/machines
+After=network.target systemd-resolved.service modprobe@tun.service modprobe@loop.service modprobe@dm-mod.service
+RequiresMountsFor=/var/lib/machines/%i
[Service]
-ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
+# Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others)
+ExecStart=systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
KillMode=mixed
Type=notify
RestartForceExitStatus=133
SuccessExitStatus=133
-WatchdogSec=3min
Slice=machine.slice
Delegate=yes
TasksMax=16384
+@SERVICE_WATCHDOG@
# Enforce a strict device policy, similar to the one nspawn configures when it
# allocates its own scope unit. Make sure to keep these policies in sync if you