vmspawn: add template unit to start systemd-vmspawn -M

diff --git a/units/meson.build b/units/meson.build
index acfd8d1dcbee4d66cb13c75afd2b0ff0682fd8f7..0c971ef0bc4b5c8d004c7bee7b7a63b2c667c5be 100644 (file)
--- a/units/meson.build
+++ b/units/meson.build
@@ -436,6 +436,10 @@ units = [
           'conditions' : ['ENABLE_NETWORKD'],
         },
         { 'file' : 'systemd-nspawn@.service.in' },
+        {
+          'file' : 'systemd-vmspawn@.service.in',
+          'conditions' : ['ENABLE_VMSPAWN'],
+        },
         {
           'file' : 'systemd-oomd.service.in',
           'conditions' : ['ENABLE_OOMD'],

diff --git a/units/systemd-vmspawn@.service.in b/units/systemd-vmspawn@.service.in
new file mode 100644 (file)
index 0000000..6080020
--- /dev/null
+++ b/units/systemd-vmspawn@.service.in
@@ -0,0 +1,34 @@
+#  SPDX-License-Identifier: LGPL-2.1-or-later
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Virtual Machine %i
+Documentation=man:systemd-vmspawn(1)
+PartOf=machines.target
+Before=machines.target
+After=network.target modprobe@tun.service
+RequiresMountsFor=/var/lib/machines/%i
+
+[Service]
+ExecStart=systemd-vmspawn --quiet --network-tap --machine=%i
+KillMode=mixed
+Type=notify
+Slice=machine.slice
+
+{# Enforce a strict device policy. Make sure to keep these policies in sync if you change them! #}
+DevicePolicy=closed
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=char-pts rw
+
+# vmspawn itself needs access to /dev/kvm and /dev/vhost-vsock
+DeviceAllow=/dev/kvm rw
+DeviceAllow=/dev/vhost-vsock rw
+
+[Install]
+WantedBy=machines.target