From: Lennart Poettering Date: Tue, 23 Jul 2019 11:28:44 +0000 (+0200) Subject: man: document the modprobe hack for DeviceAllow= X-Git-Tag: v243-rc1~39^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F13144%2Fhead;p=thirdparty%2Fsystemd.git man: document the modprobe hack for DeviceAllow= --- diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index e7b5dfbce67..1b5ac3e8e45 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -686,6 +686,18 @@ TTYs and all ALSA sound devices, respectively. char-cpu/* is a specifier matching all CPU related device groups. + + Note that whitelists defined this way should only reference device groups which are + resolvable at the time the unit is started. Any device groups not resolvable then are not added to + the device whitelist. In order to work around this limitation, consider extending service units + with an ExecStartPre=/sbin/modprobe… line that loads the necessary + kernel module implementing the device group if missing. Example: … +[Service] +ExecStartPre=-/sbin/modprobe -abq loop +DeviceAllow=block-loop +DeviceAllow=/dev/loop-control +… +
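Review bot: In the added paragraph, the prose recommends an `ExecStartPre=/sbin/modprobe…` line while the example uses `ExecStartPre=-/sbin/modprobe -abq loop`, and the text never explains the difference. With the `-` prefix on the command and `-q` passed to modprobe, a failed module load is ignored and produces no error output, so the unit still starts and, per the first two sentences of the same paragraph, `block-loop` is silently left out of the device whitelist. Suggest saying so explicitly: state that the `-` prefix is intentional, that on failure the device group is simply not whitelisted rather than unit start-up failing, and either make the inline `ExecStartPre=` text match the example or explain why they differ. The term "resolvable" is also left undefined in this paragraph; a short clause saying what makes a device group resolvable at unit start would tell readers when the workaround is needed.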