-rw-r--r-- | man/systemd.resource-control.xml | 12 | ||||
-rw-r--r-- | units/systemd-logind.service.in | 2 | ||||
-rw-r--r-- | units/systemd-nspawn@.service.in | 2 |
3 files changed, 16 insertions, 0 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index e7b5dfbce6..1b5ac3e8e4 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -686,6 +686,18 @@ TTYs and all ALSA sound devices, respectively. <literal>char-cpu/*</literal> is a specifier matching all CPU related device groups.</para>
+
+ <para>Note that whitelists defined this way should only reference device groups which are
+ resolvable at the time the unit is started. Any device groups not resolvable then are not added to
+ the device whitelist. In order to work around this limitation, consider extending service units
+ with an <command>ExecStartPre=/sbin/modprobe…</command> line that loads the necessary
+ kernel module implementing the device group if missing. Example: <programlisting>…
+[Service]
+ExecStartPre=-/sbin/modprobe -abq loop
+DeviceAllow=block-loop
+DeviceAllow=/dev/loop-control
+…</programlisting></para>
+
 </listitem> </varlistentry>
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 1b37290d4f..927f97e94e 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,6 +27,8 @@ DeviceAllow=char-drm rw
 DeviceAllow=char-input rw
 DeviceAllow=char-tty rw
 DeviceAllow=char-vcs rw
+# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
+ExecStartPre=-/sbin/modprobe -abq drm
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index c3194d4f21..2473a730b4 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
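Review bot: The new `ExecStartPre=-/sbin/modprobe -abq drm` line in systemd-logind.service.in runs inside logind's own service sandbox, and because it is prefixed with `-` and passes `-q`, a modprobe that cannot load the module there is silently ignored, leaving `DeviceAllow=char-drm rw` unresolved — the exact failure the commit is trying to prevent. The unit's hardening directives are outside this hunk, but if its capability bounding set lacks CAP_SYS_MODULE or ProtectKernelModules= is set, that is what will happen; the robust fix is to load drm from a separate, unsandboxed unit that this one pulls in with Wants=/After=, rather than widening logind's privileges to include module loading. The comment also has a typo: `# Make sure the DeviceAllow= lines above can work correctly when referencing char-drm`.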
@@ -16,6 +16,8 @@ After=network.target systemd-resolved.service
 RequiresMountsFor=/var/lib/machines
 [Service]
+# Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others)
+ExecStartPre=-/sbin/modprobe -abq tun loop dm-mod
 ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
 KillMode=mixed
 Type=notify |
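Review bot: `ExecStartPre=-/sbin/modprobe -abq tun loop dm-mod` loads three kernel modules on every container start whether or not the instance needs them, and with `-` plus `-q` a failed load never reaches the journal, so a missing module surfaces later only as an unexplained device-access denial. The loop and device-mapper modules are presumably only relevant for image-backed machines (the DeviceAllow= lines they back are below this hunk), so plain directory-tree containers add kernel attack surface for no benefit; if that trade-off is intended, say so, and consider dropping `-q` so at least a failed modprobe is logged. The comment's "(and others)" leaves the reader guessing which module serves which whitelist entry; make it explicit, e.g. `# Load the modules behind the DeviceAllow= lines below: tun (/dev/net/tun), loop (block-loop, /dev/loop-control), dm-mod (device-mapper)`.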