On 16/01/19 19:24, Lennart Poettering wrote:
> On Mi, 16.01.19 09:20, Mailing List SVR (lists@xxxxxxxxxxxxxxxxx) wrote:
>
> > Well, this command will make the sd devices readable inside the container on
> > centos 7 too
> >
> > echo 'b 8:* rw' > /sys/fs/cgroup/devices/machine.slice/machine-bionic\\x2druntime.scope/devices.allow
> >
> > now I'll search how to pass to systemd-nspawn using a command line
> > argument
>
> Use --property=DeviceAllow=…
thanks but this does not seem to be available in systemd 219, the version
shipped with centos 7, it fails with an unrecognized option error.
Newer systemd versions work out of the box probably because they have
DevicePolicy=auto as default,
so basically I ended up writing a systemd-nspawn wrapper that, launched
from a systemd service, waits for
/sys/fs/cgroup/devices/machine.slice/machine-<name>.scope to appear and
then sets the required permissions in devices.allow.
If I use the reboot command inside the container then the cgroup dir is
recreated and the permissions are lost since my wrapper is not called.
Luckily I can control the container, so I changed the reboot command
so that it shuts down the container instead, and I set Restart=always in the
systemd service so the container is restarted automatically after the
shutdown,
so the only way to shut down the container is using systemctl stop <my
service>, but this is better than nothing,
Nicola
> Lennart
>
> --
> Lennart Poettering, Red Hat
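The wrapper Nicola describes, written out as an added example (this is not his code and not part of the original thread): it assumes the cgroup v1 devices controller path of CentOS 7, takes the machine name and the rule as arguments, and refuses anything that is not a well-formed `b`/`c` rule; listing specific minor numbers instead of `8:*` is what least privilege would call for.

```shell
#!/bin/sh
# Added illustration of the wrapper Nicola describes (not his code): run from a
# systemd service, wait for the container's machine scope to appear under the
# cgroup v1 devices controller (CentOS 7 layout), then write the devices.allow
# rule. Container name and rule are assumed to arrive as arguments.

# Build the scope directory path; systemd escapes '-' in unit names as \x2d.
scope_dir_for() {
    esc=$(printf '%s' "$1" | sed 's/-/\\x2d/g')
    printf '%s\n' "/sys/fs/cgroup/devices/machine.slice/machine-${esc}.scope"
}

# Poll for a directory for up to $2 seconds (default 30); returns 1 on timeout.
wait_for_dir() {
    dir=$1; timeout=${2:-30}; waited=0
    while [ ! -d "$dir" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    return 0
}

# Accept only well-formed block/char rules (the catch-all type 'a' is refused
# on purpose, so a typo cannot hand the container every device on the host).
valid_device_rule() {
    printf '%s\n' "$1" | grep -Eq '^[bc] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$'
}

# Append one rule to devices.allow of the given cgroup directory.
apply_device_rule() {
    cgdir=$1; rule=$2
    valid_device_rule "$rule" || return 2
    [ -d "$cgdir" ] || return 1
    printf '%s\n' "$rule" > "$cgdir/devices.allow"
}

# Usage: nspawn-devices.sh <machine-name> '<rule>' [timeout-seconds]
main() {
    cgdir=$(scope_dir_for "$1")
    wait_for_dir "$cgdir" "${3:-30}" || { echo "timeout waiting for $cgdir" >&2; return 1; }
    apply_device_rule "$cgdir" "$2"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then main "$@"; fi
```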
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel