diff options
Diffstat (limited to 'units/systemd-nspawn@.service.in')
| -rw-r--r-- | units/systemd-nspawn@.service.in | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index 3e26b53fd6..074b916d38 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in @@ -10,6 +10,7 @@ Description=Container %I Documentation=man:systemd-nspawn(1) PartOf=machines.target Before=machines.target +After=network.target [Service] ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --machine=%I @@ -17,7 +18,22 @@ KillMode=mixed Type=notify RestartForceExitStatus=133 SuccessExitStatus=133 +Slice=machine.slice Delegate=yes +# Enforce a strict device policy, similar to the one nspawn configures +# when it allocates its own scope unit. Make sure to keep these +# policies in sync if you change them! +DevicePolicy=strict +DeviceAllow=/dev/null rwm +DeviceAllow=/dev/zero rwm +DeviceAllow=/dev/full rwm +DeviceAllow=/dev/random rwm +DeviceAllow=/dev/urandom rwm +DeviceAllow=/dev/tty rwm +DeviceAllow=/dev/net/tun rwm +DeviceAllow=/dev/pts/ptmx rw +DeviceAllow=char-pts rw + [Install] WantedBy=machines.target |