[systemd-devel] systemd-nspawn: access to disk devices does not work on centos 7/systemd 219

Mailing List SVR lists at svrinformatica.it
Wed Jan 16 21:03:59 UTC 2019


Il 16/01/19 19:24, Lennart Poettering ha scritto:
> On Mi, 16.01.19 09:20, Mailing List SVR (lists at svrinformatica.it) wrote:
>
>> Well, this command will make the sd devices readable inside the container on
>> centos 7 too
>>
>> echo 'b 8:* rw' > /sys/fs/cgroup/devices/machine.slice/machine-bionic\\x2druntime.scope/devices.allow
>>
>> now I'll search how to pass it to systemd-nspawn using a command line
>> argument
> Use --property=DeviceAllow=…

Thanks, but this does not seem to be available in systemd 219, the version 
shipped with CentOS 7; it fails with an unrecognized option error.

Newer systemd versions probably work out of the box because they have 
DevicePolicy=auto as the default,

so basically I ended up writing a systemd-nspawn wrapper that, launched 
from a systemd service, waits for 
/sys/fs/cgroup/devices/machine.slice/machine-<name>.scope to appear and 
then sets the required permissions in devices.allow.

If I use the reboot command inside the container, then the cgroup dir is 
recreated and the permissions are lost, since my wrapper is not called.

Luckily I can control the container, so I changed the reboot command 
so it shuts down the container instead, and I set Restart=always in the 
systemd service so the container is restarted automatically after the 
shutdown,

so the only way to shut down the container is using systemctl stop <my 
service>, but this is better than nothing.

Nicola

>
> Lennart
>
> --
> Lennart Poettering, Red Hat
>
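The wrapper Nicola describes (wait for the machine's scope cgroup to appear, then write the device rule into devices.allow) can be sketched as a small POSIX shell script. This is an added illustration, not the poster's script: the function names, the CGROUP_DEVICES_ROOT override (so the logic can be exercised against a scratch directory) and the timeout handling are assumptions, and the name escaping only covers the hyphen case shown in the post ("bionic-runtime" becoming "machine-bionic\x2druntime.scope"); on a real host `systemd-escape` does the full job. It targets the cgroup v1 devices controller that systemd 219 uses.

```shell
#!/bin/sh
# Hypothetical wrapper sketch (not the poster's actual script): wait for the
# container's scope cgroup to appear, then grant a device rule by writing it
# to devices.allow, as the post describes for systemd 219 on CentOS 7.

# Root of the cgroup v1 devices controller. Overridable so the logic can be
# exercised against a scratch directory instead of the live cgroup tree.
CGROUP_DEVICES_ROOT="${CGROUP_DEVICES_ROOT:-/sys/fs/cgroup/devices}"

# Escape a machine name the way systemd escapes unit names, for the hyphen
# case shown in the post ("bionic-runtime" -> "bionic\x2druntime").
# Assumption: on a real host use `systemd-escape`, which handles every
# character; this sed only rewrites '-'.
escape_machine_name() {
    printf '%s' "$1" | sed 's/-/\\x2d/g'
}

# Path of the scope cgroup that systemd creates for a registered machine.
scope_cgroup_path() {
    printf '%s/machine.slice/machine-%s.scope' \
        "$CGROUP_DEVICES_ROOT" "$(escape_machine_name "$1")"
}

# Wait up to $2 seconds (default 30) for the scope directory of machine $1.
# Returns 0 once it exists, 1 on timeout.
wait_for_scope() {
    _dir=$(scope_cgroup_path "$1")
    _tries=${2:-30}
    while [ "$_tries" -gt 0 ]; do
        [ -d "$_dir" ] && return 0
        sleep 1
        _tries=$(( _tries - 1 ))
    done
    return 1
}

# Add one device rule (e.g. 'b 8:* rw') to the machine's whitelist.
# devices.allow is the kernel's "append to whitelist" knob; the rule is
# only as broad as what you write, so keep it to the devices the container
# actually needs.
allow_device() {
    _dir=$(scope_cgroup_path "$1")
    [ -d "$_dir" ] || return 1
    printf '%s\n' "$2" > "$_dir/devices.allow"
}

# Entry point for the wrapper: wait for the scope, then apply the rule.
# Example (hypothetical invocation from the nspawn service):
#   allow_for_machine bionic-runtime 'b 8:* rw' 30
allow_for_machine() {
    wait_for_scope "$1" "${3:-30}" || {
        echo "scope cgroup for machine '$1' did not appear" >&2
        return 1
    }
    allow_device "$1" "$2"
}
```

Because the scope directory is recreated on a container reboot (the failure mode Nicola hit), the rule has to be re-applied whenever the scope reappears, which is why the wrapper is tied to the service lifecycle rather than run once.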
