This repository has been archived by the owner on Jan 4, 2022. It is now read-only.
pkg/nspawntool: use transient scope to fix device cgroups issues #328
Starting from systemd v239, it's no longer possible to create device nodes inside systemd-nspawn containers, because systemd-nspawn creates sub-cgroups for each machine slice under `/sys/fs/cgroup/devices`. To make docker containers inside nspawn containers capable of creating devices, we need a workaround. Let's pass `--keep-unit` to systemd-nspawn, and call `systemd-run --scope` for using the cni-spawn wrapper. Then the transient scope gets created with a proper `DevicePolicy` property for each invocation, printing out the CNI result to stdout like before. That way, we can avoid dealing with additional unit files to allow device creation.

Fixes #324
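As an added illustration (not the repository's own cni-spawn wrapper), the following sketch composes the invocation described above and reads back the device policy that ended up on the scope; the unit name, container directory and DevicePolicy/DeviceAllow values are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not kube-spawn's cni-spawn code. The unit name, the container
# directory and the policy values below are placeholders for illustration.

# Compose the command line: systemd-run --scope creates a transient scope that
# owns the cgroup and carries the device policy, and systemd-nspawn runs inside
# it with --keep-unit, so it does not create a sub-cgroup of its own under
# /sys/fs/cgroup/devices. DeviceAllow rules keep the policy narrow instead of
# opening every device node to the container.
build_spawn_cmd() {
    unit="$1"      # e.g. kube-spawn-node0 (assumed name)
    dir="$2"       # container root directory
    policy="$3"    # DevicePolicy value: auto, closed or strict
    shift 3
    allow=""
    for rule in "$@"; do            # remaining args are DeviceAllow rules
        allow="$allow -p \"DeviceAllow=$rule\""
    done
    printf '%s\n' "systemd-run --scope --unit=$unit -p DevicePolicy=$policy$allow -- systemd-nspawn --keep-unit -D $dir -b"
}

# Read the policy actually applied to the running scope, so an operator can
# confirm the container landed in the transient scope and not in an
# nspawn-created sub-cgroup. Needs a live systemd; not exercised offline.
scope_device_policy() {
    systemctl show --value -p DevicePolicy "$1.scope"
}

# Classify a DevicePolicy value: "closed" and "strict" only admit what
# DeviceAllow lists, while "auto" (systemd's default) permits all device
# access unless DeviceAllow entries are present.
policy_is_restrictive() {
    case "$1" in
        closed|strict) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    build_spawn_cmd kube-spawn-node0 /var/lib/kube-spawn/node0 closed "/dev/null rwm" "/dev/zero rwm"
fi
```

When reviewing such a wrapper, check the value `scope_device_policy` returns for the real scope: a scope left at `auto` with no DeviceAllow rules removes the device restriction entirely, which is broader than the PR needs.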