This repository has been archived by the owner on Jan 4, 2022. It is now read-only.
pkg/nspawntool: use transient scope to fix device cgroups issues #328
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Starting from systemd v239, it's no more possible to create device nodes inside systemd-nspawn containers, because systemd-nspawn creates subcgroups for each machine slice under `/sys/fs/cgroup/devices`. To make docker containers inside nspawn containers capable of creating devices, we need to do workaround. Let's pass `--keep-unit` to systemd-nspawn, and call `systemd-run --scope` for using the cni-spawn wrapper. Then the transient scope gets created with a proper `DevicePolicy` property for each invocation, printing out the CNI result to stdout like before. That way, we can avoid dealing with additional unit files to allow device creation. Fixes #324
This was referenced Nov 20, 2018
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Starting from systemd v239, it's no more possible to create device nodes inside systemd-nspawn containers, because systemd-nspawn creates subcgroups for each machine slice under
/sys/fs/cgroup/devices.To make docker containers inside nspawn containers capable of creating devices, we need to do workaround. Let's pass
--keep-unitto systemd-nspawn, and callsystemd-run --scopefor using the cni-spawn wrapper. Then the transient scope gets created with a properDevicePolicyproperty for each invocation, printing out the CNI result to stdout like before. That way, we can avoid dealing with additional unit files to allow device creation.Fixes #324