Merge pull request #13144 from poettering/nspawn-modprobe

nspawn modprobe fixes

man/systemd.resource-control.xml

@@ -686,6 +686,18 @@
           TTYs and all ALSA sound devices,
           respectively. <literal>char-cpu/*</literal> is a specifier
           matching all CPU related device groups.</para>
+
+          <para>Note that whitelists defined this way should only reference device groups which are
+          resolvable at the time the unit is started. Any device groups not resolvable then are not added to
+          the device whitelist. In order to work around this limitation, consider extending service units
+          with an <command>ExecStartPre=/sbin/modprobe…</command> line that loads the necessary
+          kernel module implementing the device group if missing. Example: <programlisting>…
+[Service]
+ExecStartPre=-/sbin/modprobe -abq loop
+DeviceAllow=block-loop
+DeviceAllow=/dev/loop-control
+…</programlisting></para>
+
         </listitem>
       </varlistentry>
 

units/systemd-logind.service.in

@@ -27,6 +27,8 @@ DeviceAllow=char-drm rw
 DeviceAllow=char-input rw
 DeviceAllow=char-tty rw
 DeviceAllow=char-vcs rw
+# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
+ExecStartPre=-/sbin/modprobe -abq drm
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any

units/systemd-nspawn@.service.in

@@ -16,6 +16,8 @@ After=network.target systemd-resolved.service
 RequiresMountsFor=/var/lib/machines
 
 [Service]
+# Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others)
+ExecStartPre=-/sbin/modprobe -abq tun loop dm-mod
 ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
 KillMode=mixed
 Type=notify