Lines Matching refs:of
13 systemd has a number of interfaces for interacting with container managers,
14 when systemd is used inside of an OS container. If you work on a container
33 (It's OK to mount `/sys/` as `tmpfs` btw, and only mount a subset of its
59 container (see above). Various clients of `systemd-udevd` also check the
60 read-only state of `/sys/`, including PID 1 itself and `systemd-networkd`.
72 "upper" parts of the hierarchies read-only, and only allow write-access to
74 all controller hierarchies with the exception of `name=systemd` fully read-only
75 (this only applies to cgroupv1, of course), to protect the controllers from
77 cgroup sub-tree of the container itself (on cgroupv2 in the unified
81 7. Create the control group root of your container by either running your
86 it. This ensures that the unit you created will be part of all cgroup
89 cgroup path systemd put your process in for all operations of the container.
90 Do not add new cgroup directories to the top of the tree. This will not only
104 enabled if `/etc/machine-id` is empty (i.e. not yet set) at boot time of the
107 to the effect of `qemu`'s `-uuid` switch). Note that you should pass only a
119 should take a space separated list of pty names, without the leading `/dev/`
121 variable's name you may only specify ptys, and not other types of ttys. Also
130 4. To allow applications to detect the OS version and other metadata of the host
161 More precisely, link `/var/log/journal/<container-machine-id>` of the
162 container into the same dir of the host. Administrators can then
174 the container manager should be capable of being run as a systemd
175 service. It will then receive the sockets starting with FD 3, the number of
183 further details see the explanations of
188 5. Container managers should stay away from the cgroup hierarchy outside of the
189 unit they created for their container. That's private property of systemd,
196 make use of this functionality. (Also see information about
201 1. Inside of a container, if a `veth` link is named `host0`, `systemd-networkd`
202 running inside of the container will by default run DHCPv4, DHCPv6, and
207 2. Outside of a container, if a `veth` link is prefixed "ve-", `systemd-networkd`
213 devices, for example hashed out of the container names. That way it is more
228 mounts to establish in the container, for the implementation of `machinectl
237 `blk`. These nodes correspond with the six types of file nodes Linux knows
238 (with the exception of symlinks). Each node should be of the specific type
240 types should have major and minor of zero (which are unallocated devices on
242 `InaccessiblePath=` setting of unit files, i.e. file nodes to mask this way
257 4. The `/run/host/os-release` file contains the `/etc/os-release` file of the
259 information about the host environment, on top of what `uname -a` reports.
279 version of `/dev/`. To set this up systemd in the container needs this
283 device nodes the container can create instead of taking away the capability
286 2. Do not drop `CAP_SYS_ADMIN` from the container. A number of the most
292 services that make use of these options if you drop the capability. Also
301 subsystem consists of all the devices `/dev/tty*`, `/dev/vcs*`, `/dev/vcsa*`
309 container. Device access (with the exception of network devices) is not
310 virtualized on Linux. Enumeration and probing of meta information from
316 6. Don't mount only a sub-tree of the `cgroupfs` into the container. This will not
326 ownership. Multiple other subsystems of systemd similarly test for `/sys/`
330 read-only state of `/sys/` enables a nice automatism: as soon as `/sys/` and
332 payload can make use of that, simply by marking `/sys/` writable. (Note that
335 sub-directories of `/sys/` writable, but make sure to leave the root of
339 capabilities to the container, in particular not to those making use of user
342 actual attempt to make use of the audit subsystem will fail. Note that
358 host and container, and hence `RLIMIT_NPROC` and so of the container users
360 hole, and actually is a real-life problem: since Avahi sets `RLIMIT_NPROC` of
370 services using these settings (which include many of systemd's own) will hence
385 tree. It generally is not. Hence check the environment block of PID 1, not your
392 out-of-the-box in containers. In fact we are interested to ensure that the same
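The snippets above touch several points a container manager and a payload's PID 1 have to agree on: the `container=`, `container_uuid=` and `container_ttys=` variables that must be read from PID 1's environment block rather than a service's own, the read-only state of `/sys/` that `systemd-udevd` and its clients test for, and the `/run/host/inaccessible/` nodes that back `InaccessiblePath=`. The following self-check is an added example, not systemd's own code and not part of the document these lines come from. The helper names are mine, the sample environment block and `mountinfo` text in the test are constructed, and the six node names and the 0000 access mode are taken from the full interface document (this page only quotes `blk`).

```python
"""Container-interface self-check (added example, not systemd code).

Checks the interface points quoted on this page from inside a container:
the environment block the manager hands PID 1, the read-only state of
/sys/, and the shape of the /run/host/inaccessible/ nodes.
Helper names and sample inputs are my own, not systemd's.
"""
import os
import re
import stat
import uuid
from typing import Dict, List, Optional


def parse_environ_block(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ style NUL-separated KEY=VALUE block."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skips the empty trailing entry and malformed ones
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def read_pid1_environ() -> Dict[str, str]:
    """The manager sets container_* on PID 1 only; they are not necessarily
    inherited, so read /proc/1/environ instead of os.environ."""
    with open("/proc/1/environ", "rb") as f:
        return parse_environ_block(f.read())


def container_uuid(env: Dict[str, str]) -> Optional[uuid.UUID]:
    """container_uuid as a UUID, or None if unset. It may seed /etc/machine-id,
    so a malformed value or the nil UUID is rejected (my choice)."""
    raw = env.get("container_uuid")
    if raw is None:
        return None
    value = uuid.UUID(raw)  # ValueError on anything that is not a UUID
    if value.int == 0:
        raise ValueError("container_uuid must not be the nil UUID")
    return value


_PTY_NAME = re.compile(r"^pts/[0-9]+$")  # pty names only, no leading /dev/


def container_ttys(env: Dict[str, str]) -> List[str]:
    """Space-separated pty names from container_ttys; other tty types and
    names carrying a /dev/ prefix are rejected."""
    names = env.get("container_ttys", "").split()
    bad = [n for n in names if not _PTY_NAME.match(n)]
    if bad:
        raise ValueError("container_ttys: not a bare pty name: " + " ".join(bad))
    return names


def sys_is_read_only(mountinfo: str) -> Optional[bool]:
    """Read-only state of /sys from /proc/self/mountinfo text. Field 6 is the
    per-mount option list, so a read-only bind mount shows 'ro' there even
    when the sysfs superblock is 'rw'. None means /sys is not mounted."""
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[4] == "/sys":
            return "ro" in fields[5].split(",")
    return None


def sys_is_read_only_live() -> bool:
    """Same check via statvfs(); ST_RDONLY covers read-only bind mounts too."""
    return bool(os.statvfs("/sys").f_flag & os.ST_RDONLY)


# One node per file type Linux knows, symlinks excepted (names from the full
# interface document; this page only quotes "blk").
INACCESSIBLE_NODES = {
    "reg": stat.S_ISREG, "dir": stat.S_ISDIR, "fifo": stat.S_ISFIFO,
    "sock": stat.S_ISSOCK, "chr": stat.S_ISCHR, "blk": stat.S_ISBLK,
}


def check_inaccessible_nodes(root: str = "/run/host/inaccessible") -> List[str]:
    """Deviations of root/<name> from what InaccessiblePath= expects: the right
    type, major/minor 0 for chr and blk (an unallocated device), and access
    mode 0000 (assumed from the full document). Empty list means all is well."""
    problems: List[str] = []
    for name, is_type in INACCESSIBLE_NODES.items():
        path = os.path.join(root, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append(f"{name}: missing")
            continue
        if not is_type(st.st_mode):
            problems.append(f"{name}: wrong file type")
        if name in ("chr", "blk") and st.st_rdev != 0:
            problems.append(f"{name}: major/minor must be 0")
        if stat.S_IMODE(st.st_mode) != 0:
            problems.append(f"{name}: access mode should be 0000")
    return problems


if __name__ == "__main__":
    env = read_pid1_environ()
    print("manager:", env.get("container"), "uuid:", container_uuid(env),
          "ttys:", container_ttys(env))
    with open("/proc/self/mountinfo") as f:
        print("/sys read-only:", sys_is_read_only(f.read()))
    print("inaccessible node problems:", check_inaccessible_nodes() or "none")
```

Run it as any user inside the container; only the `/run/host/inaccessible/chr` and `blk` nodes need root to create, not to inspect. The `mountinfo` parser and the `statvfs()` check answer the same question; the former is handy when you are looking at a captured `mountinfo` from another container rather than your own.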