author: Lennart Poettering <lennart@poettering.net> 2019-07-23 13:28:44 +0200
committer: Lennart Poettering <lennart@poettering.net> 2019-07-23 13:30:56 +0200
commit: 00d85bbb608a0a9b098b606dddb499e868c2dc1e (patch)
tree: cd67fea79700e99cd3c4b6f26513f6b21055b795 /man
parent: 11aa16bb359ded91d68ff5f48fecfafa2a15d3b0 (diff)
man: document the modprobe hack for DeviceAllow=
Diffstat (limited to 'man')
-rw-r--r-- man/systemd.resource-control.xml 12
1 files changed, 12 insertions, 0 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index e7b5dfbce6..1b5ac3e8e4 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -686,6 +686,18 @@
TTYs and all ALSA sound devices,
respectively. <literal>char-cpu/*</literal> is a specifier
matching all CPU related device groups.</para>
+
+ <para>Note that whitelists defined this way should only reference device groups which are
+ resolvable at the time the unit is started. Any device groups not resolvable then are not added to
+ the device whitelist. In order to work around this limitation, consider extending service units
+ with an <command>ExecStartPre=/sbin/modprobe…</command> line that loads the necessary
+ kernel module implementing the device group if missing. Example: <programlisting>…
+[Service]
+ExecStartPre=-/sbin/modprobe -abq loop
+DeviceAllow=block-loop
+DeviceAllow=/dev/loop-control
+…</programlisting></para>
+
</listitem>
</varlistentry>
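Review bot: The example line "ExecStartPre=-/sbin/modprobe -abq loop" ignores a modprobe failure (the leading "-") and silences it ("-q"), but the new paragraph does not say what happens then. By the paragraph's own rule, "Any device groups not resolvable then are not added to the device whitelist", so the service would start without the block-loop entry and with nothing in the log to explain it. Please add a sentence saying that with this form a failed module load leaves the group out of the whitelist without an error, so that readers who need the access to be guaranteed know to drop the "-" prefix or check for the device themselves. A smaller point: the inline text shows "ExecStartPre=/sbin/modprobe…" without the "-" prefix that the example listing uses, so the two should be made consistent.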