From d5de7131a0c9b78e922638b4cf3fdcc20a80f7bf Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 21 Jan 2024 15:53:44 -0600 Subject: [PATCH] r/vmhost: Remove system call filters from unit The `vm-autostart` script fails with `bad system call` errors when trying to start libvirt domains. Removing the system call filters works around this. Ideally, we should figure out exactly which system call is being rejected and allow it, but that's rather difficult to do and probably not really worth the effort in this case. --- roles/vmhost/files/vm-autostart.service | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/vmhost/files/vm-autostart.service b/roles/vmhost/files/vm-autostart.service index 9c7cd79..3d9055d 100644 --- a/roles/vmhost/files/vm-autostart.service +++ b/roles/vmhost/files/vm-autostart.service @@ -37,8 +37,6 @@ RestrictNamespaces=yes RestrictRealtime=yes RestrictSUIDSGID=yes SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources UMask=0027 [Install]