[systemd-devel] systemd-nspawn trouble

Tobias Hunger tobias.hunger at gmail.com
Fri Apr 24 16:44:51 PDT 2015


By the way: Is there a way to get the journal from a --ephemeral container?

I had expected --link-journal=host to work, but --link-journal seems
to not be allowed in any way.

On Sat, Apr 25, 2015 at 12:14 AM, Tobias Hunger <tobias.hunger at gmail.com> wrote:
> Hello,
>
> sorry (again) for the delay. I unfortunately can not check into this
> as often as I would like:-(
>
> Lennart: Thank you for that patch, that does indeed fix my issue with
> read-only machine images.
>
> The networking issue does work better when iptables are used. All I
> needed to do was to make sure that packages from the VM are not
> getting dropped in the forwarding chain. Is there a way for me to do
> that automatically as interfaces to containers are created? I do not
> want to just accept every machine talking to everything else.
> Paranoia:-)
>
> What I noticed though is that the VM has the google nameservers set
> up. That came as a bit of a surprise: I had expected either the host
> to be the only DNS server registered (providing a DNS proxy) or at least
> that the nameservers of the host will also be set in the VM. Is that a
> known issue or are my expectations wrong?
>
> Best Regards,
> Tobias
>
>
> On Wed, Apr 22, 2015 at 5:00 PM, Lennart Poettering
> <lennart at poettering.net> wrote:
>> On Wed, 22.04.15 16:31, Tobias Hunger (tobias.hunger at gmail.com) wrote:
>>
>>> On Wed, Apr 22, 2015 at 4:04 PM, Lennart Poettering
>>> <lennart at poettering.net> wrote:
>>> > Well, if that's what it says, then yes. We can certainly add support
>>> > for manipulating nft too, but so far the APIs for that appeared much
>>> > less convincing to me, and quite a bit more exotic.
>>>
>>> The user space tools for nft are much nicer than iptables, so I think
>>> they do provide a significant benefit. I would appreciate not having
>>> to go back to iptables:-)
>>>
>>> The exact command line I am running is this (straight out of systemctl
>>> cat systemd-nspawn at vm.service, *THANKS* to whoever implemented that!):
>>>
>>> ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --ephemeral \
>>>     --machine=vm \
>>>     --network-veth \
>>>     --bind=/mnt/raid0/data/ftp:/mnt/ftp
>>>
>>> /var/lib/machines is a normal read-write btrfs snapshot. vm is a
>>> read-only snapshot.
>>>
>>> It starts fine when vm is read-write.
>>
>> OK, I think I fixed this now, please check:
>>
>> http://cgit.freedesktop.org/systemd/systemd/commit/?id=aee327b8169670986f6a48acbd5ffe1355bfcf27
>>
>> Lennart
>>
>> --
>> Lennart Poettering, Red Hat
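As an added example (not from the thread and not systemd's own code): the forwarding-chain question above can be answered with an nftables ruleset on the host that lets every --network-veth container reach the uplink but never another container. It assumes the host-side veth interfaces follow systemd-nspawn's default ve-<machine> naming and takes the uplink interface name as a parameter (eth0 below is a placeholder). Because nft matches interface names by wildcard, the ruleset covers interfaces created later and no per-interface hook is needed.

```shell
#!/bin/sh
# Added example: nftables forward policy for systemd-nspawn veth containers.
# Assumptions: host-side interfaces are named ve-<machine> (nspawn default);
# the uplink name is supplied by the caller ("eth0" is only a placeholder);
# the installed nft supports wildcard interface names ("ve-*").

# Emit a ruleset with a default-drop forward chain. Containers get new flows
# to the uplink only and replies to known flows; container-to-container
# forwarding on the host is refused.
gen_container_ruleset() {
    uplink="$1"
    cat <<EOF
table inet container_fwd {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to flows the host already tracks
        ct state established,related accept

        # containers may not forward traffic to one another
        iifname "ve-*" oifname "ve-*" drop

        # new flows from any container go to the uplink only
        iifname "ve-*" oifname "$uplink" ct state new accept
    }
}
EOF
}

# Number of rule lines that reference the uplink; a cheap sanity check on
# the generated text before it is applied.
count_uplink_rules() {
    gen_container_ruleset "$1" | grep -c "oifname \"$1\""
}

# Load the ruleset atomically with nft; refuses to run without nft or root.
apply_container_ruleset() {
    uplink="$1"
    command -v nft >/dev/null 2>&1 || { echo "nft not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    gen_container_ruleset "$uplink" | nft -f -
}

# Usage: sh container-fwd.sh apply eth0
if [ "${1:-}" = "apply" ]; then
    apply_container_ruleset "${2:-eth0}"
fi
```

Reloading the generated text with `nft -f -` replaces the whole table in one transaction, so a container that starts while the rules are being refreshed is never briefly unfiltered.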