[systemd-devel] systemd-nspawn trouble

Lennart Poettering lennart at poettering.net
Wed Apr 22 04:46:19 PDT 2015


On Tue, 21.04.15 22:43, Tobias Hunger (tobias.hunger at gmail.com) wrote:

> Hi!
> 
> Now that systemd 219 is finally available in arch I am playing with
> systemd-nspawn again.
> 
> I was trying to run "systemd-nspawn --ephemeral", but that failed
> since I had a read-only image in /var/lib/machines. Why is that not
> allowed? systemd-nspawn does create its own snapshot of that one after
> all (which can be read-write). Why does the base image have to be
> read-write, too?

Hmm? This shouldn't fail. What's the precise error message you get?

> Then I have trouble with "systemd-nspawn --network-veth": The host0
> interface won't come up and stays in degraded state. On the host I get
> the following line in the journal:
> 
> systemd-networkd[509]: ve-XXX     : Could not enable IP masquerading:
> Protocol not available
> 
> I have an nftables based firewall up and running, so maybe networkd is
> expecting iptables to be in use?

Most likely iptables is compiled as kernel module for you. The module
cannot be auto-loaded currently, iptables manually loads it for you on
first invocation, networkd doesn't. If you load it manually (by adding
it to modules-load.d for example) things should work.

I am not sure how to fix this best. I'd rather not have networkd gain
support for autoloading kernel modules. Also, it's unlikely to be
sufficient, given that nspawn can make use of the iptables bits as
well...

Maybe we should simply list the iptables kernel modules in
src/core/kmod-setup, and then tell people to blacklist them if they
really don't want them.

Lennart

-- 
Lennart Poettering, Red Hat
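As an added example (not from this thread or from systemd itself): a POSIX shell check for the workaround described above, which reports the iptables NAT modules that are not loaded and renders a modules-load.d fragment for them. It assumes the module names iptable_nat and ipt_MASQUERADE, which the thread does not name, and runs against a constructed /proc/modules sample so it works offline.

```shell
#!/bin/sh
# Added example, not code from the thread: detect the netfilter modules
# that networkd needs for IP masquerading on a veth and render a
# modules-load.d fragment for the ones that are missing.
# ASSUMPTION: the classic iptables NAT module names are used here
# (iptable_nat, ipt_MASQUERADE); newer kernels ship xt_MASQUERADE instead.
REQUIRED_MODULES="iptable_nat ipt_MASQUERADE"

# Print the required modules absent from a /proc/modules-style listing
# (the first field of every line is the module name).
missing_modules() {
    proc_modules="$1"
    for mod in $REQUIRED_MODULES; do
        if ! awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$proc_modules"; then
            echo "$mod"
        fi
    done
}

# Render a modules-load.d fragment (one module per line) so that
# systemd-modules-load.service loads them at boot, before networkd starts.
render_fragment() {
    printf '# Netfilter modules needed for networkd/nspawn IP masquerading\n'
    for mod in "$@"; do
        printf '%s\n' "$mod"
    done
}

# Constructed sample of /proc/modules: the nat table is loaded, the
# MASQUERADE target module is not.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
iptable_nat 16384 0 - Live 0x0000000000000000
nf_nat 40960 1 iptable_nat, Live 0x0000000000000000
x_tables 45056 1 iptable_nat, Live 0x0000000000000000
EOF

missing=$(missing_modules "$SAMPLE")
rm -f "$SAMPLE"
if [ -n "$missing" ]; then
    # On a real host this output would go to /etc/modules-load.d/nat.conf
    render_fragment $missing
fi
```

On a real machine, replace the constructed sample with /proc/modules and redirect the fragment into /etc/modules-load.d/.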


More information about the systemd-devel mailing list