[systemd-devel] systemd-nspawn trouble

Lennart Poettering lennart at poettering.net
Wed Apr 22 05:26:58 PDT 2015 

On Wed, 22.04.15 14:22, Michael Biebl (mbiebl at gmail.com) wrote:

> 2015-04-22 14:14 GMT+02:00 Lennart Poettering <lennart at poettering.net>:
> > On Wed, 22.04.15 14:09, Michael Biebl (mbiebl at gmail.com) wrote:
> >
> >> 2015-04-22 13:57 GMT+02:00 Lennart Poettering <lennart at poettering.net>:
> >> >> Maybe we should simply list the iptables kernel modules in
> >> >> src/core/kmod-setup, and then tell people to blacklist them if they
> >> >> really don't want them.
> >> >
> >> > I have made such a change now:
> >> >
> >> > http://cgit.freedesktop.org/systemd/systemd/commit/?id=1d3087978a8ee23107cb64aa55ca97aefe9531e2
> >>
> >> Not everyone is using networkd or nspawn though, so loading this
> >> module for everyone is a bit excessive.
> >
> > Well, then blacklist the module or don't build it at all.
> 
> That's the wrong way around.

Nah, I disagree. We do this for a number of modules now. I mean, we
load tons of modules automatically, even if you don't use them. For
example, my laptop always loads the bluetooth modules, even though I
never used bluetooth. 

We always load more kmods than strictly necessary, simply to ensure a
good user experience, and so we should do this in this case too. And
the blacklist is a good answer to give the user control, if he wants
to opt out of some modules.

(Also note that this is a non-issue on distros like Fedora, where the
kmod is built-in anyway.)

> 
> >> Why non let nspawn and networkd complain loudly if iptables support is missing?
> >> This would also be better in case you have a kernel compiled withouth
> >> iptables support.
> >
> > For the same reason that iptables doesn't complain loudly but loads
> > it. To be user-friendly and just make things work?
> 
> iptables loads it on-demand, If nspawn or networkd would load it
> on-demand, I would have no problem with it.

Well, I really don't want to give networkd the caps for that,
sorry. It's a network facing daemon, it should not be able to load
kernel modules.

Lennart

-- 
Lennart Poettering, Red Hat

More information about the systemd-devel mailing list