[systemd-devel] systemd-nspawn trouble

Tobias Hunger tobias.hunger at gmail.com
Wed Apr 22 06:12:03 PDT 2015


Hi Lennart,

On Wed, Apr 22, 2015 at 1:46 PM, Lennart Poettering
<lennart at poettering.net> wrote:
>> I was trying to run "systemd-nspawn --ephemeral", but that failed
>> since I had a read-only image in /var/lib/machines. Why is that not
>> allowed? systemd-nspawn does create its own snapshot of that one after
>> all (which can be read-write). Why does the base image have to be
>> read-write, too?
>
> Hmm? This shouldn't fail. What's the precise error message you get?

It complains about a read-only filesystem when trying to bind-mount
some directories into the machine.

>> Then I have trouble with "systemd-nspawn --network-veth": The host0
>> interface won't come up and stays in degraded state. On the host I get
>> the following line in the journal:
>>
>> systemd-networkd[509]: ve-XXX     : Could not enable IP masquerading:
>> Protocol not available
>>
>> I have an nftables based firewall up and running, so maybe networkd is
>> expecting iptables to be in use?
>
> Most likely iptables is compiled as kernel module for you. The module
> cannot be auto-loaded currently, iptables manually loads it for you on
> first invocation, networkd doesn't. If you load it manually (by adding
> it to modules-load.d for example) things should work.

I loaded the ip-tables module manually now and that does indeed fix
the error message in my original mail. The machine still stays in
"degraded (configuring)" forever though.

As I said: I have a fully set up nftables-based firewall, so I expect
systemd will have trouble doing anything sensible with iptables. I
read iptables are a wrapper around nftables nowadays, but iptables -L
does not show any of my rules, so that might be the reason for the
trouble I am seeing.

Do I need to reinstall my machines using an iptables firewall for this to work?

Best Regards,
Tobias
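The fix Lennart suggests (load the iptables kernel module at boot through modules-load.d rather than waiting for a first iptables invocation) is easy to get slightly wrong, because one checks for the wrong module or writes the fragment in the wrong format. The script below is an added example, not code from the thread or from systemd: it reads a /proc/modules-style listing, reports which of the modules networkd's masquerading needs are missing, and emits a modules-load.d(5) fragment (one module name per line, `#` comments) for them. The module set is an assumption: Lennart only says "the iptables module"; `ip_tables` is the core module and `iptable_nat` is assumed here because a MASQUERADE rule lives in the nat table. The sample listing is constructed for the example, not captured from Tobias's host.

```shell
#!/bin/sh
# Added example (not from the systemd-devel thread). Decides which netfilter
# modules still need a modules-load.d entry so systemd-networkd can install
# its MASQUERADE rule without iptables having been run first.

# Assumed module set: ip_tables (what Lennart refers to) plus iptable_nat
# (assumption: the nat table that a MASQUERADE target needs).
NEEDED_MODULES="ip_tables iptable_nat"

# Constructed sample in /proc/modules format (name size refcount deps state addr):
# ip_tables is loaded, iptable_nat is not, and an nftables host has nf_tables.
SAMPLE_MODULES='nf_tables 98304 0 - Live 0x0000000000000000
ip_tables 28672 0 - Live 0x0000000000000000
x_tables 45056 1 ip_tables, Live 0x0000000000000000'

# module_loaded NAME LISTING: succeed if NAME is the first field of some line.
module_loaded() {
    name=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v m="$name" '$1 == m { found = 1 } END { exit !found }'
}

# missing_modules LISTING: print each needed module absent from LISTING, one per line.
missing_modules() {
    listing=$1
    for m in $NEEDED_MODULES; do
        module_loaded "$m" "$listing" || printf '%s\n' "$m"
    done
}

# modules_load_fragment LISTING: emit the body of a modules-load.d(5) file
# that loads the missing modules at boot.
modules_load_fragment() {
    listing=$1
    printf '# Loaded at boot so systemd-networkd can set up IP masquerading\n'
    missing_modules "$listing"
}

# Stand-alone run: show the fragment the constructed sample would produce.
modules_load_fragment "$SAMPLE_MODULES"
```

On a real host the listing comes from the kernel, e.g. `modules_load_fragment "$(cat /proc/modules)" > /etc/modules-load.d/iptables.conf`, followed by `systemctl restart systemd-modules-load.service` or a reboot; `lsmod | grep -E '^(ip_tables|iptable_nat)'` afterwards confirms the modules are present before networkd needs them.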
