[systemd-devel] systemd-nspawn trouble

Lennart Poettering lennart at poettering.net
Wed Apr 22 06:27:28 PDT 2015


On Wed, 22.04.15 15:12, Tobias Hunger (tobias.hunger at gmail.com) wrote:

> >> Then I have trouble with "systemd-nspawn --network-veth": The host0
> >> interface won't come up and stays in degraded state. On the host I get
> >> the following line in the journal:
> >>
> >> systemd-networkd[509]: ve-XXX     : Could not enable IP masquerading:
> >> Protocol not available
> >>
> >> I have an nftables based firewall up and running, so maybe networkd is
> >> expecting iptables to be in use?
> >
> > Most likely iptables is compiled as a kernel module for you. The module
> > cannot be auto-loaded currently, iptables manually loads it for you on
> > first invocation, networkd doesn't. If you load it manually (by adding
> > it to modules-load.d for example) things should work.
> 
> I loaded the ip-tables module manually now and that does indeed fix
> the error message in my original mail. The machine still stays in
> "degraded (configuring)" forever though.
> 
> As I said: I have a fully set up nftables-based firewall, so I expect
> systemd will have trouble doing anything sensible with iptables. I
> read iptables are a wrapper around nftables nowadays, but iptables -L
> does not show any of my rules, so that might be the reason for the
> trouble I am seeing.

Well, to my knowledge the kernel actually supports both in
parallel. networkd + nspawn only do iptables.

> Do I need to reinstall my machines using an iptables firewall for this to work?

No need.

Lennart

-- 
Lennart Poettering, Red Hat

