[systemd-devel] systemd-nspawn trouble

Tobias Hunger tobias.hunger at gmail.com
Fri Apr 24 15:14:46 PDT 2015


Hello,

sorry (again) for the delay. I unfortunately cannot check into this
as often as I would like :-(

Lennart: Thank you for that patch, that does indeed fix my issue with
read-only machine images.

The networking issue does work better when iptables are used. All I
needed to do was to make sure that packets from the VM are not
getting dropped in the forwarding chain. Is there a way for me to do
that automatically as interfaces to containers are created? I do not
want to just accept every machine talking to everything else.
Paranoia :-)

What I noticed though is that the VM has the google nameservers set
up. That came as a bit of a surprise: I had expected either the host
to be the only DNS server registered (providing a DNS proxy) or at least
that the nameservers of the host will also be set in the VM. Is that a
known issue or are my expectations wrong?

Best Regards,
Tobias


On Wed, Apr 22, 2015 at 5:00 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Wed, 22.04.15 16:31, Tobias Hunger (tobias.hunger at gmail.com) wrote:
>
>> On Wed, Apr 22, 2015 at 4:04 PM, Lennart Poettering
>> <lennart at poettering.net> wrote:
>> > Well, if that's what it says, then yes. We can certainly add support
>> > for manipulating nft too, but so far the APIs for that appeared much
>> > less convincing to me, and quite a bit more exotic.
>>
>> The user space tools for nft are much nicer than iptables, so I think
>> they do provide a significant benefit. I would appreciate not having
>> to go back to iptables :-)
>>
>> The exact command line I am running is this (straight out of systemctl
>> cat systemd-nspawn@vm.service, *THANKS* to whoever implemented that!):
>>
>> ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --ephemeral \
>>     --machine=vm \
>>     --network-veth \
>>     --bind=/mnt/raid0/data/ftp:/mnt/ftp
>>
>> /var/lib/machines is a normal read-write btrfs snapshot. vm is a
>> read-only snapshot.
>>
>> It starts fine when vm is read-write.
>
> OK, I think I fixed this now, please check:
>
> http://cgit.freedesktop.org/systemd/systemd/commit/?id=aee327b8169670986f6a48acbd5ffe1355bfcf27
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
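Added example, not part of this thread and not systemd's own code: one way to answer the "accept forwarding for container interfaces automatically, but not container-to-container" question above on the iptables side. It relies on systemd-nspawn's documented naming of the host end of a --network-veth link as "ve-<machine>", so the "ve-+" interface wildcard makes one static ruleset cover every container link, present or future, with no per-machine hook. Assumptions: the uplink is eth0 (override with UPLINK=), the FORWARD chain's default policy is already DROP (as the "packets getting dropped" observation implies), and the chain name NSPAWN-FWD is arbitrary.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): forwarding rules for
# systemd-nspawn --network-veth containers.
# Assumptions: host-side veth names are "ve-<machine>" (nspawn's documented
# default), the uplink is eth0 unless UPLINK is set, and FORWARD's default
# policy is DROP so anything this chain does not accept is dropped.
set -eu

UPLINK="${UPLINK:-eth0}"
CHAIN="NSPAWN-FWD"   # arbitrary name for our own chain

# Emit the ruleset in iptables-restore format inside a dedicated chain, so it
# can be replaced atomically without touching rules from other tools.
# Order matters: container-to-container traffic is dropped before the
# container-to-uplink accept, and anything else from a container is dropped.
nspawn_fwd_rules() {
    uplink="$1"
    cat <<EOF
*filter
:${CHAIN} - [0:0]
-A ${CHAIN} -o ve-+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ${CHAIN} -i ve-+ -o ve-+ -j DROP
-A ${CHAIN} -i ve-+ -o ${uplink} -j ACCEPT
-A ${CHAIN} -i ve-+ -j DROP
COMMIT
EOF
}

# Load the chain and hook it into FORWARD exactly once. Re-running is safe:
# with --noflush the ":CHAIN" line flushes an existing chain instead of
# failing, and -C prevents a duplicate jump rule.
nspawn_fwd_apply() {
    nspawn_fwd_rules "$UPLINK" | iptables-restore --noflush
    iptables -C FORWARD -j "$CHAIN" 2>/dev/null || iptables -I FORWARD 1 -j "$CHAIN"
}

case "${1:-show}" in
    apply) nspawn_fwd_apply ;;          # needs root and iptables
    show)  nspawn_fwd_rules "$UPLINK" ;; # print the ruleset that would be loaded
esac
```

Traffic that does not involve a ve- interface falls through the chain unmatched and is handled by the rest of FORWARD as before, so the script only ever adds restrictions for container links. Interfaces created after the rules are loaded match the wildcard immediately, which is what makes the "automatically as interfaces are created" part work without udev hooks or per-unit drop-ins. The same shape carries over to nft (an interface-name wildcard in a chain hooked at forward) once that is the tool in use.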

