[systemd-devel] systemd-nspawn support for loading kernel modules / custom seccomp rules

Lennart Poettering lennart at poettering.net
Mon Feb 2 12:03:36 PST 2015


On Thu, 29.01.15 22:47, Jay Faulkner (jay at jvf.cc) wrote:

> Hi all,
> 
> I’m a big fan of systemd, and currently use IPA[1] running inside
> systemd-nspawn containers to provision and maintain systems as part
> of OpenStack Ironic. This includes, at times, doing things like
> flashing firmwares which may require a kernel module to be loaded.

What kind of kernel modules is this? Note that most normal kernel
modules are nowadays auto-loaded the first time one of their features
is requested.

We nowadays explicitly disallow non-auto loading of kernel modules
from containers, for security reasons. If you want to allow kernel
modules, then you can do so by adding the CAP_SYS_MODULE capability
set to the set of caps to retain in nspawn, by using its --capability=
switch. However, you would also have to include the kernel modules to
load in the container's directory tree.

> Is it possible to have a switch added to systemd-nspawn to allow me
> to specify custom seccomp filters, or to disable them entirely? 

So far we use seccomp filtering only to deal with audit
incompatibilities, we do not prohibit kernel module loading that way.

Hope this is useful,

Lennart

-- 
Lennart Poettering, Red Hat
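The two steps Lennart describes (retain CAP_SYS_MODULE via --capability= and ship the module inside the container's directory tree) as a small POSIX shell helper. This is an added example, not code from the thread or from systemd; the tree path, kernel release and module name are constructed for illustration, and no container is actually started. CAP_SYS_MODULE lets the container load code into the kernel shared with the host, so the helper only adds it when a module is explicitly requested.

```shell
#!/bin/sh
# Added example (not from the systemd-devel thread): stage a .ko into a
# systemd-nspawn directory tree and build the matching nspawn command line.
set -eu

# stage_module TREE MODULE_FILE KVER
# Copies a host-side .ko into TREE/lib/modules/KVER/extra/ so that it can be
# found from inside the container, whose root filesystem is TREE.
# Prints the destination path.
stage_module() {
    tree="$1"; module="$2"; kver="$3"
    dest="$tree/lib/modules/$kver/extra"
    mkdir -p "$dest"
    cp "$module" "$dest/"
    echo "$dest/$(basename "$module")"
}

# module_staged TREE KVER NAME
# Succeeds only if NAME.ko for kernel KVER is present in the container tree;
# without it, modprobe inside the container has nothing to load.
module_staged() {
    [ -f "$1/lib/modules/$2/extra/$3.ko" ]
}

# nspawn_cmdline TREE [MODULE_NAME]
# Prints the systemd-nspawn invocation. --capability= adds to nspawn's default
# capability set, so CAP_SYS_MODULE is appended only when a module is needed.
nspawn_cmdline() {
    tree="$1"; need_module="${2:-}"
    caps=""
    if [ -n "$need_module" ]; then
        caps="--capability=CAP_SYS_MODULE"
    fi
    echo "systemd-nspawn --directory=$tree${caps:+ $caps}"
}

# Demo on a constructed tree: a placeholder file stands in for a real module
# (assumed name firmware_flash, assumed kernel release 3.18.0-example).
demo() {
    work=$(mktemp -d)
    tree="$work/machine"
    printf 'placeholder, not a real kernel module\n' > "$work/firmware_flash.ko"
    stage_module "$tree" "$work/firmware_flash.ko" "3.18.0-example" >/dev/null
    if module_staged "$tree" "3.18.0-example" firmware_flash; then
        nspawn_cmdline "$tree" firmware_flash
    else
        echo "module not staged; start without CAP_SYS_MODULE" >&2
        nspawn_cmdline "$tree"
    fi
    rm -rf "$work"
}

demo
```

The helper prints the command rather than running it, so it can be reviewed before anything is started; the branch in demo is the check a practitioner wants, since granting CAP_SYS_MODULE without the module in the tree gives the container the privilege with nothing useful to do with it.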

