[systemd-devel] systemd-nspawn support for loading kernel modules / custom seccomp rules

Jay Faulkner jay at jvf.cc
Thu Jan 29 14:47:07 PST 2015

Hi all,

I’m a big fan of systemd, and currently use IPA[1] running inside systemd-nspawn containers to provision and maintain systems as part of OpenStack Ironic. This includes, at times, doing things like flashing firmwares which may require a kernel module to be loaded.

Currently, we’re using CoreOS 367.0.0 with 3.15.2 kernel and systemd 212. Recently, I attempted an upgrade to CoreOS 575.0.0 with kernel 3.18.2 and systemd 218 and found I could no longer load kernel modules from inside an nspawn container. This appears to be related to some seccomp filters added/enabled in systemd 215.

Is it possible to have a switch added to systemd-nspawn to allow me to specify custom seccomp filters, or to disable them entirely? The only alternative to this for my use case is to not use containers at all or to preload all modules needed before launching my container. The 1st option doesn’t work well because CoreOS doesn’t ship with sufficient OS resources to run IPA inside it, and the second is not reasonable because the same IPA ramdisk is used across many nodes on a fleet, which may have different hardware and therefore different modules are required to perform things like BIOS flashing.

Thanks in advance,
Jay Faulkner

[1] https://github.com/openstack/ironic-python-agent; relevant nspawn flags here: https://github.com/openstack/ironic-python-agent/blob/master/imagebuild/coreos/oem/cloud-config.yml#L40
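The post attributes the failure to seccomp filters that nspawn started applying in systemd 215, but from inside a container a failed module load can have several causes (a seccomp filter, a missing CAP_SYS_MODULE, or a kernel without module support). The probe below is an added example, not code from the post or from the systemd or ironic-python-agent projects; it is meant to be run inside the container to tell those cases apart without loading anything. It assumes Linux with the finit_module syscall (kernel 3.8 or later) and a /proc mounted in the container; on other platforms it reports "unsupported".

```c
/* Added example (not from the original post): probe, from inside a
 * container, whether the module-loading syscall reaches the kernel at
 * all or is refused before it gets there. It never loads a module:
 * finit_module() is called with an invalid file descriptor, so a
 * kernel that accepts the call can only answer EBADF or EINVAL. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* Map the errno produced by the probe to what it tells us. */
const char *classify_probe_errno(int err) {
    switch (err) {
    case EBADF:
    case EINVAL:
        /* The call entered the kernel and was rejected on its bogus
         * arguments: no seccomp filter stood in the way and the caller
         * holds CAP_SYS_MODULE. A real module load would have a chance. */
        return "reached-kernel";
    case EPERM:
        /* Either a seccomp filter answered EPERM without the call ever
         * entering the kernel (the nspawn behaviour the post describes),
         * or the caller lacks CAP_SYS_MODULE. The Seccomp: field of
         * /proc/self/status (see seccomp_mode below) helps tell them apart. */
        return "denied";
    case ENOSYS:
        /* Kernel built without module support, or syscall not provided. */
        return "syscall-unavailable";
    default:
        return "other";
    }
}

/* Issue the harmless probe and classify the result.
 * Assumption: Linux with SYS_finit_module; elsewhere we cannot probe. */
const char *probe_finit_module(void) {
#if defined(__linux__) && defined(SYS_finit_module)
    errno = 0;
    long rc = syscall(SYS_finit_module, -1, "", 0);  /* fd -1 is deliberately invalid */
    if (rc == 0)
        return "unexpected-success";
    return classify_probe_errno(errno);
#else
    return "unsupported";
#endif
}

/* Seccomp mode of this process from /proc/self/status:
 * 0 = no filter, 1 = strict, 2 = filter (what nspawn installs).
 * Returns -1 if the field cannot be read. */
int seccomp_mode(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int mode = -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "Seccomp: %d", &mode) == 1)
            break;
    }
    fclose(f);
    return mode;
}

int main(void) {
    printf("seccomp mode:       %d\n", seccomp_mode());
    printf("finit_module probe: %s\n", probe_finit_module());
    return 0;
}
```

Run it as root inside the nspawn container and again on the host: a "denied" result together with seccomp mode 2 inside the container, versus "reached-kernel" on the host, confirms that the filter rather than a missing capability is what stops the module load.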
