[systemd-devel] systemd-nspawn trouble

Tom Gundersen teg at jklm.no
Mon May 18 02:16:34 PDT 2015


On Sun, May 17, 2015 at 5:30 PM, Michael Biebl <mbiebl at gmail.com> wrote:
> 2015-05-15 22:16 GMT+02:00 Tom Gundersen <teg at jklm.no>:
>> on-demand I agree with Lennart that it makes the most sense to simply
>> unconditionally load the modules. If this is undesirable the solution
>> should be to teach the kernel to auto-load the modules, not to expect
>> the admin to figure out that explicit loading is required, IMHO.
>
> And now we expect that the admin figures out how to disable loading of
> the iptables module, which isn't any more obvious.

Out of interest, what is the 'regression' users would experience by
having the iptables module loaded? Or is it just about the principle
of not wanting to load a module unless it is actually used?

> What I was suggesting was that the iptables modules should only be
> loaded on demand, i.e. when the firewalling functionality is actually
> used.

If so, this should be done by the kernel.

> Lennart did argue that he didn't want to do that within
> networkd, since he didn't want to grant networkd the capability to
> load modules, and therefore to load the module unconditionally in PID 1.
> But moving the module loading out of networkd doesn't mean it has to
> be done unconditionally, see how we did it for
> udev/kmod-static-nodes.service

Hm, this is all about letting the kernel do the module loading lazily
on-demand, so I'd be all for that, but then the kernel would need to
learn how to do that for iptables first...

Cheers,

Tom
