On Thu, 29.01.15 22:47, Jay Faulkner (j...@jvf.cc) wrote:

> Hi all,
>
> I’m a big fan of systemd, and currently use IPA[1] running inside
> systemd-nspawn containers to provision and maintain systems as part
> of OpenStack Ironic. This includes, at times, doing things like
> flashing firmwares which may require a kernel module to be loaded.
What kind of kernel modules is this? Note that most normal kernel modules are nowadays auto-loaded the first time one of their features is requested.

We nowadays explicitly disallow non-auto loading of kernel modules from containers, for security reasons. If you want to allow kernel modules, then you can do so by adding the CAP_SYS_MODULE capability to the set of caps to retain in nspawn, by using its --capability= switch. However, you would also have to include the kernel modules to load in the container's directory tree.

> Is it possible to have a switch added to systemd-nspawn to allow me
> to specify custom seccomp filters, or to disable them entirely?

So far we use seccomp filtering only to deal with audit incompatibilities; we do not prohibit kernel module loading that way.

Hope this is useful,

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
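A defender-side check for the capability point discussed above, added here as an example and not part of the thread: it parses the CapBnd line of /proc/<pid>/status to tell whether a process (for instance one inside an nspawn container) retains CAP_SYS_MODULE, capability number 16. The two status snippets are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether CAP_SYS_MODULE is in a
# process's capability bounding set by parsing the CapBnd line of
# /proc/<pid>/status. Without --capability=CAP_SYS_MODULE the bit is clear.

CAP_SYS_MODULE=16   # capability number, see <linux/capability.h>

# hexdigit_val D: print the decimal value of a single hex digit
hexdigit_val() {
    case "$1" in
        [0-9]) echo "$1" ;;
        a|A) echo 10 ;; b|B) echo 11 ;; c|C) echo 12 ;;
        d|D) echo 13 ;; e|E) echo 14 ;; f|F) echo 15 ;;
        *) return 1 ;;
    esac
}

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in HEXMASK,
# the mask being the hex string the kernel prints (e.g. 0000003fffffffff)
cap_in_mask() {
    mask=$1; capnum=$2
    nibble=$((capnum / 4)); bit=$((capnum % 4))
    pos=$(( ${#mask} - nibble ))        # 1-based column of that nibble
    [ "$pos" -ge 1 ] || return 1        # mask shorter than the bit: clear
    digit=$(printf '%s' "$mask" | cut -c "$pos")
    val=$(hexdigit_val "$digit") || return 1
    [ $(( (val >> bit) & 1 )) -eq 1 ]
}

# capbnd_of STATUS_TEXT: print the CapBnd mask found in status text
capbnd_of() {
    printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p'
}

# can_load_modules STATUS_TEXT: 0 if CAP_SYS_MODULE retained, 2 if no CapBnd
can_load_modules() {
    mask=$(capbnd_of "$1")
    [ -n "$mask" ] || return 2
    cap_in_mask "$mask" "$CAP_SYS_MODULE"
}

# Constructed sample status text: a bounding set with CAP_SYS_MODULE
# dropped (bit 16 clear) and one with every capability retained.
RESTRICTED=$(printf 'Name:\tsh\nCapBnd:\t0000003ffffeffff')
FULL=$(printf 'Name:\tsh\nCapBnd:\t0000003fffffffff')

for s in RESTRICTED FULL; do
    eval "text=\$$s"
    can_load_modules "$text" && echo "$s: CAP_SYS_MODULE retained" || echo "$s: CAP_SYS_MODULE absent"
done
# On a live system: can_load_modules "$(cat /proc/self/status)"
```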