Hi Lennart,

On Wed, Apr 22, 2015 at 1:46 PM, Lennart Poettering <lenn...@poettering.net> wrote:
>> I was trying to run "systemd-nspawn --ephemeral", but that failed
>> since I had a read-only image in /var/lib/machines. Why is that not
>> allowed? systemd-nspawn does create its own snapshot of that one after
>> all (which can be read-write). Why does the base image have to be
>> read-write, too?
>
> Hmm? This shouldn't fail. What's the precise error message you get?

It complains about a read-only filesystem when trying to bind-mount some directories into the machine.

>> Then I have trouble with "systemd-nspawn --network-veth": The host0
>> interface won't come up and stays in degraded state. On the host I get
>> the following line in the journal:
>>
>> systemd-networkd[509]: ve-XXX : Could not enable IP masquerading:
>> Protocol not available
>>
>> I have an nftables based firewall up and running, so maybe networkd is
>> expecting iptables to be in use?
>
> Most likely iptables is compiled as kernel module for you. The module
> cannot be auto-loaded currently, iptables manually loads it for you on
> first invocation, networkd doesn't. If you load it manually (by adding
> it to modules-load.d for example) things should work.

I loaded the ip-tables module manually now and that does indeed fix the error message in my original mail. The machine still stays in "degraded (configuring)" forever though.

As I said: I have a fully set up nftables-based firewall, so I expect systemd will have trouble doing anything sensible with iptables. I read iptables are a wrapper around nftables nowadays, but iptables -L does not show any of my rules, so that might be the reason for the trouble I am seeing. Do I need to reinstall my machines using an iptables firewall for this to work?

Best Regards,
Tobias
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
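A small check for the remediation Lennart describes above (the iptables kernel module is not auto-loaded, so it has to be listed in modules-load.d), written as an added example that is not part of the thread: it reports, per module, whether it is currently loaded or at least configured to load at boot. The module names ip_tables and iptable_nat, and the default paths, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are parameters so the checks can be
# run against copied files; defaults are the usual locations (assumed).

# module_loaded MODULE [PROC_MODULES]
# Returns 0 if MODULE appears in /proc/modules-style output (name is field 1).
module_loaded() {
    mod=$1
    procfile=${2:-/proc/modules}
    awk -v m="$mod" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' "$procfile"
}

# module_in_load_conf MODULE [CONF_DIR]
# Returns 0 if some *.conf under CONF_DIR (default /etc/modules-load.d) names
# MODULE on a line of its own; '#' and ';' comment lines are ignored, as the
# modules-load.d format allows.
module_in_load_conf() {
    mod=$1
    dir=${2:-/etc/modules-load.d}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*[#;]' "$f" | grep -qx "[[:space:]]*$mod[[:space:]]*"; then
            return 0
        fi
    done
    return 1
}

# masquerade_check [PROC_MODULES] [CONF_DIR]
# Prints "<module> loaded", "<module> will-load" (configured for boot) or
# "<module> missing" for each module assumed to be needed for masquerading.
masquerade_check() {
    procfile=${1:-/proc/modules}
    dir=${2:-/etc/modules-load.d}
    for mod in ip_tables iptable_nat; do   # assumed module list
        if module_loaded "$mod" "$procfile"; then
            echo "$mod loaded"
        elif module_in_load_conf "$mod" "$dir"; then
            echo "$mod will-load"
        else
            echo "$mod missing"
        fi
    done
}
```

A "missing" result means the module is neither loaded nor scheduled for boot, which is the state that produced the "Protocol not available" message in the thread.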