I'm running a container with systemd-nspawn on an Arch x86_64 system, and the container console keeps printing this:
File /usr/lib/systemd/system/systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
DuckDuckGo tells me to look for a kernel option, but the stock kernel I'm using has it set:
% zcat config.gz | grep CONFIG_CGROUP_BPF
CONFIG_CGROUP_BPF=y
The offending line in question, inside a "[Service]" section:
IPAddressDeny=any
What's going on here?
https://github.com/systemd/systemd/blob … all.c#L646
Increase systemd.log_level to debug so you can see which condition check is failing.
The cause seems to be an invocation of "systemctl daemon-reexec" in one of my scripts. If I run like this:
% SYSTEMD_LOG_LEVEL=debug systemctl daemon-reexec
Bus n/a: changing state UNSET → OPENING
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → RUNNING
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=Reexecute cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Reexecuting.
systemd 238 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.
File /usr/lib/systemd/system/systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
Bus n/a: changing state RUNNING → CLOSING
Bus n/a: changing state CLOSING → CLOSED
I'm getting a bit more output but not the debug messages @loqs pointed me to. I also tried adding it to systemd-journald.service:
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug
without luck. Where do I need to put this?
try
export SYSTEMD_LOG_LEVEL=debug
systemctl daemon-reexec
@seth: I thought my invocation:
SYSTEMD_LOG_LEVEL=debug systemctl daemon-reexec
and yours:
export SYSTEMD_LOG_LEVEL=debug
systemctl daemon-reexec
are equivalent, except that your setting stays around and mine is only for that single command.
Yes, that is precisely the point - you want to debug systemd-nspawn and it doesn't necessarily inherit the "systemctl" environment.
seth: both produce the exact same output for me.
IMHO chances are that what needs to have that environment is some daemon or other, but I don't know which, or how to set that flag for them.
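As an added example (not code from the thread or from systemd), a POSIX shell script that reproduces the static preconditions bpf-firewall.c checks before it tries to load a program: the cgroup layout in /proc/self/mountinfo and CONFIG_CGROUP_BPF in the kernel config. It assumes the strictest rule, that only a fully unified (cgroup v2) layout qualifies, so the "default-hierarchy=hybrid" shown above is reported as the failing gate; the linked bpf-firewall.c for the version in use is authoritative on that rule, and the bpf() load/attach probe systemd performs afterwards is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd: a shell version of
# the static gates bpf-firewall.c checks before it loads a program. The
# "strictest rule" (fully unified cgroup tree only) is an assumption here.

# Classify the cgroup layout from a /proc/self/mountinfo-style file:
# unified, hybrid (cgroup2 mounted beside v1 controllers), legacy or none.
cgroup_mode() {
    awk '{
            # optional fields end at "-"; fstype follows it, mount point is $5
            for (i = 7; i <= NF; i++) if ($i == "-") break
            fstype = $(i + 1)
            if (fstype == "cgroup2" && $5 == "/sys/fs/cgroup") unified = 1
            else if (fstype == "cgroup2") v2_sub = 1
            else if (fstype == "cgroup") v1 = 1
        }
        END {
            if (unified && !v1) print "unified"
            else if (v2_sub || unified) print "hybrid"
            else if (v1) print "legacy"
            else print "none"
        }' "$1"
}

# Does a plain-text kernel config (already gunzipped) enable cgroup BPF?
kernel_has_cgroup_bpf() { grep -qx 'CONFIG_CGROUP_BPF=y' "$1"; }

# Print why the unit would (or would not) lose its IP firewall.
# Returns 0 only when both static preconditions hold.
bpf_firewall_gate() {
    mode=$(cgroup_mode "$1")
    if [ "$mode" != unified ]; then
        echo "cgroup layout is $mode, not unified: BPF firewalling is not supported."
        return 1
    fi
    if ! kernel_has_cgroup_bpf "$2"; then
        echo "kernel built without CONFIG_CGROUP_BPF: BPF firewalling is not supported."
        return 1
    fi
    echo "cgroup v2 and CONFIG_CGROUP_BPF present; only the bpf() load/attach probe remains."
}

# Live run on this machine: sh check.sh --live (config.gz location is an assumption)
if [ "${1-}" = --live ]; then
    cfg=$(mktemp)
    zcat /proc/config.gz > "$cfg" 2>/dev/null || echo "no /proc/config.gz readable" >&2
    bpf_firewall_gate /proc/self/mountinfo "$cfg" || true
    rm -f "$cfg"
fi
```

Run it inside the container as well as on the host: nspawn mirrors the host's cgroup layout into the container, so the mode it reports is what the container's systemd sees.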