You are not logged in.

#1 2018-07-14 00:17:56

jernst
Member
From: Silicon Valley
Registered: 2014-03-04
Posts: 290
Website

"configures an IP firewall ... but the local system does not support"

I'm running a container with systemd-nspawn on an Arch x86_64 system, and the container console keeps printing this:

File /usr/lib/systemd/system/systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.

DuckDuckGo tells me to look for a kernel option, but the stock kernel I'm using has it set:

% zcat config.gz  | grep CONFIG_CGROUP_BPF
CONFIG_CGROUP_BPF=y

The offending line in question, inside a "[Service]" section:

IPAddressDeny=any

What's going on here?

Offline

#2 2018-07-14 00:44:04

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: "configures an IP firewall ... but the local system does not support"

https://github.com/systemd/systemd/blob … all.c#L646
Increase systemd.log_level to debug so you can see which condition check is failing.

Offline

#3 2018-07-14 03:46:01

jernst
Member
From: Silicon Valley
Registered: 2014-03-04
Posts: 290
Website

Re: "configures an IP firewall ... but the local system does not support"

The cause seems to be an invocation of "systemctl daemon-reexec" in one of my scripts. If I run like this:

% SYSTEMD_LOG_LEVEL=debug systemctl daemon-reexec
Bus n/a: changing state UNSET → OPENING
Bus n/a: changing state OPENING → AUTHENTICATING
Bus n/a: changing state AUTHENTICATING → RUNNING
Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=Reexecute cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a
Reexecuting.
systemd 238 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN +PCRE2 default-hierarchy=hybrid)
Detected virtualization systemd-nspawn.
Detected architecture x86-64.
File /usr/lib/systemd/system/systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
Bus n/a: changing state RUNNING → CLOSING
Bus n/a: changing state CLOSING → CLOSED

I'm getting a bit more output but not the debug messages @loqs pointed me to. I also tried adding it to systemd-journald.service:

[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

without luck. Where do I need to put this?

Offline

#4 2018-07-14 06:20:02

seth
Member
Registered: 2012-09-03
Posts: 49,951

Re: "configures an IP firewall ... but the local system does not support"

try

export SYSTEMD_LOG_LEVEL=debug
systemctl daemon-reexec

Online

#5 2018-07-15 00:10:35

jernst
Member
From: Silicon Valley
Registered: 2014-03-04
Posts: 290
Website

Re: "configures an IP firewall ... but the local system does not support"

@seth: I thought my invocation:

SYSTEMD_LOG_LEVEL=debug systemctl daemon-reexec

and your's:

export SYSTEMD_LOG_LEVEL=debug
systemctl daemon-reexec

are equivalent, except that your setting stays around and mine is only for that single command.

Offline

#6 2018-07-15 06:51:21

seth
Member
Registered: 2012-09-03
Posts: 49,951

Re: "configures an IP firewall ... but the local system does not support"

Yes, that is precisely the point - you want to debug systemd-nspawn and it doesn't necessarily inherit the "systemctl" environment.

Online

#7 2018-07-16 20:40:21

jernst
Member
From: Silicon Valley
Registered: 2014-03-04
Posts: 290
Website

Re: "configures an IP firewall ... but the local system does not support"

seth: both produce the exact same output for me.

IMHO chances are that what needs to have that environment is some daemon or other but I don't know which and how to set that flag for them.

Offline

Board footer

Powered by FluxBB