NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

zram-reloader.service broken by security.lockKernelModules #26686

Open 8573 opened 7 years ago

8573 commented 7 years ago

Now that I'm using the hardened profile, which enables security.lockKernelModules, whenever I run nixos-rebuild switch, I'm told that the systemd unit zram-reloader.service failed with the error "Operation not permitted" while trying to unload the zram kernel module.

I'm not saying this is a bug — it seems to be the lockKernelModules feature working as intended — but it's a bit annoying and I wonder whether something could be done about it.

Mic92 commented 7 years ago

Explicitly specifying the kernel modules required by zram is an option (in boot.kernelModules).

8573 commented 7 years ago

The zram module is loaded; the "problem" is that the zram-reloader.service unit tries to unload and reload the module (to, I'd guess, ensure that the module's parameters match what's been specified in the NixOS configuration).

joachifm commented 7 years ago

I think the best you can do is order the unit before locking occurs, so that it at least has an opportunity to work once (at boot), but it will fail on all subsequent reloads. That's just how the feature works, I'm afraid.

8573 commented 7 years ago

I was more thinking that zram-reloader.service could just be disabled if security.lockKernelModules is enabled, which would at least prevent nixos-rebuild from always complaining about it, but having it run once before modules are locked does sound better.

joachifm commented 7 years ago

Another idea is to make the reload service bail early if the lock is engaged or, equivalently, condition its execution on whether the locking unit is active. This combined with proper ordering should make using the reloader smoother. Ideally, it'd work once and then not bother trying after that.
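The two ideas above (order the reloader before the locking unit, and have it bail out when the lock is already engaged) as one NixOS configuration fragment. This is an added example, not code from nixpkgs or from anyone in this thread. It assumes the unit that implements security.lockKernelModules is called disable-kernel-module-loading.service (check with `systemctl list-units | grep -i module` on your system) and a systemd new enough to support ExecCondition; the script name and the option `lockUnit` are my own.

```nix
# Added example (not nixpkgs code): run zram-reloader.service once at boot,
# before kernel module loading is locked, and skip it quietly afterwards so
# `nixos-rebuild switch` stops reporting a failed unit.
{ config, lib, pkgs, ... }:

let
  # Assumption: this is the unit that sets kernel.modules_disabled=1 when
  # security.lockKernelModules is enabled. Verify the name on your system.
  lockUnit = "disable-kernel-module-loading.service";

  # ExecCondition helper: exit 0 while module loading is still permitted,
  # exit 1 once the lock is engaged. systemd treats exit codes 1..254 from
  # ExecCondition as "skip ExecStart, mark the unit inactive, not failed",
  # which is exactly the "don't bother trying after that" behaviour wanted.
  notLockedYet = pkgs.writeShellScript "zram-reloader-not-locked" ''
    state=$(cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo 0)
    if [ "$state" = "1" ]; then
      echo "kernel module loading is locked; skipping zram reload" >&2
      exit 1
    fi
    exit 0
  '';
in
{
  # Only adjust the reloader when the lock is actually in use.
  systemd.services.zram-reloader = lib.mkIf config.security.lockKernelModules {
    # Ordering: give the reloader its one chance at boot, before the lock.
    before = [ lockUnit ];
    # Guard: on later activations, test the sysctl instead of letting
    # `modprobe -r zram` fail with "Operation not permitted".
    serviceConfig.ExecCondition = notLockedYet;
  };
}
```

The caveat a practitioner should keep in mind: this only silences the failure. Once kernel.modules_disabled is 1 it cannot be reset without a reboot, so any change to the zram module parameters in the NixOS configuration takes effect only at the next boot, not on `nixos-rebuild switch`.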

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

minijackson commented 3 years ago

still important to me

stale[bot] commented 2 years ago

I marked this as stale due to inactivity.