Open sanmai-NL opened 6 years ago
The problem is systemd's cgroup mode: the upstream default is hybrid, which does work with cgroup-based firewalling, but we default to legacy mode for compatibility with Docker 1.12. I think we could switch back to the upstream default after backporting https://github.com/opencontainers/runc/pull/1266 to runc-1.0.0_rc2_p9.
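A host-side check for the situation described in this comment, added here as an example and not code from the issue thread or from Container Linux: it classifies systemd's cgroup hierarchy (legacy, hybrid or unified) from mount-table lines and lists the IPAddressDeny=/IPAddressAllow= directives that a legacy-mode host will log the warning for instead of enforcing. The mount layouts, the sample unit file and the function names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the issue thread: classify systemd's cgroup
# hierarchy mode from /proc/self/mounts-style lines and report whether
# cgroup/BPF-based IP firewalling (IPAddressDeny=/IPAddressAllow=) is
# enforced. Assumption taken from the thread: hybrid and unified enforce
# it, legacy does not, so affected units only log the warning seen above.

# Read mount lines on stdin; print one of legacy|hybrid|unified|unknown.
cgroup_mode() {
    mode=unknown
    while read -r _dev mnt fstype _rest; do
        case "$mnt:$fstype" in
            /sys/fs/cgroup:cgroup2)         mode=unified; break ;;  # pure v2
            /sys/fs/cgroup/unified:cgroup2) mode=hybrid ;;          # v1 + v2 for systemd
            /sys/fs/cgroup:tmpfs) if [ "$mode" = unknown ]; then mode=legacy; fi ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Exit 0 when the given mode can enforce IPAddressDeny=/IPAddressAllow=.
ip_firewall_enforced() {
    case "$1" in hybrid|unified) return 0 ;; *) return 1 ;; esac
}

# Print "<unit file> <directive>" for each IPAddress{Deny,Allow}= line in
# the given unit files, i.e. the hardening a legacy host silently skips.
ip_directives() {
    grep -H -E '^[[:space:]]*IPAddress(Deny|Allow)=' "$@" 2>/dev/null | sed 's/:/ /'
}

report() {  # $1 = cgroup mode, remaining args = unit files to inspect
    m=$1; shift
    printf 'systemd cgroup mode: %s\n' "$m"
    if ip_firewall_enforced "$m"; then echo "IPAddressDeny= is enforced"; return 0; fi
    echo "IPAddressDeny= is NOT enforced; affected units:"
    ip_directives "$@"
}

if [ "${1-}" = --live ]; then   # inspect the real host
    report "$(cgroup_mode </proc/self/mounts)" /usr/lib/systemd/system/*.service /etc/systemd/system/*.service
else                            # constructed sample: a legacy-mode host with one hardened unit
    LEGACY_MOUNTS='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0'
    unit=$(mktemp)   # stands in for systemd-journald.service
    printf '[Service]\nIPAddressDeny=any\n' >"$unit"
    report "$(printf '%s\n' "$LEGACY_MOUNTS" | cgroup_mode)" "$unit"
    rm -f "$unit"
fi
```

Run with `--live` to inspect the host you are on; with no arguments it runs against the constructed legacy-mode sample.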
I'm using kube-aws v0.9.10-rc.5 with CoreOS 1632.3.0 and getting plenty of those
"File /usr/lib/systemd/system/systemd-journald.service:33 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling."
Is that concerning? What would you recommend?
@VinceMD IPAddressDeny is a security hardening feature in systemd that currently doesn't work in Container Linux. The message is safe to ignore; it just means that this particular hardening feature is not being activated on your system.
Thanks @bgilbert
Issue Report
Bug
Container Linux Version
Environment
KVM guest.
Expected Behavior
No error. See https://github.com/systemd/systemd/issues/7188.
Actual Behavior
Reproduction Steps
machinectl
?