[lxc-users] iptabes kernel modules not loading in containers

[Stéphane Graber]

On Tue, Jan 14, 2014 at 03:00:32PM -0500, John Baker wrote:
> Hi,
> 
> I'm using lxc in 12.04.4 LTS and seem to have a chronic issue with the
> iptables modfule not loading inside a container. I have found that it does
> sometimes work and my coworker never seems to have problems with it in the
> servers he runs. But it happens all the time on mine and I can't see
> anything at all that we do differently. Sometimes it will start running
> inside a container and then mysteriously have stopped next time I check in.
> I can't find any error messages pertaining to it besides the one I get when
> I try to load rules or view the set loaded.
> 
> The only fix I have been able to come up with is to manually
> copy /lib/modules/<kernel ver.>-generic/modules.dep and net directory from
> the host into the container. Then it seems willing to load iptables modules
> consistently but always breaks when the kernel is updated on the host and
> has to be redone.
> 
> Any ideas on what I might be missing? Is there a cgroup I should include
> for sharing iptables modules?

Kernel modules aren't loaded per-container but globally for the whole host.

It's not recommended (and usually blocked by either dropping the
capability or by having apparmor prevent it) to load modules from within
a container. Instead you should make sure all your kernel modules are
loaded from the host before you start your containers.

I suspect the difference between your server and your colleague's is
that he has some init scripts or something else calling iptables before
he starts his containers which will load any modules required by his
container.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20140114/e3306f7c/attachment.pgp>