kernel config: Enable CGROUP_BPF
Avoids the following warning:

File /.../systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
dezgeg committed Feb 27, 2018
1 parent ede1b6f commit 822526f
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions pkgs/os-specific/linux/kernel/common-config.nix
Expand Up @@ -134,6 +134,7 @@ with stdenv.lib;
''}
NETFILTER y
NETFILTER_ADVANCED y
CGROUP_BPF? y # Required by systemd per-cgroup firewalling
IP_ROUTE_VERBOSE y
IP_MROUTE_MULTIPLE_TABLES y
IP_VS_PROTO_TCP y
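Review bot: The `?` in `CGROUP_BPF? y` marks the option as optional, so on any kernel where it cannot be set it is dropped without an error and units using `IPAddressDeny=any` go back to running with no IP filtering, which is the state the warning in the commit message describes. CGROUP_BPF also depends on BPF_SYSCALL, which is not set anywhere in the visible context; it is worth confirming that it is enabled elsewhere in this file, since the optional marker would hide a failure here. Consider extending the trailing comment to name the systemd settings that rely on it (`IPAddressAllow=`/`IPAddressDeny=`) and to note which kernel versions lack the option, so that the silent fallback is documented.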

1 comment on commit 822526f

@dezgeg dezgeg commented on 822526f Apr 7, 2018

My guess is LXC removes some privilege from the container such that the mechanism can't be used inside one.