This repository has been archived by the owner on Oct 16, 2020. It is now read-only.

Support BPF/cgroup based firewalling #2343

Open
sanmai-NL opened this issue Feb 4, 2018 · 4 comments

@sanmai-NL

Issue Report

Bug

Container Linux Version

NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1632.2.1
VERSION_ID=1632.2.1
BUILD_ID=2018-02-01-2053
PRETTY_NAME="Container Linux by CoreOS 1632.2.1 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
COREOS_BOARD="amd64-usr"

Environment

KVM guest.

Expected Behavior

No error. See systemd/systemd#7188.

Actual Behavior

sudo journalctl -xefb
Feb 04 15:05:45 server dbus[654]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
Feb 04 15:05:45 server systemd[1]: File /usr/lib/systemd/system/systemd-machined.service:27 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Feb 04 15:05:45 server systemd[1]: Proceeding WITHOUT firewalling in effect!
Feb 04 15:05:45 server systemd[1]: Starting Virtual Machine and Container Registration Service.

Reproduction Steps

  1. Run machinectl?
@bgilbert
Contributor

bgilbert commented Feb 9, 2018

The problem is systemd's cgroup mode: the upstream default is hybrid, which does work with cgroup-based firewalling, but we default to legacy mode for compatibility with Docker 1.12. I think we could switch back to the upstream default after backporting opencontainers/runc#1266 to runc-1.0.0_rc2_p9.
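As an added check (not code from the issue thread, systemd or Container Linux), the POSIX shell script below classifies a host's cgroup layout the way the explanation above distinguishes legacy from hybrid, and extracts from journal text the unit files systemd reported as running without their IPAddressDeny= firewall. The mount tables and journal lines embedded in it are constructed samples modelled on the report.

```shell
#!/bin/sh
# Added example, not from the issue, systemd or Container Linux. Two defender-side
# checks for a host showing the warning above: classify systemd's cgroup layout
# from /proc/self/mounts text (legacy mode is what disables IPAddressDeny= here),
# and list unit files whose IP firewall systemd reported as not in effect.

# cgroup_mode MOUNTS_TEXT -> legacy | hybrid | unified | unknown
#   unified: cgroup2 mounted directly at /sys/fs/cgroup
#   hybrid : v1 controllers plus cgroup2 at /sys/fs/cgroup/unified
#   legacy : only cgroup v1 controller hierarchies (Container Linux default in 2018)
cgroup_mode() {
    if printf '%s\n' "$1" | grep -q '^[^ ]* /sys/fs/cgroup cgroup2 '; then
        echo unified
    elif printf '%s\n' "$1" | grep -q '^[^ ]* /sys/fs/cgroup/unified cgroup2 '; then
        echo hybrid
    elif printf '%s\n' "$1" | grep -q '^[^ ]* /sys/fs/cgroup/[^ ]* cgroup '; then
        echo legacy
    else
        echo unknown
    fi
}

# unfirewalled_units JOURNAL_TEXT -> unit file paths (one per line, de-duplicated)
# for which systemd logged that IPAddressDeny= is configured but unsupported.
unfirewalled_units() {
    printf '%s\n' "$1" \
      | sed -n 's|.*File \([^ ]*\):[0-9]* configures an IP firewall.*does not support BPF/cgroup based firewalling.*|\1|p' \
      | sort -u
}

# Constructed samples: abbreviated mount tables and journal lines modelled on the report.
SAMPLE_LEGACY='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0'
SAMPLE_HYBRID="$SAMPLE_LEGACY
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0"
SAMPLE_UNIFIED='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_JOURNAL='Feb 04 15:05:45 server systemd[1]: File /usr/lib/systemd/system/systemd-machined.service:27 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Feb 04 15:05:45 server systemd[1]: Proceeding WITHOUT firewalling in effect!
Feb 04 15:05:45 server systemd[1]: Starting Virtual Machine and Container Registration Service.
Feb 04 15:06:01 server systemd[1]: File /usr/lib/systemd/system/systemd-journald.service:33 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.'

echo "sample legacy table : $(cgroup_mode "$SAMPLE_LEGACY")"
echo "sample hybrid table : $(cgroup_mode "$SAMPLE_HYBRID")"
echo "units without firewalling in sample journal:"
unfirewalled_units "$SAMPLE_JOURNAL"
if [ -r /proc/self/mounts ]; then
    echo "this host           : $(cgroup_mode "$(cat /proc/self/mounts)")"
fi
```

On a live host, feed `journalctl -b -o short` output to `unfirewalled_units` to see which hardened units lost their IP firewall; a result of `legacy` from `cgroup_mode` is the condition the comment above identifies.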

@Vince-Cercury

I'm using kube-aws v0.9.10-rc.5 with CoreOS 1632.3.0 and getting plenty of those:

"File /usr/lib/systemd/system/systemd-journald.service:33 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling."

Is that concerning? What would you recommend?

@bgilbert
Contributor

@Vincemd IPAddressDeny is a security hardening feature in systemd that currently doesn't work in Container Linux. The message is safe to ignore; it just means that this particular hardening feature is not being activated on your system.

@Vince-Cercury

Thanks @bgilbert
