Lxc-checkconfig: enabled, not loaded

On my Gentoo host system, lxc-checkconfig gives the following output:

$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/openrc
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/cpu
/sys/fs/cgroup/cpuacct
/sys/fs/cgroup/blkio
/sys/fs/cgroup/memory
/sys/fs/cgroup/devices
/sys/fs/cgroup/freezer
/sys/fs/cgroup/net_cls
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/net_prio
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/pids
/sys/fs/cgroup/rdma

Cgroup v2 mount points:
/sys/fs/cgroup/unified

Cgroup v1 systemd controller: missing
Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

What does ‘enabled, not loaded’ mean exactly?

I think it means that the .config of the current kernel supports the feature, but the corresponding kernel module has not been loaded yet.

But these components weren’t compiled as modules to begin with. They are in a monolithic kernel, so there’s nothing to load.

Does this script actually check whether a component is usable?

Have a look at the source,


It appears that the test isn’t robust; it only looks for loaded modules:

echo "--- Misc ---"

echo -n "CONFIG_NF_NAT_IPV4: " && is_enabled CONFIG_NF_NAT_IPV4 && is_probed nf_nat_ipv4

is_probed() {
    lsmod | grep $1 > /dev/null
    if [ $? -eq 0 ]; then
        echo -n ", loaded"
    else
        echo -n ", not loaded"
    fi
}

It checks for a limited number of kernel modules which for some kernels are compiled as modules.

I think it can be extended easily to differentiate between compiled-in and modules, and report appropriately.
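
One way to make the distinction the last post suggests, as an added example that is not part of the thread or of lxc-checkconfig: read `=y` or `=m` from the kernel config first, and consult the module list only for `=m`. The function names, the plain-text config and /proc/modules-format file arguments, and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not lxc-checkconfig code). Assumes a plain-text kernel
# config and a module list in /proc/modules format.

# config_state CONFIG_FILE SYMBOL -> prints y (built-in), m (module) or n
config_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# module_loaded MODULES_FILE NAME -> succeeds if NAME is a loaded module
# (exact match on the first field, not a substring grep)
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# feature_status CONFIG_FILE MODULES_FILE SYMBOL MODULE
feature_status() {
    case $(config_state "$1" "$3") in
        y) echo "enabled, built-in" ;;
        m) if module_loaded "$2" "$4"; then
               echo "enabled, module loaded"
           else
               echo "enabled, module not loaded"
           fi ;;
        *) echo "missing" ;;
    esac
}

# Constructed sample data standing in for the kernel .config and /proc/modules.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/config" <<'EOF'
CONFIG_VETH=y
CONFIG_MACVLAN=m
CONFIG_BRIDGE=m
# CONFIG_VLAN_8021Q is not set
EOF
cat > "$SAMPLE_DIR/modules" <<'EOF'
bridge 200704 0 - Live 0x0000000000000000
EOF

for pair in CONFIG_VETH:veth CONFIG_MACVLAN:macvlan CONFIG_BRIDGE:bridge \
            CONFIG_VLAN_8021Q:8021q; do
    printf '%s: ' "${pair%%:*}"
    feature_status "$SAMPLE_DIR/config" "$SAMPLE_DIR/modules" \
        "${pair%%:*}" "${pair#*:}"
done
```

On a monolithic kernel such as the one in the question, every feature takes the `y` branch and the module list is never read.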