Always bind /sys/module to make lsmod happy

docs/incus_lxd_lxc_kvm.md

@@ -19,7 +19,7 @@ startup=0
 docker_compatible=1
 gpu_passthrough_intel=1
 gpu_passthrough_nvidia=0
-systemd_nspawn_user_args=--network-bridge=br1 --resolv-conf=bind-host --bind=/dev/fuse --bind=/dev/kvm --bind=/dev/vsock --bind=/dev/vhost-vsock --bind-ro=/sys/module
+systemd_nspawn_user_args=--network-bridge=br1 --resolv-conf=bind-host --bind=/dev/fuse --bind=/dev/kvm --bind=/dev/vsock --bind=/dev/vhost-vsock
 # You generally will not need to change the options below
 systemd_run_default_args=--property=KillMode=mixed --property=Type=notify --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=Delegate=yes --property=TasksMax=infinity --collect --setenv=SYSTEMD_NSPAWN_LOCK=0
 systemd_nspawn_default_args=--keep-unit --quiet --boot

jlmkr.py

@@ -320,16 +320,18 @@ def start_jail(jail_name, check_startup_enabled=False):
         f"--description=My nspawn jail {jail_name} [created with jailmaker]",
     ]
 
+    # Always add --bind-ro=/sys/module to make lsmod happy
+    # https://manpages.debian.org/bookworm/manpages/sysfs.5.en.html
     systemd_nspawn_additional_args = [
         f"--machine={jail_name}",
+        "--bind-ro=/sys/module",
         f"--directory={JAIL_ROOTFS_NAME}",
     ]
 
     # TODO: split the docker_compatible option into separate options
     #   - privileged (to disable seccomp, set DevicePolicy=auto and add all capabilities)
     #   - how to call the option to enable ip_forward and bridge-nf-call?
-    # TODO: always add --bind-ro=/sys/module? Or only for privileged jails?
-    # https://manpages.debian.org/bookworm/manpages/sysfs.5.en.html
+    #   - add CSV value for preloading kernel modules like linux.kernel_modules in LXC
 
     if config.get("docker_compatible") == "1":
         # Enable ip forwarding on the host (docker needs it)