[systemd-devel] Secure Linux Containers. I have masked down the systemd starting most daemons within containers.

Lennart Poettering lennart at poettering.net
Wed Mar 6 06:08:12 PST 2013


On Thu, 14.02.13 07:16, Daniel J Walsh (dwalsh at redhat.com) wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Welcome to Fedora 19 (Rawhide)!
> 
> Set hostname to <lincoln3>.
>   /dev/mapper/control: mknod failed: Operation not permitted
>   Failure to communicate with kernel device-mapper driver.
>   Check that device-mapper is available in the kernel.
> [  OK  ] Listening on Delayed Shutdown Socket.
> [  OK  ] Reached target Swap.
> [  OK  ] Reached target Local File Systems.
> [  OK  ] Listening on Journal Socket.
>          Starting Recreate Volatile Files and Directories...
>          Starting Journal Service...
> [  OK  ] Started Journal Service.
> [  OK  ] Started Recreate Volatile Files and Directories.
> [  OK  ] Reached target System Initialization.
> [  OK  ] Listening on D-Bus System Message Bus Socket.
> [  OK  ] Reached target Sockets.
> [  OK  ] Reached target Basic System.
>          Starting The Apache HTTP Server...
> [  OK  ] Started The Apache HTTP Server.
> [  OK  ] Reached target Sandbox multi-user target.
> Failed to issue method call: Unit chronyd.service is not loaded.
> 
> 
> As you can see, it looks like systemd is attempting to start some lvm stuff
> and crond.  Any ideas on where this stuff is being started?  I want neither to
> run within the container.

Is this still relevant?

LVM is probably invoked from the fedora units for it. You might be able
to mask them. Or you might be able to convince the LVM folks to
conditionalize them somehow, for example via
ConditionVirtualization=!container or ConditionCapabilities=CAP_MKNOD or
so.

The crond unit you should be able to simply disable.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
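An added example (not code from the thread or from systemd itself) of the two approaches Lennart mentions: a drop-in that conditionalizes a unit so it is skipped inside a container, next to a small evaluator that mirrors how the two conditions decide. The unit name `example-lvm.service` and the root directory argument are placeholders; in systemd.unit(5) the capability directive is spelled `ConditionCapability=`, and CAP_MKNOD is capability number 27, so the evaluator tests bit 27 of a CapBnd mask as shown in /proc/self/status. Masking (`systemctl mask`) remains the alternative when the unit cannot be changed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: keep a device-mapper/LVM
# style unit from starting in a container, and reason about the two conditions.

# Write a drop-in override for UNIT under ROOT (default /etc/systemd/system).
# ROOT is a parameter so the function can be exercised against a scratch dir.
write_container_drop_in() {
  unit="$1"; root="${2:-/etc/systemd/system}"
  dir="$root/$unit.d"
  mkdir -p "$dir"
  cat > "$dir/10-no-container.conf" <<'EOF'
[Unit]
# Skip the unit when systemd detects it is running inside a container
ConditionVirtualization=!container
# Also skip when CAP_MKNOD is not in the bounding set (containers often drop it),
# which is exactly what the "mknod failed: Operation not permitted" line implies
ConditionCapability=CAP_MKNOD
EOF
  echo "$dir/10-no-container.conf"
}

# Evaluate the drop-in's conditions offline.
#   $1: virtualization type as systemd-detect-virt would report it
#       ("none", "container", "vm", ...)
#   $2: bounding capability mask as a hex string (CapBnd format in /proc/self/status)
# Returns 0 if the unit would start, 1 if it would be skipped; prints the reason.
unit_would_start() {
  virt="$1"; capbnd_hex="$2"
  if [ "$virt" = "container" ]; then
    echo "skipped: ConditionVirtualization=!container"
    return 1
  fi
  mask=$(( 0x$capbnd_hex ))
  # CAP_MKNOD is capability number 27: test bit 27 of the bounding mask
  if [ $(( (mask >> 27) & 1 )) -eq 0 ]; then
    echo "skipped: ConditionCapability=CAP_MKNOD"
    return 1
  fi
  echo "starts"
  return 0
}

# Stand-alone run: write the drop-in to a scratch directory and check both
# conditions with constructed inputs (full bounding set vs. bit 27 cleared).
scratch=$(mktemp -d)
write_container_drop_in example-lvm.service "$scratch"
unit_would_start none 0000003fffffffff
unit_would_start container 0000003fffffffff || true
unit_would_start none 00000000a00425fb || true
rm -rf "$scratch"
```

After installing the drop-in for a real unit, `systemctl daemon-reload` picks it up; `systemctl status <unit>` then reports a condition failure rather than an error when the unit is skipped in the container, which is a cleaner signal in logs than the mknod failures in the quoted boot output.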
