[systemd-devel] Secure Linux Containers. I have masked down the systemd starting most daemons within containers.
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 11 14:45:40 PDT 2013
On 03/06/2013 09:08 AM, Lennart Poettering wrote:
> On Thu, 14.02.13 07:16, Daniel J Walsh (dwalsh at redhat.com) wrote:
>
>> Welcome to Fedora 19 (Rawhide)!
>>
>> Set hostname to <lincoln3>.
>> /dev/mapper/control: mknod failed: Operation not permitted
>> Failure to communicate with kernel device-mapper driver.
>> Check that device-mapper is available in the kernel.
>> [ OK ] Listening on Delayed Shutdown Socket.
>> [ OK ] Reached target Swap.
>> [ OK ] Reached target Local File Systems.
>> [ OK ] Listening on Journal Socket.
>> Starting Recreate Volatile Files and Directories...
>> Starting Journal Service...
>> [ OK ] Started Journal Service.
>> [ OK ] Started Recreate Volatile Files and Directories.
>> [ OK ] Reached target System Initialization.
>> [ OK ] Listening on D-Bus System Message Bus Socket.
>> [ OK ] Reached target Sockets.
>> [ OK ] Reached target Basic System.
>> Starting The Apache HTTP Server...
>> [ OK ] Started The Apache HTTP Server.
>> [ OK ] Reached target Sandbox multi-user target.
>> Failed to issue method call: Unit chronyd.service is not loaded.
>>
>>
>> As you can see, it looks like systemd is attempting to start some lvm
>> stuff and crond. Any ideas on where this stuff is being started? I want
>> neither to run within the container.
>
> Is this still relevant?
>
> LVM is probably invoked from the fedora units for it. You might be able to
> mask them. Or you might be able to convince the LVM folks to conditionalize
> them somehow, for example via ConditionVirtualization=!container or
> ConditionCapabilities=CAP_MKNOD or so.
>
> The crond unit you should be able to simply disable.
>
> Lennart
>
Well, I still have the LVM problem:

/dev/mapper/control: mknod failed: Operation not permitted
Failure to communicate with kernel device-mapper driver.
Check that device-mapper is available in the kernel.
Default target could not be isolated, starting instead: Operation refused, unit may not be isolated.

Everything else seems to be working fine now.
# systemctl list-units
UNIT                                         LOAD   ACTIVE SUB       DESCRIPTION
-.mount                                      loaded active mounted   /
boot.mount                                   loaded active mounted   /boot
dev-ptmx.mount                               loaded active mounted   /dev/ptmx
etc-fstab.mount                              loaded active mounted   /etc/fstab
etc-hostname.mount                           loaded active mounted   /etc/hostname
etc-httpd.mount                              loaded active mounted   /etc/httpd
etc-libvirt\x2dsandbox-scratch.mount         loaded active mounted   /etc/libvirt-sandbox/scratch
etc-machine\x2did.mount                      loaded active mounted   /etc/machine-id
etc-rc.d.mount                               loaded active mounted   /etc/rc.d
etc-systemd-system.mount                     loaded active mounted   /etc/systemd/system
home.mount                                   loaded active mounted   /home
proc-meminfo.mount                           loaded active mounted   /proc/meminfo
root.mount                                   loaded active mounted   /root
run-libvirt-lxc-dan1.mount                   loaded active mounted   /run/libvirt/lxc/dan1
run-user-3267-gvfs.mount                     loaded active mounted   /run/user/3267/gvfs
tmp.mount                                    loaded active mounted   Temporary Directory
usr-lib-syste...naconda.target.wants.mount   loaded active mounted   /usr/lib/systemd/system/anaconda.target.wa
usr-lib-syste...m-basic.target.wants.mount   loaded active mounted   /usr/lib/systemd/system/basic.target.wants
usr-lib-syste...l\x2dfs.target.wants.mount   loaded active mounted   /usr/lib/systemd/system/local-fs.target.wa
usr-lib-syste...x2duser.target.wants.mount   loaded active mounted   /usr/lib/systemd/system/multi-user.target.
usr-lib-syste...sockets.target.wants.mount   loaded active mounted   /usr/lib/systemd/system/sockets.target.wan
usr-lib-syste...sysinit.target.wants.mount   loaded active mounted   /usr/lib/systemd/system/sysinit.target.wan
var-lib-nfs-rpc_pipefs.mount                 loaded active mounted   RPC Pipe File System
var.mount                                    loaded active mounted   /var
dbus.service                                 loaded active running   D-Bus System Message Bus
httpd.service                                loaded active running   The Apache HTTP Server
systemd-journald.service                     loaded active running   Journal Service
systemd-logind.service                       loaded active running   Login Service
systemd-tmpfiles-setup.service               loaded active exited    Recreate Volatile Files and Directories
dbus.socket                                  loaded active running   D-Bus System Message Bus Socket
systemd-journald.socket                      loaded active running   Journal Socket
systemd-shutdownd.socket                     loaded active listening Delayed Shutdown Socket
dev-dm\x2d2.swap                             loaded active active    /dev/dm-2
basic.target                                 loaded active active    Basic System
local-fs.target                              loaded active active    Local File Systems
multi-user.target                            loaded active active    Sandbox multi-user target
sockets.target                               loaded active active    Sockets
swap.target                                  loaded active active    Swap
sysinit.target                               loaded active active    System Initialization
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# systemctl list-unit-files | grep enabled
httpd.service enabled
# systemctl list-unit-files | grep -v disabled
UNIT FILE STATE
proc-sys-fs-binfmt_misc.automount static
dev-hugepages.mount static
dev-mqueue.mount static
proc-fs-nfsd.mount static
proc-sys-fs-binfmt_misc.mount static
sys-fs-fuse-connections.mount static
sys-kernel-config.mount static
sys-kernel-debug.mount static
tmp.mount static
var-lib-nfs-rpc_pipefs.mount static
systemd-ask-password-console.path static
systemd-ask-password-plymouth.path static
systemd-ask-password-wall.path static
alsa-restore.service static
alsa-store.service static
apg@.service static
colord.service static
configure-printer@.service static
dbus-org.freedesktop.hostname1.service static
dbus-org.freedesktop.locale1.service static
dbus-org.freedesktop.login1.service static
dbus-org.freedesktop.timedate1.service static
dbus.service static
dracut-shutdown.service static
emergency.service static
fedora-autorelabel-mark.service static
fedora-autorelabel.service static
fedora-configure.service static
fedora-import-state.service static
fedora-loadmodules.service static
fedora-readonly.service static
fprintd.service static
halt-local.service static
htcacheclean.service static
httpd.service enabled
initrd-cleanup.service static
initrd-parse-etc.service static
initrd-switch-root.service static
initrd-udevadm-cleanup-db.service static
mdmon@.service static
messagebus.service static
oddjobd.service static
pcscd.service static
plymouth-halt.service static
plymouth-kexec.service static
plymouth-poweroff.service static
plymouth-quit-wait.service static
plymouth-quit.service static
plymouth-read-write.service static
plymouth-reboot.service static
plymouth-start.service static
plymouth-switch-root.service static
polkit.service static
qemu-guest-agent.service static
quotaon.service static
rc-local.service static
rescue.service static
serial-getty@.service static
systemd-ask-password-console.service static
systemd-ask-password-plymouth.service static
systemd-ask-password-wall.service static
systemd-binfmt.service static
systemd-fsck-root.service static
systemd-fsck@.service static
systemd-halt.service static
systemd-hibernate.service static
systemd-hostnamed.service static
systemd-hybrid-sleep.service static
systemd-initctl.service static
systemd-journal-flush.service static
systemd-journal-gatewayd.service static
systemd-journald.service static
systemd-kexec.service static
systemd-localed.service static
systemd-logind.service static
systemd-modules-load.service static
systemd-poweroff.service static
systemd-quotacheck.service static
systemd-random-seed-load.service static
systemd-random-seed-save.service static
systemd-readahead-done.service static
systemd-reboot.service static
systemd-remount-fs.service static
systemd-shutdownd.service static
systemd-suspend.service static
systemd-sysctl.service static
systemd-timedated.service static
systemd-tmpfiles-clean.service static
systemd-tmpfiles-setup.service static
systemd-udev-settle.service static
systemd-udev-trigger.service static
systemd-udevd.service static
systemd-update-utmp-runlevel.service static
systemd-update-utmp-shutdown.service static
systemd-user-sessions.service static
systemd-vconsole-setup.service static
tftp.service static
udisks2.service static
usbmuxd.service static
user@.service static
virt-sandbox-setup.service static
virtlockd.service static
dbus.socket static
syslog.socket static
systemd-initctl.socket static
systemd-journald.socket static
systemd-shutdownd.socket static
systemd-udevd-control.socket static
systemd-udevd-kernel.socket static
basic.target static
bluetooth.target static
cryptsetup.target static
emergency.target static
final.target static
getty.target static
hibernate.target static
hybrid-sleep.target static
initrd-switch-root.target static
local-fs-pre.target static
local-fs.target static
multi-user.target static
network.target static
nss-lookup.target static
nss-user-lookup.target static
printer.target static
remote-fs-pre.target static
rpcbind.target static
shutdown.target static
sigpwr.target static
sleep.target static
smartcard.target static
sockets.target static
sound.target static
spice-vdagentd.target static
suspend.target static
swap.target static
sysinit.target static
system-update.target static
time-sync.target static
umount.target static
systemd-readahead-done.timer static
systemd-tmpfiles-clean.timer static
334 unit files listed.
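The two mechanisms Lennart suggests above, as an added example that is not code from either message in the thread: masking a unit (what Daniel's subject line refers to) and adding a Condition*= line through a drop-in so the unit is skipped inside a container. The unit names crond.service and lvm2-monitor.service in the usage comment are assumptions; the thread does not name the Fedora LVM unit that tries the mknod. ROOT is a scratch prefix so the functions can be exercised without touching the real /etc; the directive Lennart spells "ConditionCapabilities=" is ConditionCapability= in systemd.unit(5).

```sh
#!/bin/sh
# Added example (not from the thread). Two ways to keep host-only units
# (device-mapper/LVM setup, crond) from starting inside a container:
#   1. mask the unit: a /dev/null symlink in the admin unit directory
#      shadows /usr/lib/systemd/system/<unit>, so it can never be loaded,
#      not even when another target pulls it in via Wants=
#   2. a drop-in that adds a Condition*= line, so the unit still loads but
#      is skipped when the condition fails
# ROOT is a scratch prefix for testing; leave it empty to write the real
# /etc/systemd/system (then run `systemctl daemon-reload`).
ROOT="${ROOT:-}"

unit_dir() { printf '%s/etc/systemd/system' "$ROOT"; }

mask_unit() {
    # same effect as `systemctl mask "$1"` (unit name supplied by the caller)
    mkdir -p "$(unit_dir)"
    rm -f "$(unit_dir)/$1"
    ln -s /dev/null "$(unit_dir)/$1"
}

is_masked() {
    [ "$(readlink "$(unit_dir)/$1" 2>/dev/null)" = /dev/null ]
}

add_condition() {
    # $1 = unit name, $2 = condition line for its [Unit] section, e.g.
    #   ConditionVirtualization=!container   skip inside any container
    #   ConditionCapability=CAP_MKNOD        skip when the bounding set lacks mknod
    # (the directive is spelled ConditionCapability= in systemd.unit(5))
    mkdir -p "$(unit_dir)/$1.d"
    printf '[Unit]\n%s\n' "$2" > "$(unit_dir)/$1.d/container.conf"
}

has_condition() {
    # exact-line match, so a comment or a different condition does not count
    grep -qxF "$2" "$(unit_dir)/$1.d/container.conf" 2>/dev/null
}

# Usage on a real system (unit names are assumptions; the thread does not
# name the Fedora LVM unit):
#   mask_unit crond.service
#   add_condition lvm2-monitor.service 'ConditionVirtualization=!container'
#   systemctl daemon-reload
#   systemd-detect-virt -c   # shows the container type ConditionVirtualization sees
```

Masking is stronger than `systemctl disable`: a disabled unit can still be started on demand or pulled in by another unit's Wants=, while a masked one fails to load at all, which is why it is the safer choice for anything that must never run inside the sandbox. The drop-in form is the right tool for units the host still needs, since the same unit file then works both on the host and in the container.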