[systemd-devel] Secure Linux Containers. I have masked down the systemd starting most daemons within containers.
Lennart Poettering
lennart at poettering.net
Fri Mar 22 19:37:51 PDT 2013
On Mon, 11.03.13 17:45, Daniel J Walsh (dwalsh at redhat.com) wrote:
> > LVM is probably invoked from the fedora units for it. You might be able to
> > mask them. Or you might be able to convince the LVM folks to conditionalize
> > them somehow, for example via ConditionVirtualization=!container or
> > ConditionCapabilities=CAP_MKNOD or so.
> >
> > The crond unit you should be able to simply disable.
> >
> > Lennart
> >
>
>
> Well I still have the LVM Problem
>
> /dev/mapper/control: mknod failed: Operation not permitted
> Failure to communicate with kernel device-mapper driver.
> Check that device-mapper is available in the kernel.
> Default target could not be isolated, starting instead: Operation refused,
> unit may not be isolated.
This really sounds as if the LVM units should conditionalize themselves
on CAP_MKNOD as suggested. It might make sense to file a bug asking them
to add ConditionCapabilities=CAP_MKNOD to their unit files.
Lennart
--
Lennart Poettering - Red Hat, Inc.
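The two conditions discussed in the thread, worked through as an added example (this is not code from the thread, from systemd or from the LVM units). The script evaluates what systemd would evaluate, i.e. whether PID 1 runs in a container and whether CAP_MKNOD is in the process's bounding capability set, and writes the suggested conditions into a drop-in. Assumptions not stated on the page: the unit name lvm2-monitor.service and the drop-in file name 10-container.conf are illustrative; the actual systemd directive is spelled ConditionCapability= (singular) in systemd.unit(5); the fallback container detection via the container= variable in /proc/1/environ is what systemd-nspawn sets and is used only when systemd-detect-virt is absent.

```shell
#!/bin/bash
# Added example, not part of the systemd-devel thread or of any project.
# Emulates ConditionVirtualization=!container and ConditionCapability=CAP_MKNOD
# and writes them as a drop-in so a unit (assumed: lvm2-monitor.service)
# skips itself where mknod is not permitted.

CAP_MKNOD=27   # capability number from <linux/capability.h>

# has_cap MASK_HEX CAPNUM: succeed if bit CAPNUM is set in a hex capability
# mask of the form found in /proc/<pid>/status (e.g. 0000003fffffffff).
has_cap() {
    local mask=$1 cap=$2
    [ $(( (0x$mask >> $cap) & 1 )) -eq 1 ]
}

# bounding_cap_mask: the CapBnd mask of this process, hex digits only.
bounding_cap_mask() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# in_container: mirrors ConditionVirtualization=container. Prefers
# systemd-detect-virt; otherwise looks for container= in PID 1's environment
# (assumption: that is how systemd-nspawn marks the container).
in_container() {
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        systemd-detect-virt --container --quiet
    else
        tr '\0' '\n' < /proc/1/environ 2>/dev/null | grep -q '^container='
    fi
}

# unit_would_start IN_CONTAINER(0/1) HAS_MKNOD(0/1): systemd ANDs all
# Condition*= lines, so with both directives the unit starts only when it is
# not in a container AND CAP_MKNOD is present. Either line alone already
# stops the LVM units in a CAP_MKNOD-less container.
unit_would_start() {
    local in_ctr=$1 has_mknod=$2
    [ "$in_ctr" -eq 0 ] && [ "$has_mknod" -eq 1 ]
}

# write_container_dropin UNIT [ROOT]: write the drop-in and print its path.
# ROOT defaults to /etc/systemd/system; pass a temp dir to stage it first.
write_container_dropin() {
    local unit=$1 root=${2:-/etc/systemd/system}
    local dir="$root/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/10-container.conf" <<'EOF'
# Added drop-in (illustrative): skip this unit in containers and wherever
# mknod is not allowed, so device-mapper setup is never attempted there.
[Unit]
ConditionVirtualization=!container
ConditionCapability=CAP_MKNOD
EOF
    echo "$dir/10-container.conf"
}

# report: show what the conditions would decide on this host.
report() {
    local ctr=0 mknod=0
    in_container && ctr=1
    has_cap "$(bounding_cap_mask)" "$CAP_MKNOD" && mknod=1
    echo "in_container=$ctr cap_mknod_in_bounding_set=$mknod"
    if unit_would_start "$ctr" "$mknod"; then
        echo "both conditions hold: unit would start"
    else
        echo "a condition fails: systemd would skip the unit (not a failure)"
    fi
}

[ -r /proc/self/status ] && report
```

Run it as root inside the container to see which condition trips; `write_container_dropin lvm2-monitor.service` followed by `systemctl daemon-reload` installs the drop-in, whereas `systemctl mask <unit>` (which links the unit to /dev/null) is the blunter alternative Lennart mentions for units like crond. A skipped condition is reported by systemd as the unit being inactive, not failed, which is exactly what you want in place of the mknod error shown above.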