[systemd-devel] Secure Linux Containers. I have masked down the systemd starting most daemons within containers.

Lennart Poettering lennart at poettering.net
Fri Mar 22 19:37:51 PDT 2013

On Mon, 11.03.13 17:45, Daniel J Walsh (dwalsh at redhat.com) wrote:

> > LVM is probably invoked from the fedora units for it. You might be able to
> > mask them. Or you might be able to convince the LVM folks to conditionalize
> > them somehow, for example via ConditionVirtualization=!container or
> > ConditionCapabilities=CAP_MKNOD or so.
> > 
> > The crond unit you should be able to simply disable.
> > 
> > Lennart
> > 
> Well I still have the LVM Problem
>   /dev/mapper/control: mknod failed: Operation not permitted
>   Failure to communicate with kernel device-mapper driver.
>   Check that device-mapper is available in the kernel.
> Default target could not be isolated, starting instead: Operation refused,
> unit may not be isolated.

This really sounds as if the LVM units should conditionalize themselves
on CAP_MKNOD as suggested. It might make sense to file a bug asking them
to add ConditionCapabilities=CAP_MKNOD to their unit files. 


Lennart Poettering - Red Hat, Inc.

More information about the systemd-devel mailing list