[PVE-User] Debian buster, systemd, container and nesting=1

Marco Gaiarin gaio at sv.lnf.it
Tue Feb 18 16:44:26 CET 2020 

I'm still on PVE 5.4.

I've upgraded a (privileged) LXC container to debian buster, that was
originally installed as debian jessie, then upgraded to stretch, but
still without systemd.
Upgrading to buster trigger systemd installation.

After installation, most of the services, not all, does not start, eg
apache:

 root at vnc:~# systemctl status apache2.service 
 ● apache2.service - The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
    Active: failed (Result: exit-code) since Tue 2020-02-18 16:06:35 CET; 44s ago
      Docs: https://httpd.apache.org/docs/2.4/
   Process: 120 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)
 
 feb 18 16:06:35 vnc systemd[1]: Starting The Apache HTTP Server...
 feb 18 16:06:35 vnc systemd[120]: apache2.service: Failed to set up mount namespacing: Permission denied
 feb 18 16:06:35 vnc systemd[120]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
 feb 18 16:06:35 vnc systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
 feb 18 16:06:35 vnc systemd[1]: apache2.service: Failed with result 'exit-code'.
 feb 18 16:06:35 vnc systemd[1]: Failed to start The Apache HTTP Server.

google say me to add 'nesting=1' to 'features', that works, but looking at:

	https://pve.proxmox.com/wiki/Linux_Container

i read:

 nesting=<boolean> (default = 0)
    Allow nesting. Best used with unprivileged containers with additional id mapping. Note that this will expose procfs and sysfs contents of the host to the guest.


i can convert this container to an unprivileged ones, but other no, for
examples some containers are samba domain controller, that need a
privileged container.


There's another/better way to make systemd work on containers?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the pve-user mailing list