[PVE-User] Debian buster, systemd, container and nesting=1
Stoiko Ivanov
s.ivanov at proxmox.com
Tue Feb 25 18:43:41 CET 2020
Hi,
On Tue, 18 Feb 2020 16:44:26 +0100
Marco Gaiarin <gaio at sv.lnf.it> wrote:
> I'm still on PVE 5.4.
>
> I've upgraded a (privileged) LXC container to debian buster, that was
> originally installed as debian jessie, then upgraded to stretch, but
> still without systemd.
> Upgrading to buster triggers systemd installation.
>
> After installation, most of the services, not all, do not start, e.g.
> apache:
>
> root at vnc:~# systemctl status apache2.service
> ● apache2.service - The Apache HTTP Server
> Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
> Active: failed (Result: exit-code) since Tue 2020-02-18 16:06:35 CET; 44s ago
> Docs: https://httpd.apache.org/docs/2.4/
> Process: 120 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)
>
> feb 18 16:06:35 vnc systemd[1]: Starting The Apache HTTP Server...
> feb 18 16:06:35 vnc systemd[120]: apache2.service: Failed to set up mount namespacing: Permission denied
> feb 18 16:06:35 vnc systemd[120]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
> feb 18 16:06:35 vnc systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
> feb 18 16:06:35 vnc systemd[1]: apache2.service: Failed with result 'exit-code'.
> feb 18 16:06:35 vnc systemd[1]: Failed to start The Apache HTTP Server.
>
> Google tells me to add 'nesting=1' to 'features', which works, but looking at:
>
> https://pve.proxmox.com/wiki/Linux_Container
>
> I read:
>
> nesting=<boolean> (default = 0)
> Allow nesting. Best used with unprivileged containers with additional id mapping. Note that this will expose procfs and sysfs contents of the host to the guest.
>
>
> I can convert this container to an unprivileged one, but others not; for
> example, some containers are Samba domain controllers, which need a
> privileged container.
Not sure, but why would Samba need to be privileged?
>
>
> Is there another/better way to make systemd work on containers?
I guess my preferred actions in order:
* setup new unprivileged container and migrate the workload/services from
the old one (optionally enabling nesting if needed)
* try backup/restore to get a privileged container to an unprivileged one
* keep the privileged container with nesting off
* migrate the setup into a qemu-guest
* edit the unit files of the affected services (e.g. apache) - usually
it's the PrivateTmp option which causes this (it wants to mount --rbind
-o rw /) - and drop the PrivateTmp option (see [0])
* consider making an apparmor override for this particular mount
combination+container (which also can potentially be a security hole:
some apparmor rules are bound to absolute paths and using rbind you can
change the path)
* turn on nesting for a privileged container (keep in mind that you then
open it up quite a bit for breakouts)
Of course, probably not all of those options can be applied in your
environment.
>
>
> Thanks.
>
I hope this helps!
stoiko
[0]https://forum.proxmox.com/threads/apache2-service-failed-to-set-up-mount-namespacing-permission-denied.56871/
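As an added example (not from the thread, nor Proxmox's or systemd's own code), a small POSIX sh check that lists which directives in a unit file make systemd set up a mount namespace, i.e. the ones that produce the "status=226/NAMESPACE" failure above in a privileged container without nesting; the directive list is my own and the sample unit text is constructed, not a real apache2.service.

```shell
#!/bin/sh
# Added example: find the sandboxing directives in a unit that need a private
# mount namespace. In a privileged LXC container without nesting=1 these fail
# with "Failed to set up mount namespacing: Permission denied" (226/NAMESPACE).
# Directive list assumed by this example (known mount-namespace triggers):
NS_DIRECTIVES='PrivateTmp|PrivateDevices|PrivateMounts|ProtectSystem|ProtectHome|ProtectKernelTunables|ProtectControlGroups|ReadOnlyPaths|InaccessiblePaths|BindPaths|BindReadOnlyPaths|TemporaryFileSystem|MountFlags'

# namespace_directives UNIT_TEXT: print "Key=Value" for every enabled
# namespacing directive in the [Service] section, one per line.
# Booleans set to no/false/0 (or emptied) are skipped: they do not namespace.
namespace_directives() {
    printf '%s\n' "$1" | awk -v pat="^($NS_DIRECTIVES)=" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && $0 ~ pat {
            split($0, kv, "=")
            v = tolower(kv[2])
            if (v == "no" || v == "false" || v == "0" || v == "") next
            print $0
        }'
}

# Constructed sample modelled on a typical apache2.service (not the real file).
SAMPLE_UNIT='[Unit]
Description=The Apache HTTP Server
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/apachectl start
PrivateTmp=true
Restart=on-abort

[Install]
WantedBy=multi-user.target'

# What would have to be allowed (nesting) or dropped (override) for this unit?
namespace_directives "$SAMPLE_UNIT"   # prints: PrivateTmp=true

# Drop-in text for the "drop the PrivateTmp option" route from the reply:
# "systemctl edit apache2.service" stores it as
# /etc/systemd/system/apache2.service.d/override.conf, then
# "systemctl daemon-reload && systemctl restart apache2.service" applies it.
# This turns off only that one directive instead of enabling nesting.
override_for_private_tmp() {
    printf '[Service]\nPrivateTmp=no\n'
}
```

Run the check against each unit in /lib/systemd/system of the container to see up front which services will hit 226/NAMESPACE before deciding between a per-unit override and nesting for the whole container.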