[PVE-User] Debian buster, systemd, container and nesting=1
s.ivanov at proxmox.com
Tue Feb 25 18:43:41 CET 2020
On Tue, 18 Feb 2020 16:44:26 +0100
Marco Gaiarin <gaio at sv.lnf.it> wrote:
> I'm still on PVE 5.4.
> I've upgraded a (privileged) LXC container to debian buster, that was
> originally installed as debian jessie, then upgraded to stretch, but
> still without systemd.
> Upgrading to buster triggers systemd installation.
> After installation, most of the services, not all, do not start, e.g.
> root at vnc:~# systemctl status apache2.service
> ● apache2.service - The Apache HTTP Server
> Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
> Active: failed (Result: exit-code) since Tue 2020-02-18 16:06:35 CET; 44s ago
> Docs: https://httpd.apache.org/docs/2.4/
> Process: 120 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)
> feb 18 16:06:35 vnc systemd: Starting The Apache HTTP Server...
> feb 18 16:06:35 vnc systemd: apache2.service: Failed to set up mount namespacing: Permission denied
> feb 18 16:06:35 vnc systemd: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
> feb 18 16:06:35 vnc systemd: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
> feb 18 16:06:35 vnc systemd: apache2.service: Failed with result 'exit-code'.
> feb 18 16:06:35 vnc systemd: Failed to start The Apache HTTP Server.
> Google tells me to add 'nesting=1' to 'features', which works, but looking at:
> I read:
> nesting=<boolean> (default = 0)
> Allow nesting. Best used with unprivileged containers with additional id mapping. Note that this will expose procfs and sysfs contents of the host to the guest.
> I can convert this container to an unprivileged one, but not the others; for
> example, some containers are Samba domain controllers, which need a
> privileged container.
Not sure - but why would Samba need to be privileged?
> There's another/better way to make systemd work on containers?
I guess my preferred actions in order:
* setup new unprivileged container and migrate the workload/services from
the old one (optionally enabling nesting if needed)
* try backup/restore to get a privileged container to an unprivileged one
* keep the privileged container with nesting off
* migrate the setup into a qemu-guest
* edit the unit files of the affected services (e.g. apache) - usually
it's the PrivateTmp option which causes this (it wants to mount --rbind
-o rw /) - and drop the PrivateTmp option (see )
* consider making an apparmor override for this particular mount
combination+container (which also can potentially be a security hole:
some apparmor rules are bound to absolute paths and using rbind you can
change the path)
* turn on nesting for a privileged container (keep in mind that you then
open it up quite a bit for breakouts)
Of course, probably not all of those options can be applied in your
I hope this helps!
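As an added illustration of the "edit the unit files" option above (example code, not from the thread, Proxmox or Debian): a small POSIX shell helper that lists the sandboxing directives in a unit that make systemd build a mount namespace, and disables PrivateTmp for one unit through a drop-in rather than by editing the vendor file or enabling nesting. The directive list beyond PrivateTmp, the sample unit and the drop-in file name are assumptions.

```shell
# Added example (not from the mailing-list thread): find the directives that
# make systemd set up a mount namespace (the cause of the
# "status=226/NAMESPACE" failure quoted above) and switch PrivateTmp off
# with a drop-in under /etc/systemd/system instead of editing the vendor unit.

# Constructed, simplified unit resembling Debian's apache2.service, written
# into $1 so the functions below can be exercised without touching a live system.
write_sample_unit() {
    f="$1/apache2.service"
    cat > "$f" <<'EOF'
[Unit]
Description=The Apache HTTP Server

[Service]
Type=forking
ExecStart=/usr/sbin/apachectl start
PrivateTmp=true
EOF
    echo "$f"
}

# Print each directive in a unit file that implies a mount namespace. The
# thread names PrivateTmp; the other keys are assumed from systemd's sandboxing
# options and would need the same treatment if present.
namespace_directives() {
    grep -E '^(PrivateTmp|PrivateDevices|ProtectSystem|ProtectHome|ProtectKernelTunables|ProtectControlGroups|ReadOnlyPaths|ReadWritePaths|InaccessiblePaths|TemporaryFileSystem|RootDirectory)=' "$1"
}

# Create <dropin_root>/<unit>.d/no-privatetmp.conf with PrivateTmp=no.
# On a real container use dropin_root=/etc/systemd/system and run
# "systemctl daemon-reload" afterwards: the drop-in survives package upgrades
# and relaxes only this unit, unlike nesting=1 which widens the whole container.
write_privatetmp_dropin() {
    unit="$1"
    dropin_root="$2"
    dir="$dropin_root/$unit.d"
    mkdir -p "$dir"
    printf '[Service]\nPrivateTmp=no\n' > "$dir/no-privatetmp.conf"
    echo "$dir/no-privatetmp.conf"
}
```

Run it as `namespace_directives /lib/systemd/system/apache2.service` to see what the unit asks for, then `write_privatetmp_dropin apache2.service /etc/systemd/system` if PrivateTmp is the only offender.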