Apache2: Failed to set up mount namespacing: Permission denied - linux

I have a VPS server with Debian 10. I want to start Apache2 with the option PrivateTmp=true.
But on start it fails with the error: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied.
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-11-27 17:17:43 CET; 5s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 523 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)
Nov 27 17:17:43 5091-server systemd[1]: Starting The Apache HTTP Server...
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed to set up mount namespacing: Permission denied
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 27 17:17:43 5091-server systemd[1]: Failed to start The Apache HTTP Server.
I checked the permissions for tmp:
root#5091-server:~# ls -ld /tmp
drwxrwxrwt 8 root root 4096 Nov 27 17:17 /tmp
root#5091-server:~# ls -ld /var/tmp
drwxrwxrwt 2 root root 4096 Nov 27 17:17 /var/tmp
Any idea which permissions are wrong?

This can work...
sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
sudo systemctl daemon-reload
sudo systemctl start apache2.service
sudo systemctl status apache2.service

This is related to new systemd security features (v220+?) conflicting with unprivileged LXC containers like the ones inside Proxmox.
Edit apache config (the clean way):
sudo systemctl edit apache2.service
Add this to disable the new systemd security features (they affect LXC containers like the ones inside Proxmox):
[Service]
PrivateDevices=false
PrivateTmp=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
Maybe only these are necessary:
ProtectHome=false
ProtectSystem=false
Then
sudo systemctl start apache2.service
sudo systemctl status apache2.service # Just to check the output
I saw this on apache2 and memcached. Also with systemd-logind. In this last case ssh connection speed was affected. ssh -vvv was stuck on debug1: pledge: filesystem (without VPN), and debug1: pledge: network (with VPN). As mentioned here and here the problem is solved by enabling nesting (also here) on the Proxmox containers.
Probably simply enabling the "nesting" feature for the container (if it is unprivileged) will allow systemd to make use of its namespacing features.
Related
Nested containers in LXD | Ubuntu
Roadmap - Proxmox VE 7.1 (The real fix is to upgrade the host?)
Failed to reset devices.list...Operation not permitted · Issue #2004 · lxc/lxd
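To see which of the directives the workaround disables actually change anything for a given unit, here is an added example (not code from the answers above) that computes the effective [Service] settings after a `systemctl edit` drop-in and lists the hardening directives the drop-in turns off. The vendor unit text is constructed to match the question (apache2.service with PrivateTmp=true); the drop-in is the one the answer suggests.

```python
"""Effective systemd [Service] settings after drop-ins, and which
sandboxing directives the override weakens.  Added example; unit texts
below are constructed, not copied from any distribution package."""
import configparser

# Sandboxing directives named on this page; true/full/strict harden.
HARDENING = ("PrivateTmp", "PrivateDevices", "ProtectSystem", "ProtectHome",
             "ProtectControlGroups", "ProtectKernelModules", "NoNewPrivileges")

VENDOR = """[Unit]
Description=The Apache HTTP Server
[Service]
Type=forking
ExecStart=/usr/sbin/apachectl start
PrivateTmp=true
"""
# Drop-in as written by `systemctl edit apache2.service` (constructed).
DROPIN = """[Service]
PrivateDevices=false
PrivateTmp=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
"""

def parse_unit(text):
    """Parse unit-file text into {section: {key: value}}.  Unit files are
    INI-like: '#'/';' comments, '=' separator, CamelCase keys kept as-is."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_service(vendor, *dropins):
    """Later files override earlier keys, as systemd applies drop-ins."""
    svc = {}
    for text in (vendor,) + dropins:
        svc.update(parse_unit(text).get("Service", {}))
    return svc

def weakened(vendor, *dropins):
    """Hardening directives that were on in the vendor unit but are off
    after the drop-ins.  Unset directives are treated as off (systemd's
    default for all of these)."""
    base, final = effective_service(vendor), effective_service(vendor, *dropins)
    off = lambda v: v.lower() in ("false", "no", "0", "off")
    return sorted(k for k in HARDENING
                  if k in final and off(final[k]) and not off(base.get(k, "false")))

if __name__ == "__main__":
    print("weakened by drop-in:", weakened(VENDOR, DROPIN))
```

For the constructed unit only PrivateTmp was on to begin with, so the other four `=false` lines in the drop-in change nothing and can be left out.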

How to fix permission denied issue with RedisJson?

When I try to load a redis module with loadmodule in redis.conf, redis-server crashes.
The log shows
Module /etc/modules/librejson.so failed to load: /etc/modules/librejson.so: unable to open shared objects file: Permission denied.
I have read the documentation to install RedisJson, but it does not work for me.
If I comment out the loadmodule line, the server works fine.
Installation process
sudo dnf update
sudo dnf upgrade
sudo dnf install redis
Configuration
cd /etc/redis
nvim redis.conf
loadmodule /etc/modules/librejson.so
supervised systemd
The rest of the file is kept by default
What I did
I created a modules folder inside the etc folder
I ran chown redis:root on the modules folder
I moved the module to /etc/modules because I had read that homeprotection can block redis when trying to read the module in the /home path.
Then I used ls -l to check permissions and owners:
-rwxr-xr-x. 2 user user user 23668904 Feb 15 09:10 librejson.so
after that, I ran chown redis:root (matching the redis.conf owners): -rwxr-xr-xr-x. 2 redis root 23668904 Feb 15 09:10 librejson.so
and when I ran sudo systemctl restart redis.service:
Job for redis.service failed because the control process exited with error code.
See "systemctl status redis.service" and "journalctl -xeu redis.service" for details.
systemctl status redis.service:
redis.service - Redis persistent key-value database
Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; preset: disabled)
Drop-In: /etc/systemd/system/redis.service.d
└─limit.conf
Active: failed (Result: exit-code) since Thu 2023-02-16 13:21:58 CST; 6min ago
Process: 28947 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --daemonize no --supervised systemd (code=exited, status=1/FAILURE)
Main PID: 28947 (code=exited, status=1/FAILURE)
Status: "Redis is loading..."
CPU: 10ms
Feb 16 13:21:58 fedora systemd[1]: Starting redis.service - Redis persistent key-value database...
Feb 16 13:21:58 fedora systemd[1]: redis.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 13:21:58 fedora systemd[1]: redis.service: Failed with result 'exit-code'.
Feb 16 13:21:58 fedora systemd[1]: Failed to start redis.service - Redis persistent key-value database.
and nothing, I ran out of ideas.
System specs
Fedora 37
Redis server v=7.0.8

NGINX error after 'sudo systemctl status nginx' - Failed with result 'exit-code'

After trying to add new domains to my Ubuntu 20.04 cloud server with nginx and pm2, I created a server block in
'/etc/nginx/sites-available/mydomain.ar'
and did the same thing into
'/etc/nginx/sites-enabled/mydomain.ar'
The next step was to link both files with
ln -s /etc/nginx/sites-available/cloud.ktsoftware.ar /etc/nginx/sites-enabled/cloud.ktsoftware.ar
I got an error that the file already existed
ln: failed to create symbolic link '/etc/nginx/sites-enabled/mydomain.ar': File exists
so I forced the link
sudo ln -sf /etc/nginx/sites-available/cloud.ktsoftware.ar /etc/nginx/sites-enabled/cloud.ktsoftware.ar
Everything appeared OK, no error response after that. Then I ran
sudo systemctl status nginx
and got this error:
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sun 2022-07-10 13:47:17 -03; 17min ago
Docs: man:nginx(8)
Process: 1287489 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
below first error paragraph
Jul 10 13:47:17 vps-2421400-x systemd[1]: nginx.service: Succeeded.
Jul 10 13:47:17 vps-2421400-x systemd[1]: Stopped A high performance web server and a reverse proxy server.
Jul 10 13:47:17 vps-2421400-x systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 10 13:47:17 vps-2421400-x nginx[1287489]: nginx: [emerg] open() "/etc/nginx/sites-enabled/mydomain.conf" failed (2: No such file or directory) in /etc/n>
Jul 10 13:47:17 vps-2421400-x nginx[1287489]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 10 13:47:17 vps-2421400-x systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 10 13:47:17 vps-2421400-x systemd[1]: nginx.service: Failed with result 'exit-code'.
Jul 10 13:47:17 vps-2421400-x systemd[1]: Failed to start A high performance web server and a reverse proxy server.
and I think it crashed everything.
What is the best way to link the domains server blocks?
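The question's setup (a copy in sites-enabled, then a forced symlink under another name, and nginx then failing on a path that does not exist) is exactly what an audit of sites-enabled should catch. Added example, not from the question: it reports entries that are regular files instead of symlinks, symlinks whose target is missing (what `nginx -t` shows as "No such file or directory"), and links that point outside sites-available. The directory layout and server blocks are constructed in a temporary directory.

```python
"""Audit an nginx sites-enabled directory: every entry should be a symlink
into sites-available whose target exists.  Added example; the layout in
demo() is constructed to mirror the question, not taken from a real host."""
import os
import tempfile

def audit_sites_enabled(enabled, available):
    """Return sorted (entry, problem) pairs; healthy entries are omitted."""
    problems = []
    avail_dir = os.path.realpath(available)
    for name in sorted(os.listdir(enabled)):
        path = os.path.join(enabled, name)
        if not os.path.islink(path):
            # A copied file: edits in sites-available are never picked up,
            # and a later `ln -s` of the same name fails with "File exists".
            problems.append((name, "regular file, not a symlink"))
            continue
        target = os.path.realpath(path)
        if not os.path.exists(target):
            # Dangling link: nginx -t fails with open() ... No such file.
            problems.append((name, "dangling symlink -> " + os.readlink(path)))
        elif os.path.dirname(target) != avail_dir:
            problems.append((name, "symlink points outside sites-available"))
    return problems

def demo():
    """Constructed layout: one good link, one copied file (mydomain.ar), and
    one link whose sites-available target was never created (mydomain.conf)."""
    root = tempfile.mkdtemp()
    avail = os.path.join(root, "sites-available")
    enabled = os.path.join(root, "sites-enabled")
    os.mkdir(avail)
    os.mkdir(enabled)
    for site in ("default", "mydomain.ar"):
        with open(os.path.join(avail, site), "w") as f:
            f.write("server { listen 80; server_name %s; }\n" % site)
    os.symlink(os.path.join(avail, "default"), os.path.join(enabled, "default"))
    with open(os.path.join(enabled, "mydomain.ar"), "w") as f:
        f.write("server { listen 80; server_name mydomain.ar; }\n")
    os.symlink(os.path.join(avail, "mydomain.conf"),
               os.path.join(enabled, "mydomain.conf"))
    return audit_sites_enabled(enabled, avail)

if __name__ == "__main__":
    for entry, problem in demo():
        print("%-16s %s" % (entry, problem))
```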

Systemd enabled services not starting at boot anymore

I made some custom systemd services a long time ago; all have the same configuration (except for the ExecStart, of course).
This configuration worked for years. I have had Ubuntu up and running since version 18.04 LTS, but now it looks like some of these systemd services aren't starting at boot at all. The configuration is as follows (myapp.service):
[Unit]
Description="myapp"
After=syslog.target network-online.target
Wants=network-online.target
[Service]
Restart=always
RestartSec=10
User=root
Group=root
WorkingDirectory=/opt/myapp
ExecStart=/usr/local/bin/myapp
KillMode=control-group
[Install]
WantedBy=multi-user.target
The service is enabled:
$ sudo systemctl enable myapp
Created symlink /etc/systemd/system/multi-user.target.wants/myapp.service → /lib/systemd/system/myapp.service.
If I run "systemctl status myapp" after a reboot:
● myapp.service - "myapp"
Loaded: loaded (/lib/systemd/system/myapp.service; enabled; vendor preset: enabled)
Active: inactive (dead)
If I run "journalctl -u myapp -f" after a reboot:
Jan 13 12:10:06 myhost systemd[1]: Started myapp.
Jan 17 07:15:03 myhost systemd[1]: Stopping myapp...
Jan 17 07:15:09 myhost systemd[1]: Stopped myapp.
What's wrong with my configuration?
If I manually start /usr/local/bin/myapp there are no errors on the script and I've also tried running it with tmux, now it's 3 days running in bg and no errors. But systemd just won't start it after a reboot.
Today I've also tried to install a new service that requires a systemd config; the package is zram-config and by default it is enabled at boot.
But after a: apt install zram-config && sudo reboot:
$ sudo systemctl status zram-config
● zram-config.service - Initializes zram swaping
Loaded: loaded (/lib/systemd/system/zram-config.service; enabled; vendor preset: enabled)
Active: inactive (dead)
but if I now run:
$ sudo systemctl start zram-config
$ sudo systemctl status zram-config
● zram-config.service - Initializes zram swaping
Loaded: loaded (/lib/systemd/system/zram-config.service; enabled; vendor preset: enabled)
Active: active (exited) since Mon 2020-01-27 12:25:55 CET; 1s ago
Process: 5541 ExecStart=/usr/bin/init-zram-swapping (code=exited, status=0/SUCCESS)
Main PID: 5541 (code=exited, status=0/SUCCESS)
Jan 27 12:25:55 myhost systemd[1]: Starting Initializes zram swaping...
Jan 27 12:25:55 myhost init-zram-swapping[5541]: Setting up swapspace version 1, size = 985,7 MiB (1033568256 bytes)
Jan 27 12:25:55 myhost init-zram-swapping[5541]: nessuna etichetta, UUID=4ac5c2cd-0c68-4f6d-a5c0-d8f91a509c71
Jan 27 12:25:55 myhost init-zram-swapping[5541]: Setting up swapspace version 1, size = 985,7 MiB (1033568256 bytes)
Jan 27 12:25:55 myhost init-zram-swapping[5541]: nessuna etichetta, UUID=83a4f201-d591-4222-89a6-5bc5aebedef4
Jan 27 12:25:55 myhost init-zram-swapping[5541]: Setting up swapspace version 1, size = 985,7 MiB (1033568256 bytes)
Jan 27 12:25:55 myhost init-zram-swapping[5541]: nessuna etichetta, UUID=1f6f742e-6fb8-4332-b226-bf6918f7ee28
Jan 27 12:25:55 myhost init-zram-swapping[5541]: Setting up swapspace version 1, size = 985,7 MiB (1033568256 bytes)
Jan 27 12:25:55 myhost init-zram-swapping[5541]: nessuna etichetta, UUID=a5509c55-46f5-4112-8fe1-68171f31409e
Jan 27 12:25:55 myhost systemd[1]: Started Initializes zram swaping.
I really don't understand what's wrong with systemd on my Ubuntu install; would it be better to do a fresh reinstall of the whole OS?
Thanks
Check the full output of journalctl for a message about cycles, like:
Job <your.service> deleted to break ordering cycle starting with <something else>
I had a similar issue. It was due to ordering cycles, which was very hard to debug and fix.

unable to configure the Docker daemon with file /etc/docker/daemon.json: EOF

I am new to Docker and cannot understand these errors. So please let me know if any more information is needed.
`$ docker --version`
Docker version 1.12.6, build 88a4867/1.12.6
`$ docker info`
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
`$ sudo dockerd`
FATA[0000] unable to configure the Docker daemon with file /etc/docker/daemon.json: EOF
`$ sudo systemctl start docker`
Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
`$ sudo systemctl status docker.service -l`
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2017-07-26 14:30:21 EDT; 8min ago
Docs: http://docs.docker.com
Process: 5835 ExecStart=/usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $ADD_REGISTRY $BLOCK_REGISTRY $INSECURE_REGISTRY (code=exited, status=1/FAILURE)
Main PID: 5835 (code=exited, status=1/FAILURE)
Jul 26 14:30:21: Starting Docker Application Container Engine...
Jul 26 14:30:21 dockerd-current[5835]: time="2017-07-26T14:30:21-04:00" level=fatal msg="unable to configure the Docker daemon with file /etc/docker/daemon.json: EOF\n"
Jul 26 14:30:21 systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
Jul 26 14:30:21 systemd[1]: Failed to start Docker Application Container Engine.
Jul 26 14:30:21 systemd[1]: Unit docker.service entered failed state.
Jul 26 14:30:21 systemd[1]: docker.service failed.
Please let me know if I need to check anything else.
The file /etc/docker/daemon.json should not be present, or if it is present it should contain a valid JSON object. A blank file causes an error. Either delete the file or, if you want to keep an effectively empty file, give it the content below:
{
}
This is an empty JSON object.
I had the same problem. But I had edited the file /etc/docker/daemon.json and added some options to it. If a line with an option is not the last one, it has to end with a comma character (,).
As the root user, type:
$ nano /etc/docker/daemon.json
If the file shows blank or no text, then just add:
{
}
then save and exit.
Then try to restart docker using
$ service docker restart
In my case I just removed that file using this command
$ sudo rm /etc/docker/daemon.json
and then restarted the service
$ sudo systemctl restart docker.service
$ sudo systemctl status docker.service

Systemd service for jar file gets "operation timed out" error after a few minutes or stays in "activating" mode

The service unit is:
[Unit]
Description=test
After=syslog.target
After=network.target
[Service]
Type=forking
ExecStart=/bin/java -jar /home/ec2-user/test.jar
TimeoutSec=300
[Install]
WantedBy=multi-user.target
It starts fine for 1-4 minutes. But later it fails:
tail /var/log/messages:
Feb 27 18:43:44 ip-172-31-40-48 systemd: Reloading.
Feb 27 18:44:06 ip-172-31-40-48 systemd: Starting test...
Feb 27 18:44:06 ip-172-31-40-48 java: 5.1.73
Feb 27 18:44:06 ip-172-31-40-48 java: Starting the internal [HTTP/1.1] server on port 8182
Feb 27 18:49:06 ip-172-31-40-48 systemd: test.service operation timed out.Terminating.
Feb 27 18:49:06 ip-172-31-40-48 systemd: test.service: control process exited, code=exited status=143
Feb 27 18:49:06 ip-172-31-40-48 systemd: Failed to start test.
Feb 27 18:49:06 ip-172-31-40-48 systemd: Unit test.service entered failed state.
systemctl status test.service (while restarting- stays in activating mode):
test.service - Setsnew
Loaded: loaded (/etc/systemd/system/test.service; enabled)
Active: activating (start) since Sun 2015-03-01 14:29:36 EST; 2min 30s ago
Control: 32462 (java)
CGroup: /system.slice/test.service
systemctl status test.service (after fail):
test.service - test
Loaded: loaded (/etc/systemd/system/test.service; enabled)
Active: failed (Result: exit-code) since Fri 2015-02-27 18:49:06 EST; 18min ago
Process: 27954 ExecStart=/bin/java -jar /home/ec2-user/test.jar (code=exited, status=143)
When running the jar from the command line it works just fine.
I tried changing the jar location because I thought it was a permissions problem.
SELinux is off.
How can I fix this issue so I can start the jar on boot? Are there any alternatives? (RHEL7 does not include the service command.)
You made the service type forking, but this service does not fork. It just runs directly. Thus systemd waited five minutes for the program to daemonize itself, and it never did. The correct type for such a service is simple.
You also disabled SELinux, which is another problem you should resolve.
