In Azure, I created
- 2 file shares
- Ubuntu 18.04 VM
When I try to mount my file share via /etc/fstab, it doesn't work.
However mount command works fine.
Entry in the /etc/fstab:
//audiocloud.file.core.windows.net/audiocloud /mnt/audiocloud cifs nofail,vers=3.0,credentials=/etc/smbcredentials/audiocloud.cred,dir_mode=0777,file_mode=0777,serverino
The mount not created.
I tried to look in syslog:
slavik#ub18:/mnt$ cat /var/log/syslog | grep mnt
Aug 30 07:10:16 ub18 systemd[1]: Dependency failed for /mnt.
Aug 30 07:10:16 ub18 systemd[1]: Dependency failed for /mnt/audiocloud.
Aug 30 07:10:16 ub18 systemd[1]: mnt-audiocloud.mount: Job mnt-audiocloud.mount/start failed with result 'dependency'.
Aug 30 07:10:16 ub18 systemd[1]: mnt.mount: Job mnt.mount/start failed with result 'dependency'.
What does this error means?
Here is mount command, which works successfully:
sudo mount -t cifs //audiocloud.file.core.windows.net/audiocloud /mnt/audiocloud -o vers=3.0,username=###,password=###,dir_mode=0777,file_mode=0777,sec=ntlmssp
Looks like the issue was caused by another mount in /etc/fstab, which added by Azure. Somehow I missed it:
/dev/disk/cloud/azure_resource-part1 /mnt auto defaults,nofail,x-systemd.requires=cloud-init.service,comment=cloudconfig 0 2
Apparently, it mounts to /mnt, so my attempt to mount at /mnt/audiocloud failed.
Not sure though, why the mount command works for the same mount location...
Related
I have VPS server with Debian 10. I want to start Apache2 with option PrivateTmp=true.
But on start it failed with error: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied.
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-11-27 17:17:43 CET; 5s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 523 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)
Nov 27 17:17:43 5091-server systemd[1]: Starting The Apache HTTP Server...
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed to set up mount namespacing: Permission denied
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 27 17:17:43 5091-server systemd[1]: Failed to start The Apache HTTP Server.
I checked the permissions for tmp:
root#5091-server:~# ls -ld /tmp
drwxrwxrwt 8 root root 4096 Nov 27 17:17 /tmp
root#5091-server:~# ls -ld /var/tmp
drwxrwxrwt 2 root root 4096 Nov 27 17:17 /var/tmp
Any idea which permissions are wrong?
This can work...
sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
sudo systemctl daemon-reload
sudo systemctl start apache2.service
sudo systemctl status apache2.service
This is related to new systemd security features (v220+?) conflicting with unprivileged LXC containers like the ones inside Proxmox.
Edit apache config (the clean way):
sudo systemctl edit apache2.service
Add this to disable new systemd security features (affect LXC containers like the ones inside Proxmox)
[Service]
PrivateDevices=false
PrivateTmp=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
Maybe only necessary:
ProtectHome=false
ProtectSystem=false
Then
sudo systemctl start apache2.service
sudo systemctl status apache2.service # Just to check the output
I saw this on apache2 and memcached. Also with systemd-logind. In this last case ssh connection speed was affected. ssh -vvv was stuck on debug1: pledge: filesystem (without VPN), and debug1: pledge: network (with VPN). As mention here and here the problem is solved enabling nesting (also here) on the Proxmox containers.
Probably simply enabling the "nesting" feature for the container (if it is unprivileged) will allow systemd to make use of its namespacing features.
Related
Nested containers in LXD | Ubuntu
Roadmap - Proxmox VE 7.1 The real fix is to upgrade host?
Failed to reset devices.list...Operation not permitted · Issue #2004 · lxc/lxd
I use google cloud shell to execute this program
Linux version
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
Tor version 0.3.5.10.
When I tried restarting "sudo service tor restart" Tor I received an error
[ ok ] Stopping tor daemon...done (not running - there is no /run/tor/tor.pid).
[....] Starting tor daemon...Jun 27 01:51:04.132 [warn] Directory /var/lib/tor cannot be read: Permission denied
Jun 27 01:51:04.132 [warn] Failed to parse/validate config: Couldn't create private data directory "/var/lib/tor"
Jun 27 01:51:04.132 [err] Reading config failed--see warnings above.
failed.
So I set full permissions for the tor directory sudo chmod -R 777 /var/lib/tor
[FAIL] Checking if tor configuration is valid ... failed!
Jun 27 01:53:59.685 [notice] Tor 0.3.5.10 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Jun 27 01:53:59.685 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 27 01:53:59.685 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jun 27 01:53:59.685 [notice] Read configuration file "/etc/tor/torrc".
Jun 27 01:53:59.688 [warn] Error setting groups to gid 114: "Operation not permitted".
Jun 27 01:53:59.688 [warn] If you set the "User" option, you must start Tor as root.
Jun 27 01:53:59.688 [warn] Failed to parse/validate config: Problem with User value. See logs for details.
Jun 27 01:53:59.688 [err] Reading config failed--see warnings above.
I use root privileges sudo su
[ ok ] Stopping tor daemon...done (not running - there is no /run/tor/tor.pid).
[....] Starting tor daemon...Jun 27 01:58:58.455 [warn] Directory /var/lib/tor cannot be read: Permission denied
Jun 27 01:58:58.455 [warn] Failed to parse/validate config: Couldn't create private data directory "/var/lib/tor"
Jun 27 01:58:58.455 [err] Reading config failed--see warnings above.
Is there any way that can help me solve my problem or how can i be able to install tor version 2.9.14?
You might have already solved the problem by now, if not I hope this can help.
Is there any way that can help me solve my problem?
OPTION 1
Let's take a look at these warnings:
[warn] Error setting groups to gid 114: "Operation not permitted".
[warn] If you set the "User" option, you must start Tor as root.
[warn] Failed to parse/validate config: Problem with User value.
To get a log of all users run cat /etc/passwd and you'll see debian-tor listed:
...
debian-tor:x:108:114::/var/lib/tor:/bin/false
...
The folder /var/lib/tor is owned by user debian-tor, so sudo -u debian-tor tor will work.
Alternatively, you can run this for your current user: (or chmod 777 for all)
chmod 700 -R /var/lib/tor/*
chown -R tor /var/lib/tor/
sudo service tor restart
You actually should run tor as non-root, else you get this message:
You are running Tor as root. You don't need to, and you probably shouldn't.
OPTION 2
As the warning suggests to see logs for details you should check for a message within dsmeg and /var/log/syslog. If you find anything then it can be AppArmor or SELinux blocking tor. Both SELinux and AppArmor provide a set of tools to isolate applications from each other to protect the host system from being compromised, so it's not recommended disabling them permanently but temporarily for debugging.
According to Debian SELinux support:
The Debian packaged Linux kernels have SELinux support compiled in,
but disabled by default.
Check the SELinux state with getenforce, if the output is Permissive or Disabled then you're set.
Moreover, looking at AppArmor/Progress:
Since Debian 10 (Buster), AppArmor is enabled by default.
To disable AppArmor on your system run: (reference)
sudo mkdir -p /etc/default/grub.d
echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \
| sudo tee /etc/default/grub.d/apparmor.cfg
sudo update-grub
sudo reboot
There's a chance that either one's the culprit. Users have reported similar issue here.
How can i be able to install tor version 2.9.14?
Downgrading the tor package is as simple as this:
sudo apt-get install tor=0.2.9.14
But why would you want do that?
tor v2 will be deprecated soon. You'll see warnings like:
[warn] At least one protocol listed as required in the consensus is
not supported by this version of Tor. You should upgrade. This version
of Tor will not work as a client on the Tor network. The missing
protocols are: DirCache=2 HSDir=2 HSIntro=4 Link=4-5
NB: Post on tor.stackexchange for tor related issues.
context: I've added some scripts to an empty centos VM to install some monitoring tools including prometheus 2.0.
problem: Once installed in the non-root sudo user's home directory, I copy the prometheus.service that I wrote to "/etc/systemd/system", run sudo systemctl daemon-reload, sudo systemctl enable prometheus.service, sudo systemctl start prometheus.service but the service fails.
note: I can run the prometheus binary in the terminal directly using the same command without any problems, but I can't run it as a service.
Here's my .service file:
[Unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target
[Service]
User=centos
ExecStart=/home/centos/prometheus/prometheus --config.file="/home/centos/prometheus/prometheus.yml" --storage.tsdb.path="/home/centos/prometheus/data"
[Install]
WantedBy=multi-user.target
Here's some of the log:
...
Nov 21 12:41:55 localhost.localdomain prometheus[1554]: level=info ts=2017-11-21T17:41:55.114757834Z caller=main.go:314 msg="Starting TSDB"
Nov 21 12:41:55 localhost.localdomain prometheus[1554]: level=error ts=2017-11-21T17:41:55.114819195Z caller=main.go:323 msg="Opening storage failed" err="mkdir \": permission denied"
Nov 21 12:41:55 localhost.localdomain systemd[1]: prometheus.service: control process exited, code=exited status=1
Nov 21 12:41:55 localhost.localdomain systemd[1]: Failed to start Prometheus Server.
...
I'm new to linux services management, I've spent a lot of time reading online but I'm not sure how permissions works for services, and why it can't create the directory it needs to create.
I've tried:
Changing "SELINUX=enforcing" to "SELINUX=permissive"
Changing the permission to the prometheus directory to 777
...
You also have to set up --web.console.templates and --web.console.libraries. You can copy these directories from exctracted archive. For example:
sudo cp -R ~/prometheus-2.0.0.linux-amd64/consoles /etc/prometheus
sudo cp -R ~/prometheus-2.0.0.linux-amd64/console_libraries /etc/prometheus
Example of working service (change path for yours):
[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target
[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/prometheus --config.file=/etc/prometheus/prometheus.yml \
--storage.tsdb.path=/var/lib/prometheus/ \
--web.console.templates=/etc/prometheus/consoles \
--web.console.libraries=/etc/prometheus/console_libraries
[Install]
WantedBy=multi-user.target
P.S. Inspired by suggestions here.
Data directory for Prometheus should have write permissions for prometheus application user. If you're running it from a container and external mounting the data directory, you can set 777 permissions on original folder.
If SELinux is stopping startup always consult journalctl -xe to view the SELinux alerts. There are recommended actions to be taken.
I have setup prometheus with SELinux on CentOS 8 without problems. And I don't agree with people that recommend disabling SELinux.
For reference Redhat has a good video for you to watch:
https://www.youtube.com/watch?v=_WOKRaM-HI4&t=1464s
Here is my prometheus.service file.
[Unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target
[Service]
User=prometheus
#Restart=on-failure
#Change this line if you download the
#Prometheus on different path user
ExecStart=/home/prometheus/prometheus-2.22.0.linux-amd64/prometheus \
--config.file=/home/prometheus/prometheus-2.22.0.linux-amd64/prometheus.yml \
--storage.tsdb.path=/home/prometheus/prometheus-2.22.0.linux-amd64/data \
--web.listen-address="0.0.0.0:9091"
[Install]
WantedBy=multi-user.target
I have run into a problem on CentOS 7 when attempting to map a volume to the host in a tomcat container. This happens with the public tomcat images as well as an image I have created (based on centos instead of debian).
instantiating a container as follows will succeed:
docker run -it -d tomcat:8
instantiating a container as follows will succeed, but with errors in the log and logs are not written to the host:
docker run -it -d -v /usr/local/tomcat:/usr/local/tomcat tomcat:8
[wpackard#eagle2 tomcat]$ dkr run -it -d -v
/usr/local/tomcat:/usr/local/tomcat tomcat:8
34075701b1436f83a24212170b4d2113ae698df244c449203b1c9af9814485c9
[wpackard#eagle2 tomcat]$ dkr ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
34075701b143 tomcat:8 "catalina.sh run" 5 seconds ago Up 4 seconds 8080/tcp sharp_einstein
[wpackard#eagle2 tomcat]$ dkr logs sharp_einstein
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
java.util.logging.ErrorManager: 4
java.io.FileNotFoundException: /usr/local/tomcat/logs/catalina.2015-03-31.log (Permission denied)
...
31-Mar-2015 15:32:04.088 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.start Unable to create directory for deployment: /usr/local/tomcat/conf/Catalina/localhost
31-Mar-2015 15:32:04.097 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/ROOT
31-Mar-2015 15:32:04.468 WARNING [localhost-startStop-1] org.apache.catalina.core.StandardContext.postWorkDirectory Failed to create work directory [/usr/local/tomcat/work/Catalina/localhost/ROOT] for context []
31-Mar-2015 15:32:05.966 SEVERE [localhost-startStop-1] org.apache.jasper.EmbeddedServletOptions.<init> The scratchDir you specified: /usr/local/tomcat/work/Catalina/localhost/ROOT is unusable.
31-Mar-2015 15:32:06.042 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/ROOT has finished in 1,929 ms
31-Mar-2015 15:32:06.043 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/docs
31-Mar-2015 15:32:06.093 WARNING [localhost-startStop-1] org.apache.catalina.core.StandardContext.postWorkDirectory Failed to create work directory [/usr/local/tomcat/work/Catalina/localhost/docs] for context [/docs]
31-Mar-2015 15:32:06.216 SEVERE [localhost-startStop-1] org.apache.jasper.EmbeddedServletOptions.<init> The scratchDir you specified: /usr/local/tomcat/work/Catalina/localhost/docs is unusable.
31-Mar-2015 15:32:06.219 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /usr/local/tomcat/webapps/docs has finished in 176 ms
31-Mar-2015 15:32:06.220 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /usr/local/tomcat/webapps/examples
31-Mar-2015 15:32:06.272 WARNING [localhost-startStop-1] org.apache.catalina.core.StandardContext.postWorkDirectory Failed to create work directory [/usr/local/tomcat/work/Catalina/localhost/examples] for context [/examples]
31-Mar-2015 15:32:07.952 SEVERE [localhost-startStop-1] org.apache.jasper.EmbeddedServletOptions.<init> The scratchDir you specified: /usr/local/tomcat/work/Catalina/localhost/examples is unusable.
[wpackard#eagle2 tomcat]$
Exec'ing to the container and attempting to write also fails.
[wpackard#eagle2 tomcat]$ dkr ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
34075701b143 tomcat:8 "catalina.sh run" 5 minutes ago Up 5 minutes 8080/tcp sharp_einstein
[wpackard#eagle2 tomcat]$ dkr exec -it sharp_einstein /bin/bash
root#34075701b143:/usr/local/tomcat# ls -l
total 96
-rw-rw-r--. 1 root root 56977 Jan 23 11:59 LICENSE
-rw-rw-r--. 1 root root 1397 Jan 23 11:59 NOTICE
-rw-rw-r--. 1 root root 6779 Jan 23 11:59 RELEASE-NOTES
-rw-rw-r--. 1 root root 16204 Jan 23 11:59 RUNNING.txt
drwxrwxr-x. 2 root root 4096 Mar 31 12:14 bin
drwxrwxr-x. 2 root root 4096 Jan 23 11:59 conf
drwxrwxr-x. 2 root root 4096 Mar 31 12:14 lib
drwxrwxr-x. 2 root root 6 Jan 23 11:56 logs
drwxrwxr-x. 2 root root 29 Mar 31 12:14 temp
drwxrwxr-x. 7 root root 76 Jan 23 11:57 webapps
drwxrwxr-x. 2 root root 6 Jan 23 11:56 work
root#34075701b143:/usr/local/tomcat# cd logs
root#34075701b143:/usr/local/tomcat/logs# echo "test" > test.log
bash: test.log: Permission denied
I have created an instance of the postgresql container on centos and that successfully maps and uses the volume, verified by creating a db, stopping the instance and then re-running the container.
[wpackard#eagle2 ~]$ uname --all
Linux eagle2 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[wpackard#eagle2 ~]$
dkr is an alias to docker, I have created a docker group and added myself to the group to eliminate the need for sudo.
The volume mapping seems to work correctly on ubuntu. On CentOS I have tried both the package version (as below), and also updating it to 1.5.
[wpackard#eagle2 ~]$ dkr --version
Docker version 1.3.2, build 39fa2fa/1.3.2
[wpackard#eagle2 ~]$
How do I make volumes work on CentOS?
I think your volumes are working :-) You have a permission problem. I run into this fairly often with the mapping of user id between the host and the container. On your host, if you look at /usr/local/tomcat (ls -ld), you will see a owner, group and the permissions. You probably have something like 0755 (read/write/exec by owner, read/exec by group, read/exec by world. You can test this theory easily, simple remember the current settings for /usr/local/tomcat/logs, then do:
chmod 777 /usr/local/tomcat/logs
from the docker host (not the container). Then run your test on the container, the Permission denied should evaporate.
This is NOT a good fix, though. I don't know what the community says about user id mapping for docker. One thing you could do is figure out the user and group in your host for that directory. Then, when you create your image (or at run time) create a user with the same id and a group with the same id in the container. Then run your tomcat service using that user in the container.
This is due to SELinux.
You must attach correct type to host directory:
host$ chcon -Rt svirt_sandbox_file_t /usr/local/tomcat
I have a large hard drive I would like to store data mapserver (Runs as a cgi-bin under Apache) but I am ruining in to errors when trying to access the data.
When I try and access any thing in the /bac/data/gis using mapserver I get:
msDrawMap(): Image handling error. Failed to draw layer named 'world'. msShapefileOpen(): Unable to access file. (/var/www/html/gis/world.shp) msShapefileOpen(): Unable to access file. (/bac/data/gis/global/world.shp)
from the mapserver log file:
[Fri Aug 2 01:12:15 2013].100850 CGI Request 1 on process 28658
[Fri Aug 2 01:12:15 2013].105687 msDrawMap(): rendering using outputformat named png (AGG/PNG).
[Fri Aug 2 01:12:15 2013].105731 msDrawMap(): WMS/WFS set-up and query, 0.000s
[Fri Aug 2 01:12:15 2013].105819 msShapefileOpen(): Unable to access file. (/bac/data/gis/global/world.shp)
[Fri Aug 2 01:12:15 2013].105838 msShapefileOpen(): Unable to access file. (/var/www/html/gis/world.shp)
[Fri Aug 2 01:12:15 2013].105848 msDrawMap(): Image handling error. Failed to draw layer named 'world'.
[Fri Aug 2 01:12:15 2013].106077 mapserv request processing time (msLoadMap not incl.): 0.005s
[Fri Aug 2 01:12:15 2013].106085 msFreeMap(): freeing map at 0x1bdfde0.
I also tried accessing data directly using Apache to see if it could read anything in /bac/data/gis. This was done by adding an ailes and directory directive to httpd.cfg file.
This to failed with the flowing error message in the httpd-error log.
[Thu Aug 01 22:52:37 2013] [error] [client 192.168.0.1] (13)Permission denied: access to /gis/ denied (filesystem path '/bac') because search permissions are missing on a component of the path
The file system is mounted as "/bac" and the data is in /bac/data/gis
my httpd directorys are /var/www/[html cgi-bin]/
I have ensured +x permission on all directors in the /bac/dat/gis path. I all so disabled seliux as this is general the first thing I try when faceing an access denied situation.
Is it possible access data on other file system using Apache and cgi-bin scripts such as mapserver?
As arkascha pointed out, the mount points and filesystems are irrelevant when considering access permissions. You should check that your apache user has access to those files:
user#host$ sudo su apache (apache may need to be replaced by httpd, www-data, check your apache config file to see under which user apache runs)
apache#host$ ls /bac/data/gis/global/world.shp
If the ls command returned a permission error, you have determined the cause of your error. In that case check that the permissions on /bac/data/gis/global/world.shp have "+r" for apache (that will probably be for the "others"), and that all the intermediate directories have +x.
sudo chmod o+r /bac/data/gis/global/world.*
sudo chmod o+x /bac
sudo chmod o+x /bac/data
sudo chmod o+x /bac/data/gis
sudo chmod o+x /bac/data/gis/global