
I am running Arch Linux and on top of that, Ubuntu inside a systemd-nspawn container. I am suddenly having issues getting apache to start (inside the container).

Everything was working fine a few days ago, but now it's not. I don't know if an update inside or outside of the container has changed something.

Inside the container, I see the following:

root@container:~# apachectl -k start
/usr/sbin/apachectl: 99: ulimit: error setting limit (Operation not permitted)
Setting ulimit failed. See README.Debian for more information.
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Action '-k start' failed.
The Apache error log may have more information.

I checked using lsof and netstat and nothing else is running on ports 80/443. Also, what is that "ulimit" error? What's going on there?

I did use sudo systemctl edit systemd-nspawn@my-container.service to edit the settings to disable private networking and enable some bind mounts:

[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest -U --settings=override --machine=%i \
        --bind-ro=/etc/resolv.conf:/etc/resolv.conf \
        --bind=/home/nticompass/Code/website:/opt/website

Yes, the apache config inside the container is set up to use /opt/website as its root. I have it bind mounted so I can use my IDE on my main OS (Arch Linux) to edit the files and then have the container be able to access them (without having to copy/transfer them).

I am not sure what to do here. Did something change in an update? Do I need to update a config on my Arch Linux? Why can't the container access the ports? What is that "ulimit" error?

EDIT: Here is a list of packages that were upgraded/installed in the last week on my Arch Linux (main) system: https://pastebin.com/5xyGpBrw

gen_Eric
  • I've also been trying to get help with this over at the Arch Linux forums: https://bbs.archlinux.org/viewtopic.php?pid=1756223#p1756223 – gen_Eric Dec 20 '17 at 17:33

2 Answers


We cannot tell if an update changed something, because there isn't any information about updates in your question. We need to know what updates have been installed in the system before it stopped working.

Both the ulimit error and Apache start-up failure are most likely caused by insufficient privileges.

So, definitely something changed how your container is started up.

Tero Kilkanen
  • How can I debug these "insufficient privileges" (capabilities)? Something is definitely wrong, as I can't `ping` inside the container, apache can't bind to 80/443 and I can't write to the bound folder. – gen_Eric Dec 19 '17 at 18:30

This issue was caused by a Linux kernel change in Arch Linux. Since kernel 4.14.5, the -U option (which is a default for systemd-nspawn), creates an unprivileged container. It used to create a privileged one, but not anymore.

This is what was blocking apache from opening ports 80 and 443.

The solution is to run sudo systemctl edit systemd-nspawn@my-container.service and remove the -U option. I also had to edit /etc/systemd/nspawn/my-container.nspawn and add the following:

[Exec]
PrivateUsers=off

Thanks to: https://bbs.archlinux.org/viewtopic.php?pid=1756246#p1756246

gen_Eric
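Added here as an illustration, not code from the thread or from systemd: a small POSIX shell diagnostic to run inside the container that reads /proc/self/uid_map and the CapEff line of /proc/self/status, so you can confirm whether the container is user-namespaced (the effect of -U / PrivateUsers) before deciding to drop that isolation. It assumes a Linux /proc; the uid_map and mask values used for checking are constructed samples.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. Run inside the container.
# It checks two things that decide whether apache can bind port 80/443:
#   1. /proc/self/uid_map: is the container's root the host's root, or a
#      remapped (user-namespaced) uid as -U / PrivateUsers=yes produces?
#   2. CapEff from /proc/self/status: is CAP_NET_BIND_SERVICE (bit 10) held?
# Caveat: capabilities are judged relative to the user namespace that owns
# the network namespace. With private networking disabled the container
# shares the host's network namespace, so a remapped container gets EACCES
# on bind(:80) even when its own CapEff looks complete; uid_map decides.

CAP_NET_BIND_SERVICE=10   # bit index, from <linux/capability.h>

# classify_uid_map MAP: print "host" when the first mapping line is
# "0 0 4294967295" (full host range, no remapping), else "private".
classify_uid_map() {
    map=$1
    # Word-split the map; the first line's three fields become $1 $2 $3.
    set -- $map
    if [ "$1 $2 $3" = "0 0 4294967295" ]; then
        echo host
    else
        echo private
    fi
}

# has_cap HEXMASK BIT: succeed when bit BIT is set in the hexadecimal
# capability mask as printed by /proc/self/status (no 0x prefix).
has_cap() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# report: read the live values and print one verdict per check.
report() {
    map=$(cat /proc/self/uid_map)
    capeff=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)
    echo "uid_map: $(classify_uid_map "$map") user range"
    if has_cap "$capeff" "$CAP_NET_BIND_SERVICE"; then
        echo "CapEff $capeff: CAP_NET_BIND_SERVICE present in this namespace"
    else
        echo "CapEff $capeff: CAP_NET_BIND_SERVICE missing"
    fi
}

if [ -r /proc/self/uid_map ]; then
    report
fi
```

A "private" verdict with the host's network namespace shared is exactly the combination that produces the make_sock EACCES and the ulimit failure above; the alternative to removing -U is to keep the remapping and give apache a non-privileged listen port behind a host-side proxy or port redirect.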