
I have a VPS server with Debian 10. I want to start Apache2 with the option PrivateTmp=true. But on start it fails with the error: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied.

    ● apache2.service - The Apache HTTP Server
       Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Fri 2020-11-27 17:17:43 CET; 5s ago
         Docs: https://httpd.apache.org/docs/2.4/
      Process: 523 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)

    Nov 27 17:17:43 5091-server systemd[1]: Starting The Apache HTTP Server...
    Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed to set up mount namespacing: Permission denied
    Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
    Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
    Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Failed with result 'exit-code'.
    Nov 27 17:17:43 5091-server systemd[1]: Failed to start The Apache HTTP Server.

I checked the permissions for tmp:

    root@5091-server:~# ls -ld /tmp
    drwxrwxrwt 8 root root 4096 Nov 27 17:17 /tmp
    root@5091-server:~# ls -ld /var/tmp
    drwxrwxrwt 2 root root 4096 Nov 27 17:17 /var/tmp

Any idea which permissions are wrong?

martin

3 Answers

This can work...

    sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
    sudo systemctl daemon-reload
    sudo systemctl start apache2.service
    sudo systemctl status apache2.service

dejanualex
Jottpee

This is related to new systemd security features (v220+?) conflicting with unprivileged LXC containers like the ones inside Proxmox.

  1. Edit apache config (the clean way):

    sudo systemctl edit apache2.service
    
  2. Add this to disable the new systemd security features (these affect LXC containers like the ones inside Proxmox):

    [Service]
    PrivateDevices=false
    PrivateTmp=false
    ProtectControlGroups=false
    ProtectKernelModules=false
    ProtectSystem=false
    

    Maybe only these are necessary:

    ProtectHome=false
    ProtectSystem=false
    
  3. Then

    sudo systemctl start apache2.service
    sudo systemctl status apache2.service  # Just to check the output
    

I saw this on apache2 and memcached. Also with systemd-logind. In this last case ssh connection speed was affected. ssh -vvv was stuck on debug1: pledge: filesystem (without VPN), and debug1: pledge: network (with VPN). As mentioned here and here, the problem is solved by enabling nesting (also here) on the Proxmox containers.

Probably simply enabling the "nesting" feature for the container (if it is unprivileged) will allow systemd to make use of its namespacing features.


Pablo Bianchi

I had the same error in docker with systemd on newer OS versions. My use case is a testing setup.

As it turns out, my host system for docker had apparmor enabled and this restricted the systemd usage inside the container.

I ended up using

    security_opts:
      - "apparmor=unconfined"

in the ansible molecule.yml.

The setting can be checked by running:

    $ docker inspect $CONTAINERNAME --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'

metanerd