Apache2: Failed to set up mount namespacing: Permission denied - Debian

Martin
November 27, 2020
201 views
0 votes
2 Answers

I have VPS server with Debian 10. I want to start Apache2 with option PrivateTmp=true.
But on start it failed with error: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied.

    ● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2020-11-27 17:17:43 CET; 5s ago
     Docs: https://httpd.apache.org/docs/2.4/
  Process: 523 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)

Nov 27 17:17:43 5091-server systemd[1]: Starting The Apache HTTP Server...
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed to set up mount namespacing: Permission denied
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 27 17:17:43 5091-server systemd[1]: Failed to start The Apache HTTP Server.

I checked the permissions for tmp:

root@5091-server:~# ls -ld /tmp
drwxrwxrwt 8 root root 4096 Nov 27 17:17 /tmp
root@5091-server:~# ls -ld /var/tmp
drwxrwxrwt 2 root root 4096 Nov 27 17:17 /var/tmp

Any idea which permissions are wrong?

Answers

- Jottpee
- January 8, 2021 at 9:35 am
- 0 votes
0
This can work…
```
sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=falsenNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
sudo systemctl daemon-reload
sudo systemctl start apache2.service
sudo systemctl status apache2.service
```
Login or Signup to reply.

- PabloBianchi
- December 14, 2022 at 10:41 pm
- 0 votes
0
This is related to new systemd security features (v220+?) conflicting with unprivileged LXC containers like the ones inside Proxmox.
1. Edit apache config (the clean way):
```
sudo systemctl edit apache2.service
```
2. Add this to disable new systemd security features (affect LXC containers like the ones inside Proxmox)
```
[Service]
PrivateDevices=false
PrivateTmp=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false
```
  Maybe only necessary:
```
ProtectHome=false
ProtectSystem=false
```
3. Then
```
sudo systemctl start apache2.service
sudo systemctl status apache2.service  # Just to check the output
```
I saw this on apache2 and memcached. Also with systemd-logind. In this last case ssh connection speed was affected. ssh -vvv was stuck on debug1: pledge: filesystem (without VPN), and debug1: pledge: network (with VPN). As mention here and here the problem is solved enabling nesting (also here) on the Proxmox containers.

Probably simply enabling the "nesting" feature for the container (if it is unprivileged) will allow systemd to make use of its namespacing features.

Related
- Nested containers in LXD | Ubuntu
- Roadmap – Proxmox VE 7.1 The real fix is to upgrade host?
- Failed to reset devices.list…Operation not permitted · Issue #2004 · lxc/lxd
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Apache2: Failed to set up mount namespacing: Permission denied – Debian

Answers

Related