[pkg-lxc-devel] Bug#944243: logrotate fails with "Permission denied" on LXC guest

Pierre-Elliott Bécue peb at debian.org
Thu Nov 28 21:51:10 GMT 2019


On Wednesday 06 November 2019 at 17:27:28+0100, Lukáš Jelínek wrote:
> journalctl -u logrotate:
>
> Nov 06 17:12:22 syslog systemd[1]: Starting Rotate log files...
> Nov 06 17:12:22 syslog systemd[381]: logrotate.service: Failed to set up mount namespacing: Permission denied
> Nov 06 17:12:22 syslog systemd[381]: logrotate.service: Failed at step NAMESPACE spawning /usr/sbin/logrotate: Permission denied
> Nov 06 17:12:22 syslog systemd[1]: logrotate.service: Main process exited, code=exited, status=226/NAMESPACE
> Nov 06 17:12:22 syslog systemd[1]: logrotate.service: Failed with result 'exit-code'.
> Nov 06 17:12:22 syslog systemd[1]: Failed to start Rotate log files.
>
>
> systemctl status logrotate
>
> ● logrotate.service - Rotate log files
>    Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Wed 2019-11-06 17:12:22 CET; 11min ago
>      Docs: man:logrotate(8)
>            man:logrotate.conf(5)
>   Process: 381 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=226/NAMESPACE)
>  Main PID: 381 (code=exited, status=226/NAMESPACE)
>
> Nov 06 17:12:22 syslog systemd[1]: Starting Rotate log files...
> Nov 06 17:12:22 syslog systemd[381]: logrotate.service: Failed to set up mount namespacing: Permission denied
> Nov 06 17:12:22 syslog systemd[381]: logrotate.service: Failed at step NAMESPACE spawning /usr/sbin/logrotate: Permission denied
> Nov 06 17:12:22 syslog systemd[1]: logrotate.service: Main process exited, code=exited, status=226/NAMESPACE
> Nov 06 17:12:22 syslog systemd[1]: logrotate.service: Failed with result 'exit-code'.
> Nov 06 17:12:22 syslog systemd[1]: Failed to start Rotate log files.

The systemd service file for logrotate has hardening options[0] that can't
run properly in an unprivileged container (and could also run badly in a
privileged one).

It's not really what I'd call a bug. It's more like a limitation for the
current way things are designed.

[0] cat /lib/systemd/system/logrotate.service

[...]
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=full
[...]

If you wish to have things work properly in your container, there are a
couple of solutions. One of these is to systemctl edit logrotate.service
and put this:

[Service]
PrivateDevices=false
PrivateTmp=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectSystem=false

Save and then you should be good (may take a systemctl daemon-reload,
though).

It's plausible that you don't have to disable all hardening options; I'm
merely pointing these out, but maybe some work properly in your container.
It's up to you to find out which one is the problem.

man systemd.exec to get the description of the effect of each of these
options.

Cheers.

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528  F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
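A small generator for that drop-in, added here as an example and not part of this thread or of Debian's packaging: it parses a unit file, picks out the five namespacing directives quoted above, and emits the override body you would paste into `systemctl edit`. The sample unit is constructed from the lines quoted in the report and is not the full logrotate.service.

```python
import re

# The five hardening directives quoted from logrotate.service above; each makes systemd
# set up a private mount namespace, which an unprivileged LXC guest may refuse.
NAMESPACE_DIRECTIVES = frozenset({"PrivateDevices", "PrivateTmp", "ProtectControlGroups",
                                  "ProtectKernelModules", "ProtectSystem"})
OFF_VALUES = {"false", "no", "off", "0"}  # values systemd treats as "disabled"

def parse_unit(text):
    """Return {section: [(key, value), ...]} in file order; repeated keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if header := re.fullmatch(r"\[([^\]]+)\]", line):
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def namespace_directives(unit):
    """[Service] directives that trigger namespacing and are not off (last assignment wins)."""
    found = {}
    for key, value in unit.get("Service", []):
        if key in NAMESPACE_DIRECTIVES:
            found[key] = value
    return {k: v for k, v in found.items() if v.lower() not in OFF_VALUES}

def build_dropin(unit_text):
    """Body for `systemctl edit <unit>`: one Key=false per directive found, each
    preceded by a comment recording the hardening given up; '' if none found."""
    found = namespace_directives(parse_unit(unit_text))
    if not found:
        return ""
    body = ["[Service]"]
    for key, value in found.items():
        body += [f"# container cannot apply {key}={value}", f"{key}=false"]
    return "\n".join(body) + "\n"

# Constructed sample: only the ExecStart and hardening lines quoted in this thread.
SAMPLE_UNIT = """[Service]
ExecStart=/usr/sbin/logrotate /etc/logrotate.conf
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectSystem=full
"""
```

Feed it `systemctl cat logrotate.service` output and drop the directives one at a time from the result to find the one your container actually rejects, keeping the rest enabled.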