[pkg-lxc-devel] Bug#944243: logrotate fails with "Permission denied" on LXC guest

Lukáš Jelínek lukas.jelinek at nic.cz
Fri Nov 29 15:14:21 GMT 2019


Thanks very much for this workaround. It works well.

But I think it is a bug because it prevents Debian 10 in LXC containers
from working out-of-the-box in many cases and requires manual hardcore
intervention (in a file which is not intended to be "cut-and-dry"
modified by administrators).


> Le mercredi 06 novembre 2019 à 17:27:28+0100, Lukáš Jelínek a écrit :
>> journalctl -u logrotate:
>>
>> Nov 06 17:12:22 syslog systemd[1]: Starting Rotate log files...
>> Nov 06 17:12:22 syslog systemd[381]: logrotate.service: Failed to set up mount namespacing: Permission denied
>> Nov 06 17:12:22 syslog systemd[381]: logrotate.service: Failed at step NAMESPACE spawning /usr/sbin/logrotate: Permission denied
>> Nov 06 17:12:22 syslog systemd[1]: logrotate.service: Main process exited, code=exited, status=226/NAMESPACE
>> Nov 06 17:12:22 syslog systemd[1]: logrotate.service: Failed with result 'exit-code'.
>> Nov 06 17:12:22 syslog systemd[1]: Failed to start Rotate log files.
>>
>>
>> systemctl status logrotate
>>
>> ● logrotate.service - Rotate log files
>>    Loaded: loaded (/lib/systemd/system/logrotate.service; static; vendor preset: enabled)
>>    Active: failed (Result: exit-code) since Wed 2019-11-06 17:12:22 CET; 11min ago
>>      Docs: man:logrotate(8)
>>            man:logrotate.conf(5)
>>   Process: 381 ExecStart=/usr/sbin/logrotate /etc/logrotate.conf (code=exited, status=226/NAMESPACE)
>>  Main PID: 381 (code=exited, status=226/NAMESPACE)
>>
>> Nov 06 17:12:22 syslog systemd[1]: Starting Rotate log files...
>> Nov 06 17:12:22 syslog systemd[381]: logrotate.service: Failed to set up mount namespacing: Permission denied
>> Nov 06 17:12:22 syslog systemd[381]: logrotate.service: Failed at step NAMESPACE spawning /usr/sbin/logrotate: Permission denied
>> Nov 06 17:12:22 syslog systemd[1]: logrotate.service: Main process exited, code=exited, status=226/NAMESPACE
>> Nov 06 17:12:22 syslog systemd[1]: logrotate.service: Failed with result 'exit-code'.
>> Nov 06 17:12:22 syslog systemd[1]: Failed to start Rotate log files.
> The systemd service file for logrotate has hardening options[0] that can't
> run properly in an unprivileged container (and could also run badly in a
> privileged one).
>
> It's not really what I'd call a bug. It's more like a limitation for the
> current way things are designed.
>
> [0] cat /lib/systemd/system/logrotate.service
>
> [...]
> PrivateDevices=true
> PrivateTmp=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectSystem=full
> [...]
>
> If you wish to have things work properly in your container, there are a
> couple of solutions. One of these is to systemctl edit logrotate.service
> and put this:
>
> [Service]
> PrivateDevices=false
> PrivateTmp=false
> ProtectControlGroups=false
> ProtectKernelModules=false
> ProtectSystem=false
>
> Save and then you should be good (may take a systemctl daemon-reload,
> though).
>
> It's plausible that you don't have to disable all hardening options, I'm
> merely pointing these out, but maybe some work properly in your container.
> It's up to you to find out which one is the problem.
>
> man systemd.exec to get the description of the effect of each of these
> options.
>
> Cheers.
>
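An added example, not code from the report or the logrotate package: a POSIX sh script that lists which namespace-dependent hardening options a unit sets, probes each one on its own with systemd-run inside the guest, and writes a drop-in that disables only the options that actually fail there, so the rest of the sandboxing stays in place. The five option names come from the quoted unit file; ProtectHome and ProtectKernelTunables are added from systemd.exec(5), and the drop-in file name lxc-namespace.conf is my choice.

```shell
#!/bin/sh
# Narrow the systemd hardening override for a unit running in an LXC guest.
# Usage (as root in the guest):  sh narrow-override.sh logrotate.service

# Options from systemd.exec(5) that are implemented with a mount namespace,
# which is what fails with status=226/NAMESPACE in an unprivileged container.
NAMESPACE_OPTS="PrivateDevices PrivateTmp ProtectControlGroups ProtectKernelModules ProtectSystem ProtectHome ProtectKernelTunables"

# Print the namespace-dependent options the unit file enables, one per line.
# The last assignment of a key wins, and false/no/off/0 count as disabled.
list_namespace_opts() {  # $1 = path to the unit file
    for opt in $NAMESPACE_OPTS; do
        val=$(sed -n "s/^[[:space:]]*$opt=[[:space:]]*//p" "$1" | tail -n 1)
        case "$val" in
            ""|false|no|off|0) ;;
            *) echo "$opt" ;;
        esac
    done
}

# Turn a list of option names (stdin, one per line) into drop-in text that
# sets exactly those options to false and leaves every other option alone.
make_override() {
    echo "[Service]"
    while read -r opt; do
        if [ -n "$opt" ]; then echo "$opt=false"; fi
    done
}

# Run a trivial transient service with one option enabled; non-zero exit
# means this option cannot be applied in this container (needs systemd-run).
probe_opt() {  # $1 = option name
    systemd-run --quiet --wait -p "$1=true" /bin/true
}

if [ "$#" -gt 0 ]; then
    unit="$1"
    dir="/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    # Keep only the options whose probe fails; disabling more than that
    # removes sandboxing the container could still enforce.
    list_namespace_opts "/lib/systemd/system/$unit" | while read -r opt; do
        probe_opt "$opt" || echo "$opt"
    done | make_override > "$dir/lxc-namespace.conf"
    systemctl daemon-reload
    cat "$dir/lxc-namespace.conf"
fi
```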
