Bug#1055830: systemd in a container fails to set up mount namespacing
Christian Horn
chris at fluxcoil.net
Sun Nov 12 10:15:45 GMT 2023
Package: systemd
Version: 252.17-1~deb12u1
Severity: important
Dear Maintainer,
* What led up to the situation?
Fedora39 running as host, Debian Bookworm container is started via podman.
Packages systemd and redis get installed in the container, then trying to
start redis via 'systemctl start redis' fails.
'journalctl -xeu redis-server.service' says:
(s-server)[66]: Failed to mount /run/systemd/inaccessible/reg to /run/systemd/unit-root/proc/kallsyms: Permission denied
(s-server)[66]: redis-server.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc/kallsyms: Permission denied
(s-server)[66]: redis-server.service: Failed at step NAMESPACE spawning /usr/bin/redis-server: Permission denied
* What exactly did you do (or not do) that was effective (or ineffective)?
Using a Debian trixie container, the issue does not appear.
I see this on both amd64 and aarch64 architecture.
I think everybody trying to run redis in a Bookworm
container will hit this issue.
* Reproducer
To be executed on a Fedora39 system, as user:
```
sudo dnf -y install podman
mkdir -p ~/repro/build-bookworm
# delimiter quoted so the heredoc body is written to the Containerfile verbatim
cat >~/repro/build-bookworm/Containerfile<<'EOT'
FROM docker.io/library/debian:bookworm
ENV DEBIAN_FRONTEND noninteractive
RUN apt update && apt upgrade -y && \
    apt install -y systemd redis
CMD [ "/lib/systemd/systemd" ]
EOT
cd ~/repro
podman build -t repro build-bookworm/
podman run --name repro -d --security-opt seccomp=unconfined \
    localhost/repro /lib/systemd/systemd
podman exec -it repro bash
# now to be executed in the container's shell which opened
systemctl start redis
```
-- Package-specific info:
-- System Information:
Debian Release: 12.2
APT prefers stable-security
APT policy: (810, 'stable-security'), (810, 'stable'), (809, 'proposed-updates'), (500, 'stable-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages systemd depends on:
ii libacl1 2.3.1-3
ii libaudit1 1:3.0.9-1
ii libblkid1 2.38.1-5+b1
ii libc6 2.36-9+deb12u3
ii libcap2 1:2.66-4
ii libcryptsetup12 2:2.6.1-4~deb12u1
ii libfdisk1 2.38.1-5+b1
ii libgcrypt20 1.10.1-3
ii libkmod2 30+20221128-1
ii liblz4-1 1.9.4-1
ii liblzma5 5.4.1-0.2
ii libmount1 2.38.1-5+b1
ii libp11-kit0 0.24.1-2
ii libseccomp2 2.5.4-1+b3
ii libselinux1 3.4-1+b6
ii libssl3 3.0.11-1~deb12u2
ii libsystemd-shared 252.17-1~deb12u1
ii libsystemd0 252.17-1~deb12u1
ii libzstd1 1.5.4+dfsg2-5
ii mount 2.38.1-5+b1
Versions of packages systemd recommends:
ii chrony [time-daemon] 4.3-2+deb12u1
ii dbus [default-dbus-system-bus] 1.14.10-1~deb12u1
Versions of packages systemd suggests:
ii libfido2-1 1.12.0-2+b1
pn libqrencode4 <none>
pn libtss2-esys-3.0.2-0 <none>
pn libtss2-mu0 <none>
pn libtss2-rc0 <none>
pn polkitd | policykit-1 <none>
pn systemd-boot <none>
pn systemd-container <none>
pn systemd-homed <none>
pn systemd-resolved <none>
pn systemd-userdbd <none>
Versions of packages systemd is related to:
ii dbus-user-session 1.14.10-1~deb12u1
pn dracut <none>
ii initramfs-tools 0.142
ii libnss-systemd 252.17-1~deb12u1
ii libpam-systemd 252.17-1~deb12u1
ii udev 252.17-1~deb12u1
-- Configuration Files:
/etc/systemd/journald.conf changed [not included]
/etc/systemd/system.conf changed [not included]
-- no debconf information
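The three journal lines quoted in the report are the only diagnostic it gives, so here is a small triage helper (an added example, not part of the bug report or of systemd) that pulls the failing unit, the exec step and the path systemd could not mask out of such output. The sample journal text is constructed from the quoted lines plus one made-up unrelated line that the filter should skip.

```python
import re

# Constructed sample: the three journal lines quoted in the bug report,
# plus one unrelated line (made up here) that the filter should ignore.
SAMPLE_JOURNAL = """\
(s-server)[66]: Failed to mount /run/systemd/inaccessible/reg to /run/systemd/unit-root/proc/kallsyms: Permission denied
(s-server)[66]: redis-server.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc/kallsyms: Permission denied
(s-server)[66]: redis-server.service: Failed at step NAMESPACE spawning /usr/bin/redis-server: Permission denied
systemd[1]: Started redis-server.service - Advanced key-value store.
"""

# "<unit>: Failed to set up mount namespacing: <path>: <errno text>"
NS_RE = re.compile(
    r"^\S+: (?P<unit>\S+\.(?:service|socket)): Failed to set up mount namespacing: "
    r"(?P<path>\S+): (?P<err>.+)$"
)
# "<unit>: Failed at step <STEP> spawning <exe>: <errno text>"
STEP_RE = re.compile(
    r"^\S+: (?P<unit>\S+\.(?:service|socket)): Failed at step (?P<step>[A-Z_]+) "
    r"spawning (?P<exe>\S+): (?P<err>.+)$"
)
# systemd assembles the service's mount namespace under this temporary root;
# stripping it yields the path as the service itself would have seen it.
UNIT_ROOT = "/run/systemd/unit-root"


def _entry(findings, unit, err):
    return findings.setdefault(unit, {"step": None, "exe": None, "error": err, "paths": []})


def triage(journal_text):
    """Return {unit: {"step", "exe", "error", "paths"}} for units whose exec
    failed while a sandboxing directive was being applied."""
    findings = {}
    for line in journal_text.splitlines():
        m = NS_RE.match(line)
        if m:
            path = m["path"]
            if path.startswith(UNIT_ROOT):
                path = path[len(UNIT_ROOT):] or "/"
            _entry(findings, m["unit"], m["err"])["paths"].append(path)
            continue
        m = STEP_RE.match(line)
        if m:
            e = _entry(findings, m["unit"], m["err"])
            e["step"], e["exe"], e["error"] = m["step"], m["exe"], m["err"]
    return findings


if __name__ == "__main__":
    for unit, f in triage(SAMPLE_JOURNAL).items():
        print(f"{unit}: step {f['step']} failed ({f['error']}); "
              f"paths that could not be masked: {', '.join(f['paths'])}")
```

Feed it `journalctl -u <unit> -o cat` output to get the same summary for other units that fail at step NAMESPACE.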