Bug#1055830: systemd in a container fails to set up mount namespacing

[Michael Biebl]

Control: tags -1 + moreinfo help


On Sun, 12 Nov 2023 11:15:45 +0100 Christian Horn <chris at fluxcoil.net> 
wrote:
> Package: systemd
> Version: 252.17-1~deb12u1
> Severity: important
> 
> Dear Maintainer,
> 
> * What led up to the situation?
> 
> Fedora39 running as host, Debian Bookworm container is started via podman.
> Packages systemd and redis get installed in the container, then trying to
> start redis via 'systemctl start redis fails'.
> 'journalctl -xeu redis-server.service' says:
> (s-server)[66]: Failed to mount /run/systemd/inaccessible/reg to /run/systemd/unit-root/proc/kallsyms: Permission denied
> (s-server)[66]: redis-server.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc/kallsyms: Permission denied
> (s-server)[66]: redis-server.service: Failed at step NAMESPACE spawning /usr/bin/redis-server: Permission denied
> 
> * What exactly did you do (or not do) that was effective (or
>   ineffective)?
> 
> Using a Debian trixie container, the issue does not appear.
> I see this on both amd64 and aarch64 architecture.
> I think everybody trying to run redis in a Bookworm 
> container will hit this issue.
> 

 From the provided information it is not obvious that this is actually a 
systemd issue. It could be the kernel or any of the dependencies systemd 
relies on or even redis itself.

In any case, if you think this is a systemd issue, we would need further 
information how to fix this.

So any help is welcome.

Michael


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20240228/c402d260/attachment-0001.sig>