* [PVE-User] Bullseye LXC and logrotate...
@ 2021-10-28 10:36 Marco Gaiarin
  2021-10-28 14:03 ` Todor Petkov
       [not found] ` <mailman.66.1635429832.15957.pve-user@lists.proxmox.com>
  0 siblings, 2 replies; 4+ messages in thread
From: Marco Gaiarin @ 2021-10-28 10:36 UTC (permalink / raw)
  To: pve-user


Set up a pretty standard LXC container on bullseye, on a PVE7 server.

Every time logrotate runs on LXC I get on LXC:

 Oct 28 00:00:59 vbaculaacpn1 systemd[106367]: logrotate.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied
 Oct 28 00:00:59 vbaculaacpn1 systemd[106367]: logrotate.service: Failed at step NAMESPACE spawning /usr/sbin/logrotate: Permission denied
 Oct 28 00:00:59 vbaculaacpn1 systemd[1]: logrotate.service: Main process exited, code=exited, status=226/NAMESPACE
 Oct 28 00:00:59 vbaculaacpn1 systemd[1]: logrotate.service: Failed with result 'exit-code'.
 Oct 28 00:00:59 vbaculaacpn1 systemd[1]: Failed to start Rotate log files.

And on PVE:

 Oct 28 00:00:59 beppe kernel: [280466.359176] audit: type=1400 audit(1635372059.192:31): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/proc/" pid=3059401 comm="(ogrotate)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"


?! I've tried to google around a bit, but found nothing.


Thanks.

-- 
  At the eastern fair, for two coins,
  my father bought a little mouse				(A. Branduardi)






* Re: [PVE-User] Bullseye LXC and logrotate...
  2021-10-28 10:36 [PVE-User] Bullseye LXC and logrotate Marco Gaiarin
@ 2021-10-28 14:03 ` Todor Petkov
       [not found] ` <mailman.66.1635429832.15957.pve-user@lists.proxmox.com>
  1 sibling, 0 replies; 4+ messages in thread
From: Todor Petkov @ 2021-10-28 14:03 UTC (permalink / raw)
  To: Proxmox VE user list, Marco Gaiarin



On Thu, 2021-10-28 1:36 PM, Marco Gaiarin wrote:
> 
> Set up a pretty standard LXC container on bullseye, on a PVE7 server.
> 
> Every time logrotate runs on LXC I get on LXC:
> 
>   Oct 28 00:00:59 vbaculaacpn1 systemd[106367]: logrotate.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied
>   Oct 28 00:00:59 vbaculaacpn1 systemd[106367]: logrotate.service: Failed at step NAMESPACE spawning /usr/sbin/logrotate: Permission denied
>   Oct 28 00:00:59 vbaculaacpn1 systemd[1]: logrotate.service: Main process exited, code=exited, status=226/NAMESPACE
>   Oct 28 00:00:59 vbaculaacpn1 systemd[1]: logrotate.service: Failed with result 'exit-code'.
>   Oct 28 00:00:59 vbaculaacpn1 systemd[1]: Failed to start Rotate log files.
> 
> And on PVE:
> 
>   Oct 28 00:00:59 beppe kernel: [280466.359176] audit: type=1400 audit(1635372059.192:31): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/proc/" pid=3059401 comm="(ogrotate)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
> 
> 
> ?! I've tried to google around a bit, but found nothing.
> 
> 
> Thanks.
> 


Hello,

Check
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1713773.html 
and https://forum.proxmox.com/threads/logrotate-issue-in-buster-lxc.56726/

There are other links in Google when you search for Failed at step 
NAMESPACE spawning  pve logrotate

Regards




* Re: [PVE-User] Bullseye LXC and logrotate...
       [not found] ` <mailman.66.1635429832.15957.pve-user@lists.proxmox.com>
@ 2021-10-29 10:28   ` Marco Gaiarin
       [not found]     ` <mailman.83.1635508452.15957.pve-user@lists.proxmox.com>
  0 siblings, 1 reply; 4+ messages in thread
From: Marco Gaiarin @ 2021-10-29 10:28 UTC (permalink / raw)
  To: Stefan Radman via pve-user; +Cc: pve-user

Hello! Stefan Radman via pve-user
  On that day it was said...

> Here is what Google turned up for me.

Ah! Your google works better than mine! ;-)


Thanks, I can confirm that fixed.

It is not clear if it is better to relax CAP on LXC or relax hardening of
logrotate inside the LXC, but I hope the PVE team will determine the best
solution.

Considering it is an unprivileged container, relaxing logrotate seems
appropriate to me.

Thanks!

-- 
  The world will not give up being violent until it agrees
  to study its own need for violence.	(Yolande Mukagasana)






* Re: [PVE-User] Bullseye LXC and logrotate...
       [not found]     ` <mailman.83.1635508452.15957.pve-user@lists.proxmox.com>
@ 2021-11-01 20:43       ` Marco Gaiarin
  0 siblings, 0 replies; 4+ messages in thread
From: Marco Gaiarin @ 2021-11-01 20:43 UTC (permalink / raw)
  To: Arjen via pve-user; +Cc: pve-user

Hello! Arjen via pve-user
  On that day it was said...

Only for the sake of google...

>> Thanks, I can confirm that fixed.

It is NOT fixed; changing the logrotate systemd unit configuration does nothing.


> According to this forum post[1] by one of the Proxmox staff, enabling nesting is the way forward.
> [1] https://forum.proxmox.com/threads/lxc-container-upgrade-to-bullseye-slow-login-and-apparmor-errors.93064/post-409030

Bingo! This works! ;-)


Thanks.

-- 
  The number of UNIX installations has grown to 10, with more expected.
	(_The UNIX Programmer's Manual_, Second Edition, June 1972)
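
Added example (not part of the original thread, and not Proxmox code): a small Python triage script that pairs the two symptoms quoted above, the host-side AppArmor denial of a proc mount under an lxc-<id> profile and the guest-side status=226/NAMESPACE exit, and reports which container is affected. The log lines are the ones from the thread except the second host line, which is constructed as a non-matching control; all function names are assumptions.

```python
import re

# Host (PVE) and guest lines copied from the thread; the second host line is
# constructed as a control that must not match.
HOST_LOG = [
    'Oct 28 00:00:59 beppe kernel: [280466.359176] audit: type=1400 audit(1635372059.192:31): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-102_</var/lib/lxc>" name="/run/systemd/unit-root/proc/" pid=3059401 comm="(ogrotate)" fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"',
    'Oct 28 00:01:02 beppe kernel: [280469.000000] audit: type=1400 audit(1635372062.000:32): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=4242 comm="ntpd"',
]
GUEST_LOG = [
    'Oct 28 00:00:59 vbaculaacpn1 systemd[1]: logrotate.service: Main process exited, code=exited, status=226/NAMESPACE',
]

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')          # key="quoted value" or key=bare
LXC_PROFILE = re.compile(r'^lxc-(\d+)_')           # AppArmor profile of an LXC guest
NS_FAIL = re.compile(r'systemd\[\d+\]: (\S+): Main process exited, .*status=226/NAMESPACE')

def audit_fields(line):
    """Split an audit record into a dict, unquoting quoted values."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def lxc_sandbox_denials(host_lines):
    """Return (ctid, comm, target) for denied proc mounts under an lxc-<id> profile."""
    hits = []
    for line in host_lines:
        f = audit_fields(line)
        m = LXC_PROFILE.match(f.get("profile", ""))
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "mount"
                and f.get("fstype") == "proc" and m):
            hits.append((int(m.group(1)), f.get("comm"), f.get("name")))
    return hits

def namespace_failed_units(guest_lines):
    """Return unit names whose main process exited with status 226/NAMESPACE."""
    return [m.group(1) for l in guest_lines if (m := NS_FAIL.search(l))]

def triage(host_lines, guest_lines):
    """Pair each host-side denial with the units that failed inside the guest."""
    units = namespace_failed_units(guest_lines)
    return [{"ctid": ctid, "comm": comm, "target": target, "failed_units": units}
            for ctid, comm, target in lxc_sandbox_denials(host_lines)]

if __name__ == "__main__":
    for hit in triage(HOST_LOG, GUEST_LOG):
        print(hit)
```

The reported container id is the one whose nesting feature the thread's final message points to; on a PVE host that is set per container with `pct set 102 --features nesting=1`, followed by a container restart.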




