public inbox for pve-user@lists.proxmox.com
* [PVE-User] systemd-logind.service
@ 2022-09-05 10:27 Kalpesh Sejpal
  2022-09-08  9:58 ` Piviul
  0 siblings, 1 reply; 5+ messages in thread
From: Kalpesh Sejpal @ 2022-09-05 10:27 UTC (permalink / raw)
  To: pve-user

Hi,

It's better to enable features Flag nesting=1 for each LXC container with
that error.

Please check security concerns before changing it.

If you can't do that then another alternative is to mask systemd-logind
service.

Hopefully it can solve the problem.

Regards,
kalpesh sejpal

On Mon, 5 Sep, 2022, 3:30 pm , <pve-user-request@lists.proxmox.com> wrote:

> Message: 1
> Date: Fri, 2 Sep 2022 09:23:31 +0200
> From: Piviul <piviul@riminilug.it>
> To: Proxmox VE user list <pve-user@lists.proxmox.com>
> Subject: [PVE-User] systemd-logind.service
> Message-ID: <02a31483-11f1-584a-eee1-76d138c57db2@riminilug.it>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On a proxmox 6.4 environment, when a user logs on to a specific LXC
> container machine named unifi-controller, the logon time is very slow
> and on the host logs I find:
>
> Sep 02 07:15:36 unifi-controller systemd[1978474]:
> systemd-logind.service: Failed at step NAMESPACE spawning
> /lib/systemd/systemd-logind: Permission denied
> Sep 02 07:15:36 unifi-controller systemd[1978474]:
> systemd-logind.service: Failed to set up mount namespacing:
> /run/systemd/unit-root/proc: Permission denied
>
> Other LXCs don't have any problems. Can someone help me find the issue?
>
> Best regards
>
> Piviul
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 2 Sep 2022 10:26:17 +0200
> From: Piviul <piviul@riminilug.it>
> To: Proxmox VE user list <pve-user@lists.proxmox.com>
> Subject: [PVE-User] systemd-logind.service
> Message-ID: <5f271b1a-1a38-9861-f390-afb80ad29de5@riminilug.it>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> I add that on the proxmox node I can find the following logs:
>
> Sep  2 10:22:22 pve02 kernel: [6409941.290413] audit: type=1400
> audit(1662106942.591:968): apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>"
> name="/run/systemd/unit-root/proc/" pid=3151975 comm="(d-logind)"
> fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
> Sep  2 10:22:22 pve02 kernel: [6409941.341352] audit: type=1400
> audit(1662106942.643:969): apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>"
> name="/run/systemd/unit-root/proc/" pid=3151979 comm="(d-logind)"
> fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
> Sep  2 10:22:22 pve02 kernel: [6409941.391871] audit: type=1400
> audit(1662106942.691:970): apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>"
> name="/run/systemd/unit-root/proc/" pid=3151983 comm="(d-logind)"
> fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
> Sep  2 10:22:22 pve02 kernel: [6409941.442322] audit: type=1400
> audit(1662106942.743:971): apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>"
> name="/run/systemd/unit-root/proc/" pid=3151987 comm="(d-logind)"
> fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
> Sep  2 10:22:22 pve02 kernel: [6409941.466567] audit: type=1400
> audit(1662106942.767:972): apparmor="DENIED" operation="mount"
> info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>"
> name="/run/systemd/unit-root/proc/" pid=3151991 comm="(d-logind)"
> fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
>
> It seems to be an AppArmor problem... furthermore it seems that old LXCs don't
> suffer from this problem, but if I create a new LXC it does.
>
> Piviul
>
> ------------------------------
>
> On a proxmox 6.4 environment, when a user logs on to a specific LXC
> container machine named unifi-controller, the logon time is very slow
> and on the host logs I find:
>
>
> Sep 02 07:15:36 unifi-controller systemd[1978474]:
> systemd-logind.service: Failed at step NAMESPACE spawning
> /lib/systemd/systemd-logind: Permission denied
> Sep 02 07:15:36 unifi-controller systemd[1978474]:
> systemd-logind.service: Failed to set up mount namespacing:
> /run/systemd/unit-root/proc: Permission denied
>
> Other LXCs don't have any problems. Can someone help me find the issue?
>
> Best regards
> Paul
>
>
>
>
>

* Re: [PVE-User] systemd-logind.service
  2022-09-05 10:27 [PVE-User] systemd-logind.service Kalpesh Sejpal
@ 2022-09-08  9:58 ` Piviul
  0 siblings, 0 replies; 5+ messages in thread
From: Piviul @ 2022-09-08  9:58 UTC (permalink / raw)
  To: pve-user

On 05/09/22 12:27, Kalpesh Sejpal wrote:
> Hi,
>
> It's better to enable features Flag nesting=1 for each LXC container with
> that error.
>
> Please check security concerns before changing it.
>
> If you can't do that then another alternative is to mask systemd-logind
> service.

Hi Kalpesh, thank you very much. In effect both solutions seem to work.
Are there security risks in setting the nesting flag on an unprivileged container?

Piviul






* Re: [PVE-User] systemd-logind.service
       [not found] ` <mailman.49.1662383601.354.pve-user@lists.proxmox.com>
@ 2022-09-07  4:33   ` Piviul
  0 siblings, 0 replies; 5+ messages in thread
From: Piviul @ 2022-09-07  4:33 UTC (permalink / raw)
  To: pve-user

On 05/09/22 10:26, Arjen via pve-user wrote:
> Maybe this forum thread and this specific post (by the Proxmox staff) can help:
> https://forum.proxmox.com/threads/lxc-container-upgrade-to-bullseye-slow-login-and-apparmor-errors.93064/#post-409018
>
> kind regards, Arjen
Thank you very much Arjen, systemctl mask systemd-logind solves the problem.

Thank you very much indeed!

Best regards

Piviul




* [PVE-User] systemd-logind.service
@ 2022-09-02  8:26 Piviul
  0 siblings, 0 replies; 5+ messages in thread
From: Piviul @ 2022-09-02  8:26 UTC (permalink / raw)
  To: Proxmox VE user list

I add that on the proxmox node I can find the following logs:

Sep  2 10:22:22 pve02 kernel: [6409941.290413] audit: type=1400 
audit(1662106942.591:968): apparmor="DENIED" operation="mount" 
info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>" 
name="/run/systemd/unit-root/proc/" pid=3151975 comm="(d-logind)" 
fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Sep  2 10:22:22 pve02 kernel: [6409941.341352] audit: type=1400 
audit(1662106942.643:969): apparmor="DENIED" operation="mount" 
info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>" 
name="/run/systemd/unit-root/proc/" pid=3151979 comm="(d-logind)" 
fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Sep  2 10:22:22 pve02 kernel: [6409941.391871] audit: type=1400 
audit(1662106942.691:970): apparmor="DENIED" operation="mount" 
info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>" 
name="/run/systemd/unit-root/proc/" pid=3151983 comm="(d-logind)" 
fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Sep  2 10:22:22 pve02 kernel: [6409941.442322] audit: type=1400 
audit(1662106942.743:971): apparmor="DENIED" operation="mount" 
info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>" 
name="/run/systemd/unit-root/proc/" pid=3151987 comm="(d-logind)" 
fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Sep  2 10:22:22 pve02 kernel: [6409941.466567] audit: type=1400 
audit(1662106942.767:972): apparmor="DENIED" operation="mount" 
info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>" 
name="/run/systemd/unit-root/proc/" pid=3151991 comm="(d-logind)" 
fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"

It seems to be an AppArmor problem... furthermore it seems that old LXCs don't
suffer from this problem, but if I create a new LXC it does.

Piviul

------------------------------

On a proxmox 6.4 environment, when a user logs on to a specific LXC
container machine named unifi-controller, the logon time is very slow 
and on the host logs I find:


Sep 02 07:15:36 unifi-controller systemd[1978474]: 
systemd-logind.service: Failed at step NAMESPACE spawning 
/lib/systemd/systemd-logind: Permission denied
Sep 02 07:15:36 unifi-controller systemd[1978474]: 
systemd-logind.service: Failed to set up mount namespacing: 
/run/systemd/unit-root/proc: Permission denied

Other LXCs don't have any problems. Can someone help me find the issue?

Best regards

Piviul
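
A triage sketch for the AppArmor denials posted above, added here as an example and not part of any poster's message: it re-joins the wrapped kernel audit records and counts, per container, the denied mounts under /run/systemd/unit-root/. The function names are hypothetical, the number in the profile name is assumed to be the container ID, and the last sample record is constructed.

```python
import re
from collections import defaultdict

# Two wrapped records copied from the post, plus one constructed record
# (lxc-140, last line) that must not be counted.
SAMPLE_LOG = """\
Sep  2 10:22:22 pve02 kernel: [6409941.290413] audit: type=1400
audit(1662106942.591:968): apparmor="DENIED" operation="mount"
info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>"
name="/run/systemd/unit-root/proc/" pid=3151975 comm="(d-logind)"
fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Sep  2 10:22:22 pve02 kernel: [6409941.341352] audit: type=1400
audit(1662106942.643:969): apparmor="DENIED" operation="mount"
info="failed flags match" error=-13 profile="lxc-132_</var/lib/lxc>"
name="/run/systemd/unit-root/proc/" pid=3151979 comm="(d-logind)"
fstype="proc" srcname="proc" flags="rw, nosuid, nodev, noexec"
Sep  2 10:25:01 pve02 kernel: [6410100.000001] audit: type=1400 audit(1662107101.000:980): apparmor="DENIED" operation="mount" error=-13 profile="lxc-140_</var/lib/lxc>" name="/mnt/data/" pid=4242 comm="mount" fstype="ext4" flags="rw"
"""

RECORD_START = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kernel:")
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PROFILE = re.compile(r"^lxc-(\d+)_")  # assumption: the number is the container ID

def join_records(text):
    """Re-join audit records that were wrapped across several lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_fields(record):
    """Return the key=value / key="value" pairs of one audit record."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(record)}

def logind_namespace_denials(text):
    """Map container ID -> denied mounts under systemd's unit-root."""
    hits = defaultdict(int)
    for f in map(parse_fields, join_records(text)):
        m = PROFILE.match(f.get("profile", ""))
        if (m and f.get("apparmor") == "DENIED" and f.get("operation") == "mount"
                and f.get("name", "").startswith("/run/systemd/unit-root/")):
            hits[m.group(1)] += 1
    return dict(hits)
```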






* [PVE-User] systemd-logind.service
@ 2022-09-02  7:23 Piviul
       [not found] ` <mailman.49.1662383601.354.pve-user@lists.proxmox.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Piviul @ 2022-09-02  7:23 UTC (permalink / raw)
  To: Proxmox VE user list

On a proxmox 6.4 environment, when a user logs on to a specific LXC
container machine named unifi-controller, the logon time is very slow 
and on the host logs I find:

Sep 02 07:15:36 unifi-controller systemd[1978474]: 
systemd-logind.service: Failed at step NAMESPACE spawning 
/lib/systemd/systemd-logind: Permission denied
Sep 02 07:15:36 unifi-controller systemd[1978474]: 
systemd-logind.service: Failed to set up mount namespacing: 
/run/systemd/unit-root/proc: Permission denied

Other LXCs don't have any problems. Can someone help me find the issue?

Best regards

Piviul



