Arch Linux


FS#39873 - [nginx] PrivateDevices=yes will cause nginx start fail when arch is in systemd container

Attached to Project: Arch Linux
Opened by Kimi Arthur (Kimi Arthur) - Tuesday, 15 April 2014, 12:22 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Tuesday, 20 May 2014, 15:18 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Sébastien Luttringer (seblu), Bartłomiej Piotrowski (Barthalion)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:

I'm running Arch Linux inside a container in SUSE. After updating to nginx 1.4.7-2, I cannot start the service.

When I change the option "PrivateDevices=yes" to "PrivateDevices=no", it starts normally.

Additional info:
* package version(s): 1.4.7-2

* config and/or log files etc:

status:

● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
Active: failed (Result: exit-code) since Tue 2014-04-15 20:08:59 CST; 5s ago
Process: 8467 ExecStop=/usr/bin/nginx -g pid /run/nginx.pid; -s quit (code=exited, status=226/NAMESPACE)
Process: 8468 ExecStartPre=/usr/bin/nginx -t -q -g pid /run/nginx.pid; daemon on; master_process on; (code=exited, status=226/NAMESPACE)
Main PID: 7640 (code=exited, status=0/SUCCESS)

Apr 15 20:08:59 arch systemd[8468]: Failed at step NAMESPACE spawning /usr/bin/nginx: Operation not permitted
Apr 15 20:08:59 arch systemd[1]: nginx.service: control process exited, code=exited status=226
Apr 15 20:08:59 arch systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Apr 15 20:08:59 arch systemd[1]: Unit nginx.service entered failed state.

journalctl:

-- Logs begin at Wed 2013-12-11 13:07:04 CST, end at Tue 2014-04-15 20:09:53 CST. --
Apr 15 20:08:59 arch systemd[8468]: Failed at step NAMESPACE spawning /usr/bin/nginx: Operation not permitted
-- Subject: Process /usr/bin/nginx could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The process /usr/bin/nginx could not be executed and failed.
--
-- The error number returned while executing this process is 1.
Apr 15 20:08:59 arch systemd[1]: nginx.service: control process exited, code=exited status=226
Apr 15 20:08:59 arch systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nginx.service has failed.
--
-- The result is failed.
Apr 15 20:08:59 arch systemd[1]: Unit nginx.service entered failed state.
Apr 15 20:08:59 arch sudo[8464]: pam_unix(sudo:session): session closed for user root


Steps to reproduce:

(Possibly)
1) install Suse,
2) install arch linux as a systemd service,
3) install nginx,
4) start nginx service

Closed by Bartłomiej Piotrowski (Barthalion) - Tuesday, 20 May 2014, 15:18 GMT
Reason for closing: Won't fix
Comment by Daniel Micay (thestinger) - Tuesday, 15 April 2014, 18:47 GMT
It works fine for me in an Arch container spawned with `systemd-nspawn -bD sandbox` on an Arch Linux host. Entering the namespace currently requires `CAP_SYS_ADMIN`, and perhaps you're missing that capability on the container.

Fedora is going to be adding `PrivateDevices=yes` to many services too, so OpenSUSE will need to fix whatever is broken. Unless you can replicate this problem on an Arch host, I don't think it is a bug.
Comment by Bartłomiej Piotrowski (Barthalion) - Wednesday, 16 April 2014, 08:03 GMT
As Daniel wrote, I don't think that PrivateDevices is guilty. Whether it's missing CAP_SYS_ADMIN or terribly old systemd on OpenSUSE, you can easily modify nginx.service by dropping your changes to /etc/systemd/system/nginx.service.d/. Closing.
Comment by Mike (oktobermoon) - Wednesday, 14 May 2014, 20:09 GMT
  • Field changed: Percent Complete (100% → 0%)
I have reproduced this on Arch hosts.
The bug occurred after moving LXC containers from one host to another. After that, I could not start nginx. We run exclusively Arch Linux in our environments: Arch hosts and Arch containers. I have confirmed that changing PrivateDevices to "no" allows nginx to start. If it is set to "yes", I get the same errors listed above:

-- Logs begin at Thu 2014-04-10 12:58:54 MDT, end at Mon 2014-05-05 10:31:45 MDT. --
May 05 10:28:53 dev systemd[3043]: Failed at step NAMESPACE spawning /usr/bin/nginx: Operation not permitted
-- Subject: Process /usr/bin/nginx could not be executed
-- Defined-By: systemd
Comment by Daniel Micay (thestinger) - Wednesday, 14 May 2014, 20:11 GMT
It sounds like something like this: https://bugs.archlinux.org/task/31301
Comment by Bartłomiej Piotrowski (Barthalion) - Tuesday, 20 May 2014, 15:17 GMT
Considering the fact that it's easy to disable PrivateDevices if needed and the problem doesn't touch a significant part of our userbase, I'm going to close the task.
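
The drop-in override mentioned in the comments, as an added example that is not part of the original thread or the nginx package: it writes `PrivateDevices=no` only when the container's capability bounding set lacks `CAP_SYS_ADMIN`, the one cause suggested above, so the sandboxing stays on wherever it can work. The function names and the file name `private-devices.conf` are hypothetical; the drop-in directory is the one named in the thread.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, not shipped by Arch or nginx.

CAP_SYS_ADMIN_BIT=21   # capability number of CAP_SYS_ADMIN in linux/capability.h

# has_cap_sys_admin MASK: succeeds if bit 21 is set in the hex mask
# (the format of the CapBnd line in /proc/<pid>/status).
has_cap_sys_admin() {
    [ $(( (0x$1 >> $CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# current_capbnd [STATUS_FILE]: prints the bounding-set mask of this process.
current_capbnd() {
    awk '/^CapBnd:/ { print $2 }' "${1:-/proc/self/status}"
}

# write_dropin DIR: creates DIR/private-devices.conf overriding the packaged unit.
# systemd only reads drop-in files whose names end in .conf.
write_dropin() {
    mkdir -p "$1" || return 1
    printf '[Service]\nPrivateDevices=no\n' > "$1/private-devices.conf"
}

# relax_if_needed MASK DIR: prints "keep" when CAP_SYS_ADMIN is available
# (missing capability ruled out, packaged unit left alone), otherwise writes
# the drop-in and prints "override".
relax_if_needed() {
    if has_cap_sys_admin "$1"; then
        echo "keep"
    else
        write_dropin "$2" && echo "override"
    fi
}

# Usage as root inside the container:
#   relax_if_needed "$(current_capbnd)" /etc/systemd/system/nginx.service.d
#   systemctl daemon-reload && systemctl restart nginx
```

If the result is "keep" and nginx still fails with status=226/NAMESPACE, the cause lies elsewhere and the override has to be decided by hand.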
