Hi,

noticed the same today with unprivileged LXC Debian Stretch containers
running PHP. As a reference, a possible workaround could be the following:

--------------------------
A temporary fix is:

systemctl disable phpsessionclean.timer
systemctl stop phpsessionclean.timer

Then fix the cron for operation without systemd in: /etc/cron.d/php

##09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi
09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean
--------------------------

Credit goes to a user from the Proxmox forums here:
https://forum.proxmox.com/threads/app-armor-issues.37746/#post-198073

On Fri, 21 Jul 2017 11:56:12 +0200 Marco Gaiarin <g...@sv.lnf.it> wrote:
> Package: php-common
> Version: 1:49
> Severity: normal
> 
> 
> I've set up a LXC stretch container in a Proxmox virtualization cluster, and
> after installing apache/PHP I've started to have in the logs of the container rows
> like:
> 
>  Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Failed to reset devices.list: Operation not permitted
>  Jul 21 10:09:14 vglpi systemd[24929]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
>  Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Main process exited, code=exited, status=225/NETWORK
>  Jul 21 10:09:14 vglpi systemd[1]: Failed to start Clean php session files.
>  Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Unit entered failed state.
>  Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Failed with result 'exit-code'.
>  Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Failed to reset devices.list: Operation not permitted
>  Jul 21 10:39:14 vglpi systemd[24948]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
>  Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Main process exited, code=exited, status=225/NETWORK
>  Jul 21 10:39:14 vglpi systemd[1]: Failed to start Clean php session files.
>  Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Unit entered failed state.
>  Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Failed with result 'exit-code'.
> 
> and, at the same time, on the host that runs the container:
> 
>  Jul 21 10:09:14 tessier kernel: [22515856.189072] audit: type=1400 audit(1500624554.627:384): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:09:14 tessier kernel: [22515856.189077] audit: type=1400 audit(1500624554.627:385): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:09:14 tessier kernel: [22515856.189082] audit: type=1400 audit(1500624554.627:386): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:09:14 tessier kernel: [22515856.189085] audit: type=1400 audit(1500624554.627:387): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:39:14 tessier kernel: [22517656.161803] audit: type=1400 audit(1500626354.625:388): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:39:14 tessier kernel: [22517656.161808] audit: type=1400 audit(1500626354.625:389): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:39:14 tessier kernel: [22517656.161812] audit: type=1400 audit(1500626354.625:390): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:39:14 tessier kernel: [22517656.161815] audit: type=1400 audit(1500626354.625:391): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> 
> I've tried to run the script by hand, as root, and no error appears
> (on container and on host).
> 
> For now, I've disabled the service:
> 
>       root@vglpi:~# systemctl disable phpsessionclean
> 
> 
> Thanks.
> 
> -- System Information:
> Debian Release: 9.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.4.21-1-pve (SMP w/2 CPU cores)
> Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
> LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages php-common depends on:
> ii  init-system-helpers  1.48
> ii  psmisc               22.21-2.1+b2
> ii  sed                  4.4-1
> 
> php-common recommends no packages.
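The workaround quoted in the reply above, as an added example that is not part of this reply, of the bug report, or of the Proxmox forum post: a small POSIX shell script that applies the timer-disable and the /etc/cron.d/php change in a repeatable way, and that can verify whether the change is already in place. The function names, the CRON_FILE variable (so the edit can be tried on a copy first) and the `apply` argument are my own; the paths, the cron schedule and the `##` comment prefix are the ones named in the thread, and the in-place edit assumes GNU sed (`-i`).

```shell
#!/bin/sh
# Added example: apply the cron-based workaround for phpsessionclean failing
# under unprivileged LXC. Not code from the bug report or the forum post.

SESSIONCLEAN=/usr/lib/php/sessionclean
# CRON_FILE is an assumption of this example; override it to test on a copy.
CRON_FILE=${CRON_FILE:-/etc/cron.d/php}

# Step 1 of the workaround: stop systemd from triggering the cleanup.
# Only meaningful where systemd is the init (as it is in the container).
disable_php_timer() {
    if [ -d /run/systemd/system ]; then
        systemctl disable phpsessionclean.timer
        systemctl stop phpsessionclean.timer
    fi
}

# Step 2: rewrite the cron entry in file $1 so that sessionclean runs even
# though /run/systemd/system exists inside the container. The stock line is
# kept for reference but commented out with '##'; the unconditional line is
# appended. Running the function twice leaves the file unchanged.
fix_php_cron() {
    f=$1
    # comment out every active entry still guarded by the systemd check
    sed -i 's|^\([0-9].*/run/systemd/system.*\)$|##\1|' "$f"
    # append the unconditional entry unless it is already present
    grep -q "^09,39 .*&& $SESSIONCLEAN\$" "$f" ||
        printf '%s\n' "09,39 *     * * *     root   [ -x $SESSIONCLEAN ] && $SESSIONCLEAN" >> "$f"
}

# Check: returns 0 when the workaround is in place in file $1, i.e. the
# unconditional entry exists and no active entry still depends on
# /run/systemd/system; returns 1 otherwise.
check_php_cron() {
    f=$1
    grep -q "^09,39 .*&& $SESSIONCLEAN\$" "$f" || return 1
    ! grep -q "^[0-9].*/run/systemd/system" "$f"
}

# Usage: CRON_FILE=/tmp/php.copy sh thisscript.sh apply   (dry run on a copy)
#        sh thisscript.sh apply                             (real file)
if [ "${1:-}" = apply ]; then
    disable_php_timer
    fix_php_cron "$CRON_FILE"
    check_php_cron "$CRON_FILE" && echo "workaround applied to $CRON_FILE"
fi
```

Running it against a copy first (via CRON_FILE) shows exactly what the cron file will look like before the real file is touched; `check_php_cron` is the same test one would add to a configuration audit to confirm the change survived a package upgrade that rewrites /etc/cron.d/php.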
