On Tue, Feb 12, 2019 at 9:44 PM, Chris Lamb <la...@debian.org> wrote:
Hi Pirate,

 https://wiki.debian.org/Packaging/Pre-Requisites#LXC has networking
 setup instructions.

Still no dice and I don't really have the bandwidth to learn
another container technology. :(


Maybe ask the lxc team for help?

  I tried removing all hardening features and it still won't start

Please provide:

 a) The *exact* .service file you are trying.


Initially I tried editing /lib/systemd/system/redis-server.service and later I edited /lib/systemd/system/redis-server\@.service as well (edited both these files)

 b) Exactly how you are editing the shipped .service file.


I tried changing true to false initially, then adding # in front of the options.

So the current snapshot looks like this:
root@redis:~# cat /lib/systemd/system/redis-server.service
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
ExecStop=/bin/kill -s TERM $MAINPID
PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
#RuntimeDirectory=redis
#RuntimeDirectoryMode=2755

#UMask=007
#PrivateTmp=yes
#LimitNOFILE=65535
#PrivateDevices=yes
#ProtectHome=yes
#ReadOnlyDirectories=/
#ReadWriteDirectories=-/var/lib/redis
#ReadWriteDirectories=-/var/log/redis
#ReadWriteDirectories=-/var/run/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectControlGroups=true
#RestrictRealtime=true
#RestrictNamespaces=true
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".
#ProtectSystem=true
#ReadWriteDirectories=-/etc/redis

[Install]
WantedBy=multi-user.target
Alias=redis.service

 c) uname -a


root@redis:~# uname -a
Linux redis 4.15.0-2-amd64 #1 SMP Debian 4.15.11-1 (2018-03-20) x86_64 GNU/Linux
root@redis:~#

This is reproduced on a second machine. On first machine, I tried with two kernels, one older and then 4.19.

 d) aa-status

Anything in the global kernel log or dmesg...?

In dmesg inside container (same error on the host as well), so it seems apparmor is blocking it.

[14760.307180] audit: type=1400 audit(1549992481.311:156): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=20531 comm="(s-server)" flags="rw, rslave"
[14760.573458] audit: type=1400 audit(1549992481.579:157): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=20532 comm="(s-server)" flags="rw, rslave"
[14760.823723] audit: type=1400 audit(1549992481.827:158): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=20533 comm="(s-server)" flags="rw, rslave"
[14761.073770] audit: type=1400 audit(1549992482.079:159): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=20534 comm="(s-server)" flags="rw, rslave"
[14761.323944] audit: type=1400 audit(1549992482.327:160): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=20536 comm="(s-server)" flags="rw, rslave"


Though systemctl status apparmor on the host showed it failed:

Feb 12 18:23:25 nishumbha systemd[1]: Starting AppArmor initialization...
Feb 12 18:23:30 nishumbha apparmor[600]: Starting AppArmor profiles:AppArmor parser error for /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin in /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin at line 89: Could not open 'abstractions/dri-enumerate'
Feb 12 18:23:30 nishumbha apparmor[600]: AppArmor parser error for /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin in /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin at line 89: Could not open 'abstractions/dri-enumerate'
Feb 12 18:23:30 nishumbha apparmor[600]:  failed!
Feb 12 18:23:30 nishumbha systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a

apparmor was at 2.11.1-4; updating it to 2.13.2-7 fixed the above error, but redis still can't be started, just like before (same error message), even after stopping apparmor on the host.

pravi@nishumbha:~$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset:
   Active: inactive (dead) since Tue 2019-02-12 23:06:50 IST; 3min 56s ago
    Docs: man:apparmor(7)
          https://gitlab.com/apparmor/apparmor/wikis/home/
  Process: 10021 ExecStop=/bin/true (code=exited, status=0/SUCCESS)
  Process: 9765 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, st
Main PID: 9765 (code=exited, status=0/SUCCESS)
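As an added example (not part of this thread or of the redis package): a small Python triage helper that parses AppArmor audit records like the dmesg lines above, flags the denied mount of "/" with a propagation flag that systemd issues when it builds a per-service mount namespace, and lists which still-active directives in a unit file require such a namespace. The directive set and the second sample record are assumptions made for this example.

```python
import re
from collections import Counter
# systemd.exec(5) directives implemented with a per-service mount namespace
# (assumption for this example; confirm against your systemd version).
MOUNT_NS_DIRECTIVES = {
    "PrivateTmp", "PrivateDevices", "ProtectHome", "ProtectSystem",
    "ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups",
    "ReadOnlyDirectories", "ReadWriteDirectories", "ReadOnlyPaths", "ReadWritePaths",
    "InaccessiblePaths", "BindPaths", "MountFlags", "PrivateMounts", "TemporaryFileSystem",
}
PROPAGATION_FLAGS = {"rslave", "rprivate", "rshared", "slave", "private", "shared"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# One denial quoted in the thread plus one constructed, unrelated record.
SAMPLE_DMESG = """\
[14760.307180] audit: type=1400 audit(1549992481.311:156): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=20531 comm="(s-server)" flags="rw, rslave"
[14761.900000] audit: type=1400 audit(1549992482.900:162): apparmor="DENIED" operation="open" profile="lxc-container-default-cgns" name="/proc/sysrq-trigger" pid=20540 comm="bash" requested_mask="w" denied_mask="w"
"""

def parse_audit_line(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    if "apparmor=" not in line:
        return None
    return {k: (bare or quoted) for k, quoted, bare in FIELD_RE.findall(line)}

def is_namespace_setup_denial(rec):
    """Denied mount of "/" with a propagation flag: the remount systemd does
    when it builds a private mount namespace for a service."""
    if rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount" or rec.get("name") != "/":
        return False
    return bool({f.strip() for f in rec.get("flags", "").split(",")} & PROPAGATION_FLAGS)

def summarize_denials(dmesg_text):
    """Count DENIED records per (profile, operation, name, flags)."""
    counts = Counter()
    for rec in map(parse_audit_line, dmesg_text.splitlines()):
        if rec and rec.get("apparmor") == "DENIED":
            counts[(rec.get("profile"), rec.get("operation"), rec.get("name"), rec.get("flags", ""))] += 1
    return dict(counts)

def namespace_directives(unit_text):
    """Active (uncommented, not false) directives that imply a mount namespace."""
    found = set()
    for line in (l.strip() for l in unit_text.splitlines()):
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in MOUNT_NS_DIRECTIVES and value.lower() not in {"no", "false", "0", "off", ""}:
            found.add(key)
    return found
```

Run namespace_directives() over the snapshot of redis-server.service pasted above to see which hardening directives still force a mount namespace, and summarize_denials() over the container's dmesg to confirm the denial is the "/" remount rather than a service-specific file access.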


