Issue with CentOS7 httpd spawning: Permission denied (PVE4 beta 2)

tukiyo3
Sep 13, 2015
~~~
# systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: failed (Result: exit-code) since Sun 2015-09-13 09:26:53 JST; 15min ago
Process: 520 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=226/NAMESPACE)
Process: 480 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=226/NAMESPACE)
Main PID: 480 (code=exited, status=226/NAMESPACE)
CGroup: /lxc/361/system.slice/httpd.service

Sep 13 09:26:53 wwwc7 systemd[480]: Failed at step NAMESPACE spawning /usr/sbin/httpd: Permission denied
Sep 13 09:26:53 wwwc7 systemd[1]: httpd.service: main process exited, code=exited, status=226/NAMESPACE
Sep 13 09:26:53 wwwc7 systemd[520]: Failed at step NAMESPACE spawning /bin/kill: Permission denied
Sep 13 09:26:53 wwwc7 systemd[1]: httpd.service: control process exited, code=exited status=226
Sep 13 09:26:53 wwwc7 systemd[1]: Failed to start The Apache HTTP Server.
Sep 13 09:26:53 wwwc7 systemd[1]: Unit httpd.service entered failed state.
~~~

~~~
# ps -ef | grep http
# /usr/sbin/httpd
# ps -ef | grep http
root 1800 1 0 09:42 ? 00:00:00 /usr/sbin/httpd
apache 1801 1800 0 09:42 ? 00:00:00 /usr/sbin/httpd
apache 1802 1800 0 09:42 ? 00:00:00 /usr/sbin/httpd
apache 1803 1800 0 09:42 ? 00:00:00 /usr/sbin/httpd
apache 1804 1800 0 09:42 ? 00:00:00 /usr/sbin/httpd
apache 1805 1800 0 09:42 ? 00:00:00 /usr/sbin/httpd
~~~

postfix, mariadb, nfsd have the same problems.
 
/etc/systemd/system/multi-user.target.wants/httpd.service

- PrivateTmp=true
+ PrivateTmp=false
+ NoNewPrivileges=yes
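
Review bot: The `PrivateTmp=false` line turns off the private /tmp and /var/tmp namespace for httpd, so the service now shares the container's /tmp with every other process; that trade-off should be stated next to the change. The file being edited is the multi-user.target.wants entry, which is a symlink to the packaged unit (/usr/lib/systemd/system/httpd.service in the status output), so a package update will overwrite the edit. Putting the two settings under a `[Service]` header in a drop-in such as /etc/systemd/system/httpd.service.d/override.conf keeps the change separate from the packaged file.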

systemctl daemon-reload, and
systemctl restart httpd is GREEN.

and mariadb, postfix are fixed with the same patch.

thanks, solved.
 
Editing a permanent file on a permanent storage medium (i.e. hard-drive) is not permanent enough for you?

Hahaha, sorry for my English, but I was trying to say a "base solution" (I don't know if that is the correct word), not a simple fix. The "visible" problem is fixed with that, but it is not the base problem. The "real" problem is that the service can't use a private tmp folder (I don't know how CentOS creates or mounts this folder).
 
Actually the same happens on Debian, too. So it is a distribution/app problem. You can write to the creators or you can have your own custom templates with this fix in place.
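
For the custom-template route mentioned above, the following is an added example (not code from the thread or from Proxmox) that finds every service unit with `PrivateTmp` enabled and writes the two settings from the fix as a drop-in override rather than editing the packaged unit. The function name, the drop-in file name `10-lxc-privatetmp.conf`, and applying the same two settings to every matching unit are assumptions of this example.

```shell
#!/bin/sh
# Added example: write a drop-in override for each unit that enables
# PrivateTmp, leaving the packaged unit files untouched.
# Arguments: $1 = directory holding the packaged *.service files,
#            $2 = root for drop-ins (normally /etc/systemd/system).
# Prints the number of overrides written.

write_privatetmp_overrides() {
    unit_dir=${1:-/usr/lib/systemd/system}
    dropin_root=${2:-/etc/systemd/system}
    count=0
    for unit in "$unit_dir"/*.service; do
        [ -f "$unit" ] || continue
        # Match an active directive only; commented-out lines are skipped.
        grep -Eq '^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*(true|yes|on|1)[[:space:]]*$' \
            "$unit" || continue
        name=$(basename "$unit")
        dir="$dropin_root/$name.d"
        mkdir -p "$dir" || return 1
        # The two settings from the post, under a [Service] header.
        printf '[Service]\nPrivateTmp=false\nNoNewPrivileges=yes\n' \
            > "$dir/10-lxc-privatetmp.conf" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Acts only when both directories are given explicitly, e.g. against a
# template's root filesystem:
#   sh overrides.sh /path/to/rootfs/usr/lib/systemd/system /path/to/rootfs/etc/systemd/system
if [ "$#" -eq 2 ]; then
    write_privatetmp_overrides "$1" "$2"
fi
```

Inside a running container, follow it with `systemctl daemon-reload` and a restart of the affected services, as in the original fix.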