[SOLVED] apache2.service: Failed to set up mount namespacing: Permission denied

RobFantini

Renowned Member
May 24, 2012
1,836
58
68
Boston,Mass
this issue started when we upgraded an lxc to buster.
Code:
systemctl status apache2.service
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2019-08-11 09:52:05 EDT; 9ms ago
     Docs: https://httpd.apache.org/docs/2.4/
  Process: 32501 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)

Aug 11 09:52:05 backuppc systemd[1]: Starting The Apache HTTP Server...
Aug 11 09:52:05 backuppc systemd[32501]: apache2.service: Failed to set up mount namespacing: Permission denied
Aug 11 09:52:05 backuppc systemd[32501]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Aug 11 09:52:05 backuppc systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Aug 11 09:52:05 backuppc systemd[1]: apache2.service: Failed with result 'exit-code'.
Aug 11 09:52:05 backuppc systemd[1]: Failed to start The Apache HTTP Server.

solution was to set nesting option for the lxc.
 

puldi

Member
Jul 11, 2018
12
1
8
Thank you very much. Had the same issue and just was about to reinstall the container. Your hint helped me fix it.
BUT: I neither did an upgrade to buster inside container nor did I on Proxmox host. The issue appeared after restarting the container which hasn't been modified for some months now. Strange!
 

RobFantini

Renowned Member
May 24, 2012
1,836
58
68
Boston,Mass
Thank you very much. Had the same issue and just was about to reinstall the container. Your hint helped me fix it.
BUT: I neither did an upgrade to buster inside container nor did I on Proxmox host. The issue appeared after restarting the container which hasn't been modified for some months now. Strange!

may have due to an update to apache2 or something ? or lxc on the host.
 

Yuneldeltoro

New Member
Dec 3, 2019
1
5
3
47
La Havana, Cuba.
tostonetcuba.com
this issue started when we upgraded an lxc to buster.
Code:
systemctl status apache2.service
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2019-08-11 09:52:05 EDT; 9ms ago
     Docs: https://httpd.apache.org/docs/2.4/
  Process: 32501 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)

Aug 11 09:52:05 backuppc systemd[1]: Starting The Apache HTTP Server...
Aug 11 09:52:05 backuppc systemd[32501]: apache2.service: Failed to set up mount namespacing: Permission denied
Aug 11 09:52:05 backuppc systemd[32501]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Aug 11 09:52:05 backuppc systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Aug 11 09:52:05 backuppc systemd[1]: apache2.service: Failed with result 'exit-code'.
Aug 11 09:52:05 backuppc systemd[1]: Failed to start The Apache HTTP Server.

solution was to set nesting option for the lxc.

the solution without nesting:
https://stackoverflow.com/questions/55728957/apache-failed-at-step-namespace
https://help.directadmin.com/item.php?id=614

$ sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
$ sudo systemctl daemon-reload
$ sudo systemctl start apache2.service
$ sudo systemctl status apache2.service
 
Last edited:

owlnical

Member
Jun 1, 2017
3
0
6
31
Just to verify, Yuneldeltoro's solution works as well. I used it on a Debian 10 container.
 

Psilospiral

Member
Jun 25, 2019
34
5
8
49
solution was to set nesting option for the lxc.
Thank you for posting this, RobFantini. Your post allowed me to quickly solve a problem. I ran into this same 'namespacing permission denied' issue that was noted in my systemctl logs while creating a CT for a Syncthing server. Simply checking Options>Features>Nesting:ON took care of the problem!
 

BrandonN

Member
Mar 2, 2018
17
2
8
28
Colombia

RobFantini

Renowned Member
May 24, 2012
1,836
58
68
Boston,Mass
not sure if you were asking about nesting or systemd method.

i am not an expert at lxc. however I've read a few places where nesting is a useful feature. for instance this mentions 'However, we heavily encourage the use of unprivileged containers whenever possible. Nesting with unprivileged containers works just as well, but requires an extra step.'

https://ubuntu.com/blog/nested-containers-in-lxd
 

Baulder

Member
Jul 19, 2018
1
1
6
Russia
The solution provided by Yuneldeltoro is right but direct editing of service configuration file is not so beautiful. It's better to edit it by `systemctl edit apache2` command or create override config:

$ sudo cat << EOF >> /etc/systemd/system/apache2.service.d/override.conf
# /lib/systemd/system/apache2.service
[Service]
PrivateTmp=false
NoNewPrivileges=yes
EOF

sudo systemctl daemon-reload
sudo systemctl start apache2.service
 
Last edited:
  • Like
Reactions: Elliott Partridge

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!