[SOLVED] apache2.service: Failed to set up mount namespacing: Permission denied

RobFantini

this issue started when we upgraded an lxc to buster.
Code:
systemctl status apache2.service
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2019-08-11 09:52:05 EDT; 9ms ago
     Docs: https://httpd.apache.org/docs/2.4/
  Process: 32501 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)

Aug 11 09:52:05 backuppc systemd[1]: Starting The Apache HTTP Server...
Aug 11 09:52:05 backuppc systemd[32501]: apache2.service: Failed to set up mount namespacing: Permission denied
Aug 11 09:52:05 backuppc systemd[32501]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Aug 11 09:52:05 backuppc systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Aug 11 09:52:05 backuppc systemd[1]: apache2.service: Failed with result 'exit-code'.
Aug 11 09:52:05 backuppc systemd[1]: Failed to start The Apache HTTP Server.

solution was to set nesting option for the lxc.
 
Thank you very much. Had the same issue and just was about to reinstall the container. Your hint helped me fix it.
BUT: I neither did an upgrade to buster inside container nor did I on Proxmox host. The issue appeared after restarting the container which hasn't been modified for some months now. Strange!
 
may have been due to an update to apache2 or something? or lxc on the host.
 
the solution without nesting:
https://stackoverflow.com/questions/55728957/apache-failed-at-step-namespace
https://help.directadmin.com/item.php?id=614

$ sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
$ sudo systemctl daemon-reload
$ sudo systemctl start apache2.service
$ sudo systemctl status apache2.service
 
Thank you for posting this, RobFantini. Your post allowed me to quickly solve a problem. I ran into this same 'namespacing permission denied' issue that was noted in my systemctl logs while creating a CT for a Syncthing server. Simply checking Options>Features>Nesting:ON took care of the problem!
 
not sure if you were asking about nesting or systemd method.

I am not an expert at lxc. However, I've read in a few places that nesting is a useful feature. For instance, this mentions 'However, we heavily encourage the use of unprivileged containers whenever possible. Nesting with unprivileged containers works just as well, but requires an extra step.'

https://ubuntu.com/blog/nested-containers-in-lxd
 
The solution provided by Yuneldeltoro is right, but directly editing the service configuration file is not so beautiful. It's better to edit it with the `systemctl edit apache2` command or to create an override config:

$ sudo mkdir -p /etc/systemd/system/apache2.service.d
$ sudo tee -a /etc/systemd/system/apache2.service.d/override.conf > /dev/null << EOF
# /lib/systemd/system/apache2.service
[Service]
PrivateTmp=false
NoNewPrivileges=yes
EOF
$ sudo systemctl daemon-reload
$ sudo systemctl start apache2.service
 
When I upgraded the LXC container from Debian 10 to 11 it broke redis-server for Nextcloud. I've spent countless hours reading through the forums for any idea how to fix it until I saw this post. I've figured it had to be a permission issue. chown / chgrp had no effect.

Enabling the nesting feature on the container worked. It also fixed the slow logging into SSH and changing to root. Strange.

Also, I've noticed new containers automatically enable nesting by default.
 
Newer systemd-based containers need the setting (it's mentioned in the 7.1 release-notes) - which is also why it's enabled by default for new (unprivileged) container creations
https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_7.1

I hope this explains it!
 
We had some problems with pages that use setuid and setgid scripts (e.g. to inject mail). The above comment #10 worked with =no instead of =yes to allow those through again, in case someone else hits this page to figure out these issues!
 
I created this script (for apache) to add the override to the systemd configuration.
Easier to repeat on different servers.

Bash:
#!/bin/bash

# run using sudo or root

OVERRIDE_FILE=/etc/systemd/system/apache2.service.d/override.conf
if [ ! -r "${OVERRIDE_FILE}" ] ; then
    mkdir -p "$(dirname "${OVERRIDE_FILE}")"
    cat > "${OVERRIDE_FILE}" <<EOF
[Service]
PrivateTmp=false
NoNewPrivileges=yes
EOF
    systemctl daemon-reload
else
    echo "'${OVERRIDE_FILE}' already exists"
fi

echo "Contents of '${OVERRIDE_FILE}':"
cat "${OVERRIDE_FILE}"


It was also possible to restart apache interactively using "apachectl -k restart" - useful as a quick fix before permanently fixing it.
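
An added example, not part of any post in this thread: a small triage helper that pulls the units failing at step NAMESPACE out of journal text, and lists which sandboxing directives are still switched on for a unit once drop-ins such as the `PrivateTmp=false` override are applied. The directive list is a subset chosen for the example, and `example.service` with its `ProtectHome=` line is constructed sample input.

```bash
#!/bin/bash
# Added example (not from the thread): triage 226/NAMESPACE failures in a container.

# Units that systemd reported as failing at step NAMESPACE.
# Reads journal text on stdin, e.g. `journalctl -b --no-pager | ns_failed_units`.
ns_failed_units() {
    sed -n 's/.*systemd\[[0-9]*]: \([^ ]*\): Failed at step NAMESPACE .*/\1/p' | sort -u
}

# Sandboxing directives still switched on after drop-ins are applied.
# Reads `systemctl cat UNIT` output on stdin; the directive list is a
# subset picked for this example, not a complete list.
ns_directives() {
    awk -F= '
        /^(PrivateTmp|PrivateDevices|ProtectHome|ProtectSystem|ProtectKernelTunables|ProtectControlGroups)=/ {
            val[$1] = $2              # a later line (drop-in) overrides an earlier one
        }
        END {
            for (k in val)
                if (val[k] != "" && val[k] !~ /^(no|false|off|0)$/)
                    print k "=" val[k]
        }' | sort
}

# Journal lines as posted at the top of this thread.
SAMPLE_JOURNAL='Aug 11 09:52:05 backuppc systemd[1]: Starting The Apache HTTP Server...
Aug 11 09:52:05 backuppc systemd[32501]: apache2.service: Failed to set up mount namespacing: Permission denied
Aug 11 09:52:05 backuppc systemd[32501]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Aug 11 09:52:05 backuppc systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE'

# Constructed unit text: a vendor unit followed by the override from this thread.
SAMPLE_UNIT='# /lib/systemd/system/example.service
[Service]
PrivateTmp=true
ProtectHome=read-only
# /etc/systemd/system/example.service.d/override.conf
[Service]
PrivateTmp=false
NoNewPrivileges=yes'

printf '%s\n' "$SAMPLE_JOURNAL" | ns_failed_units   # apache2.service
printf '%s\n' "$SAMPLE_UNIT" | ns_directives        # ProtectHome=read-only
```

Any directive the second function still prints also relies on a mount namespace, so a unit that lists one will keep failing in a container without nesting even after `PrivateTmp` is turned off, and every directive set to false is isolation the service no longer has.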
 