Centos 7 LXC Container and Bind

[matthew]

I was moving one of my DNS servers to Proxmox 4. I created a Centos 7 LXC container and installed bind on it it with "yum install bind bind-utils". Named will not start.

service named start
Redirecting to /bin/systemctl start named.service
Job for named.service failed. See 'systemctl status named.service' and 'journalctl -xn' for details.


# service named status
Redirecting to /bin/systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: failed (Result: exit-code) since Tue 2015-11-10 18:04:47 CST; 25s ago
Process: 979 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=226/NAMESPACE)


Nov 10 18:04:47 ns1.testtest123.net systemd[979]: Failed at step NAMESPACE spawning /usr/sbin/named-checkconf: Permission denied
Nov 10 18:04:47 ns1.testtest123.net systemd[1]: named.service: control process exited, code=exited status=226
Nov 10 18:04:47 ns1.testtest123.net systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Nov 10 18:04:47 ns1.testtest123.net systemd[1]: Unit named.service entered failed state.





Is this something to do with AppArmor? Few months ago I created a Centos 7 OpenVZ container on Proxmox 3 with no issues at all with DNS server running.

 

[just_insane]

This seems to be a problem with systemd. See a fix here: qiita.com/tukiyo3/items/4df2cc330a9079c4c302
tl;dr: edit this file /usr/lib/systemd/system/[service].service by

[Service]
- PrivateTmp=true
+ PrivateTmp=false
+ NoNewPrivileges=yes

# systemctl daemon-reloadsystemctl restart [service]

 

[matthew]

After making this change to container I had to reboot it to get named to start. Now it does though. Does this change affect the security of the container? Is this something that will be fixed up stream eventually or do I need to do this every time I install a Centos 7 container on Proxmox 4? I like it so so much better when things just work.

Is this the same problem they are seeing here?

http://forum.proxmox.com/threads/23962-AppArmor-denies-named-startup

Thanks!!!

 

[matthew]

I have a Centos 7 Openvz container running on Proxmox 3.x and DNS works without these changes. Is the reason for that AppArmor, LXC or what?

Thanks.

 

[TBarbette]

This is due to AppArmor which prohibits bind mounts inside LXC container (so this is the typical Proxmox 4 setup, it's normal it works with Proxmox 3) and maybe only with a CentOS guest...?

 

[matthew]

So I am assuming many services are going to encounter this? I see similar issue with httpd here.

http://forum.proxmox.com/threads/23...httpd-spawing-Permission-denied-(PVE4-beta-2)

I am guessing its an issue that services cannot have a privatetmp inside a LXC container? If they were installed on bare metal or Openvz it would not be an issue?

I see it mentioned here:

https://mrkmg.com/posts/proxmox-4-upgrade-on-ovh-simple-ip-failover-issues

Will LXC ever be updated to support PrivateTmp?

 

[flotho]

Hi folks,
I personnally have the same issue and I configured the named service inside the LXC.
I changed the PID location and user /var/run.... instead of /run.
From now the LXC service don't try to write in the "host" part anymore so no more need to set up apparmor.

 

[mailinglists]

I made a symlink between these two folders to get it working, 'cause I got tired of fixing the unit files all the time.