
Apache2: Failed to set up mount namespacing: Permission denied

I have a VPS server with Debian 10. I want to start Apache2 with the option PrivateTmp=true. But on start it fails with the error: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied

● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2020-11-27 17:17:43 CET; 5s ago
     Docs: https://httpd.apache.org/docs/2.4/
  Process: 523 ExecStart=/usr/sbin/apachectl start (code=exited, status=226/NAMESPACE)

Nov 27 17:17:43 5091-server systemd[1]: Starting The Apache HTTP Server...
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed to set up mount namespacing: Permission denied
Nov 27 17:17:43 5091-server systemd[523]: apache2.service: Failed at step NAMESPACE spawning /usr/sbin/apachectl: Permission denied
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Control process exited, code=exited, status=226/NAMESPACE
Nov 27 17:17:43 5091-server systemd[1]: apache2.service: Failed with result 'exit-code'.
Nov 27 17:17:43 5091-server systemd[1]: Failed to start The Apache HTTP Server.

I checked the permissions for tmp:

root@5091-server:~# ls -ld /tmp
drwxrwxrwt 8 root root 4096 Nov 27 17:17 /tmp
root@5091-server:~# ls -ld /var/tmp
drwxrwxrwt 2 root root 4096 Nov 27 17:17 /var/tmp

Any idea which permissions are wrong?

This can work...

sudo sed -i -e 's,PrivateTmp=true,PrivateTmp=false\nNoNewPrivileges=yes,g' /lib/systemd/system/apache2.service
sudo systemctl daemon-reload
sudo systemctl start apache2.service
sudo systemctl status apache2.service

This is related to new systemd security features (v220+?) conflicting with unprivileged LXC containers like the ones inside Proxmox.

  1. Edit apache config (the clean way):

     sudo systemctl edit apache2.service
  2. Add this to disable new systemd security features (affects LXC containers like the ones inside Proxmox)

     [Service]
     PrivateDevices=false
     PrivateTmp=false
     ProtectControlGroups=false
     ProtectKernelModules=false
     ProtectSystem=false

     Maybe only necessary:

     ProtectHome=false
     ProtectSystem=false
  3. Then

     sudo systemctl start apache2.service
     sudo systemctl status apache2.service # Just to check the output

I saw this on apache2 and memcached. Also with systemd-logind. In this last case ssh connection speed was affected. ssh -vvv was stuck on debug1: pledge: filesystem (without VPN), and debug1: pledge: network (with VPN). As mentioned here and here, the problem is solved by enabling nesting (also here) on the Proxmox containers.

Probably simply enabling the "nesting" feature for the container (if it is unprivileged) will allow systemd to make use of its namespacing features.
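As an added example (not from the question or any of the answers), a small Python audit of what the step 2 drop-in really disables on a unit like the one above: it merges the [Service] section the way systemd does (drop-ins applied after the unit, later settings win) and lists the hardening directives that flip from on to off. The unit text and the two drop-ins are constructed here to mirror the page, not copied from Debian's apache2.service.

```python
# Added example, not code from the question or answers: audit which sandboxing
# directives a systemd drop-in really turns off.  All unit text is constructed.

# Sandboxing directives named in the answer above.
HARDENING = ("PrivateTmp", "PrivateDevices", "ProtectSystem", "ProtectHome",
             "ProtectControlGroups", "ProtectKernelModules")
ENABLED = {"yes", "true", "on", "1", "full", "strict"}
DISABLED = {"no", "false", "off", "0"}

# Constructed vendor unit: as on the page, only PrivateTmp is hardened.
VENDOR_UNIT = """\
[Service]
Type=forking
ExecStart=/usr/sbin/apachectl start
PrivateTmp=true
"""
# Drop-in from step 2 of the answer, and its "maybe only necessary" variant.
ANSWER_DROPIN = "[Service]\nPrivateDevices=false\nPrivateTmp=false\n" \
    "ProtectControlGroups=false\nProtectKernelModules=false\nProtectSystem=false\n"
MINIMAL_DROPIN = "[Service]\nProtectHome=false\nProtectSystem=false\n"

def parse_service_section(text: str) -> dict:
    """Key=value pairs of [Service]; a repeated key keeps its last value."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[key] = value
    return out

def effective_service(unit: str, dropins: list) -> dict:
    """systemd layers drop-ins over the unit in order; later settings win."""
    merged = parse_service_section(unit)
    for dropin in dropins:
        merged.update(parse_service_section(dropin))
    return merged

def weakened_hardening(unit: str, dropins: list) -> list:
    """Directives the drop-ins flip from enabled to disabled on this unit."""
    vendor, merged = parse_service_section(unit), effective_service(unit, dropins)
    return [key for key in HARDENING
            if vendor.get(key, "no").lower() in ENABLED
            and merged.get(key, "no").lower() in DISABLED]
```

On a unit whose only hardening is PrivateTmp=true, the five-line drop-in weakens exactly that one directive, while the ProtectHome/ProtectSystem variant weakens nothing and leaves PrivateTmp=true in effect, so the NAMESPACE failure would persist with it.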

