[php-maint] Bug#869182: php-common: Trouble running phpsessionclean.service on a LXC Container...
Chris
fisch.666 at gmx.de
Sun Feb 18 19:14:11 UTC 2018
Hi,
I noticed the same today with unprivileged LXC Debian Stretch containers
running PHP. As a reference, a possible workaround could be the following:
--------------------------
A temporary fix is:
systemctl disable phpsessionclean.timer
systemctl stop phpsessionclean.timer
Then fix the cron for operation without systemd in: /etc/cron.d/php
##09,39 * * * * root [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi
09,39 * * * * root [ -x /usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean
--------------------------
Credit goes to a user from the Proxmox forums here:
https://forum.proxmox.com/threads/app-armor-issues.37746/#post-198073
On Fri, 21 Jul 2017 11:56:12 +0200 Marco Gaiarin <gaio at sv.lnf.it> wrote:
> Package: php-common
> Version: 1:49
> Severity: normal
>
>
> I've set up an LXC stretch container in a Proxmox virtualization cluster, and
> after installing apache/PHP I've started to have rows in the logs of the container
> like:
>
> Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Failed to reset devices.list: Operation not permitted
> Jul 21 10:09:14 vglpi systemd[24929]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
> Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Main process exited, code=exited, status=225/NETWORK
> Jul 21 10:09:14 vglpi systemd[1]: Failed to start Clean php session files.
> Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Unit entered failed state.
> Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Failed with result 'exit-code'.
> Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Failed to reset devices.list: Operation not permitted
> Jul 21 10:39:14 vglpi systemd[24948]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
> Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Main process exited, code=exited, status=225/NETWORK
> Jul 21 10:39:14 vglpi systemd[1]: Failed to start Clean php session files.
> Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Unit entered failed state.
> Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Failed with result 'exit-code'.
>
> and, at the same time, on the host that runs the container:
>
> Jul 21 10:09:14 tessier kernel: [22515856.189072] audit: type=1400 audit(1500624554.627:384): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> Jul 21 10:09:14 tessier kernel: [22515856.189077] audit: type=1400 audit(1500624554.627:385): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> Jul 21 10:09:14 tessier kernel: [22515856.189082] audit: type=1400 audit(1500624554.627:386): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> Jul 21 10:09:14 tessier kernel: [22515856.189085] audit: type=1400 audit(1500624554.627:387): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> Jul 21 10:39:14 tessier kernel: [22517656.161803] audit: type=1400 audit(1500626354.625:388): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> Jul 21 10:39:14 tessier kernel: [22517656.161808] audit: type=1400 audit(1500626354.625:389): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> Jul 21 10:39:14 tessier kernel: [22517656.161812] audit: type=1400 audit(1500626354.625:390): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> Jul 21 10:39:14 tessier kernel: [22517656.161815] audit: type=1400 audit(1500626354.625:391): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>
> I've tried to run the script by hand, as root, and no error appears
> (on container and on host).
>
> For now, I've disabled the service:
>
> root@vglpi:~# systemctl disable phpsessionclean
>
>
> Thanks.
>
> -- System Information:
> Debian Release: 9.0
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.4.21-1-pve (SMP w/2 CPU cores)
> Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages php-common depends on:
> ii init-system-helpers 1.48
> ii psmisc 22.21-2.1+b2
> ii sed 4.4-1
>
> php-common recommends no packages.
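
The correlation the report makes by eye, between the container's systemd spawn failures and the host's AppArmor denials, as an added Python example that is not part of the original thread. The sample lines are copied from the report above; matching on the syslog timestamp assumes host and container share a clock, and the function names are hypothetical.

```python
import re
from collections import Counter

# Lines copied from the bug report quoted above: host kernel log (audit records) ...
HOST_LOG = '''\
Jul 21 10:09:14 tessier kernel: [22515856.189072] audit: type=1400 audit(1500624554.627:384): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 21 10:09:14 tessier kernel: [22515856.189077] audit: type=1400 audit(1500624554.627:385): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
Jul 21 10:39:14 tessier kernel: [22517656.161803] audit: type=1400 audit(1500626354.625:388): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
'''
# ... and the container journal (systemd unit failures).
CONTAINER_LOG = '''\
Jul 21 10:09:14 vglpi systemd[24929]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
Jul 21 10:39:14 vglpi systemd[24948]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
'''

AUDIT_RE = re.compile(r'audit\(\d+\.\d+:(\d+)\):')           # audit(epoch.msec:serial):
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')              # key="quoted" or key=bare
FAIL_RE = re.compile(r'systemd\[\d+\]: (\S+\.service): Failed at step (\w+) spawning (\S+): (.+)$')

def parse_denials(text):
    """Return one dict of key=value fields per AppArmor DENIED audit record."""
    denials = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(line[m.end():])}
        if fields.get("apparmor") == "DENIED":
            fields.update(stamp=line[:15], serial=int(m.group(1)))
            denials.append(fields)
    return denials

def correlate(host_text, container_text):
    """Pair each failed unit start with the host-side denials logged in the same second."""
    by_stamp = Counter(d["stamp"] for d in parse_denials(host_text))
    rows = []
    for line in container_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            unit, step, path, _reason = m.groups()
            rows.append((line[:15], unit, step, path, by_stamp[line[:15]]))
    return rows

if __name__ == "__main__":
    for row in correlate(HOST_LOG, CONTAINER_LOG):
        print(row)
    print(Counter((d["profile"], d["operation"], d["comm"]) for d in parse_denials(HOST_LOG)))
```
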