[php-maint] Bug#869182: php-common: Trouble running phpsessionclean.service on a LXC Container...

Chris fisch.666 at gmx.de
Sun Feb 18 19:14:11 UTC 2018 

Hi,

noticed the same today with unprivileged LXC Debian Stretch containers
running PHP. As a reference a possible workaround could be the following:

--------------------------
A temporary fix is:

systemctl disable phpsessionclean.timer
systemctl stop phpsessionclean.timer

Then fix the cron for operation without systemd in: /etc/cron.d/php

##09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && if [
! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi
09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] &&
/usr/lib/php/sessionclean
--------------------------

Credits goes to a user from the proxmox forums here:
https://forum.proxmox.com/threads/app-armor-issues.37746/#post-198073

On Fri, 21 Jul 2017 11:56:12 +0200 Marco Gaiarin <gaio at sv.lnf.it> wrote:
> Package: php-common
> Version: 1:49
> Severity: normal
> 
> 
> I've setup a LXC stretch container in a Proxmox virtualization cluster, and
> after installing apache/PHP i've start to have in logs of the container rows
> like:
> 
>  Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Failed to reset devices.list: Operation not permitted
>  Jul 21 10:09:14 vglpi systemd[24929]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
>  Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Main process exited, code=exited, status=225/NETWORK
>  Jul 21 10:09:14 vglpi systemd[1]: Failed to start Clean php session files.
>  Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Unit entered failed state.
>  Jul 21 10:09:14 vglpi systemd[1]: phpsessionclean.service: Failed with result 'exit-code'.
>  Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Failed to reset devices.list: Operation not permitted
>  Jul 21 10:39:14 vglpi systemd[24948]: phpsessionclean.service: Failed at step NETWORK spawning /usr/lib/php/sessionclean: Permission denied
>  Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Main process exited, code=exited, status=225/NETWORK
>  Jul 21 10:39:14 vglpi systemd[1]: Failed to start Clean php session files.
>  Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Unit entered failed state.
>  Jul 21 10:39:14 vglpi systemd[1]: phpsessionclean.service: Failed with result 'exit-code'.
> 
> and, on the same time, on the host that run the container:
> 
>  Jul 21 10:09:14 tessier kernel: [22515856.189072] audit: type=1400 audit(1500624554.627:384): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:09:14 tessier kernel: [22515856.189077] audit: type=1400 audit(1500624554.627:385): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:09:14 tessier kernel: [22515856.189082] audit: type=1400 audit(1500624554.627:386): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:09:14 tessier kernel: [22515856.189085] audit: type=1400 audit(1500624554.627:387): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=20780 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:39:14 tessier kernel: [22517656.161803] audit: type=1400 audit(1500626354.625:388): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:39:14 tessier kernel: [22517656.161808] audit: type=1400 audit(1500626354.625:389): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:39:14 tessier kernel: [22517656.161812] audit: type=1400 audit(1500626354.625:390): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
>  Jul 21 10:39:14 tessier kernel: [22517656.161815] audit: type=1400 audit(1500626354.625:391): apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=23425 comm="(ionclean)" family="unix" sock_type="dgram" protocol=0 addr=none
> 
> I've tried to run the script by hand, as root, and no error appears
> (on container and on host).
> 
> For now, i've disabled the service:
> 
> 	root at vglpi:~# systemctl disable phpsessionclean
> 
> 
> Thanks.
> 
> -- System Information:
> Debian Release: 9.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.4.21-1-pve (SMP w/2 CPU cores)
> Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages php-common depends on:
> ii  init-system-helpers  1.48
> ii  psmisc               22.21-2.1+b2
> ii  sed                  4.4-1
> 
> php-common recommends no packages.

More information about the pkg-php-maint mailing list