Am 27.05.2017 um 20:13 schrieb Chris Lamb:
Can you elaborate more on exactly what this kernel is? eg. what version,
what makes Virtuozzo special here, etc. etc. Trying to work out the
scope of the problem.
Unfortunately, this is a provider kernel. I don't know anything about
its patches or configuration. I don't even have /dev/kmsg or any kernel
related file inside the container.
The full version string is: 3.2.41-042stab120.5 #1 SMP Tue Oct 25
22:31:12 MSK 2016 x86_64 GNU/Linux, but I don't think that tells us more
than that it is ancient and probably heavily patched.
I'm at a loss how to debug the namespace setup:
Strace on PID 1 does not work, most likely due to some hardening (or it
being already traced from the outside):
# strace -p 1
strace: attach: ptrace(PTRACE_ATTACH, 1): Operation not permitted
strace in the unit file is already too late.
Arguably, the best solution - at least for myself - would be, to get rid
of this container.
Nevertheless, the fix to redis-server.service seems straightforward,
even if it is just a workaround for a deeper issue.
Can you comment on whether switching it to /run will work on all systems?
I wouldn't want to push this into Stretch without being very confident.
It seems unit files currently pick /run vs. /var/run at will. Systemd's
own units always use /run, as does LVM, Syslog or ALSA. Samba, CUPS and
DBUs use /var/run.
/run should always work, according to
https://wiki.debian.org/ReleaseGoals/RunDirectory#How_to_transition_from_.2Fvar.2Frun_to_.2Frun_and_.2Fvar.2Flock_to_.2Frun.2Flock.3F
Some additional things I discovered:
1. With the patched unit file there is a follow-up graceful failure:
redis-server.service: SECCOMP features not detected in the kernel,
skipping PrivateDevices=
2. Trying redis-server from Stretch on Wheezy's kernel 3.2.88-1 results
in a failure with "status=227/NO_NEW_PRIVILEGES". This can be worked
around by setting |PrivateDevices=no.
I assume this kernel - unlike the hosted one - knows seccomp, but lacks
"no_new_privs", and that this combination causes a non-graceful failure.
|3. Another unit, mphpsessionclean.service, also has namespace issues:
mphpsessionclean.service: Failed at step NAMESPACE spawning
/usr/lib/php/sessionclean: Value too large for defined data type
