Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-24 Thread intrigeri
Control: reassign -1 lxc
Control: severity -1 important

Hi,

Pirate Praveen:
> In dmesg inside container (same error on the host as well), so it seems 
> apparmor is blocking it.

> [14760.307180] audit: type=1400 audit(1549992481.311:156): 
> apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
> profile="lxc-container-default-cgns" name="/" pid=20531 
> comm="(s-server)" flags="rw, rslave"

The lxc-container-default-cgns profile is shipped by the lxc
package ⇒ reassigning.

This looks very much like LXC bug #916639 so please retry with:
lxc 1:3.1.0+really3.0.3-3 or newer?

If that's not sufficient, you might need to set these options for
your container:

   lxc.apparmor.profile = generated
   lxc.apparmor.allow_nesting = 1

(On sid, these settings are in /etc/lxc/default.conf already but I'm
not familiar with LXC and I don't know if they'll apply to
pre-existing containers.)

Thanks in advance!

Also, I'm setting severity to non-RC as it would be unfortunate to
block the migration to testing of… the very version that likely fixes
this bug. Once it's clarified that this is #916639, I'll fix
the metadata.

Cheers,
-- 
intrigeri
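
To check for the same denial on another host, the audit records can be grouped by profile, operation and mount flags. This is an added example, not part of the original message; the sample input is copied from the dmesg lines posted in this thread, and the function names are the example's own.

```python
import re
from collections import defaultdict

RECORD_START = re.compile(r"\[\s*\d+\.\d+\]")
AUDIT = re.compile(r"audit: type=1400 audit\((\d+\.\d+):(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def join_wrapped(text):
    """Rebuild one record per kernel timestamp from mail-wrapped dmesg text."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()    # drop quote markers and padding
        if RECORD_START.match(line):
            if current:
                records.append(current)
            current = line
        elif line and current is not None:
            current += " " + line           # continuation of a wrapped record
        elif current is not None:           # a blank line closes the record
            records.append(current)
            current = None
    if current:
        records.append(current)
    return records


def parse_denials(text):
    """Return one dict per AppArmor DENIED record (audit type 1400)."""
    denials = []
    for record in join_wrapped(text):
        m = AUDIT.search(record)
        if not m:
            continue
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(m.group(3))}
        if fields.get("apparmor") != "DENIED":
            continue
        fields["serial"] = int(m.group(2))
        fields["flags"] = [f.strip() for f in fields.get("flags", "").split(",") if f.strip()]
        denials.append(fields)
    return denials


def is_propagation_remount_of_root(denial):
    """True for the denial behind systemd's "Failed to remount '/' as SLAVE"."""
    return (denial.get("operation") == "mount"
            and denial.get("name") == "/"
            and "rslave" in denial["flags"])


def summarise(denials):
    """Group denials by (profile, operation, target, flags) and collect PIDs."""
    groups = defaultdict(list)
    for d in denials:
        key = (d.get("profile"), d.get("operation"), d.get("name"), tuple(d["flags"]))
        groups[key].append(int(d["pid"]))
    return dict(groups)


# Sample input: three of the records posted in this thread, wrapped as they
# appear there (the first one in its ">"-quoted form).
SAMPLE = '''\
> [14760.307180] audit: type=1400 audit(1549992481.311:156):
> apparmor="DENIED" operation="mount" info="failed flags match" error=-13
> profile="lxc-container-default-cgns" name="/" pid=20531
> comm="(s-server)" flags="rw, rslave"

[14760.573458] audit: type=1400 audit(1549992481.579:157):
apparmor="DENIED" operation="mount" info="failed flags match" error=-13
profile="lxc-container-default-cgns" name="/" pid=20532
comm="(s-server)" flags="rw, rslave"
[14760.823723] audit: type=1400 audit(1549992481.827:158):
apparmor="DENIED" operation="mount" info="failed flags match" error=-13
profile="lxc-container-default-cgns" name="/" pid=20533
comm="(s-server)" flags="rw, rslave"
'''

if __name__ == "__main__":
    for (profile, op, target, flags), pids in summarise(parse_denials(SAMPLE)).items():
        print(f"{profile}: {op} on {target} flags={','.join(flags)} denied for pids {pids}")
```
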



Processed: Re: Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-24 Thread Debian Bug Tracking System
Processing control commands:

> reassign -1 lxc
Bug #921176 [apparmor] redis-server inside lxc is failing to start when 
apparmor is enabled - apparmor="DENIED" operation="mount" info="failed flags 
match" error=-13 profile="lxc-container-default-cgns" name="/" pid=6706 
comm="(s-server)" flags="rw, rslave"
Bug reassigned from package 'apparmor' to 'lxc'.
Ignoring request to alter found versions of bug #921176 to the same values 
previously set
Ignoring request to alter fixed versions of bug #921176 to the same values 
previously set
> severity -1 important
Bug #921176 [lxc] redis-server inside lxc is failing to start when apparmor is 
enabled - apparmor="DENIED" operation="mount" info="failed flags match" 
error=-13 profile="lxc-container-default-cgns" name="/" pid=6706 
comm="(s-server)" flags="rw, rslave"
Severity set to 'important' from 'serious'

-- 
921176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921176
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-13 Thread Chris Lamb
Hi Pirate,

> > Great stuff. What's the next step here? Clearly this should Just
> > Work but I'm not sure where the bug is right now. I suggest the
> > next part of this process is that you re-enable apparmor with
> > logging.
> 
> Should we not involve apparmor maintainers? Reassign to apparmor and 
> add affects redis-server?

Go ahead, although without (or until you have..) that debugging
info I might also tag it as "moreinfo" when you reassign...


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-13 Thread Pirate Praveen




On Wed, Feb 13, 2019 at 2:16 PM, Chris Lamb wrote:
> Hi Pirate,
>
> > > (ie. I don't think you can rule out apparmor either just yet.)
> >
> > yes, culprit is apparmor only. After aa-teardown, I can start redis
> > service.
>
> Great stuff. What's the next step here? Clearly this should Just
> Work but I'm not sure where the bug is right now. I suggest the
> next part of this process is that you re-enable apparmor with
> logging.

Should we not involve apparmor maintainers? Reassign to apparmor and 
add affects redis-server?




Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-13 Thread Chris Lamb
Hi Pirate,

> > (ie. I don't think you can rule out apparmor either just yet.)
> 
> yes, culprit is apparmor only. After aa-teardown, I can start redis 
> service.

Great stuff. What's the next step here? Clearly this should Just
Work but I'm not sure where the bug is right now. I suggest the
next part of this process is that you re-enable apparmor with
logging. 


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-13 Thread Pirate Praveen




On Tue, Feb 12, 2019 at 11:17 PM, Chris Lamb wrote:
> Hi Pirate,
>
> > Initially I tried editing /lib/systemd/system/redis-server.service and
> > later I edited /lib/systemd/system/redis-server\@.service as well
> > (edited both these files)
> >
> > >  b) Exactly how you are editing the shipped .service file.
> >
> > I tried adding changing true to false initially, then adding # in front
> > of the options
>
> Ah, so you are not using:
>
>    systemctl edit --full
>
> You are likely not actually testing the service file you believe
> you are, leading to a misleading report. You might need a "systemctl
> daemon-reload" too.

I did daemon-reload, systemctl does not allow to start redis without 
daemon-reload if service file changed on disk.

> > apparmor was at 2.11.1-4, updating it to 2.13.2-7 fixed the above
> > error, but redis still can't be started like before (same error
> > message) even after stopping apparmor on the host.
>
> Don't you mean disabled with aa-disable or something? I'm not 100%
> certain but simply stopping the service may not be enough. A reboot
> with the service disabled, etc. might be what is needed (perhaps
> consult the Debian Wiki on this?)
>
> (ie. I don't think you can rule out apparmor either just yet.)

yes, culprit is apparmor only. After aa-teardown, I can start redis 
service.


pravi@nishumbha:~$ sudo aa-teardown
Unloading AppArmor profiles
pravi@nishumbha:~$ sudo ss-status
sudo: ss-status: command not found
pravi@nishumbha:~$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-12 Thread Chris Lamb
Hi Pirate,

> Initially I tried editing /lib/systemd/system/redis-server.service and 
> later I edited /lib/systemd/system/redis-server\@.service as well 
> (edited both these files)
> 
> >  b) Exactly how you are editing the shipped .service file.
> 
> I tried adding changing true to false initially, then adding # in front 
> of the options

Ah, so you are not using:

   systemctl edit --full 

You are likely not actually testing the service file you believe
you are, leading to a misleading report. You might need a "systemctl
daemon-reload" too.

> apparmor was at 2.11.1-4, updating it to 2.13.2-7 fixed the above 
> error, but redis still can't be started like before (same error 
> message) even after stopping apparmor on the host.
  

Don't you mean disabled with aa-disable or something? I'm not 100%
certain but simply stopping the service may not be enough. A reboot
with the service disabled, etc. might be what is needed (perhaps
consult the Debian Wiki on this?)

(ie. I don't think you can rule out apparmor either just yet.)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-12 Thread Pirate Praveen




On Tue, Feb 12, 2019 at 9:44 PM, Chris Lamb wrote:
> Hi Pirate,
>
> > https://wiki.debian.org/Packaging/Pre-Requisites#LXC has networking
> > setup instructions.
>
> Still no dice and I don't really have the bandwidth to learn
> another container technology. :(

Maybe ask lxc team for help?

> > I tried removing all hardening features and it still won't start
>
> Please provide:
>
>  a) The *exact* .service file you are trying.

Initially I tried editing /lib/systemd/system/redis-server.service and 
later I edited /lib/systemd/system/redis-server\@.service as well 
(edited both these files)

>  b) Exactly how you are editing the shipped .service file.

I tried adding changing true to false initially, then adding # in front 
of the options

So current snapshot looks like this,
root@redis:~# cat /lib/systemd/system/redis-server.service
[Unit]
Description=Advanced key-value store
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
ExecStop=/bin/kill -s TERM $MAINPID
PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
#RuntimeDirectory=redis
#RuntimeDirectoryMode=2755

#UMask=007
#PrivateTmp=yes
#LimitNOFILE=65535
#PrivateDevices=yes
#ProtectHome=yes
#ReadOnlyDirectories=/
#ReadWriteDirectories=-/var/lib/redis
#ReadWriteDirectories=-/var/log/redis
#ReadWriteDirectories=-/var/run/redis

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectControlGroups=true
#RestrictRealtime=true
#RestrictNamespaces=true
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you replace the following lines with "ProtectSystem=full".

#ProtectSystem=true
#ReadWriteDirectories=-/etc/redis

[Install]
WantedBy=multi-user.target
Alias=redis.service


>  c) uname -a

root@redis:~# uname -a
Linux redis 4.15.0-2-amd64 #1 SMP Debian 4.15.11-1 (2018-03-20) x86_64 GNU/Linux
root@redis:~#

This is reproduced on a second machine. On first machine, I tried with 
two kernels, one older and then 4.19.



>  d) aa-status
>
> Anything in the global kernel log or dmesg...?


In dmesg inside container (same error on the host as well), so it seems 
apparmor is blocking it.


[14760.307180] audit: type=1400 audit(1549992481.311:156): 
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
profile="lxc-container-default-cgns" name="/" pid=20531 
comm="(s-server)" flags="rw, rslave"
[14760.573458] audit: type=1400 audit(1549992481.579:157): 
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
profile="lxc-container-default-cgns" name="/" pid=20532 
comm="(s-server)" flags="rw, rslave"
[14760.823723] audit: type=1400 audit(1549992481.827:158): 
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
profile="lxc-container-default-cgns" name="/" pid=20533 
comm="(s-server)" flags="rw, rslave"
[14761.073770] audit: type=1400 audit(1549992482.079:159): 
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
profile="lxc-container-default-cgns" name="/" pid=20534 
comm="(s-server)" flags="rw, rslave"
[14761.323944] audit: type=1400 audit(1549992482.327:160): 
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 
profile="lxc-container-default-cgns" name="/" pid=20536 
comm="(s-server)" flags="rw, rslave"



Though systemctl status apparmor on host showed it failed,

Feb 12 18:23:25 nishumbha systemd[1]: Starting AppArmor 
initialization...
Feb 12 18:23:30 nishumbha apparmor[600]: Starting AppArmor 
profiles:AppArmor parser error for 
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin in 
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin at line 89: 
Could not open 'abstractions/dri-enumerate'
Feb 12 18:23:30 nishumbha apparmor[600]: AppArmor parser error for 
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin in 
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin at line 89: 
Could not open 'abstractions/dri-enumerate'

Feb 12 18:23:30 nishumbha apparmor[600]:  failed!
Feb 12 18:23:30 nishumbha systemd[1]: apparmor.service: Main process 
exited, code=exited, status=123/n/a


apparmor was at 2.11.1-4, updating it to 2.13.2-7 fixed the above 
error, but redis still can't be started like before (same error 
message) even after stopping apparmor on the host.


pravi@nishumbha:~$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
  Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; 
vendor preset:
  Active: inactive (dead) since Tue 2019-02-12 23:06:50 IST; 3min 56s 
ago

Docs: man:apparmor(7)
  https://gitlab.com/apparmor/apparmor/wikis/home/
 Process: 10021 ExecStop=/bin/true 

Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-12 Thread Chris Lamb
Hi Pirate,

> https://wiki.debian.org/Packaging/Pre-Requisites#LXC has networking 
> setup instructions.

Still no dice and I don't really have the bandwidth to learn
another container technology. :(

>  I tried removing all hardening features and it still won't start

Please provide:

 a) The *exact* .service file you are trying.

 b) Exactly how you are editing the shipped .service file.

 c) uname -a

 d) aa-status

Anything in the global kernel log or dmesg...?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-12 Thread Pirate Praveen



On Tue, Feb 12, 2019 at 6:09 PM, Chris Lamb wrote:
> Hi Pirate,
>
> > > (However, I am not sure why I do not have working networking inside
> > > my container so I cannot debug it better on my end.)
> >
> > But loopback is enough for redis-server, right?
>
> Yes, but I can't even install without network. :)

https://wiki.debian.org/Packaging/Pre-Requisites#LXC has networking 
setup instructions.

> > I tried removing all hardening features and it still won't start. I
> > tried to start manually by running redis-server /etc/redis/redis.conf
> > as root and that worked.
>
> Can you try with the redis user?

That also works.

root@redis:~# su redis -s /bin/sh -c 'redis-server /etc/redis/redis.conf'
root@redis:~# ps ax |grep redis
 1073 ?        Ssl    0:00 redis-server 127.0.0.1:6379
 1078 pts/2    S+     0:00 grep redis
root@redis:~# redis-cli
127.0.0.1:6379> help
redis-cli 5.0.3
To get help about Redis commands type:
 "help @" to get a list of commands in 
 "help " for help on 
 "help " to get a list of possible help topics
 "quit" to exit

To set redis-cli preferences:
 ":set hints" enable online hints
 ":set nohints" disable online hints
Set your preferences in ~/.redisclirc
127.0.0.1:6379>


> > > Also, perhaps enable some deeper logging? Or check the actual
> > > redis-server.log file too?
> >
> > There is nothing in /var/log/redis. I think it's failing even before
> > redis-server gets a chance to log.
>
> Can you enable more systemd logging? If it's failing there, surely
> we can get more info than just "failed"?

It was always the same error I mentioned in first mail. Anyway with 
LogLevel=debug set in systemd conf, I got a more verbose log, which is 
attached.



-- A start job for unit redis-server.service has finished with a failure.
-- 
-- The job identifier is 822 and the job result is failed.
Feb 12 15:22:36 redis systemd[1]: redis-server.service: Changed dead -> failed
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Trying to enqueue job redis-server.service/start/replace
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Installed new job redis-server.service/start as 862
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Enqueued job redis-server.service/start as 862
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Passing 0 fds to service
Feb 12 15:22:41 redis systemd[1]: redis-server.service: About to execute: /usr/bin/redis-server /etc/redis/redis.conf
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Forked /usr/bin/redis-server as 1047
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Changed failed -> start
Feb 12 15:22:41 redis systemd[1]: Starting Advanced key-value store...
-- Subject: A start job for unit redis-server.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- A start job for unit redis-server.service has begun execution.
-- 
-- The job identifier is 862.
Feb 12 15:22:41 redis systemd[1]: redis-server.service: User lookup succeeded: uid=105 gid=107
Feb 12 15:22:41 redis systemd[1047]: /run/systemd/unit-root/dev is duplicate.
Feb 12 15:22:41 redis systemd[1047]: /run/systemd/unit-root/bin is redundant by /run/systemd/unit-root/
Feb 12 15:22:41 redis systemd[1047]: /run/systemd/unit-root/boot is redundant by /run/systemd/unit-root/
Feb 12 15:22:41 redis systemd[1047]: /run/systemd/unit-root/efi is redundant by /run/systemd/unit-root/
Feb 12 15:22:41 redis systemd[1047]: /run/systemd/unit-root/lib is redundant by /run/systemd/unit-root/
Feb 12 15:22:41 redis systemd[1047]: /run/systemd/unit-root/lib64 is redundant by /run/systemd/unit-root/
Feb 12 15:22:41 redis systemd[1047]: /run/systemd/unit-root/sbin is redundant by /run/systemd/unit-root/
Feb 12 15:22:41 redis systemd[1047]: /run/systemd/unit-root/usr is redundant by /run/systemd/unit-root/
Feb 12 15:22:41 redis systemd[1047]: Failed to remount '/' as SLAVE: Permission denied
Feb 12 15:22:41 redis systemd[1047]: redis-server.service: Failed to set up mount namespacing: Permission denied
Feb 12 15:22:41 redis systemd[1047]: redis-server.service: Failed at step NAMESPACE spawning /usr/bin/redis-server: Permission denied
-- Subject: Process /usr/bin/redis-server could not be executed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- The process /usr/bin/redis-server could not be executed and failed.
-- 
-- The error number returned by this process is ERRNO.
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Child 1047 belongs to redis-server.service.
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Control process exited, code=exited, status=226/NAMESPACE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- An ExecStart= process belonging to unit redis-server.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 226.
Feb 12 15:22:41 redis systemd[1]: redis-server.service: Got final SIGCHLD for state start.
Feb 12 15:22:41 redis 

Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-12 Thread Chris Lamb
Hi Pirate,

> > (However, I am not sure why I do not have working networking inside
> > my container so I cannot debug it better on my end.)
> 
> But loopback is enough for redis-server, right?

Yes, but I can't even install without network. :)

> I tried removing all hardening features and it still won't start. I 
> tried to start manually by running redis-server /etc/redis/redis.conf 
> as root and that worked.

Can you try with the redis user?
 
> > Also, perhaps enable some deeper logging? Or check the actual
> > redis-server.log file too?
> 
> There is nothing in /var/log/redis. I think its failing even before 
> redis-server gets a chance to log.

Can you enable more systemd logging? If it's failing there, surely
we can get more info than just "failed"?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-12 Thread Pirate Praveen




On Tue, Feb 5, 2019 at 11:14 PM, Chris Lamb wrote:
> severity 921176 serious
> thanks
>
> Hi Pirate,
>
> [Dropping severity as it only affects LXC right now]
>
> > It is working on the same host machine with stretch(-backports)
> > container (5:5.0.3-3~bpo9+2). So host machine seems fine.
>
> Thanks for looking into this and providing some LXC basics.
> (However, I am not sure why I do not have working networking inside
> my container so I cannot debug it better on my end.)

But loopback is enough for redis-server, right?

> On the other hand, the first thing I would do if this was working
> would be to try removing more hardening features as previously
> discussed on this bug number until it (likely) worked. Could you
> try this please?

I tried removing all hardening features and it still won't start. I 
tried to start manually by running redis-server /etc/redis/redis.conf 
as root and that worked.

> Also, perhaps enable some deeper logging? Or check the actual
> redis-server.log file too?

There is nothing in /var/log/redis. I think it's failing even before 
redis-server gets a chance to log.

I found this https://github.com/systemd/systemd/issues/10032 and tried 
updating systemd on host to 240-5 (from 238-5) and also updating 
apparmor and disabling apparmor. But none of it worked.






Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-11 Thread Chris Lamb
Hi,

> On the other hand, the first thing I would do if this was working
> would be to try removing more hardening features as previously
> discussed on this bug number until it (likely) worked. Could you
> try this please?
> 
> Also, perhaps enable some deeper logging? Or check the actual
> redis-server.log file too?

Any update on this?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-05 Thread Chris Lamb
severity 921176 serious
thanks

Hi Pirate,

[Dropping severity as it only affects LXC right now]

> It is working on the same host machine with stretch(-backports)
> container (5:5.0.3-3~bpo9+2). So host machine seems fine.

Thanks for looking into this and providing some LXC basics.
(However, I am not sure why I do not have working networking inside
my container so I cannot debug it better on my end.)

On the other hand, the first thing I would do if this was working
would be to try removing more hardening features as previously
discussed on this bug number until it (likely) worked. Could you
try this please?

Also, perhaps enable some deeper logging? Or check the actual
redis-server.log file too?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-05 Thread Pirate Praveen
On Mon, 04 Feb 2019 15:30:20 +0500 Pirate Praveen
 wrote:
> 
> 
> On Mon, Feb 4, 2019 at 1:26 PM, Pirate Praveen wrote:
> > 
> > 
> > On 2019, February 4 1:20:11 PM IST, Chris Lamb wrote:
> >> Hi,
> >> 
> >>>  redis-server service is failing to start in buster lxc container
> >> 
> >> Any update on this? :)
> > 
> > I'm traveling. hopefully tonight or tomorrow night I can try.
> > 
> > Adding Raju, and Abhijith, who may be able to try this before.
> 
> I found some time to test. With the changes you suggested, the error 
> message is gone, but it still fails to start. I tried updating kernel 
> from 4.16 to 4.19 and lxc version from 2.x to 3.x. I also tried to 
> create a fresh buster chroot, but in all cases it failed. Though 
> Abhijith was not able to reproduce it in another machine.

It is working on the same host machine with stretch(-backports)
container (5:5.0.3-3~bpo9+2). So host machine seems fine.

Just the lxc basics, if you want to try.
lxc-create -n buster -t debian -- -r buster will create the container
lxc-start -n buster will start and
lxc-attach -n buster will give you a root shell





Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-04 Thread Pirate Praveen




On Mon, Feb 4, 2019 at 1:26 PM, Pirate Praveen wrote:
> On 2019, February 4 1:20:11 PM IST, Chris Lamb wrote:
> > Hi,
> >
> > > redis-server service is failing to start in buster lxc container
> >
> > Any update on this? :)
>
> I'm traveling. hopefully tonight or tomorrow night I can try.
>
> Adding Raju, and Abhijith, who may be able to try this before.

I found some time to test. With the changes you suggested, the error 
message is gone, but it still fails to start. I tried updating kernel 
from 4.16 to 4.19 and lxc version from 2.x to 3.x. I also tried to 
create a fresh buster chroot, but in all cases it failed. Though 
Abhijith was not able to reproduce it in another machine.




Regards,


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.




Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-04 Thread Pirate Praveen



On 2019, February 4 1:20:11 PM IST, Chris Lamb wrote:
>Hi,
>
>> redis-server service is failing to start in buster lxc container
>
>Any update on this? :)

I'm traveling. hopefully tonight or tomorrow night I can try.

Adding Raju, and Abhijith, who may be able to try this before.
>
>Regards,

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-03 Thread Chris Lamb
Hi,

> redis-server service is failing to start in buster lxc container

Any update on this? :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Processed: Re: Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-02 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 921176 + moreinfo
Bug #921176 [redis-server] redis-server service is failing to start in buster 
lxc container
Added tag(s) moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
921176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921176
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-02 Thread Chris Lamb
tags 921176 + moreinfo
thanks

Hi Pirate,

> journalctl -xe shows this error. This used to work before. It is clean 
> lxc install on a sid host.

I just tried to quickly reproduce this but my lxc-foo is lacking… :(

However, I suspect that we are using too aggressive a set of
security hardening features, including perhaps:

  ProtectKernelTunables=Yes

Can you try starting redis-server with this flag disabled?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-
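
Which hardening directives matter here can be checked mechanically: any of the sandboxing options below makes systemd build a private mount namespace for the service, which is the NAMESPACE step that fails in the journal. This is an added example, not part of the original message or of the redis package; the directive lists are taken from systemd.exec(5) and are not exhaustive, and the sample is an abridged copy of the unit-file snapshot posted in this thread.

```python
"""List the [Service] directives of a systemd unit that require a private
mount namespace (example code; the directive lists are not exhaustive)."""

# Switches: active for any value other than an explicit "off".
SWITCHES = {
    "PrivateTmp", "PrivateDevices", "PrivateMounts", "ProtectSystem",
    "ProtectHome", "ProtectKernelTunables", "ProtectKernelModules",
    "ProtectControlGroups",
}
# Path lists: active as soon as at least one path is listed.
PATH_LISTS = {
    "ReadOnlyDirectories", "ReadWriteDirectories", "InaccessibleDirectories",
    "ReadOnlyPaths", "ReadWritePaths", "InaccessiblePaths",
    "BindPaths", "BindReadOnlyPaths", "TemporaryFileSystem",
}
OFF = {"", "no", "false", "off", "0"}


def namespace_directives(unit_text):
    """Return {directive: [values]} for the active namespace-requiring settings."""
    section = None
    active = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in SWITCHES:
            if value.lower() in OFF:
                active.pop(key, None)          # a later "no" overrides "yes"
            else:
                active[key] = [value]
        elif key in PATH_LISTS:
            if value == "":
                active.pop(key, None)          # empty assignment resets the list
            else:
                active.setdefault(key, []).extend(value.split())
    return active


# Abridged copy of the snapshot posted in this thread: most hardening lines
# are commented out, ProtectKernelModules=true is not.
SNAPSHOT = """\
[Unit]
Description=Advanced key-value store

[Service]
Type=forking
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
User=redis
Group=redis
#PrivateTmp=yes
#PrivateDevices=yes
#ProtectHome=yes
#ReadOnlyDirectories=/
#ReadWriteDirectories=-/var/lib/redis
NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
#ProtectKernelTunables=true
#ProtectControlGroups=true
#ProtectSystem=true
#ReadWriteDirectories=-/etc/redis
"""

if __name__ == "__main__":
    for directive, values in namespace_directives(SNAPSHOT).items():
        print(f"{directive}={' '.join(values)} still requires a mount namespace")
```
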



Bug#921176: redis-server service is failing to start in buster lxc container

2019-02-02 Thread Pirate Praveen

package: redis-server
version: 5:5.0.3-4
severity: grave
justification: unstable to start the service

journalctl -xe shows this error. This used to work before. It is clean 
lxc install on a sid host.


sudo lxc-create -n buster -t debian -- -r buster

I was trying to install gitlab, but that failed because redis-server is 
not running.


-- The job identifier is 1139.5:5.0.3-4
ഫെബ്രു 02 15:47:54 gitlab-buster systemd[4302]: 
redis-server.service: Failed to set up mount namespacing: Permission 
denied
ഫെബ്രു 02 15:47:54 gitlab-buster systemd[4302]: 
redis-server.service: Failed at step NAMESPACE spawning 
/usr/bin/redis-server: Permission denied

-- Subject: Process /usr/bin/redis-server could not be executed