Bug 1044892 - Some services fail to start in container with -P option
Summary: Some services fail to start in container with -P option
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt-sandbox
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-12-19 08:11 UTC by Luwen Su
Modified: 2020-04-16 17:49 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-16 17:49:09 UTC



Description Luwen Su 2013-12-19 08:11:36 UTC
Description of problem:
Some services fail to start in a container with -P for different reasons,
like a missing directory or an SELinux policy issue.


Version-Release number of selected component (if applicable):
libvirt-sandbox-0.5.0-7.el7.x86_64
systemd-207-8.el7.x86_64
selinux-policy-3.12.1-103.el7.noarch

How reproducible:
100%

Steps to Reproduce:

For openssh-server
1.
#virt-sandbox-service create -C -u httpd.service -P openssh -P postfix -N dhcp,source=default mul-ssh
#virsh -c lxc:/// start mul-ssh
#virt-sandbox-service connect mul-ssh

2.
#systemctl start sshd
sh-4.2# systemctl status sshd
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2013-12-19 11:29:36 CST; 1s ago
  Process: 110 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
  Process: 109 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
 Main PID: 110 (code=exited, status=255)

sh-4.2#journalctl -xn
Dec 19 11:29:36 mul-ssh sshd[110]: Missing privilege separation directory: /var/empty/sshd


sh-4.2# mkdir -p /var/empty/sshd
sh-4.2# systemctl start sshd

sh-4.2# systemctl status sshd
sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled)
   Active: active (running) since Thu 2013-12-19 11:30:18 CST; 4s ago
  Process: 117 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
 Main PID: 118 (sshd)
   CGroup: /machine.slice/machine-lxc\x2dmul\x2dssh.scope/system.slice/sshd.service
           `-118 /usr/sbin/sshd -D

Dec 19 11:30:18 mul-ssh sshd[118]: Server listening on 0.0.0.0 port 22.
Dec 19 11:30:18 mul-ssh sshd[118]: Server listening on :: port 22.



For httpd
1.
#virt-sandbox-service create -C -u crond.service -P httpd -P postfix -N dhcp,source=default mul-http
# virsh -c lxc:/// start mul-http
#virt-sandbox-service connect mul-http

2.
sh-4.2# systemctl start httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
sh-4.2# journalctl -xn
-- Logs begin at Thu 2013-12-19 11:34:47 CST, end at Thu 2013-12-19 11:35:06 CST. --
Dec 19 11:34:47 mul-http crond[15]: (CRON) INFO (running without inotify support)
Dec 19 11:34:47 mul-http dhclient[4]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 (xid=0x7a407ff5)
Dec 19 11:34:51 mul-http dhclient[4]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 (xid=0x7a407ff5)
Dec 19 11:34:55 mul-http dhclient[4]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 9 (xid=0x7a407ff5)
Dec 19 11:34:58 mul-http dhclient[4]: DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x7a407ff5)
Dec 19 11:34:58 mul-http dhclient[4]: DHCPOFFER from 192.168.122.1
Dec 19 11:34:58 mul-http dhclient[4]: DHCPACK from 192.168.122.1 (xid=0x7a407ff5)
Dec 19 11:35:00 mul-http dhclient[4]: bound to 192.168.122.175 -- renewal in 1527 seconds.
Dec 19 11:35:06 mul-http httpd[102]: Failed at step NAMESPACE spawning /usr/sbin/httpd: Permission denied
Dec 19 11:35:06 mul-http kill[103]: Failed at step NAMESPACE spawning /bin/kill: Permission denied

On host
setroubleshoot: SELinux is preventing /usr/lib/systemd/systemd from mounton access on the directory /. For complete SELinux messages. run sealert -l 178c6b0b-91aa-472d-89b7-c6482254826e

## sealert -l 178c6b0b-91aa-472d-89b7-c6482254826e
SELinux is preventing /usr/lib/systemd/systemd from mounton access on the directory /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed mounton access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep (httpd) /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        (httpd)
Source Path                   /usr/lib/systemd/systemd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           systemd-207-8.el7.x86_64
Target RPM Packages           filesystem-3.2-13.el7.x86_64
Policy RPM                    selinux-policy-3.12.1-103.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-64.el7.x86_64
                              #1 SMP Tue Dec 17 16:46:38 EST 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-12-19 11:24:29 CST
Last Seen                     2013-12-19 11:35:06 CST
Local ID                      178c6b0b-91aa-472d-89b7-c6482254826e

Raw Audit Messages
type=AVC msg=audit(1387424106.704:232): avc:  denied  { mounton } for  pid=2977 comm="(kill)" path="/" dev="sda1" ino=128 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir


type=SYSCALL msg=audit(1387424106.704:232): arch=x86_64 syscall=mount success=no exit=EACCES a0=0 a1=7faadbd141b2 a2=0 a3=84000 items=0 ppid=1 pid=2977 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(kill) exe=/usr/lib/systemd/systemd subj=system_u:system_r:svirt_lxc_net_t:s0 key=(null)

Hash: (httpd),svirt_lxc_net_t,root_t,dir,mounton
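A triage helper for the raw audit messages above, added here as an example (it is not part of the bug report or of libvirt-sandbox): it groups AVC and SYSCALL records by their shared audit event id and flattens each denial into one row with the SELinux source/target types, the permission, the syscall and its exit code, which is the information needed to decide whether the policy or the unit's namespace settings are at fault. The sample input is constructed from the two records quoted in the report.

```python
import re
from collections import defaultdict
# Constructed sample input: the two raw audit records quoted in the bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1387424106.704:232): avc:  denied  { mounton } for  pid=2977 comm="(kill)" path="/" dev="sda1" ino=128 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1387424106.704:232): arch=x86_64 syscall=mount success=no exit=EACCES a0=0 a1=7faadbd141b2 a2=0 a3=84000 items=0 ppid=1 pid=2977 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(kill) exe=/usr/lib/systemd/systemd subj=system_u:system_r:svirt_lxc_net_t:s0 key=(null)
"""
# type=<RECORD> msg=audit(<seconds>.<ms>:<serial>): <body>
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
# avc:  denied  { perm1 perm2 } for  k=v k=v ...
AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(text):
    """Split 'k=v k="v with spaces"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_audit(text):
    """Group AVC and SYSCALL records by their shared audit event id."""
    events = defaultdict(lambda: {'avc': [], 'syscall': None})
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == 'AVC':
            a = AVC_RE.match(body)
            if not a:
                continue
            rec = parse_fields(a.group(3))
            rec['result'] = a.group(1)
            rec['perms'] = a.group(2).split()
            events[event_id]['avc'].append(rec)
        elif rtype == 'SYSCALL':
            events[event_id]['syscall'] = parse_fields(body)
    return dict(events)

def denials(events):
    """One flat triage row per denied AVC, joined with its SYSCALL record."""
    rows = []
    for event_id, ev in events.items():
        sc = ev['syscall'] or {}
        for avc in ev['avc']:
            if avc['result'] == 'denied':
                # SELinux context is user:role:type:level; the type is field 2.
                rows.append({'event': event_id, 'perms': avc['perms'], 'tclass': avc['tclass'],
                             'source_type': avc['scontext'].split(':')[2],
                             'target_type': avc['tcontext'].split(':')[2],
                             'syscall': sc.get('syscall'), 'exit': sc.get('exit'),
                             'exe': sc.get('exe'), 'pid': avc.get('pid'), 'path': avc.get('path')})
    return rows
```

For the report's records the single row shows svirt_lxc_net_t denied mounton on the root_t directory "/" through a failed mount() by the container's systemd, which is the "Failed at step NAMESPACE" seen in the container journal.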

Comment 3 Daniel Berrangé 2020-04-16 17:49:09 UTC
Closing old bug, virt-sandbox-service feature has been deleted.

