Error on privileged container not on unprivileged: Failed to set up mount namespacing: Permission denied

1

Hello,

I’m facing an error with the dante-server package on a privileged container and I don’t have this error on an unprivileged container.

Jan 26 18:15:55 test-kali (sh)[510]: danted.service: Failed to set up mount namespacing: Permission denied
Jan 26 18:15:55 test-kali (sh)[510]: danted.service: Failed at step NAMESPACE spawning /bin/sh: Permission denied

Here is how to reproduce it:

incus launch images:debian/14 debforky --ephemeral --config security.privileged=true
incus exec test-kali – apt install dante-server -y
incus exec test-kali – systemctl start danted
Job for danted.service failed because the control process exited with error code.
See "systemctl status danted.service" and "journalctl -xeu danted.service" for details.

About the error:

[slt@test][~]$ incus-6.20 exec test-kali -- journalctl -u danted                                                 
Jan 26 18:15:55 test-kali systemd[1]: Starting danted.service - SOCKS (v4 and v5) proxy daemon (danted)...       
Jan 26 18:15:55 test-kali (sh)[510]: danted.service: Failed to set up mount namespacing: Permission denied       
Jan 26 18:15:55 test-kali (sh)[510]: danted.service: Failed at step NAMESPACE spawning /bin/sh: Permission denied
Jan 26 18:15:55 test-kali systemd[1]: danted.service: Control process exited, code=exited, status=226/NAMESPACE  
Jan 26 18:15:55 test-kali systemd[1]: danted.service: Failed with result 'exit-code'.                            
Jan 26 18:15:55 test-kali systemd[1]: Failed to start danted.service - SOCKS (v4 and v5) proxy daemon (danted).  
Jan 26 18:27:21 test-kali systemd[1]: Starting danted.service - SOCKS (v4 and v5) proxy daemon (danted)...       
Jan 26 18:27:21 test-kali systemd[1]: danted.service: Control process exited, code=exited, status=226/NAMESPACE  
Jan 26 18:27:21 test-kali systemd[1]: danted.service: Failed with result 'exit-code'.                            
Jan 26 18:27:21 test-kali systemd[1]: Failed to start danted.service - SOCKS (v4 and v5) proxy daemon (danted).

I search the internet and found about setting PrivateTmp=false in the systemd override, but from what I can see, this is already set by /run/systemd/system/service.d/zzz-lxc-service.conf:

image
image1539×753 117 KB

Any idea on how to debug this?

2

Allow me to bump this thread as the problem persists!

I may be missing something obvious, any idea?

3

Privileged containers have much stronger AppArmor and similar security profiles to try and prevent them causing a bunch of damage to the host system, whether intentionally or by accident.

This does pretty negatively affect some of the newer security features of systemd.

You may want to run systemctl cat on the unit to see what it sets and what’s overriden, you may need to override additional keys to get things going.

You could also try setting security.nesting=true which makes your privileged container even less safe by having to relax some of those namespacing features.

4

I tried overriding additional keys but haven’t found the “missing” ones.

However, setting security.nesting to true allowed me to start the service as expected. That’s a work around I can live with for the time being!

Thank you! :slight_smile: