I’m in the process to reinstall an LXD postfix service container based on Fedora 31 and CentOS 8 LXD runtime host. That container was running fine with previous versions of Fedora and a CentOS7 runtime.
When I start Postfix inside Fedora 31 container I get:
> Mär 30 06:15:44 mail-mtaservice systemd[1]: Starting Postfix Mail Transport Agent...
> Mär 30 06:15:45 mail-mtaservice postfix[86]: /usr/libexec/postfix/postfix-script: line 127: /dev/null: Permission denied
> Mär 30 06:15:45 mail-mtaservice postfix/postfix-script[93]: fatal: the Postfix mail system is already running
Inside the mentioned script
start|start-fg)
$daemon_directory/master -t 2>/dev/null || {. <=== line 127
$FATAL the Postfix mail system is already running
exit 1
}
Of course, in native Fedora it works fine (/dev/null is owned by root).
There is no second postfix instance inside the container nor on the host.
It’s a plain standard installation of the container (i.e. just a lxc launch …) and the postfix software.
which looks strange to me. But practically all files in /dev are owned by nobody. That is true vor all containers I created since installation on CentOS 8.
I installed snapd on a CentOS 8 machine and created a CentOS 8 container: The latest LXD 4.0 has the same issue: /usr/libexec/postfix/postfix-script: line 127: /dev/null: Permission denied
Postfix will not run in an LXD 4.0 container.
Same is true for version 3.21 which I used when I ran into the issue. I checked with SELinux in permissive as well as in enforcing mode
I installed snapd on a Fedora 31 machine. LXD version 4.0 worked, the postfix problem did not occur. (but LXD version 3.21 didn’t work at all)
The problem didn’t occur in CentOS 7 either.
So probably the permission problem may be specific to CentOS 8.
Is there a chance that such a CentOS 8 specific problem can be fixed in the foreseeable future?
Did you run snap LXD 4 on the same CentOS 8 host where you tried my packages? In this case it might be the same error caused e.g. by my lxcfs package… Did you have SELinux enabled?
Originally there were 2 different machines but installed in the very same way, just a minimal CentOS 8 server installation. But to be on the safe side, I reverted the test machine with snap to a snapshot before I started the snap installation and installed copr lxd 3.21. I encountered the same permission issue with Postfix.
I’d be happy to run more tests if I can help with that. In any case, I have a certain amount of testing equipment at my disposal.
I just noticed that you released 3.22 on COPR. I updated our systems but found the permission denied issue again. Just for information, could you not address the issue or is the issue not resolvable?
Sorry, I don’t want to push at all, I just have to decide what containerisation system we will use on our systems in the future.
Hi all,
any progress here? I have installed CentOS 8 container in LXD (also driven by CentOS 8):
:; lxc version
Client version: 4.12
Server version: 4.12
Postfix (postfix-3.3.1-12.el8.x86_64.rpm ) does not starts:
Mar 17 10:38:17 CT postfix[92]: /usr/libexec/postfix/postfix-script: line 127: /dev/null: Permission denied
Mar 17 10:38:17 CT postfix/postfix-script[116]: fatal: the Postfix mail system is already running
Mar 17 10:38:18 CT systemd[1]: postfix.service: Control process exited, code=exited status=1
Mar 17 10:38:18 CT systemd[1]: postfix.service: Failed with result 'exit-code'.
Container runs in unprivileged mode, so:
:; ls -al /dev/null
crw-rw-rw-. 1 nobody nobody 1, 3 Feb 22 22:39 /dev/null
Can you try using systemctl edit postfix and then setting PrivateDevices to false, and also try ProtectSystem=false to see if it is one of those causing the issue.
:; sudo systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/postfix.service.d
└─override.conf
Active: active (running) since Wed 2021-03-17 11:22:50 CET; 5s ago
…
Mar 17 11:22:50 CT postfix/master[1317]: daemon started – version 3.3.1, configuration /etc/postfix
Thanks, but I would expect that postfix service starts normally, with distribution unit file.
I expected you to try each one of these two options and then report back which one worked, as trying them both together doesn’t tell us which one worked. Unless they are both required to make it work?
@Predrag_Zecevic when you try to start postfix with the default system unit, do you see anything from AppArmor on the host via sudo dmesg?
@brauner@stgraber is there any reason why systemd’s PrivateDevices option wouldn’t work inside a container (well restrict writing to /dev/null at least)?
What systemd version are you on, afaict PrivateDevices should either ignore permissions errors and move on or simpley fallback to bind-mount. I’m sure I even fixed that in upstream systemd a while ago.