cockpit.service fails in LXC: Failed to set up mount namespacing

[LuisCane]

Explain what happens

1. I start or enable cockpit.socket
2. I check the status and see that it is active

• cockpit.socket - Cockpit Web Service Socket
  Loaded: loaded (/lib/systemd/system/cockpit.socket; enabled; vendor preset: enabled)
  Active: active (listening) since Thu 2022-05-19 16:41:19 UTC; 18s ago
  Triggers: * cockpit.service
  Docs: man:cockpit-ws(8)
  Listen: [::]:9090 (Stream)
  Process: 1846 ExecStartPost=/usr/share/cockpit/motd/update-motd localhost (code=exited, status=0/SUCCESS)
  Process: 1853 ExecStartPost=/bin/ln -snf active.motd /run/cockpit/motd (code=exited, status=0/SUCCESS)
  Tasks: 0 (limit: 38355)
  Memory: 4.0K
  CPU: 8ms
  CGroup: /system.slice/cockpit.socket

May 19 16:41:19 resume systemd[1]: Starting Cockpit Web Service Socket.
May 19 16:41:19 resume systemd[1]: Listening on Cockpit Web Service Socket.

3. I try to connect, but the connection fails. I've used Firefox and Curl.
   curl https://localhost:9090
   curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:9090

4. I check the status again and see that it is failed.

• cockpit.socket - Cockpit Web Service Socket
  Loaded: loaded (/lib/systemd/system/cockpit.socket; enabled; vendor preset: enabled)
  Active: failed (Result: service-start-limit-hit) since Thu 2022-05-19 16:48:35 UTC; 4s ago
  Triggers: * cockpit.service
  Docs: man:cockpit-ws(8)
  Listen: [::]:9090 (Stream)
  Process: 1846 ExecStartPost=/usr/share/cockpit/motd/update-motd localhost (code=exited, status=0/SUCCESS)
  Process: 1853 ExecStartPost=/bin/ln -snf active.motd /run/cockpit/motd (code=exited, status=0/SUCCESS)
  Process: 2252 ExecStopPost=/bin/ln -snf inactive.motd /run/cockpit/motd (code=exited, status=0/SUCCESS)
  CPU: 9ms

May 19 16:41:19 resume systemd[1]: Starting Cockpit Web Service Socket.
May 19 16:41:19 resume systemd[1]: Listening on Cockpit Web Service Socket.
May 19 16:48:35 resume systemd[1]: cockpit.socket: Failed with result 'service-start-limit-hit'.

Debian 10 LXC container in Proxmox running Wordpress. I replaced Webmin with Cockpit

Version of Cockpit

239-1~bpo10+1

Where is the problem in Cockpit?

No response

Server operating system

Debian

Server operating system version

Buster Linux resume 5.13.19-6-pve #1 SMP PVE 5.13.19-15 (Tue, 29 Mar 2022 15:59:50 +0200) x86_64 GNU/Linux

What browsers are you using?

Firefox, Other

System log

May 19 16:26:50 resume systemd[752]: cockpit.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied
May 19 16:26:50 resume systemd[752]: cockpit.service: Failed at step NAMESPACE spawning /usr/lib/cockpit/cockpit-tls: Permission denied
May 19 16:26:51 resume systemd[1]: cockpit.service: Main process exited, code=exited, status=226/NAMESPACE
May 19 16:26:51 resume systemd[1]: cockpit.service: Failed with result 'exit-code'.
May 19 16:26:51 resume systemd[1]: Starting Cockpit Web Service...
May 19 16:26:51 resume systemd[1]: Started Cockpit Web Service.
May 19 16:26:51 resume systemd[756]: cockpit.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied
May 19 16:26:51 resume systemd[756]: cockpit.service: Failed at step NAMESPACE spawning /usr/lib/cockpit/cockpit-tls: Permission denied
May 19 16:26:51 resume systemd[1]: cockpit.service: Main process exited, code=exited, status=226/NAMESPACE
May 19 16:26:51 resume systemd[1]: cockpit.service: Failed with result 'exit-code'.
May 19 16:26:51 resume systemd[1]: Starting Cockpit Web Service...

[martinpitt]

cockpit.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied

This smells like your LXC container does not have enough privileges to set up systemd's isolation options? cockpit.service has these:

NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
MemoryDenyWriteExecute=true

These make cockpit.service safer (due to having much reduced capabilities) on ordinary systems, but being able to set that up requires additional privileges on the host. If you can't/don't want to grant these privileges to the LXC container, you can try and drop these options, then it should work.

[LuisCane]

I'll look into this. Thanks.

[0xalen]

I was able to make it work commenting out just "ProtectKernelTunables=true". The rest of the options can remain enabled

[erwin1024]

For me it was the nesting-option in the lxc which has to be enabled.