Apache in Containers – Troubleshooting Run Issues

apache-2.4arch-linuxcontainersUbuntu

I am running Arch Linux and on top of that, Ubuntu inside a systemd-nspawn container. I am suddenly having issues getting apache to start (inside the container).

Everything was working fine a few days ago, but now it's not. I don't know if an update inside or outside of the container has changed something.

Inside the container, I see the following:

root@container:~# apachectl -k start
/usr/sbin/apachectl: 99: ulimit: error setting limit (Operation not permitted)
Setting ulimit failed. See README.Debian for more information.
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Action '-k start' failed.
The Apache error log may have more information.

I checked using lsof and netstat and nothing else is running on ports 80/443. Also, what is that "ulimit" error? What's going on there?

I did use sudo systemctl edit systemd-nspawn@my-container.service to edit the settings to disable private networking and enable some bind mounts:

[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest -U --settings=override --machine=%i \
        --bind-ro=/etc/resolv.conf:/etc/resolv.conf \
        --bind=/home/nticompass/Code/website:/opt/website

Yes, the apache config inside the container is setup to use /opt/website as its root. I have it bind mounted so I can use my IDE on my main OS (Arch Linux) to edit the files and then have the container be able to access them (without having to copy/transfer them).

I am not sure what to do here. Did something change in an update? Do I need to update a config on my Arch Linux? Why can't the container access the ports? What is that "ulimit" error?

EDIT: Here is a list of packages that were upgraded/installed in the last week on my Arch Linux (main) system: https://pastebin.com/5xyGpBrw

Best Answer

We cannot tell if an update changed something, because there isn't any information about updates in your question. We need to know what updates have been installed in the system before it stopped working.

Both the ulimit error and Apache start-up failure are most likely caused by insufficient privileges.

So, definitely something changed how your container is started up.

Update 2021

A lot of Patches got Submitted to diffrent Projects like the docker upstream repos by REDHAT. To be More clear my frind David Walsh @ REDHAT did also post a lot about that. https://developers.redhat.com/blog/author/rhatdan/.

Running SystemD Without additional Privileges requires

/run as a tmpfs. /sys/fs/cgroup read/only. /sys/fs/cgroup/systemd read/write. /etc/machine-id Needs to Contain a Uniqe MachineID SIGRTMIN+3 as stopsignal as sigterm will not work /var/log/journal If it does not exist it will write to memory

docker run -d \ 
    --tmpfs /tmp \
    --tmpfs /run \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --stop-signal SIGRTMIN+3 \
    httpd /sbin/init

Note: The Stopsignal flag can be droped when your dockerfile contains STOPSIGNAL SIGRTMIN+3

See the full Post. https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/

Note: Today with Podman this would be even more simple read about it here: https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container/

Apache (Linux) httpd listen on link-local IPv6 address

Having spent some time on this it seems that the Apache documentation could be misleading, although I may have missed something. It says IPv6 addresses must be enclosed in square brackets. This is true for non link-local addresses. But I have now discovered that link-local addresses can be used, and must include a scope id, but without the square brackets. See below:

Apache documentation:

$ wget -q -O- https://httpd.apache.org/docs/2.4/bind.html | grep -Pao "(?<=p.)IPv6[ a-z]+"
IPv6 addresses must be enclosed in square brackets

My configuration:

$ grep -R ^Listen /etc/httpd/conf/
/etc/httpd/conf/httpd.conf:Listen fe80::a00:16ff:fe89:420f%3:80
/etc/httpd/conf/extra/httpd-ssl.conf:Listen fe80::a00:16ff:fe89:420f%net1:443

As you can see, I've used the interface id for the scope id with port 80, and the interface name for the scope id with port 443. This is just to show that either the interface id or name can successfully be used as the scope id.

Results:

$ sudo netstat -pant | grep -i httpd
tcp6   0    0 fe80::a00:16ff:fe89::80 :::*  LISTEN   709/httpd
tcp6   0    0 fe80::a00:16ff:fe89:443 :::*  LISTEN   709/httpd

Best Answer

Related Solutions

Docker – Running systemd inside a docker container (arch linux)

Update 2021

Running SystemD Without additional Privileges requires

Apache (Linux) httpd listen on link-local IPv6 address

Related Topic