Redis networking fails to support namespacing, so fails with LXD containers

[davidfavor]

This a complex problem related to Redis network stack implementation.

The net effect is Redis can't run inside normal containers.

The work around (which can't be used in a real runtime environment), looks like maybe making both the container where Redis runs + any containers which reference the Redis instance all be unprivileged containers... which completely breaks container security...

Likely good to fix this, to support Redis being used in LXD containers.

https://github.com/lxc/lxd/issues/3799 explains the problem.

I'm opening this ticket, as it appears no one has opened a similar ticket.

To reproduce...

1. lxc launch ubuntu:bionic redis

2. lxc exec redis bash

3. apt-get install redis-server

4. redis-cli ping
   Could not connect to Redis at 127.0.0.1:6379: No route to host

Looking at tcpdump... wow... Redis networking seems very odd...

[elderlabs]

Bumping this. Debian 9, installed redis-server 5.0.3 via testing branch. Works in a full VM, does not start inside a container. Log is as follows:

redis-server.service: Failed at step NAMESPACE spawning /usr/bin/redis-server: Permission denied

[LANopop]

this is still an issue with a debian 10 privileged lxc container on proxmox

May 06 08:48:28 xxx systemd[531]: redis-server.service: Failed to set up mount namespacing: Permission denied
May 06 08:48:28 xxx systemd[531]: redis-server.service: Failed at step NAMESPACE spawning /usr/bin/redis-server: Permission denied

Workaround:
https://forum.proxmox.com/threads/problem-lxc-mariadb-debian-10.55926/

• enabling nesting in the container settings solves the problem, but might have some unwanted implications