Httpd fails to restart on reboot: Failed to set up mount namespacing

rkudyba · June 15, 2019, 2:35pm

After a reboot httpd fails with the below status.

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─override.conf, php-fpm.conf
   Active: failed (Result: exit-code) since Sun 2019-06-09 00:00:21 EDT; 6 days ago
     Docs: man:httpd.service(8)
 Main PID: 26527 (code=exited, status=0/SUCCESS)
   Status: "Total requests: 691351; Idle/Busy workers 100/0;Requests/sec: 5.69; Bytes served/sec: 3.1KB/sec"

Jun 08 19:24:28 ourworkstation mod_evasive[9803]: Couldn't open logfile /tmp/dos-64.39.99.168: No such file or directory
Jun 08 19:24:28 ourworkstation mod_evasive[9803]: Couldn't open logfile /tmp/dos-64.39.99.168: No such file or directory
Jun 08 19:24:29 ourworkstation mod_evasive[9803]: Couldn't open logfile /tmp/dos-64.39.99.168: No such file or directory
Jun 08 19:24:34 ourworkstation mod_evasive[9803]: Couldn't open logfile /tmp/dos-64.39.99.168: No such file or directory
Jun 09 00:00:12 ourworkstation systemd[1]: Reloading The Apache HTTP Server.
Jun 09 00:00:12 ourworkstation systemd[13773]: httpd.service: Failed to set up mount namespacing: No such file or directory
Jun 09 00:00:12 ourworkstation systemd[13773]: httpd.service: Failed at step NAMESPACE spawning /usr/sbin/httpd: No such file >
Jun 09 00:00:12 ourworkstation systemd[1]: httpd.service: Control process exited, code=exited, status=226/NAMESPACE
Jun 09 00:00:21 ourworkstation systemd[1]: httpd.service: Failed with result 'exit-code'.
Jun 09 00:00:21 ourworkstation systemd[1]: Reload failed for The Apache HTTP Server.
lines 1-19/19 (END)

To take care of that mod_evasive error (from a Qualys IP) I set a log path in /etc/httpd/conf.d/mod_evasive.conf, e.g., DOSLogDir "/var/log/httpd/mod_evasive"

I then found this thread, and set the following in /usr/lib/systemd/system/httpd.service:

PrivateTmp=false
NoNewPrivileges=yes

And then:
systemctl daemon-reload

Also saw this error from mod_security: Status engine is currently disabled, enable it by set SecStatusEngine to On.

So I set SecStatusEngine On in /etc/httpd/conf.d/mod_security.conf.

These seem like work-arounds. Is there a better way to handle these warnings and errors? We are on kernel-5.0.17-300.fc30.x86_64