[MDEV-21140] galera_recovery script is incompatible with fs.protected_regular = 1 sysctl
Created: 2019-11-24  Updated: 2020-04-22  Resolved: 2019-11-28

Status: Closed
Project: MariaDB Server
Component/s: Galera, Scripts & Clients
Affects Version/s: 10.3.18
Fix Version/s: 10.5.0, 10.1.45, 10.2.32, 10.3.23, 10.4.13

Type: Bug
Priority: Major
Reporter: Alexander E. Patrakov
Assignee: Jan Lindström (Inactive)
Resolution: Fixed
Votes: 0
Labels: contribution, galera
Environment:

Arch Linux; also Debian LXC containers on Arch Linux; any other Linux with modern systemd


Issue Links:
Relates
relates to MDEV-21934 MariaDB 10.3 galera cluster do not st... Closed

 Description   

(this has been already reported as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945051)

I have created a few Debian LXC containers on my Arch Linux system for the purpose of testing Galera replication in MariaDB. Unfortunately, they don't work out of the box, because Arch Linux comes with fs.protected_regular = 1 sysctl by default. The same applies to any other distribution which uses a modern version of systemd: see https://github.com/systemd/systemd/commit/2732587540035227fe59e4b64b60127352611b35 .

The failing script during service start is /usr/bin/galera_recovery, the error is:

/usr/bin/galera_recovery: 71: /usr/bin/galera_recovery: cannot create /tmp/wsrep_recovery.BLuWHq: Permission denied

Let's see why (line numbers are from Debian).

28 log_file=$(mktemp /tmp/wsrep_recovery.XXXXXX)
... (in a function)
71 eval /usr/sbin/mysqld $cmdline_args --user=$user --wsrep_recover \
72 --disable-log-error 2> "$log_file"
...
104 [ "$euid" = "0" ] && chown $user $log_file

So, $log_file is created by mktemp, then chowned to $user, and then opened for writing the log. The opening happens by the shell, not by mysqld, and so it's done as root. So, root tries to open a file, owned by someone else, in a sticky world-writeable directory, and this is exactly what fs.protected_regular = 1 disallows.

The fix would be to remove this line:

[ "$euid" = "0" ] && chown $user $log_file

This is valid, because permissions are checked at open time, and it's root, not $user, who opens the file.
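
The check described in the report above, modeled as an added example (not part of the original report or of galera_recovery). It follows the kernel's documented rule for O_CREAT opens of existing regular files in sticky directories; the function names `would_block` and `check_path` are hypothetical, and uid 999 is a constructed stand-in for $user.

```sh
#!/bin/sh
# Added example: models the fs.protected_regular decision for an O_CREAT open
# (what a shell "2> file" redirection performs) on an existing regular file.

# would_block SYSCTL DIR_MODE DIR_UID FILE_UID OPENER_UID
# Prints "EACCES" if the open is refused, "ok" otherwise.
would_block() {
    level=$1 dir_mode=$2 dir_uid=$3 file_uid=$4 opener_uid=$5
    # Protection off, or directory not sticky: nothing is checked.
    [ "$level" -ge 1 ] || { echo ok; return; }
    [ $(( 0$dir_mode & 01000 )) -ne 0 ] || { echo ok; return; }
    # File owned by the directory owner or by the opener: allowed.
    [ "$file_uid" != "$dir_uid" ] || { echo ok; return; }
    [ "$file_uid" != "$opener_uid" ] || { echo ok; return; }
    # World-writable sticky dir: refused from level 1 upwards.
    if [ $(( 0$dir_mode & 0002 )) -ne 0 ]; then echo EACCES; return; fi
    # Group-writable sticky dir: refused only at level 2.
    if [ $(( 0$dir_mode & 0020 )) -ne 0 ] && [ "$level" -ge 2 ]; then
        echo EACCES; return
    fi
    echo ok
}

# check_path FILE: same decision for a real file and the calling user.
# Assumes Linux with /proc mounted and GNU stat; uses the effective uid as an
# approximation of the fsuid the kernel compares against.
check_path() {
    dir=$(dirname -- "$1")
    level=$(cat /proc/sys/fs/protected_regular 2>/dev/null || echo 0)
    would_block "$level" "$(stat -c %a -- "$dir")" "$(stat -c %u -- "$dir")" \
        "$(stat -c %u -- "$1")" "$(id -u)"
}

# Constructed scenario from the report: /tmp is mode 1777 and owned by root (0),
# root runs the redirection, and uid 999 stands in for $user.
echo "after mktemp, before chown: $(would_block 1 1777 0 0 0)"
echo "after chown to \$user:       $(would_block 1 1777 0 999 0)"
echo "same file, sysctl set to 0: $(would_block 0 1777 0 999 0)"
```

Running `check_path` as root against a leftover /tmp/wsrep_recovery.* file on an affected host shows whether the redirection on line 71 would be refused there.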



 Comments   
Comment by Alexander E. Patrakov [ 2019-11-24 ]

https://github.com/MariaDB/server/pull/1417

Comment by Jan Lindström (Inactive) [ 2020-02-18 ]

Merged to 10.4 in commit 2cff5428920a05bc8918d55ba3e221f065313c86
