An LXC container does not start on Debian 11 (currently testing version)

I’ve tried to start an unprivileged LXC container on Debian bullseye (still not released as stable), the same as I do with Debian 10 (buster/stable).

When I use Debian 10 I’m using LXC 3.0.3 (from buster repositories)
When I use Debian 11 I’m using LXC 4.0.6 (from bullseye repositories)

This is the log when starting either a Debian 10 or a Debian 11 container with LXC 4:

(...)
lxc-start vps1 20210310125921.881 INFO     start - start.c:lxc_init:837 - Container "vps1" is initialized
lxc-start vps1 20210310125921.881 WARN     cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1152 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-3.scope/lxc.monitor.vps1"
lxc-start vps1 20210310125921.881 WARN     cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1152 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-3.scope/lxc.monitor.vps1-1"
(1000 identical lines)
lxc-start vps1 20210310125921.894 WARN     cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1152 - Permission denied - Failed to create directory "/sys/fs/cgroup/user.slice/user-1000.slice/session-3.scope/lxc.monitor.vps1-999"
lxc-start vps1 20210310125921.894 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1365 - Numerical result out of range - Failed to create monitor cgroup
lxc-start vps1 20210310125921.894 ERROR    start - start.c:__lxc_start:1960 - Failed to create monitor cgroup
lxc-start vps1 20210310125921.894 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:859 - Received container state "ABORTING" instead of "RUNNING"
lxc-start vps1 20210310125921.894 ERROR    lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start vps1 20210310125921.894 ERROR    lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start vps1 20210310125921.894 ERROR    lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start vps1 20210310125921.895 INFO     utils - utils.c:get_rundir:260 - XDG_RUNTIME_DIR isn't set in the environment
lxc-start vps1 20210310125921.895 INFO     utils - utils.c:get_rundir:260 - XDG_RUNTIME_DIR isn't set in the environment
lxc-start vps1 20210310125921.898 NOTICE   utils - utils.c:lxc_setgroups:1420 - Dropped additional groups
lxc-start vps1 20210310125921.898 INFO     utils - utils.c:get_rundir:260 - XDG_RUNTIME_DIR isn't set in the environment
lxc-start vps1 20210310125921.898 INFO     conf - conf.c:run_script_argv:330 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "vps1", config section "lxc"

(I don’t know what XDG has to do here if it’s a CLI system)

This is the “config” file content:

lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = linux64

lxc.include = /etc/lxc/default.conf
lxc.apparmor.profile = unconfined
lxc.idmap = u 0 231072 65536
lxc.idmap = g 0 231072 65536
lxc.autodev = 1
lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,rw,create=file 0 0
lxc.rootfs.path = dir:/home/lxc/.local/share/lxc/vps1/rootfs
lxc.uts.name = vps1

lxc.net.0.type = veth
lxc.net.0.link = lanbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3E:E3:c6:80

I had exactly the same problem you described. It’s due to cgroups2, enabled by default on Debian 11.

The solution is to use the lxc-unpriv-start command, which is available in Debian 11, instead of lxc-start.
I.e., lxc-unpriv-start -n NameOfContainer. If you haven’t logged in with the user that starts the container, you should also execute sudo loginctl enable-linger NameOfUser before starting a container.

For more info check this link; it’s where I found the solution.
https://unix.stackexchange.com/questions/655898/cannot-start-unprivileged-lxc-containers-on-debian-11-bullseye

Thank you, it seems to work, but:
If I automate both the enable-linger and lxc-unpriv-start actions in a script, it complains:

Can’t start an unprivileged container on a pure CGroups v2 host without a systemd user session running.
If you are trying to get a non-interactive user to have unprivileged containers running, you need to
enable lingering sessions for that user, via loginctl enable-linger lxc as root.

I must wait some seconds for “lingering” to take effect before lxc-unpriv-start succeeds. How can I detect whether “lingering” is working so I can start the VPS now?

Additional issue with this Debian workaround: lxc-unpriv-attach prints

Running scope as unit: run-r90aa89183fd146639fef81ae1b0f0dd9.scope

on each call!
This makes it difficult to get clean stderr/stdout from commands run in a container.

If I run:

loginctl disable-linger "lxc"
sudo -iu "lxc" -- lxc-stop -n "MyVps"

Then I can’t start it again until a minute or so has passed:

sudo -iu "lxc" -- lxc-unpriv-start -n "MyVps"
Failed to start transient scope unit: Transaction for run-red8295ecbac6470397463c211f6bc27b.scope/start is destructive (exit.target has 'start' job queued, but 'stop' is included in transaction).