Cannot run LXC containers

What am I doing wrong?

outside tmux:

~ ❯ cat /proc/self/cgroup                                             13:39:04
1:net_cls:/
0::/user.slice/user-1000.slice/session-3.scope
~ ❯ cat /sys/fs/cgroup/user.slice/user-1000.slice/cgroup.controllers  13:39:06
cpuset cpu io memory pids
~ ❯ cat /etc/systemd/system/user@.service.d/delegate.conf             13:39:22
[Service]
Delegate=cpu cpuset io memory pids
~ ❯ lxc-ls --fancy                                                                                                                              ✘ INT 13:37:31
NAME       STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
build-test STOPPED 0         -      -    -    true
debian     STOPPED 0         -      -    -    true
~ ❯ lxc-start -n build-test -F                                                                                                                        13:37:33
Failed to mount cgroup (type cgroup) on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NODEV|MS_NOEXEC "none,name=systemd"): Operation not permitted
[!!!!!!] Failed to mount cgroup v1 hierarchy.
Exiting PID 1...
~ ❯ lxc-ls --fancy                                                                                                                                    13:37:36
NAME       STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
build-test STOPPED 0         -      -    -    true
debian     STOPPED 0         -      -    -    true
~ ❯ lxc-start -n debian -F                                                                                                                            13:37:43
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...
~ ❯ systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start -n debian -F                                                                13:37:49
Running as unit: myshell.scope; invocation ID: ed7704f190154cb2aacae30500eb6427
lxc-start: debian: ../lxc-6.0.3/src/lxc/cgroups/cgfsng.c: __cgfsng_delegate_controllers: 3618 Device or resource busy - Could not enable "+cpuset +cpu +io +memory +pids" controllers in the unified cgroup 8
systemd 252.38-1~deb12u1 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to Debian GNU/Linux 12 (bookworm)!

Queued start job for default target graphical.target.
[  OK  ] Created slice system-getty.slice - Slice /system/getty.
[  OK  ] Created slice system-modprobe.slice - Slice /system/modprobe.
[  OK  ] Created slice user.slice - User and Session Slice.
[  OK  ] Started systemd-ask-password-console.path - Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started systemd-ask-password-wall.path - Forward Password Requests to Wall Directory Watch.
[  OK  ] Reached target cryptsetup.target - Local Encrypted Volumes.
[  OK  ] Reached target integritysetup.target - Local Integrity Protected Volumes.
[  OK  ] Reached target paths.target - Path Units.
[  OK  ] Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
[  OK  ] Reached target remote-fs.target - Remote File Systems.
[  OK  ] Reached target remote-veritysetup.target - Remote Verity Protected Volumes.
[  OK  ] Reached target slices.target - Slice Units.
[  OK  ] Reached target swap.target - Swaps.
[  OK  ] Reached target veritysetup.target - Local Verity Protected Volumes.
[  OK  ] Listening on systemd-initctl.socket - initctl Compatibility Named Pipe.
[  OK  ] Listening on systemd-journald-dev-log.socket - Journal Socket (/dev/log).
[  OK  ] Listening on systemd-journald.socket - Journal Socket.
[  OK  ] Listening on systemd-networkd.socket - Network Service Netlink Socket.
[  OK  ] Listening on systemd-udevd-control.socket - udev Control Socket.
[  OK  ] Listening on systemd-udevd-kernel.socket - udev Kernel Socket.
         Mounting dev-mqueue.mount - POSIX Message Queue File System...
         Mounting sys-kernel-debug.mount - Kernel Debug File System...
         Starting modprobe@configfs.service - Load Kernel Module configfs...
         Starting modprobe@dm_mod.service - Load Kernel Module dm_mod...
         Starting modprobe@drm.service - Load Kernel Module drm...
         Starting modprobe@fuse.service - Load Kernel Module fuse...
         Starting modprobe@loop.service - Load Kernel Module loop...
         Starting systemd-journald.service - Journal Service...
         Starting systemd-network-generator.service - Generate network units from Kernel command line...
         Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
         Starting systemd-sysctl.service - Apply Kernel Variables...
         Starting systemd-udev-trigger.service - Coldplug All udev Devices...
[  OK  ] Mounted dev-mqueue.mount - POSIX Message Queue File System.
sys-kernel-debug.mount: Mount process exited, code=exited, status=32/n/a
sys-kernel-debug.mount: Failed with result 'exit-code'.
[FAILED] Failed to mount sys-kernel-debug.mount - Kernel Debug File System.
See 'systemctl status sys-kernel-debug.mount' for details.
modprobe@configfs.service: Deactivated successfully.
[  OK  ] Finished modprobe@configfs.service - Load Kernel Module configfs.
modprobe@dm_mod.service: Deactivated successfully.
[  OK  ] Finished modprobe@dm_mod.service - Load Kernel Module dm_mod.
modprobe@drm.service: Deactivated successfully.
[  OK  ] Finished modprobe@drm.service - Load Kernel Module drm.
modprobe@fuse.service: Deactivated successfully.
[  OK  ] Finished modprobe@fuse.service - Load Kernel Module fuse.
modprobe@loop.service: Deactivated successfully.
[  OK  ] Finished modprobe@loop.service - Load Kernel Module loop.
[  OK  ] Finished systemd-network-generator.service - Generate network units from Kernel command line.
[  OK  ] Finished systemd-remount-fs.service - Remount Root and Kernel File Systems.
[  OK  ] Finished systemd-sysctl.service - Apply Kernel Variables.
[  OK  ] Reached target network-pre.target - Preparation for Network.
         Mounting sys-kernel-config.mount - Kernel Configuration File System...
         Starting systemd-sysusers.service - Create System Users...
sys-kernel-config.mount: Mount process exited, code=exited, status=32/n/a
sys-kernel-config.mount: Failed with result 'exit-code'.
[FAILED] Failed to mount sys-kernel-config.mount - Kernel Configuration File System.
See 'systemctl status sys-kernel-config.mount' for details.
[  OK  ] Started systemd-journald.service - Journal Service.
         Starting systemd-journal-flush.service - Flush Journal to Persistent Storage...
[  OK  ] Finished systemd-sysusers.service - Create System Users.
         Starting systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev...
[  OK  ] Finished systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev.
[  OK  ] Reached target local-fs-pre.target - Preparation for Local File Systems.
[  OK  ] Reached target local-fs.target - Local File Systems.
         Starting systemd-udevd.service - Rule-based Manager for Device Events and Files...
[  OK  ] Finished systemd-journal-flush.service - Flush Journal to Persistent Storage.
         Starting systemd-tmpfiles-setup.service - Create System Files and Directories...
[  OK  ] Started systemd-udevd.service - Rule-based Manager for Device Events and Files.
         Starting systemd-networkd.service - Network Configuration...
[  OK  ] Finished systemd-tmpfiles-setup.service - Create System Files and Directories.
         Starting systemd-resolved.service - Network Name Resolution...
         Starting systemd-update-utmp.service - Record System Boot/Shutdown in UTMP...
[  OK  ] Finished systemd-update-utmp.service - Record System Boot/Shutdown in UTMP.
[  OK  ] Started systemd-resolved.service - Network Name Resolution.
[  OK  ] Reached target nss-lookup.target - Host and Network Name Lookups.
[  OK  ] Started systemd-networkd.service - Network Configuration.
[  OK  ] Reached target network.target - Network.
[  OK  ] Finished systemd-udev-trigger.service - Coldplug All udev Devices.
[  OK  ] Reached target sysinit.target - System Initialization.
[  OK  ] Started apt-daily.timer - Daily apt download activities.
[  OK  ] Started apt-daily-upgrade.timer - Daily apt upgrade and clean activities.
[  OK  ] Started dpkg-db-backup.timer - Daily dpkg database backup timer.
[  OK  ] Started e2scrub_all.timer - Periodic ext4 Online Metadata Check for All Filesystems.
[  OK  ] Started systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories.
[  OK  ] Reached target timers.target - Timer Units.
[  OK  ] Listening on dbus.socket - D-Bus System Message Bus Socket.
[  OK  ] Reached target sockets.target - Socket Units.
[  OK  ] Reached target basic.target - Basic System.
         Starting dbus.service - D-Bus System Message Bus...
         Starting e2scrub_reap.service - Remove Stale Online ext4 Metadata Check Snapshots...
         Starting systemd-logind.service - User Login Management...
         Starting systemd-user-sessions.service - Permit User Sessions...
[  OK  ] Started dbus.service - D-Bus System Message Bus.
         Starting systemd-hostnamed.service - Hostname Service...
[  OK  ] Finished systemd-user-sessions.service - Permit User Sessions.
[  OK  ] Started console-getty.service - Console Getty.
[  OK  ] Reached target getty.target - Login Prompts.
[  OK  ] Finished e2scrub_reap.service - Remove Stale Online ext4 Metadata Check Snapshots.
[  OK  ] Started systemd-logind.service - User Login Management.
[  OK  ] Reached target multi-user.target - Multi-User System.
[  OK  ] Reached target graphical.target - Graphical Interface.
         Starting systemd-update-utmp-runlevel.service - Record Runlevel Change in UTMP...
[  OK  ] Started systemd-hostnamed.service - Hostname Service.
         Starting polkit.service - Authorization Manager...
[  OK  ] Finished systemd-update-utmp-runlevel.service - Record Runlevel Change in UTMP.
[  OK  ] Started polkit.service - Authorization Manager.

Debian GNU/Linux 12 debian console

debian login:

I use a window manager; not sure if it matters. I mention it because in tmux containers work.

inside tmux:

~ ❯ cat /proc/self/cgroup                                                                                                                       ✘ INT 13:46:06
1:net_cls:/
0::/user.slice/user-1000.slice/user@1000.service/tmux-spawn-03997c73-c8d6-4ad9-8a0b-68e135b3684a.scope

Alacritty doesn’t show under user@1000.service but only under session-4.scope belonging to user-1000.slice. In tty lxc-create also doesn’t work.

What distribution are you running?

EDIT: I’m asking because based on your other post: Can't get unprivileged containers to auto start, it doesn’t seem like you’re running cgroupsv2/unified

Specifically this line in your output popped out to me

lxc-autostart 20250618053446.357 INFO cgfsng - ../lxc-6.0.3/src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1506 - Not in unified layout, not using a systemd unit

Gentoo

I presume you went through the relevant Gentoo wiki page?

If so then as another diagnostic step, what’s the output of mount -t cgroup2?

I presume you went through the relevant Gentoo wiki page?

Yes

If so then as another diagnostic step, what’s the output of mount -t cgroup2?

~ ❯ mount -t cgroup2                                                                                                                                  20:39:54
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)

What does lxc-checkconfig say?

gentoo-dist-hardened kernel

~ ❯ lxc-checkconfig                                                                                                                                   20:44:48
LXC version 6.0.3

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Namespace limits:
  cgroup: 126809
  ipc: 126809
  mnt: 126809
  net: 126809
  pid: 126809
  time: 126809
  user: 126809
  uts: 126809

--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled
Cgroup v1 mount points:
 - /sys/fs/cgroup/net_cls
Cgroup v2 mount points:
 - /sys/fs/cgroup
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note: Before booting a new kernel, you can check its configuration with:

  CONFIG=/path/to/config /usr/sbin/lxc-checkconfig


~ ❯ uname -r                                                                                                                                          20:52:51
6.15.2-gentoo-dist-hardened

I’ll try the regular, non-hardened kernel.

On paper, you should be fine to go. A bit silly, and another diagnostic question, but did you do a restart after doing the kernel build after installing LXC?

Yes, I did the restart. Currently I’m running non-hardened regular gentoo-dist kernel, and I have the same errors.

I see lxc still tries to use cgroupv1; no idea how I can fix it:

~ ❯ lxc-start -n build-test -F                                                                                                                        21:10:53
Failed to mount cgroup (type cgroup) on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NODEV|MS_NOEXEC "none,name=systemd"): Operation not permitted
[!!!!!!] Failed to mount cgroup v1 hierarchy.
Exiting PID 1...

I can run containers with systemd-run:

~ ❯ systemd-run --unit=myshell --user --scope -p "Delegate=yes" lxc-start -n debian                                                                   21:15:00
Running as unit: myshell.scope; invocation ID: 8cd9c2d60abc45429e4dfacd2c3fee5a
~ ❯ lxc-ls                                                                                                                                            21:15:51
build-test debian     test
~ ❯ lxc-ls --fancy                                                                                                                                    21:15:54
lxc-ls: ../lxc-6.0.3/src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 5579 to "net" of 3
lxc-ls: ../lxc-6.0.3/src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 5579 to "net" of 3
lxc-ls: ../lxc-6.0.3/src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 5579 to "net" of 3
NAME       STATE   AUTOSTART GROUPS IPV4       IPV6                                   UNPRIVILEGED
build-test STOPPED 0         -      -          -                                      true
debian     RUNNING 0         -      10.0.3.219 fc42:5009:ba4b:5ab0:216:3eff:fe43:b053 true
test       STOPPED 0         -      -          -                                      true

Strange output from systemctl status

● rpk
    State: running
    Units: 405 loaded (incl. loaded aliases)
     Jobs: 0 queued
   Failed: 0 units
    Since: Wed 2025-06-18 21:10:11 CEST; 21min ago
  systemd: 257.6
   CGroup: /
           └─net_cls
             ├─    1 /usr/lib/systemd/systemd --switched-root --system --deserialize=46 splash
             ├─  680 /sbin/rpcbind -w -f
             ├─  681 /usr/lib/systemd/systemd-journald
             ├─  715 /usr/lib/systemd/systemd-nsresourced
             ├─  716 /usr/lib/systemd/systemd-userdbd
             ├─  736 /usr/lib/systemd/systemd-resolved
...

Potentially a wild goose chase, but did you set any grub or systemd-boot flags?

~ ❯ cat /etc/kernel/cmdline                                                                                                                    36m 1s 23:13:53
root=UUID=6872a91c-bab1-4a19-b842-984409db1225 rd.luks.uuid=5f876d91-c0ec-4def-b849-9ffe9799c3ff pci=noaer quiet splash resume=UUID=6872a91c-bab1-4a19-b842-984409db1225 resume_offset=36886528

Should I reinstall my OS?

I’m not a Gentoo user so I’ll refrain from suggesting any nuclear option, but I’d suggest you search around and see if anyone else on the forums has had the same issue you did.

If you can’t get any hits then maybe ask on the Gentoo forums as well, or raise an issue in the LXC repo.

The Gentoo Wiki has top-notch information on LXC (their Incus page is brilliant as well).

This being a setup question, you may try to ask at the Gentoo forums.