felipe@satriani:~$ lxc-start -n debian-bookworm-01 -d -F
Running scope as unit: run-r46a3b9c031434ed1bf036628898a6544.scope
lxc-start: debian-bookworm-01: ../src/lxc/cgroups/cgfsng.c: __cgfsng_delegate_controllers: 3341 Device or resource busy - Could not enable "+cpu +memory +pids" controllers in the unified cgroup 8
lxc-start: debian-bookworm-01: ../src/lxc/conf.c: setup_utsname: 876 Operation not permitted - Failed to set the hostname to "debian-bookworm-01"
lxc-start: debian-bookworm-01: ../src/lxc/conf.c: lxc_setup: 4376 Failed to setup the utsname debian-bookworm-01
lxc-start: debian-bookworm-01: ../src/lxc/start.c: do_start: 1272 Failed to setup container "debian-bookworm-01"
lxc-start: debian-bookworm-01: ../src/lxc/sync.c: sync_wait: 34 An error occurred in another process (expected sequence number 3)
lxc-start: debian-bookworm-01: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "debian-bookworm-01"
lxc-start: debian-bookworm-01: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: debian-bookworm-01: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options
Okay so that’s starting from an unprivileged user with the systemd scope stuff.
Can you show your container’s config file to make sure the uid/gid map is correct?
felipe@satriani:~$ lxc-attach -n debian-bookworm-01
Running scope as unit: run-r5a7f806e50874b87bdcd2c354b503399.scope
root@satriani:/# unshare -u -U -r
root@satriani:/# hostname foo
hostname: you must be root to change the host name
Hi. It should be something with the OS infrastructure because at some time debian introduced running unconfined regular user containers via systemd-run, that is not the case anymore, as I mentioned, the same container runs perfectly on a different machine with same lxc, kernel and debian version. it should be something that kept on after upgrade. I don’t know where to dig though
You may want to look for anything user namespace related in /proc/sys as a number of distros have added extra knobs there to limit what an unprivileged user can do.
In this case, a low or zero value in /proc/sys/user/max_uts_namespaces could explain it.
May be worth going over /proc/sys/user/* to see if there’s anything in there that may cause this.