Can't start container in unprivileged mode: lxc_secure_rename_in_ns - Permission denied - Failed opening network namespace path for 19657

Hi, I’m using Debian trixie.

When I start LXC as an unprivileged user it fails. I’ve done the configuration according to the manual and use systemd-run, and it also fails without systemd-run or using lxc-unpriv-start.

systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-start -n test --logfile /tmp/log.txt --logpriority=TRACE

The error log says:

lxc-start test 20260222141658.761 WARN     start - ../src/lxc/start.c:lxc_spawn:1844 - Operation not permitted - Failed to allocate new network namespace id
lxc-start test 20260222141658.766 INFO     network - ../src/lxc/network.c:lxc_create_network_unpriv_exec:3001 - Execing lxc-user-nic create /home/vital/.local/share/lxc test 19657 veth lxcbr0 (null)
lxc-start test 20260222141658.967 ERROR    network - ../src/lxc/network.c:lxc_create_network_unpriv_exec:3029 - lxc-user-nic failed to configure requested network: ../src/lxc/cmd/lxc_user_nic.c: 838: lxc_secure_rename_in_ns - Permission denied - Failed opening network namespace path for 19657
../src/lxc/cmd/lxc_user_nic.c: 1219: main: Failed to rename the link
lxc-start test 20260222141658.967 ERROR    start - ../src/lxc/start.c:lxc_spawn:1852 - Failed to create the network

I use LXC 6.0.4 from trixie but I also tried to backport 6.0.5 from Debian sid with the same result.

The full content of log.txt

lxc-start test 20260222141658.398 INFO     confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 0 hostid 624288 range 65536
lxc-start test 20260222141658.399 INFO     confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 0 hostid 624288 range 65536
lxc-start test 20260222141658.400 TRACE    commands - ../src/lxc/commands.c:lxc_cmd_timeout:525 - Connection refused - Command "get_init_pid" failed to connect command socket
lxc-start test 20260222141658.401 TRACE    commands - ../src/lxc/commands.c:lxc_cmd_timeout:525 - Connection refused - Command "get_state" failed to connect command socket
lxc-start test 20260222141658.401 TRACE    start - ../src/lxc/start.c:lxc_init_handler:739 - Created anonymous pair {4,5} of unix sockets
lxc-start test 20260222141658.401 TRACE    commands - ../src/lxc/commands.c:lxc_server_init:2138 - Created abstract unix socket "/home/vital/.local/share/lxc/test/command"
lxc-start test 20260222141658.402 TRACE    start - ../src/lxc/start.c:lxc_init_handler:755 - Unix domain socket 6 for command server is ready
lxc-start test 20260222141658.411 INFO     lxccontainer - ../src/lxc/lxccontainer.c:do_lxcapi_start:954 - Set process title to [lxc monitor] /home/vital/.local/share/lxc test
lxc-start test 20260222141658.420 DEBUG    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:813 - First child 19655 exited
lxc-start test 20260222141658.420 TRACE    start - ../src/lxc/start.c:lxc_start:2233 - Doing lxc_start
lxc-start test 20260222141658.423 WARN     apparmor - ../src/lxc/lsm/apparmor.c:lsm_apparmor_ops_init:1268 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc-start test 20260222141658.423 INFO     lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
lxc-start test 20260222141658.423 TRACE    start - ../src/lxc/start.c:lxc_init:779 - Initialized LSM
lxc-start test 20260222141658.424 TRACE    start - ../src/lxc/start.c:lxc_serve_state_clients:484 - Set container state to STARTING
lxc-start test 20260222141658.424 TRACE    start - ../src/lxc/start.c:lxc_serve_state_clients:487 - No state clients registered
lxc-start test 20260222141658.424 TRACE    start - ../src/lxc/start.c:lxc_init:785 - Set container state to "STARTING"
lxc-start test 20260222141658.425 TRACE    start - ../src/lxc/start.c:lxc_init:841 - Set environment variables
lxc-start test 20260222141658.425 TRACE    start - ../src/lxc/start.c:lxc_init:846 - Ran pre-start hooks
lxc-start test 20260222141658.426 TRACE    start - ../src/lxc/start.c:setup_signal_fd:371 - Created signal file descriptor 8
lxc-start test 20260222141658.426 TRACE    start - ../src/lxc/start.c:lxc_init:859 - Set up signal fd
lxc-start test 20260222141658.427 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:open_systemd:1250 - Using dbus unix socket: 'unix:path=/run/user/1000/bus'
lxc-start test 20260222141658.428 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:open_systemd:1261 - Saying hello to systemd
lxc-start test 20260222141658.432 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:open_systemd:1286 - Waiting systemd Hello for reply
lxc-start test 20260222141658.439 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:open_systemd:1308 - reply came from systemd: ':1.35'
lxc-start test 20260222141658.441 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1561 - unpriv_systemd_create_scope: trying idx 0
lxc-start test 20260222141658.477 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.478 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.479 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.480 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.481 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.482 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.484 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.485 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.486 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.487 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.489 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.490 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.491 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.492 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.493 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.495 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.496 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.497 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.498 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.499 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.501 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.502 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.503 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.504 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.505 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.507 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.508 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.509 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.510 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.511 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.512 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.513 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.514 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.515 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start test 20260222141658.516 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:1001 - got a JobRemoved signal.
lxc-start test 20260222141658.520 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1572 - Created systemd scope lxc-test-0.scope
lxc-start test 20260222141658.520 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__initialize_cgroups:3844 - Entered an unpriv systemd scope
lxc-start test 20260222141658.521 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:cgroup_hierarchy_add:462 - Adding cgroup hierarchy mounted at  and base cgroup user.slice/user-1000.slice/user@1000.service/app.slice/lxc-test-0.scope
lxc-start test 20260222141658.521 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:cgroup_hierarchy_add:465 - The hierarchy contains the cpu controller
lxc-start test 20260222141658.521 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:cgroup_hierarchy_add:465 - The hierarchy contains the memory controller
lxc-start test 20260222141658.521 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:cgroup_hierarchy_add:465 - The hierarchy contains the pids controller
lxc-start test 20260222141658.521 TRACE    cgroup2_devices - ../src/lxc/cgroups/cgroup2_devices.c:bpf_devices_cgroup_supported:530 - The bpf device cgroup requires real root
lxc-start test 20260222141658.521 TRACE    cgroup - ../src/lxc/cgroups/cgroup.c:cgroup_init:41 - Initialized cgroup driver cgfsng
lxc-start test 20260222141658.521 TRACE    cgroup - ../src/lxc/cgroups/cgroup.c:cgroup_init:48 - Unified cgroup layout
lxc-start test 20260222141658.521 TRACE    start - ../src/lxc/start.c:lxc_init:866 - Initialized cgroup driver
lxc-start test 20260222141658.523 DEBUG    seccomp - ../src/lxc/seccomp.c:parse_config_v2:664 - Host native arch is [3221225534]
lxc-start test 20260222141658.523 TRACE    seccomp - ../src/lxc/seccomp.c:get_new_ctx:478 - Added arch 2 to main seccomp context
lxc-start test 20260222141658.523 TRACE    seccomp - ../src/lxc/seccomp.c:get_new_ctx:486 - Removed native arch from main seccomp context
lxc-start test 20260222141658.523 TRACE    seccomp - ../src/lxc/seccomp.c:get_new_ctx:478 - Added arch 3 to main seccomp context
lxc-start test 20260222141658.524 TRACE    seccomp - ../src/lxc/seccomp.c:get_new_ctx:486 - Removed native arch from main seccomp context
lxc-start test 20260222141658.524 TRACE    seccomp - ../src/lxc/seccomp.c:get_new_ctx:491 - Arch 4 already present in main seccomp context
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "[all]"
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "kexec_load errno 1"
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "open_by_handle_at errno 1"
lxc-start test 20260222141658.524 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "init_module errno 1"
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "finit_module errno 1"
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "delete_module errno 1"
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
lxc-start test 20260222141658.525 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
lxc-start test 20260222141658.526 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
lxc-start test 20260222141658.526 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:1036 - Merging compat seccomp contexts into main context
lxc-start test 20260222141658.526 TRACE    seccomp - ../src/lxc/seccomp.c:parse_config_v2:1046 - Merged first compat seccomp context into main context
lxc-start test 20260222141658.526 TRACE    seccomp - ../src/lxc/seccomp.c:parse_config_v2:1062 - Merged second compat seccomp context into main context
lxc-start test 20260222141658.526 TRACE    start - ../src/lxc/start.c:lxc_init:873 - Read seccomp policy
lxc-start test 20260222141658.526 TRACE    start - ../src/lxc/start.c:lxc_init:880 - Initialized LSM
lxc-start test 20260222141658.526 INFO     start - ../src/lxc/start.c:lxc_init:882 - Container "test" is initialized
lxc-start test 20260222141658.527 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgroup_tree_create:726 - Created 12(lxc.monitor.test) cgroup
lxc-start test 20260222141658.528 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgroup_tree_create:741 - Opened newly created cgroup lxc.monitor.test as 13
lxc-start test 20260222141658.528 INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1682 - The monitor process uses "lxc.monitor.test" as cgroup
lxc-start test 20260222141658.528 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgfsng_delegate_controllers:3633 - Enabled "+cpu +memory +pids" controllers in the unified cgroup 12
lxc-start test 20260222141658.529 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_enter:1832 - Moved monitor (19656) into cgroup 13
lxc-start test 20260222141658.529 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_enter:1846 - Moved transient process into cgroup 13
lxc-start test 20260222141658.530 DEBUG    storage - ../src/lxc/storage/storage.c:get_storage_by_name:209 - Detected rootfs type "dir"
lxc-start test 20260222141658.530 TRACE    conf - ../src/lxc/conf.c:lxc_rootfs_init:353 - Not pinning because container runs in user namespace
lxc-start test 20260222141658.531 TRACE    sync - ../src/lxc/sync.c:lxc_sync_init:139 - Initialized synchronization infrastructure
lxc-start test 20260222141658.533 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgroup_tree_create:726 - Created 12(lxc.payload.test) cgroup
lxc-start test 20260222141658.534 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgroup_tree_create:741 - Opened newly created cgroup lxc.payload.test as 18
lxc-start test 20260222141658.534 INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1790 - The container process uses "lxc.payload.test" as inner and "lxc.payload.test" as limit cgroup
lxc-start test 20260222141658.540 TRACE    start - ../src/lxc/start.c:lxc_spawn:1714 - Spawned container directly into target cgroup via cgroup2 fd 18
lxc-start test 20260222141658.540 TRACE    start - ../src/lxc/start.c:lxc_spawn:1754 - Cloned child process 19657
lxc-start test 20260222141658.540 TRACE    start - ../src/lxc/start.c:core_scheduling:1572 - No new core scheduling domain requested
lxc-start test 20260222141658.540 TRACE    utils - ../src/lxc/utils.c:lxc_can_use_pidfd:1935 - Kernel supports pidfds
lxc-start test 20260222141658.541 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUSER
lxc-start test 20260222141658.541 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWNS
lxc-start test 20260222141658.541 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWPID
lxc-start test 20260222141658.541 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUTS
lxc-start test 20260222141658.541 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWIPC
lxc-start test 20260222141658.541 INFO     start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWCGROUP
lxc-start test 20260222141658.540 TRACE    start - ../src/lxc/start.c:lxc_spawn:1714 - Spawned container directly into target cgroup via cgroup2 fd 18
lxc-start test 20260222141658.542 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved user namespace via fd 20 and stashed path as user:/proc/19656/fd/20
lxc-start test 20260222141658.542 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved mnt namespace via fd 21 and stashed path as mnt:/proc/19656/fd/21
lxc-start test 20260222141658.542 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved pid namespace via fd 22 and stashed path as pid:/proc/19656/fd/22
lxc-start test 20260222141658.542 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved uts namespace via fd 23 and stashed path as uts:/proc/19656/fd/23
lxc-start test 20260222141658.543 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved ipc namespace via fd 24 and stashed path as ipc:/proc/19656/fd/24
lxc-start test 20260222141658.543 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved cgroup namespace via fd 25 and stashed path as cgroup:/proc/19656/fd/25
lxc-start test 20260222141658.543 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260222141658.543 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260222141658.544 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start test 20260222141658.545 TRACE    sync - ../src/lxc/sync.c:lxc_sync_wait_parent:110 - Child waiting for parent with sequence startup
lxc-start test 20260222141658.602 TRACE    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:246 - newuidmap wrote mapping "newuidmap 19657 0 624288 65536"
lxc-start test 20260222141658.648 TRACE    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:246 - newgidmap wrote mapping "newgidmap 19657 0 624288 65536"
lxc-start test 20260222141658.649 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgfsng_delegate_controllers:3633 - Enabled "+cpu +memory +pids" controllers in the unified cgroup 12
lxc-start test 20260222141658.649 TRACE    conf - ../src/lxc/conf.c:get_minimal_idmap:4469 - Allocated minimal idmapping for ns uid 0 and ns gid 0
lxc-start test 20260222141658.651 TRACE    conf - ../src/lxc/conf.c:userns_exec_1:4533 - Establishing uid mapping for "19662" in new user namespace: nsuid 65536 - hostid 1000 - range 1
lxc-start test 20260222141658.651 TRACE    conf - ../src/lxc/conf.c:userns_exec_1:4533 - Establishing uid mapping for "19662" in new user namespace: nsuid 0 - hostid 624288 - range 65536
lxc-start test 20260222141658.651 TRACE    conf - ../src/lxc/conf.c:userns_exec_1:4533 - Establishing gid mapping for "19662" in new user namespace: nsuid 65536 - hostid 1000 - range 1
lxc-start test 20260222141658.651 TRACE    conf - ../src/lxc/conf.c:userns_exec_1:4533 - Establishing gid mapping for "19662" in new user namespace: nsuid 0 - hostid 624288 - range 65536
lxc-start test 20260222141658.652 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260222141658.652 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260222141658.652 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start test 20260222141658.698 TRACE    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:246 - newuidmap wrote mapping "newuidmap 19662 65536 1000 1 0 624288 65536"
lxc-start test 20260222141658.746 TRACE    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:246 - newgidmap wrote mapping "newgidmap 19662 65536 1000 1 0 624288 65536"
lxc-start test 20260222141658.747 TRACE    conf - ../src/lxc/conf.c:run_userns_fn:4405 - Calling function "chown_cgroup_wrapper"
lxc-start test 20260222141658.747 NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260222141658.751 TRACE    sync - ../src/lxc/sync.c:lxc_sync_barrier_child:97 - Parent waking child with sequence startup and waiting with sequence configure
lxc-start test 20260222141658.757 INFO     start - ../src/lxc/start.c:do_start:1105 - Unshared CLONE_NEWNET
lxc-start test 20260222141658.757 NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260222141658.757 NOTICE   utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1457 - Switched to gid 0
lxc-start test 20260222141658.757 NOTICE   utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1466 - Switched to uid 0
lxc-start test 20260222141658.758 TRACE    sync - ../src/lxc/sync.c:lxc_sync_wake_parent:104 - Child waking parent with sequence configure
lxc-start test 20260222141658.758 TRACE    sync - ../src/lxc/sync.c:lxc_sync_wait_parent:110 - Child waiting for parent with sequence post-configure
lxc-start test 20260222141658.759 DEBUG    start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved net namespace via fd 7 and stashed path as net:/proc/19656/fd/7
lxc-start test 20260222141658.761 WARN     start - ../src/lxc/start.c:lxc_spawn:1844 - Operation not permitted - Failed to allocate new network namespace id
lxc-start test 20260222141658.766 INFO     network - ../src/lxc/network.c:lxc_create_network_unpriv_exec:3001 - Execing lxc-user-nic create /home/vital/.local/share/lxc test 19657 veth lxcbr0 (null)
lxc-start test 20260222141658.967 ERROR    network - ../src/lxc/network.c:lxc_create_network_unpriv_exec:3029 - lxc-user-nic failed to configure requested network: ../src/lxc/cmd/lxc_user_nic.c: 838: lxc_secure_rename_in_ns - Permission denied - Failed opening network namespace path for 19657
../src/lxc/cmd/lxc_user_nic.c: 1219: main: Failed to rename the link
lxc-start test 20260222141658.967 ERROR    start - ../src/lxc/start.c:lxc_spawn:1852 - Failed to create the network
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_expose_namespace_environment:907 - Set environment variable LXC_USER_NS=/proc/19656/fd/20
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_expose_namespace_environment:907 - Set environment variable LXC_MNT_NS=/proc/19656/fd/21
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_expose_namespace_environment:907 - Set environment variable LXC_PID_NS=/proc/19656/fd/22
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_expose_namespace_environment:907 - Set environment variable LXC_UTS_NS=/proc/19656/fd/23
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_expose_namespace_environment:907 - Set environment variable LXC_IPC_NS=/proc/19656/fd/24
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_expose_namespace_environment:907 - Set environment variable LXC_NET_NS=/proc/19656/fd/7
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_expose_namespace_environment:907 - Set environment variable LXC_CGROUP_NS=/proc/19656/fd/25
lxc-start test 20260222141658.968 DEBUG    network - ../src/lxc/network.c:lxc_delete_network:4221 - Deleted network devices
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_serve_state_socket_pair:545 - Sent container state "ABORTING" to 5
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_serve_state_clients:484 - Set container state to ABORTING
lxc-start test 20260222141658.968 TRACE    start - ../src/lxc/start.c:lxc_serve_state_clients:487 - No state clients registered
lxc-start test 20260222141658.969 ERROR    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:832 - Received container state "ABORTING" instead of "RUNNING"
lxc-start test 20260222141658.969 ERROR    lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:307 - The container failed to start
lxc-start test 20260222141658.969 ERROR    lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:310 - To get more details, run the container in foreground mode
lxc-start test 20260222141658.970 ERROR    lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:312 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start test 20260222141658.973 ERROR    start - ../src/lxc/start.c:__lxc_start:2119 - Failed to spawn container "test"
lxc-start test 20260222141658.973 TRACE    start - ../src/lxc/start.c:lxc_serve_state_clients:484 - Set container state to ABORTING
lxc-start test 20260222141658.973 TRACE    start - ../src/lxc/start.c:lxc_serve_state_clients:487 - No state clients registered
lxc-start test 20260222141658.974 WARN     start - ../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL via pidfd 19 for process 19657
lxc-start test 20260222141658.974 TRACE    start - ../src/lxc/start.c:lxc_serve_state_clients:484 - Set container state to STOPPING
lxc-start test 20260222141658.974 TRACE    start - ../src/lxc/start.c:lxc_serve_state_clients:487 - No state clients registered
lxc-start test 20260222141658.978 TRACE    conf - ../src/lxc/conf.c:userns_exec_full:4796 - establishing uid mapping for "19674" in new user namespace: nsuid 0 - hostid 624288 - range 65536
lxc-start test 20260222141658.978 TRACE    conf - ../src/lxc/conf.c:userns_exec_full:4796 - establishing gid mapping for "19674" in new user namespace: nsuid 0 - hostid 624288 - range 65536
lxc-start test 20260222141658.978 TRACE    conf - ../src/lxc/conf.c:userns_exec_full:4796 - establishing uid mapping for "19674" in new user namespace: nsuid 65536 - hostid 1000 - range 1
lxc-start test 20260222141658.978 TRACE    conf - ../src/lxc/conf.c:userns_exec_full:4796 - establishing gid mapping for "19674" in new user namespace: nsuid 65536 - hostid 1000 - range 1
lxc-start test 20260222141658.978 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260222141658.979 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260222141658.979 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start test 20260222141658.105 TRACE    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:246 - newuidmap wrote mapping "newuidmap 19674 0 624288 65536 65536 1000 1"
lxc-start test 20260222141658.110 TRACE    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:246 - newgidmap wrote mapping "newgidmap 19674 0 624288 65536 65536 1000 1"
lxc-start test 20260222141658.110 TRACE    conf - ../src/lxc/conf.c:run_userns_fn:4405 - Calling function "cgroup_tree_remove_wrapper"
lxc-start test 20260222141658.111 NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260222141658.111 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:cgroup_tree_remove:491 - Removed cgroup tree 12(lxc.payload.test)
lxc-start test 20260222141658.111 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgroup_tree_create:726 - Created 12(lxc.pivot) cgroup
lxc-start test 20260222141658.111 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgroup_tree_create:741 - Opened newly created cgroup lxc.pivot as 4
lxc-start test 20260222141658.125 TRACE    cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_destroy:927 - Removed cgroup tree 12(lxc.monitor.test)
lxc-start test 20260222141658.125 TRACE    start - ../src/lxc/start.c:lxc_end:964 - Closed command socket
lxc-start test 20260222141658.125 TRACE    start - ../src/lxc/start.c:lxc_end:975 - Set container state to "STOPPED"
lxc-start test 20260222141658.126 INFO     utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "test", config section "lxc"

ip a

5: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 10:66:6a:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0
       valid_lft forever preferred_lft forever
    inet6 fc42:5009:ba4b:5ab0::1/64 scope global
       valid_lft forever preferred_lft forever

cat ~/.config/lxc/default.conf

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up

lxc.apparmor.profile = unconfined

.apparmor.profile = lxc-container-default-cgns
lxc.apparmor.allow_nesting = 1
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.idmap = u 0 624288 65536
lxc.idmap = g 0 624288 65536

cat /etc/lxc/lxc-usernet

vital veth lxcbr0 20

cat /etc/subgid (User vital that’s me)

systemd-timesync:100000:65536
systemd-network:165536:65536
systemd-resolve:231072:65536
Debian-exim:362144:65536
messagebus:427680:65536
statd:493216:65536
avahi-autoipd:558752:65536
vital:624288:65536
geoclue:689824:65536
saned:755360:65536
colord:820896:65536
uuidd:886432:65536
_lxd:951968:10000001
root:951968:10000001

cat /etc/subuid

systemd-timesync:100000:65536
systemd-network:165536:65536
systemd-resolve:231072:65536
Debian-exim:362144:65536
messagebus:427680:65536
statd:493216:65536
avahi-autoipd:558752:65536
vital:624288:65536
geoclue:689824:65536
saned:755360:65536
colord:820896:65536
uuidd:886432:65536
_lxd:951968:10000001
root:951968:10000001

Any ideas how to solve this?
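
Added example, not part of the original post: a Python cross-check of the three pieces of unprivileged-LXC configuration quoted above (lxc.idmap against /etc/subuid and /etc/subgid, and lxc.net.0 against /etc/lxc/lxc-usernet). The embedded sample text is copied from the values in the post; the function names are this example's own and the `groups` parameter is an assumption for `@group` entries in lxc-usernet.

```python
# Constructed sample input: values copied from the files quoted in the post.
SUBID = """\
avahi-autoipd:558752:65536
vital:624288:65536
geoclue:689824:65536
_lxd:951968:10000001
root:951968:10000001
"""
CONF = """\
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.idmap = u 0 624288 65536
lxc.idmap = g 0 624288 65536
"""
USERNET = "vital veth lxcbr0 20\n"


def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid text into {owner: [(start, count)]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            owner, start, count = line.split(":")
            ranges.setdefault(owner, []).append((int(start), int(count)))
    return ranges


def parse_conf(text):
    """Return (idmaps, nets) from LXC config text; unrelated keys are ignored."""
    idmaps, nets = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.idmap":
            kind, nsid, hostid, count = value.split()
            # "b" maps both uid and gid with one line
            for k in ("u", "g") if kind == "b" else (kind,):
                idmaps.append((k, int(nsid), int(hostid), int(count)))
        elif key.startswith("lxc.net."):
            parts = key.split(".", 3)
            if len(parts) == 4:
                nets.setdefault(parts[2], {})[parts[3]] = value
    return idmaps, nets


def parse_usernet(text):
    """Parse lxc-usernet text into [(who, type, bridge, quota)]."""
    grants = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4:
            grants.append((fields[0], fields[1], fields[2], int(fields[3])))
    return grants


def check(user, subuid, subgid, conf, usernet, groups=()):
    """Return a list of inconsistencies; an empty list means the files agree."""
    problems = []
    idmaps, nets = parse_conf(conf)
    delegated = {"u": parse_subid(subuid).get(user, []),
                 "g": parse_subid(subgid).get(user, [])}
    for kind, _nsid, hostid, count in idmaps:
        # The mapped host range must sit wholly inside a delegated range.
        if not any(start <= hostid and hostid + count <= start + n
                   for start, n in delegated[kind]):
            problems.append(f"lxc.idmap {kind} {hostid}+{count} is outside "
                            f"{user}'s delegated range")
    principals = {user} | {"@" + g for g in groups}
    grants = parse_usernet(usernet)
    for idx, net in sorted(nets.items()):
        if net.get("type") != "veth":
            continue
        bridge = net.get("link")
        if not any(who in principals and typ == "veth" and br == bridge and quota > 0
                   for who, typ, br, quota in grants):
            problems.append(f"lxc.net.{idx}: no lxc-usernet grant for "
                            f"{user} veth {bridge}")
    return problems


def overlapping_owners(text):
    """Return sorted owner pairs whose subordinate ID ranges intersect."""
    flat = [(o, s, s + c) for o, rs in parse_subid(text).items() for s, c in rs]
    pairs = set()
    for i, (o1, s1, e1) in enumerate(flat):
        for o2, s2, e2 in flat[i + 1:]:
            if o1 != o2 and s1 < e2 and s2 < e1:
                pairs.add(tuple(sorted((o1, o2))))
    return sorted(pairs)


if __name__ == "__main__":
    print("problems:", check("vital", SUBID, SUBID, CONF, USERNET))
    print("overlapping owners:", overlapping_owners(SUBID))
```

On the values quoted in the post, `check()` returns no problems, so the idmap, subordinate ID and lxc-usernet entries agree with each other; `overlapping_owners()` reports only that `_lxd` and `root` share one range.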