CentOS 7.6 unprivileged Centos container "failed to mount cgroup at /sys/fs/cgroup/systemd"


I have a CentOS 7.6 host with EPEL lxc 1.0.11-1 and try to use CentOS unprivileged containers (no problem with privileged) with the root account.

On the host I added “root:100000:65536” to the files “/etc/subuid” and “/etc/subgid”,
“lxc.id_map = u 0 100000 65536” and “lxc.id_map = g 0 100000 65536” to the file “/etc/lxc/default.conf”,
“user.max_user_namespaces = 7976” (default 0 on CentOS 7) to the file /etc/sysctl.conf.

I created/started the CentOS 7 container with no network.

lxc-create -n centos-nopriv -i download – -d centos -r 7 -a amd64

lxc-start -n centos-nopriv -L DEBUG -d

But the container startup do not complete I have only the “init” process and in the file DEBUG

Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
Detected virtualization lxc.
Detected architecture x86-64.

Welcome to CentOS Linux 7 (Core)!

Failed to read AF_UNIX datagram queue length, ignoring: No such file or directory
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: No such file or directory
Failed to allocate manager object: No such file or directory
[!!!] Failed to allocate manager object, freezing.

I can access the container

lxc-attach -n centos-nopriv

[root@centos-nopriv /]# ps -ef
root 1 0 0 08:38 ? 00:00:00 /sbin/init
root 4 0 0 08:39 ? 00:00:00 /bin/bash
root 42 4 0 08:43 ? 00:00:00 ps -ef
[root@centos-nopriv /]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/vgxxx-lvxxx 20957184 2136916 18820268 11% /
devtmpfs 1020884 0 1020884 0% /dev
tmpfs 1022520 0 1022520 0% /dev/shm
tmpfs 1022520 4 1022516 1% /run
tmpfs 1022520 0 1022520 0% /sys/fs/cgroup
[root@centos-nopriv /]# ls -ld /sys/fs/cgroup/systemd
drwxr-xr-x. 3 root root 60 Dec 19 08:39 /sys/fs/cgroup/systemd
[root@centos-nopriv /]# touch /sys/fs/cgroup/systemd/toto
[root@centos-nopriv /]# rm -f /sys/fs/cgroup/systemd/toto
[root@centos-nopriv /]# exit

The container config:

lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
lxc.mount.auto = proc:mixed sys:ro
lxc.tty = 4
lxc.pts = 1024
lxc.arch = x86_64
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.utsname = centos-nopriv
lxc.network.type = empty
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
lxc.cap.drop = setfcap
lxc.cap.drop = sys_module
lxc.cap.drop = sys_nice
lxc.cap.drop = sys_pacct
lxc.cap.drop = sys_rawio
lxc.cap.drop = sys_time
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.rootfs = /srv/diode/lxc/centos-nopriv/rootfs

I have no problem with unprivileged containers and a Fedora fc29/lxc 3.0.3-1(no success with fc28/lxc 2…) but I can not used Fedora in prod.

Best regards.


LXC 1.0 isn’t considered to support running systemd containers.
It’s unaware of cgroup namespaces that would help in this case and is also missing a number of other systemd support features like the new /dev handling and console management.

You should really try to get to LXC 2.0 or even better, 3.0 as more recent LTS releases.

Thank You,

No problem to install a kernel 4 from the elrepo but do you where can I download lxc 2 or 3 rpm for CentOS 7 ?

Best regards.



No systemd problem with Centos 7/lxc 1 with privileged container.

With no privileged container systemd with FC 28/lxc 2 does not work, I have to use FC 29/lxc 3.

Best regards.


https://copr.fedorainfracloud.org/coprs/ganto/lxc3/ appears to be compatible with CentOS 7 and provides the LXC 3.0 LTS release.


Thank you ! form the “Copr ganto” repo I upgraded lxc to version 3.0.3 (lua-lxc is in 3.0.2 version) and now I can start no privileged CentOS/systemd containers with the default CentOS kernel 3.10.0-957.1.3.

I added the file “/etc/yum.repos.d/ganto-lxc3-epel-7.repo”

name=Copr repo for lxc3 owned by ganto

and updated lxc with

yum update lxc lxc-templates lua-lxc python34-lxc lxc-libs

Now I have some works to implement what we need.

Best regards.