"Cgroup namespace: required" in lxc-checkconfig and CONFIG_CGROUP_NS

That article says I need to enable CONFIG_CGROUP_NS in the kernel.

This page says that the option doesn’t exist in modern kernels.

Should lxc-checkconfig be fixed to not scare people?

Output of lxc-checkconfig

# lxc-checkconfig
LXC version 4.0.0-devel
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points: 


Cgroup v2 mount points: 
/sys/fs/cgroup

Cgroup v1 systemd controller: missing
Cgroup v1 freezer controller: missing
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: missing
CONFIG_NF_NAT_IPV6: missing
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: 

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Any thoughts @brauner ? Thanks

Cgroup namespaces never had a separate config entry; they were always under CONFIG_CGROUPS, i.e. if you have cgroups compiled into the kernel then cgroup namespaces should be available. Afaict, lxc-checkconfig is doing nothing wrong. Specifically the CONFIG_CGROUP_NS entry was something entirely different that had nothing to do with cgroup namespaces per se.

What we can do however, is to add a new entry in lxc-checkconfig that specifically checks for cgroup namespaces by looking at /proc/self/ns/cgroup.

This should do the trick:

1 Like
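
The check suggested in the reply above, looking at /proc/self/ns/cgroup instead of CONFIG_CGROUP_NS, written out as an added example (not code from lxc-checkconfig or from anyone in this thread). The function name, its two parameters and the "unverified" status are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide "Cgroup namespace" status from what the running kernel
# exposes, not from the obsolete CONFIG_CGROUP_NS option.
#
# cgroup_ns_status [NS_DIR] [KCONFIG]   (hypothetical helper)
#   NS_DIR  : directory with the per-process namespace links
#             (default: /proc/self/ns)
#   KCONFIG : optional uncompressed kernel config file; consulted only when
#             NS_DIR does not exist, e.g. when checking a kernel before boot
# Prints one of: enabled | missing | unverified
cgroup_ns_status() {
    ns_dir=${1:-/proc/self/ns}
    kconfig=${2:-}

    if [ -e "$ns_dir/cgroup" ] || [ -L "$ns_dir/cgroup" ]; then
        # The kernel publishes one link per namespace type it supports.
        echo "enabled"
    elif [ -d "$ns_dir" ]; then
        # Namespace links exist but there is none for cgroups:
        # this running kernel has no cgroup namespace support.
        echo "missing"
    elif [ -n "$kconfig" ] && [ -r "$kconfig" ] &&
         grep -q '^CONFIG_CGROUPS=y' "$kconfig"; then
        # No runtime view. CONFIG_CGROUPS=y is necessary, but a config file
        # alone cannot prove the kernel is new enough, so do not claim more.
        echo "unverified"
    else
        echo "missing"
    fi
    # CONFIG_CGROUP_NS is never read, so its absence cannot raise an alarm.
    return 0
}

# Report for the current host in lxc-checkconfig's "label: status" style.
echo "Cgroup namespace: $(cgroup_ns_status)"
```

On a host where /proc/self/ns/cgroup is present this prints "Cgroup namespace: enabled" regardless of whether CONFIG_CGROUP_NS appears in the kernel config.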

Hi @einfair
I am having a terrible time starting containers on Debian 11.
My Checkconfig also has these entries, like the one you posted.
Are these missing controllers and missing CONFIG_NF_NAT_IPV the reason why I cannot start containers on Debian 11??
Thank you

brauner (Christian Brauner) wrote: “Afaict, lxc-checkconfig is doing nothing wrong. Specifically the CONFIG_CGROUP_NS entry was something entirely different that had nothing to do with cgroup namespaces per se.”

I don’t understand your statement “Afaict, lxc-checkconfig is doing nothing wrong.” It seems to me that lxc-checkconfig should not emit “Cgroup namespace: required” based on the value of CONFIG_CGROUP_NS, since that configuration variable is no longer in use (since Linux 2.6.39).

Perhaps I’m missing something in your answer, but it seems to me that any reference to the no-longer-used CONFIG_CGROUP_NS should be removed entirely from lxc-checkconfig.