Failed to mount on "/usr/lib64/lxc/rootfs" unprivileged container

layer7 · September 23, 2019, 8:27pm

I have trouble starting an unprivileged container because he can not mount the rootfs:

lxc-start ubuntu-c1 20190923201824.624 ERROR    dir - storage/dir.c:dir_mount:198 - Permission denied - Failed to mount "/var/lib/lxc/ubuntu-c1/rootfs" on "/usr/lib64/lxc/rootfs"
lxc-start ubuntu-c1 20190923201824.624 ERROR    conf - conf.c:lxc_mount_rootfs:1326 - Failed to mount rootfs "/var/lib/lxc/ubuntu-c1/rootfs" onto "/usr/lib64/lxc/rootfs" with options "(null)"
lxc-start ubuntu-c1 20190923201824.624 ERROR    conf - conf.c:lxc_setup_rootfs_prepare_root:3393 - Failed to setup rootfs for
lxc-start ubuntu-c1 20190923201824.624 ERROR    conf - conf.c:lxc_setup:3496 - Failed to setup rootfs
lxc-start ubuntu-c1 20190923201824.624 ERROR    start - start.c:do_start:1299 - Failed to setup container "ubuntu-c1"

Config:

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r xenial -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf


lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536


# For Ubuntu 14.04
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
lxc.arch = linux64

# Container specific configuration
lxc.rootfs.path = dir:/var/lib/lxc/ubuntu-c1/rootfs
lxc.uts.name = ubuntu-c1

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = ovsbr
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:fb:04:b3

lxc-start ubuntu-c1 --logfile log --logpriority debug -l trace

lxc-start ubuntu-c1 20190923201824.516 INFO     confile - confile.c:set_config_idmaps:1576 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start ubuntu-c1 20190923201824.516 INFO     confile - confile.c:set_config_idmaps:1576 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start ubuntu-c1 20190923201824.517 TRACE    commands - commands.c:lxc_cmd:302 - Connection refused - Command "get_init_pid" failed to connect command socket
lxc-start ubuntu-c1 20190923201824.517 TRACE    commands - commands.c:lxc_cmd:302 - Connection refused - Command "get_state" failed to connect command socket
lxc-start ubuntu-c1 20190923201824.517 TRACE    start - start.c:lxc_init_handler:766 - Created anonymous pair {4,5} of unix sockets
lxc-start ubuntu-c1 20190923201824.517 TRACE    commands - commands.c:lxc_cmd_init:1273 - Created abstract unix socket "/var/lib/lxc/ubuntu-c1/command"
lxc-start ubuntu-c1 20190923201824.517 TRACE    start - start.c:lxc_init_handler:779 - Unix domain socket 6 for command server is ready
lxc-start ubuntu-c1 20190923201824.517 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:971 - Set process title to [lxc monitor] /var/lib/lxc ubuntu-c1
lxc-start ubuntu-c1 20190923201824.517 TRACE    start - start.c:lxc_start:2128 - Doing lxc_start
lxc-start ubuntu-c1 20190923201824.518 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver nop
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:lxc_init:799 - Initialized LSM
lxc-start ubuntu-c1 20190923201824.518 TRACE    seccomp - seccomp.c:get_new_ctx:458 - Added arch 2 to main seccomp context
lxc-start ubuntu-c1 20190923201824.518 TRACE    seccomp - seccomp.c:get_new_ctx:466 - Removed native arch from main seccomp context
lxc-start ubuntu-c1 20190923201824.518 TRACE    seccomp - seccomp.c:get_new_ctx:458 - Added arch 3 to main seccomp context
lxc-start ubuntu-c1 20190923201824.518 TRACE    seccomp - seccomp.c:get_new_ctx:466 - Removed native arch from main seccomp context
lxc-start ubuntu-c1 20190923201824.518 TRACE    seccomp - seccomp.c:get_new_ctx:471 - Arch 4 already present in main seccomp context
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:do_resolve_add_rule:505 - Set seccomp rule to reject force umounts
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "[all]"
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "kexec_load errno 1"
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "open_by_handle_at errno 1"
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "init_module errno 1"
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "finit_module errno 1"
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:759 - Processing "delete_module errno 1"
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:935 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:944 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:954 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:964 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start ubuntu-c1 20190923201824.518 INFO     seccomp - seccomp.c:parse_config_v2:970 - Merging compat seccomp contexts into main context
lxc-start ubuntu-c1 20190923201824.518 TRACE    seccomp - seccomp.c:parse_config_v2:980 - Merged first compat seccomp context into main context
lxc-start ubuntu-c1 20190923201824.518 TRACE    seccomp - seccomp.c:parse_config_v2:996 - Merged second compat seccomp context into main context
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:lxc_init:806 - Read seccomp policy
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:lxc_serve_state_clients:474 - Set container state to STARTING
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:lxc_serve_state_clients:477 - No state clients registered
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:lxc_init:814 - Set container state to "STARTING"
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:lxc_init:877 - Set environment variables
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:lxc_init:884 - Ran pre-start hooks
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:setup_signal_fd:356 - Created signal file descriptor 7
lxc-start ubuntu-c1 20190923201824.518 TRACE    start - start.c:lxc_init:895 - Set up signal fd
lxc-start ubuntu-c1 20190923201824.519 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:676 - No such device - The process does not have a controlling terminal
lxc-start ubuntu-c1 20190923201824.519 TRACE    start - start.c:lxc_init:903 - Created console
lxc-start ubuntu-c1 20190923201824.519 TRACE    terminal - terminal.c:lxc_terminal_map_ids:1192 - Chowned terminal "/dev/pts/39"
lxc-start ubuntu-c1 20190923201824.519 TRACE    start - start.c:lxc_init:910 - Chowned console
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1016 - basecginfo is:
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1017 - 11:cpuset:/
10:devices:/init.scope
9:blkio:/init.scope
8:freezer:/
7:perf_event:/
6:cpu,cpuacct:/init.scope
5:net_cls,net_prio:/
4:pids:/init.scope
3:hugetlb:/
2:memory:/init.scope
1:name=systemd:/init.scope
0::/init.scope

lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 0: cpuset
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 1: devices
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 2: blkio
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 3: freezer
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 4: perf_event
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 5: cpu
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 6: cpuacct
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 7: net_cls
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 8: net_prio
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 9: pids
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 10: hugetlb
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 11: memory
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1020 - kernel subsystem 12: cgroup2
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:1023 - named subsystem 0: name=systemd
lxc-start ubuntu-c1 20190923201824.519 TRACE    cgfsng - cgroups/cgfsng.c:cg_hybrid_init:2570 - No controllers are enabled for delegation in the unified hierarchy
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:cg_hybrid_init:2597 - Writable cgroup hierarchies:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:997 -   Hierarchies:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   0: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/unified
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   1: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/systemd
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: name=systemd
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   2: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/memory
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: memory
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   3: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/hugetlb
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: hugetlb
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   4: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/pids
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: pids
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   5: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/net_cls,net_prio
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: net_cls
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       1: net_prio
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   6: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/cpu,cpuacct
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: cpu
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       1: cpuacct
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   7: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/perf_event
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: perf_event
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   8: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/freezer
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: freezer
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   9: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/blkio
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: blkio
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   10: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/devices
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: devices
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1002 -   11: base_cgroup: /
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1003 -       mountpoint:  /sys/fs/cgroup/cpuset
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1004 -       controllers:
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:1006 -       0: cpuset
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgroup - cgroups/cgroup.c:cgroup_init:56 - Initialized cgroup driver cgfsng
lxc-start ubuntu-c1 20190923201824.520 TRACE    cgroup - cgroups/cgroup.c:cgroup_init:61 - Running with hybrid cgroup layout
lxc-start ubuntu-c1 20190923201824.520 TRACE    start - start.c:lxc_init:917 - Initialized cgroup driver
lxc-start ubuntu-c1 20190923201824.520 INFO     start - start.c:lxc_init:919 - Container "ubuntu-c1" is initialized
lxc-start ubuntu-c1 20190923201824.521 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_filter_and_set_cpus:495 - No isolated or offline cpus present in cpuset
lxc-start ubuntu-c1 20190923201824.521 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:612 - "cgroup.clone_children" was already set to "1"
lxc-start ubuntu-c1 20190923201824.521 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1403 - The monitor process uses "lxc.monitor/ubuntu-c1" as cgroup
lxc-start ubuntu-c1 20190923201824.522 DEBUG    storage - storage/storage.c:get_storage_by_name:232 - Detected rootfs type "dir"
lxc-start ubuntu-c1 20190923201824.526 INFO     network - network.c:instantiate_veth:148 - Retrieved mtu 1500 from ovsbr
lxc-start ubuntu-c1 20190923201824.586 INFO     network - network.c:instantiate_veth:176 - Attached "vethWAE03C" to bridge "ovsbr"
lxc-start ubuntu-c1 20190923201824.586 DEBUG    network - network.c:instantiate_veth:201 - Instantiated veth "vethWAE03C/vethHEPARZ", index is "1852"
lxc-start ubuntu-c1 20190923201824.586 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1277 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc.payload/ubuntu-c1"
lxc-start ubuntu-c1 20190923201824.586 ERROR    cgfsng - cgroups/cgfsng.c:container_create_path_for_hierarchy:1317 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/ubuntu-c1"
lxc-start ubuntu-c1 20190923201824.586 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1453 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/ubuntu-c1"
lxc-start ubuntu-c1 20190923201824.586 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1277 - File exists - Failed to create directory "/sys/fs/cgroup/unified//lxc.payload/ubuntu-c1-1"
lxc-start ubuntu-c1 20190923201824.586 ERROR    cgfsng - cgroups/cgfsng.c:container_create_path_for_hierarchy:1317 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/ubuntu-c1-1"
lxc-start ubuntu-c1 20190923201824.586 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1453 - Failed to create cgroup "/sys/fs/cgroup/unified//lxc.payload/ubuntu-c1-1"
lxc-start ubuntu-c1 20190923201824.588 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_filter_and_set_cpus:495 - No isolated or offline cpus present in cpuset
lxc-start ubuntu-c1 20190923201824.588 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:612 - "cgroup.clone_children" was already set to "1"
lxc-start ubuntu-c1 20190923201824.588 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1468 - The container process uses "lxc.payload/ubuntu-c1-2" as cgroup
lxc-start ubuntu-c1 20190923201824.589 TRACE    start - start.c:lxc_spawn:1740 - Cloned child process 11489
lxc-start ubuntu-c1 20190923201824.589 INFO     start - start.c:lxc_spawn:1750 - Cloned CLONE_NEWUSER
lxc-start ubuntu-c1 20190923201824.589 INFO     start - start.c:lxc_spawn:1750 - Cloned CLONE_NEWNS
lxc-start ubuntu-c1 20190923201824.589 INFO     start - start.c:lxc_spawn:1750 - Cloned CLONE_NEWPID
lxc-start ubuntu-c1 20190923201824.589 INFO     start - start.c:lxc_spawn:1750 - Cloned CLONE_NEWUTS
lxc-start ubuntu-c1 20190923201824.589 INFO     start - start.c:lxc_spawn:1750 - Cloned CLONE_NEWIPC
lxc-start ubuntu-c1 20190923201824.589 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved user namespace via fd 16
lxc-start ubuntu-c1 20190923201824.589 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved mnt namespace via fd 17
lxc-start ubuntu-c1 20190923201824.589 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved pid namespace via fd 18
lxc-start ubuntu-c1 20190923201824.589 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved uts namespace via fd 19
lxc-start ubuntu-c1 20190923201824.589 DEBUG    start - start.c:lxc_try_preserve_namespaces:192 - Preserved ipc namespace via fd 20
lxc-start ubuntu-c1 20190923201824.589 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2798 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start ubuntu-c1 20190923201824.589 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2798 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start ubuntu-c1 20190923201824.589 DEBUG    conf - conf.c:lxc_map_ids:2884 - Functional newuidmap and newgidmap binary found
lxc-start ubuntu-c1 20190923201824.595 TRACE    conf - conf.c:lxc_map_ids:2958 - newuidmap wrote mapping "newuidmap 11489 0 100000 65536"
lxc-start ubuntu-c1 20190923201824.599 TRACE    conf - conf.c:lxc_map_ids:2958 - newgidmap wrote mapping "newgidmap 11489 0 100000 65536"
lxc-start ubuntu-c1 20190923201824.600 INFO     start - start.c:do_start:1168 - Unshared CLONE_NEWNET
lxc-start ubuntu-c1 20190923201824.600 INFO     cgfsng - cgroups/cgfsng.c:__cg_legacy_setup_limits:2353 - Limits for the legacy cgroup hierarchies have been setup
lxc-start ubuntu-c1 20190923201824.601 TRACE    conf - conf.c:get_minimal_idmap:4265 - Allocated minimal idmapping
lxc-start ubuntu-c1 20190923201824.601 TRACE    conf - conf.c:userns_exec_1:4325 - Establishing uid mapping for "11512" in new user namespace: nsuid 0 - hostid 100000 - range 65536
lxc-start ubuntu-c1 20190923201824.601 TRACE    conf - conf.c:userns_exec_1:4325 - Establishing uid mapping for "11512" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start ubuntu-c1 20190923201824.601 TRACE    conf - conf.c:userns_exec_1:4325 - Establishing gid mapping for "11512" in new user namespace: nsuid 0 - hostid 100000 - range 65536
lxc-start ubuntu-c1 20190923201824.601 TRACE    conf - conf.c:userns_exec_1:4325 - Establishing gid mapping for "11512" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start ubuntu-c1 20190923201824.601 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2798 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start ubuntu-c1 20190923201824.601 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2798 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start ubuntu-c1 20190923201824.601 DEBUG    conf - conf.c:lxc_map_ids:2884 - Functional newuidmap and newgidmap binary found
lxc-start ubuntu-c1 20190923201824.606 TRACE    conf - conf.c:lxc_map_ids:2958 - newuidmap wrote mapping "newuidmap 11512 0 100000 65536 65536 0 1"
lxc-start ubuntu-c1 20190923201824.610 TRACE    conf - conf.c:lxc_map_ids:2958 - newgidmap wrote mapping "newgidmap 11512 0 100000 65536 65536 0 1"
lxc-start ubuntu-c1 20190923201824.610 TRACE    conf - conf.c:run_userns_fn:4089 - Calling function "chown_cgroup_wrapper"
lxc-start ubuntu-c1 20190923201824.610 WARN     cgfsng - cgroups/cgfsng.c:chowmod:1523 - No such file or directory - Failed to chown(/sys/fs/cgroup/unified//lxc.payload/ubuntu-c1-2/memory.oom.group, 65536, 0)
lxc-start ubuntu-c1 20190923201824.611 DEBUG    start - start.c:lxc_spawn:1805 - Preserved net namespace via fd 11
lxc-start ubuntu-c1 20190923201824.611 TRACE    start - start.c:lxc_spawn:1812 - Allocated new network namespace id
lxc-start ubuntu-c1 20190923201824.624 DEBUG    network - network.c:lxc_network_move_created_netdev_priv:2617 - Moved network device "vethHEPARZ"/"(null)" to network namespace of 11489
lxc-start ubuntu-c1 20190923201824.624 NOTICE   utils - utils.c:lxc_switch_uid_gid:1403 - Switched to gid 0
lxc-start ubuntu-c1 20190923201824.624 NOTICE   utils - utils.c:lxc_switch_uid_gid:1412 - Switched to uid 0
lxc-start ubuntu-c1 20190923201824.624 NOTICE   utils - utils.c:lxc_setgroups:1425 - Dropped additional groups
lxc-start ubuntu-c1 20190923201824.624 INFO     start - start.c:do_start:1279 - Unshared CLONE_NEWCGROUP
lxc-start ubuntu-c1 20190923201824.624 TRACE    conf - conf.c:remount_all_slave:3298 - Remounted all mount table entries as MS_SLAVE
lxc-start ubuntu-c1 20190923201824.624 DEBUG    storage - storage/storage.c:get_storage_by_name:232 - Detected rootfs type "dir"
lxc-start ubuntu-c1 20190923201824.624 ERROR    dir - storage/dir.c:dir_mount:198 - Permission denied - Failed to mount "/var/lib/lxc/ubuntu-c1/rootfs" on "/usr/lib64/lxc/rootfs"
lxc-start ubuntu-c1 20190923201824.624 ERROR    conf - conf.c:lxc_mount_rootfs:1326 - Failed to mount rootfs "/var/lib/lxc/ubuntu-c1/rootfs" onto "/usr/lib64/lxc/rootfs" with options "(null)"
lxc-start ubuntu-c1 20190923201824.624 ERROR    conf - conf.c:lxc_setup_rootfs_prepare_root:3393 - Failed to setup rootfs for
lxc-start ubuntu-c1 20190923201824.624 ERROR    conf - conf.c:lxc_setup:3496 - Failed to setup rootfs
lxc-start ubuntu-c1 20190923201824.624 ERROR    start - start.c:do_start:1299 - Failed to setup container "ubuntu-c1"
lxc-start ubuntu-c1 20190923201824.624 ERROR    sync - sync.c:__sync_wait:61 - An error occurred in another process (expected sequence number 5)
lxc-start ubuntu-c1 20190923201824.624 INFO     network - network.c:lxc_delete_network_priv:2719 - Interface "(null)" with index 1852 already deleted or existing in different network namespace
lxc-start ubuntu-c1 20190923201824.624 INFO     network - network.c:lxc_delete_network_priv:2723 - Removed interface "(null)" with index 1852
lxc-start ubuntu-c1 20190923201824.649 INFO     network - network.c:lxc_delete_network_priv:2746 - Removed interface "vethWAE03C" from "ovsbr"
lxc-start ubuntu-c1 20190923201824.705 INFO     network - network.c:lxc_delete_network_priv:2761 - Removed port "vethWAE03C" from openvswitch bridge "ovsbr"
lxc-start ubuntu-c1 20190923201824.705 DEBUG    network - network.c:lxc_delete_network:3308 - Deleted network devices
lxc-start ubuntu-c1 20190923201824.705 TRACE    start - start.c:lxc_serve_state_socket_pair:543 - Sent container state "ABORTING" to 5
lxc-start ubuntu-c1 20190923201824.705 TRACE    start - start.c:lxc_serve_state_clients:474 - Set container state to ABORTING
lxc-start ubuntu-c1 20190923201824.705 TRACE    start - start.c:lxc_serve_state_clients:477 - No state clients registered
lxc-start ubuntu-c1 20190923201824.705 DEBUG    lxccontainer - lxccontainer.c:wait_on_daemonized_start:839 - First child 11452 exited
lxc-start ubuntu-c1 20190923201824.705 ERROR    start - start.c:lxc_abort:1103 - No such file or directory - Failed to send SIGKILL to 11489
lxc-start ubuntu-c1 20190923201824.705 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:850 - Received container state "ABORTING" instead of "RUNNING"
lxc-start ubuntu-c1 20190923201824.705 ERROR    lxc_start - tools/lxc_start.c:main:329 - The container failed to start
lxc-start ubuntu-c1 20190923201824.705 ERROR    start - start.c:__lxc_start:2019 - Failed to spawn container "ubuntu-c1"
lxc-start ubuntu-c1 20190923201824.705 TRACE    start - start.c:lxc_serve_state_clients:474 - Set container state to STOPPING
lxc-start ubuntu-c1 20190923201824.705 TRACE    start - start.c:lxc_serve_state_clients:477 - No state clients registered
lxc-start ubuntu-c1 20190923201824.705 ERROR    lxc_start - tools/lxc_start.c:main:332 - To get more details, run the container in foreground mode
lxc-start ubuntu-c1 20190923201824.705 ERROR    lxc_start - tools/lxc_start.c:main:334 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start ubuntu-c1 20190923201824.705 TRACE    conf - conf.c:get_minimal_idmap:4265 - Allocated minimal idmapping
lxc-start ubuntu-c1 20190923201824.706 TRACE    conf - conf.c:userns_exec_1:4325 - Establishing uid mapping for "11561" in new user namespace: nsuid 0 - hostid 100000 - range 65536
lxc-start ubuntu-c1 20190923201824.706 TRACE    conf - conf.c:userns_exec_1:4325 - Establishing uid mapping for "11561" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start ubuntu-c1 20190923201824.706 TRACE    conf - conf.c:userns_exec_1:4325 - Establishing gid mapping for "11561" in new user namespace: nsuid 0 - hostid 100000 - range 65536
lxc-start ubuntu-c1 20190923201824.706 TRACE    conf - conf.c:userns_exec_1:4325 - Establishing gid mapping for "11561" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start ubuntu-c1 20190923201824.706 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2798 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start ubuntu-c1 20190923201824.706 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2798 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start ubuntu-c1 20190923201824.706 DEBUG    conf - conf.c:lxc_map_ids:2884 - Functional newuidmap and newgidmap binary found
lxc-start ubuntu-c1 20190923201824.711 TRACE    conf - conf.c:lxc_map_ids:2958 - newuidmap wrote mapping "newuidmap 11561 0 100000 65536 65536 0 1"
lxc-start ubuntu-c1 20190923201824.714 TRACE    conf - conf.c:lxc_map_ids:2958 - newgidmap wrote mapping "newgidmap 11561 0 100000 65536 65536 0 1"
lxc-start ubuntu-c1 20190923201824.714 TRACE    conf - conf.c:run_userns_fn:4089 - Calling function "cgroup_rmdir_wrapper"
lxc-start ubuntu-c1 20190923201824.717 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_filter_and_set_cpus:495 - No isolated or offline cpus present in cpuset
lxc-start ubuntu-c1 20190923201824.717 DEBUG    cgfsng - cgroups/cgfsng.c:cg_legacy_handle_cpuset_hierarchy:612 - "cgroup.clone_children" was already set to "1"
lxc-start ubuntu-c1 20190923201824.718 TRACE    start - start.c:lxc_fini:1024 - Closed command socket
lxc-start ubuntu-c1 20190923201824.718 TRACE    start - start.c:lxc_fini:1035 - Set container state to "STOPPED"

/etc/subuid and subgid are on root:100000:65536

# ls -la 
total 84
drwxrwx---  3 root   root      45 Sep 23 22:18 .
drwxr-xr-x  3 root   root      23 Sep 18 02:56 ..
-rw-r-----  1 root   root    1103 Sep 23 22:21 config
-rw-r-----  1 root   root   80123 Sep 23 22:21 log
drwxr-xr-x 21 100000 100000   224 Sep 23 22:21 rootfs

I also tried to move this whole thing into a user under /home/$user/.config and .local and .cache and so on. Same issue.

Starting the vm privileged works instantly.

Any idea’s ?

Thank you !