Hello LXC community! I’m a Forgejo contributor who is working on solving a bug with the Forgejo Actions runner where running jobs in LXC containers causes a loss of random chunks of log data. I’m reaching out here for two possible pieces of help…
For context, the Forgejo Actions runner allows running continuous integration scripts on Forgejo repositories, very similar to the more well-known GitHub Actions. Typically these occur in docker containers, but Forgejo has enhanced this capability with LXC containers as well. We’ve been struggling with an issue where, when a CI action is running and failing, it may output a lot of logs in a short time window. On our LXC implementation we find that sometimes these logs are missing chunks of data.
I believe that the root cause of this issue is that we run lxc-attach with a target command, and when lxc-attach pipes stdout around it allows data from “short writes” to stdout to be discarded (lxc/src/lxc/terminal.c at cba4ce7ef2ec09176de0aaca80f94636bcffabf2 · lxc/lxc · GitHub). As Forgejo’s runner starts subcommands in a pty, lxc-attach has a small buffer to write into and, as fast as we can read that buffer, we see data loss intermittently. The same would happen with the --pty-log option; as our use-case requires us to stream data into another application, we’d need to connect this to a FIFO which would have some limited buffering capability.
I’ve currently minimized the amount of data loss by attempting to read the pty buffer as quickly as we can to keep it as-available as possible for lxc-attach to write to. But minimizing data loss isn’t as great as eliminating it.
My new plan to address this issue has two steps:
- I’ve introduced a new automated test which attempts to verify as much of the LXC environment as possible – eg. that the correct user, cwd, linux namespaces, cgroup, pty, are all “operating as expected”.
- Now I’m proposing to replace
lxc-attachwithnsenterso that we can avoid the short-write behaviour oflxc-attach. With the automated test unchanged, the hope is that there’s a guarantee that all the relevant isolation, security, and other attributes of running commands within the container are maintained.
So, the two pieces of help that I’m looking for are…
- I’m reasonably confident that replacing
lxc-attachwithnsenter(Making sure you're not a bot!) is fixing our log problem, but I’m less confident that we’re doing everything we need to do to provide the same execution environment undernsenterthat we previously had. If someone with more LXC experience could review this idea and give me some feedback, it’d be greatly appreciated. - I’m operating under the assumption that the
lxc-attachbehaviour with short writes is as-designed and as-intended, which is why I’m taking the step of working around it. I’d love to hear a confirmation of this (and possibly an explanation? perhaps intentionally not providing backpressure to the running command, for some reason?). Either way we’d probably have to continue down thensenterpath in the short-term, but if there was a pathway to fixing this inlxc-enterthen there may be different options in the long-term.
Appreciate any time that could be spared to help out with this.

