I would like to run an OCI container inside an Incus container that has Incus installed.
(A normal Incus container inside the Incus container runs normally.)
Host: Ubuntu 24.04 - Incus LTS from zabbly
Incus-Container: Ubuntu 24.04 - Incus Stable 6.15 from zabbly
Storage: ZFS on both (From Ubuntu repos)
The commands I run inside the Incus-Container:
incus remote add docker https://docker.io --protocol=oci
incus launch docker:hello-world hello
Output:
Launching hello
Error: Failed instance creation: Failed to run: /opt/incus/bin/incusd forkstart hello /var/lib/incus/containers /run/incus/hello/lxc.conf: exit status 1
incus info --show-log hello
Name: hello
Description:
Status: STOPPED
Type: container (application)
Architecture: x86_64
Created: 2025/08/15 16:53 UTC
Last Used: 2025/08/15 17:07 UTC
Log:
lxc hello 20250815170743.636 ERROR cgroup2_devices - ../src/lxc/cgroups/cgroup2_devices.c:bpf_program_load_kernel:332 - Operation not permitted - Failed to load bpf program: (null)
lxc hello 20250815170743.185 ERROR conf - ../src/lxc/conf.c:setup_sysctl_parameters:3137 - Invalid argument - Failed to setup sysctl parameters net.ipv4.ping_group_range to 0 4294967294
lxc hello 20250815170743.185 ERROR conf - ../src/lxc/conf.c:lxc_setup:4022 - Failed to setup sysctl parameters
lxc hello 20250815170743.186 ERROR start - ../src/lxc/start.c:do_start:1273 - Failed to setup container "hello"
lxc hello 20250815170743.186 ERROR sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
lxc hello 20250815170743.186 WARN network - ../src/lxc/network.c:lxc_delete_network_priv:3674 - Failed to rename interface with index 0 from "eth0" to its initial name "veth62b417df"
lxc hello 20250815170743.186 ERROR lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:837 - Received container state "ABORTING" instead of "RUNNING"
lxc hello 20250815170743.187 ERROR start - ../src/lxc/start.c:__lxc_start:2119 - Failed to spawn container "hello"
lxc hello 20250815170743.188 WARN start - ../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL via pidfd 18 for process 1802
lxc 20250815170743.265 ERROR af_unix - ../src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Connection reset by peer - Failed to receive response
lxc 20250815170743.266 ERROR commands - ../src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"
I have the following security settings already on the Incus-Container:
security.idmap.isolated: "true"
security.nesting: "true"
security.syscalls.intercept.bpf: "true"
security.syscalls.intercept.bpf.devices: "true"
security.syscalls.intercept.mknod: "true"
security.syscalls.intercept.setxattr: "true"
Which ones will I need, @stgraber?
stgraber
(Stéphane Graber)
August 15, 2025, 6:27pm
Can you try security.privileged=true?
The error you’re getting is because net.ipv4.ping_group_range can’t be set due to the nested container’s idmap. Assuming the parent container is unprivileged, there’s no real reason to have the nested container use a sub-map.
stgraber
(Stéphane Graber)
August 15, 2025, 6:29pm
Ah, actually the problem may be the other way around, your nested container may already be marked as privileged which then has Incus assume it can set the whole range (just looked at the code now).
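Why the sysctl write fails, as an added illustration that is not part of this thread and not Incus code: the kernel validates both endpoints of net.ipv4.ping_group_range against the gid map of the user namespace that owns the network namespace, and an endpoint with no mapping is rejected with EINVAL, which is the "Invalid argument" in the log above. The script below reproduces that check in plain shell against two constructed gid_map values (a single 1,000,000,000-entry range such as an isolated unprivileged container commonly gets, and the full-range map of the host's initial user namespace); the exact range lengths are assumptions for the example, and the script also reads the real /proc/self/gid_map when it is available.

```shell
#!/bin/sh
# Added example, not from the forum post or from Incus.
# gid_map format is "<ns_start> <parent_start> <length>" per line, as in
# /proc/<pid>/gid_map. Both maps below are constructed sample values.
NESTED_GID_MAP="0 1000000 1000000000"   # assumed isolated-container map
HOST_GID_MAP="0 0 4294967295"           # map of the initial user namespace

# gid_is_mapped MAP GID: succeed if GID lies in one of MAP's ranges.
# This mirrors the kernel's make_kgid()/gid_valid() test that the
# ping_group_range sysctl handler runs on each endpoint of the range.
gid_is_mapped() {
    _gid=$2
    while read -r _start _parent _len; do
        if [ -z "$_start" ]; then
            continue
        fi
        if [ "$_gid" -ge "$_start" ] && [ "$_gid" -lt "$((_start + _len))" ]; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# ping_range_ok MAP LOW HIGH: succeed if a write of "LOW HIGH" to
# net.ipv4.ping_group_range would be accepted under that gid map;
# fail (the kernel returns EINVAL) if either endpoint is unmapped.
ping_range_ok() {
    gid_is_mapped "$1" "$2" && gid_is_mapped "$1" "$3"
}

# max_mapped_gid MAP: print the highest namespace gid covered by MAP,
# i.e. the largest HIGH value a container with that map can write.
max_mapped_gid() {
    _max=-1
    while read -r _start _parent _len; do
        if [ -z "$_start" ]; then
            continue
        fi
        _end=$((_start + _len - 1))
        if [ "$_end" -gt "$_max" ]; then
            _max=$_end
        fi
    done <<EOF
$1
EOF
    echo "$_max"
}

# report LABEL MAP: explain what the value from the log (0 4294967294)
# would do under MAP and what the widest writable range is instead.
report() {
    if ping_range_ok "$2" 0 4294967294; then
        echo "$1: ping_group_range 0 4294967294 accepted"
    else
        echo "$1: ping_group_range 0 4294967294 -> EINVAL;" \
             "widest writable range is 0 $(max_mapped_gid "$2")"
    fi
}

report "host (init_user_ns)" "$HOST_GID_MAP"
report "nested isolated container (constructed map)" "$NESTED_GID_MAP"
if [ -r /proc/self/gid_map ]; then
    report "this shell's user namespace" "$(cat /proc/self/gid_map)"
fi
```

Run inside the outer Incus container and the nested one to compare the real maps: the nested container's map is what determines whether a full-range write can succeed, independent of the security.privileged flag on the instance being launched.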
Unfortunately, it does not make a difference (this is inside the first Incus-Container):
root@somehost:~# incus launch docker:hello-world hello7 -c security.privileged=true
Launching hello7
Error: Failed instance creation: Failed to run: /opt/incus/bin/incusd forkstart hello7 /var/lib/incus/containers /run/incus/hello7/lxc.conf: exit status 1
root@somehost:~# incus info --show-log hello7
Name: hello7
Description:
Status: STOPPED
Type: container (application)
Architecture: x86_64
Created: 2025/08/15 18:32 UTC
Last Used: 2025/08/15 18:32 UTC
Log:
lxc hello7 20250815183222.552 ERROR cgroup2_devices - ../src/lxc/cgroups/cgroup2_devices.c:bpf_program_load_kernel:332 - Operation not permitted - Failed to load bpf program: (null)
lxc hello7 20250815183222.618 ERROR conf - ../src/lxc/conf.c:setup_sysctl_parameters:3137 - Invalid argument - Failed to setup sysctl parameters net.ipv4.ping_group_range to 0 4294967294
lxc hello7 20250815183222.618 ERROR conf - ../src/lxc/conf.c:lxc_setup:4022 - Failed to setup sysctl parameters
lxc hello7 20250815183222.618 ERROR start - ../src/lxc/start.c:do_start:1273 - Failed to setup container "hello7"
lxc hello7 20250815183222.618 ERROR sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
lxc hello7 20250815183222.618 WARN network - ../src/lxc/network.c:lxc_delete_network_priv:3674 - Failed to rename interface with index 0 from "eth0" to its initial name "vethd277e491"
lxc hello7 20250815183222.618 ERROR lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:837 - Received container state "ABORTING" instead of "RUNNING"
lxc hello7 20250815183222.619 ERROR start - ../src/lxc/start.c:__lxc_start:2119 - Failed to spawn container "hello7"
lxc hello7 20250815183222.619 WARN start - ../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL via pidfd 18 for process 2368
lxc 20250815183222.690 ERROR af_unix - ../src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Connection reset by peer - Failed to receive response
lxc 20250815183222.690 ERROR commands - ../src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"
Can I fix it with the existing package of Incus I have?
stgraber
(Stéphane Graber)
August 15, 2025, 7:16pm
There’s a good chance that the fix will get cherry-picked at some point next week, assuming there are other bugfixes we want to roll out to users before 6.16.
Ok, then I’ll have to use Docker or Podman for now.
Thank you so much for the quick fix! Wish you a wonderful weekend!
In what release will it be?
stgraber
(Stéphane Graber)
August 27, 2025, 3:03pm
It was cherry-picked last week into the Zabbly stable packages.
Otherwise Incus 6.16 will also include it (due out late tomorrow).