LXC 6.0.4 unprivileged containers get stuck on reboot on Debian 13

LXC
1

I have an unprivileged container owned by an unprivileged host user. After upgrading to Debian 13 which included LXC 6.0.4, regardless of the container’s OS, attempting to restart the container by rebooting inside the container causes the lxc monitor process to hang and start consuming CPU. lxc-ls and similar commands that enumerate the container also hang until the unresponsive lxc monitor is kill -9ed.

Logs seem to point to some kind of Dbus issue when restarting the container. systemd --user is running, lingering is enabled. Running user scopes outside of LXC via systemd-run works fine.

There are no child processes, the cgroup after a reboot looks like this:

├─lxc-dev-r1ch-0.scope
│ └─lxc.pivot
│   └─1444571 [lxc monitor] /home/lxc/.local/share/lxc dev-r1ch

Attaching to the hung PID shows it busy looping in poll / sleep:

strace: Process 1444571 attached
poll([{fd=7, events=POLLIN}], 1, 0)     = 0 (Timeout)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=1000}, NULL) = 0
poll([{fd=7, events=POLLIN}], 1, 0)     = 0 (Timeout)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=1000}, NULL) = 0
poll([{fd=7, events=POLLIN}], 1, 0)     = 0 (Timeout)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=1000}, NULL) = 0
poll([{fd=7, events=POLLIN}], 1, 0)     = 0 (Timeout)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=1000}, NULL) = 0
poll([{fd=7, events=POLLIN}], 1, 0)     = 0 (Timeout)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=1000}, NULL) = 0
poll([{fd=7, events=POLLIN}], 1, 0)     = 0 (Timeout)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=1000}, NULL) = 0
poll([{fd=7, events=POLLIN}], 1, 0)     = 0 (Timeout)
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=1000}, NULL) = 0

Debug log:

lxc-start dev-r1ch 20250929180530.171 NOTICE   conf - ../src/lxc/conf.c:lxc_setup:4022 - The container "dev-r1ch" is set up
lxc-start dev-r1ch 20250929180530.171 INFO     apparmor - ../src/lxc/lsm/apparmor.c:apparmor_process_label_set_at:1179 - Set AppArmor label to "lxc-container-default-with-nesting"
lxc-start dev-r1ch 20250929180530.171 INFO     apparmor - ../src/lxc/lsm/apparmor.c:apparmor_process_label_set:1224 - Changed AppArmor profile to lxc-container-default-with-nesting
lxc-start dev-r1ch 20250929180530.171 DEBUG    terminal - ../src/lxc/terminal.c:lxc_terminal_peer_default:709 - No such device - The process does not have a controlling terminal
lxc-start dev-r1ch 20250929180530.171 NOTICE   start - ../src/lxc/start.c:start:2206 - Exec'ing "/sbin/init"
lxc-start dev-r1ch 20250929180530.171 NOTICE   start - ../src/lxc/start.c:post_start:2217 - Started "/sbin/init" with pid "1447981"
lxc-start dev-r1ch 20250929180530.171 NOTICE   start - ../src/lxc/start.c:signal_handler:447 - Received 17 from pid 1447982 instead of container init 1447981
lxc-start dev-r1ch 20250929180555.799 DEBUG    start - ../src/lxc/start.c:signal_handler:465 - Container init process 1447981 exited
lxc-start dev-r1ch 20250929180555.799 DEBUG    start - ../src/lxc/start.c:__lxc_start:2152 - Hangup(1) - Container "dev-r1ch" is rebooting
lxc-start dev-r1ch 20250929180555.799 INFO     error - ../src/lxc/error.c:lxc_error_set_and_log:34 - Child <1447981> ended on signal Hangup(1)
lxc-start dev-r1ch 20250929180555.799 DEBUG    network - ../src/lxc/network.c:lxc_delete_network:4220 - Deleted network devices
lxc-start dev-r1ch 20250929180555.799 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start dev-r1ch 20250929180555.799 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start dev-r1ch 20250929180555.799 DEBUG    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start dev-r1ch 20250929180555.802 NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1477 - Dropped supplimentary groups
lxc-start dev-r1ch 20250929180555.843 INFO     utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "dev-r1ch", config section "lxc"
lxc-start dev-r1ch 20250929180556.344 INFO     lxccontainer - ../src/lxc/lxccontainer.c:do_lxcapi_start:1090 - Container requested reboot
lxc-start dev-r1ch 20250929180556.344 INFO     start - ../src/lxc/start.c:lxc_check_inherited:326 - Closed inherited fd 10
lxc-start dev-r1ch 20250929180556.345 WARN     apparmor - ../src/lxc/lsm/apparmor.c:lsm_apparmor_ops_init:1268 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc-start dev-r1ch 20250929180556.345 INFO     lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
lxc-start dev-r1ch 20250929180556.345 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.346 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start dev-r1ch 20250929180556.347 DEBUG    cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
(+10 MiB more omitted...)

Any idea what might be causing this or how to debug it further? Is this something fixed in 6.0.5 and I just need to wait for Debian packaging? Thanks.

2

Welcome!

The command is lxc-monitor. How does it appear as lxc monitor (no hypher) on your system?

Reference: lxc-monitor(1) - Linux manual page

3

The process in question is actually lxc-start that renames itself on startup. I am not using lxc-monitor.

4

Haven’t looked into this at all, but if we’re able to figure out the necessary fix it should be easy enough to get added to the 13.2 point release, scheduled for November 15.

5

I found dbus-monitor gives some more information:

method call time=1759173739.497652 sender=:1.39 -> destination=org.freedesktop.systemd1 serial=4 path=/org/freedesktop/systemd1; interface=org.freedesktop.systemd1.Manager; member=StartTransientUnit
   string "lxc-dev-r1ch-0.scope"
   string "fail"
   array [
      struct {
         string "PIDs"
         variant             array [
               uint32 1478858
            ]
      }
      struct {
         string "Delegate"
         variant             boolean true
      }
      struct {
         string "CollectMode"
         variant             string "inactive-or-failed"
      }
   ]
   array [
   ]

error time=1759173739.497780 sender=:1.1 -> destination=:1.39 error_name=org.freedesktop.systemd1.UnitExists reply_serial=4
   string "Unit lxc-dev-r1ch-0.scope was already loaded or has a fragment file."

signal time=1759173748.252669 sender=:1.1 -> destination=(null destination) serial=1183 path=/org/freedesktop/systemd1; interface=org.freedesktop.systemd1.Manager; member=UnitRemoved
   string "lxc-dev-r1ch-0.scope"
   object path "/org/freedesktop/systemd1/unit/lxc_2ddev_2dr1ch_2d0_2escope"

It looks like it tries to call StartTransientUnit before the old transient unit was removed, though I don’t know if that’s how it’s supposed to work.

6

Facing the same issue with unprivileged containers run by regular user on Debian 13.

7

For what it worth, i can reproduce the issue. After migrating to Debian 13, running reboot from within a unprivileged LXC container run by a unprivileged user freezes that container. It is not possible to stop it with lxc-stop. It also breaks the lxc-ls command,as well as lxc-info -n <container_name>.

Note that a similar issue happened transiently on Debian 12, but with Debian 13, it is becoming systematic.

8

@hallyn could you take a look?
I believe you contributed the systemd transient unit stuff.

9

cgfsng: fix reboots when using dbus by hallyn · Pull Request #4628 · lxc/lxc · GitHub fixes it here.

I’ll hopefully be pushing a patch to make error handling a little more robust as well, and time out when appropriate.

10

The fix has been applied in Debian sid, and should make it to trixie eventually (https://bugs.debian.org/1124036).