Lxc. Unable to start unprivileged container

Hello, I am a student currently doing an internship at my university. For the past two months, I’ve been working on updating our university’s application (remotelabz) to replace privileged containers with unprivileged ones.

I need help with a problem I’ve been facing for a week now.

I cannot get a container to start.

The Issue

After copying the container, I try to start it via systemd-run and lxc-start, but it fails silently with unclear logs. I suspect something is wrong with how I’m preparing or launching the container in the unprivileged context — maybe a permission issue, or a missing runtime config.

Am I missing a step or misconfiguring the container or systemd environment?

Any help is greatly appreciated. Thanks!

Context

I need to run a script as a privileged user that uses the command sudo -u unprivileged_user to interact with unprivileged containers. The workflow is:

  1. A base container (Migration) is created using lxc-create as the unprivileged user (remotelabz-lxc) via systemd-run --user.
  2. I copy this base container using lxc-copy (I didn't manage to do it as the unprivileged user).
    (sudo lxc-copy -n Migration -P /home/remotelabz-lxc/.local/share/lxc -N 7139d2d2-69ef-4883-a26b-8099ba51bf60)
  3. After that, I try to start the copied container using the following command:
systemd-run --unit=lxc-7139d2d2 --user --scope -p "Delegate=yes" -- lxc-start -n 7139d2d2-69ef-4883-a26b-8099ba51bf60 -f /opt/remotelabz-worker/instances/user/11a4ee00-7470-4210-9045-bf66e8be0fb7/9a2b1c0f-8ad9-43c6-b5ad-afbfd39f501f/7139d2d2-69ef-4883-a26b-8099ba51bf60/template.txt-new

But the container fails to start, and I’m not sure if the issue comes from a misconfiguration in the container setup or the way I handle unprivileged users and permissions.

lxc-checkconfig:

LXC version 5.0.3
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-6.8.0-59-generic

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled
Cgroup v1 mount points: 
Cgroup v2 mount points: 
 - /sys/fs/cgroup
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Template of the container:

lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.rootfs.path = dir:/home/remotelabz-lxc/.local/share/lxc/7139d2d2-69ef-4883-a26b-8099ba51bf60/rootfs
lxc.uts.name = 7139d2d2-69ef-4883-a26b-8099ba51bf60

# Network configuration
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.link = br-9a2b1c0f
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 10.11.0.17/24
lxc.net.0.ipv4.gateway = 10.11.0.30
lxc.net.0.hwaddr = 00:2D:EB:0F:8C:F6

lxc.hook.version = 1

lxc.apparmor.profile=unconfined
lxc.apparmor.allow_nesting=1

lxc.idmap = u 0 362144 65536
lxc.idmap = g 0 362144 65536

Steps done to set up the unprivileged user:

sudo adduser --disabled-password --gecos "" remotelabz-lxc

echo "remotelabz-lxc:$FREE_RANGE:65536" >> /etc/subuid
echo "remotelabz-lxc:$FREE_RANGE:65536" >> /etc/subgid

echo "remotelabz-lxc veth lxcbr0 10" | sudo tee -a /etc/lxc/lxc-usernet

loginctl enable-linger remotelabz-lxc
mkdir -p /var/lib/systemd/linger
touch /var/lib/systemd/linger/remotelabz-lxc
chown remotelabz-lxc: /var/lib/systemd/linger/remotelabz-lxc

sudo -u remotelabz-lxc mkdir -p /home/remotelabz-lxc/.config/lxc
sudo -u remotelabz-lxc cp /etc/lxc/default.conf /home/remotelabz-lxc/.config/lxc/default.conf

cat <<EOF | sudo -u remotelabz-lxc tee -a /home/remotelabz-lxc/.config/lxc/default.conf > /dev/null

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up

lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 1

lxc.idmap = u 0 $FREE_RANGE 65536
lxc.idmap = g 0 $FREE_RANGE 65536
EOF

chmod +x /home/remotelabz-lxc

Return of the command with debug options. lxc-usernet is modified and I've checked cgroup permissions; the user has the correct rights, which makes me unable to understand the source of the problem.

Running as unit: lxc-7139d2d2.scope; invocation ID: c3c9a735e07a4d7a859b0443c5d8a2f0
lxc-start: 7139d2d2-69ef-4883-a26b-8099ba51bf60: ../src/lxc/cgroups/cgfsng.c: __cgfsng_delegate_controllers: 3341 Device or resource busy - Could not enable "+cpu +memory +pids" controllers in the unified cgroup 9
lxc-start: 7139d2d2-69ef-4883-a26b-8099ba51bf60: ../src/lxc/network.c: lxc_create_network_unpriv_exec: 2990 lxc-user-nic failed to configure requested network: ../src/lxc/cmd/lxc_user_nic.c: 1211: main: Quota reached
lxc-start: 7139d2d2-69ef-4883-a26b-8099ba51bf60: ../src/lxc/start.c: lxc_spawn: 1840 Failed to create the network
lxc-start: 7139d2d2-69ef-4883-a26b-8099ba51bf60: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "7139d2d2-69ef-4883-a26b-8099ba51bf60"
lxc-start: 7139d2d2-69ef-4883-a26b-8099ba51bf60: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: 7139d2d2-69ef-4883-a26b-8099ba51bf60: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options

Did you configure the subuid and the subgid for the root user?

Thank you for your help. Yes, I had done that. I managed to make a container work now.

The error that was blocking me was "Could not enable '+cpu +memory +pids'", but I discovered that it's actually a false error message — it always appears and is misleading. The real issue was elsewhere. Specifically, I had assumed that adding a single line like unpriv_user_name veth lxcbr0 10 in the lxc-usernet file would be enough for all containers to work. However, it turns out that each container needs its own specific line, like unpriv_user_name veth br-XXXXXXXX 10, corresponding to the bridge it uses.

Here are the steps I followed to get a container running:


1. Use a privileged user to copy the container into the unprivileged user's directory:
sudo lxc-copy -n Migration -P /home/remotelabz-lxc/.local/share/lxc -N UUID -o /home/remotelabz-lxc/.local/share/lxc/lxc-copy.log -l DEBUG

2. Give ownership of the new container to the unprivileged user:
sudo chown -R remotelabz-lxc:remotelabz-lxc /home/remotelabz-lxc/.local/share/lxc/UUID

3. Set ACL permissions so that the unprivileged user's UID-mapped process can access the path:
sudo bash -c '
path="/home/remotelabz-lxc/.local/share/lxc/UUID"
uid_mapped=362144

while [ "$path" != "/" ] && [ -d "$path" ]; do
  setfacl -m u:${uid_mapped}:x "$path"
  path=$(dirname "$path")
done
'

4. Add the required network bridge line to `/etc/lxc/lxc-usernet`:
remotelabz-lxc veth br-BRIDGE_NUMBER 10

5. Optionally restart the LXC network service (not always required, but may help):
sudo systemctl restart lxc-net.service

6. Start the container as the unprivileged user using systemd-run (with environment vars to ensure proper session setup):
env XDG_RUNTIME_DIR=/run/user/1003 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1003/bus systemd-run --unit=lxc-start-UUID_CONTENEUR --user --scope -p Delegate=yes -- lxc-start -n UUID -f PATH_TO_TEMPLATE

7. Attach to the container if needed:
env XDG_RUNTIME_DIR=/run/user/1003 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1003/bus \
systemd-run --user --scope -p Delegate=yes -- lxc-attach -n UUID
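As an added example, not from this thread or from the remotelabz project, here is a small POSIX shell check for the mismatch behind the "Quota reached" line in the original debug output and the per-bridge lxc-usernet entry described in the follow-up: it extracts every lxc.net.N.link bridge from a container config and reports the ones for which the given user has no veth line in lxc-usernet. The sample config and usernet files are constructed to mirror the thread, and the rule that the last matching line wins is an assumption of this example; @group entries are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): detect a container config that references a
# bridge the unprivileged user has no lxc-usernet entry for, which is what made
# lxc-user-nic report "Quota reached" above.

# bridges_in_config CONFIG -> prints each lxc.net.<n>.link value, one per line
bridges_in_config() {
    sed -n 's/^[[:space:]]*lxc\.net\.[0-9][0-9]*\.link[[:space:]]*=[[:space:]]*//p' "$1"
}

# usernet_count USERNET USER BRIDGE -> prints the veth count the file grants USER
# on BRIDGE, 0 when no line matches. Comments and short lines are skipped; if the
# same user/bridge pair appears twice the last line wins (an assumption of this
# example). "@group" entries, which lxc-usernet also accepts, are not evaluated.
usernet_count() {
    awk -v u="$2" -v b="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == u && $2 == "veth" && $3 == b { n = $4 }
        END { printf "%d\n", n }
    ' "$1"
}

# missing_bridges CONFIG USERNET USER -> prints every bridge from CONFIG that
# USERNET grants USER no veth on; returns 0 when nothing is missing, 1 otherwise
missing_bridges() {
    rc=0
    for br in $(bridges_in_config "$1"); do
        if [ "$(usernet_count "$2" "$3" "$br")" -eq 0 ]; then
            echo "$br"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs modelled on the template and usernet lines in the thread
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/template.conf" <<'EOF'
lxc.include = /usr/share/lxc/config/common.conf
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.link = br-9a2b1c0f
lxc.net.0.flags = up
EOF
cat > "$demo_dir/lxc-usernet.before" <<'EOF'
# user type bridge count  (only the generic lxcbr0 line)
remotelabz-lxc veth lxcbr0 10
EOF
cat > "$demo_dir/lxc-usernet.after" <<'EOF'
remotelabz-lxc veth lxcbr0 10
remotelabz-lxc veth br-9a2b1c0f 10
EOF

echo "Bridges without a veth entry (before the per-bridge line):"
missing_bridges "$demo_dir/template.conf" "$demo_dir/lxc-usernet.before" remotelabz-lxc \
    || echo "  -> lxc-user-nic would refuse the interface"
echo "Bridges without a veth entry (after the per-bridge line):"
missing_bridges "$demo_dir/template.conf" "$demo_dir/lxc-usernet.after" remotelabz-lxc \
    && echo "  -> none, all bridges covered"
```

Run against a real host by pointing the functions at the container's config file and /etc/lxc/lxc-usernet with the unprivileged user's name; a non-empty result lists the bridges that still need a line of the form shown in step 4.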