New incus install fails to start container

On an Ubuntu 24.04.4 VM (running on ESX) I purged all Incus packages, wiped the ZFS device and reinstalled the latest Incus without any error, but once I try to start a new container, it fails to start:

incus launch images:ubuntu/24.04 test
Launching test
Error: Failed instance creation: Failed to run: /opt/incus/bin/incusd forkstart test /var/lib/incus/containers /run/incus/test/lxc.conf /var/log/incus/test: exit status 1

incus info --show-log test
Name: test
Description:
Status: STOPPED
Type: container
Architecture: x86_64
Created: 2026/05/28 13:52 UTC
Last Used: 2026/05/28 13:52 UTC

Log (lxc.log):

lxc test 20260528135241.413 ERROR    utils - ../src/lxc/utils.c:run_buffer:569 - Script exited with status 32
lxc test 20260528135241.413 ERROR    conf - ../src/lxc/conf.c:lxc_setup:3845 - Failed to run mount hooks
lxc test 20260528135241.413 ERROR    start - ../src/lxc/start.c:do_start:1466 - Failed to setup container "test"
lxc test 20260528135241.413 ERROR    sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
lxc test 20260528135241.416 ERROR    network - ../src/lxc/network.c:lxc_netdev_restore_altnames:1422 - Invalid argument - Failed to get altnames for interface "vethcb7baebf"
lxc test 20260528135241.416 WARN     network - ../src/lxc/network.c:lxc_delete_network_priv:3940 - Failed to restore altnames for interface with index 0 and initial name "vethcb7baebf"
lxc test 20260528135241.416 WARN     network - ../src/lxc/network.c:lxc_delete_network_priv:3945 - Failed to rename interface with index 0 from "physbwonOD" to its initial name "vethcb7baebf"
lxc test 20260528135241.416 ERROR    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:837 - Received container state "ABORTING" instead of "RUNNING"
lxc test 20260528135241.416 ERROR    start - ../src/lxc/start.c:__lxc_start:2288 - Failed to spawn container "test"
lxc test 20260528135241.416 WARN     start - ../src/lxc/start.c:lxc_abort:1229 - No such process - Failed to send SIGKILL via pidfd 17 for process 4201
lxc 20260528135241.514 ERROR    af_unix - ../src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Connection reset by peer - Failed to receive response
lxc 20260528135241.514 ERROR    commands - ../src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"

Any idea what’s going wrong?

Found out the reason:
this Ubuntu server was set up with systemd-network. After switching back to the default netplan network config, Incus behaves as expected. So either the systemd-network config has incompatible parts or Incus is not compatible with network config done by systemd.

Could someone please tell me whether network config by systemd should be possible with Incus in general?
I will try to decipher the systemd config and will report back.


I’m not familiar with how modern(ish) Ubuntu configures its networking, but Incus is very much compatible with systemd-networkd – it’s how IncusOS (based on Debian trixie) configures all of its networking. :smile:

My assumption that the issue was caused by the systemd-networkd config was wrong.
I found another change that I reverted when switching to netplan:

cat /etc/sysctl.d/disable_ptrace.conf
kernel.yama.ptrace_scope=3

which actually blocks the usage of ptrace and any incus commands.

Protect against ptrace of processes: kernel.yama.ptrace_scope:

If your system is running in the DMZ and processes highly sensitive data, there is usually no reason to allow ptrace at all. Best is to disable it completely (kernel.yama.ptrace_scope = 3).

Once I remove this, Incus works as expected. Why is ptrace required to start Incus, and how could this be seen with CVE-2026-46333?
See also: Protect against ptrace of processes: kernel.yama.ptrace_scope

Workaround: restrict ptrace to admin only:

kernel.yama.ptrace_scope=2

I’m also facing the same issue, I tried following your suggestion and set kernel.yama.ptrace_scope=3 but still not able to start the container.

Started seeing this issue after upgrading the incus package to 7.1-ubuntu24.04-202605291904.

$ incus start dav-hml-media
Error: Failed to run: /opt/incus/bin/incusd forkstart dav-hml-prod_dav-hml-media /var/lib/incus/containers /run/incus/dav-hml-prod_dav-hml-media/lxc.conf /var/log/incus/dav-hml-prod_dav-hml-media: exit status 1
Try `incus info --show-log dav-hml-media` for more info
$ sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 3
$ incus info --show-log dav-hml-media
Name: dav-hml-media
Description: 
Status: STOPPED
Type: container
Architecture: x86_64
Created: 2026/05/04 17:34 IST
Last Used: 2026/05/30 23:59 IST

Log (lxc.log):

lxc dav-hml-prod_dav-hml-media 20260530182959.413 ERROR    utils - ../src/lxc/utils.c:run_buffer:569 - Script exited with status 1
lxc dav-hml-prod_dav-hml-media 20260530182959.413 ERROR    conf - ../src/lxc/conf.c:lxc_setup:3845 - Failed to run mount hooks
lxc dav-hml-prod_dav-hml-media 20260530182959.413 ERROR    start - ../src/lxc/start.c:do_start:1466 - Failed to setup container "dav-hml-prod_dav-hml-media"
lxc dav-hml-prod_dav-hml-media 20260530182959.413 ERROR    sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 4)
lxc dav-hml-prod_dav-hml-media 20260530182959.416 ERROR    network - ../src/lxc/network.c:lxc_netdev_restore_altnames:1422 - Invalid argument - Failed to get altnames for interface "veth4d00d1fb"
lxc dav-hml-prod_dav-hml-media 20260530182959.416 WARN     network - ../src/lxc/network.c:lxc_delete_network_priv:3940 - Failed to restore altnames for interface with index 0 and initial name "veth4d00d1fb"
lxc dav-hml-prod_dav-hml-media 20260530182959.416 WARN     network - ../src/lxc/network.c:lxc_delete_network_priv:3945 - Failed to rename interface with index 0 from "physLhDrtF" to its initial name "veth4d00d1fb"
lxc dav-hml-prod_dav-hml-media 20260530182959.416 ERROR    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:837 - Received container state "ABORTING" instead of "RUNNING"
lxc dav-hml-prod_dav-hml-media 20260530182959.416 ERROR    start - ../src/lxc/start.c:__lxc_start:2288 - Failed to spawn container "dav-hml-prod_dav-hml-media"
lxc dav-hml-prod_dav-hml-media 20260530182959.416 WARN     start - ../src/lxc/start.c:lxc_abort:1229 - No such process - Failed to send SIGKILL via pidfd 17 for process 29356
lxc 20260530182959.472 ERROR    af_unix - ../src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Connection reset by peer - Failed to receive response
lxc 20260530182959.472 ERROR    commands - ../src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"
$  cat /etc/os-release
NAME="Pop!_OS"
VERSION="24.04 LTS"
ID=pop
ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 24.04 LTS"
VERSION_ID="24.04"
HOME_URL="https://pop.system76.com"
SUPPORT_URL="https://support.system76.com"
BUG_REPORT_URL="https://github.com/pop-os/pop/issues"
PRIVACY_POLICY_URL="https://system76.com/privacy"
VERSION_CODENAME=noble
UBUNTU_CODENAME=noble
LOGO=distributor-logo-pop-os
$

Is that using NVIDIA’s container runtime? (nvidia.runtime)

Yes, I’ve set it via profile for this container.

Try setting it to false and see if that gets the container running, the error suggests it may be a problem with the NVIDIA integration.

Thanks, that helped in starting the container. I suppose I’ll have to wait till a fix is implemented for the NVIDIA integration?

Just to add, my Nvidia containers won’t start as well. Removal of Nvidia runtime works, but eventually had to downgrade to last 7.0 release to get this functionality back.

You’ll need kernel.yama.ptrace_scope=2 or less.
Value 3 means: No processes may be traced with ptrace
See: Protect against ptrace of processes: kernel.yama.ptrace_scope

Why is Incus depending on ptrace to start/stop a container? An exception should tell issues accessing ptrace.

Btw, my issue is not related to NVIDIA but to setting kernel.yama.ptrace_scope
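
An added diagnostic, not part of any post in this thread and not Incus code: it prints the running kernel.yama.ptrace_scope value and lists which sysctl.d fragments set it, as the /etc/sysctl.d/disable_ptrace.conf file did here. The value descriptions follow the kernel's Yama documentation; the function names and the directory list are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit where kernel.yama.ptrace_scope is set (names are hypothetical).

# Meaning of each value, following the kernel's Yama documentation.
describe_scope() {
    case "$1" in
        0) echo "classic: same-uid processes may attach" ;;
        1) echo "restricted: only descendants or declared tracers may attach" ;;
        2) echo "admin-only: attach requires CAP_SYS_PTRACE" ;;
        3) echo "no attach: ptrace disabled, locked until reboot" ;;
        *) echo "unknown value" ;;
    esac
}

# Print "file<TAB>value" for each *.conf fragment in the given directories
# that sets the key. Comment lines are skipped; spaces around '=' and the
# leading '-' (ignore-errors) prefix are tolerated.
find_scope_settings() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            val=$(sed -n 's/^[[:space:]]*-\{0,1\}kernel[./]yama[./]ptrace_scope[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
            [ -n "$val" ] && printf '%s\t%s\n' "$f" "$val"
        done
    done
    return 0
}

# Show the running value, then every fragment that would set it at boot.
report() {
    live=/proc/sys/kernel/yama/ptrace_scope
    if [ -r "$live" ]; then
        cur=$(cat "$live")
        echo "running: $cur ($(describe_scope "$cur"))"
    else
        echo "running: Yama sysctl not present on this kernel"
    fi
    tab=$(printf '\t')
    find_scope_settings "$@" | while IFS="$tab" read -r file val; do
        echo "$file sets $val ($(describe_scope "$val"))"
    done
}

# Standard sysctl.d locations; missing directories are skipped.
report /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d
```

Per the kernel's Yama documentation, a running value of 3 cannot be changed until reboot, so deleting or editing the fragment alone does not restore ptrace on the live system.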

We’ve tracked down the issue affecting nvidia.runtime.
It’s a bug in how we generate lxc.environment.

Once we have this merged, we’ll be cherry-picking that fix to the Zabbly packages.

@Foxboron on the Arch Linux side helped track this down earlier today, so I expect Arch will also get a cherry-pick in pretty short order :slight_smile:

@adamcstephens you’ll likely want to do this in Nix as well.

Good morning.

Thank you very much for fixing this so quickly everyone :folded_hands: :folded_hands: :folded_hands:

I’ve installed the latest 7.1 and Nvidia runtime is functional again.

Yes, it’s working for me as well. Thank you :slight_smile: