While attempting to start an unprivileged LXC container, the following error was encountered:
lxc-start web-api ... ERROR mount_utils - __fd_bind_mount: Operation not permitted - Failed to change mount attributes
lxc-start web-api ... ERROR dir_mount: Operation not permitted - Failed to mount "/home/debian/.local/share/lxc/web-api/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs"
lxc-create -n web-api -t download -- -d debian -r trixie -a amd64
lxc-unpriv-start web-api -l DEBUG -o lxc_unpriv_start.log
Container setup:
cat .config/lxc/default.conf
# Networking
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
# AppArmor
lxc.apparmor.profile = lxc-container-default-cgns
lxc.apparmor.allow_nesting = 0
# UID/GID Mapping
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 1001 101001 64535
grep debian /etc/subuid /etc/subgid
/etc/subuid:debian:100000:65536
/etc/subgid:debian:100000:65536
cat /etc/lxc/lxc-usernet
debian veth lxcbr0 10
If I only use the UID/GID mapping
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
then I need to set the following:
setfacl -m u:100000:x /home/debian
setfacl -m u:100000:x /home/debian/.local/
setfacl -m u:100000:x /home/debian/.local/share/
In both cases the same issue occurs.
Full Log:
cat lxc_unpriv_start.log
lxc-start web-api 20251006103206.945 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 0 hostid 100000 range 1000
lxc-start web-api 20251006103206.945 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 0 hostid 100000 range 1000
lxc-start web-api 20251006103206.945 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 1000 hostid 1000 range 1
lxc-start web-api 20251006103206.945 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 1000 hostid 1000 range 1
lxc-start web-api 20251006103206.945 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 1001 hostid 101001 range 64535
lxc-start web-api 20251006103206.945 INFO confile - ../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 1001 hostid 101001 range 64535
lxc-start web-api 20251006103206.947 INFO lxccontainer - ../src/lxc/lxccontainer.c:do_lxcapi_start:959 - Set process title to [lxc monitor] /home/debian/.local/share/lxc web-api
lxc-start web-api 20251006103206.948 DEBUG lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:818 - First child 8751 exited
lxc-start web-api 20251006103206.948 WARN apparmor - ../src/lxc/lsm/apparmor.c:lsm_apparmor_ops_init:1268 - Per-container AppArmor profiles are disabled because the mac_admin capability is missing
lxc-start web-api 20251006103206.949 INFO lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
lxc-start web-api 20251006103206.952 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.952 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.953 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.954 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.954 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.954 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.954 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.954 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.955 DEBUG cgfsng - ../src/lxc/cgroups/cgfsng.c:systemd_cgroup_scope_ready:996 - Dbus error...
lxc-start web-api 20251006103206.956 DEBUG seccomp - ../src/lxc/seccomp.c:parse_config_v2:664 - Host native arch is [3221225534]
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "reject_force_umount # comment this to allow umount -f; not recommended"
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "[all]"
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "kexec_load errno 1"
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
lxc-start web-api 20251006103206.956 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "open_by_handle_at errno 1"
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "init_module errno 1"
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "finit_module errno 1"
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "delete_module errno 1"
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
lxc-start web-api 20251006103206.957 INFO seccomp - ../src/lxc/seccomp.c:parse_config_v2:1036 - Merging compat seccomp contexts into main context
lxc-start web-api 20251006103206.957 INFO start - ../src/lxc/start.c:lxc_init:882 - Container "web-api" is initialized
lxc-start web-api 20251006103206.957 INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1679 - The monitor process uses "lxc.monitor.web-api" as cgroup
lxc-start web-api 20251006103206.957 DEBUG storage - ../src/lxc/storage/storage.c:get_storage_by_name:209 - Detected rootfs type "dir"
lxc-start web-api 20251006103206.957 INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1787 - The container process uses "lxc.payload.web-api" as inner and "lxc.payload.web-api" as limit cgroup
lxc-start web-api 20251006103206.958 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUSER
lxc-start web-api 20251006103206.958 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWNS
lxc-start web-api 20251006103206.958 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWPID
lxc-start web-api 20251006103206.958 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUTS
lxc-start web-api 20251006103206.958 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWIPC
lxc-start web-api 20251006103206.958 INFO start - ../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWCGROUP
lxc-start web-api 20251006103206.958 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved user namespace via fd 20 and stashed path as user:/proc/8752/fd/20
lxc-start web-api 20251006103206.958 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved mnt namespace via fd 21 and stashed path as mnt:/proc/8752/fd/21
lxc-start web-api 20251006103206.958 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved pid namespace via fd 22 and stashed path as pid:/proc/8752/fd/22
lxc-start web-api 20251006103206.958 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved uts namespace via fd 23 and stashed path as uts:/proc/8752/fd/23
lxc-start web-api 20251006103206.958 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved ipc namespace via fd 24 and stashed path as ipc:/proc/8752/fd/24
lxc-start web-api 20251006103206.958 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved cgroup namespace via fd 25 and stashed path as cgroup:/proc/8752/fd/25
lxc-start web-api 20251006103206.958 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start web-api 20251006103206.958 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start web-api 20251006103206.958 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start web-api 20251006103206.965 INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_setup_limits:3538 - Limits for the unified cgroup hierarchy have been setup
lxc-start web-api 20251006103206.965 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start web-api 20251006103206.965 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start web-api 20251006103206.965 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start web-api 20251006103206.973 NOTICE utils - ../src/lxc/utils.c:lxc_drop_groups:1477 - Dropped supplimentary groups
lxc-start web-api 20251006103206.974 INFO start - ../src/lxc/start.c:do_start:1105 - Unshared CLONE_NEWNET
lxc-start web-api 20251006103206.974 NOTICE utils - ../src/lxc/utils.c:lxc_drop_groups:1477 - Dropped supplimentary groups
lxc-start web-api 20251006103206.974 NOTICE utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1453 - Switched to gid 0
lxc-start web-api 20251006103206.974 NOTICE utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1462 - Switched to uid 0
lxc-start web-api 20251006103206.975 DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved net namespace via fd 7 and stashed path as net:/proc/8752/fd/7
lxc-start web-api 20251006103206.975 WARN start - ../src/lxc/start.c:lxc_spawn:1844 - Operation not permitted - Failed to allocate new network namespace id
lxc-start web-api 20251006103206.975 INFO network - ../src/lxc/network.c:lxc_create_network_unpriv_exec:3001 - Execing lxc-user-nic create /home/debian/.local/share/lxc web-api 8753 veth lxcbr0 (null)
lxc-start web-api 20251006103206.992 ERROR mount_utils - ../src/lxc/mount_utils.c:__fd_bind_mount:382 - Operation not permitted - Failed to change mount attributes
lxc-start web-api 20251006103206.992 ERROR dir - ../src/lxc/storage/dir.c:dir_mount:195 - Operation not permitted - Failed to mount "/home/debian/.local/share/lxc/web-api/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs"
lxc-start web-api 20251006103206.992 ERROR conf - ../src/lxc/conf.c:lxc_mount_rootfs:1240 - Failed to mount rootfs "/home/debian/.local/share/lxc/web-api/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs" with options "noatime,nodiratime"
lxc-start web-api 20251006103206.992 ERROR conf - ../src/lxc/conf.c:lxc_setup_rootfs_prepare_root:3504 - Failed to setup rootfs for
lxc-start web-api 20251006103206.992 ERROR conf - ../src/lxc/conf.c:lxc_setup:3879 - Failed to setup rootfs
lxc-start web-api 20251006103206.992 ERROR start - ../src/lxc/start.c:do_start:1273 - Failed to setup container "web-api"
lxc-start web-api 20251006103206.993 ERROR sync - ../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected sequence number 3)
lxc-start web-api 20251006103206.993 DEBUG network - ../src/lxc/network.c:lxc_delete_network:4220 - Deleted network devices
lxc-start web-api 20251006103206.993 ERROR start - ../src/lxc/start.c:__lxc_start:2119 - Failed to spawn container "web-api"
lxc-start web-api 20251006103206.993 WARN start - ../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL via pidfd 19 for process 8753
lxc-start web-api 20251006103206.994 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start web-api 20251006103206.994 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start web-api 20251006103206.994 DEBUG idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
lxc-start web-api 20251006103206.995 ERROR lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:837 - Received container state "ABORTING" instead of "RUNNING"
lxc-start web-api 20251006103206.996 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:307 - The container failed to start
lxc-start web-api 20251006103206.996 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:310 - To get more details, run the container in foreground mode
lxc-start web-api 20251006103206.997 ERROR lxc_start - ../src/lxc/tools/lxc_start.c:lxc_start_main:312 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start web-api 20251006103207.622 NOTICE utils - ../src/lxc/utils.c:lxc_drop_groups:1477 - Dropped supplimentary groups
lxc-start web-api 20251006103207.450 INFO utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxcfs/lxc.reboot.hook" for container "web-api", config section "lxc"
Host:
cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.1
ID=debian
uname -a
Linux debian 6.12.43+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.43-1 (2025-08-27) x86_64 GNU/Linux
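Three checks a practitioner would run against a setup like the one above, as an added example that is not part of the original post and not LXC's own tooling. It embeds the post's own values as constructed input (the lxc.idmap lines, the subuid/subgid entries, the rootfs path) and does three things: it verifies that every lxc.idmap host range lies inside an allocation that newuidmap/newgidmap would accept (a single-id map of the caller's own uid/gid is accepted without one, which is why the "u 1000 1000 1" line works), it lists the directories that must be searchable by the host uid container root maps to (100000 in both of the post's mappings; the post's setfacl lines cover the first three of them), and it compares the "noatime,nodiratime" options the log shows LXC requesting against the atime flags of the mount that holds the rootfs. That last check rests on an assumption the post does not confirm: inside a user namespace the kernel locks the atime flags of mounts inherited from the host (MNT_LOCK_ATIME), so a bind mount that tries to change them is refused with EPERM. That matches the text of "Failed to change mount attributes" but is a candidate to verify on the host, not a diagnosis. The sample mount options string and the findmnt invocation mentioned in the comments are assumptions as well.

```shell
#!/bin/sh
# Added example, not from the original post or from LXC. All inputs below are
# constructed from the values shown in the post; the mount options string passed
# to atime_locked_conflict in main is an assumed sample, not taken from the post.

IDMAP='lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 1001 101001 64535'
SUBUID='debian:100000:65536'
SUBGID='debian:100000:65536'
ROOTFS=/home/debian/.local/share/lxc/web-api/rootfs

# idmap_check IDMAP SUBUID SUBGID USER OWNUID OWNGID
# Each "lxc.idmap = <u|g> <nsid> <hostid> <range>" host range must sit inside a
# /etc/subuid (or /etc/subgid) allocation for USER, except a single-id map of the
# caller's own uid/gid, which newuidmap/newgidmap accept without an allocation.
# Prints one line per mapping; exits 1 if any mapping is uncovered or the
# container-side ranges do not add up to the usual 65536 ids.
idmap_check() {
    printf '%s\n' "$1" | awk -v subuid="$2" -v subgid="$3" -v user="$4" -v ownu="$5" -v owng="$6" '
    BEGIN {
        nu = 0; n = split(subuid, l, "\n")
        for (i = 1; i <= n; i++) { split(l[i], f, ":"); if (f[1] == user) { nu++; ust[nu] = f[2] + 0; uln[nu] = f[3] + 0 } }
        ng = 0; n = split(subgid, l, "\n")
        for (i = 1; i <= n; i++) { split(l[i], f, ":"); if (f[1] == user) { ng++; gst[ng] = f[2] + 0; gln[ng] = f[3] + 0 } }
    }
    $1 == "lxc.idmap" {
        type = $3; nsid = $4 + 0; host = $5 + 0; range = $6 + 0
        ok = (range == 1 && host == (type == "u" ? ownu : owng))   # own id, always allowed
        cnt = (type == "u") ? nu : ng
        for (i = 1; i <= cnt && !ok; i++) {
            s = (type == "u") ? ust[i] : gst[i]; len = (type == "u") ? uln[i] : gln[i]
            if (host >= s && host + range <= s + len) ok = 1    # whole range inside allocation
        }
        covered[type] += range
        printf "%-3s %s %6d..%-6d -> host %6d..%-6d\n", (ok ? "ok" : "BAD"), type, nsid, nsid + range - 1, host, host + range - 1
        if (!ok) bad++
    }
    END {
        printf "container ids covered: u %d, g %d\n", covered["u"], covered["g"]
        exit (bad || covered["u"] != 65536 || covered["g"] != 65536) ? 1 : 0
    }'
}

# traversal_dirs ROOTFS STOP
# Lists STOP and every directory below it on the way to ROOTFS (ROOTFS itself
# excluded), top down. Each must grant search (x) permission to the host uid that
# container root maps to, or the container cannot reach its rootfs at all.
traversal_dirs() {
    d=$(dirname "$1"); out=""
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        out="$d
$out"
        [ "$d" = "$2" ] && break
        d=$(dirname "$d")
    done
    printf '%s' "$out"
}

# acl_cmds ROOTFS STOP HOSTID -> one setfacl command per directory from traversal_dirs.
acl_cmds() {
    traversal_dirs "$1" "$2" | while IFS= read -r dir; do
        printf 'setfacl -m u:%s:x %s\n' "$3" "$dir"
    done
}

# atime_flags OPTS -> the atime flag set of a mount options list, normalised the way the
# kernel keeps it: one atime mode (noatime | strictatime | relatime, the default) plus
# whether nodiratime is set.
atime_flags() {
    mode=relatime; dirflag=-
    case ",$1," in *,noatime,*) mode=noatime ;; *,strictatime,*) mode=strictatime ;; esac
    case ",$1," in *,nodiratime,*) dirflag=nodiratime ;; esac
    echo "$mode+$dirflag"
}

# atime_locked_conflict SOURCE_OPTS REQUESTED_OPTS -> true when the requested atime
# flags differ from the source mount's. Assumption (see lead-in): in a user namespace
# the kernel locks the atime flags of inherited mounts (MNT_LOCK_ATIME), so such a
# change is refused with EPERM.
atime_locked_conflict() { [ "$(atime_flags "$1")" != "$(atime_flags "$2")" ]; }

main() {
    idmap_check "$IDMAP" "$SUBUID" "$SUBGID" debian 1000 1000 || echo "idmap problem: fix this first"
    acl_cmds "$ROOTFS" /home/debian 100000
    # On the real host, replace the first argument with the output of
    # 'findmnt -n -o OPTIONS -T "$ROOTFS"' (assumed usage); the string here is a
    # constructed sample of a typical ext4 root. The second argument is what the
    # post's log shows LXC requesting.
    if atime_locked_conflict 'rw,relatime,errors=remount-ro' 'noatime,nodiratime'; then
        echo "requested atime flags differ from the source mount: candidate cause of 'Failed to change mount attributes'"
    fi
}
main
```

If idmap_check reports every line as "ok" and 65536 ids covered on both sides, the mapping is not the problem, which is consistent with the log reaching the rootfs mount. The ACL list is the complete set of ancestors; directories that already grant o+x do not need an entry. The atime comparison is the one to confirm on the host: if the filesystem holding the rootfs is mounted relatime and LXC asks for noatime,nodiratime, that difference is worth testing (for instance by changing the requested rootfs options) before looking elsewhere.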