I have tried the workarounds suggested in https://github.com/lxc/lxc/issues/3183.
What I have found is that while I can start Oracle Linux 8 LXC containers perfectly, with no issues, on vanilla out-of-the-box unmodified Fedora 33, which as we all know uses cgroupsv2 and nftables, it is also the case that Oracle Linux 7 containers give an error when attempting to start on vanilla out-of-the-box Fedora 33.
To run Oracle Linux 7 LXC containers on Fedora 33, the only workaround that has worked, which is pretty drastic, is that Fedora 33 must be switched to cgroupsv1 using a kernel argument.
So for now, our deployment code forces users to deploy Oracle Linux 8 LXC containers when deploying on Fedora 32/33 and does not allow programmed deployment of Oracle Linux 7 LXC containers.
The error that the Oracle Linux 7 containers throw on a Fedora 32/33 host is:
[ubuntu@f33sv1 ~]$ sudo lxc-start -n oel79c10 -F
[sudo] password for ubuntu:
lxc-start: oel79c10: cgroups/cgroup2_devices.c: bpf_program_load_kernel: 348 Operation not permitted - Failed to load bpf program: (null)
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization lxc.
Detected architecture x86-64.
Welcome to Oracle Linux Server 7.9!
Cannot determine cgroup we are running in: No such file or directory
Failed to allocate manager object: No such file or directory
[!!!] Failed to allocate manager object, freezing.
So my question to you is, do you have a fix for this that can be implemented in the config file of an Oracle Linux 7 LXC container running on Fedora 33, or is the more drastic reversion to cgroupv1 the “only” fix? From the few posts out there about this, it appears to be a general issue with Linux 7 including CentOS 7 and Oracle Linux 7 LXC containers on cgroupv2 on Fedora 32/33.
Limiting users to Oracle Linux 8 LXC containers when deploying on Fedora 32/33 is a pretty good workaround for us, and it’s a lot better than if it were the other way around, but I did want to get your take on whether you see this as an “Oracle/CentOS Linux 7” limitation, or as an “LXC issue” and if you have any additional workarounds that were not mentioned in #3183.
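
A pre-deployment check along the lines of the restriction described in the post, as an added example (not the poster's deployment code): it classifies the host cgroup layout and refuses release 7 guests on a unified (cgroup v2) host. The function names, the rootfs path argument and the treatment of hybrid hosts as acceptable are assumptions.

```shell
#!/bin/sh
# Added example: deployment gate for systemd guests on cgroup v1/v2 hosts.
# Typical use (GNU stat):
#   mode=$(cgroup_mode "$(stat -fc %T /sys/fs/cgroup)")
#   guest_allowed "$mode" "$(guest_major /path/to/rootfs)" || echo "refused"

# Classify the host layout from the filesystem type at /sys/fs/cgroup:
# cgroup2fs = unified (v2 only); tmpfs = v1 hierarchies, "hybrid" when a
# "unified" subdirectory is also present.
cgroup_mode() {
    fstype=$1
    root=${2:-/sys/fs/cgroup}
    case "$fstype" in
        cgroup2fs) echo unified ;;
        tmpfs)
            if [ -d "$root/unified" ]; then echo hybrid; else echo legacy; fi ;;
        *) echo unknown ;;
    esac
}

# Print the major release found in <rootfs>/etc/os-release (VERSION_ID).
guest_major() {
    osr="$1/etc/os-release"
    [ -r "$osr" ] || return 1
    sed -n 's/^VERSION_ID="\{0,1\}\([0-9][0-9]*\).*/\1/p' "$osr" | head -n 1
}

# Return 0 if the guest may be deployed, 1 if refused, 2 on bad input.
# Policy taken from the post: release 7 guests need the v1 hierarchy.
# Assumption: hybrid hosts count as acceptable because they still expose
# v1 hierarchies; an unknown layout is refused for release 7 guests.
guest_allowed() {
    mode=$1
    major=$2
    case "$major" in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$major" -le 7 ] && [ "$mode" != legacy ] && [ "$mode" != hybrid ]; then
        return 1
    fi
    return 0
}
```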