"systemctl start" command does not return inside container

1

I use Incus to run a Ubuntu container. I found that inside container, if I run systemctl start my-service where my service is “oneshot” type, the command doesn’t return. I have to press Ctrl +C to make it quit.

Here is the content of .service file:

[Unit]
Description=Structlog Journald Service
After=network.target

[Service]
Type=oneshot
User=web
Group=web
WorkingDirectory=/opt/structlog-journald
ExecStart=/opt/structlog-journald/.venv/bin/python3 examples/simple.py
RemainAfterExit=no

[Install]
WantedBy=multi-user.target

Here is the code which is run by that service: structlog-journald/examples/simple.py at main · hongquan/structlog-journald · GitHub

How to fix it?

2

That script doesn’t seem to be suitable to run as a service - surely getpass.getuser() is interactive, waiting for a keyboard response? And therefore it hangs.

I’d say this question isn’t related to incus. For more advice, try on a python programming mailing list.

3

No, it is not interactive. Here is the result when running it outside “systemctl”:

image
image1122×722 135 KB

Other than this script, any script run with systemctl start gets the same hanging issue. This issue is not seen when running outside Incus container.

4

This is apparently specific to your system, so you will need to provide more details. What’s the incus version? Where did you install it from? What’s the OS and kernel version of the underlying host? What’s the OS type and version that you’re running inside the container?

Here’s an example which works for me:

root@nuc3:~# incus launch images:ubuntu/22.04/cloud testing
Launching testing
Retrieving image: Unpacking image: 100% (4.51GB/s)
root@nuc3:~# incus shell testing
root@testing:~# cat <<EOS >/etc/systemd/system/testing.service
[Unit]
Description=Testing Service
After=network.target

[Service]
Type=oneshot
User=nobody
Group=nogroup
WorkingDirectory=/tmp
ExecStart=/bin/sleep 3
RemainAfterExit=no

[Install]
WantedBy=multi-user.target
EOS
root@testing:~# systemctl daemon-reload
root@testing:~# time systemctl start testing.service

real	0m3.027s
user	0m0.004s
sys	0m0.015s
root@testing:~#

This underlying host is running incus 6.0.4, installed from Zabbly packages, and is Ubuntu 22.04.5.

root@nuc3:~# uname -a
Linux nuc3 6.8.0-60-generic #63~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 22 19:00:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

So first, try the above simple example. If it doesn’t work, then you’ll have to drill down as to what’s different about your system.

5

Hi, the example above faces the same hanging issue, so it must be the problem with my system.

The Incus in my host (Ubuntu 25.04):

❯ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 25.04
Release:        25.04
Codename:       plucky
❯ uname -a
Linux MiniDesk 6.14.0-23-generic #23-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 13 23:02:20 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

❯ apt show incus
Package: incus
Version: 6.0.3-4
Built-Using: go-md2man-v2 (= 2.0.4-1), gobgp (= 3.33.0-1), golang-1.24 (= 1.24.0-2), golang-blackfriday-v2 (=>
Priority: optional
Section: universe/admin
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 20.5 kB
Depends: incus-agent (= 6.0.3-4), incus-base (= 6.0.3-4), qemu-system-x86 (>= 1:8.0), swtpm, virtiofsd
Suggests: gdisk
Homepage: https://linuxcontainers.org/incus/
Download-Size: 5,282 B
APT-Manual-Installed: yes
APT-Sources: http://mirrors.tino.org/ubuntu plucky/universe amd64 Packages
Description: Powerful system container and virtual machine manager - daemon
 Incus is a next generation system container and virtual machine manager.
 It offers a unified user experience around full Linux systems running
 inside containers or virtual machines.
 .
 It's image based with pre-made images available for a wide number of
 Linux distributions and is built around a very powerful, yet pretty
 simple, REST API.
 .
 This metapackage will install everything needed to run containers and VMs.

The guest OS:

> uname -a
Linux ubuntu-in-incus 6.14.0-23-generic #23-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 13 23:02:20 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.2 LTS
Release:        24.04
Codename:       noble
6

I think I should destroy this container and try again, because other programs are affected by this issue, not only systemctl start.

I suspect that this is the root cause: Bug #2109394 “AppArmor breaks Incus containers” : Bugs : apparmor package : Ubuntu

This also fixes: AppArmor blocks sending signals on Ubuntu 25.04 host

7

Yes, I seem to remember seeing problems with 24.10 or 25.04.

Have you tried the workaround? sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0

and/or Incus not working under Ubuntu 25.04? - #13 by kaharlichenko

Otherwise, rebuilding the outer host with Ubuntu 24.04 would be a safe solution. Non-LTS versions of Ubuntu are likely to have breaking changes in them.