Unable to start container

On Ubuntu 16.04.6, I can’t seem to start any unprivileged containers. The error I get is:
lxc-start: utils.c: mkdir_p: 236 Permission denied - failed to create directory ‘/sys/fs/cgroup/pids/system.slice/ssh.service/lxc’
lxc-start: utils.c: mkdir_p: 236 Permission denied - failed to create directory ‘/sys/fs/cgroup/perf_event/lxc’
lxc-start: utils.c: mkdir_p: 236 Permission denied - failed to create directory ‘/sys/fs/cgroup/hugetlb/lxc’
lxc-start: utils.c: mkdir_p: 236 Permission denied - failed to create directory ‘/sys/fs/cgroup/freezer/lxc’
lxc-start: cgroups/cgfs.c: lxc_cgroupfs_create: 1027 Permission denied - Could not create cgroup ‘/lxc’ in ‘/sys/fs/cgroup/freezer’.
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/pids/system.slice/ssh.service
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/perf_event/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/hugetlb/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/freezer/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/blkio/system.slice/ssh.service
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/cpuset/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/memory/system.slice/ssh.service
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/devices/system.slice/ssh.service
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/cpu,cpuacct/system.slice/ssh.service
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Read-only file system - Failed to delete /sys/fs/cgroup/net_cls,net_prio/
lxc-start: cgroups/cgfs.c: cgroup_rmdir: 209 Permission denied - Failed to delete /sys/fs/cgroup/systemd/system.slice/ssh.service
lxc-start: start.c: lxc_spawn: 1537 Failed creating cgroups.
lxc-start: start.c: __lxc_start: 1802 Failed to spawn container “u1”.
The container failed to start.

I’m pretty sure everything is configured correctly: I have the sub(uid/gid)s configured and lxc-net is set up. Not sure what else I’d need to do?

Sounds like your user doesn’t own their current cgroups.

Look at /proc/self/cgroup; the path you are in within the cgroup tree should be writable by your user for things to work properly.

That’s normally what libpam-cgfs does for you on login.

Yep, my user, the group I’m in and everyone else have read-only access. libpam-cgfs appears to be installed. Any way of identifying why my user lacks write permission?

Interestingly, on my Debian desktop, and on a different Ubuntu 16.04.6 system, my user also lacks write access to /proc/self/cgroup, but can still start lxc containers.

What should I look at to fix this? Could libpam-cgfs be misconfigured? If so, what is the expected config?

I looked at the contents of /proc/self/cgroup on the different systems, and it looks like there’s some kind of misconfiguration (though I’m not sure how to fix it). On the working Ubuntu 16.04 it is:
blkio:/user.slice
cpu,cpuacct:/user.slice
cpuset:/
devices:/user.slice
freezer:/user/tjames/0
hugetlb:/
memory:/user/tjames/0
name=systemd:/user.slice/user-18160.slice/session-2220.scope
net_cls,net_prio:/
perf_event:/
pids:/user.slice/user-18160.slice

whereas on the non-working system it is:
blkio:/user.slice
cpu,cpuacct:/user.slice
cpuset:/
devices:/user.slice
freezer:/
hugetlb:/
memory:/user.slice
name=systemd:/user.slice/user-18160.slice/session-12214.scope
net_cls,net_prio:/
perf_event:/
pids:/user.slice/user-18160.slice

The differences are in the memory and freezer lines (tjames is my username on these systems). What would be setting these values?

libpam-cgfs
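
The check suggested earlier in the thread (is each path listed in /proc/self/cgroup writable by the current user?), as an added example that is not part of the original posts or of LXC itself. It assumes cgroup v1 hierarchies mounted under /sys/fs/cgroup, with `name=systemd` mounted at `systemd` as in the error log above; the function names are hypothetical.

```python
import os

CGROUP_ROOT = "/sys/fs/cgroup"  # assumed cgroup v1 mount point


def parse_cgroup(text):
    """Yield (controllers, path) pairs from /proc/self/cgroup content.

    Accepts the kernel's 'id:controllers:path' lines as well as the
    'controllers:path' form pasted in the thread.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) == 3 and fields[0].isdigit():
            fields = fields[1:]            # drop the hierarchy id
        else:
            fields = line.split(":", 1)    # id-less form from the thread
        if len(fields) != 2 or not fields[0]:
            continue                       # malformed, or a cgroup v2 '0::/path' entry
        yield fields[0], fields[1]


def check_writable(text, root=CGROUP_ROOT):
    """Return {controllers: (directory, writable_by_current_user)}."""
    result = {}
    for ctrl, path in parse_cgroup(text):
        # Named hierarchies such as 'name=systemd' are mounted without the prefix.
        mount = ctrl[len("name="):] if ctrl.startswith("name=") else ctrl
        directory = os.path.normpath(os.path.join(root, mount, path.lstrip("/")))
        # Creating a child cgroup needs write and search permission on the
        # directory; a missing directory is reported as not writable.
        result[ctrl] = (directory, os.access(directory, os.W_OK | os.X_OK))
    return result


if __name__ == "__main__":
    with open("/proc/self/cgroup") as fh:
        report = check_writable(fh.read())
    for ctrl, (directory, ok) in sorted(report.items()):
        print(f"{'writable ' if ok else 'READ-ONLY'}  {ctrl:<20} {directory}")
```

Run it as the unprivileged user that starts the container; run as root, `os.access` reports every existing directory as writable.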