I found a potential culprit: I have umask set to 0027 via pam_umask. Everything seems to work if I remove it.
Meanwhile I’m also looking for a better solution without disabling pam_umask.
I think this could be a potential explanation of the post that you mentioned.
Looking ahead, I think it’d be great if we had at least one of:
- LXC checks that the container root has access to all cgroup directories, just like LXC checks the setuid bit.
- LXC shows a hint upon cgroup mounting errors.
- Maybe mention this in some relevant wiki/manual.
Otherwise this issue could be very cryptic.
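
An added example, not part of the original post and not LXC code: a sketch of the kind of pre-flight check suggested above, in Python. It assumes the failure mode is that directories created under umask 0027 end up with mode 0750, leaving a uid that is neither owner nor group (such as a mapped container root) without traverse permission; the directory names and the uid offset are constructed.

```python
import os
import shutil
import tempfile


def blocked_dirs(leaf, root, uid, gids):
    """List directories below root, down to leaf, that uid cannot enter.

    Evaluates classic mode bits only (owner, else group, else other);
    ACLs and capabilities are not considered.
    """
    blocked = []
    current = root
    for part in os.path.relpath(leaf, root).split(os.sep):
        current = os.path.join(current, part)
        st = os.stat(current)
        if st.st_uid == uid:
            bits = (st.st_mode >> 6) & 7
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 7
        else:
            bits = st.st_mode & 7
        if bits & 5 != 5:  # need r-x to list and traverse
            blocked.append(os.path.relpath(current, root))
    return blocked


def simulate(mask):
    """Create a constructed directory chain under `mask` and check it."""
    root = tempfile.mkdtemp()
    old = os.umask(mask)
    try:
        leaf = os.path.join(root, "parent", "payload", "c1")  # constructed names
        os.makedirs(leaf)
    finally:
        os.umask(old)
    # Assumed mapped container root: an id that is neither owner nor group.
    uid, gid = os.getuid() + 100000, os.getgid() + 100000
    try:
        return blocked_dirs(leaf, root, uid, {gid})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for mask in (0o027, 0o022):
        print(f"umask {mask:04o}: blocked = {simulate(mask)}")
```

To run the same check against a real hierarchy, call `blocked_dirs` with the container's cgroup path as `leaf`, the cgroup mount point as `root`, and the host uid and gids that container root maps to.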