[SOLVED] Linux 6.11 Kernel - Failure to start LXC

[ram75]

https://forum.proxmox.com/threads/o...le-on-test-no-subscription.156818/post-717079

root@blade1:~# pct config 109
arch: amd64
cores: 2
description: test
features: nesting=1
hostname: wazuh-ix1
memory: 4096
nameserver: 192.168.16.7
net0: name=eth0,bridge=vmbr1,firewall=1,gw=192.168.16.3,hwaddr=02:CA:BA:41:6E:3C,ip=192.168.16.152/24,ip6=auto,type=veth
onboot: 1
ostype: ubuntu
protection: 1
rootfs: SM1DDC1:vm-109-disk-0,size=500G
searchdomain: frm-intranet16
swap: 4096
unprivileged: 1

 

[fiona]

Hi,
quoting the original error:

hola, después de instalar el kernel 6.11 no inician los LXC, probé generar uno nuevo pero tuve el mismo error

cgfsng_setup_limits_legacy: 3442 No such file or directory - Failed to set "memory.limit_in_bytes" to "536870912"
lxc_spawn: 1802 Failed to setup cgroup limits for container "122"
TASK ERROR: startup for container '122' failed

Please also post the output of pveversion -v and cat /proc/cmdline. Did you reboot after installing the new kernel? Are there any additional messages in the system log/journal? Can you share the output of pct start 122 --debug?

 

[ram75]

Buen día

Server IBM Blade HS22 (Type 7870)
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2 Sockets)
96GB RAM

Linux blade1 6.11.0-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.11.0-1 (2024-10-23T15:32Z) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Nov 4 08:44:54 -03 2024 from 2801:1e:4007:127::146 on pts/0

root@blade1:~# pveversion -v
proxmox-ve: 8.2.0 (running kernel: 6.11.0-1-pve)
pve-manager: 8.2.7 (running version: 8.2.7/3e0176e6bb2ade3b)
proxmox-kernel-helper: 8.1.0
proxmox-kernel-6.11.0-1-pve-signed: 6.11.0-1
proxmox-kernel-6.11: 6.11.0-1
proxmox-kernel-6.8: 6.8.12-3
proxmox-kernel-6.8.12-3-pve-signed: 6.8.12-3
proxmox-kernel-6.5.13-6-pve-signed: 6.5.13-6
proxmox-kernel-6.5: 6.5.13-6
ceph-fuse: 18.2.4-pve3
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx9
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-4
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.5.1
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.4
libpve-access-control: 8.1.4
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.8
libpve-cluster-perl: 8.0.8
libpve-common-perl: 8.2.5
libpve-guest-common-perl: 5.1.4
libpve-http-server-perl: 5.1.2
libpve-network-perl: 0.9.8
libpve-rs-perl: 0.8.10
libpve-storage-perl: 8.2.5
libqb0: 1.0.5-1
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.4.0-4
proxmox-backup-client: 3.2.7-1
proxmox-backup-file-restore: 3.2.7-1
proxmox-firewall: 0.5.0
proxmox-kernel-helper: 8.1.0
proxmox-mail-forward: 0.2.3
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.7
proxmox-widget-toolkit: 4.2.4
pve-cluster: 8.0.8
pve-container: 5.2.0
pve-docs: 8.2.3
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.2
pve-firewall: 5.0.7
pve-firmware: 3.14-1
pve-ha-manager: 4.0.5
pve-i18n: 3.2.4
pve-qemu-kvm: 9.0.2-3
pve-xtermjs: 5.3.0-3
qemu-server: 8.2.4
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.6-pve1

#############################################################################################

root@blade1:~# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.11.0-1-pve root=/dev/mapper/pve-root ro systemd.unified_cgroup_hierarchy=0 quiet

#############################################################################################

root@blade1:~# pct start 122 --debug
cgfsng_setup_limits_legacy: 3442 No such file or directory - Failed to set "memory.limit_in_bytes" to "536870912"
lxc_spawn: 1802 Failed to setup cgroup limits for container "122"
__lxc_start: 2114 Failed to spawn container "122"
sm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver AppArmor
INFO utils - ../src/lxc/utils.c:run_script_argv:587 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "122", config section "lxc"
INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1498 - Running privileged, not using a systemd unit
DEBUG seccomp - ../src/lxc/seccomp.carse_config_v2:664 - Host native arch is [3221225534]
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "reject_force_umount # comment this to allow umount -f; not recommended"
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "[all]"
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "kexec_load errno 1"
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "open_by_handle_at errno 1"
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[304pen_by_handle_at] action[327681:errno] arch[0]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304pen_by_handle_at] action[327681:errno] arch[1073741827]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304pen_by_handle_at] action[327681:errno] arch[1073741886]
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "init_module errno 1"
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "finit_module errno 1"
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "delete_module errno 1"
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "ioctl errno 1 [1,0x9400,SCMP_CMP_MASKED_EQ,0xff00]"
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:555 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[16:ioctl] action[327681:errno] arch[0]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:555 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741827]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:555 - arg_cmp[0]: SCMP_CMP(1, 7, 65280, 37888)
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[16:ioctl] action[327681:errno] arch[1073741886]
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:815 - Processing "keyctl errno 38"
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[250:keyctl] action[327718:errno] arch[0]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[250:keyctl] action[327718:errno] arch[1073741827]
INFO seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[250:keyctl] action[327718:errno] arch[1073741886]
INFO seccomp - ../src/lxc/seccomp.carse_config_v2:1036 - Merging compat seccomp contexts into main context
INFO start - ../src/lxc/start.c:lxc_init:882 - Container "122" is initialized
INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1669 - The monitor process uses "lxc.monitor/122" as cgroup
DEBUG storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
DEBUG storage - ../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_setup_limits_legacy:3449 - Limits for the legacy cgroup hierarchies have been setup
INFO cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1777 - The container process uses "lxc/122/ns" as inner and "lxc/122" as limit cgroup
INFO start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWUSER
INFO start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWNS
INFO start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWPID
INFO start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWUTS
INFO start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWIPC
DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved user namespace via fd 69 and stashed path as user:/proc/4518/fd/69
DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved mnt namespace via fd 70 and stashed path as mnt:/proc/4518/fd/70
DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved pid namespace via fd 71 and stashed path as pid:/proc/4518/fd/71
DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved uts namespace via fd 72 and stashed path as uts:/proc/4518/fd/72
DEBUG start - ../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved ipc namespace via fd 73 and stashed path as ipc:/proc/4518/fd/73
DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newuidmap" does have the setuid bit set
DEBUG idmap_utils - ../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary "/usr/bin/newgidmap" does have the setuid bit set
DEBUG idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap binary found
ERROR cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_setup_limits_legacy:3442 - No such file or directory - Failed to set "memory.limit_in_bytes" to "536870912"
ERROR start - ../src/lxc/start.c:lxc_spawn:1802 - Failed to setup cgroup limits for container "122"
DEBUG network - ../src/lxc/network.c:lxc_delete_network:4217 - Deleted network devices
ERROR start - ../src/lxc/start.c:__lxc_start:2114 - Failed to spawn container "122"
WARN start - ../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL via pidfd 68 for process 4558
startup for container '122' failed
root@blade1:~#

 

[ram75]

log/journal

nov 04 08:46:56 blade1 pct[4496]: <root@pam> starting task UPID:blade1:00001191:00016211:6728B430:vzstart:122:root@pam:
nov 04 08:46:56 blade1 pct[4497]: starting CT 122: UPID:blade1:00001191:00016211:6728B430:vzstart:122:root@pam:
nov 04 08:46:57 blade1 systemd[1]: Starting systemd-tmpfiles-clean.service - Cleanup of Temporary Directories...
nov 04 08:46:57 blade1 systemd[1]: systemd-tmpfiles-clean.service: Deactivated successfully.
nov 04 08:46:57 blade1 systemd[1]: Finished systemd-tmpfiles-clean.service - Cleanup of Temporary Directories.
nov 04 08:46:57 blade1 systemd[1]: run-credentials-systemd\x2dtmpfiles\x2dclean.service.mount: Deactivated successfully.
nov 04 08:46:57 blade1 systemd[1]: Created slice system-pve\x2dcontainer\x2ddebug.slice - Slice /system/pve-container-debug.
nov 04 08:46:57 blade1 systemd[1]: Started pve-container-debug@122.service - PVE LXC Container: 122.
nov 04 08:46:59 blade1 kernel: EXT4-fs (dm-20): mounted filesystem ed0ef53a-32a3-4291-b1ac-cfe59397feb9 r/w with ordered data mode. Quota mode: none.
nov 04 08:47:00 blade1 audit[4557]: AVC apparmor="STATUS" operation="profile_load" profile="/usr/bin/lxc-start" name="lxc-122_</var/lib/lxc>" pid=4557 comm="apparmor_parser"
nov 04 08:47:00 blade1 kernel: audit: type=1400 audit(1730720820.380:32): apparmor="STATUS" operation="profile_load" profile="/usr/bin/lxc-start" name="lxc-122_</var/lib/lxc>" pid=455>
nov 04 08:47:00 blade1 pct[4497]: startup for container '122' failed
nov 04 08:47:00 blade1 pct[4496]: <root@pam> end task UPID:blade1:00001191:00016211:6728B430:vzstart:122:root@pam: startup for container '122' failed
nov 04 08:47:01 blade1 audit[4564]: AVC apparmor="STATUS" operation="profile_remove" profile="/usr/bin/lxc-start" name="lxc-122_</var/lib/lxc>" pid=4564 comm="apparmor_parser"
nov 04 08:47:01 blade1 kernel: audit: type=1400 audit(1730720821.003:33): apparmor="STATUS" operation="profile_remove" profile="/usr/bin/lxc-start" name="lxc-122_</var/lib/lxc>" pid=4>
nov 04 08:47:01 blade1 pvestatd[1663]: unable to get PID for CT 122 (not running?)
nov 04 08:47:02 blade1 kernel: EXT4-fs (dm-20): unmounting filesystem ed0ef53a-32a3-4291-b1ac-cfe59397feb9.
nov 04 08:47:02 blade1 systemd[1]: pve-container-debug@122.service: Main process exited, code=exited, status=1/FAILURE
nov 04 08:47:02 blade1 systemd[1]: pve-container-debug@122.service: Failed with result 'exit-code'.

 

[fiona]

When using the systemd.unified_cgroup_hierarchy=0 kernel parameter, I can reproduce the issue. Do you still need that one for legacy containers with too old systemd or is this a left-over? See: https://pve.proxmox.com/pve-docs/chapter-pct.html#pct_cgroup

 

[ram75]

Ok, ya funciona todo.

Estaba usando el proxmox-kernel-6.5: 6.5.13-6 ya que el proxmox-kernel-6.8 falla con la controladora SAS

 

[fiona]

For reference, a fix has been proposed on the mailing list: https://lore.proxmox.com/pve-devel/20241105132719.192486-1-f.ebner@proxmox.com/T/#u

 

[t.lamprecht]

The fix has been applied and the next future 6.11 build will include CGroup v1 support again.

But please note that Proxmox VE 8 will be the last PVE version to support the deprecated legacy CGroup v1 version. PVE 9 (due later next year) won't be able to support v1 anymore as too much crucial and fundamental software removed support completely over the last years.