I've been experimenting with LXC containers and ran into some misbehaviour that I think is down to the provided templates. There seem to be a couple of workrounds available but I thought I'd dump what I know in case this is worth addressing.
I have a couple of Proxmox 8 nodes and created an LXC container using the debian-12-standard_12.2-1_amd64.tar.zst template. I set the container to be unprivileged and to NOT support nesting.
The resulting container starts up fine, but takes 15 to 25 seconds to log in, every time, either on its console or over SSH. This seems to be due to the systemd-logind.service repeatedly failing; once its retry counter is exhausted the login succeeds anyway. The proximate cause of the failure seems to be some permissions failures related to namespaces:
Code:
Jan 02 16:41:25 pihole systemd[1]: Starting systemd-logind.service - User Login Management...
Jan 02 16:41:25 pihole (d-logind)[89509]: systemd-logind.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied
Jan 02 16:41:25 pihole (d-logind)[89509]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Jan 02 16:41:25 pihole systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
...
Jan 02 16:41:25 pihole systemd[1]: Failed to start systemd-logind.service - User Login Management.
Jan 02 16:41:50 pihole dbus-daemon[90]: [system] Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
Jan 02 16:41:50 pihole sshd[89498]: pam_systemd(sshd:session): Failed to create session: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
A ton of googling around got me the first, rather undesirable, workround: this problem goes away if you set the container to allow nesting. As I understand it, this is giving the container permission to trudge around in the host's /proc and /sys directories, so I don't like that very much; it seems unnecessary for a basic container.
Some more googling led me to the fact that in the equivalent templates from linuxcontainers.org there's a file /etc/systemd/system-generators/lxc put there by the distrobuilder utility which appears to set systemd up for an LXC environment. Those templates don't show this issue (although using them with Proxmox means manually configuring networking, as the Proxmox setup code for Debian is incompatible with what they use) and if I import that file from one of those other templates into my container and reboot it then the issue goes away even if nesting is not enabled. This is the fix I'm using now.
Some questions: first, is this expected behaviour in some way or worth reporting as a bug in the template? If so, where would I do that?
Is the build process for the Proxmox-supplied templates visible somewhere? I didn't find a GitHub repository for this, although I did manage to find things like the Debian-specific setup code.
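An added example, not part of the original post: a small Python triage script that scans journal output for units exiting with status 226/NAMESPACE and measures how long the D-Bus activation timeout that follows stalls a login. The sample input is the log excerpt quoted in the post; the function, regex and variable names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample input: journal lines as quoted in the post above.
SAMPLE = """\
Jan 02 16:41:25 pihole systemd[1]: Starting systemd-logind.service - User Login Management...
Jan 02 16:41:25 pihole (d-logind)[89509]: systemd-logind.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied
Jan 02 16:41:25 pihole (d-logind)[89509]: systemd-logind.service: Failed at step NAMESPACE spawning /lib/systemd/systemd-logind: Permission denied
Jan 02 16:41:25 pihole systemd[1]: systemd-logind.service: Main process exited, code=exited, status=226/NAMESPACE
Jan 02 16:41:25 pihole systemd[1]: Failed to start systemd-logind.service - User Login Management.
Jan 02 16:41:50 pihole dbus-daemon[90]: [system] Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
Jan 02 16:41:50 pihole sshd[89498]: pam_systemd(sshd:session): Failed to create session: Failed to activate service 'org.freedesktop.login1': timed out (service_start_timeout=25000ms)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ [^:]+: (.*)$")
MOUNT = re.compile(r"^(\S+\.service): Failed to set up mount namespacing: (\S+): ")
EXIT = re.compile(r"^(\S+\.service): Main process exited, .*status=226/NAMESPACE")
TIMEOUT = re.compile(r"Failed to activate service '([^']+)': timed out")


def analyze(journal_text):
    """Find units dying at step NAMESPACE and the D-Bus stall that follows."""
    units = {}   # unit -> first failure time, 226 exit count, denied path
    stalls = {}  # bus name -> seconds from first failure to activation timeout
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog-style stamps carry no year; a fixed one is assumed for deltas.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (hit := MOUNT.match(msg)):
            info = units.setdefault(hit.group(1), {"first": ts, "exits": 0})
            info.setdefault("denied_path", hit.group(2))
        elif (hit := EXIT.match(msg)):
            units.setdefault(hit.group(1), {"first": ts, "exits": 0})["exits"] += 1
        elif (hit := TIMEOUT.search(msg)) and units:
            first = min(u["first"] for u in units.values())
            stalls.setdefault(hit.group(1), int((ts - first).total_seconds()))
    return units, stalls


if __name__ == "__main__":
    units, stalls = analyze(SAMPLE)
    for name, info in units.items():
        print(f"{name}: {info['exits']} exit(s) with 226/NAMESPACE, "
              f"denied at {info.get('denied_path', 'unknown')}")
    for bus, secs in stalls.items():
        print(f"{bus}: activation timed out {secs}s after the first failure")
```

Running the same function over the journal text after a change shows whether the NAMESPACE failures and the activation stall are actually gone, rather than relying on how the login feels.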