LXC running docker fails to start after upgrade from 6.4 to 7.0

All my CTs are privileged, and unprivileged is incompatible with my CTs.
The only solution is to add:

Code:
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =

That fixes the issue.
 
Can you please provide instructions on where to add the following?
Code:
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =

Yes I can:

For LXC 100 :
edit
Code:
nano /etc/pve/lxc/100.conf
Then add the lines at the end.

Best Regards
 
An initial patch for this issue was sent to the pve-devel list for discussion:
https://lists.proxmox.com/pipermail/pve-devel/2021-July/049452.html
- once this or an improved version has been applied,
privileged containers should run successfully in legacy cgroup layouts

Code:
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =
I'd suggest removing those lines again once a working version becomes available, because this essentially allows a privileged container (=root on host) to access arbitrary devices - you lose quite a bit of the isolation of the container.
 
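As an added example (not code from the thread, and not Proxmox's own tooling), here is a small POSIX sh audit that finds privileged containers whose config still carries the empty `lxc.cgroup.devices.allow =` / `lxc.cgroup.devices.deny =` lines, so the workaround can be removed once a fixed lxc-pve is installed. It goes slightly beyond the thread by also matching the `lxc.cgroup2.` spelling of the same keys. The `/etc/pve/lxc` default is the config directory named earlier in the thread; the sample configs, container ids 102 to 104, and the `c 10:200 rwm` device rule are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Proxmox container configs for the empty
# "lxc.cgroup.devices.allow =" / "lxc.cgroup.devices.deny =" workaround.
# Default directory /etc/pve/lxc is the one used in the thread; the sample
# configs created by make_sample_dir are constructed, not real containers.

# Returns 0 if the config at $1 carries the device-cgroup workaround.
# Only a key with an EMPTY value counts; a real device rule such as
# "lxc.cgroup.devices.allow = c 10:200 rwm" is deliberately not matched.
has_device_workaround() {
    grep -Eq '^[[:space:]]*lxc\.cgroup2?\.devices\.(allow|deny)[[:space:]]*=[[:space:]]*$' "$1"
}

# Returns 0 if the config describes a privileged container, i.e. it has no
# "unprivileged: 1" line (Proxmox omits the key for privileged CTs).
is_privileged() {
    ! grep -Eq '^unprivileged:[[:space:]]*1[[:space:]]*$' "$1"
}

# Walk a directory of <vmid>.conf files (default /etc/pve/lxc) and print the
# id of every privileged container that still carries the workaround.
audit_lxc_dir() {
    dir="${1:-/etc/pve/lxc}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if is_privileged "$f" && has_device_workaround "$f"; then
            basename "$f" .conf
        fi
    done
}

# Builds a temp dir with three constructed configs and prints its path:
#   102: privileged, carries the workaround        -> should be reported
#   103: unprivileged, carries the workaround      -> ignored
#   104: privileged, has a real device rule only   -> ignored
make_sample_dir() {
    d="$(mktemp -d)"
    cat > "$d/102.conf" <<'EOF'
arch: amd64
cores: 1
hostname: xxxx
memory: 512
ostype: centos
rootfs: local:102/vm-102-disk-0.raw,size=8G
swap: 512
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =
EOF
    cat > "$d/103.conf" <<'EOF'
arch: amd64
hostname: unpriv
unprivileged: 1
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =
EOF
    cat > "$d/104.conf" <<'EOF'
arch: amd64
hostname: clean
lxc.cgroup.devices.allow = c 10:200 rwm
EOF
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed samples; on a real host call
# audit_lxc_dir with no argument to scan /etc/pve/lxc instead.
SAMPLE_DIR="$(make_sample_dir)"
audit_lxc_dir "$SAMPLE_DIR"   # prints: 102
rm -rf "$SAMPLE_DIR"
```

Run it on the host as root after upgrading lxc-pve; any id it prints is a privileged container that is still running with the device allow-list emptied, which is the isolation loss described above.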
That's good news, I'm waiting for this patch.
On my side it is mostly for running CentOS 7, not for running Docker.
 
it's already available on the `pvetest` repository:
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_test_repo

lxc-pve version 4.0.9-3

I have tried it and it does not work without

Code:
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =

Trying to run without the option (CentOS 7):

Code:
pct start 102 --debug
cgfsng_setup_limits_legacy: 2764 Bad address - Failed to set "devices.deny" to "a"
cgroup_tree_create: 808 Failed to setup legacy device limits
cgfsng_payload_create: 1171 Numerical result out of range - Failed to create container cgroup
lxc_spawn: 1644 Failed creating cgroups
__lxc_start: 2073 Failed to spawn container "102"
210720135846.376 DEBUG    seccomp - seccomp.c:parse_config_v2:656 - Host native arch is [3221225534]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "[all]"
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "kexec_load errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "open_by_handle_at errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "init_module errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "finit_module errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "delete_module errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:1017 - Merging compat seccomp contexts into main context
INFO     start - start.c:lxc_init:855 - Container "102" is initialized
INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1070 - The monitor process uses "lxc.monitor/102" as cgroup
DEBUG    storage - storage/storage.c:storage_query:233 - Detected rootfs type "dir"
ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2764 - Bad address - Failed to set "devices.deny" to "a"
ERROR    cgfsng - cgroups/cgfsng.c:cgroup_tree_create:808 - Failed to setup legacy device limits
DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1160 - Failed to create cgroup "(null)"
ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1171 - Numerical result out of range - Failed to create container cgroup
ERROR    start - start.c:lxc_spawn:1644 - Failed creating cgroups
DEBUG    network - network.c:lxc_delete_network:4180 - Deleted network devices
ERROR    start - start.c:__lxc_start:2073 - Failed to spawn container "102"
startup for container '102' failed

Code:
arch: amd64
cores: 1
hostname: xxxx
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,gw=10.10.155.254,hwaddr=DA:26:6B:E4:22:D4,ip=10.10.155.123/24,type=veth
ostype: centos
rootfs: netapp:vm-102-disk-0,size=8G
swap: 512

Trying to run without the option (CentOS 8):

Code:
pct start 101 --debug
cgfsng_setup_limits_legacy: 2764 Bad address - Failed to set "devices.deny" to "a"
cgroup_tree_create: 808 Failed to setup legacy device limits
cgfsng_payload_create: 1171 Numerical result out of range - Failed to create container cgroup
lxc_spawn: 1644 Failed creating cgroups
__lxc_start: 2073 Failed to spawn container "101"
alinux' in /etc/os-release file, trying fallback detection

DEBUG    terminal - terminal.c:lxc_terminal_peer_default:665 - No such device - The process does not have a controlling terminal
DEBUG    seccomp - seccomp.c:parse_config_v2:656 - Host native arch is [3221225534]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:do_resolve_add_rule:524 - Set seccomp rule to reject force umounts
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "[all]"
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "kexec_load errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[246:kexec_load] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[246:kexec_load] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "open_by_handle_at errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[304:open_by_handle_at] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[304:open_by_handle_at] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "init_module errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[175:init_module] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[175:init_module] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "finit_module errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[313:finit_module] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[313:finit_module] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:807 - Processing "delete_module errno 1"
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding native rule for syscall[176:delete_module] action[327681:errno] arch[0]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741827]
INFO     seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[176:delete_module] action[327681:errno] arch[1073741886]
INFO     seccomp - seccomp.c:parse_config_v2:1017 - Merging compat seccomp contexts into main context
INFO     start - start.c:lxc_init:855 - Container "101" is initialized
INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1070 - The monitor process uses "lxc.monitor/101" as cgroup
DEBUG    storage - storage/storage.c:storage_query:233 - Detected rootfs type "dir"
ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2764 - Bad address - Failed to set "devices.deny" to "a"
ERROR    cgfsng - cgroups/cgfsng.c:cgroup_tree_create:808 - Failed to setup legacy device limits
DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1160 - Failed to create cgroup "(null)"
ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1171 - Numerical result out of range - Failed to create container cgroup
ERROR    start - start.c:lxc_spawn:1644 - Failed creating cgroups
DEBUG    network - network.c:lxc_delete_network:4180 - Deleted network devices
ERROR    start - start.c:__lxc_start:2073 - Failed to spawn container "101"
startup for container '101' failed

Code:
arch: amd64
cores: 1
hostname: xxxx
memory: 512
net0: name=eth0,bridge=vmbr0,gw=10.10.155.254,hwaddr=3A:54:7B:13:7D:61,ip=10.10.155.125/24,type=veth
ostype: centos
rootfs: local:101/vm-101-disk-0.raw,size=8G
swap: 512

With "systemd.unified_cgroup_hierarchy=0" you cannot run CentOS 7:

Code:
cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.11.22-2-pve root=/dev/mapper/pve-root ro quiet systemd.unified_cgroup_hierarchy=0

PS: Without "systemd.unified_cgroup_hierarchy=0" you can run CentOS 8!

Actually my only solution is to use my tweak; if you have any other idea, I'm ready to test.

Best Regards
 
lxc-pve version 4.0.9-4 is now available in pvetest (and it fixes the issue in my environment)

sorry again for the fuzz :)
No problem. OK, I have retried and now it works without:

Code:
lxc.cgroup.devices.allow =
lxc.cgroup.devices.deny =

CentOS 7 or 8 is OK

Thanks, I appreciate not having to remove all isolation from my CTs.
 
Started to work after I upgraded from Docker 20.10.5 to 20.10.7 in my case:

Code:
user@Reverse-Proxy:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal


Code:
user@Reverse-Proxy:~$ docker --version
Docker version 20.10.7, build f0df350
user@Reverse-Proxy:~$


Something was fixed in the point release to get it working, thanks for the pointer on the docker version. Anyone having issues I recommend upgrading Docker to 20.10.7+ and using Ubuntu 18.04 or later.

Thanks for this note. Upgrading Docker was the key to getting it to work for me.
 
I had the same issue upgrading to version 7.0: my Docker containers running in an Ubuntu 20.4 LTS LXC container wouldn't start. It looks like it was the same cgroups issue. I upgraded Docker Engine to the latest version and restarted the container, and now everything is working again.
 
This problem still exists on Proxmox 7.1-8 with a Debian 11 container, trying to run LibreNMS via docker-compose.
Latest docker-ce from their repo (5:20.10.11~3-0~debian-bullseye) and docker-compose (1.25.0-1).
 
No issues running on Proxmox 7.1-8, using Debian 11, and docker-ce 20.10.12. No special modifications were done, except the usual nesting=1.
 
Found this topic again after trying to install ElastiFlow via docker-compose in LXC, so there are definitely unresolved issues.
Nesting is on in my container.

Code:
root@elastiflow:~# docker-compose up -d
Pulling flow-collector (elastiflow/flow-collector:5.3.4)...
5.3.4: Pulling from elastiflow/flow-collector
08c01a0ec47e: Pull complete
9b6b100cde37: Pull complete
096510421d7b: Pull complete
Digest: sha256:78087ccb0dab816499abbeaa13c9e994d44690184c19a970b571eff23012da4f
Status: Downloaded newer image for elastiflow/flow-collector:5.3.4
Creating flow-collector ... error

ERROR: for flow-collector Cannot start service flow-collector: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown

ERROR: for flow-collector Cannot start service flow-collector: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: process_linux.go:458: setting cgroup config for procHooks process caused: can't load program: operation not permitted: unknown
ERROR: Encountered errors while bringing up the project.