LXC unprivileged container journal and other services failed to start

PhilipZ

Hello,
Long-time reader, first-time poster.
I have upgraded to the latest Proxmox VE 9.1.4 and installed an unprivileged LXC container from the template debian-13-standard_13.1-2_amd64.tar.zst. Because this container will only run an LDAP server, I switched off nesting while preparing the container. After starting the container, the first strange thing (for me) was that the console (from the web interface) showed a black screen. Because the IPv4 address was static, I logged in to the container with ssh. In the beginning I did not pay attention to the services that were not working, but after the first start of slapd I received an error and tried to open journalctl, without success. Then I checked with
Code:
systemctl --failed
and found
Code:
root@debian13:~# systemctl --failed
  UNIT                                     LOAD   ACTIVE SUB    DESCRIPTION
● dev-mqueue.mount                         loaded failed failed POSIX Message Queue File System
● run-lock.mount                           loaded failed failed Legacy Locks Directory /run/lock
● tmp.mount                                loaded failed failed Temporary Directory /tmp
● console-getty.service                    loaded failed failed Console Getty
● container-getty@1.service                loaded failed failed Container Getty on /dev/tty1
● container-getty@2.service                loaded failed failed Container Getty on /dev/tty2
● nscd.service                             loaded failed failed Name Service Cache Daemon
● systemd-journal-flush.service            loaded failed failed Flush Journal to Persistent Storage
● systemd-journald.service                 loaded failed failed Journal Service
● systemd-network-generator.service        loaded failed failed Generate network units from Kernel command line
● systemd-networkd.service                 loaded failed failed Network Configuration
● systemd-sysctl.service                   loaded failed failed Apply Kernel Variables
● systemd-tmpfiles-setup-dev-early.service loaded failed failed Create Static Device Nodes in /dev gracefully
● systemd-tmpfiles-setup-dev.service       loaded failed failed Create Static Device Nodes in /dev
● systemd-tmpfiles-setup.service           loaded failed failed Create System Files and Directories
● systemd-udev-load-credentials.service    loaded failed failed Load udev Rules from Credentials
● systemd-journald-dev-log.socket          loaded failed failed Journal Socket (/dev/log)
● systemd-journald.socket                  loaded failed failed Journal Sockets
● systemd-networkd.socket                  loaded failed failed Network Service Netlink Socket

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

19 loaded units listed.

After searching the net and the Proxmox forum, I decided to try turning on nesting and BAM - all the failed services started running and the console in the web interface immediately showed me a login prompt.
Working config:
Code:
root@pve3:/sys# pct config 602
arch: amd64
cores: 1
features: nesting=1
hostname: debian13
memory: 512
net0: name=eth0,bridge=vmbr0,gw=192.168.1.1,hwaddr=xx:xx:xx:xx:xx:xx,ip=192.168.1.122/24,type=veth
ostype: debian
rootfs: local-ssd:subvol-602-disk-0,size=2G
swap: 512
unprivileged: 1

Code:
root@pve3:/sys# pveversion
pve-manager/9.1.4/5ac30304265fbd8e (running kernel: 6.17.4-2-pve)

I prefer to keep nesting=0. Can you advise me how, or what to do, to make all services in the container work when nesting=0?
 
I prefer to keep nesting=0. Can you advise me how, or what to do, to make all services in the container work when nesting=0?
Use an older container template with an older systemd version that does not require nesting. Or use a container template that does not use systemd like Devuan.
 
Use an older container template with an older systemd version that does not require nesting. Or use a container template that does not use systemd like Devuan.
How much older should the Debian template be? Before this container I tested debian-12-turnkey-openldap_18.1-1_amd64.tar.gz, and there were also non-working services there when nesting=1, but not as many. I prefer to stay on Debian if possible. Other options? Where can I find more info about nesting and the systemd version? Is there a relation between the kernel version and this issue? I can go back to 6.14.11-5-pve or 6.14.11-4-pve.
 
Where can I find more info about nesting and the systemd version?
I don't know exactly but it has been discussed several times on this forum.
Is there a relation between the kernel version and this issue? I can go back to 6.14.11-5-pve or 6.14.11-4-pve.
No, it's related to the systemd version inside the container (template/OS).
I prefer to stay on Debian if possible. Other options?
Yes, keep nesting, which is enabled by default, enabled: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pct_general . Or run a VM instead of a container.

If you insist on not using the feature that Proxmox added because modern templates require it then that's fine with me, but you will have issues with most templates (now and even more so in the future). And I don't know the work-arounds or fixes or which older version still works. Eventually, all old templates will break since they are not fully independent of the host kernel like a VM.
 
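An added example, not part of any post in this thread: a shell helper that reads `pct config` output and reports the `unprivileged` and `nesting` settings discussed above, so containers running with nesting off can be listed on a host before a template upgrade. The function names are hypothetical, and keys missing from the config are assumed to default to 0.

```shell
#!/bin/sh
# Added example (not from the thread): report the unprivileged/nesting
# settings of a container from the text printed by `pct config <vmid>`.

# Reads `pct config` output on stdin, prints "unprivileged=<0|1> nesting=<0|1>".
# Assumption: a key that is absent from the config counts as 0.
lxc_flags() {
    awk '
        /^unprivileged:/ { unpriv = $2 }
        /^features:/ {
            sub(/^features:[ \t]*/, "")
            n = split($0, opt, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^nesting=/) nest = substr(opt[i], 9)
        }
        END { printf "unprivileged=%d nesting=%d\n", unpriv + 0, nest + 0 }
    '
}

# Prints a one-line verdict for the container config on stdin.
nesting_verdict() {
    case "$(lxc_flags)" in
        *nesting=1*) echo "nesting on: same setting as the working config" ;;
        *) echo "nesting off: systemd units may fail as in this thread" ;;
    esac
}

# Constructed sample: the working config from the thread, features line removed.
SAMPLE_NO_NESTING='arch: amd64
hostname: debian13
ostype: debian
unprivileged: 1'
printf '%s\n' "$SAMPLE_NO_NESTING" | nesting_verdict

# On a Proxmox VE host, list the flags of every container.
# Skipped automatically on machines where pct is not installed.
if command -v pct >/dev/null 2>&1; then
    pct list | awk 'NR > 1 { print $1 }' | while read -r vmid; do
        printf '%s %s\n' "$vmid" "$(pct config "$vmid" | lxc_flags)"
    done
fi
```
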