Privileged LXC Container / Change Attributes Solved in 9.1.1

DBarry

Feb 10, 2026
[SOLVED] Samba AD DC LXC Container won't start after reboot
Solution: .pve-ignore instead of chattr +i + nesting=1 required




Introduction (for everyone switching over and for new users)

For everyone switching over and for new users - here is a solution to a common problem!

Hey everyone!

After several days of debugging, I want to spare you the same pain.
If you run Proxmox 9.x and try to set up a Samba AD DC in an LXC container, you will most likely run into two annoying problems that are not well documented anywhere.

Both problems have simple solutions once you know the cause!

⚠️ IMPORTANT TIP: Please DO NOT update from Proxmox 9.1.1 to 9.1.5!
Version 9.1.5 ships with kernel 6.17.9, which has a confirmed bug (Bugzilla #7271) that completely breaks LXC container start after a reboot, regardless of the configuration.
Stay on 9.1.1 (kernel 6.17.2) until a fix is released!

"I WROTE THE GUIDE IN ENGLISH BECAUSE THAT'S COOLER FOR EVERYONE!!! TO ANYONE WHO COMPLAINS: GUYS IT'S FCKING 2026, GET YOUR SHIT DONE!!!"




Environment

  • Proxmox VE: 9.1.1
  • Kernel: 6.17.2-1-pve
  • Container OS: Ubuntu 24.04 LTS
  • pve-container: 6.0.18
  • Use case: Samba 4 Active Directory Domain Controller in LXC



PROBLEM 1: Privileged LXC Container has no network / IP after creation

When creating a privileged LXC container (unprivileged: 0) with Ubuntu 24.04, the network interface eth0 stays DOWN and no IP address is assigned.

Container config:
Bash:
unprivileged: 0
(no features set)

Result:
Bash:
2: eth0@if21: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN

Root Cause:
Ubuntu 24.04 requires nesting=1 to properly start systemd-networkd.
Without nesting, /proc and /sys are restricted by AppArmor, which prevents systemd-networkd from setting up its mount namespaces and bringing up the network.

✅ SOLUTION:
Bash:
# Via CLI:
pct set 101 --features nesting=1

# Or in /etc/pve/lxc/101.conf:
features: nesting=1

NOTE: The Proxmox GUI does NOT allow enabling nesting for privileged containers during creation - you MUST set it via CLI or config file!

Final working config:
Bash:
unprivileged: 0
features: nesting=1



PROBLEM 2: LXC Container won't start after reboot

After a full Samba AD DC installation, the container fails to start after any reboot with this error:

Bash:
run_buffer: 571 Script exited with status 1
lxc_init: 845 Failed to run lxc.hook.pre-start for container "101"
__lxc_start: 2046 Failed to initialize container "101"
TASK ERROR: startup for container '101' failed

Root Cause:
Using chattr +i to protect system files prevents Proxmox's lxc-pve-prestart-hook from running successfully during container startup.

The following files with chattr +i KILL the container on reboot:
  • /etc/hostname → chattr +i = BREAKS reboot!
  • /etc/hosts → chattr +i = BREAKS reboot!
  • /etc/resolv.conf → chattr +i = BREAKS reboot!

Many Samba AD DC guides recommend using chattr +i to prevent Proxmox from overwriting these files. This is WRONG for LXC containers on Proxmox 9.x!

✅ SOLUTION:

Instead of chattr +i, use Proxmox's built-in ignore mechanism:

Bash:
touch /etc/.pve-ignore.hostname
touch /etc/.pve-ignore.hosts
touch /etc/.pve-ignore.resolv.conf

These empty files tell Proxmox to NOT overwrite the corresponding system files - without breaking the container startup!

Works in Proxmox 8.x AND 9.x! ✅
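Both problems above can be caught before a reboot does. The following POSIX shell script is an added example and is not code from the post or from the Proxmox project: it parses a pct config for the nesting feature (Problem 1) and checks a rootfs for the .pve-ignore marker files and for immutable files (Problem 2). The paths and the two sample configs it constructs in its demo are assumptions; on a real host the config is /etc/pve/lxc/<vmid>.conf (the post uses 101), and the marker check would be pointed at the container's own /etc. Keep in mind that nesting on a privileged container exposes the host's procfs and sysfs contents to the guest (the trade-off Problem 1 accepts), so the audit also reports whether the container is privileged.

```shell
#!/bin/sh
# Added example (not from the post): audit an LXC container for the two
# pitfalls described above. Assumed paths: the pct config
# (/etc/pve/lxc/<vmid>.conf on a real host) and the container rootfs.
set -eu

# Files that lxc-pve-prestart-hook regenerates in the guest's /etc unless a
# matching /etc/.pve-ignore.<name> marker file exists.
PVE_MANAGED_FILES="hostname hosts resolv.conf"

# Exit 0 when the config's features line contains nesting=1 in any position,
# e.g. "features: nesting=1" or "features: keyctl=1,nesting=1".
ct_has_nesting() {
    grep -Eq '^features:( |.*,)nesting=1(,|[[:space:]]*$)' "$1"
}

# Exit 0 when the container is privileged. No "unprivileged:" line means
# privileged, which is the pct default.
ct_is_privileged() {
    ! grep -Eq '^unprivileged:[[:space:]]*1' "$1"
}

# Print every managed file under $1/etc that lacks its .pve-ignore marker.
# Exit 0 when all three are covered, 1 otherwise.
missing_pve_ignore() {
    rootfs=$1; rc=0
    for f in $PVE_MANAGED_FILES; do
        if [ ! -e "$rootfs/etc/.pve-ignore.$f" ]; then
            echo "$rootfs/etc/$f: no marker, will be overwritten at start (touch $rootfs/etc/.pve-ignore.$f)"
            rc=1
        fi
    done
    return $rc
}

# Print managed files that carry the immutable (chattr +i) attribute.
# lsattr needs an ext-style filesystem; elsewhere it fails and nothing is listed.
immutable_managed_files() {
    rootfs=$1
    for f in $PVE_MANAGED_FILES; do
        attrs=$(lsattr -d "$rootfs/etc/$f" 2>/dev/null) || continue
        case ${attrs%% *} in *i*) echo "$rootfs/etc/$f" ;; esac
    done
}

# Full audit: prints findings, exits 0 only when both pitfalls are avoided.
audit_container() {
    conf=$1; rootfs=$2; status=0
    if ! ct_has_nesting "$conf"; then
        if ct_is_privileged "$conf"; then kind=privileged; else kind=unprivileged; fi
        echo "$conf: $kind container without nesting=1 (pct set <vmid> --features nesting=1)"
        status=1
    fi
    missing_pve_ignore "$rootfs" || status=1
    immutable=$(immutable_managed_files "$rootfs")
    if [ -n "$immutable" ]; then
        echo "immutable files that make lxc.hook.pre-start exit 1 (use .pve-ignore instead):"
        echo "$immutable"
        status=1
    fi
    return $status
}

# Constructed demo data so the script runs offline: a "before" config like the
# one in Problem 1, the fixed "after" config, and a rootfs that gains markers.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/rootfs/etc"
    printf 'unprivileged: 0\nhostname: SambaADDC\n' > "$d/before.conf"
    printf 'unprivileged: 0\nfeatures: nesting=1\n' > "$d/after.conf"
    echo "--- before ---"
    if ! audit_container "$d/before.conf" "$d/rootfs"; then echo "audit FAILED (expected)"; fi
    for f in $PVE_MANAGED_FILES; do touch "$d/rootfs/etc/.pve-ignore.$f"; done
    echo "--- after ---"
    if audit_container "$d/after.conf" "$d/rootfs"; then echo "audit passed"; fi
    rm -rf "$d"
}

# Run the demo when invoked as "sh audit_ct.sh demo"; otherwise the functions
# are available for sourcing, e.g. audit_container /etc/pve/lxc/101.conf /path/to/rootfs
if [ "${1:-}" = demo ]; then demo; fi
```

The immutable-file check is best effort: on a host where the rootfs is an LVM volume, run it against the mounted volume, or source the functions inside the container and audit "/" for the marker and chattr checks only.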



COMPLETE WORKING SETUP FOR SAMBA AD DC ON UBUNTU 24.04 LXC

Step 1: Create container (Proxmox Host)

Bash:
pct create 101 local:vztmpl/ubuntu-24.04-standard_24.04-2_amd64.tar.zst \
  --hostname SambaADDC \
  --memory 4096 \
  --swap 512 \
  --cores 2 \
  --rootfs local-lvm:20 \
  --net0 name=eth0,bridge=vmbr0,ip=192.168.1.111/24,gw=192.168.1.1 \
  --nameserver 192.168.1.1 \
  --unprivileged 0 \
  --features nesting=1

pct start 101

Step 2: Set hostname (inside container)
Bash:
hostnamectl set-hostname dc1.yourdomain.local

nano /etc/hosts
# Add: 192.168.1.111  dc1.yourdomain.local dc1

# Use .pve-ignore instead of chattr +i !!!
touch /etc/.pve-ignore.hostname
touch /etc/.pve-ignore.hosts

Step 3: Configure resolv.conf
Bash:
nano /etc/resolv.conf
# Content:
#   nameserver 127.0.0.1
#   nameserver 8.8.8.8
#   search yourdomain.local

# Use .pve-ignore instead of chattr +i !!!
touch /etc/.pve-ignore.resolv.conf

Step 4: Disable systemd-resolved stub listener
Bash:
mkdir -p /etc/systemd/resolved.conf.d/
cat > /etc/systemd/resolved.conf.d/samba.conf << EOF
[Resolve]
DNSStubListener=no
EOF

systemctl restart systemd-resolved

Step 5: Install & configure Samba
Bash:
apt install -y samba smbclient winbind krb5-user krb5-config \
  libpam-winbind libnss-winbind dnsutils net-tools

systemctl disable --now smbd nmbd winbind
systemctl mask smbd nmbd winbind

rm -f /etc/samba/smb.conf
samba-tool domain provision --use-rfc2307 --interactive

# Add to [global] in /etc/samba/smb.conf:
#   interfaces = lo YOUR.IP.HERE/24
#   bind interfaces only = yes

cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl unmask samba-ad-dc
systemctl enable --now samba-ad-dc



KEY TAKEAWAYS

  1. Ubuntu 24.04 LXC (privileged OR unprivileged) REQUIRES nesting=1 → Without it: no network, systemd-networkd fails to start
  2. NEVER use "chattr +i" on /etc/hostname, /etc/hosts, /etc/resolv.conf in LXC containers on Proxmox 9.x! → Use touch /etc/.pve-ignore.<filename> instead!
  3. Do NOT update to Proxmox 9.1.5! Kernel 6.17.9 breaks LXC container reboot (Bugzilla #7271)



Tested on:
  • Proxmox VE: 9.1.1
  • Kernel: 6.17.2-1-pve
  • pve-container: 6.0.18
  • Ubuntu: 24.04 LTS
  • Samba: 4.19.5-Ubuntu
  • Date: February 2026

Hope this helps! Feel free to ask questions.