Hi! I recently upgraded my OpenWrt version (skipping quite a few versions in the process) and re-created my lxc containers. At one point, running systemctl status in my container returned 'degraded', which was because the user@1000.service had failed. The exact error message was:
Apr 03 05:33:49 test systemd[128]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Apr 03 05:33:49 test systemd[128]: Failed to allocate manager object: Permission denied
Googling this error set me on a wild goose chase involving very old versions of lxc and updates to the systemd control group interface. That didn't help me fix the issue. Instead, by chance, I noticed that the issue goes away if I start the container from the command line with lxc-start test instead of starting it from the plugin in LuCI.
To reproduce the issue I made a new container with Debian Bookworm (via the web app, but I did not start the container from the web app) and (after editing the configuration file to change the network bridge name to an interface that exists) ran these commands:
lxc-start test
lxc-attach test
adduser test
su test
systemctl status user@1000
This returns a normal status screen listing a PID and status: running. But if I stop the container and then start it from the web app and run
lxc-attach test
su test
systemctl status user@1000
I get the above error.
The full config of my container is:
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist debian --release bookworm --arch arm64 --server images.linuxcontainers.org
# Template script checksum (SHA-1): b27e730655b3208b5e2edcba69290c39970b4fd0
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64
# Container specific configuration
lxc.rootfs.path = dir:/data/lxc/test/rootfs
lxc.uts.name = test
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = br-lan
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:32:90:62
Maybe related, the web app does not allow me to edit the configuration file. The text area is editable, but when I click save it says "action failed!" (edit: seems this is a known bug. https://github.com/openwrt/luci/issues/6098)
and just in case it's helpful here are my uci configuration lines related to lxc:
uci show | grep lxc
lxc.lxc=lxc
lxc.lxc.url='images.linuxcontainers.org'
lxc.lxc.ssl_enabled='0'
lxc.lxc.min_space='100000'
lxc.lxc.min_temp='100000'
lxc-auto.@container[0]=container
lxc-auto.@container[0].name='redacted'
lxc-auto.@container[0].timeout='30'
lxc-auto.@container[0].lxcpath='/data/lxc'
lxc-opkg.lxc=lxc
lxc-opkg.lxc.url='images.linuxcontainers.org'
This is all on an Espressobin (mvebu/cortexa53) and my versions are: OpenWrt 24.10.0 r28427-6df0e3d02a / LuCI openwrt-24.10 branch 25.014.55016~7046a1c and luci-app-lxc is version 25.087.31282~f0a70d0.
Can anyone comment on why this might happen, or how it might be fixed?