[pkg-lxc-devel] Bug#1116615: Bug#1116615: Unprivileged containers using veth have stopped working after upgrading from bookworm to trixie

Mathias Gibbens gibmat at debian.org
Sun Oct 26 18:08:09 GMT 2025


control: tags -1 + moreinfo

Hi Linas,

On Mon, 2025-09-29 at 01:32 -0500, Linas Vepstas wrote:
> Unprivileged lxc containers using veth will not start after upgrade
> from bookworm to trixie.

  I think there must be something specific to your setup and/or
container configuration, as I can successfully start an unprivileged
trixie container using the steps below, both on a clean bookworm VM
upgraded to trixie after the container is created/started, as well as a
clean trixie VM.

> $ sudo apt install lxc
> $ echo "$(id -un) veth lxcbr0 10" | sudo tee -a /etc/lxc/lxc-usernet
> 
> $ cat ~/.config/lxc/default.conf
> lxc.include = /etc/lxc/default.conf
> 
> lxc.apparmor.profile = unconfined
> 
> lxc.idmap = u 0 100000 65536
> lxc.idmap = g 0 100000 65536
> 
> $ cat /etc/lxc/default.conf
> lxc.net.0.type = veth
> lxc.net.0.link = lxcbr0
> lxc.net.0.flags = up
> 
> lxc.apparmor.profile = generated
> lxc.apparmor.allow_nesting = 1
> 
> $ chmod +x ~/ ~/.local/ ~/.local/share/
> 
> $ lxc-create trixie -t download -- -d debian -r trixie -a amd64
> 
> $ lxc-unpriv-start trixie

  As you can see, the default configuration for lxc in Debian is to
set up a veth-backed NIC for each container.

  It would be useful if you could try creating a minimal container on
the same host system using the above steps to see if you encounter the
same issue starting a fresh container. If so, I would look at your
sub{u,g}id mappings or other local changes to the configuration files
under /usr/share/lxc/config/. If the fresh container starts up, that
points to an issue in the existing container's configuration.

Mathias
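
Added example (not part of the original message or of the Debian lxc packaging): an offline check that the lxc.idmap ranges in a container config fall inside the user's sub{u,g}id delegation and that lxc-usernet grants a veth on the bridge. The function names and the user "alice" are hypothetical, and the sample files are constructed from the values quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical. All checks are offline file reads.

# idmap_covered USER KIND CONF SUBIDFILE   (KIND: u -> subuid file, g -> subgid file)
# Succeeds only if CONF has at least one "lxc.idmap = KIND ns host range" line and
# each one fits inside a "USER:start:count" delegation. lxc.include is not followed.
idmap_covered() {
    awk -v user="$1" -v kind="$2" '
        FILENAME == ARGV[1] {                 # delegations from the subid file
            split($0, f, ":")
            if (f[1] == user) { n++; lo[n] = f[2] + 0; hi[n] = f[2] + f[3] }
            next
        }
        { gsub(/=/, " = ") }                  # tolerate "key=value" spacing
        $1 == "lxc.idmap" && $2 == "=" && $3 == kind {
            seen = 1; ok = 0
            for (i = 1; i <= n; i++)
                if ($5 + 0 >= lo[i] && $5 + $6 <= hi[i]) ok = 1
            if (!ok) { print "outside delegation: " kind " " $5 " +" $6; bad = 1 }
        }
        END { exit (bad || !seen) ? 1 : 0 }
    ' "$4" "$3"
}

# usernet_allows USER TYPE BRIDGE FILE
# Succeeds if FILE ("user type bridge count" per line) grants USER at least one
# interface of TYPE on BRIDGE. "@group" entries are not evaluated here.
usernet_allows() {
    awk -v user="$1" -v type="$2" -v br="$3" '
        $1 == user && $2 == type && $3 == br && $4 + 0 > 0 { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$4"
}

# demo: run the checks on constructed files mirroring the values in the message.
demo() {
    d=$(mktemp -d) || return 1
    printf 'lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n' > "$d/conf"
    printf 'alice:100000:65536\n' > "$d/subuid"      # covers the 65536-wide map
    printf 'alice:100000:1000\n' > "$d/subgid"       # narrower than the map
    printf 'alice veth lxcbr0 10\n' > "$d/usernet"
    idmap_covered alice u "$d/conf" "$d/subuid" && echo "uid map: ok"
    idmap_covered alice g "$d/conf" "$d/subgid" || echo "gid map: not delegated"
    usernet_allows alice veth lxcbr0 "$d/usernet" && echo "veth quota: ok"
    rm -rf "$d"
}
demo
```

On a real host the same functions can be pointed at ~/.config/lxc/default.conf (or the container's own config), /etc/subuid, /etc/subgid and /etc/lxc/lxc-usernet with "$(id -un)" as USER.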