I was able to search around and find an existing issue.
https://github.com/systemd/systemd/pull/6876
The keyctl syscalls are not set up to handle namespaces, which is a
requirement of unprivileged containers. I eventually figured out the
right seccomp syntax to disable keyctl syscalls:

    2
    blacklist
    keyctl_chown errno 38
    keyctl errno 38
What I don't understand is how was this not a problem before, and why
isn't this in the default lxc config files for debian. And if this is
worth reporting to the debian packaging team.
I still have a problem starting the boinc service related to keyctl, but
the problem is resolved if I modify the systemd unit file to not switch
to the boinc user and remain as root instead.
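As an added example (not code from the thread, from LXC, or from the Debian packaging), here is a small POSIX sh script that writes the kind of seccomp policy described above, lints it against the LXC v2 policy format before a container is pointed at it, and prints the config line that attaches it. The container path, the script name and the `main` wrapper are assumptions. Two caveats a practitioner will want: errno 38 is ENOSYS on Linux, so the blocked call looks to the caller like a kernel without the syscall, which is a condition most software already handles, whereas a `kill` action would terminate the process instead; and the Linux keyring interface is three syscalls, add_key(2), request_key(2) and keyctl(2), of which this example, like the posted rule, blocks only keyctl.

```shell
#!/bin/sh
# Added example: generate and sanity-check an LXC v2 seccomp policy that
# makes keyctl(2) fail with ENOSYS inside an unprivileged container.
# The container path used by main() is an assumption; adjust for your host.

# errno 38 on Linux is ENOSYS ("Function not implemented"). Returning it
# makes callers such as systemd behave as if the kernel lacked keyctl,
# which they tolerate; a "kill" action would terminate the process instead.
ENOSYS=38

# Write the policy. LXC v2 format: line 1 is the version "2", line 2 is
# "blacklist" or "whitelist", then one "<syscall> <action> [errno]" rule
# per line, optionally grouped under per-arch headers such as [all].
write_keyctl_policy() {
  cat > "$1" <<EOF
2
blacklist
keyctl errno $ENOSYS
EOF
}

# Lint a v2 policy file: returns 0 when every line has the expected shape
# and 1 otherwise (lxc-start refuses to launch on a malformed policy).
lint_policy() {
  awk '
    { sub(/#.*/, "") }                           # strip trailing comments
    NR == 1 { if ($0 != "2") bad = 1; next }     # version line
    NR == 2 { if ($1 != "blacklist" && $1 != "whitelist") bad = 1; next }
    NF == 0 { next }                             # blank or comment-only line
    /^\[/ { next }                               # per-arch header, e.g. [all]
    {
      # A bare syscall name takes the list default action; otherwise the
      # action must be allow, kill, trap, or errno followed by a number.
      if ($1 !~ /^[a-z0-9_]+$/) bad = 1
      else if (NF > 1 && $2 == "errno" && $3 !~ /^[0-9]+$/) bad = 1
      else if (NF > 1 && $2 != "errno" && $2 != "allow" && $2 != "kill" && $2 != "trap") bad = 1
    }
    END { if (bad) exit 1; exit 0 }
  ' "$1"
}

# Emit the config line that attaches the policy to a container. The key
# is lxc.seccomp.profile on LXC 2.1 and later; LXC 2.0 used lxc.seccomp.
config_line() {
  printf 'lxc.seccomp.profile = %s\n' "$1"
}

# Hypothetical driver: write, lint, and print the config line.
main() {
  policy="${1:-/var/lib/lxc/mycontainer/keyctl.seccomp}"
  write_keyctl_policy "$policy"
  lint_policy "$policy" || { echo "malformed policy: $policy" >&2; exit 1; }
  config_line "$policy"
}

# Run only when invoked with a path, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Usage: `sh lxc-keyctl-seccomp.sh /var/lib/lxc/mycontainer/keyctl.seccomp`, then append the printed line to that container's config. If a service still fails after keyctl is blocked, strace it for add_key or request_key before adding rules for those as well.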
On 01/04/2018 04:02 AM, Pavol Cupka wrote:
could be cgroups v2 related.
On Tue, Jan 2, 2018 at 7:49 AM <lxc@brak.space> wrote:
Hello,
I'm having trouble running buster containers on debian Buster/Sid. I'm
using the download template with unprivileged containers and plain lxc
no lxd. The container is created no problem, however, it seems the
created container does not have a systemd, and hence basically nothing
works.
What could be causing this? Jessie containers work just fine for me.
Thanks,
Paul
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users