* [pve-devel] [PATCH v3 pve-container 0/2] warn that nesting may be required
@ 2025-10-28 10:35 Robert Obkircher
  2025-10-28 10:35 ` [pve-devel] [PATCH v3 pve-container 1/2] fix 6897: warn that nesting may be required for systemd Robert Obkircher
  2025-10-28 10:35 ` [pve-devel] [PATCH v3 pve-container 2/2] Propagate prestart-hook warnings to task-log Robert Obkircher
  0 siblings, 2 replies; 4+ messages in thread
From: Robert Obkircher @ 2025-10-28 10:35 UTC (permalink / raw)
  To: pve-devel

This patch adds a task-log warning on CT start if systemd is detected.

Changes since v2:
- read $@ before new eval to preserve error
- remove trailing whitespace

Changes since v1:
- increase minimum systemd version to something more reasonable
- introduce helper callback to log warnings
    - replace RESTEnvironment::log_warn in setup plugins
- syntactic changes:
    - renamed get_may_require_nesting_warning to check_systemd_nesting
    - use trailing if for return statements
    - call code from pre_start_hook as suggested


Robert Obkircher (2):
  fix 6897: warn that nesting may be required for systemd
  Propagate prestart-hook warnings to task-log.

 src/PVE/LXC.pm              |  6 ++++--
 src/PVE/LXC/Setup.pm        | 14 +++++++++++---
 src/PVE/LXC/Setup/Base.pm   | 21 ++++++++++++++++++++-
 src/PVE/LXC/Setup/Debian.pm |  5 ++---
 src/PVE/LXC/Setup/Plugin.pm |  2 +-
 src/PVE/LXC/Setup/Ubuntu.pm |  5 ++---
 src/lxc-pve-prestart-hook   | 24 +++++++++++-------------
 7 files changed, 51 insertions(+), 26 deletions(-)

-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] [PATCH v3 pve-container 1/2] fix 6897: warn that nesting may be required for systemd
  2025-10-28 10:35 [pve-devel] [PATCH v3 pve-container 0/2] warn that nesting may be required Robert Obkircher
@ 2025-10-28 10:35 ` Robert Obkircher
  2025-11-04 12:12   ` Fabian Grünbichler
  2025-10-28 10:35 ` [pve-devel] [PATCH v3 pve-container 2/2] Propagate prestart-hook warnings to task-log Robert Obkircher
  1 sibling, 1 reply; 4+ messages in thread
From: Robert Obkircher @ 2025-10-28 10:35 UTC (permalink / raw)
  To: pve-devel

Recent versions of systemd require nesting to isolate services. If
nesting is disabled Debian 11 and 12 containers hang for 25 seconds
after login and Debian 13 just shows an empty console. To make this
less confusing for users, add a task-log warning on CT start if a
systemd version >241 (used by Debian 10) is detected.

Also introduce a callback to log warnings to a file when the
RESTEnvironment is not available and ensure that it is printed if
vm_start fails.

Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
---
 src/PVE/LXC.pm            |  6 ++++--
 src/PVE/LXC/Setup.pm      | 12 ++++++++++--
 src/PVE/LXC/Setup/Base.pm | 19 +++++++++++++++++++
 src/lxc-pve-prestart-hook |  3 ++-
 4 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index a445a85..d2375c4 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -2975,10 +2975,12 @@ sub vm_start {
 
         # if debug is requested, print the log it also when the start succeeded
         print_ct_stderr_log($vmid) if $is_debug;
-
+    };
+    my $err = $@;
+    eval {
         print_ct_warn_log($vmid); # always print warn log, if any
     };
-    if (my $err = $@) {
+    if ($err) {
         unlink $skiplock_flag_fn;
         die $err;
     }
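Review bot: the second eval in vm_start, the one wrapping
print_ct_warn_log($vmid), drops its own failure: $@ is saved into $err
before that eval and never inspected after it, so an error while reading
or printing the warning log disappears without a trace. Consider
"warn $@ if $@;" directly after that eval's closing brace, so the task
log at least shows that the warnings could not be printed, while
"die $err" still reports the original start error.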
diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 87330c4..da2df5d 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -6,6 +6,7 @@ use warnings;
 use POSIX;
 use Cwd 'abs_path';
 
+use PVE::RESTEnvironment;
 use PVE::Tools;
 
 use PVE::LXC::Setup::Alpine;
@@ -97,11 +98,13 @@ my $autodetect_type = sub {
 };
 
 sub new {
-    my ($class, $conf, $rootdir, $type) = @_;
+    my ($class, $conf, $rootdir, $type, $log_warn) = @_;
 
     die "no root directory\n" if !$rootdir || $rootdir eq '/';
 
-    my $self = bless { conf => $conf, rootdir => $rootdir }, $class;
+    $log_warn ||= sub { PVE::RESTEnvironment::log_warn(@_); };
+
+    my $self = bless { conf => $conf, rootdir => $rootdir, log_warn => $log_warn }, $class;
 
     my $os_release = $self->get_ct_os_release();
 
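Review bot: in Setup::new, $log_warn is added as a further positional
argument after the optional $type and is stored without validation, so
any true value that is not a code reference is accepted here and only
fails later at $self->{log_warn}->(...). A check before the ||= default,
for example dying unless ref($log_warn) eq 'CODE' when the argument is
defined, would fail early, and a short comment on the parameter would
tell callers why they have to pass undef for $type to reach it.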
@@ -297,6 +300,11 @@ sub pre_start_hook {
     my ($self) = @_;
 
     $self->protected_call(sub { $self->{plugin}->pre_start_hook($self->{conf}) });
+
+    my $init = $self->get_ct_init_path();
+    # not a protected_call because it calls objdump
+    my $warning = $self->{plugin}->check_systemd_nesting($self->{conf}, $init);
+    $self->{log_warn}->($warning) if $warning;
 }
 
 sub post_clone_hook {
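Review bot: the block added to pre_start_hook runs outside protected_call
and outside any eval, so if get_ct_init_path or check_systemd_nesting
dies, a check that exists only to emit a hint aborts the container start.
Wrapping the two calls in an eval and reporting a failure through
$self->{log_warn} would keep it advisory. The comment "not a
protected_call because it calls objdump" should also spell out the
consequence: going by the names, a host-side tool is run on the init
binary from the container's root filesystem, so the comment should say
what keeps that safe.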
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index a2c88ed..671e8c8 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -647,6 +647,25 @@ sub get_ct_init_path {
     return $init_path;
 }
 
+sub check_systemd_nesting {
+    my ($self, $conf, $init) = @_;
+
+    my $features = PVE::LXC::Config->parse_features($conf->{features});
+    return if $features->{nesting};
+
+    return if (!defined($init) || $init !~ m@/systemd$@);
+
+    my $sdver = $self->get_systemd_version($init);
+
+    # 241 is the systemd version used by Debian 10. It was chosen based
+    # on a forum post that suggested enabling nesting for the upgrade
+    # from PMG 6.x to 7 and after a quick test where a Debian 11 container
+    # hung 25 seconds after login.
+    return if (!defined($sdver) || $sdver <= 241);
+
+    return "Systemd $sdver detected. You may need to enable nesting.";
+}
+
 sub ssh_host_key_types_to_generate {
     my ($self) = @_;
 
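Review bot: check_systemd_nesting has no comment describing its return
contract (nothing when no warning applies, a message string otherwise),
and the threshold 241 is a bare literal in the comparison; a one-line
comment above the sub and a named constant would help. The rationale
comment cites "a forum post" without a link, and the message "You may
need to enable nesting." does not say what goes wrong, although the
commit message does (login hangs, empty console). A few words of that in
the warning would make it actionable.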
diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
index 73125e1..0e69630 100755
--- a/src/lxc-pve-prestart-hook
+++ b/src/lxc-pve-prestart-hook
@@ -155,7 +155,8 @@ PVE::LXC::Tools::lxc_hook(
 
         PVE::LXC::Config->foreach_passthrough_device($conf, $setup_passthrough_device);
 
-        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
+        my $warn_sub = sub { log_warn($vmid, @_); };
+        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $warn_sub);
         $lxc_setup->pre_start_hook();
 
         if (PVE::CGroup::cgroup_mode() == 2) {
-- 
2.47.3




* [pve-devel] [PATCH v3 pve-container 2/2] Propagate prestart-hook warnings to task-log.
  2025-10-28 10:35 [pve-devel] [PATCH v3 pve-container 0/2] warn that nesting may be required Robert Obkircher
  2025-10-28 10:35 ` [pve-devel] [PATCH v3 pve-container 1/2] fix 6897: warn that nesting may be required for systemd Robert Obkircher
@ 2025-10-28 10:35 ` Robert Obkircher
  1 sibling, 0 replies; 4+ messages in thread
From: Robert Obkircher @ 2025-10-28 10:35 UTC (permalink / raw)
  To: pve-devel

Replace RESTEnvironment::log_warn in the setup plugins with the
callback that writes them to a file during the prestart-hook. Also
improve the callback so it works inside the protected_call chroot.

Calls to "warn" are left unmodified for now.

Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
---
 src/PVE/LXC/Setup.pm        |  2 +-
 src/PVE/LXC/Setup/Base.pm   |  2 +-
 src/PVE/LXC/Setup/Debian.pm |  5 ++---
 src/PVE/LXC/Setup/Plugin.pm |  2 +-
 src/PVE/LXC/Setup/Ubuntu.pm |  5 ++---
 src/lxc-pve-prestart-hook   | 25 +++++++++++--------------
 6 files changed, 18 insertions(+), 23 deletions(-)

diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index da2df5d..500b63c 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -124,7 +124,7 @@ sub new {
 
     my $plugin_class = $plugins->{$type} || die "no such OS type '$type'\n";
 
-    my $plugin = $plugin_class->new($conf, $rootdir, $os_release);
+    my $plugin = $plugin_class->new($conf, $rootdir, $os_release, $log_warn);
     $self->{plugin} = $plugin;
     $self->{in_chroot} = 0;
 
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 671e8c8..829b685 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -24,7 +24,7 @@ use PVE::LXC::Tools;
 use base qw(PVE::LXC::Setup::Plugin);
 
 sub new {
-    my ($class, $conf, $rootdir, $os_release) = @_;
+    my ($class, $conf, $rootdir, $os_release, $log_warn) = @_;
 
     return bless { conf => $conf, rootdir => $rootdir, os_release => $os_release }, $class;
 }
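Review bot: Base::new now accepts $log_warn, but the unchanged bless line
below it still builds the object from conf, rootdir and os_release only,
so the callback is dropped and no method of a Base-derived plugin can
reach it later. Add "log_warn => $log_warn" to the hash, or leave the
parameter out here if only the Debian and Ubuntu constructors are meant
to use it.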
diff --git a/src/PVE/LXC/Setup/Debian.pm b/src/PVE/LXC/Setup/Debian.pm
index 030d934..dbb5050 100644
--- a/src/PVE/LXC/Setup/Debian.pm
+++ b/src/PVE/LXC/Setup/Debian.pm
@@ -6,7 +6,6 @@ use warnings;
 use PVE::Tools qw($IPV6RE);
 use PVE::LXC;
 use PVE::Network;
-use PVE::RESTEnvironment qw(log_warn);
 
 use File::Path;
 
@@ -20,7 +19,7 @@ use constant {
 };
 
 sub new {
-    my ($class, $conf, $rootdir) = @_;
+    my ($class, $conf, $rootdir, $os_release, $log_warn) = @_;
 
     my $version = PVE::Tools::file_read_firstline("$rootdir/etc/debian_version");
 
@@ -47,7 +46,7 @@ sub new {
     die "Container Debian version '$version' is too old\n" if $version < DEBIAN_MINIMUM_RELEASE;
 
     if ($version >= (DEBIAN_MAXIMUM_RELEASE + 1)) { # also allow all MAX.X point releases.
-        log_warn("The container's Debian version '$version' is newer than the tested version '"
+        $log_warn->("The container's Debian version '$version' is newer than the tested version '"
             . DEBIAN_MAXIMUM_RELEASE
             . "'. While everything may work fine, full compatibility cannot be guaranteed."
             . " Please check for PVE system updates.\n");
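Review bot: $log_warn->(...) in the Debian version check is called
without a guard, and unlike Setup::new this constructor gives $log_warn
no default, so any caller that builds the plugin without a callback dies
on an undefined code reference at the point where only a warning was
intended. Default it in the constructor the way Setup::new does, or call
it only if $log_warn is set.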
diff --git a/src/PVE/LXC/Setup/Plugin.pm b/src/PVE/LXC/Setup/Plugin.pm
index b9d9c2d..fbcfa8e 100644
--- a/src/PVE/LXC/Setup/Plugin.pm
+++ b/src/PVE/LXC/Setup/Plugin.pm
@@ -8,7 +8,7 @@ use warnings;
 use Carp;
 
 sub new {
-    my ($class, $conf, $rootdir, $os_release) = @_;
+    my ($class, $conf, $rootdir, $os_release, $log_warn) = @_;
     croak "implement me in sub-class\n";
 }
 
diff --git a/src/PVE/LXC/Setup/Ubuntu.pm b/src/PVE/LXC/Setup/Ubuntu.pm
index e364fa8..a213541 100644
--- a/src/PVE/LXC/Setup/Ubuntu.pm
+++ b/src/PVE/LXC/Setup/Ubuntu.pm
@@ -5,7 +5,6 @@ use warnings;
 
 use PVE::Tools;
 use PVE::LXC;
-use PVE::RESTEnvironment qw(log_warn);
 
 use File::Path;
 
@@ -43,7 +42,7 @@ my $known_versions = {
 };
 
 sub new {
-    my ($class, $conf, $rootdir) = @_;
+    my ($class, $conf, $rootdir, $os_release, $log_warn) = @_;
 
     my $lsb_fn = "$rootdir/etc/lsb-release";
     my $lsbinfo = PVE::Tools::file_get_contents($lsb_fn);
@@ -64,7 +63,7 @@ sub new {
         # cannot support 16.10 or older, their systemd is not cgroupv2 ready
         die "unsupported ancient Ubuntu version '$version'\n" if $major < 17;
 
-        log_warn("The container's Ubuntu version '$version' is not in the known version list."
+        $log_warn->("The container's Ubuntu version '$version' is not in the known version list."
             . " As it's newer than the minimum supported version it's likely to work OK, but full"
             . " compatibility cannot be guaranteed. Please check for PVE system updates.\n");
     } else {
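Review bot: the message passed to $log_warn->(...) still ends in "\n",
while the callback added to lxc-pve-prestart-hook in this patch prints
"$message\n", so each warning from this path leaves an empty line in the
warnings file. Drop the trailing newline from the message or chomp inside
the callback; the Debian message has the same trailing "\n".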
diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
index 0e69630..f5dd728 100755
--- a/src/lxc-pve-prestart-hook
+++ b/src/lxc-pve-prestart-hook
@@ -28,17 +28,6 @@ eval {
     $have_sdn = 1;
 };
 
-my $WARNFD;
-
-sub log_warn {
-    my ($vmid, $message) = @_;
-
-    if (!defined($WARNFD)) {
-        open($WARNFD, '>', "/run/pve/ct-${vmid}.warnings");
-    }
-    print $WARNFD "$message\n";
-}
-
 PVE::LXC::Tools::lxc_hook(
     'pre-start',
     'lxc',
@@ -53,6 +42,15 @@ PVE::LXC::Tools::lxc_hook(
 
         PVE::RESTEnvironment->setup_default_cli_env();
 
+        my $warn_file = "/run/pve/ct-${vmid}.warnings";
+        # open eagerly so logging works inside the protected_call chroot
+        open(my $warnfd, '>', $warn_file) or die "Failed to open $warn_file: $!";
+        my $log_warn = sub {
+            my ($message) = @_;
+            print $warnfd "$message\n";
+            $warnfd->flush; # required because protected_call calls POSIX::_exit
+        };
+
         return undef if !-f PVE::LXC::Config->config_file($vmid);
 
         my $conf = PVE::LXC::Config->load_config($vmid);
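Review bot: the warnings file is opened with '>' before the
"return undef if !-f PVE::LXC::Config->config_file($vmid);" check that
follows, so a hook run for a VMID without a config still creates or
truncates /run/pve/ct-${vmid}.warnings. Opening it right after that check
would still be early enough for the protected_call case named in the
comment. The die message also lacks a trailing "\n", unlike
"no root directory\n" in Setup.pm, and the return value of print is not
checked.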
@@ -155,13 +153,12 @@ PVE::LXC::Tools::lxc_hook(
 
         PVE::LXC::Config->foreach_passthrough_device($conf, $setup_passthrough_device);
 
-        my $warn_sub = sub { log_warn($vmid, @_); };
-        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $warn_sub);
+        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $log_warn);
         $lxc_setup->pre_start_hook();
 
         if (PVE::CGroup::cgroup_mode() == 2) {
             if (!$lxc_setup->unified_cgroupv2_support()) {
-                log_warn(
+                $log_warn->(
                     $vmid,
                     "old systemd (< v232) detected, container won't run in a pure cgroupv2"
                         . " environment! Please see documentation -> container -> cgroup version.",
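Review bot: the converted call in the cgroupv2 branch still passes $vmid
as its first argument, but the new closure unpacks only
"my ($message) = @_;", so the warnings file receives the VMID as the
message and the actual "old systemd (< v232) detected" text is discarded.
Remove the $vmid argument from this call.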
-- 
2.47.3




* Re: [pve-devel] [PATCH v3 pve-container 1/2] fix 6897: warn that nesting may be required for systemd
  2025-10-28 10:35 ` [pve-devel] [PATCH v3 pve-container 1/2] fix 6897: warn that nesting may be required for systemd Robert Obkircher
@ 2025-11-04 12:12   ` Fabian Grünbichler
  0 siblings, 0 replies; 4+ messages in thread
From: Fabian Grünbichler @ 2025-11-04 12:12 UTC (permalink / raw)
  To: Proxmox VE development discussion

patch organization comments below, other than that the mechanism seems
to work as expected and also fix the existing warnings that were only
logged correctly sometimes.

one more addition that might be nice would be to also call the check on
container creation, i.e. as part of the post_clone/post_create hooks?

On October 28, 2025 11:35 am, Robert Obkircher wrote:
> Recent versions of systemd require nesting to isolate services. If
> nesting is disabled Debian 11 and 12 containers hang for 25 seconds
> after login and Debian 13 just shows an empty console. To make this
> less confusing for users, add a task-log warning on CT start if a
> systemd version >241 (used by Debian 10) is detected.
> 
> Also introduce a callback to log warnings to a file when the
> RESTEnvironment is not available and ensure that it is printed if
> vm_start fails.
> 
> Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
> ---
>  src/PVE/LXC.pm            |  6 ++++--
>  src/PVE/LXC/Setup.pm      | 12 ++++++++++--
>  src/PVE/LXC/Setup/Base.pm | 19 +++++++++++++++++++
>  src/lxc-pve-prestart-hook |  3 ++-
>  4 files changed, 35 insertions(+), 5 deletions(-)
> 
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index a445a85..d2375c4 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -2975,10 +2975,12 @@ sub vm_start {
>  
>          # if debug is requested, print the log it also when the start succeeded
>          print_ct_stderr_log($vmid) if $is_debug;
> -
> +    };
> +    my $err = $@;
> +    eval {
>          print_ct_warn_log($vmid); # always print warn log, if any
>      };
> -    if (my $err = $@) {
> +    if ($err) {
>          unlink $skiplock_flag_fn;
>          die $err;
>      }
> diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
> index 87330c4..da2df5d 100644
> --- a/src/PVE/LXC/Setup.pm
> +++ b/src/PVE/LXC/Setup.pm
> @@ -6,6 +6,7 @@ use warnings;
>  use POSIX;
>  use Cwd 'abs_path';
>  
> +use PVE::RESTEnvironment;
>  use PVE::Tools;
>  
>  use PVE::LXC::Setup::Alpine;
> @@ -97,11 +98,13 @@ my $autodetect_type = sub {
>  };
>  
>  sub new {
> -    my ($class, $conf, $rootdir, $type) = @_;
> +    my ($class, $conf, $rootdir, $type, $log_warn) = @_;
>  
>      die "no root directory\n" if !$rootdir || $rootdir eq '/';
>  
> -    my $self = bless { conf => $conf, rootdir => $rootdir }, $class;
> +    $log_warn ||= sub { PVE::RESTEnvironment::log_warn(@_); };
> +
> +    my $self = bless { conf => $conf, rootdir => $rootdir, log_warn => $log_warn }, $class;
>  
>      my $os_release = $self->get_ct_os_release();
>  
> @@ -297,6 +300,11 @@ sub pre_start_hook {
>      my ($self) = @_;
>  
>      $self->protected_call(sub { $self->{plugin}->pre_start_hook($self->{conf}) });
> +
> +    my $init = $self->get_ct_init_path();
> +    # not a protected_call because it calls objdump
> +    my $warning = $self->{plugin}->check_systemd_nesting($self->{conf}, $init);
> +    $self->{log_warn}->($warning) if $warning;

this part here

>  }
>  
>  sub post_clone_hook {
> diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> index a2c88ed..671e8c8 100644
> --- a/src/PVE/LXC/Setup/Base.pm
> +++ b/src/PVE/LXC/Setup/Base.pm
> @@ -647,6 +647,25 @@ sub get_ct_init_path {
>      return $init_path;
>  }
>  
> +sub check_systemd_nesting {
> +    my ($self, $conf, $init) = @_;
> +
> +    my $features = PVE::LXC::Config->parse_features($conf->{features});
> +    return if $features->{nesting};
> +
> +    return if (!defined($init) || $init !~ m@/systemd$@);
> +
> +    my $sdver = $self->get_systemd_version($init);
> +
> +    # 241 is the systemd version used by Debian 10. It was chosen based
> +    # on a forum post that suggested enabling nesting for the upgrade
> +    # from PMG 6.x to 7 and after a quick test where a Debian 11 container
> +    # hung 25 seconds after login.
> +    return if (!defined($sdver) || $sdver <= 241);
> +
> +    return "Systemd $sdver detected. You may need to enable nesting.";
> +}

and this part here should be a separate patch, and the rest of this
patch could be combined with the first patch:

patch 1: introduce new log_warn functionality and migrate warnings
patch 2: add nesting check that uses it

or, if you want to split it further:

patch 1: introduce new log_warn functionality
patch 2: switch existing warnings over to use it
patch 3: improve warning handling in container start, in case startup
fails (first hunk of this patch)
patch 4: add nesting check

> +
>  sub ssh_host_key_types_to_generate {
>      my ($self) = @_;
>  
> diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
> index 73125e1..0e69630 100755
> --- a/src/lxc-pve-prestart-hook
> +++ b/src/lxc-pve-prestart-hook
> @@ -155,7 +155,8 @@ PVE::LXC::Tools::lxc_hook(
>  
>          PVE::LXC::Config->foreach_passthrough_device($conf, $setup_passthrough_device);
>  
> -        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
> +        my $warn_sub = sub { log_warn($vmid, @_); };
> +        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $warn_sub);
>          $lxc_setup->pre_start_hook();
>  
>          if (PVE::CGroup::cgroup_mode() == 2) {
> -- 
> 2.47.3

