* [pve-devel] [PATCH v2 pve-container 1/2] fix 6897: warn that nesting may be required for systemd
From: Robert Obkircher @ 2025-10-27 14:16 UTC (permalink / raw)
To: pve-devel
Recent versions of systemd require nesting to isolate services. If
nesting is disabled, Debian 11 and 12 containers hang for 25 seconds
after login and Debian 13 just shows an empty console. To make this
less confusing for users, add a task-log warning on CT start if a
systemd version >241 (used by Debian 10) is detected.
Also introduce a callback to log warnings to a file when the
RESTEnvironment is not available and ensure that the warning log is
printed if vm_start fails.
Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
---
src/PVE/LXC.pm | 3 ++-
src/PVE/LXC/Setup.pm | 12 ++++++++++--
src/PVE/LXC/Setup/Base.pm | 19 +++++++++++++++++++
src/lxc-pve-prestart-hook | 3 ++-
4 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index a445a85..e835e53 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -2975,7 +2975,8 @@ sub vm_start {
# if debug is requested, print the log it also when the start succeeded
print_ct_stderr_log($vmid) if $is_debug;
-
+ };
+ eval {
print_ct_warn_log($vmid); # always print warn log, if any
};
if (my $err = $@) {
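Review bot: The `if (my $err = $@)` that follows now tests the result of the new second eval rather than the one wrapping the start, because a successful `eval { print_ct_warn_log($vmid); }` resets `$@` to the empty string. As written, a failed start would skip the error branch whenever the warn log prints cleanly. Save the first result before the second eval, e.g. `my $err = $@;` directly after the first `};`, then `eval { print_ct_warn_log($vmid); }; warn $@ if $@;` and test `if ($err)`. The first eval opens above this hunk and the error branch continues below it, so this should be confirmed against the full body of vm_start.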
diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 87330c4..da2df5d 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -6,6 +6,7 @@ use warnings;
use POSIX;
use Cwd 'abs_path';
+use PVE::RESTEnvironment;
use PVE::Tools;
use PVE::LXC::Setup::Alpine;
@@ -97,11 +98,13 @@ my $autodetect_type = sub {
};
sub new {
- my ($class, $conf, $rootdir, $type) = @_;
+ my ($class, $conf, $rootdir, $type, $log_warn) = @_;
die "no root directory\n" if !$rootdir || $rootdir eq '/';
- my $self = bless { conf => $conf, rootdir => $rootdir }, $class;
+ $log_warn ||= sub { PVE::RESTEnvironment::log_warn(@_); };
+
+ my $self = bless { conf => $conf, rootdir => $rootdir, log_warn => $log_warn }, $class;
my $os_release = $self->get_ct_os_release();
@@ -297,6 +300,11 @@ sub pre_start_hook {
my ($self) = @_;
$self->protected_call(sub { $self->{plugin}->pre_start_hook($self->{conf}) });
+
+ my $init = $self->get_ct_init_path();
+ # not a protected_call because it calls objdump
+ my $warning = $self->{plugin}->check_systemd_nesting($self->{conf}, $init);
+ $self->{log_warn}->($warning) if $warning;
}
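Review bot: `check_systemd_nesting` is deliberately run outside `protected_call`, and per the comment it ends up invoking objdump, so a host-side tool in the privileged pre-start hook parses a binary that comes from the container's root filesystem and is therefore guest-controlled. The comment should say why the call cannot run inside the chroot and how `$init` is resolved relative to the rootdir, since `get_ct_init_path` and `get_systemd_version` are not visible in this hunk. The check is also purely advisory, yet any `die` raised inside it would abort the container start. Wrapping it keeps a parsing failure from becoming fatal: `my $warning = eval { $self->{plugin}->check_systemd_nesting($self->{conf}, $init) };` followed by `warn $@ if $@;`.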
sub post_clone_hook {
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index a2c88ed..671e8c8 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -647,6 +647,25 @@ sub get_ct_init_path {
return $init_path;
}
+sub check_systemd_nesting {
+ my ($self, $conf, $init) = @_;
+
+ my $features = PVE::LXC::Config->parse_features($conf->{features});
+ return if $features->{nesting};
+
+ return if (!defined($init) || $init !~ m@/systemd$@);
+
+ my $sdver = $self->get_systemd_version($init);
+
+ # 241 is the systemd version used by Debian 10. It was chosen based
+ # on a forum post that suggested enabling nesting for the upgrade
+ # from PMG 6.x to 7 and after a quick test where a Debian 11 container
+ # hung 25 seconds after login.
+ return if (!defined($sdver) || $sdver <= 241);
+
+ return "Systemd $sdver detected. You may need to enable nesting.";
+}
+
sub ssh_host_key_types_to_generate {
my ($self) = @_;
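Review bot: The returned hint recommends nesting without checking whether the container is privileged; `check_systemd_nesting` reads only `$conf->{features}`. As far as I know, the nesting feature is documented as exposing host procfs and sysfs contents to the guest and as best suited to unprivileged containers, so the message deserves a qualifier when `$conf->{unprivileged}` is not set, for example `"Systemd $sdver detected. You may need to enable nesting (check the security implications for privileged containers)."`. The sub would also benefit from a short comment stating that it returns a warning string, or nothing when no warning applies. Separately, `m@/systemd$@` also accepts a trailing newline; `\z` would anchor the match strictly.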
diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
index 73125e1..0e69630 100755
--- a/src/lxc-pve-prestart-hook
+++ b/src/lxc-pve-prestart-hook
@@ -155,7 +155,8 @@ PVE::LXC::Tools::lxc_hook(
PVE::LXC::Config->foreach_passthrough_device($conf, $setup_passthrough_device);
- my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
+ my $warn_sub = sub { log_warn($vmid, @_); };
+ my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $warn_sub);
$lxc_setup->pre_start_hook();
if (PVE::CGroup::cgroup_mode() == 2) {
--
2.47.3
^ permalink raw reply [flat|nested] 3+ messages in thread* [pve-devel] [PATCH v2 pve-container 2/2] Propagate prestart-hook warnings to task-log.
From: Robert Obkircher @ 2025-10-27 14:16 UTC (permalink / raw)
To: pve-devel
Replace RESTEnvironment::log_warn in the setup plugins with the
callback that writes warnings to a file during the prestart-hook. Also
improve the callback so it works inside the protected_call chroot.
Calls to "warn" are left unmodified for now.
Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
---
src/PVE/LXC/Setup.pm | 2 +-
src/PVE/LXC/Setup/Base.pm | 2 +-
src/PVE/LXC/Setup/Debian.pm | 5 ++---
src/PVE/LXC/Setup/Plugin.pm | 2 +-
src/PVE/LXC/Setup/Ubuntu.pm | 5 ++---
src/lxc-pve-prestart-hook | 25 +++++++++++--------------
6 files changed, 18 insertions(+), 23 deletions(-)
diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index da2df5d..500b63c 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -124,7 +124,7 @@ sub new {
my $plugin_class = $plugins->{$type} || die "no such OS type '$type'\n";
- my $plugin = $plugin_class->new($conf, $rootdir, $os_release);
+ my $plugin = $plugin_class->new($conf, $rootdir, $os_release, $log_warn);
$self->{plugin} = $plugin;
$self->{in_chroot} = 0;
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 671e8c8..829b685 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -24,7 +24,7 @@ use PVE::LXC::Tools;
use base qw(PVE::LXC::Setup::Plugin);
sub new {
- my ($class, $conf, $rootdir, $os_release) = @_;
+ my ($class, $conf, $rootdir, $os_release, $log_warn) = @_;
return bless { conf => $conf, rootdir => $rootdir, os_release => $os_release }, $class;
}
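Review bot: `$log_warn` is accepted by this constructor but never stored: the `bless` on the next line still builds the object from `conf`, `rootdir` and `os_release` only. Plugins that inherit this `new` therefore cannot reach the callback from their methods, and any warning they emit later would presumably go through some other path than the warnings file. Either store it, `return bless { conf => $conf, rootdir => $rootdir, os_release => $os_release, log_warn => $log_warn }, $class;`, or add a comment saying the parameter is intentionally unused here.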
diff --git a/src/PVE/LXC/Setup/Debian.pm b/src/PVE/LXC/Setup/Debian.pm
index 030d934..dbb5050 100644
--- a/src/PVE/LXC/Setup/Debian.pm
+++ b/src/PVE/LXC/Setup/Debian.pm
@@ -6,7 +6,6 @@ use warnings;
use PVE::Tools qw($IPV6RE);
use PVE::LXC;
use PVE::Network;
-use PVE::RESTEnvironment qw(log_warn);
use File::Path;
@@ -20,7 +19,7 @@ use constant {
};
sub new {
- my ($class, $conf, $rootdir) = @_;
+ my ($class, $conf, $rootdir, $os_release, $log_warn) = @_;
my $version = PVE::Tools::file_read_firstline("$rootdir/etc/debian_version");
@@ -47,7 +46,7 @@ sub new {
die "Container Debian version '$version' is too old\n" if $version < DEBIAN_MINIMUM_RELEASE;
if ($version >= (DEBIAN_MAXIMUM_RELEASE + 1)) { # also allow all MAX.X point releases.
- log_warn("The container's Debian version '$version' is newer than the tested version '"
+ $log_warn->("The container's Debian version '$version' is newer than the tested version '"
. DEBIAN_MAXIMUM_RELEASE
. "'. While everything may work fine, full compatibility cannot be guaranteed."
. " Please check for PVE system updates.\n");
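Review bot: The message passed to `$log_warn->(...)` still ends in `\n`, while the callback this patch adds in src/lxc-pve-prestart-hook prints `"$message\n"`, so the warning is written to the warnings file followed by an empty line. The Ubuntu.pm hunk `@@ -64,7 +63,7 @@` has the same trailing `\n`. Either drop the `\n` from both messages or have the callback `chomp` its argument before printing. In addition, `$log_warn` has no default in these plugin constructors. Whether a plugin is ever constructed without going through `PVE::LXC::Setup::new` is not visible in this diff, but if it is, the call dies on an undefined code reference instead of warning.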
diff --git a/src/PVE/LXC/Setup/Plugin.pm b/src/PVE/LXC/Setup/Plugin.pm
index b9d9c2d..fbcfa8e 100644
--- a/src/PVE/LXC/Setup/Plugin.pm
+++ b/src/PVE/LXC/Setup/Plugin.pm
@@ -8,7 +8,7 @@ use warnings;
use Carp;
sub new {
- my ($class, $conf, $rootdir, $os_release) = @_;
+ my ($class, $conf, $rootdir, $os_release, $log_warn) = @_;
croak "implement me in sub-class\n";
}
diff --git a/src/PVE/LXC/Setup/Ubuntu.pm b/src/PVE/LXC/Setup/Ubuntu.pm
index e364fa8..a213541 100644
--- a/src/PVE/LXC/Setup/Ubuntu.pm
+++ b/src/PVE/LXC/Setup/Ubuntu.pm
@@ -5,7 +5,6 @@ use warnings;
use PVE::Tools;
use PVE::LXC;
-use PVE::RESTEnvironment qw(log_warn);
use File::Path;
@@ -43,7 +42,7 @@ my $known_versions = {
};
sub new {
- my ($class, $conf, $rootdir) = @_;
+ my ($class, $conf, $rootdir, $os_release, $log_warn) = @_;
my $lsb_fn = "$rootdir/etc/lsb-release";
my $lsbinfo = PVE::Tools::file_get_contents($lsb_fn);
@@ -64,7 +63,7 @@ sub new {
# cannot support 16.10 or older, their systemd is not cgroupv2 ready
die "unsupported ancient Ubuntu version '$version'\n" if $major < 17;
- log_warn("The container's Ubuntu version '$version' is not in the known version list."
+ $log_warn->("The container's Ubuntu version '$version' is not in the known version list."
. " As it's newer than the minimum supported version it's likely to work OK, but full"
. " compatibility cannot be guaranteed. Please check for PVE system updates.\n");
} else {
diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
index 0e69630..6520a1c 100755
--- a/src/lxc-pve-prestart-hook
+++ b/src/lxc-pve-prestart-hook
@@ -28,17 +28,6 @@ eval {
$have_sdn = 1;
};
-my $WARNFD;
-
-sub log_warn {
- my ($vmid, $message) = @_;
-
- if (!defined($WARNFD)) {
- open($WARNFD, '>', "/run/pve/ct-${vmid}.warnings");
- }
- print $WARNFD "$message\n";
-}
-
PVE::LXC::Tools::lxc_hook(
'pre-start',
'lxc',
@@ -53,6 +42,15 @@ PVE::LXC::Tools::lxc_hook(
PVE::RESTEnvironment->setup_default_cli_env();
+ my $warn_file = "/run/pve/ct-${vmid}.warnings";
+ # open eagerly so logging works inside the protected_call chroot
+ open(my $warnfd, '>', $warn_file) or die "Failed to open $warn_file: $!";
+ my $log_warn = sub {
+ my ($message) = @_;
+ print $warnfd "$message\n";
+ $warnfd->flush; # required because protected_call calls POSIX::_exit
+ };
+
return undef if !-f PVE::LXC::Config->config_file($vmid);
my $conf = PVE::LXC::Config->load_config($vmid);
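Review bot: The warnings file is opened with `'>'` before the `return undef if !-f PVE::LXC::Config->config_file($vmid);` check, so the hook creates or truncates `/run/pve/ct-${vmid}.warnings` even for an ID that has no config. The added `or die` also turns a failure of this advisory log into a failed container start. Consider moving the open below the config check, which is still ahead of any `protected_call`, and downgrading the failure to a `warn`, with the callback falling back to STDERR when no handle is available. The return value of `print` is not checked either, so a full or read-only /run would lose warnings silently. The hook body begins and ends outside this hunk.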
@@ -155,13 +153,12 @@ PVE::LXC::Tools::lxc_hook(
PVE::LXC::Config->foreach_passthrough_device($conf, $setup_passthrough_device);
- my $warn_sub = sub { log_warn($vmid, @_); };
- my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $warn_sub);
+ my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $log_warn);
$lxc_setup->pre_start_hook();
if (PVE::CGroup::cgroup_mode() == 2) {
if (!$lxc_setup->unified_cgroupv2_support()) {
- log_warn(
+ $log_warn->(
$vmid,
"old systemd (< v232) detected, container won't run in a pure cgroupv2"
. " environment! Please see documentation -> container -> cgroup version.",
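Review bot: This call still passes `$vmid` as its first argument, but the callback introduced earlier in this patch unpacks only `my ($message) = @_;`, so the warnings file receives the container ID and the cgroupv2 text is discarded. Remove the `$vmid,` line so that the string is the only argument: `$log_warn->("old systemd (< v232) detected, container won't run in a pure cgroupv2" . " environment! Please see documentation -> container -> cgroup version.");`. The closing lines of the call are outside the hunk.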
--
2.47.3