From: Robert Obkircher <r.obkircher@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v2 pve-container 1/2] fix 6897: warn that nesting may be required for systemd
Date: Mon, 27 Oct 2025 15:16:54 +0100	[thread overview]
Message-ID: <20251027141752.191696-2-r.obkircher@proxmox.com> (raw)
In-Reply-To: <20251027141752.191696-1-r.obkircher@proxmox.com>

Recent versions of systemd require nesting to isolate services. If
nesting is disabled, Debian 11 and 12 containers hang for 25 seconds
after login and Debian 13 just shows an empty console. To make this
less confusing for users, add a task-log warning on CT start if a
systemd version >241 (241 being the version used by Debian 10) is
detected.

Also introduce a callback to log warnings to a file when the
RESTEnvironment is not available and ensure that it is printed if
vm_start fails.

Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
---
 src/PVE/LXC.pm            |  3 ++-
 src/PVE/LXC/Setup.pm      | 12 ++++++++++--
 src/PVE/LXC/Setup/Base.pm | 19 +++++++++++++++++++
 src/lxc-pve-prestart-hook |  3 ++-
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index a445a85..e835e53 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -2975,7 +2975,8 @@ sub vm_start {
 
         # if debug is requested, print the log it also when the start succeeded
         print_ct_stderr_log($vmid) if $is_debug;
-
+    };
+    eval {
         print_ct_warn_log($vmid); # always print warn log, if any
     };
     if (my $err = $@) {
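Review bot: Splitting the block in two means `if (my $err = $@)` on the last line now sees only the outcome of the second `eval`, because an `eval` that completes without dying resets `$@` to the empty string. If the lines above the hunk open an `eval {` (they are not visible, but the added `};` suggests it), a start failure is discarded whenever `print_ct_warn_log` succeeds, so the error branch never runs and the failed start is not reported. Save the first error before running the second block: `my $err = $@;`, then `eval { print_ct_warn_log($vmid); };`, then `if ($err) {`. A failure inside `print_ct_warn_log` itself can be surfaced separately with `warn $@ if $@;` so that it cannot mask the start error.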
diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 87330c4..da2df5d 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -6,6 +6,7 @@ use warnings;
 use POSIX;
 use Cwd 'abs_path';
 
+use PVE::RESTEnvironment;
 use PVE::Tools;
 
 use PVE::LXC::Setup::Alpine;
@@ -97,11 +98,13 @@ my $autodetect_type = sub {
 };
 
 sub new {
-    my ($class, $conf, $rootdir, $type) = @_;
+    my ($class, $conf, $rootdir, $type, $log_warn) = @_;
 
     die "no root directory\n" if !$rootdir || $rootdir eq '/';
 
-    my $self = bless { conf => $conf, rootdir => $rootdir }, $class;
+    $log_warn ||= sub { PVE::RESTEnvironment::log_warn(@_); };
+
+    my $self = bless { conf => $conf, rootdir => $rootdir, log_warn => $log_warn }, $class;
 
     my $os_release = $self->get_ct_os_release();
 
@@ -297,6 +300,11 @@ sub pre_start_hook {
     my ($self) = @_;
 
     $self->protected_call(sub { $self->{plugin}->pre_start_hook($self->{conf}) });
+
+    my $init = $self->get_ct_init_path();
+    # not a protected_call because it calls objdump
+    my $warning = $self->{plugin}->check_systemd_nesting($self->{conf}, $init);
+    $self->{log_warn}->($warning) if $warning;
 }
 
 sub post_clone_hook {
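Review bot: The added call to `check_systemd_nesting` is not wrapped in `eval`, so if the objdump-based version lookup dies (that helper is outside this diff) a purely advisory check would abort `pre_start_hook` and with it the container start. Suggested change: `my $warning = eval { $self->{plugin}->check_systemd_nesting($self->{conf}, $init) };` followed by `$self->{log_warn}->("systemd nesting check failed: $@") if $@;`. The comment says the lookup deliberately runs outside `protected_call`; if `protected_call` is what confines the other hook work to the container root, then this is a host-side process parsing a binary supplied by the container, and the comment should say that the file is untrusted input and how the path is resolved under `rootdir`. The `sub pre_start_hook {` line sits above the hunk.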
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index a2c88ed..671e8c8 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -647,6 +647,25 @@ sub get_ct_init_path {
     return $init_path;
 }
 
+sub check_systemd_nesting {
+    my ($self, $conf, $init) = @_;
+
+    my $features = PVE::LXC::Config->parse_features($conf->{features});
+    return if $features->{nesting};
+
+    return if (!defined($init) || $init !~ m@/systemd$@);
+
+    my $sdver = $self->get_systemd_version($init);
+
+    # 241 is the systemd version used by Debian 10. It was chosen based
+    # on a forum post that suggested enabling nesting for the upgrade
+    # from PMG 6.x to 7 and after a quick test where a Debian 11 container
+    # hung 25 seconds after login.
+    return if (!defined($sdver) || $sdver <= 241);
+
+    return "Systemd $sdver detected. You may need to enable nesting.";
+}
+
 sub ssh_host_key_types_to_generate {
     my ($self) = @_;
 
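Review bot: `check_systemd_nesting` has no header comment, and both values it tests originate inside the container: `$init` is matched with `m@/systemd$@`, where `$` also accepts a trailing newline, and `$sdver` is compared with `<=` and interpolated into the task-log message without a format check. Anchor with `\z` and reject anything that is not a plain number before the comparison, e.g. `return if !defined($sdver) || $sdver !~ /\A\d+\z/ || $sdver <= 241;`. `get_systemd_version` is outside this diff, so it may already return digits only; a short comment stating that contract, and that the sub returns either nothing or a warning string, would settle it.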
diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
index 73125e1..0e69630 100755
--- a/src/lxc-pve-prestart-hook
+++ b/src/lxc-pve-prestart-hook
@@ -155,7 +155,8 @@ PVE::LXC::Tools::lxc_hook(
 
         PVE::LXC::Config->foreach_passthrough_device($conf, $setup_passthrough_device);
 
-        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
+        my $warn_sub = sub { log_warn($vmid, @_); };
+        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $warn_sub);
         $lxc_setup->pre_start_hook();
 
         if (PVE::CGroup::cgroup_mode() == 2) {
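Review bot: Nothing in the hunk shows where `log_warn` comes from or why the hook needs its own callback, and the bare `undef` passed for `$type` is easy to misread. A comment above the closure would help, for example `# no RESTEnvironment in the hook process: write warnings to the per-CT warn log, which vm_start prints`, worded to match whatever the script's `log_warn` actually does (its definition is outside the hunk). The same comment could state that `undef` presumably leaves the OS type to autodetection in `PVE::LXC::Setup->new`. The enclosing `lxc_hook` callback starts and ends outside the hunk.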
-- 
2.47.3


