From: Robert Obkircher <r.obkircher@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH v4 pve-container 3/5] fix #6897: warn that nesting may be required for systemd
Date: Thu, 13 Nov 2025 16:03:01 +0100 [thread overview]
Message-ID: <20251113150342.101933-4-r.obkircher@proxmox.com> (raw)
In-Reply-To: <20251113150342.101933-1-r.obkircher@proxmox.com>
Recent versions of systemd require nesting to isolate services. If
nesting is disabled Debian 11 and 12 containers hang for 25 seconds
after login and Debian 13 just shows an empty console. To make this
less confusing for users, add a task-log warning on CT start if a
systemd version >241 (used by Debian 10) is detected.
Signed-off-by: Robert Obkircher <r.obkircher@proxmox.com>
---
src/PVE/LXC/Setup.pm | 10 ++++++++++
src/PVE/LXC/Setup/Base.pm | 19 +++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 57b8df1..adb8d6c 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -296,10 +296,20 @@ sub rewrite_ssh_host_keys {
});
}
+sub check_systemd_nesting {
+ my ($self) = @_;
+
+ my $init = $self->get_ct_init_path();
+ # not a protected_call because it calls objdump
+ my $warning = $self->{plugin}->check_systemd_nesting($self->{conf}, $init);
+ $self->{log_warn}->($warning) if $warning;
+}
+
sub pre_start_hook {
my ($self) = @_;
$self->protected_call(sub { $self->{plugin}->pre_start_hook($self->{conf}) });
+ $self->check_systemd_nesting();
}
sub post_clone_hook {
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 2e1c84c..12e3097 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -648,6 +648,25 @@ sub get_ct_init_path {
return $init_path;
}
+sub check_systemd_nesting {
+ my ($self, $conf, $init) = @_;
+
+ my $features = PVE::LXC::Config->parse_features($conf->{features});
+ return if $features->{nesting};
+
+ return if (!defined($init) || $init !~ m@/systemd$@);
+
+ my $sdver = $self->get_systemd_version($init);
+
+ # 241 is the systemd version used by Debian 10. It was chosen based
+ # on a forum post that suggested enabling nesting for the upgrade
+ # from PMG 6.x to 7 and after a quick test where a Debian 11 container
+ # hung 25 seconds after login.
+ return if (!defined($sdver) || $sdver <= 241);
+
+ return "Systemd $sdver detected. You may need to enable nesting.";
+}
+
sub ssh_host_key_types_to_generate {
my ($self) = @_;
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-13 15:04 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-13 15:02 [pve-devel] [PATCH v4 pve-container 0/5] warn that nesting may be required Robert Obkircher
2025-11-13 15:02 ` [pve-devel] [PATCH v4 pve-container 1/5] Ensure that container startup warnings are displayed if startup fails Robert Obkircher
2025-11-13 16:14 ` Fiona Ebner
2025-11-13 15:03 ` [pve-devel] [PATCH v4 pve-container 2/5] Propagate prestart-hook warnings to task-log Robert Obkircher
2025-11-13 16:36 ` Fiona Ebner
2025-11-13 15:03 ` Robert Obkircher [this message]
2025-11-13 15:03 ` [pve-devel] [PATCH v4 pve-container 4/5] fix #6897: constrain and untaint path for systemd version detection Robert Obkircher
2025-11-13 15:03 ` [pve-devel] [PATCH v4 pve-container 4/5] fix #6897: constrain and untaint path when detecting systemd version Robert Obkircher
2025-11-13 15:03 ` [pve-devel] [PATCH v4 pve-container 5/5] fix #6897: also warn in the post_clone and post_create hooks Robert Obkircher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251113150342.101933-4-r.obkircher@proxmox.com \
--to=r.obkircher@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox