
Can't get networking w/ unprivileged container as user #4445

Open
xmready opened this issue May 15, 2024 · 1 comment
Labels
Incomplete Waiting on more information from reporter

Comments

@xmready

xmready commented May 15, 2024

System information

  • Distribution: Debian
  • Distribution version: Bookworm
  • The output of
    • $ lxc-start --version
      5.0.2
      
    • $ lxc-checkconfig 
      LXC version 5.0.2
      Kernel configuration not found at /proc/config.gz; searching...
      Kernel configuration found at /boot/config-6.1.0-20-amd64
      
      --- Namespaces ---
      Namespaces: enabled
      Utsname namespace: enabled
      Ipc namespace: enabled
      Pid namespace: enabled
      User namespace: enabled
      Network namespace: enabled
      
      --- Control groups ---
      Cgroups: enabled
      Cgroup namespace: enabled
      Cgroup v1 mount points: 
      Cgroup v2 mount points: 
      - /sys/fs/cgroup
      Cgroup device: enabled
      Cgroup sched: enabled
      Cgroup cpu account: enabled
      Cgroup memory controller: enabled
      Cgroup cpuset: enabled
      
      --- Misc ---
      Veth pair device: enabled, loaded
      Macvlan: enabled, not loaded
      Vlan: enabled, not loaded
      Bridges: enabled, loaded
      Advanced netfilter: enabled, loaded
      CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
      CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
      CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
      CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
      FUSE (for use with lxcfs): enabled, loaded
      
      --- Checkpoint/Restore ---
      checkpoint restore: enabled
      CONFIG_FHANDLE: enabled
      CONFIG_EVENTFD: enabled
      CONFIG_EPOLL: enabled
      CONFIG_UNIX_DIAG: enabled
      CONFIG_INET_DIAG: enabled
      CONFIG_PACKET_DIAG: enabled
      CONFIG_NETLINK_DIAG: enabled
      File capabilities: enabled
      
    • $ uname -a
      Linux 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64 GNU/Linux
      
    • $ cat /proc/self/cgroup
      0::/user.slice/user-1001.slice/session-7.scope
      
    • $ cat /proc/1/mounts
      sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
      proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
      udev /dev devtmpfs rw,nosuid,relatime,size=16356108k,nr_inodes=4089027,mode=755,inode64 0 0
      devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
      tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=3278296k,mode=755,inode64 0 0
      /dev/mapper/gaby--vg-root / ext4 rw,relatime,errors=remount-ro 0 0
      securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
      tmpfs /dev/shm tmpfs rw,nosuid,nodev,inode64 0 0
      tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k,inode64 0 0
      cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
      pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
      efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
      bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
      systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=17573 0 0
      mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
      hugetlbfs /dev/hugepages hugetlbfs rw,relatime,pagesize=2M 0 0
      debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime 0 0
      tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0
      fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
      configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
      ramfs /run/credentials/systemd-sysusers.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
      ramfs /run/credentials/systemd-tmpfiles-setup-dev.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
      /dev/sda2 /boot ext2 rw,relatime 0 0
      /dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
      ramfs /run/credentials/systemd-tmpfiles-setup.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
      binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
      ramfs /run/credentials/systemd-sysctl.service ramfs ro,nosuid,nodev,noexec,relatime,mode=700 0 0
      lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
      gdrive: /mnt/gdrive fuse.rclone rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
      vault: /mnt/vault fuse.rclone rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
      tmpfs /run/user/1000 tmpfs rw,nosuid,nodev,relatime,size=3278292k,nr_inodes=819573,mode=700,uid=1000,gid=1000,inode64 0 0
      gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
      portal /run/user/1000/doc fuse.portal rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
      tmpfs /run/user/1001 tmpfs rw,nosuid,nodev,relatime,size=3278292k,nr_inodes=819573,mode=700,uid=1001,gid=1001,inode64 0 0
      gvfsd-fuse /run/user/1001/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1001,group_id=1001 0 0
      

Issue description

Networking not working on unprivileged container as a user.

Steps to reproduce

  1. Follow the getting started guide, Debian preparations, and Debian non-root containers
  2. $ lxc-unpriv-start -n cs50-env --logfile=/tmp/cs50-env.txt

Information to attach

  • Log file output
    lxc-start cs50-env 20240515233001.965 ERROR    cgfsng - ../src/lxc/cgroups/cgfsng.c:__cgfsng_delegate_controllers:3341 - Device or resource busy - Could not enable "+cpu +memory +pids" controllers in the unified cgroup 11

  • Container configuration
    # Template used to create this container: /usr/share/lxc/templates/lxc-download
    # Parameters passed to the template:
    # For additional config options, please look at lxc.container.conf(5)

    # Uncomment the following line to support nesting containers:
    #lxc.include = /usr/share/lxc/config/nesting.conf
    # (Be aware this has security implications)


    # Distribution configuration
    lxc.include = /usr/share/lxc/config/common.conf
    lxc.include = /usr/share/lxc/config/userns.conf
    lxc.arch = linux64

    # Container specific configuration
    lxc.apparmor.profile = unconfined
    lxc.apparmor.allow_nesting = 1
    lxc.idmap = u 0 165536 65536
    lxc.idmap = g 0 165536 65536
    lxc.rootfs.path = dir:/home/lxc-user/.local/share/lxc/cs50-env/rootfs
    lxc.uts.name = cs50-env

    # Network configuration
    lxc.net.0.type = veth
    lxc.net.0.link = lxcbr0
    lxc.net.0.flags = up

  • cgroup.controllers file
    $ cat /sys/fs/cgroup/user.slice/user-1001.slice/cgroup.controllers
    cpu memory pids

  • lxc-usernet file
    $ cat /etc/lxc/lxc-usernet
    lxc-user veth lxcbr0 10

  • lxc-ls --fancy output
    $ lxc-ls --fancy
    NAME     STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
    cs50-env RUNNING 0         -      -    -    true
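Added example, not part of the issue and not LXC's own code: a small set of POSIX sh checks for the three pieces of host state the report lists, the /etc/lxc/lxc-usernet quota line, the controllers delegated to the user's cgroup slice, and the cgroup v2 rule that produces "Device or resource busy" when controllers are enabled in a cgroup that still has processes in it. Every input is a constructed string mirroring the values posted above (the busy-cgroup PIDs and the user name "other" are made up), and the function names are assumptions. The EBUSY check expresses the general kernel rule (cgroup.subtree_control of a cgroup cannot enable domain controllers while that cgroup's cgroup.procs is non-empty); it does not claim to be the cause on the reporter's host, for which the ip a / ip route output requested below is still needed.

```shell
#!/bin/sh
# Added diagnostic helpers for unprivileged LXC networking (example code,
# not part of LXC). Each function takes file *contents* as an argument so the
# checks run offline against constructed samples; on a real host pass e.g.
# "$(cat /etc/lxc/lxc-usernet)" or "$(cat /sys/fs/cgroup/.../cgroup.procs)".

# 1. lxc-usernet quota. Lines are "<user> <type> <bridge> <count>"; comments
#    and blank lines are ignored. Prints the summed quota for an exact user
#    match (the "@group" form that lxc-user-nic also accepts is not modelled,
#    since it needs a group-membership lookup).
usernet_quota() {
    # usage: usernet_quota USER TYPE BRIDGE CONTENTS
    _user=$1 _type=$2 _bridge=$3
    printf '%s\n' "$4" | awk -v u="$_user" -v t="$_type" -v b="$_bridge" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == u && $2 == t && $3 == b { q += $4 }
        END { print q + 0 }'
}

# Returns 0 if USER may create at least WANT interfaces of TYPE on BRIDGE.
usernet_allows() {
    # usage: usernet_allows USER TYPE BRIDGE WANT CONTENTS
    _q=$(usernet_quota "$1" "$2" "$3" "$5")
    [ "$_q" -ge "$4" ]
}

# 2. cgroup v2 controllers. Compares the controllers LXC tries to enable with
#    those delegated to the slice (cgroup.controllers). Prints the missing
#    ones; returns 0 when none are missing, 1 otherwise.
missing_controllers() {
    # usage: missing_controllers "REQUIRED..." "AVAILABLE..."
    _missing=""
    for c in $1; do
        case " $2 " in
            *" $c "*) ;;
            *) _missing="$_missing $c" ;;
        esac
    done
    _missing=${_missing# }
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# 3. "No internal process" rule of cgroup v2: writing "+cpu +memory +pids" to
#    a cgroup's cgroup.subtree_control fails with EBUSY while that cgroup
#    still has processes listed in cgroup.procs. Returns 0 when the cgroup is
#    empty (controllers can be enabled for its children), 1 otherwise.
cgroup_delegatable() {
    # usage: cgroup_delegatable "CONTENTS OF cgroup.procs"
    _pids=$(printf '%s\n' "$1" | awk '/^[0-9]+$/ { n++ } END { print n + 0 }')
    [ "$_pids" -eq 0 ]
}

# Constructed samples mirroring the values posted in the issue; the PIDs in
# SAMPLE_PROCS_BUSY are made up.
SAMPLE_USERNET='# /etc/lxc/lxc-usernet
lxc-user veth lxcbr0 10'
SAMPLE_CONTROLLERS='cpu memory pids'
SAMPLE_PROCS_BUSY='4242
4243'
SAMPLE_PROCS_EMPTY=''

# Demo run on the samples (no root and no real host state needed).
if usernet_allows lxc-user veth lxcbr0 1 "$SAMPLE_USERNET"; then
    echo "lxc-usernet: lxc-user may create veth on lxcbr0 (quota $(usernet_quota lxc-user veth lxcbr0 "$SAMPLE_USERNET"))"
else
    echo "lxc-usernet: no veth quota for lxc-user on lxcbr0"
fi
if m=$(missing_controllers 'cpu memory pids' "$SAMPLE_CONTROLLERS"); then
    echo "cgroup.controllers: all controllers LXC wants are delegated"
else
    echo "cgroup.controllers: missing: $m"
fi
if cgroup_delegatable "$SAMPLE_PROCS_BUSY"; then
    echo "cgroup.procs: empty, subtree_control can be written"
else
    echo "cgroup.procs: has processes; enabling controllers here returns EBUSY"
fi
```

On a real host the three inputs come from /etc/lxc/lxc-usernet, the slice's cgroup.controllers and the cgroup.procs of the cgroup LXC is trying to delegate into (the one named in the log line). Separately from the networking problem, the posted config sets lxc.apparmor.profile = unconfined and lxc.apparmor.allow_nesting = 1, which removes AppArmor confinement from the container; that is worth reverting once debugging is done.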
@mihalicyn
Member

Hi @xmready !

Can you please provide us with some extra information:

# from inside the container
ip a
ip route

# from the host
ip a

@mihalicyn mihalicyn added the Incomplete Waiting on more information from reporter label Jun 4, 2024