Proxmox containers - won't run as privileged containers OOTB #1452

Closed
JedMeister opened this issue May 13, 2020 · 1 comment

Comments

@JedMeister
Member

Users have noted in comments on the v16.0 announcement blog that our v16.0 containers do not run on Proxmox properly as privileged containers. They produce "'namespace' errors" resulting in many/most services (e.g. Apache2, MySQL/MariaDB, etc) refusing to start!

I can confirm the issue using our v16.0 LAMP appliance on my local Proxmox server (Proxmox v5.x - based on Debian 9/Stretch). Note that my tests also confirmed that unprivileged containers work fine!

A bit of searching reveals that the issue is caused by a combination of LXC on the host and systemd in the guest (and perhaps AppArmor too?!).

It appears that the bug is actually within LXC. According to the related Debian bug it's been resolved in the 10/Buster LXC package (so shouldn't be an issue in the TurnKey LXC appliance once we produce the v16.0 release). There is a (still open) Proxmox bug, but that applies to Proxmox v5.x - so I would assume that it's fixed in the current Proxmox v6.x?! Although I'm not currently able to confirm either way.

So it seems that likely the best "fix" is to upgrade Proxmox to v6.x? Although it's worth noting that a Proxmox forum thread hints that this may still have been an issue in Proxmox v6.x (at least in v6.0-9)?

Regardless, a reliable workaround appears to be enabling "Nesting" for the privileged container via Container -> Options -> Features -> Nesting (source: Proxmox forum thread). Note that there are security implications to this workaround (e.g. exposing the host's /proc & /sys as read/write) so where possible, running an unprivileged container is preferable.

There may be other service specific workarounds, but I've not tested any so won't note any specific ones here.
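The check below is an added example, not code from this issue or from the TurnKey or Proxmox projects. It reads a Proxmox LXC container config (normally `/etc/pve/lxc/<vmid>.conf`) and classifies it against the failure mode described in the comment above: a privileged container without the nesting feature is the case that produces the namespace errors, a privileged container with `nesting=1` has the forum workaround applied, and an unprivileged container is the preferred state. The config keys (`unprivileged: 1`, `features: nesting=1,...`) and the `pct set <vmid> --features nesting=1` command are the standard Proxmox ones; the sample configs in the demo are constructed, not real containers.

```shell
#!/bin/sh
# Added example (not from the issue, TurnKey or Proxmox): classify a Proxmox LXC
# container config against the privileged-container/systemd failure discussed
# in the issue. Return codes of pve_ct_check:
#   0  unprivileged container: unaffected, and the preferred configuration
#   1  privileged with nesting=1: the workaround from the issue is applied
#   2  privileged without nesting: expected to fail out of the box

pve_ct_check() {
    conf="$1"
    vmid=$(basename "$conf" .conf)

    # "unprivileged: 1" marks an unprivileged container; absent or 0 means privileged.
    unpriv=$(sed -n 's/^unprivileged:[[:space:]]*//p' "$conf" | head -n 1)
    # "features: nesting=1,keyctl=1" is a comma-separated list; drop stray spaces.
    features=$(sed -n 's/^features:[[:space:]]*//p' "$conf" | head -n 1 | tr -d ' ')

    if [ "$unpriv" = "1" ]; then
        echo "CT $vmid: unprivileged - not affected by the privileged/systemd bug"
        return 0
    fi

    case ",$features," in
        *,nesting=1,*)
            echo "CT $vmid: privileged with nesting enabled - services should start"
            echo "  caveat: nesting on a privileged CT exposes host /proc and /sys read/write"
            return 1
            ;;
    esac

    echo "CT $vmid: privileged WITHOUT nesting - expect 'namespace' errors from systemd units"
    echo "  workaround: pct set $vmid --features nesting=1   (then restart the CT)"
    echo "  preferred:  recreate it as an unprivileged container"
    return 2
}

# Demo on constructed sample configs (not real containers); the layout follows
# the /etc/pve/lxc/<vmid>.conf format.
demo_dir=$(mktemp -d)
printf 'arch: amd64\nostype: debian\nunprivileged: 1\n' > "$demo_dir/100.conf"
printf 'arch: amd64\nostype: debian\nfeatures: nesting=1,keyctl=1\n' > "$demo_dir/101.conf"
printf 'arch: amd64\nostype: debian\n' > "$demo_dir/102.conf"

for f in "$demo_dir"/*.conf; do
    pve_ct_check "$f" || true
done
rm -rf "$demo_dir"
```

On a real host, run it over `/etc/pve/lxc/*.conf` to find every container that will hit the bug before applying either the nesting workaround or a rebuild as unprivileged; the non-zero return codes make it easy to feed into a loop that only acts on the affected containers.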

@JedMeister JedMeister added this to the 16.1 milestone May 13, 2020
@JedMeister JedMeister changed the title Proxmox containers - Proxmox containers - won't run as privileged containers OOTB May 15, 2020
@JedMeister JedMeister modified the milestones: 16.1, 17.0 Feb 9, 2021
@JedMeister
Member Author

This should be resolved as of v17.x
