[pve-devel] [PATCH v3 pve-container 1/2] fix 6897: warn that nesting may be required for systemd

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Nov 4 13:12:04 CET 2025


patch organization comments below, other than that the mechanism seems
to work as expected and also fix the existing warnings that were only
logged correctly sometimes.

one more addition that might be nice would be to also call the check on
container creation, i.e. as part of the post_clone/post_create hooks?

On October 28, 2025 11:35 am, Robert Obkircher wrote:
> Recent versions of systemd require nesting to isolate services. If
> nesting is disabled Debian 11 and 12 containers hang for 25 seconds
> after login and Debian 13 just shows an empty console. To make this
> less confusing for users, add a task-log warning on CT start if a
> systemd version >241 (used by Debian 10) is detected.
> 
> Also introduce a callback to log warnings to a file when the
> RESTEnvironment is not available and ensure that it is printed if
> vm_start fails.
> 
> Signed-off-by: Robert Obkircher <r.obkircher at proxmox.com>
> ---
>  src/PVE/LXC.pm            |  6 ++++--
>  src/PVE/LXC/Setup.pm      | 12 ++++++++++--
>  src/PVE/LXC/Setup/Base.pm | 19 +++++++++++++++++++
>  src/lxc-pve-prestart-hook |  3 ++-
>  4 files changed, 35 insertions(+), 5 deletions(-)
> 
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index a445a85..d2375c4 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -2975,10 +2975,12 @@ sub vm_start {
>  
>          # if debug is requested, print the log it also when the start succeeded
>          print_ct_stderr_log($vmid) if $is_debug;
> -
> +    };
> +    my $err = $@;
> +    eval {
>          print_ct_warn_log($vmid); # always print warn log, if any
>      };
> -    if (my $err = $@) {
> +    if ($err) {
>          unlink $skiplock_flag_fn;
>          die $err;
>      }
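
Review bot: in the second eval around print_ct_warn_log($vmid), any error raised while printing the warn log is silently dropped, because $@ from that eval is never inspected. Consider adding `warn $@ if $@;` directly after it so a failure to read the log stays visible, while $err from the first eval still decides whether vm_start dies.
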
> diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
> index 87330c4..da2df5d 100644
> --- a/src/PVE/LXC/Setup.pm
> +++ b/src/PVE/LXC/Setup.pm
> @@ -6,6 +6,7 @@ use warnings;
>  use POSIX;
>  use Cwd 'abs_path';
>  
> +use PVE::RESTEnvironment;
>  use PVE::Tools;
>  
>  use PVE::LXC::Setup::Alpine;
> @@ -97,11 +98,13 @@ my $autodetect_type = sub {
>  };
>  
>  sub new {
> -    my ($class, $conf, $rootdir, $type) = @_;
> +    my ($class, $conf, $rootdir, $type, $log_warn) = @_;
>  
>      die "no root directory\n" if !$rootdir || $rootdir eq '/';
>  
> -    my $self = bless { conf => $conf, rootdir => $rootdir }, $class;
> +    $log_warn ||= sub { PVE::RESTEnvironment::log_warn(@_); };
> +
> +    my $self = bless { conf => $conf, rootdir => $rootdir, log_warn => $log_warn }, $class;
>  
>      my $os_release = $self->get_ct_os_release();
>  
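
Review bot: the new fourth positional argument $log_warn in new() is undocumented and unchecked; `$log_warn ||= sub { ... }` accepts any true value, and it is later invoked as a code ref. A short comment stating the callback's contract (it receives the warning message) and a die when `ref($log_warn) ne 'CODE'` would catch a wrong argument at construction time instead of at the first warning.
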
> @@ -297,6 +300,11 @@ sub pre_start_hook {
>      my ($self) = @_;
>  
>      $self->protected_call(sub { $self->{plugin}->pre_start_hook($self->{conf}) });
> +
> +    my $init = $self->get_ct_init_path();
> +    # not a protected_call because it calls objdump
> +    my $warning = $self->{plugin}->check_systemd_nesting($self->{conf}, $init);
> +    $self->{log_warn}->($warning) if $warning;

this part here

>  }
>  
>  sub post_clone_hook {
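
Review bot: the check_systemd_nesting call added to pre_start_hook runs outside protected_call and outside any eval, so a die from get_ct_init_path or from the check propagates out of pre_start_hook even though the result is only advisory. Consider wrapping the three added lines in an eval and passing a failure to $self->{log_warn} as well. The comment could also say what about objdump rules out protected_call.
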
> diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
> index a2c88ed..671e8c8 100644
> --- a/src/PVE/LXC/Setup/Base.pm
> +++ b/src/PVE/LXC/Setup/Base.pm
> @@ -647,6 +647,25 @@ sub get_ct_init_path {
>      return $init_path;
>  }
>  
> +sub check_systemd_nesting {
> +    my ($self, $conf, $init) = @_;
> +
> +    my $features = PVE::LXC::Config->parse_features($conf->{features});
> +    return if $features->{nesting};
> +
> +    return if (!defined($init) || $init !~ m@/systemd$@);
> +
> +    my $sdver = $self->get_systemd_version($init);
> +
> +    # 241 is the systemd version used by Debian 10. It was chosen based
> +    # on a forum post that suggested enabling nesting for the upgrade
> +    # from PMG 6.x to 7 and after a quick test where a Debian 11 container
> +    # hung 25 seconds after login.
> +    return if (!defined($sdver) || $sdver <= 241);
> +
> +    return "Systemd $sdver detected. You may need to enable nesting.";
> +}

and this part here should be a separate patch, and the rest of this
patch could be combined with the first patch:

patch 1: introduce new log_warn functionality and migrate warnings
patch 2: add nesting check that uses it

or, if you want to split it further:

patch 1: introduce new log_warn functionality
patch 2: switch existing warnings over to use it
patch 3: improve warning handling in container start, in case startup
fails (first hunk of this patch)
patch 4: add nesting check

> +
>  sub ssh_host_key_types_to_generate {
>      my ($self) = @_;
>  
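
Review bot: `$sdver <= 241` in check_systemd_nesting is a numeric comparison, and the hunk does not show what get_systemd_version returns; if it can return a string with a suffix, the check relies on Perl's implicit numeric conversion. Extracting the leading integer explicitly before comparing would make this robust, and 241 could become a named constant with the forum post mentioned in the comment linked next to it.
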
> diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
> index 73125e1..0e69630 100755
> --- a/src/lxc-pve-prestart-hook
> +++ b/src/lxc-pve-prestart-hook
> @@ -155,7 +155,8 @@ PVE::LXC::Tools::lxc_hook(
>  
>          PVE::LXC::Config->foreach_passthrough_device($conf, $setup_passthrough_device);
>  
> -        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir);
> +        my $warn_sub = sub { log_warn($vmid, @_); };
> +        my $lxc_setup = PVE::LXC::Setup->new($conf, $rootdir, undef, $warn_sub);
>          $lxc_setup->pre_start_hook();
>  
>          if (PVE::CGroup::cgroup_mode() == 2) {
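
Review bot: `log_warn($vmid, @_)` in $warn_sub is an unqualified call with a different argument list than the PVE::RESTEnvironment::log_warn default used in Setup.pm, and the hunk does not show where it is defined. A fully qualified name or a one-line comment naming the function's origin would avoid confusing the two. The `undef` placeholder passed for $type also suggests that new() would read better with named arguments.
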
> -- 
> 2.47.3