There is nothing in /usr/share/doc/lxc/README.Debian.gz that provides the work-around. I am using containers managed by root, started when the OS boots.
su - root and then lxc-ls -f reports NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED bind-base STOPPED 0 - - - false Note the right-most column. Nothing in the README about "unprivileged containers" would seem to apply. apparmor is not installed on this system. The only work-around given in the two github issues is to set GRUB_CMDLINE_LINUX=systemd.unified_cgroup_hierarchy=false in /etc/default/grub.d/cgroup.cfg and the Debian README does not mention this work-around. Perhaps it is possible to put systemd.unified_cgroup_hierarchy=false into /etc/sysctl.conf ? Or perhaps some other config file? There is another work-around: mkdir -p /sys/fs/cgroup/systemd && mount -t cgroup cgroup -o none,name=systemd /sys/fs/cgroup/systemd However, sticking this mkdir into some /etc/init.d file does not seem plausible for a server; it feels too hacky. --linas