conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only bind mounts can currently be idmapped)

Debian Bug Tracking System Thu, 26 Feb 2026 04:11:19 -0800

Your message dated Thu, 26 Feb 2026 13:08:55 +0100
with message-id <[email protected]>
and subject line Re: lxc: ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - 
Invalid argument - Only bind mounts can currently be idmapped
has caused the Debian Bug report #1129002,
regarding lxc: ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid 
argument - Only bind mounts can currently be idmapped
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129002
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: lxc
Version: 1:6.0.5-2
Severity: important

Hi,

I'm reporting the issue against sid but I first experienced the issue in
trixie.

I have a bunch of LXC which I'm currently converting to unprivileged
ones using the idmap options.

I need to have some bind mounts insides the container, and I tried to
use the idmap=container option to those entries.

When adding this option, the container fails to start and the log
(attached) show the following lines:

lxc-start test 20260225171244.630 ERROR    conf - 
../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only 
bind mounts can currently be idmapped
lxc-start test 20260225171244.630 ERROR    conf - 
../src/lxc/conf.c:lxc_idmapped_mounts_child:2888 - Invalid argument - Failed to 
setup idmapped mount entries 
lxc-start test 20260225171244.630 ERROR    conf - 
../src/lxc/conf.c:lxc_setup:3916 - Invalid argument - Failed to attached 
detached idmapped mounts
lxc-start test 20260225171244.630 ERROR    start - 
../src/lxc/start.c:do_start:1273 - Failed to setup container "test"

This error looks spurious because the relevant from the (attached)
configuration is:

lxc.mount.entry = /var/log/ var/log/ bind 
bind,rw,nosuid,nodev,noexec,idmap=container

Looking at the source code
(https://sources.debian.org/src/lxc/1%3A6.0.5-2/src/lxc/conf.c#L2704) it
should only happen when the `mnttype` is none which I don't think
is/should be the case here (the line explicitely sets it to 'bind').

Either I'm doing something wrong (what?) or it looks like a bug here.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: forky/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.18.12+deb14-amd64 (SMP w/14 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  debconf [debconf-2.0]        1.5.92
ii  dnsmasq-base [dnsmasq-base]  2.92-2
ii  iproute2                     6.19.0-1
ii  iptables                     1.8.12-1
ii  libapparmor1                 4.1.6-2
ii  libc6                        2.42-13
ii  libcap2                      1:2.75-10+b5
ii  libdbus-1-3                  1.16.2-4
ii  libgcc-s1                    15.2.0-14
ii  liblxc-common                1:6.0.5-2
ii  liblxc1t64                   1:6.0.5-2
ii  libseccomp2                  2.6.0-2+b1
ii  libselinux1                  3.9-4+b1
ii  nftables                     1.1.6-1

Versions of packages lxc recommends:
ii  apparmor       4.1.6-2
ii  debootstrap    1.0.142
ii  dirmngr        2.4.8-5
pn  distrobuilder  <none>
ii  gnupg          2.4.8-5
pn  libpam-cgfs    <none>
pn  lxcfs          <none>
ii  openssl        3.5.5-1
ii  rsync          3.4.1+ds1-7
ii  uidmap         1:4.19.3-1
ii  wget           1.25.0-2

Versions of packages lxc suggests:
pn  btrfs-progs  <none>
pn  criu         <none>
ii  lvm2         2.03.31-2+b1
pn  python3-lxc  <none>

-- debconf information:
  lxc/auto_update_config:

lxc.uts.name = test
lxc.autodev = 1
lxc.mount.auto = proc:mixed
lxc.mount.auto = sys:mixed
lxc.mount.auto = cgroup:mixed

# Unprivileged
lxc.idmap = u 0 1600000 65535
lxc.idmap = g 0 1600000 65536

# fstab
lxc.rootfs.path = /srv/rootfs
lxc.rootfs.options=idmap=container
lxc.mount.entry = /var/log/ var/log/ bind 
bind,rw,nosuid,nodev,noexec,idmap=container

lxc-start test 20260225171244.599 INFO     confile - 
../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type u nsid 0 
hostid 1600000 range 65535
lxc-start test 20260225171244.599 INFO     confile - 
../src/lxc/confile.c:set_config_idmaps:2273 - Read uid map: type g nsid 0 
hostid 1600000 range 65536
lxc-start test 20260225171244.599 INFO     lxccontainer - 
../src/lxc/lxccontainer.c:do_lxcapi_start:954 - Set process title to [lxc 
monitor] /var/lib/lxc test
lxc-start test 20260225171244.600 DEBUG    lxccontainer - 
../src/lxc/lxccontainer.c:wait_on_daemonized_start:813 - First child 112151 
exited
lxc-start test 20260225171244.600 INFO     lsm - 
../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver 
AppArmor
lxc-start test 20260225171244.600 INFO     cgfsng - 
../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1508 - Running 
privileged, not using a systemd unit
lxc-start test 20260225171244.600 INFO     start - 
../src/lxc/start.c:lxc_init:882 - Container "test" is initialized
lxc-start test 20260225171244.600 INFO     cgfsng - 
../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1682 - The monitor process 
uses "lxc.monitor.test" as cgroup
lxc-start test 20260225171244.621 DEBUG    storage - 
../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.621 DEBUG    storage - 
../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.622 INFO     cgfsng - 
../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1790 - The container process 
uses "lxc.payload.test" as inner and "lxc.payload.test" as limit cgroup
lxc-start test 20260225171244.622 INFO     start - 
../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUSER
lxc-start test 20260225171244.622 INFO     start - 
../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWNS
lxc-start test 20260225171244.622 INFO     start - 
../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWPID
lxc-start test 20260225171244.622 INFO     start - 
../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWUTS
lxc-start test 20260225171244.622 INFO     start - 
../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWIPC
lxc-start test 20260225171244.622 INFO     start - 
../src/lxc/start.c:lxc_spawn:1774 - Cloned CLONE_NEWCGROUP
lxc-start test 20260225171244.622 DEBUG    start - 
../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved user namespace 
via fd 20 and stashed path as user:/proc/112152/fd/20
lxc-start test 20260225171244.622 DEBUG    start - 
../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved mnt namespace via 
fd 21 and stashed path as mnt:/proc/112152/fd/21
lxc-start test 20260225171244.622 DEBUG    start - 
../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved pid namespace via 
fd 22 and stashed path as pid:/proc/112152/fd/22
lxc-start test 20260225171244.622 DEBUG    start - 
../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved uts namespace via 
fd 23 and stashed path as uts:/proc/112152/fd/23
lxc-start test 20260225171244.622 DEBUG    start - 
../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved ipc namespace via 
fd 24 and stashed path as ipc:/proc/112152/fd/24
lxc-start test 20260225171244.622 DEBUG    start - 
../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved cgroup namespace 
via fd 25 and stashed path as cgroup:/proc/112152/fd/25
lxc-start test 20260225171244.622 DEBUG    idmap_utils - 
../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary 
"/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260225171244.622 DEBUG    idmap_utils - 
../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary 
"/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260225171244.622 DEBUG    idmap_utils - 
../src/lxc/idmap_utils.c:lxc_map_ids:178 - Functional newuidmap and newgidmap 
binary found
lxc-start test 20260225171244.627 DEBUG    idmap_utils - 
../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary 
"/usr/bin/newuidmap" does have the setuid bit set
lxc-start test 20260225171244.627 DEBUG    idmap_utils - 
../src/lxc/idmap_utils.c:idmaptool_on_path_and_privileged:93 - The binary 
"/usr/bin/newgidmap" does have the setuid bit set
lxc-start test 20260225171244.627 INFO     idmap_utils - 
../src/lxc/idmap_utils.c:lxc_map_ids:176 - Caller maps host root. Writing 
mapping directly
lxc-start test 20260225171244.627 NOTICE   utils - 
../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260225171244.628 INFO     start - 
../src/lxc/start.c:do_start:1105 - Unshared CLONE_NEWNET
lxc-start test 20260225171244.628 NOTICE   utils - 
../src/lxc/utils.c:lxc_drop_groups:1481 - Dropped supplimentary groups
lxc-start test 20260225171244.628 NOTICE   utils - 
../src/lxc/utils.c:lxc_switch_uid_gid:1457 - Switched to gid 0
lxc-start test 20260225171244.628 NOTICE   utils - 
../src/lxc/utils.c:lxc_switch_uid_gid:1466 - Switched to uid 0
lxc-start test 20260225171244.629 DEBUG    start - 
../src/lxc/start.c:lxc_try_preserve_namespace:140 - Preserved net namespace via 
fd 7 and stashed path as net:/proc/112152/fd/7
lxc-start test 20260225171244.629 DEBUG    storage - 
../src/lxc/storage/storage.c:storage_query:231 - Detected rootfs type "dir"
lxc-start test 20260225171244.629 DEBUG    conf - 
../src/lxc/conf.c:lxc_mount_rootfs:1223 - Mounted rootfs "/srv/rootfs" onto 
"/usr/lib/x86_64-linux-gnu/lxc/rootfs" with options "idmap=container"
lxc-start test 20260225171244.629 INFO     conf - 
../src/lxc/conf.c:setup_utsname:671 - Set hostname to "cloud"
lxc-start test 20260225171244.629 INFO     conf - 
../src/lxc/conf.c:mount_autodev:1006 - Preparing "/dev"
lxc-start test 20260225171244.629 INFO     conf - 
../src/lxc/conf.c:mount_autodev:1067 - Prepared "/dev"
lxc-start test 20260225171244.629 DEBUG    conf - 
../src/lxc/conf.c:lxc_mount_auto_mounts:531 - Invalid argument - Tried to 
ensure procfs is unmounted
lxc-start test 20260225171244.629 DEBUG    conf - 
../src/lxc/conf.c:lxc_mount_auto_mounts:554 - Invalid argument - Tried to 
ensure sysfs is unmounted
lxc-start test 20260225171244.630 ERROR    conf - 
../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only 
bind mounts can currently be idmapped
lxc-start test 20260225171244.630 ERROR    conf - 
../src/lxc/conf.c:lxc_idmapped_mounts_child:2888 - Invalid argument - Failed to 
setup idmapped mount entries
lxc-start test 20260225171244.630 ERROR    conf - 
../src/lxc/conf.c:lxc_setup:3916 - Invalid argument - Failed to attached 
detached idmapped mounts
lxc-start test 20260225171244.630 ERROR    start - 
../src/lxc/start.c:do_start:1273 - Failed to setup container "test"
lxc-start test 20260225171244.630 ERROR    sync - 
../src/lxc/sync.c:sync_wait:34 - An error occurred in another process (expected 
sequence number 4)
lxc-start test 20260225171244.630 DEBUG    network - 
../src/lxc/network.c:lxc_delete_network:4221 - Deleted network devices
lxc-start test 20260225171244.630 ERROR    lxccontainer - 
../src/lxc/lxccontainer.c:wait_on_daemonized_start:832 - Received container 
state "ABORTING" instead of "RUNNING"
lxc-start test 20260225171244.630 ERROR    lxc_start - 
../src/lxc/tools/lxc_start.c:lxc_start_main:307 - The container failed to start
lxc-start test 20260225171244.630 ERROR    lxc_start - 
../src/lxc/tools/lxc_start.c:lxc_start_main:310 - To get more details, run the 
container in foreground mode
lxc-start test 20260225171244.630 ERROR    lxc_start - 
../src/lxc/tools/lxc_start.c:lxc_start_main:312 - Additional information can be 
obtained by setting the --logfile and --logpriority options
lxc-start test 20260225171244.630 ERROR    start - 
../src/lxc/start.c:__lxc_start:2119 - Failed to spawn container "test"
lxc-start test 20260225171244.630 WARN     start - 
../src/lxc/start.c:lxc_abort:1037 - No such process - Failed to send SIGKILL 
via pidfd 19 for process 112153

--- End Message ---

--- Begin Message ---

On Wed, Feb 25, 2026 at 06:20:01PM +0100, Yves-Alexis Perez wrote:
> lxc-start test 20260225171244.630 ERROR    conf - 
> ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only 
> bind mounts can currently be idmapped
> lxc-start test 20260225171244.630 ERROR    conf - 
> ../src/lxc/conf.c:lxc_idmapped_mounts_child:2888 - Invalid argument - Failed 
> to setup idmapped mount entries 
> lxc-start test 20260225171244.630 ERROR    conf - 
> ../src/lxc/conf.c:lxc_setup:3916 - Invalid argument - Failed to attached 
> detached idmapped mounts
> lxc-start test 20260225171244.630 ERROR    start - 
> ../src/lxc/start.c:do_start:1273 - Failed to setup container "test"
> 
> This error looks spurious because the relevant from the (attached)
> configuration is:
> 
> lxc.mount.entry = /var/log/ var/log/ bind 
> bind,rw,nosuid,nodev,noexec,idmap=container
> 
[...]
> Either I'm doing something wrong (what?) or it looks like a bug here.

So I was indeed doing something wrong. The code expects the fstype to be
'none' (and not 'bind', which is OK in standard fstab for a bind mount).
It seems to work fine if I update the entry line to:

> lxc.mount.entry = /var/log/ var/log/ none 
> bind,rw,nosuid,nodev,noexec,idmap=container

Sorry for the noise.
-- 
Yves-Alexis Perez

--- End Message ---

Bug#1129002: marked as done (lxc: ../src/lxc/conf.c:__lxc_idmapped_mounts_child:2704 - Invalid argument - Only bind mounts can currently be idmapped)

Reply via email to