Package: lxc
Version: 1:4.0.6-1
Severity: normal

The default location for the configuration files of unprivileged containers created by non-root users seems to be $HOME/.local/share, but such containers will fail to start, since they don't have permission to access that directory, since it isn't world accessible.
On this Sid system, $HOME and $HOME/.local are 755, but $HOME/.local/share is 700. On a Buster system of mine, $HOME is 755, but the other two are only 700. On both these systems, starting unprivileged containers fails with something like:

lxc-start: my-container: start.c: print_top_failing_dir: 125 Permission denied - Could not access /home/username/.local/share. Please grant it x access, or add an ACL for the container root
lxc-start: my-container: sync.c: __sync_wait: 62 An error occurred in another process (expected sequence number 3)
lxc-start: my-container: start.c: __lxc_start: 1951 Failed to spawn container "my-container"
lxc-start: my-container: tools/lxc_start.c: main: 330 The container failed to start
lxc-start: my-container: tools/lxc_start.c: main: 336 Additional information can be obtained by setting the --logfile and --logpriority options

The solution is obviously to grant the appropriate permissions, but I think this should be handled automatically by the system, or at the very least, documentation should be added explaining the issue, instead of requiring users to figure this out on their own. Here's a suggestion for a paragraph to be added to the "Unprivileged containers" section of README.Debian:

*****

Unprivileged containers started by non-root users store their configuration in ~/.local/share, and so must have permission to access that directory. This can be granted via a command like (assuming the acl package is installed):

setfacl --modify user:nnnnnnnn:x . .local .local/share

where nnnnnnnn is the subuid mapped to 0 in ~/.config/lxc/default.conf

*****

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-6-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc depends on:
ii  bridge-utils                  1.7-1
ii  debconf [debconf-2.0]         1.5.76
ii  dnsmasq-base [dnsmasq-base]   2.85-1
ii  iproute2                      5.10.0-4
ii  iptables                      1.8.7-1
ii  libc6                         2.31-11
ii  libcap2                       1:2.44-1
ii  libgcc-s1                     10.2.1-6
ii  liblxc1                       1:4.0.6-1
ii  libseccomp2                   2.5.1-1
ii  libselinux1                   3.1-3
ii  lsb-base                      11.1.0

Versions of packages lxc recommends:
ii  apparmor                      2.13.6-10
ii  debootstrap                   1.0.123
ii  dirmngr                       2.2.27-1
ii  gnupg                         2.2.27-1
pn  libpam-cgfs                   <none>
ii  lxc-templates                 3.0.4-5
pn  lxcfs                         <none>
ii  openssl                       1.1.1k-1
ii  rsync                         3.2.3-4
ii  uidmap                        1:4.8.1-1
ii  wget                          1.21-1+b1

Versions of packages lxc suggests:
ii  btrfs-progs                   5.10.1-1
ii  lvm2                          2.03.11-2.1
pn  python3-lxc                   <none>

-- debconf information:
  lxc/auto_update_config:
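
A check for the condition this report describes, added here as an example and not part of the original report or of the lxc package: it reads the host uid mapped to container uid 0 and lists which directories between $HOME and the container path that uid cannot traverse. The function names and the sample idmap values are assumptions; the config is assumed to hold a line of the form "lxc.idmap = u 0 <subuid> <count>".

```shell
#!/bin/sh
# Added example (not from the bug report). Constructed assumptions: the
# function names, and that default.conf holds a line such as
#   lxc.idmap = u 0 100000 65536

# Print the host uid that container uid 0 is mapped to.
container_root_uid() {
    awk -F= '$1 ~ /^[ \t]*lxc\.idmap[ \t]*$/ {
        split($2, f, " ")
        if (f[1] == "u" && f[2] == 0) { print f[3]; exit }
    }' "$1"
}

# Succeed if an ACL entry gives uid $1 effective x on directory $2.
# getfacl appends "#effective:..." when the mask narrows an entry, so the
# last character of the line is the effective execute bit either way.
acl_grants_x() {
    command -v getfacl >/dev/null 2>&1 || return 1
    getfacl --omit-header --absolute-names --numeric "$2" 2>/dev/null |
        grep -Eq "^user:$1:.*x[[:space:]]*$"
}

# List every directory from $3 up to $2 that the mapped uid $1 cannot traverse.
blocked_dirs() {
    uid=$1 top=$2 dir=$3
    while :; do
        # The subuid is neither owner nor group member, so "other" x
        # (10th character of the ls mode string) decides, unless an ACL does.
        case $(ls -ld "$dir" | cut -c10) in
            x|t) ;;
            *) acl_grants_x "$uid" "$dir" || printf '%s\n' "$dir" ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ] || [ "$dir" = . ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
}

# Usage: blocked_dirs "$(container_root_uid ~/.config/lxc/default.conf)" \
#            "$HOME" "$HOME/.local/share"
```

Each directory it prints is one that needs the per-uid ACL entry from the suggested README paragraph; granting x to that single subuid keeps the directory closed to every other local user.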