Any reason you're running those commands as the container PID1 instead of starting the container and using lxc-attach to run the commands inside it?
What you're doing right now is unsupported as neither chfn nor su are init processes, so they will not know how to set up the container or handle other tasks that init is in charge of (signal handling, child re-parenting and reaping, ...).

** Changed in: lxc (Ubuntu)
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/1501959

Title:
  "System error" on chfn / su with lxc-start --share-net

Status in lxc package in Ubuntu:
  Incomplete

Bug description:
  When running `lxc-start --share-net 1` on a trusty host with a trusty container, chfn / su (and presumably other utilities which use PAM) fail.

  Test case:

    lxc-create -t ubuntu -n test1
    cat >/var/lib/lxc/test1/rootfs/config <<EOM
    lxc.include = /usr/share/lxc/config/ubuntu.common.conf
    lxc.rootfs = /var/lib/lxc/test1/rootfs
    lxc.mount = /var/lib/lxc/test1/fstab
    lxc.utsname = test1
    lxc.arch = amd64
    EOM
    lxc-start -n test1 -F --share-net 1 -- chfn -f 'test' root
    lxc-start -n test1 -F --share-net 1 -- su -

  Output:

    # lxc-start -n test1 -F --share-net 1 -- chfn -f 'test' root
    chfn: PAM: System error
    lxc-start: lxc_start.c: main: 342 The container failed to start.
    lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.
    # lxc-start -n test1 -F --share-net 1 -- su -
    su: System error
    lxc-start: lxc_start.c: main: 342 The container failed to start.
    lxc-start: lxc_start.c: main: 346 Additional information can be obtained by setting the --logfile and --logpriority options.

  Issues in Docker, e.g. https://github.com/docker/docker/issues/6345, suggest it's because the AUDIT_WRITE capability is not being set, but it doesn't seem to be the case here as LXC by default is doing subtractive caps:

    # lxc-info --name test1 -c lxc.cap.keep -c lxc.cap.drop
    lxc.cap.keep =
    lxc.cap.drop = sys_module mac_admin mac_override sys_time

  This issue also appears to have been found in LP: #1430891, but was worked around rather than addressed.

  Running without --share-net doesn't exhibit this problem.
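The capability reasoning in the bug description can be checked mechanically. The following is an added example, not part of the original report or of LXC: it evaluates the `lxc.cap.keep` / `lxc.cap.drop` values quoted above for `audit_write` and tests the matching bit in a `CapBnd` mask of the form found in `/proc/<pid>/status`. The function names and the sample mask are assumptions constructed for illustration (the mask assumes capabilities 0 to 36 minus the four dropped ones).

```shell
#!/bin/sh
# Added example. Inputs below are constructed, not captured from a container.

CAP_AUDIT_WRITE_BIT=29   # CAP_AUDIT_WRITE in linux/capability.h

# lxc_value KEY: extract the value from "key = value" lines read on stdin
# (the format printed by lxc-info -c).
lxc_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p"
}

# cap_retained CAP KEEP DROP
# A non-empty keep list acts as an allow-list; otherwise every capability
# that is not in the drop list is retained (the "subtractive" default).
cap_retained() {
    _cap=$1 _keep=$2 _drop=$3
    if [ -n "$_keep" ]; then
        case " $_keep " in *" $_cap "*) return 0 ;; *) return 1 ;; esac
    fi
    case " $_drop " in *" $_cap "*) return 1 ;; *) return 0 ;; esac
}

# mask_has_bit HEXMASK BIT: test one bit of a CapBnd/CapEff value
# (hex digits without the 0x prefix, as in /proc/<pid>/status).
mask_has_bit() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Constructed sample: the lxc-info output quoted in the report.
SAMPLE_INFO='lxc.cap.keep =
lxc.cap.drop = sys_module mac_admin mac_override sys_time'
# Constructed sample: bits 0-36 set, minus bits 16, 25, 32 and 33.
SAMPLE_CAPBND=0000001cfdfeffff

cfg_keep=$(printf '%s\n' "$SAMPLE_INFO" | lxc_value lxc.cap.keep)
cfg_drop=$(printf '%s\n' "$SAMPLE_INFO" | lxc_value lxc.cap.drop)

if cap_retained audit_write "$cfg_keep" "$cfg_drop"; then
    echo "config: audit_write is retained"
else
    echo "config: audit_write is dropped"
fi

if mask_has_bit "$SAMPLE_CAPBND" "$CAP_AUDIT_WRITE_BIT"; then
    echo "bounding set: CAP_AUDIT_WRITE present"
else
    echo "bounding set: CAP_AUDIT_WRITE missing"
fi
```

On a live system the mask would come from the `CapBnd:` line of `/proc/<pid>/status` for the container's first process rather than from the constructed value.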