Running LXC/Proxmox containers unprivileged
By Tony Hoyle
Running an unprivileged lxc container with recent systemd
Recent builds of systemd (around version 252) implemented a bunch of features that break proxmox/lxc containers. The canonical way of working around this is to enable nesting, but this isn’t really recommended as it gives the container access to the host’s /proc and /sys; it only takes one bug and breaking out of the container becomes possible.
There is a workaround script for this. It’s not installed by default and, as far as I know, not in any packages. It’s a better solution, with the caveat that it changes as systemd changes (I’ve already had breakage due to updates to systemd), so it’s something that requires maintenance; perhaps a proper fix will appear someday.
Put this in a script somewhere:
# create the generator directory and fetch the lxc generator into it
mkdir -p /etc/systemd/system-generators
cd /etc/systemd/system-generators
wget -O lxc https://raw.githubusercontent.com/lxc/distrobuilder/main/distrobuilder/lxc.generator
chmod 755 lxc
If you’re paranoid you could run this in a cron job, but I’ve found it not to be necessary, since if I need to rerun it I’ve probably just manually updated anyway.
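As an added check that is not part of the original post: a small shell audit that flags Proxmox containers still relying on the nesting workaround, and tests whether the generator from the script above is in place inside a container. It assumes Proxmox's usual per-container config files under /etc/pve/lxc/<vmid>.conf with their `unprivileged:` and `features:` keys; the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the post: audit container configs for the
# nesting feature the post advises against, and check the generator.

# nesting_enabled CONF_TEXT -> 0 if a "features:" line turns nesting on
nesting_enabled() {
  printf '%s\n' "$1" |
    grep -Eq '^features:[[:space:]]*(.*,)?[[:space:]]*nesting=1([[:space:]]*,|[[:space:]]*$)'
}

# is_unprivileged CONF_TEXT -> 0 if the container is marked unprivileged
is_unprivileged() {
  printf '%s\n' "$1" | grep -Eq '^unprivileged:[[:space:]]*1[[:space:]]*$'
}

# audit_conf CONF_TEXT -> one-word verdict on stdout
audit_conf() {
  if ! is_unprivileged "$1"; then
    echo privileged              # worst case: root in CT is root on host
  elif nesting_enabled "$1"; then
    echo unprivileged-nesting    # the workaround the post recommends against
  else
    echo unprivileged            # expected state once the generator is used
  fi
}

# generator_installed DIR -> 0 if DIR/lxc exists and is executable
# (run inside a container with DIR=/etc/systemd/system-generators)
generator_installed() {
  [ -x "$1/lxc" ]
}

# Constructed sample configs, shaped like /etc/pve/lxc/<vmid>.conf.
SAMPLE_NESTED='arch: amd64
features: keyctl=1,nesting=1
hostname: ct101
unprivileged: 1'
SAMPLE_CLEAN='arch: amd64
hostname: ct102
unprivileged: 1'

# On a real Proxmox host, walk every container config and report.
for f in /etc/pve/lxc/*.conf; do
  [ -f "$f" ] && printf '%s: %s\n' "$f" "$(audit_conf "$(cat "$f")")"
done
```

Running it on the host prints one verdict per container; the `generator_installed` helper is meant to be called from inside a container after running the post's script.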