On Debian 12 bullseye all works fine.
This is the situation on Debian Trixie (released as stable some days ago):
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3227 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3312 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3312 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3312 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3382 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3382 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3382 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3436 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3436 to "net" of 3
lxc-ls: ../src/lxc/utils.c: switch_to_ns: 900 Operation not permitted - Failed to set process 3436 to "net" of 3
NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
cacti1 RUNNING 0 - - - true
certauth1 RUNNING 0 - - - true
dns1 RUNNING 0 - - - true
It seems to be working, but...
lxc-attach dns1
lxc-attach: dns1: ../src/lxc/cgroups/cgfsng.c: enter_scope: 1335 Failed opening dbus connection
lxc-attach: dns1: ../src/lxc/cgroups/cgfsng.c: cgroup_attach_move_into_leaf: 2859 Failed entering scope 'lxc-dns1-0.scope'
lxc-attach: dns1: ../src/lxc/cgroups/cgfsng.c: cgroup_attach_move_into_leaf: 2897 Permission denied - Failed to move process into target cgroup via fd 7 and 8
lxc-attach: dns1: ../src/lxc/conf.c: userns_exec_minimal: 4685 Permission denied - Running parent function failed
lxcunpriv@nas:~$ lxc-attach: dns1: ../src/lxc/attach.c: do_attach: 1238 No data available - Failed to receive lsm label fd
lxc-attach: dns1: ../src/lxc/attach.c: do_attach: 1376 Failed to attach to container
The containers are unprivileged.
I have tried with
systemd.unified_cgroup_hierarchy=false
and without it, but the result is the same.
After some seconds all containers fail:
NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
cacti1 STOPPED 0 - - - true
certauth1 STOPPED 0 - - - true
dns1 STOPPED 0 - - - true
Trying with debug
lxc-start -n dns1 -F -l DEBUG -o /tmp/lxc-nomecontainer.log
lxc-start: dns1: ../src/lxc/cgroups/cgfsng.c: unpriv_systemd_create_scope: 1526 Failed opening dbus connection
Failed to mount cgroup at /sys/fs/cgroup/systemd: Operation not permitted
[!!!!!!] Failed to mount API filesystems.
Exiting PID 1...
lxc-checkconfig reports all fine:
lxc-checkconfig
LXC version 6.0.4
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-6.12.38+deb13-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Namespace limits:
cgroup: 127838
ipc: 127838
mnt: 127838
net: 127838
pid: 127838
time: 127838
user: 127838
uts: 127838
--- Control groups ---
Cgroups: enabled
Cgroup namespace: enabled
Cgroup v1 mount points:
Cgroup v2 mount points:
- /sys/fs/cgroup
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded
--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled
Note: Before booting a new kernel, you can check its configuration with:
CONFIG=/path/to/config /usr/bin/lxc-checkconfig
Any idea?
EDIT1: This script, which fixes something on some lxc versions, fails completely:
#!/bin/bash
# this is for the password in cache
printf '\n\033[42mCreating cgroup hierarchy\033[m\n\n' &&
for d in /sys/fs/cgroup/*; do
    f=$(basename "$d")
    echo "looking at $f"
    if [ "$f" = "cpuset" ]; then
        echo 1 | sudo tee -a "$d/cgroup.clone_children"
    elif [ "$f" = "memory" ]; then
        echo 1 | sudo tee -a "$d/memory.use_hierarchy"
    fi
    sudo mkdir -p "$d/$USER"
    sudo chown -R "$USER" "$d/$USER"
    # add current process to cgroup
    #echo $PPID > $d/$USER/tasks
done
mkdir: cannot create directory ‘/sys/fs/cgroup/cgroup.controllers’: not a directory
chown: impossible to access on '/sys/fs/cgroup/cgroup.controllers/lxcunpriv': not a directory
Asked by elbarna
(13758 rep)
Aug 10, 2025, 02:06 AM
Last activity: Aug 12, 2025, 12:23 AM
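The `mkdir` and `chown` errors in the question come from a loop that treats every entry under /sys/fs/cgroup as a per-controller directory (the cgroup v1 layout), while the lxc-checkconfig output lists only a cgroup v2 mount, whose root holds control files such as cgroup.controllers. The following is an added diagnostic sketch, not part of the original post or of LXC: the function names are hypothetical, and the writability test is only an approximation of whether the user's own cgroup has been delegated.

```shell
#!/bin/bash
# Added diagnostic sketch (not from the post). Function names are hypothetical.
# Arguments default to the live system; pass constructed paths to test offline.

# Print "v2" for a unified hierarchy, "v1" for per-controller directories.
cgroup_layout() {
    local root="${1:-/sys/fs/cgroup}"
    if [ -f "$root/cgroup.controllers" ]; then
        echo v2
    elif [ -d "$root/cpuset" ] || [ -d "$root/memory" ]; then
        echo v1
    else
        echo unknown
    fi
}

# List root entries that are not directories: a v1-style loop's mkdir fails on each.
non_dir_entries() {
    local root="${1:-/sys/fs/cgroup}" d
    for d in "$root"/*; do
        if [ -e "$d" ] && [ ! -d "$d" ]; then basename "$d"; fi
    done
}

# Extract the cgroup v2 path from a /proc/<pid>/cgroup style file ("0::/path").
own_cgroup_path() {
    local file="${1:-/proc/self/cgroup}"
    [ -r "$file" ] || return 0
    sed -n 's/^0:://p' "$file" | head -n 1
}

# Approximation: the caller can write to its own cgroup directory and cgroup.procs.
can_create_child_cgroup() {
    local root="${1:-/sys/fs/cgroup}" file="${2:-/proc/self/cgroup}" rel
    rel=$(own_cgroup_path "$file")
    [ -n "$rel" ] && [ -w "$root$rel" ] && [ -w "$root$rel/cgroup.procs" ]
}

report() {
    echo "layout:     $(cgroup_layout)"
    echo "own cgroup: $(own_cgroup_path)"
    if can_create_child_cgroup; then echo "writable:   yes"; else echo "writable:   no"; fi
}

report
```

Run it as the unprivileged user that owns the containers, from the same kind of session used to start them, so the reported cgroup is the one `lxc-start` and `lxc-attach` would inherit.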