lsh does not call PAM, breaking unprivileged lxc containers

Seems like I've hit the bug #1413927 but as requested in comments I'm filing new one.

lxc-start -n asterisk -l debug -F --logfile /dev/stdout

      lxc-start 1434992414.067 INFO lxc_start_ui - lxc_start.c:main:264 - using rcfile /home/x/.local/share/lxc/asterisk/config
      lxc-start 1434992414.067 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1434992414.067 WARN lxc_confile - confile.c:config_pivotdir:1768 - lxc.pivotdir is ignored. It will soon become an error.
      lxc-start 1434992414.069 INFO lxc_confile - confile.c:config_idmap:1376 - read uid map: type u nsid 0 hostid 100000 range 65536
      lxc-start 1434992414.069 INFO lxc_confile - confile.c:config_idmap:1376 - read uid map: type g nsid 0 hostid 100000 range 65536
      lxc-start 1434992414.069 WARN lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
      lxc-start 1434992414.075 WARN lxc_cgmanager - cgmanager.c:cgm_get:963 - do_cgm_get exited with error
      lxc-start 1434992414.076 WARN lxc_start - start.c:lxc_check_inherited:224 - inherited fd 7
      lxc-start 1434992414.076 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver AppArmor
      lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .reject_force_umount # comment this to allow umount -f; not recommended.
      lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for reject_force_umount action 0
      lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - Setting seccomp rule to reject force umounts
      lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for reject_force_umount action 0
      lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:parse_config_v2:438 - Adding non-compat rule bc nr1 == nr2 (-1, -1)
      lxc-start 1434992414.076 INFO lxc_seccomp - seccomp.c:do_resolve_add_rule:210 - Setting seccomp rule to reject force umounts

      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .[all].
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .kexec_load errno 1.
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for kexec_load action 327681
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for kexec_load action 327681
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (283, 246)
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .open_by_handle_at errno 1.
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for open_by_handle_at action 327681
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for open_by_handle_at action 327681
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (342, 304)
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .init_module errno 1.
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for init_module action 327681
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for init_module action 327681
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (128, 175)
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .finit_module errno 1.
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for finit_module action 327681
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for finit_module action 327681
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (350, 313)
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:316 - processing: .delete_module errno 1.
      lxc-start 1434992414.077 INFO lxc_seccomp - seccomp.c:parse_config_v2:419 - Adding non-compat rule for delete_module action 327681
      lxc-start 1434992414.078 INFO lxc_seccomp - seccomp.c:parse_config_v2:430 - Adding compat rule for delete_module action 327681
      lxc-start 1434992414.078 INFO lxc_seccomp - seccomp.c:parse_config_v2:443 - Really adding compat rule bc nr1 == nr2 (129, 176)
      lxc-start 1434992414.078 INFO lxc_seccomp - seccomp.c:parse_config_v2:451 - Merging in the compat seccomp ctx into the main one
      lxc-start 1434992414.078 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1434992414.078 DEBUG lxc_start - start.c:setup_signal_fd:259 - sigchild handler set
      lxc-start 1434992414.080 DEBUG lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer
      lxc-start 1434992414.081 INFO lxc_caps - caps.c:lxc_caps_up:101 - Last supported cap was 36
      lxc-start 1434992414.081 DEBUG lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console
      lxc-start 1434992414.081 DEBUG lxc_console - console.c:lxc_console_sigwinch_init:179 - 974 got SIGWINCH fd 10
      lxc-start 1434992414.081 DEBUG lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:6 cols:160 rows:25
      lxc-start 1434992414.155 INFO lxc_start - start.c:lxc_init:451 - 'asterisk' is initialized
      lxc-start 1434992414.157 DEBUG lxc_start - start.c:__lxc_start:1137 - Not dropping cap_sys_boot or watching utmp
      lxc-start 1434992414.158 INFO lxc_start - start.c:resolve_clone_flags:848 - Cloning a new user namespace
      lxc-start 1434992414.158 INFO lxc_cgroup - cgroup.c:cgroup_init:65 - cgroup driver cgmanager initing for asterisk
      lxc-start 1434992414.176 ERROR lxc_cgmanager - cgmanager.c:lxc_cgmanager_enter:694 - call to cgmanager_move_pid_sync failed: invalid request
lxc-start: cgmanager.c: lxc_cgmanager_enter: 694 call to cgmanager_move_pid_sync failed: invalid request
      lxc-start 1434992414.177 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1434992414.197 ERROR lxc_start - start.c:__lxc_start:1164 - failed to spawn 'asterisk'
lxc-start: start.c: __lxc_start: 1164 failed to spawn 'asterisk'
      lxc-start 1434992414.197 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1434992414.197 INFO lxc_utils - utils.c:get_rundir:483 - XDG_RUNTIME_DIR isn't set in the environment.
      lxc-start 1434992414.199 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start: lxc_start.c: main: 344 The container failed to start.
      lxc-start 1434992414.200 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.
lxc-start: lxc_start.c: main: 348 Additional information can be obtained by setting the --logfile and --logpriority options.

I have also added bridge configured with systemdnetworkd into /etc/lxc/lxc-usernet:
x veth ibr1 4

and corresponding file /etc/systemd/network/internalbridge1.netdev
[NetDev]
Name=ibr1
Kind=bridge

The container config:
# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/x/.local/share/lxc/asterisk/rootfs
lxc.utsname = asterisk

# Network configuration
lxc.network.type = veth
lxc.network.link = ibr1
lxc.network.flags = up
lxc.network.name = internal
lxc.network.ipv4 = 10.1.1.2/24
lxc.network.ipv4.gateway = 10.1.1.1