Comment 4 for bug 1347020

Martin Pitt (pitti) wrote :

I prepared a minimal vivid container with systemd-sysv, and tried to boot it (vivid host):

$ sudo lxc-start -n vivid-systemd -F
Failed to mount cgroup at /sys/fs/cgroup/systemd: Permission denied
[... hangs ...]

In apparmor I see:
[10072.122514] audit: type=1400 audit(1416213339.298:50): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=16469 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

After setting "lxc.aa_profile = unconfined", the container boots (with similar error message spew as in #1, which we can ignore for now), but logging in on the console takes a long time. systemd-journal (in the guest) starts spinning the CPU to 100%. "sudo journalctl" shows me the logs. stracing shows

read(9, "", 8192) = 0
epoll_wait(7, {{EPOLLIN|EPOLLERR|EPOLLHUP, {u32=3073693008, u64=140547288520016}}, {EPOLLIN, {u32=3073692768, u64=140547288519776}}, {EPOLLIN, {u32=3073692288, u64=140547288519296}}, {EPOLLIN, {u32=3073692528, u64=140547288519536}}}, 14, 0) = 4
clock_gettime(0x7 /* CLOCK_??? */, {10618, 410721720}) = 0
writev(2, [{"/dev/kmsg buffer overrun, some m"..., 45}, {"\n", 1}], 2) = 46

I tried to set "lxc.kmsg = 0" as Serge indicated in comment 2, but this doesn't seem to have the intended effect: in the container I still see "/dev/kmsg -> console".

For the record: booting and journal work fine in systemd-nspawn; but this neither has apparmor protection nor does the /dev/kmsg -> /dev/lxc/console trick; instead, /dev/kmsg does not exist at all there.
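As an added example (not part of this comment, nor code from LXC or systemd), a small Python parser for the kernel audit line quoted above: it splits the key=value fields (including the quoted, comma-containing flags value) and flags the specific denial shape seen here, an lxc-* profile refusing a cgroup mount. The second sample line is constructed for contrast.

```python
import re
from typing import Dict

# Copied from the comment above: the dmesg line for the cgroup mount denial,
# including the "[10072.122514] " dmesg timestamp prefix.
SAMPLE_DENIAL = ('[10072.122514] audit: type=1400 audit(1416213339.298:50): apparmor="DENIED" '
                 'operation="mount" info="failed type match" error=-13 '
                 'profile="lxc-container-default" name="/sys/fs/cgroup/systemd/" pid=16469 '
                 'comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"')

# Constructed contrast line (not from the bug): a file-open denial under the same profile.
SAMPLE_OTHER = ('[10080.000000] audit: type=1400 audit(1416213347.000:51): apparmor="DENIED" '
                'operation="open" profile="lxc-container-default" name="/proc/sysrq-trigger" '
                'pid=16500 comm="bash" requested_mask="w" denied_mask="w" fsuid=0 ouid=0')

# "audit: type=1400 audit(<unix time>:<serial>): <key=value body>"
_HEADER = re.compile(r'audit: type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; a quoted value may contain spaces and commas (see flags=... above),
# an unquoted one runs to the next whitespace (error=-13, pid=16469)
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Flatten one AppArmor audit line into a dict; {} if it is not an audit record."""
    m = _HEADER.search(line)
    if not m:
        return {}
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    for key, raw, inner in _KV.findall(m.group("body")):
        rec[key] = inner if raw.startswith('"') else raw
    return rec


def is_container_cgroup_mount_denial(rec: Dict[str, str]) -> bool:
    """The failure shape from this bug: an lxc-* profile refusing a cgroup mount
    (here systemd trying to mount its own hierarchy under /sys/fs/cgroup)."""
    return (rec.get("apparmor") == "DENIED"
            and rec.get("operation") == "mount"
            and rec.get("fstype") == "cgroup"
            and rec.get("profile", "").startswith("lxc-"))


def describe(rec: Dict[str, str]) -> str:
    """One-line summary of a denial, e.g. for a log-triage report."""
    return (f'{rec.get("profile")} denied {rec.get("operation")} of {rec.get("name")} '
            f'by {rec.get("comm")}[{rec.get("pid")}] (error={rec.get("error", "n/a")})')


if __name__ == "__main__":
    for line in (SAMPLE_DENIAL, SAMPLE_OTHER):
        rec = parse_audit_line(line)
        print(("CGROUP-MOUNT " if is_container_cgroup_mount_denial(rec) else "other        ") + describe(rec))
```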