What I find interesting that libvirtd seems to be probing _its_ libvirtd.service cgroup but it should really be interested in the container .scope cgroup under machine.slice (to see what's was delegated to the container) or the root cgroup (to see what is available on the host (for further delegation)). The reason might be that other distros enable DefaultMemoryAccounting=yes and in such a case even libvirtd.service would have memory controller enabled in itself which is likely enough to trick lxc.