LXC Containers use an AppArmor profile to provide ressource isolation in the container. This works by blocking system calls like 'mount' who are denied being executed in the container. You can trace the AppArmor activity with:
dmesg | grep apparmor
If you want to disable AppArmor for a container, you can add the stanza
lxc.aa_profile = unconfined
at the end of the configuration file ( located in /etc/pve/lxc/CTID.conf ) Note that this is not a recommended setup for production.
Migrate container from OpenVZ to Linux container
Follow this howto: