change LXC from unprivileged back to privileged

Hi,
I am having problems with backing up LXC containers which were accidentally created with the "unprivileged" flag. I want to test if using them in "privileged" state solves the backup problem. But how can I change that?

In pct on the command line there is no option to change the unprivileged state to privileged, only vice versa:

(
--unprivileged <boolean> (default = 0)
Makes the container run as unprivileged user. (Should not be modified manually.)
)

What is the best strategy here? Cloning, something else?

Thx, Thommie
 
Hi,
I want to test if using them in "privileged" state solves the backup problem. But how can I change that?

You can back up the CT and (re)select the privilege mode on restore. A live switch is not possible, as the CTs and their files are completely different regarding owner, among other things, depending on the mode.
 
The problem is that I cannot even create the initial backup. In both snapshot and "stop" backup modes, I get the following errors:

INFO: starting new backup job: vzdump 106 --mode stop --compress gzip --remove 0 --node tokoeka --storage storagebox_191707
INFO: filesystem type on dumpdir is 'cifs' -using /var/tmp/vzdumptmp376096 for temporary files
INFO: Starting Backup of VM 106 (lxc)
INFO: Backup started at 2020-02-17 22:24:12
INFO: status = stopped
INFO: backup mode: stop
INFO: ionice priority: 7
INFO: CT Name: db1
INFO: creating archive '/mnt/backupsb/dump/vzdump-lxc-106-2020_02_17-22_24_12.tar.gz'
INFO: tar: ./etc/apparmor.d/cache/usr.bin.man-ejIO1k: Cannot open: Permission denied
INFO: tar: ./etc/apparmor.d/cache/usr.sbin.tcpdump-Tut2uG: Cannot open: Permission denied
INFO: tar: ./etc/apparmor.d/cache/usr.sbin.tcpdump-WcraRc: Cannot open: Permission denied
INFO: tar: ./etc/apparmor.d/cache/sbin.dhclient-7kp4Lu: Cannot open: Permission denied
INFO: tar: ./etc/apparmor.d/cache/usr.bin.man-JvbWkc: Cannot open: Permission denied

The backup cannot be finished successfully. And I think that the reason for this -maybe- is the unprivileged mode of the CT.

Any idea what to do?

Thommie
 
The backup cannot be finished successfully. And I think that the reason for this -maybe- is the unprivileged mode of the CT.

No, this only happens if one manually tinkers around, i.e.,
* manually change the unprivileged flag in the config, then start the CT
* mount the CT on the host, e.g., with pct mount, and create/alter files so that those then have a user/group ID from the host, not a shifted unprivileged one.

You cannot get a permission denied unless something like this was done, that's simply not possible...

Any idea what to do?

Mount the CT with pct mount 106, then remove the whole "etc/apparmor.d/cache" folder inside the CT mount, then unmount (pct unmount 106) again and retry.
 
Hi Thomas,

OK, thanks. The CT has been running for some time and I simply don't know if there was some manual manipulation before. There was a mixture of "standard" UIDs and mapped UIDs from namespaces in /var/log/, /cache, /lib. Deletion of the "old style" temp files helped; the backup is successful now.
 
Hi,


You can back up the CT and (re)select the privilege mode on restore. A live switch is not possible, as the CTs and their files are completely different regarding owner, among other things, depending on the mode.

I was in a similar situation and backed up the CT, however on restore I get the error

vm 0 - unable to parse value of 'unpriviliged' - unknown setting 'unpriviliged'

Any chance of recovering this CT?
 
I was in a similar situation and backed up the CT, however on restore I get the error
How do you try to restore?

And what Proxmox VE version is running there? This sounds like either it is being restored as a VM, not a CT, which won't work, or it is an ancient Proxmox VE version.
 
Ok, that was a bit weird ...

I restored it through the GUI and it chooses CT itself. I just tried again and this time it went through. When I tried yesterday it threw a whole bunch of errors, so I'm not sure what's different today.

For the "unpriviliged" error, it was because of my misspelling of unprivileged.

So I was able to restore it, and fix the typo, and for all purposes it seems to now be back in good nick as an unprivileged container.

I need it to be privileged, so I then went ahead to try to make a new backup so I can restore it as privileged, but it now fails with a bunch of errors:

Code:
INFO: starting new backup job: vzdump 252 --remove 0 --node pve2 --storage local-backup --compress zstd --mode snapshot
INFO: filesystem type on dumpdir is 'zfs' -using /var/tmp/vzdumptmp3078211_252 for temporary files
INFO: Starting Backup of VM 252 (lxc)
INFO: Backup started at 2021-02-16 13:06:57
INFO: status = running
INFO: CT Name: media
INFO: including mount point rootfs ('/') in backup
INFO: excluding bind mount point mp0 ('/secdata') from backup (not a volume)
INFO: backup mode: snapshot
INFO: ionice priority: 7
INFO: create storage snapshot 'vzdump'
INFO: creating vzdump archive '/poolz/secdata/backup/dump/vzdump-lxc-252-2021_02_16-13_06_57.tar.zst'
INFO: tar: ./var/lib/private: Cannot open: Permission denied
INFO: tar: ./var/cache/private: Cannot open: Permission denied
INFO: tar: ./var/log/kern.log: Cannot open: Permission denied
INFO: tar: ./var/log/btmp: Cannot open: Permission denied
INFO: tar: ./var/log/private: Cannot open: Permission denied
INFO: Total bytes written: 4273827840 (4.0GiB, 74MiB/s)
INFO: tar: Exiting with failure status due to previous errors
INFO: cleanup temporary 'vzdump' snapshot
ERROR: Backup of VM 252 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/var/tmp/vzdumptmp3078211_252' ./etc/vzdump/pct.conf ./etc/vzdump/pct.fw '--directory=/mnt/vzsnap0' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' ./ | zstd --rsyncable '--threads=1' >/poolz/secdata/backup/dump/vzdump-lxc-252-2021_02_16-13_06_57.tar.dat' failed: exit code 2
INFO: Failed at 2021-02-16 13:07:53
INFO: Backup job finished with errors
TASK ERROR: job errors

The "Permission denied" entries are nobody.nogroup, so I suppose just how things are in an unprivileged container?

How to fix this?
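
Added example (not written by any poster in this thread, and not Proxmox code): the failing backup above runs tar inside the ID mapping shown in its lxc-usernsexec command (u:0:100000:65536 and g:0:100000:65536), so files whose host owner lies outside that range appear as nobody/nogroup and can fail with "Permission denied". This read-only Python sketch lists such files under a mounted CT root filesystem; the function names and the demo file are made up for illustration.

```python
#!/usr/bin/env python3
"""List files under a mounted CT rootfs whose owner is outside the ID map."""
import os
import sys
import tempfile

# Mapping taken from the lxc-usernsexec command in the vzdump log above.
DEFAULT_MAPS = ["u:0:100000:65536", "g:0:100000:65536"]

def parse_map(spec):
    """'u:0:100000:65536' -> (kind, first ID in CT, first ID on host, count)."""
    kind, ns_start, host_start, count = spec.split(":")
    if kind not in ("u", "g"):
        raise ValueError(f"bad map kind in {spec!r}")
    return kind, int(ns_start), int(host_start), int(count)

def is_mapped(host_id, maps, kind):
    """True if host_id lies inside one of the host ranges for this kind."""
    return any(h <= host_id < h + n for k, _, h, n in maps if k == kind)

def find_unmapped(root, specs=DEFAULT_MAPS):
    """Return sorted (relative path, uid, gid) for entries with an unmapped owner."""
    maps = [parse_map(s) for s in specs]
    dev = os.lstat(root).st_dev
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Stay on one filesystem, like tar --one-file-system in the backup.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report the symlink, not its target
            if not (is_mapped(st.st_uid, maps, "u") and is_mapped(st.st_gid, maps, "g")):
                found.append((os.path.relpath(path, root), st.st_uid, st.st_gid))
    return sorted(found)

def demo():
    """Constructed sample tree: one file owned by the current user."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "kern.log"), "w").close()
        st = os.lstat(os.path.join(root, "kern.log"))
        shifted = [f"u:0:{st.st_uid + 1}:1", f"g:0:{st.st_gid}:1"]  # owner not covered
        return find_unmapped(root, shifted)

if __name__ == "__main__":
    # Usage: script <mounted rootfs> [map ...]; with no arguments the demo runs.
    hits = find_unmapped(sys.argv[1], sys.argv[2:] or DEFAULT_MAPS) if len(sys.argv) > 1 else demo()
    for rel, uid, gid in hits:
        print(f"{uid}:{gid}\t{rel}")
```

Run it as root on the host against the path that pct mount reports for the container; it only reads ownership and changes nothing.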
 
