Search results

  1. wbumiller

    OpenVPN in unprivileged container

    That should do (unless for some reason your / is mounted with the `nodev` option). You also have to adapt the `lxc.mount.entry` lines to bind this new file instead. lxc.mount.entry = /devcontainer/net/tun dev/net/tun none bind,create=dir
  2. wbumiller

    OpenVPN in unprivileged container

    The autodev hook isn't really usable with unprivileged containers. Neither the `modprobe` nor `mknod` will work. The `lxc.mount.entry` line is correct, but you the permissions will have to be updated on the host side (since you're using device nodes from the host). So you either `chown` it to...
  3. wbumiller

    Multiple U2F tokens

    We do want to support that in the future. It's just not implemented yet.
  4. wbumiller

    Is it possible to run a NFS server within a LXC?

    The nfs server is kernel-side, unprivileged containers won't have any more control over that than privileged containers. IMO it's generally not all that useful to move something which runs in the kernel anyway into a container. There's no option we provide which would "just enable" it. Better...
  5. wbumiller

    [SOLVED] LXC Gentoo didn't stop right over Proxmox

    Lxc usually sends either a SIGPWR (30) or SIGRTMIN+3 (35), you could see if the container's init (pid 1) reacts to either of those. It would be weird though if something from inside gentoo changed that behavior of the init system...
  6. wbumiller

    Unprivileged containers

    The kernel simply generally forbids using the mknod() system call required to create device nodes, no matter what permissions you otherwise have. If this changes in the future, those will definitely be on the whitelist. There are some mechanisms available already which could be used, such as an...
  7. wbumiller

    [SOLVED] TFA [2FA] Two-Factor Authentication Broken in Proxmox 5.4

    Thanks for digging into this. That actually helped pinpointing an issue.
  8. wbumiller

    [SOLVED] TFA [2FA] Two-Factor Authentication Broken in Proxmox 5.4

    Did you also remove the 'yubico' auth type from the authentication realm when you did this? The realm's configured TFA type will conflict otherwise.
  9. wbumiller

    [SOLVED] TFA [2FA] Two-Factor Authentication Broken in Proxmox 5.4

    There have been some changes to the TFA handling and how the configuration is stored in the backend, but both old and new configurations should work with the new code. Can you describe the login process you see on your UI? -) Do you see the OTP input box below the password in the login window...
  10. wbumiller

    ArchLinux / LXC /systemd v240

    `features: nesting=1` sollte auch helfen und nicht ganz so extrem sein
  11. wbumiller

    Why can root user (in guest) write to my mounted directory?

    When you're in the container as root, you are using a user which has the `CAP_DAC_OVERRIDE` capability ("bypass file permission checks", see man 7 capabilities[1]) within its namespace. The directory `git_repositories` is owned by a user for which there exists a valid mapping inside the...
  12. wbumiller

    After updates, LXCs not working

    Update: That said, the change seems mostly about mount point cleanliness, so there's a chance it'll at least be temporarily reverted, as the issue description[1] doesn't seem to mention any actual breakage. (Otherwise it may become configurable. But my recommendation about moving to unprivileged...
  13. wbumiller

    After updates, LXCs not working

    Okay so with *privileged* 14.04 containers I can reproduce this. A bisect revealed an lxc commit which causes no functional change but simply removes an unnecessary mount entry which seems to confuse upstart in some way. Considering the age and soon-to-be-EOL-ness of 14.04 I recommend moving...
  14. wbumiller

    [SOLVED] ARM64 VM emulation on Proxmox 5.3 AMD64

    Almost none of the installer ISOs come with graphics drivers. You need to add a serial socket, and connect to that via the xterm.js button. After installation, when using 'virtio' graphics, you'll be able to see the machine via novnc as well.
  15. wbumiller

    5.3 and unprivileged containers: docker works, mount nfs does not

    The problem with mounting is that the kernel simply won't allow that regardless of any apparmor rules as most file systems (including nfs) simply aren't marked to be allowed in user namespaces. (The mount option checkboxes being enabled on the UI for unprivileged containers was an oversight...
  16. wbumiller

    Firewall Rules for Specific Virtual Machines and Linux Containers Affecting VMs with no Firewall

    This is just what happens when using reject rules currently. There is some basic ebtables support, but to fully support such a confguration we also need to add a way to a) use MAC filtering on input and/or b) add a way for users to configure ebtable rules (iow. the ability to add DROP rules for...
  17. wbumiller

    5.3: Docker on LXC on ZFS

    With privileged containers device usage is very restricted. If you need a privileged container you'll need to allow the use of /dev/net/tun (the c:10:200 it's trying to allow access to, used for tunnel and tap device setup): # /etc/pve/lxc/$vmid.conf (...) lxc.cgroup.devices.allow = c 10:200 rwm...
  18. wbumiller

    LXC apparmor denied

    Only root can change feature flags.
  19. wbumiller

    [SOLVED] Windows guest on Threadripper

    Can you try using the EPYC cpu type? According to this post[1] it should be compatible. [1] https://www.redhat.com/archives/libvir-list/2018-July/msg01242.html
  20. wbumiller

    LXC apparmor denied

    The above shows a generated profile (`lxc.apparmor.profile = generated`, the new default when no custom apparmor profile is found in /etc/pve/lxc/$vmid.conf) which means that you either had the profile previously configured in /var/lib/lxc/$vmid/config manually and started with `lxc-start`, or...

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!