Convert Privileged LXC container to Unprivileged

Simpuhl
Mar 10, 2024
Hello,

Originally this was an Unprivileged container; I did a backup and restore and set it to Privileged.

This was so I could mount an NFS share. In the end I decided to mount it via the host, and now I want to go back to Unprivileged.

When I try the same method of "backup/restore" and set it to Unprivileged, it doesn't like that and actually ends up deleting the entire LXC container.

What is the proper way for me to convert this back to Unprivileged without losing my container?
 
Hey,

I tried what you described:
  1. Created an unprivileged LXC with ubuntu-23.04-standard_23.04-1_amd64.tar.zst
  2. Backing up on PBS
  3. Deleted the freshly created LXC
  4. Restored it from backup "Privilege Level: From Backup"
  5. Successfully restored LXC
  6. Restored it a second time from backup but this time with "Privilege Level: Privileged" without any issues
How do you back up your LXC? With normal snapshots on a datapool or via PBS?
When you are backing up with PBS, you can simply destroy that LXC from PVE and restore it with the unprivileged flag from PBS.

Best

edit: is nesting enabled?
 
I just click backups and then backup now. I can also backup to my NAS that is attached via NFS share. How do you backup to PBS?

Edit: I am installing PBS right now and will backup that way

Just to be clear, I am trying to go from privileged to unprivileged. I think your example is doing the opposite.
 
You can choose on restore if you want it to be privileged or unprivileged. And I don't think it has to be PBS and VZDump should work too.
Unprivileged to privileged is harder to achieve than privileged to unprivileged. At least once you have tampered with UID/GID mappings, as the restore can't handle this and you have to fix stuff yourself by mounting the LXC on the host and chowning all the mapped files/folders manually.
 
You're correct, I made a typo! Sorry about that.

I'm backing up to PBS directly with the built-in solution and added the server via CLI with:
pvesm add pbs pbs-ds01 --server <pbs-ip> --datastore <datastore> --username <datastore-user> --fingerprint <fingerprint> --password <datastore-user-pwd> --encryption-key <path to key>

Let us know if it worked for you that way

Best
 
I tried this multiple times and it fails when I restore using unprivileged. It will fail and delete the entire container.
 
This is the error I get if I try to restore it as unprivileged:

recovering backed-up configuration from 'pbs:backup/ct/103/2024-03-15T17:30:58Z'
Logical volume "vm-110-disk-0" created.
Creating filesystem with 2621440 4k blocks and 655360 inodes
Filesystem UUID: 321c74c0-9fcb-4a50-93fb-876507f966a4
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
restoring 'pbs:backup/ct/103/2024-03-15T17:30:58Z' now..
Error: error extracting archive - encountered unexpected error during extraction: error at entry "random": failed to extract device: failed to create device node: Operation not permitted (os error 1)
Logical volume "vm-110-disk-0" successfully removed.
TASK ERROR: unable to restore CT 110 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client restore '--crypt-mode=none' ct/103/2024-03-15T17:30:58Z root.pxar /var/lib/lxc/110/rootfs --allow-existing-dirs --repository root@pam@192.168.0.109:pbsbackup' failed: exit code 255
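
Added example, not part of the original posts and not Proxmox code: the log above shows the archive being extracted under lxc-usernsexec with the mapping u:0:100000:65536 and failing when it reaches a device node ("random"). This preflight script lists entries in a privileged container's root filesystem that such an extraction cannot recreate: character/block device nodes, and owners outside the 65536-ID range. The default path (the rootfs of CT 103 exposed on the host by `pct mount 103`) is an assumption.

```python
#!/usr/bin/env python3
"""Preflight: list rootfs entries that cannot be recreated under the
u:0:100000:65536 / g:0:100000:65536 mapping seen in the restore error."""
import os
import stat
import sys

ID_RANGE = 65536  # size of the mapped range in "-m u:0:100000:65536"


def classify(mode, uid, gid, rdev=0):
    """Return the reasons one inode would fail to extract as unprivileged."""
    reasons = []
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        kind = "char" if stat.S_ISCHR(mode) else "block"
        reasons.append(f"{kind} device {os.major(rdev)}:{os.minor(rdev)}")
    if uid >= ID_RANGE:
        reasons.append(f"uid {uid} outside mapped range")
    if gid >= ID_RANGE:
        reasons.append(f"gid {gid} outside mapped range")
    return reasons


def scan(root):
    """Walk root without following symlinks or crossing filesystems."""
    root_dev = os.lstat(root).st_dev
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Do not descend into other mounted filesystems (bind mounts, NFS).
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError as exc:
                findings.append((path, [f"unreadable: {exc.strerror}"]))
                continue
            reasons = classify(st.st_mode, st.st_uid, st.st_gid, st.st_rdev)
            if reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    # Assumed default: where `pct mount 103` exposes the rootfs on the host.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/lxc/103/rootfs"
    for path, reasons in scan(target):
        print(f"{path}: {', '.join(reasons)}")
```

Run it on the host against the mounted rootfs of the stopped container before taking the backup that will be restored as unprivileged.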
 
I'm getting the same error with a PBS restore of a privileged LXC that I want to convert to unprivileged.
 
Just my 2 cents suggestion:

Maybe those having problems restoring a privileged LXC backup to a non-privileged LXC, have the mountpoints included in the backups, which as a non-privileged LXC are later inaccessible & cause some error in recreating the LXC.
 