Convert Privileged LXC container to Unprivileged

Simpuhl

New Member
Mar 10, 2024
Hello,

Originally this was an Unprivileged container, I did a backup and restore and set it to Privileged.

This was so I can mount a NFS share, at the end I decided to mount it via the host and now I want to go back to Unprivileged.

When I try the same method of "backup/restore" and set it to Unprivileged, it doesn't like that and actually ends up deleting the entire LXC container.

What is the proper way for me to convert this back to Unprivileged without losing my container?
 
Hey,

I tried what you described:
  1. Created an unprivileged LXC with ubuntu-23.04-standard_23.04-1_amd64.tar.zst
  2. Backed it up on PBS
  3. Deleted the freshly created LXC
  4. Restored it from backup "Privilege Level: From Backup"
  5. Successfully restored LXC
  6. Restored it a second time from backup but this time with "Privilege Level: Privileged" without any issues
How do you back up your LXC? With normal snapshots on a datapool or via PBS?
When you back up with PBS you can simply destroy that LXC from PVE and restore it with the unprivileged flag from PBS

Best

edit: is nesting enabled?
 
I just click backups and then backup now. I can also backup to my NAS that is attached via NFS share. How do you backup to PBS?

Edit: I am installing PBS right now and will backup that way

Just to be clear, I am trying to go from privileged to unprivileged. I think your example is doing the opposite.
 
You can choose on restore if you want it to be privileged or unprivileged. And I don't think it has to be PBS; VZDump should work too.
Unprivileged to privileged is harder to achieve than privileged to unprivileged, at least once you have tampered with UID/GID mappings, as the restore can't handle this and you have to fix things yourself by mounting the LXC on the host and chowning all the mapped files/folders manually.
 
You're correct, I made a typo! Sorry about that.

I'm backing up to PBS directly with the built-in solution and added the server via CLI with:
pvesm add pbs pbs-ds01 --server <pbs-ip> --datastore <datastore> --username <datastore-user> --fingerprint <fingerprint> --password <datastore-user-pwd> --encryption-key <path to key>

Let us know if it worked for you that way

Best
 
I tried this multiple times and it fails when I restore using unprivileged. It will fail and delete the entire container.
 
This is the error I get if I try to restore it as unprivileged:

Code:
recovering backed-up configuration from 'pbs:backup/ct/103/2024-03-15T17:30:58Z'
Logical volume "vm-110-disk-0" created.
Creating filesystem with 2621440 4k blocks and 655360 inodes
Filesystem UUID: 321c74c0-9fcb-4a50-93fb-876507f966a4
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
restoring 'pbs:backup/ct/103/2024-03-15T17:30:58Z' now..
Error: error extracting archive - encountered unexpected error during extraction: error at entry "random": failed to extract device: failed to create device node: Operation not permitted (os error 1)
Logical volume "vm-110-disk-0" successfully removed.
TASK ERROR: unable to restore CT 110 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client restore '--crypt-mode=none' ct/103/2024-03-15T17:30:58Z root.pxar /var/lib/lxc/110/rootfs --allow-existing-dirs --repository root@pam@192.168.0.109:pbsbackup' failed: exit code 255
 
I'm getting the same error with a PBS restore of a privileged LXC that I want to convert to unprivileged.
 
Just my 2 cents suggestion:

Maybe those having problems restoring a privileged LXC backup to a non-privileged LXC, have the mountpoints included in the backups, which as a non-privileged LXC are later inaccessible & cause some error in recreating the LXC.
 
I gave this theory a try. I removed all mount points from the LXC, backed up and restored as unprivileged. I still get
Code:
tar: ./var/lib/docker/volumes/backingFsBlockDev: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted

Full log:
Code:
recovering backed-up configuration from 'backups:backup/vzdump-lxc-169-2025_01_01-10_24_04.tar.zst'
  Wiping PMBR signature on /dev/NVR-Storage/vm-169-disk-0.
  Logical volume "vm-169-disk-0" created.
Creating filesystem with 10485760 4k blocks and 2621440 inodes
Filesystem UUID: d65b57d3-a339-4c04-8ed8-4e4b284e01bb
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624
restoring 'backups:backup/vzdump-lxc-169-2025_01_01-10_24_04.tar.zst' now..
extracting archive '/Nextcloud.Storage/shared/backups/dump/vzdump-lxc-169-2025_01_01-10_24_04.tar.zst'
tar: ./var/lib/docker/volumes/backingFsBlockDev: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 14635161600 (14GiB, 153MiB/s)
tar: Exiting with failure status due to previous errors
  Logical volume "vm-169-disk-0" successfully removed.
TASK ERROR: unable to restore CT 169 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf - --zstd --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' -C /var/lib/lxc/169/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2
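Both failing restores above run the extraction inside a user namespace (lxc-usernsexec with the mapping u:0:100000:65536), where mknod is not permitted; the restore excludes ./dev/* itself, so the entries that break it are the device nodes a privileged container left elsewhere (the postfix chroot's dev/, docker's backingFsBlockDev). The following is an added example, not code from the thread or from Proxmox: it lists those entries from a `tar -tv` listing of a vzdump archive, or from a mounted rootfs before backing up, so they can be dealt with before the unprivileged restore. The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Inside the user namespace that
# lxc-usernsexec sets up, tar cannot mknod, so every character (c) or block (b)
# device node in the archive is fatal, except under ./dev, which the restore
# command already skips with --exclude './dev/*'.

# Reads `tar -tv` output on stdin and prints the paths an unprivileged restore
# cannot recreate.  Real use:
#   tar -tvf vzdump-lxc-169-....tar.zst --zstd | find_restore_blockers
find_restore_blockers() {
    awk '
        # field 1 is the mode string ("crw-rw-rw-", "brw-r--r--", ...);
        # the path starts at field 6 (mode, owner/group, size or maj,min, date, time)
        substr($1, 1, 1) ~ /^[cb]$/ {
            path = $6
            for (i = 7; i <= NF; i++) path = path " " $i   # keep paths with spaces
            if (path !~ /^\.\/dev\//) print path
        }
    '
}

# Same check on a rootfs before backing up: "/" inside the running privileged
# container, or the mount path "pct mount <vmid>" prints on the host.
find_device_nodes_in_rootfs() {
    root=${1%/}                     # "/" -> "" so the pattern becomes "/dev/*"
    find "$1" -xdev \( -type c -o -type b \) ! -path "$root/dev/*"
}

# Constructed sample in `tar -tv` format, modelled on the paths in the log above.
SAMPLE_LISTING='drwxr-xr-x root/root         0 2025-01-01 10:24 ./
crw-rw-rw- root/root       1,3 2025-01-01 10:24 ./dev/null
crw-rw-rw- root/root       1,8 2025-01-01 10:24 ./dev/random
brw-r--r-- root/root     7,200 2025-01-01 10:24 ./var/lib/docker/volumes/backingFsBlockDev
drwxr-xr-x root/root         0 2025-01-01 10:24 ./var/spool/postfix/dev/
crw-rw-rw- root/root       1,9 2025-01-01 10:24 ./var/spool/postfix/dev/urandom
crw-rw-rw- root/root       1,8 2025-01-01 10:24 ./var/spool/postfix/dev/random
prw------- root/root         0 2025-01-01 10:24 ./run/initctl
-rw-r--r-- root/root        42 2025-01-01 10:24 ./srv/my file.txt'

printf '%s\n' "$SAMPLE_LISTING" | find_restore_blockers
```

Whether a listed node can simply be deleted before the backup or must be recreated by its service after restore depends on the service that owns it; the listing only tells you which entries will stop the unprivileged restore.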