Convert privileged to unprivileged container

proxbob

New Member
May 15, 2016
Hi,

In a production environment, we have two privileged containers running, one running Debian 8 and the other CentOS 6.

We want to convert them to unprivileged containers to increase the security as they are both facing the internet.

Any how-to?

Regards,
 

wbumiller

Proxmox Staff Member
Staff member
Jun 23, 2015
Currently yes. But we'll be exposing options for unprivileged containers to the GUI soon.
 

proxbob

New Member
May 15, 2016
It worked very well with the command line.
For anyone it can help, here are the steps:

From the web GUI:
- backup the LXC in stop mode
From host SSH:
- pct restore 1002 /var/lib/vz/backups/dump/vzdump-lxc-1001-2016_12_17-tar.lzo -ignore-unpack-errors 1 -unprivileged
(1002 is the new LXC ID, 1001 is the old)
From the web GUI:
- stop LXC 1001
- start LXC 1002
(don't forget to uncheck "start at boot" for 1001)

It's that easy!
 

matthew

Active Member
Jul 28, 2011
Are there any disadvantages of converting from privileged to unprivileged vs. reinstalling?

Is there any way to make the Proxmox GUI default to unprivileged?
 

Borut

Member
May 16, 2018
After backup through web GUI in stop mode I couldn't restore CT:

# pct restore 1001 /var/lib/vz/dump/vzdump-lxc-102-2018_05_28-13_57_32.tar -ignore-unpack-errors 1 -unprivileged
400 Parameter verification failed.
storage: storage 'local' does not support container directories
pct restore <vmid> <ostemplate> [OPTIONS]

What am I doing wrong?
 

Borut

Member
May 16, 2018
After backup through web GUI in stop mode I couldn't restore CT:

# pct restore 1001 /var/lib/vz/dump/vzdump-lxc-102-2018_05_28-13_57_32.tar -ignore-unpack-errors 1 -unprivileged
400 Parameter verification failed.
storage: storage 'local' does not support container directories
pct restore <vmid> <ostemplate> [OPTIONS]

What am I doing wrong?
I added "-storage cts" and got:

# pct restore 1001 /var/lib/vz/dump/vzdump-lxc-102-2018_05_28-13_57_32.tar -ignore-unpack-errors 1 -unprivileged -storage cts
extracting archive '/var/lib/vz/dump/vzdump-lxc-102-2018_05_28-13_57_32.tar'
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 1071175680 (1022MiB, 76MiB/s)
tar: Exiting with failure status due to previous errors
Detected container architecture: amd64

"pct restore" should restore CT to the same location where original CT was backed up from...

Restore didn't go well. Any fix for this?
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
Austria
www.proxmox.com
The original container was privileged, and /dev/random cannot be created on unprivileged containers (it is simply not permitted).
 

Borut

Member
May 16, 2018
You said /dev/random is not permitted on unprivileged containers.
After restore there are no random and urandom in /wpool/cts/subvol-1001-disk-1/var/spool/postfix/dev/
So then everything is perfect... No need to do anything. Thank you!

Best regards,
Borut
 

0a797182

New Member
Aug 10, 2019
Hi there!

Also you can do this via terminal:
  1. Stop pct (ex.: vmid is 100):
     pct stop 100
  2. Make backup
  3. Make temp dir (ex.: /tmp/100):
     mkdir /tmp/100
  4. Mount container:
     mount -o loop /path/to/vm-100-disk... /tmp/100
  5. Run the following commands:
     find /tmp/100 -type f | while read S; do U="$(ls -ln "${S}" | awk '{print$3}')"; G="$(ls -ln "${S}" | awk '{print$4}')"; F=100000; chown "${F:0: -${#U}}${U}:${F:0: -${#G}}${G}" "${S}"; done
     find /tmp/100 -type d | while read S; do U="$(ls -lnd "${S}" | awk '{print$3}')"; G="$(ls -lnd "${S}" | awk '{print$4}')"; F=100000; chown "${F:0: -${#U}}${U}:${F:0: -${#G}}${G}" "${S}"; done
     [ -e /tmp/100/var/spool/postfix/dev/random ] && rm -ri /tmp/100/var/spool/postfix/dev/random
     [ -e /tmp/100/var/spool/postfix/dev/urandom ] && rm -ri /tmp/100/var/spool/postfix/dev/urandom
  6. As well, if you are using sudo in the LXC you should check the 'set owner id on execution' because sometimes it can be changed:
     [ -e /tmp/100/usr/bin/sudo ] && chmod u+s /tmp/100/usr/bin/sudo
  7. Unmount container:
     umount /tmp/100
  8. Change config:
     echo -e "\nunprivileged: 1" >> /path/to/lxc100.conf
  9. Run pct:
     pct start 100
     (use --verbose option if you need)
  10. Enjoy.
Tested on Debian 8, 10 for default subid settings.

Regards!
 
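The ownership shift in step 5 of the post above is the core of a manual privileged-to-unprivileged conversion: every uid/gid stored in the container's filesystem has to be moved into the host id range that the unprivileged container's user namespace maps to. The script below is an added example written for this thread, not code from the poster or from Proxmox. It assumes the default Proxmox subid mapping (container ids 0..65535 land at host ids 100000..165535, so the offset is 100000) and GNU stat. It generalizes the one-liners in two ways the original loops do not cover: it re-owns symlinks as well (chown -h, whereas -type f / -type d skips them, leaving dangling unshifted owners), and it records each file's mode before chown and restores it afterwards, because chown clears the setuid/setgid bits on regular files, which is exactly why step 6 has to re-apply u+s to sudo. Ids that already lie inside the mapped range are left alone, so a partly converted tree is not shifted twice. Run it with --dry-run first on the mounted, stopped rootfs, then without to apply.

```shell
#!/bin/sh
# Added example (not from this thread or Proxmox): shift every owner/group id in a
# mounted container rootfs by the unprivileged offset, the general form of the
# find/chown one-liners in step 5. Assumes Proxmox's default subid mapping
# (container ids 0..65535 -> host ids 100000..165535) and GNU stat.
OFFSET=${OFFSET:-100000}
RANGE=65536

# shift_id ID -> the host id that an unprivileged container sees as ID.
# Ids already inside the mapped range are returned unchanged, so the script can
# be re-run on a partly converted tree without double-shifting.
shift_id() {
    _id=$1
    if [ "$_id" -ge "$OFFSET" ] && [ "$_id" -lt $((OFFSET + RANGE)) ]; then
        echo "$_id"
    else
        echo $((_id + OFFSET))
    fi
}

# shift_tree DIR [--dry-run]
# Walks DIR (a mounted, stopped container rootfs) and re-owns every entry,
# symlinks included (chown -h), which the original -type f / -type d loops skip.
# With --dry-run it only prints "path -> uid:gid" lines and changes nothing.
shift_tree() {
    dir=$1
    dry=${2:-}
    find "$dir" -print | while IFS= read -r path; do
        # %u %g = numeric owner/group; %a = octal mode, 4 digits when a
        # setuid/setgid/sticky bit is set. stat does not follow symlinks here.
        ids=$(stat -c '%u %g %a' "$path") || continue
        set -- $ids
        u=$1; g=$2; mode=$3
        nu=$(shift_id "$u")
        ng=$(shift_id "$g")
        [ "$nu:$ng" = "$u:$g" ] && continue
        if [ -n "$dry" ]; then
            printf '%s -> %s:%s\n' "$path" "$nu" "$ng"
            continue
        fi
        chown -h "$nu:$ng" "$path"
        # chown clears setuid/setgid on regular files (the reason step 6 re-applies
        # u+s to sudo); put the recorded mode back so every such binary keeps its bits.
        if [ -f "$path" ] && [ ! -L "$path" ] && [ "${#mode}" -eq 4 ]; then
            chmod "$mode" "$path"
        fi
    done
}

# Usage: sh shift_tree.sh /tmp/100 --dry-run   (then without --dry-run to apply)
if [ -n "${1:-}" ]; then
    shift_tree "$1" "${2:-}"
fi
```

The original `${F:0: -${#U}}${U}` padding trick is equivalent to adding 100000, but it only works for ids below 100000; plain arithmetic has no such limit, and the range check keeps an already shifted id from being moved again. Device nodes such as the postfix random/urandom entries are untouched by this script; they still need to be removed as in step 5, since an unprivileged container cannot recreate them.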
