Convert privileged to unprivileged container

proxbob

Member
May 15, 2016
Hi,

In a production environment, we have two privileged containers running, one running Debian 8 and the other CentOS 6.

We want to convert them to unprivileged containers to increase the security as they are both facing the internet.

Any how-to?

Regards,
 
Currently yes. But we'll be exposing options for unprivileged containers to the GUI soon.
 
It worked very well with the command line.
For anyone it can help, here are the steps:

From the web GUI:
- back up the LXC in stop mode
From the host via SSH:
- pct restore 1002 /var/lib/vz/backups/dump/vzdump-lxc-1001-2016_12_17-tar.lzo -ignore-unpack-errors 1 -unprivileged
(1002 is the new LXC ID, 1001 is the old)
From the web GUI:
- stop LXC 1001
- start LXC 1002
(don't forget to uncheck "start at boot" for 1001)

It's that easy!
 

After backup through web GUI in stop mode I couldn't restore CT:

# pct restore 1001 /var/lib/vz/dump/vzdump-lxc-102-2018_05_28-13_57_32.tar -ignore-unpack-errors 1 -unprivileged
400 Parameter verification failed.
storage: storage 'local' does not support container directories
pct restore <vmid> <ostemplate> [OPTIONS]

What am I doing wrong?
 
I added "-storage cts" and got:

# pct restore 1001 /var/lib/vz/dump/vzdump-lxc-102-2018_05_28-13_57_32.tar -ignore-unpack-errors 1 -unprivileged -storage cts
extracting archive '/var/lib/vz/dump/vzdump-lxc-102-2018_05_28-13_57_32.tar'
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 1071175680 (1022MiB, 76MiB/s)
tar: Exiting with failure status due to previous errors
Detected container architecture: amd64

"pct restore" should restore CT to the same location where original CT was backed up from...

Restore didn't go well. Any fix for this?
 
The original container was privileged, and /dev/random cannot be created on unprivileged containers (it is simply not permitted).
 
You said /dev/random is not permitted on unprivileged containers.
After restore there are no random and urandom in /wpool/cts/subvol-1001-disk-1/var/spool/postfix/dev/
So then everything is perfect... No need to do anything. Thank you!

Best regards,
Borut
 
Hi there!

Also you can do this via the terminal:
  1. Stop pct (ex.: vmid is 100):
    Code:
    pct stop 100
  2. Make a backup
  3. Make a temp dir (ex.: /tmp/100):
    Code:
    mkdir /tmp/100
  4. Mount the container
    Code:
    mount -o loop /path/to/vm-100-disk... /tmp/100
  5. Run the following commands:
    Code:
    # shift every uid/gid by 100000, the default Proxmox subuid/subgid offset; IFS= and read -r keep paths with spaces intact
    find /tmp/100 -type f | while IFS= read -r S; do U="$(stat -c %u "${S}")"; G="$(stat -c %g "${S}")"; chown "$((100000 + U)):$((100000 + G))" "${S}"; done
    find /tmp/100 -type d | while IFS= read -r S; do U="$(stat -c %u "${S}")"; G="$(stat -c %g "${S}")"; chown "$((100000 + U)):$((100000 + G))" "${S}"; done
    # remove the device nodes in postfix's chroot; an unprivileged container is not allowed to recreate them
    [ -e /tmp/100/var/spool/postfix/dev/random ] && rm -ri /tmp/100/var/spool/postfix/dev/random
    [ -e /tmp/100/var/spool/postfix/dev/urandom ] && rm -ri /tmp/100/var/spool/postfix/dev/urandom
  6. Also, if you are using sudo in the LXC you should check the 'set owner id on execution' bit, because sometimes it can be changed:
    Code:
    [ -e /tmp/100/usr/bin/sudo ] && chmod u+s /tmp/100/usr/bin/sudo
  7. Unmount the container:
    Code:
    umount /tmp/100
  8. Change the config:
    Code:
    echo -e "\nunprivileged: 1" >> /path/to/lxc100.conf
  9. Run pct:
    Code:
    pct start 100
    (use the --verbose option if you need it)
  10. Enjoy.
Tested on Debian 8, 10 for default subid settings.

Regards!
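As an added example, not part of this thread or of Proxmox itself: a small POSIX shell script that does the same ownership shift as steps 4 and 5 above, but also covers symlinks, device nodes and sockets (chown -h), leaves ids that are already in the shifted range alone so it can be re-run safely, and has a dry-run mode. The 100000 offset is Proxmox's default subuid/subgid base; the mount path and GNU coreutils (stat -c) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: shift a stopped container's rootfs into the
# unprivileged id range. OFFSET is Proxmox's default subuid/subgid base (100000).
OFFSET=${OFFSET:-100000}

# map_id ID [OFFSET]: print the host-side id for a container-side id.
# Ids already at or above OFFSET are returned unchanged, so a second run is a no-op.
map_id() {
    _id=$1; _off=${2:-$OFFSET}
    if [ "$_id" -ge "$_off" ]; then
        echo "$_id"
    else
        echo $((_id + _off))
    fi
}

# remap_tree ROOT [DRY]: chown every inode under ROOT (files, dirs, symlinks,
# device nodes, sockets). With DRY=1 it only prints the chown commands it would run.
# ROOT is a hypothetical mount point such as /tmp/100; paths containing newlines
# are not handled by the line-oriented read.
remap_tree() {
    _root=$1; _dry=${2:-0}
    find "$_root" -print | while IFS= read -r _p; do
        # stat the link itself (no -L), so a symlink's own ownership is shifted
        _uid=$(stat -c %u "$_p"); _gid=$(stat -c %g "$_p")
        _nu=$(map_id "$_uid"); _ng=$(map_id "$_gid")
        [ "$_nu" = "$_uid" ] && [ "$_ng" = "$_gid" ] && continue
        if [ "$_dry" = 1 ]; then
            printf 'chown -h %s:%s %s\n' "$_nu" "$_ng" "$_p"
        else
            # -h changes the symlink itself rather than following it outside ROOT
            chown -h "$_nu:$_ng" "$_p"
        fi
    done
}

# usage: remap_tree /tmp/100 1   (dry run)   then   remap_tree /tmp/100
```

For a ZFS subvolume such as /rpool/data/subvol-320-disk-0 the rootfs is already a plain directory, so no loop mount is needed; pass that path as ROOT directly.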
 
Does anyone know if the above still works in Proxmox 7.1?
I'm trying to mount a volume, as per p.4, however getting the following error:
Code:
mount -o loop /rpool/data/subvol-320-disk-0 /tmp/320
mount: /tmp/320: failed to setup loop device for /rpool/data/subvol-320-disk-0.

Thanks
 
I'm trying to convert a privileged to unprivileged container.
The backup is on PBS, is there a way to fix/bypass this?

Knowing that "The official Proxmox VE way is backup and restore." I guess there should be at least a workaround.


Error: error extracting archive - encountered unexpected error during extraction: error at entry "random": failed to extract device: failed to create device node: Operation not permitted (os error 1)
 