Issue with a privileged CT installation

nebulos

Member
Sep 25, 2019
Hi

I wanted to try out a turnkey solution, to see if there are any advantages compared to installing it myself. I run multiple clean Linux CTs and VMs which work great.

When I try to install an unprivileged container, I get this error:

Cannot mknod: Operation not permitted

extracting archive '/var/lib/vz/template/cache/debian-9-turnkey-whatever_amd64.tar.gz'
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 2297661440 (2.2GiB, 104MiB/s)
tar: Exiting with failure status due to previous errors
TASK ERROR: unable to create CT 222 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf - -z --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' -C /var/lib/lxc/222/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2

It works with a privileged CT.

Question is: how do I change it back to an unprivileged container after installation?

thx
 
This is the method I've been using for a while :)

Convert to unprivileged CT for more security
1. Console at container
cd # (if not at root directory)
rm /var/spool/postfix/dev/random
rm /var/spool/postfix/dev/urandom
touch /var/spool/postfix/dev/random
touch /var/spool/postfix/dev/urandom

2. Shell at proxmox node
# add the following lines to container config (e.g. at `/etc/pve/lxc/[ct container#].conf`)
cd # (if not at root directory)
nano /etc/pve/lxc/[ct container#].conf
lxc.mount.entry: /dev/random dev/random none bind,ro 0 0
lxc.mount.entry: /dev/urandom dev/urandom none bind,ro 0 0
lxc.mount.entry: /dev/random var/spool/postfix/dev/random none bind,ro 0 0
lxc.mount.entry: /dev/urandom var/spool/postfix/dev/urandom none bind,ro 0 0

3. backup container (CT)
# Stop CT from ProxMox GUI
# Backup CT from GUI

4. Restore the backup with the option `unprivileged container` checked; this will replace the original privileged CT with an unprivileged CT.
5. If using a static IP, change the CT's IP to a unique one before starting it.
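Two small checks for the procedure above, as an added shell example (not the poster's code; the function names are mine, the paths are the ones named in the thread): the first lists the device nodes inside a template tarball, which are exactly what an unprivileged CT cannot `mknod` during extraction, and the second appends the step-2 bind mounts to a container config without duplicating them if run twice.

```shell
#!/bin/sh
# Added example, not from the forum post. Helper checks for converting a
# TurnKey CT to unprivileged. Function names are my own.

# Print the paths of tar entries that are character or block device nodes.
# Reads a `tar -tv` listing on stdin, e.g.:
#   tar -tvzf /var/lib/vz/template/cache/debian-9-turnkey-whatever_amd64.tar.gz | find_device_nodes
# A listing line looks like:
#   crw-rw-rw- root/root 1,9 2019-09-25 10:00 ./var/spool/postfix/dev/urandom
# Only the mode string matters here (first char 'c' or 'b'); paths containing
# spaces would be truncated to their last word.
find_device_nodes() {
    awk '$1 ~ /^[cb]/ { print $NF }'
}

# The four bind mounts from step 2, in the form used in /etc/pve/lxc/<ctid>.conf.
MOUNT_ENTRIES='lxc.mount.entry: /dev/random dev/random none bind,ro 0 0
lxc.mount.entry: /dev/urandom dev/urandom none bind,ro 0 0
lxc.mount.entry: /dev/random var/spool/postfix/dev/random none bind,ro 0 0
lxc.mount.entry: /dev/urandom var/spool/postfix/dev/urandom none bind,ro 0 0'

# Append each mount entry to the given config unless an identical line is
# already present, so re-running the step is harmless.
# Usage: ensure_mount_entries /etc/pve/lxc/222.conf
ensure_mount_entries() {
    conf="$1"
    [ -f "$conf" ] || touch "$conf"
    printf '%s\n' "$MOUNT_ENTRIES" | while IFS= read -r line; do
        # -x: whole line must match, -F: literal match (no regex surprises)
        grep -qxF -- "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}
```

Run `find_device_nodes` against the template before creating the CT to see which paths will trigger the `Cannot mknod` error; after the conversion those paths should be regular files (step 1) backed by the bind mounts (step 2).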