Issue with a privileged CT installation


Sep 25, 2019

I wanted to try out a turnkey solution, to see if there are any advantages compared to installing it myself. I run multiple clean Linux CTs and VMs which work great.

When I try to install an unprivileged container, I get this error:

Cannot mknod: Operation not permitted

extracting archive '/var/lib/vz/template/cache/debian-9-turnkey-whatever_amd64.tar.gz'
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 2297661440 (2.2GiB, 104MiB/s)
tar: Exiting with failure status due to previous errors
TASK ERROR: unable to create CT 222 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf - -z --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' -C /var/lib/lxc/222/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2

It works with a privileged CT.

The question is: how do I change it back to an unprivileged container after installation?

This is the method I've been using for a while :)

Convert to unprivileged CT for more security
1. Console at container
cd # (if not at root directory)
rm /var/spool/postfix/dev/random
rm /var/spool/postfix/dev/urandom
touch /var/spool/postfix/dev/random
touch /var/spool/postfix/dev/urandom

2. Shell at Proxmox node
cd # (if not at root directory)
nano /etc/pve/lxc/[ct container#].conf
# add the following lines to container config (e.g. at `/etc/pve/lxc/[ct container#].conf`)
lxc.mount.entry: /dev/random dev/random none bind,ro 0 0
lxc.mount.entry: /dev/urandom dev/urandom none bind,ro 0 0
lxc.mount.entry: /dev/random var/spool/postfix/dev/random none bind,ro 0 0
lxc.mount.entry: /dev/urandom var/spool/postfix/dev/urandom none bind,ro 0 0

3. Back up container (CT)
# Stop CT from Proxmox GUI
# Back up CT from GUI

4. Restore backup with option `unprivileged container` checked; this will replace the original privileged CT with an unprivileged CT
5. If using a static IP, change the CT IP to a unique IP before starting
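
An added example, not part of either post above: a pre-check that lists the device nodes inside a template archive (the entries tar fails to `mknod` inside the user namespace) and prints the matching read-only bind-mount lines used in step 2. The function names and the sample archive are constructed for illustration; the device numbers 1,8 and 1,9 are the standard Linux numbers for `/dev/random` and `/dev/urandom`.

```python
import io
import tarfile

# Linux character-device numbers for the two nodes named in the tar errors above.
HOST_DEVICES = {(1, 8): "/dev/random", (1, 9): "/dev/urandom"}


def find_device_nodes(fileobj):
    """List device nodes in a template archive that tar would have to mknod."""
    nodes = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            if not (member.ischr() or member.isblk()):
                continue
            name = member.name
            rel = name[2:] if name.startswith("./") else name.lstrip("/")
            if rel.startswith("dev/"):
                continue  # the failing tar command already has --exclude './dev/*'
            kind = "char" if member.ischr() else "block"
            nodes.append((rel, kind, member.devmajor, member.devminor))
    return nodes


def mount_entries(nodes):
    """Build read-only bind-mount lines for nodes with a known host device."""
    lines = []
    for rel, kind, major, minor in nodes:
        host = HOST_DEVICES.get((major, minor)) if kind == "char" else None
        if host:  # anything else needs a manual decision
            lines.append(f"lxc.mount.entry: {host} {rel} none bind,ro 0 0")
    return lines


def build_sample_template():
    """Constructed stand-in for a template tarball (no root needed to build it)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for path, minor in (("./var/spool/postfix/dev/random", 8),
                            ("./var/spool/postfix/dev/urandom", 9),
                            ("./dev/null", 3)):
            info = tarfile.TarInfo(path)
            info.type = tarfile.CHRTYPE
            info.devmajor, info.devminor = 1, minor
            archive.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for line in mount_entries(find_device_nodes(build_sample_template())):
        print(line)
```

To check a real template, pass `open(path, "rb")` for the downloaded `.tar.gz` to `find_device_nodes` instead of the constructed sample.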

