Issue with chattr inside LXC container

silverstone
Apr 28, 2018
I recently started playing with Proxmox VE 5.1.3 and so far my impressions are good.

Due to some performance overhead of KVM for a distcc compile server, I tried LXC and I get bare metal performance essentially.

The only problem is that, in order to avoid filling the local disk, I want to force some folders to the immutable flag: chattr -i /my/folder

The problem I encounter is that I am not able to do it. I don't have the error message at hand but it was like "permission denied" or something like that. All that while running the command as root. If root doesn't have the permissions, this leads me to believe it's something related to LXC. Never had such a problem before on either Gentoo or Debian.

I am using an unprivileged container. Not sure if the issue is due to user remapping or some other part of the container configuration :(. Using Debian 9.4 inside LXC if that helps.

Thank you for your help and keep the great work up ;)
 
I am unable to reproduce that bug. Please can you post exact steps to reproduce the problem?
 
I will gladly provide any information that could help solve this issue, but I'm not sure what more information I can give ...
I am just forcing a folder to be immutable with the "+i" flag. I don't want the system to be able to write to that folder without the ramdisk (tmpfs) being mounted.

Steps to reproduce (all commands run as root):
- Install LXC template of Debian GNU/Linux amd64
- Update to latest version (aptitude update && aptitude safe-upgrade)
- "Reboot" to Debian 9.4
- chattr +i /tools/tmp -> permission denied

Possible issues:
- Unprivileged container
- UID/GID remapping
- /tools/tmp is defined in /etc/fstab of the container as a tmpfs mount. This is done the same way as a "regular" system (no adaption of path, uid/gid, ...)

Is there any command I should run to give you more information?
 
OK, this seems to be LXC default behavior for unprivileged containers. I will try to investigate further ...
 
Hi Dietmar, do you have any news about this issue? I was able to reproduce it also on ubuntu 18.04 lxc:

root@web001:~# chattr +i /root/tmp/
chattr: Operation not permitted while setting flags on /root/tmp/

Best Regards
Raphael
 
Hi Dietmar, do you have any news about this issue?

This is still the default behavior for unprivileged containers.
 
It's not something to be "fixed" exactly. This happens because of the way unprivileged containers work. You can use a privileged container or try to find a workaround if you absolutely need it.
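The behaviour discussed in this thread can be checked from inside a container without guessing: the ioctl behind chattr +i (FS_IOC_SETFLAGS with FS_IMMUTABLE_FL) needs CAP_LINUX_IMMUTABLE in the initial user namespace, which root in a remapped (unprivileged) container does not hold, so the kernel answers EPERM ("Operation not permitted"). The script below is an added example, not code from this thread or from Proxmox; it assumes 64-bit Linux ioctl numbers, that /proc is mounted, and that the temp directory is on a filesystem that supports inode flags (tmpfs may report "unsupported").

```python
import errno
import fcntl
import os
import struct
import tempfile

# Request numbers from <linux/fs.h>; assumption: 64-bit Linux (sizeof(long) == 8).
FS_IOC_GETFLAGS = 0x80086601
FS_IOC_SETFLAGS = 0x40086602
FS_IMMUTABLE_FL = 0x00000010  # the 'i' attribute that chattr +i sets


def in_init_user_namespace():
    """True if this process sees the identity uid map (not a remapped container).
    Returns None when /proc/self/uid_map is unavailable."""
    try:
        with open("/proc/self/uid_map") as f:
            return f.read().split() == ["0", "0", "4294967295"]
    except FileNotFoundError:
        return None


def try_set_immutable(path):
    """Attempt the same flag change chattr +i performs and classify the outcome:
    'set' (flag applied and reverted), 'eperm' (capability missing, the LXC case),
    'unsupported' (filesystem has no inode flags) or 'error:<ERRNO>'."""
    fd = os.open(path, os.O_RDONLY)
    try:
        (flags,) = struct.unpack("l", fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0)))
        fcntl.ioctl(fd, FS_IOC_SETFLAGS, struct.pack("l", flags | FS_IMMUTABLE_FL))
        fcntl.ioctl(fd, FS_IOC_SETFLAGS, struct.pack("l", flags))  # revert so cleanup works
        return "set"
    except OSError as e:
        if e.errno == errno.EPERM:
            return "eperm"
        if e.errno in (errno.ENOTTY, errno.EOPNOTSUPP, errno.ENOSYS, errno.EINVAL):
            return "unsupported"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        os.close(fd)


def diagnose():
    """Probe a scratch file and pair the result with the namespace check."""
    with tempfile.NamedTemporaryFile() as tmp:
        result = try_set_immutable(tmp.name)
    remapped = in_init_user_namespace() is False
    return {"flag_result": result, "remapped_userns": remapped,
            "likely_unprivileged_container": remapped and result == "eperm"}


if __name__ == "__main__":
    print(diagnose())
```

A result of {'flag_result': 'eperm', 'remapped_userns': True, ...} is exactly the situation in the thread: the flag cannot be set from inside the container, only from the host or a privileged container.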
 