privileged versus unprivileged LXC

stappers (New Member), Feb 17, 2018
Hi,

Where to see if a linux container is privileged or not?

Rephrased: How to check if a CT is unprivileged?


At https://pve.proxmox.com/wiki/Unprivileged_LXC_containers it is only stated
that it must be set during create. Nothing about checking the result.

I did create through rest API
and can't see the difference between one with unprivileged parameter (default 0) and one with parameter unprivileged 1

Cheers
Geert Stappers
 
Hi,

you can check it in the lxc config; it is located at

/var/lib/lxc/<VMID>/config

If it is an unprivileged container you see these 2 lines.

Code:
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
 
Hello,

is it safe to use privileged LXC containers in Proxmox 6 in a production environment? Because if I use an unprivileged LXC container, I cannot install control panels such as, for example, Plesk, cPanel and similar.

Regards,
 
Hello,

is it safe to use privileged LXC containers in Proxmox 6 in a production environment?

Running a privileged container basically means that the 'root' user in the container is the 'root' user of the host, so if someone were to compromise your container and break out of it, they would have root access on your host.

Because if I use an unprivileged LXC container, I cannot install control panels such as, for example, Plesk, cPanel and similar.

Usually you can get away with enabling the 'nesting' option on an unprivileged container (can be found in the GUI, under 'Options -> Features') to run stuff like that.
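The two answers above make one point from two sides: the `lxc.idmap` lines in `/var/lib/lxc/<VMID>/config` are what tells you a container is unprivileged, and their absence is exactly why container root equals host root in a privileged container. The following script is an added example, not code from the thread or from Proxmox; it parses the idmap lines out of an LXC config, decides whether the container is unprivileged, and translates a container uid/gid to the host uid/gid it is really backed by. The two config texts are constructed samples, and the rootfs paths in them are placeholders.

```python
"""Added example (not from the forum thread or Proxmox): read the
lxc.idmap lines of an LXC config, tell privileged from unprivileged,
and map container uids/gids to the host ids that own the files."""
import re
import sys
from dataclasses import dataclass

# lxc.idmap = <u|g> <container start> <host start> <count>
IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class IdMap:
    kind: str             # 'u' for uids, 'g' for gids
    container_start: int  # first id inside the container
    host_start: int       # host id that container_start is mapped to
    count: int            # length of the mapped range


def parse_idmaps(config_text):
    """Return every lxc.idmap entry found in the config text."""
    maps = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, c_start, h_start, count = m.groups()
            maps.append(IdMap(kind, int(c_start), int(h_start), int(count)))
    return maps


def is_unprivileged(config_text):
    """Unprivileged iff both a uid and a gid mapping are present,
    i.e. the two lines the answer above describes."""
    kinds = {m.kind for m in parse_idmaps(config_text)}
    return kinds == {"u", "g"}


def to_host_id(config_text, kind, container_id):
    """Host uid/gid behind a container uid/gid.

    Without any mapping (privileged container) the id is used unchanged,
    so container root is host root.  With a mapping, the id is shifted
    into the host range; an id outside every range is unmapped and
    cannot be used on the host (returned as None)."""
    maps = [m for m in parse_idmaps(config_text) if m.kind == kind]
    if not maps:
        return container_id
    for m in maps:
        if m.container_start <= container_id < m.container_start + m.count:
            return m.host_start + (container_id - m.container_start)
    return None


# Constructed sample configs (the rootfs paths are placeholders).
UNPRIV_CONFIG = """\
lxc.arch = amd64
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.rootfs.path = dir:/var/lib/lxc/VMID/rootfs
"""

PRIV_CONFIG = """\
lxc.arch = amd64
lxc.rootfs.path = dir:/var/lib/lxc/VMID/rootfs
"""


def describe(config_text):
    """One-line summary of what container root means on the host."""
    mode = "unprivileged" if is_unprivileged(config_text) else "privileged"
    return f"{mode}: container uid 0 is host uid {to_host_id(config_text, 'u', 0)}"


if __name__ == "__main__":
    # Usage: python3 check_lxc.py /var/lib/lxc/<VMID>/config
    # With no argument the two constructed samples are summarised.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(describe(fh.read()))
    else:
        print(describe(UNPRIV_CONFIG))
        print(describe(PRIV_CONFIG))
```

Run it against a real `/var/lib/lxc/<VMID>/config` on the host to get the same answer the `lxc.idmap` grep gives, plus the concrete host uid that a file owned by root inside the container will carry (100000 with the default mapping), which is the difference the privileged/unprivileged question is really about.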
 
Hello,

thanks for the answer. Do you maybe know which feature I should enable? Maybe keyctl?

Regards,
 
hi i got this error "ERROR: Backup of VM 10004 failed - command 'set -o pipefail && lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar cpf - --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' --one-file-system '--warning=no-file-ignored' '--directory=/mnt/pve/nfs04-dump/dump/vzdump-lxc-10004-2024_09_23-02_00_02.tmp' ./etc/vzdump/pct.conf ./etc/vzdump/pct.fw '--directory=/mnt/pve/nfs04-dump/dump/vzdump-lxc-10004-2024_09_23-02_00_02.tmp' --no-anchored '--exclude=lost+found' --anchored '--exclude=./tmp/?*' '--exclude=./var/tmp/?*' '--exclude=./var/run/?*.pid' . | zstd '--threads=1' >/mnt/pve/nfs04-dump/dump/vzdump-lxc-10004-2024_09_23-02_00_02.tar.dat' failed: exit code 2"

can i simply fix this by changing to privileged LXC from Unprivileged: Yes?
 