Problem converting privileged container to unprivileged container.

bad_docker

Oct 10, 2024
Hi good morning,
I've PVE 8.2.7 running with 2 LXC plex & jellyfin (proxmox script install) running as privileged with NFS share mount from my virtual NAS. I want to convert to unprivileged so I can make it more secure and use bind mount. But I'm not as per other guides, I did backup and tried to restore as unprivileged, it's throwing error 2 and deleting the whole LXC itself. Only way to restore is as privileged LXC.
recovering backed-up configuration from 'local:backup/vzdump-lxc-106-2024_10_09-12_25_41.tar.zst'
Logical volume "vm-106-disk-0" created.
Creating filesystem with 5242880 4k blocks and 1310720 inodes
Filesystem UUID: f788ff14-164d-40e6-a4ac-3fc021ec6174
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
Logical volume "vm-106-disk-1" successfully removed.
restoring 'local:backup/vzdump-lxc-106-2024_10_09-12_25_41.tar.zst' now..
extracting archive '/var/lib/vz/dump/vzdump-lxc-106-2024_10_09-12_25_41.tar.zst'
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 2822144000 (2.7GiB, 369MiB/s)
tar: Exiting with failure status due to previous errors
Logical volume "vm-106-disk-0" successfully removed.
TASK ERROR: unable to restore CT 106 - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf - --zstd --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' -C /var/lib/lxc/106/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2
 
Maybe due to limitation with unprivileged container and NFS mount option.
Mounting any kind of share in LXC can only be with privileged state.
 
you can try removing those two device nodes prior to making a backup - it might require some changes to the postfix config though..
 
Hi @fabian thx for reply. I'm linux noob. I searched around only to find 1 or 2 posts related to this issue.
If you could elaborate it would help other people having similar issue like me.
Yeah, I did have NFS mount before taking backup, but I did try removing that NFS mount followed by backup and restore as unprivileged lxc, yet it fails.
 
Code:
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted

these two files are special (device nodes), which don't work in unprivileged mode. postfix only needs them in certain configurations, so it should be fine to remove them (and potentially, update the config).
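A pre-restore check for the failure shown in the log, as an added example that is not part of the thread: it scans a backup tar stream for device nodes outside `./dev/`, the only path the restore command excludes. The sample archive is constructed, and the function and file names are hypothetical.

```python
import io
import sys
import tarfile

def nodes_blocking_unprivileged_restore(fileobj):
    """Return (path, kind, major, minor) for each device node in a tar
    stream that the restore would have to mknod, i.e. outside ./dev/."""
    found = []
    with tarfile.open(fileobj=fileobj, mode="r|") as tar:
        for member in tar:
            if not (member.ischr() or member.isblk()):
                continue
            name = member.name
            path = name[2:] if name.startswith("./") else name
            # The restore command only excludes the anchored pattern './dev/*'.
            if path.startswith("dev/"):
                continue
            kind = "char" if member.ischr() else "block"
            found.append((path, kind, member.devmajor, member.devminor))
    return found

def build_sample_archive():
    """Constructed sample shaped like the archive in the thread."""
    entries = [
        ("./dev/null", tarfile.CHRTYPE, 1, 3),
        ("./etc/hostname", tarfile.REGTYPE, 0, 0),
        ("./var/spool/postfix/dev/random", tarfile.CHRTYPE, 1, 8),
        ("./var/spool/postfix/dev/urandom", tarfile.CHRTYPE, 1, 9),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, typ, major, minor in entries:
            info = tarfile.TarInfo(name)
            info.type = typ
            info.devmajor, info.devminor = major, minor
            tar.addfile(info)  # writing headers needs no mknod privilege
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Real use (file name hypothetical):
    #   zstd -dc <backup>.tar.zst | python3 check_nodes.py
    source = build_sample_archive() if sys.stdin.isatty() else sys.stdin.buffer
    for path, kind, major, minor in nodes_blocking_unprivileged_restore(source):
        print(f"{kind} device {major},{minor}: {path}")
```

An empty result means tar will not attempt any mknod inside the user namespace during an unprivileged restore.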
 
and how to do that? where is this file to be edited or modified? any guide?
 
Not very helpful comments from fabian. I'll see about this in the next couple of days. I am having the exact same issue and would like to sort this out. I am able to restore to privileged, just not unprivileged.
 
I beg to differ. He gave some pointers which should lead to the correct way to approach this. Why isn't it helpful to give some primers for a google search?

I searched for "postfix" and "/var/spool/postfix/dev/urandom":
https://www.google.com/search?q=/var/spool/postfix/dev/urandom+postfix

First hit was this thread from 2016:

The thread says that the root cause is that postfix is usually set up with chroot to /var/spool/postfix. For chroot there is a Wikipedia article (https://en.wikipedia.org/wiki/Chroot). It explains that basically chroot is a kind of "container" technology from before there were containers: it allows creating an isolated environment for applications so they don't see files outside of this environment. But (at least in 2016 and it seems also right now) it needs root or privileged access to work, since the normal rights don't allow creating the device nodes needed by the postfix chroot environment. In the 2016 thread this was solved by creating the device nodes manually and bind mounting them to the lxc environment.
If you are interested why postfix can be configured for this following thread from serverfault might be of interest:
https://serverfault.com/questions/1158072/why-its-recommended-to-run-postfix-in-a-chroot-jail

Another solution would be to reconfigure postfix to not use chroot, searching for chroot+postfix yields following results:
https://www.google.com/search?q=chroot+postfix

Third hit is BASIC CONFIGURATION from the postfix website:
https://www.postfix.org/BASIC_CONFIGURATION_README.html

It explains that you need to edit the master.cf configuration file of postfix and links its manual:
https://www.postfix.org/master.5.html

Now I never did this myself but I spent just five to ten minutes with this search (1) and now I'm quite confident that I could make this work.

Returning to the OP's question: He wrote that he set up everything with a helper script, which is just another example of why helper scripts are actually not very helpful for newbies (2) at all: They abstract the complexity behind the setup away, which means that the users assume that they can get away with not doing much system administration. But at some point (some sooner, some later) they run into problems and can't resolve them since they don't know where to start. If they had done the setup manually or by understanding how the script works and changing it to their wishes, they would at least have an idea where to start.

What I don't get is why the container was created privileged in the first place. I looked up the source code of the hellish script at https://github.com/community-scripts/ProxmoxVE/blob/main/ct/jellyfin.sh. It sets the container type to the value 1 and references https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func

According to this file a value of 1 means unprivileged, so I don't understand how OP ended up with a privileged container.

In this case I think it's way easier for the OP to recreate the container (this time unprivileged) and migrate the data which is not on the NFS share but inside the container (if there even is any container).

But to be honest I would recommend ditching the container approach altogether and setting up a VM with your favourite Linux distribution (I personally prefer Debian but that's just because it's what I'm used to; if you prefer Fedora, Alpine or Ubuntu that's fine) and docker/podman with dock.ge or portainer, and setting up your services as docker containers. That way you will get the stricter isolation of a VM, you will have much less trouble in setting up the services (since docker takes care of most of it) and you can use NFS mounts and friends without any shenanigans with lxc privileged versus lxc unprivileged. If you are worried because of the resources: Of course you couldn't use one VM for every service like you could do with lxcs.
But that's not really an issue: If you use one VM for all docker containers you want to use, your resources should still be enough.
If you want to learn how to set this up without portainer, Jellyfin has a nice tutorial: https://jellyfin.org/docs/general/installation/container (I would use podman but this is just my preference).
One caveat though: If you want to use the GPU for jellyfin, going lxc is probably still the easier approach (with or without helper script). In that case I would set up a container of one of the distributions mentioned on https://jellyfin.org/docs/general/installation/linux and follow the instructions on that page.

(1) After finishing the post I realized I spent more time writing it than on my search ;)
(2) At least if the goal is to get some services running. For learning shell programming and system administration they are a great resource: Read a script, try to understand how it works. Tweak it, look whether your changes work like you expected. Rinse, repeat. But most people seem to use them because they want to just have some services running on a homeserver without learning system administration. This is understandable and absolutely legitimate. But personally I think that ProxmoxVE is not the right tool for it; UnRAID, OpenMediaVault or some other NAS OS with docker/podman support would probably be a better fit. For learning virtualization, system and network administration however ProxmoxVE is fantastic, as helper scripts are for learning shell programming.
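To show where the chroot setting mentioned above lives, here is an added example (not from the thread or from the Postfix project) that reads master.cf text and reports each service's chroot field. It assumes the column layout documented in master(5), where chroot is the fifth field; the sample file content is constructed and the function names are hypothetical.

```python
# Constructed sample in master.cf layout; not taken from the OP's container.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
rewrite   unix  -       -       n       -       -       trivial-rewrite
local     unix  -       n       n       -       -       local
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
"""

def chroot_settings(master_cf_text):
    """Map 'service/type' to its chroot field: 'y', 'n' or '-' (default)."""
    settings = {}
    for line in master_cf_text.splitlines():
        # Skip blank lines, comments and continuation lines, which begin
        # with whitespace and belong to the previous service entry.
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        service, kind, chroot = fields[0], fields[1], fields[4]
        settings[f"{service}/{kind}"] = chroot
    return settings

def chrooted_services(master_cf_text):
    """Services with an explicit 'y' in the chroot column."""
    return sorted(
        name for name, value in chroot_settings(master_cf_text).items()
        if value == "y"
    )

if __name__ == "__main__":
    # Real use: pass the text of /etc/postfix/master.cf instead of the sample.
    for name in chrooted_services(SAMPLE_MASTER_CF):
        print(f"chrooted: {name}")
```

A `-` in the chroot column means the built-in default, which depends on the Postfix version, so entries with `-` need checking against master(5) for the installed release.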
 