After wrestling with permissions ( https://forum.proxmox.com/threads/cannot-change-lxc-features-nesting-nfs-as-pveadmin.49513 ) and an attempt to get unprivileged containers to work ( https://forum.proxmox.com/threads/5...tainers-docker-works-mount-nfs-does-not.49624 ), I am now back to using privileged containers, but it seems the previous hacks (mucking with lxc / apparmor settings) don't work anymore because the settings are now auto-generated based on the entries in the "features:" setting. Unfortunately, changing features requires root access, and the tool I maintain to allow users self-service command line access without giving them access to the Proxmox hosts now fails. This tool ( https://pypi.org/project/proxmox-tools/ ) allows users to deploy multiple LXC containers and install Docker with a single command (e.g. prox new --docker --mem 8G host1 host2 host3). Without setting "features: nesting=1" this does not seem to work anymore (or I did not find a proper way to do this), and setting "features" requires root access, which I cannot give to my users.
In my desperation I have been patching LXC.pm (see below), but is there another way that won't be wiped out at the next Proxmox update?
Thanks
dipe
--- /usr/share/perl5/PVE/LXC.pm 2018-12-11 07:46:32.728796592 -0800
+++ /root/pve-config/usr/share/perl5/PVE/LXC.pm 2018-12-11 07:43:04.281736104 -0800
@@ -482,9 +482,10 @@
# In the default profile in /etc/apparmor.d we patch this in because
# otherwise a container can for example run `chown` on /sys, breaking
# access to it for non-CAP_DAC_OVERRIDE tools on the host:
- $raw .= "lxc.apparmor.raw = deny mount -> /proc/,\n";
- $raw .= "lxc.apparmor.raw = deny mount -> /sys/,\n";
- # Preferably we could use the 'remount' flag but this does not sit well
+ #$raw .= "lxc.apparmor.raw = deny mount -> /proc/,\n";
+ #$raw .= "lxc.apparmor.raw = deny mount -> /sys/,\n";
+ $raw .= "lxc.apparmor.allow_nesting = 1\n"
+ # Preferably we could use the 'remount' flag but this does not sit well
# with apparmor_parser currently:
# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
}
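Review bot: commenting out the two `deny mount -> /proc/,` and `deny mount -> /sys/,` lines drops the host protection that the comment kept directly above them describes (a container running chown on /sys and breaking access for non-CAP_DAC_OVERRIDE tools on the host), and it drops it for every privileged container, not only the ones that need nesting; the comment is now stale. The added `lxc.apparmor.allow_nesting = 1` is likewise unconditional and is missing the trailing `;` the surrounding statements use (it only parses because it is the last statement before the `}`). Suggest keeping both deny lines, gating the allow_nesting line on the container's own features, and terminating it with a semicolon.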
@@ -495,6 +496,7 @@
$raw .= "lxc.apparmor.raw = mount fstype=$fs,\n";
}
}
+ $raw .= "lxc.apparmor.raw = mount fstype=nfs,\n";
# More to come?
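Review bot: the `mount fstype=nfs,` rule is appended after the loop closes, so it is emitted for every container regardless of what the loop above derives per entry of `$fs`; in the generated profile a container that was never granted NFS becomes indistinguishable from one that was. Prefer feeding `nfs` into the list the loop already iterates over, so the grant stays per-container, rather than a hard-coded line after it.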
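As an added example, not code from this post, from PVE or from proxmox-tools: a small Python model of the two ways of producing these AppArmor lines, gated per container from its own "features:" value versus the unconditional patch above. The features syntax (nesting=1,mount=nfs;cifs), the fstype allowlist and the sample container config are assumptions of the example.

```python
"""Added example (not PVE's or proxmox-tools' code): derive the AppArmor raw
lines for one container from its own ``features:`` value, and contrast that
with what the posted LXC.pm patch emits unconditionally.

Assumptions: the ``features`` syntax ``nesting=1,mount=nfs;cifs`` (',' between
features, ';' inside the mount list) and the fstype allowlist below are the
example's own, not taken from PVE."""
import re

# The two host protections the patch comments out (visible in the hunk).
HOST_DENY_RULES = (
    "lxc.apparmor.raw = deny mount -> /proc/,",
    "lxc.apparmor.raw = deny mount -> /sys/,",
)

# Assumption: an operator-maintained allowlist of mountable fstypes.
ALLOWED_MOUNT_FSTYPES = frozenset({"nfs", "nfs4", "cifs"})

# Constructed container config for the example, not a real one.
SAMPLE_CONFIG = """\
arch: amd64
cores: 2
features: nesting=1,mount=nfs
hostname: host1
memory: 8192
"""


def features_from_config(config_text):
    """Return the value of the 'features:' line, or '' if absent."""
    for line in config_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "features":
            return value.strip()
    return ""


def parse_features(value):
    """Parse 'nesting=1,mount=nfs;cifs' into {'nesting': '1', 'mount': 'nfs;cifs'}.
    A bare key without '=' is treated as enabled."""
    features = {}
    for item in filter(None, (part.strip() for part in value.split(","))):
        key, _, val = item.partition("=")
        key = key.strip()
        if not re.fullmatch(r"[a-z0-9_]+", key):
            raise ValueError(f"malformed feature key: {key!r}")
        features[key] = val.strip() or "1"
    return features


def apparmor_raw_lines(features_value):
    """Per-container generation: deny rules always, nesting and mount
    grants only when this container's features ask for them."""
    feats = parse_features(features_value)
    lines = list(HOST_DENY_RULES)
    if feats.get("nesting") == "1":
        lines.append("lxc.apparmor.allow_nesting = 1")
    mount_list = feats.get("mount", "")
    for fs in filter(None, (f.strip() for f in mount_list.split(";"))):
        if fs not in ALLOWED_MOUNT_FSTYPES:
            raise ValueError(f"fstype {fs!r} is not on the allowlist")
        lines.append(f"lxc.apparmor.raw = mount fstype={fs},")
    return lines


def patched_global_lines():
    """What the posted patch emits for every privileged container:
    no deny rules, nesting and nfs granted to all."""
    return [
        "lxc.apparmor.allow_nesting = 1",
        "lxc.apparmor.raw = mount fstype=nfs,",
    ]


def lost_protections(features_value):
    """Rules the gated generator would emit that the patch drops."""
    return sorted(set(apparmor_raw_lines(features_value)) - set(patched_global_lines()))


def extra_grants(features_value):
    """Rules the patch hands out that this container never asked for."""
    return sorted(set(patched_global_lines()) - set(apparmor_raw_lines(features_value)))


if __name__ == "__main__":
    value = features_from_config(SAMPLE_CONFIG)
    print("gated  :", apparmor_raw_lines(value))
    print("patched:", patched_global_lines())
    print("plain container loses:", lost_protections(""))
    print("plain container gains:", extra_grants(""))
```

Running it shows the asymmetry the patch introduces: a container with an empty features value loses both deny rules and gains nesting plus NFS mounting it never requested, while the gated generator hands out exactly what each container's own config asks for and rejects fstypes outside the allowlist.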