struggle with new 5.3 LXC "features"


Active Member
Mar 21, 2013
After wrestling with permissions ( ) and an attempt to get unprivileged containers to work ( ) I am now back to using privileged containers but it seems the previous hacks (mucking with lxc / apparmor settings) don't work anymore because settings are now auto generated based on the entries in the "features:" setting. Unfortunately changing features requires root access and the tool I maintain to allow users self service command line access without giving them access to the proxmox hosts now fails. This tool ( ) allows users to deploy multiple lxc containers and install docker with a single command (e.g. prox new --docker --mem 8G host1 host2 host3). Without setting features: nesting=1 this does not seem to work anymore (or I did not find a proper way to do this) and setting "features" requires root access which I cannot give to my users.

In my desperation I have been patching (see below) but is there another way that won't be wiped out at the next proxmox update ?


--- /usr/share/perl5/PVE/ 2018-12-11 07:46:32.728796592 -0800
+++ /root/pve-config/usr/share/perl5/PVE/ 2018-12-11 07:43:04.281736104 -0800
@@ -482,9 +482,10 @@
# In the default profile in /etc/apparmor.d we patch this in because
# otherwise a container can for example run `chown` on /sys, breaking
# access to it for non-CAP_DAC_OVERRIDE tools on the host:
- $raw .= "lxc.apparmor.raw = deny mount -> /proc/,\n";
- $raw .= "lxc.apparmor.raw = deny mount -> /sys/,\n";
- # Preferably we could use the 'remount' flag but this does not sit well
+ #$raw .= "lxc.apparmor.raw = deny mount -> /proc/,\n";
+ #$raw .= "lxc.apparmor.raw = deny mount -> /sys/,\n";
+ $raw .= "lxc.apparmor.allow_nesting = 1\n"
+ # Preferably we could use the 'remount' flag but this does not sit well
# with apparmor_parser currently:
# mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
@@ -495,6 +496,7 @@
$raw .= "lxc.apparmor.raw = mount fstype=$fs,\n";
+ $raw .= "lxc.apparmor.raw = mount fstype=nfs,\n";
# More to come?


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!