Unprivileged containers

Vedat Nommaz

Dec 13, 2015
I understand this is in tech preview as of 4.1, but couldn't find any documentation. How can we experiment with this new feature?
 
Please use the --unprivileged flag when you create the container, for example:

# pct create 120 local:vztmpl/debian-8.0-standard_8.0-1_amd64.tar.gz --unprivileged
 
Can this be changed for a container that already exists?

Is it this option inside the web interface?
 

Currently only via backup&restore. (You can pass --unprivileged to `pct restore`).
 
Hi, I have the same problem. I'd like to unprivilege a privileged container, but if I try with "pct restore" I get errors:
Code:
pct restore 109 dump/vzdump-lxc-109-2016_04_18-00_33_19.tar.lzo --unprivileged
...
extracting archive '/var/lib/vz/dump/vzdump-lxc-109-2016_04_18-00_33_19.tar.lzo'
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 1186508800 (1.2GiB, 306MiB/s)
tar: Exiting with failure status due to previous errors
command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf /var/lib/vz/dump/vzdump-lxc-109-2016_04_18-00_33_19.tar.lzo --totals --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-xattr-write' -C /var/lib/lxc/109/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2

Any Ideas?

Best regards
Patric
 
Unprivileged container templates are extracted _as_ the unprivileged user, so it can only extract things the user would otherwise be able to create. This does not include device nodes, which means you'll have to remove them from the archive and either change the postfix configuration or mount the container after restoring and create those devices manually.
 
... This does not include device nodes, which means you'll have to remove them from the archive and either change the postfix configuration or mount the container after restoring and create those devices manually.

What exactly is a Device Node? I'm searching for that term on the Prox wiki and don't see anything. Are you referring to hardware devices like NICs or Drives?
 
From my tests, the error
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted, shows when trying to restore an unprivileged container from a backup of a privileged container. The cause is the privileged container missing mount | grep udev?

This is very strange, because the error is random, sometimes works even for the above use case!

Inside unprivileged container:
mount | grep udev
udev on /dev/console type devtmpfs (rw,relatime,size=10240k,nr_inodes=4101883,mode=755)
udev on /dev/full type devtmpfs (rw,relatime,size=10240k,nr_inodes=4101883,mode=755)
udev on /dev/null type devtmpfs (rw,relatime,size=10240k,nr_inodes=4101883,mode=755)
udev on /dev/random type devtmpfs (rw,relatime,size=10240k,nr_inodes=4101883,mode=755)
udev on /dev/tty type devtmpfs (rw,relatime,size=10240k,nr_inodes=4101883,mode=755)
udev on /dev/urandom type devtmpfs (rw,relatime,size=10240k,nr_inodes=4101883,mode=755)
udev on /dev/zero type devtmpfs (rw,relatime,size=10240k,nr_inodes=4101883,mode=755)


Inside privileged container
mount | grep udev
... NO RESULTS

 
What exactly is a Device Node? I'm searching for that term on the Prox wiki and don't see anything. Are you referring to hardware devices like NICs or Drives?
A device node is a special file in /dev. These create "file" entries that expose access to devices. Unprivileged containers cannot create them, their /dev is populated by the lxc startup process.

Ideally they'd switch to bind mounting the desired device nodes from /dev instead of creating/shipping them in /var/spool/postfix/dev... but as it is now, in unprivileged containers postfix cannot be used with a chroot configuration as it cannot create the device nodes, there's not much we can do about this currently.
 
That's crazy! Why doesn't the restore run without the things it can't restore? E.g. with a separate switch option?
So, for example: a customer has problems getting Plesk to run because of the AppArmor mount problems! Now they find in one documentation only the possibility to change the server to an "unprivileged server" - but the button is blocked - and they read again in the forums and get the information to only back up the server and restore. Because of this they delete the container and restore it, and then the restore as an "unprivileged server" does not work because of other problems, and the customer must now read and search for a new solution! When it's a big container, production is possibly stopped for many hours or days? ... I only think that the information is not complete!

So, what can we do?

Is there an (un)written possibility to set, for only one LXC container, the allowance that mounts inside the container are allowed? I found an example for this, but where can we set this for one container?

What does a customer need to do to get out of this never-ending loop? E.g. restore as a normal container - who deletes the files, or how to back up so that the folders are not backed up? ... or some more information, so that we don't fall every time into a new, previously unknown black hole!
 
So is this Postfix Bug already fixed? Got the same Permission Problem with turnkey LXC Containers
 
Unprivileged container templates are extracted _as_ the unprivileged user, so it can only extract things the user would otherwise be able to create. This does not include device nodes, which means you'll have to remove them from the archive and either change the postfix configuration or mount the container after restoring and create those devices manually.

So from where I sit, this basically means, don't use Unprivileged containers yet.
 
Is there any solution to this problem available already? A simple use case: a Proxmox admin creates a new privileged container based on the "debian-8.0-standard_8.6-1_amd64.tar.gz" image, runs apt-get update && apt-get dist-upgrade -y, plus installs some etherpad or wordpress or whatever, then after a reboot reads about unprivileged containers and wants to backup+restore to an unprivileged container. The restore aborts after deleting the previously fine container, showing the message "tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted". Now after a few seconds the admin might be shocked because the CT is completely gone... hope the backup actually worked, learn about this problem in this forum thread and restore to a privileged container again.
Now that person most likely is stuck, because there is no actual solution described in detail here. Maybe some information about how to exclude postfix from the backup (as suggested in this thread) would be nice.
 
So this isn't fixed yet?
It does not only occur at restore.
I ran into the same problem when creating a new unprivileged lxc-turnkey-container. It has happened so far with fileserver and mediaserver.
Any help is appreciated.

Code:
extracting archive '/MasterPool/template/cache/debian-8-turnkey-mediaserver_14.2-1_amd64.tar.gz'
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
Total bytes read: 957327360 (913MiB, 100MiB/s)
tar: Exiting with failure status due to previous errors
TASK ERROR: command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- tar xpf /proc/self/fd/11 --totals --one-file-system -p --sparse --numeric-owner --acls --xattrs '--xattrs-include=user.*' '--xattrs-include=security.capability' '--warning=no-file-ignored' '--warning=no-xattr-write' -C /var/lib/lxc/233/rootfs --skip-old-files --anchored --exclude './dev/*'' failed: exit code 2
 
I also tried to convert a privileged LXC to an unprivileged LXC via backup & restore (see guide in the wiki).
With the command below
Code:
pct restore 1110 /my/vzdump_backup/vzdump-lxc-1100-2018_03_02-02_31_03.tar.gz -ignore-unpack-errors 1 -unprivileged --storage myStorage
I am getting the same error:
Code:
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
What does that mean? Are some users / new created users inside the LXC mapped to the postfix user of the host? (same UID?). I tried it with several LXC (all privileged) and always getting the same error so it seems like a general problem?
 
Unprivileged containers are not allowed to create device nodes. The postfix setup in your container uses a chrooted environment with some device nodes created in /var/spool/postfix/dev. In order to use it in an unprivileged container you first have to get rid of those files in the container you want to convert before creating a backup. After restoring it as an unprivileged container you then have to either change postfix to not use a chroot or have the device nodes it needs bind-mounted from /dev to /var/... .
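
An added example (not from the thread and not Proxmox code): one way to do the "remove them from the archive" step discussed above, by copying a tar archive while dropping the character/block device nodes that the restore's --exclude './dev/*' does not skip. The function names and the in-memory sample archive are constructed for illustration; a .tar.lzo dump has to be decompressed first, because Python's tarfile module does not read lzo.

```python
import io
import tarfile

def is_blocking_node(member):
    """Device node that tar would try to mknod, i.e. not covered by --exclude './dev/*'."""
    name = member.name[2:] if member.name.startswith("./") else member.name
    return (member.ischr() or member.isblk()) and not name.startswith("dev/")

def strip_device_nodes(src, dst):
    """Copy tar stream src to dst without blocking device nodes; return dropped names."""
    dropped = []
    with tarfile.open(fileobj=src, mode="r:*") as tin, \
         tarfile.open(fileobj=dst, mode="w:gz") as tout:
        for member in tin:
            if is_blocking_node(member):
                dropped.append(member.name)
                continue
            # Only regular files carry a payload; dirs, links and FIFOs are header-only.
            payload = tin.extractfile(member) if member.isreg() else None
            tout.addfile(member, payload)
    return dropped

def build_sample():
    """Constructed stand-in for a vzdump archive of a privileged container."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"ct109\n"
        reg = tarfile.TarInfo("./etc/hostname")
        reg.size = len(data)
        tar.addfile(reg, io.BytesIO(data))
        for name, minor in [("./dev/null", 3),
                            ("./var/spool/postfix/dev/random", 8),
                            ("./var/spool/postfix/dev/urandom", 9)]:
            dev = tarfile.TarInfo(name)
            dev.type, dev.devmajor, dev.devminor = tarfile.CHRTYPE, 1, minor
            tar.addfile(dev)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    cleaned = io.BytesIO()
    for name in strip_device_nodes(build_sample(), cleaned):
        print("dropped device node:", name)
```

After restoring the cleaned archive as unprivileged, postfix still needs one of the two changes described in the post above (no chroot, or bind-mounted device nodes).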
 
