Unprivileged containers

I also tried to make a privileged LXC into an unprivileged LXC via backup & restore (see guide in the wiki).
I am getting the same error:
Code:
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
It's working for me, here are the steps I completed. Some may be redundant, but won't hurt:
  1. Make backup of container
  2. From inside the container:
    Code:
    rm /var/spool/postfix/dev/random 
    rm /var/spool/postfix/dev/urandom
    touch /var/spool/postfix/dev/random
    touch /var/spool/postfix/dev/urandom
  3. Add the following lines to your container's conf:
    Code:
    lxc.mount.entry: /dev/random dev/random none bind,ro 0 0
    lxc.mount.entry: /dev/urandom dev/urandom none bind,ro 0 0
    lxc.mount.entry: /dev/random var/spool/postfix/dev/random none bind,ro 0 0
    lxc.mount.entry: /dev/urandom var/spool/postfix/dev/urandom none bind,ro 0 0
  4. Shutdown container
  5. Restore backup as unprivileged
  6. ???
  7. Profit!
The reason I also mount to /dev/random and /dev/urandom is because postfix's init.d script references those mount points:
Code:
(echo /dev/random; echo /dev/urandom) | cpio -pdL --quiet . 2>/dev/null || true
I believe if they're not also mounted, either the container will fail to restore as unprivileged or postfix will fail to work. Maybe both.
 
Not a simple fix, unfortunately.
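The same workaround as a script, added here as an example and not the poster's own code nor anything shipped with Proxmox: it performs steps 2 and 3 from the host against the container's mounted rootfs and its config file. Both paths are caller-supplied assumptions (for instance the rootfs under /var/lib/lxc/<VMID>/rootfs after `pct mount <VMID>`, and /etc/pve/lxc/<VMID>.conf); the sandbox paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: automates steps 2 and 3 above from the
# host. Arguments: the container's rootfs directory and its config file.
# Both are assumptions supplied by the caller, not values from the thread.

# Replace the postfix chroot device nodes with empty regular files and add
# read-only bind mounts, so an unprivileged restore never needs mknod().
prepare_postfix_devs() {
    rootfs="$1"
    conf="$2"
    spool="$rootfs/var/spool/postfix/dev"
    mkdir -p "$spool"
    for dev in random urandom; do
        # Step 2: remove the character device; tar cannot recreate it without mknod
        rm -f "$spool/$dev"
        # ...and leave an empty regular file in its place as the bind-mount target
        : > "$spool/$dev"
        # Step 3: bind the host device over both paths the postfix init script uses
        for target in "dev/$dev" "var/spool/postfix/dev/$dev"; do
            line="lxc.mount.entry: /dev/$dev $target none bind,ro 0 0"
            # append each line once only, so re-running keeps the config clean
            grep -qxF -- "$line" "$conf" 2>/dev/null || printf '%s\n' "$line" >> "$conf"
        done
    done
}

# Count the block/char device nodes still under the postfix chroot; any
# non-zero result means an unprivileged restore will still hit "Cannot mknod".
count_device_nodes() {
    find "$1/var/spool/postfix/dev" \( -type c -o -type b \) 2>/dev/null | wc -l | tr -d ' '
}

# Usage (placeholder paths): sh prepare_postfix_devs.sh /var/lib/lxc/<VMID>/rootfs /etc/pve/lxc/<VMID>.conf
if [ "$#" -eq 2 ]; then
    prepare_postfix_devs "$1" "$2"
    echo "device nodes left in postfix chroot: $(count_device_nodes "$1")"
fi
```

Run it before taking the backup in step 1, then shut the container down and restore as unprivileged; `count_device_nodes` is the check that the chroot no longer contains anything tar would need mknod() for.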

Is there a way to list specific device nodes as available to all unprivileged containers? I can't imagine a major risk exposing a read-only /dev/random or /dev/urandom to containers.

How are /dev/null and /dev/zero allowed?

Seems /usr/share/lxc/config/common.conf contains some definitions, but /dev/random and urandom are already in there - so why aren't they allowed?
 
Is there a way to list specific device nodes as available to all unprivileged containers
This is by design not possible in unprivileged containers. You need to use bind mounts.
 
Why are /dev/null and /dev/zero allowed then? Urandom is a pretty safe device node and important to many pieces of unthreatening software.
 
The kernel simply generally forbids using the mknod() system call required to create device nodes, no matter what permissions you otherwise have. If this changes in the future, those will definitely be on the whitelist. There are some mechanisms available already which could be used, such as an mknod permission in the devices cgroup, but for now the kernel still ignores all that when user namespaces are used.
 
Got into this error while restoring my server with a clean proxmox install and restoring from backups. Are there any improvements to this in Proxmox VE 6.X?
 
Got into this error while restoring my server with a clean proxmox install and restoring from backups. Are there any improvements to this in Proxmox VE 6.X?

If you are talking about the 'Cannot mknod: Operation not permitted' error, then it doesn't have much to do with Proxmox in particular, but with the container template you are using. Some containers just won't work by default as unprivileged (which happens to be our default), and they will need to be created/restored as privileged. You can follow the workaround in this thread[0] if you want to use them unprivileged. Otherwise, just uncheck the 'unprivileged' box while restoring.

[0]: https://forum.proxmox.com/threads/unprivileged-containers.26148/page-2#post-207631
 
Helloouuu :)
Why not just clear the "Unprivileged container" tab before you press the "Restore" button?

There is some security risk to that. It should not be done without knowledge of what its effects are.
 
Code:
pct restore 1234 /data/dump/vzdump-lxc-110-2020_11_06-22_38_25.tar.zst -ignore-unpack-errors 1 -unprivileged --storage data

should do it :) tick the feature keyctl and nested and run
This also worked for a privileged container. Just remove the '-privileged' command parameter.
 
