Using API to set NESTING feature flag.

new2proxmox

New Member
Jun 8, 2022
I'm trying to use the API to set the NESTING feature flag when creating a container.

I am using a TOKEN tied to the root user and assigned the ADMINISTRATOR role for the pool.

However, that is not working.

In searching the forums, I ran into this thread: https://forum.proxmox.com/threads/set-features-via-http-api2-doesnt-work.102966/

The final entry from a non-staff member mentioned that this isn't supported.

I was wondering if that is indeed true.

Can a Proxmox staff member perhaps weigh in on this thread (or that older thread) on whether you can use the API along with a TOKEN (tied to the root user) to set the NESTING feature for a container? It would be very much appreciated.

Thanks very much!
 
> However, that is not working.

What did you try and what is not working? Are basic API requests like a simple GET of the Container config working?

> The final entry from a non-staff member mentioned that this isn't supported.

The reply implies from that thread context that it isn't supported for non-root on privileged CTs, not in general - our GUI uses just the same API for setting this flag after all.

> Can a Proxmox staff member perhaps weigh in on this thread (or that older thread) on whether you can use the API along with a TOKEN (tied to the root user) to set the NESTING feature for a container? It would be very much appreciated.

For root it should work either way. And it's possible in general as long as the container is an unprivileged one, as nesting on privileged containers is allowing really a lot and is dangerous if one cannot trust the programs running inside CT, so only root can decide nesting for such privileged ones.

Ensure you pass unprivileged=1 on creation.
 
Hi:

To be more precise, just like the referenced thread in the opening post, the return from the API call is empty when using a token tied to the root user (with administrator role for token for the resource pool) and sending the 'nesting=1,fuse=1' feature flags. The container fails to be created.

If I remove the nesting flag, the container is created just fine with a token tied to the same root user.

If I send a request using the root user name and password (instead of a token) along with the 'nesting=1,fuse=1' feature flags, the container is created and the nesting flag is enabled.

This is reproducible consistently.

Summary: If a token is used when creating a container via the API, you cannot enable the nesting feature. You can only enable nesting if using the root user and password as the API credentials.

The reason it works in the UI is because the admin is logged in with the root user, not a token.
 
> 'nesting=1,fuse=1'

Yeah well, nesting AND fuse is something different than just setting nesting.

I'd think that you probably got even the "changing feature flags (*except nesting*) is only allowed for root@pam" error. Opening that up for fully privileged API tokens (i.e., no priv. separation) sounds sensible though.

> The reason it works in the UI is because the admin is logged in with the root user, not a token.

No, it works too for completely different users with enough privileges as root, at least for nesting (not fuse).
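
The rules discussed in this thread, written as a client-side pre-flight check before the container-create call (an added example, not Proxmox code and not from any poster). It assumes, from the replies above, that flags other than nesting are accepted only from root@pam itself and not from a token of root@pam; the host, node, token id, secret and template name are constructed placeholders.

```python
import urllib.parse
import urllib.request

def parse_features(spec):
    """Parse a features string such as 'nesting=1,fuse=1' into a dict."""
    flags = {}
    for item in spec.split(","):
        key, sep, value = item.strip().partition("=")
        if key and sep:
            flags[key] = value.strip()
    return flags

def preflight(authid, features, unprivileged):
    """Return the reasons, as described in the thread, a create call would be refused."""
    flags = parse_features(features)
    # Assumption from the thread: 'root@pam!token' is not treated as root@pam here.
    is_root = authid == "root@pam"
    problems = []
    other = sorted(k for k in flags if k != "nesting")
    if other and not is_root:
        problems.append("only root@pam may change: " + ",".join(other))
    if flags.get("nesting") == "1" and not unprivileged and not is_root:
        problems.append("nesting on a privileged CT is root-only; pass unprivileged=1")
    return problems

def build_create_request(host, node, token_id, secret, params):
    """Build (but do not send) the POST that creates an LXC container with an API token."""
    url = f"https://{host}:8006/api2/json/nodes/{node}/lxc"
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"PVEAPIToken={token_id}={secret}")
    return req

if __name__ == "__main__":
    token = "root@pam!deploy"  # constructed token id
    for feats in ("nesting=1,fuse=1", "nesting=1"):
        print(feats, "->", preflight(token, feats, unprivileged=True) or "ok")
    params = {"vmid": 200, "ostemplate": "local:vztmpl/example.tar.zst",  # placeholders
              "pool": "examplepool", "unprivileged": 1, "features": "nesting=1"}
    req = build_create_request("pve.example.test", "node1", token, "SECRET", params)
    print(req.get_method(), req.full_url)
```

With these rules the token request carrying only `nesting=1` and `unprivileged=1` passes, while adding `fuse=1` is flagged, which matches the behaviour reported in the thread.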
 
