[pve-devel] [RFC pve-container 3/6] added the unprivileged flag

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Nov 12 14:00:26 CET 2015


This flag (like lxc.id_map entries) should only be set at
create-time in order to make sure the container's filesystem
has the correct ownerships and permissions.
For this reason modification is not allowed via the API.

An unprivileged container defines lxc.id_map properties,
and includes $ostype.userns.conf in addition to
$ostype.common.conf in its lxc config.
---
 src/PVE/API2/LXC.pm   |  5 +++++
 src/PVE/LXC.pm        | 22 ++++++++++++++++++++++
 src/PVE/LXC/Create.pm |  4 ++--
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index a4e80ec..165e327 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -162,6 +162,9 @@ __PACKAGE__->register_method({
 
 	my $same_container_exists = -f $basecfg_fn;
 
+	# 'unprivileged' is read-only, so we can't pass it to update_pct_config
+	my $unprivileged = extract_param($param, 'unprivileged');
+
 	my $restore = extract_param($param, 'restore');
 
 	if ($restore) {
@@ -263,6 +266,8 @@ __PACKAGE__->register_method({
 
 	PVE::LXC::update_pct_config($vmid, $conf, 0, $no_disk_param);
 
+	$conf->{unprivileged} = 1 if $unprivileged;
+
 	my $check_vmid_usage = sub {
 	    if ($force) {
 		die "can't overwrite running container\n"
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index f38c5bd..07ac4fc 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -192,6 +192,12 @@ my $confdesc = {
 	description => "Sets the protection flag of the container. This will prevent the remove operation. This will prevent the CT or CT's disk remove/update operation.",
 	default => 0,
     },
+    unprivileged => {
+	optional => 1,
+	type => 'boolean',
+	description => "Makes the container run as unprivileged user. (Should not be modified manually.)",
+	default => 0,
+    },
 };
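Review bot: The schema description for `unprivileged` says only "(Should not be modified manually.)" without the reason, although the commit message explains that the flag must match the ownership the rootfs was created with; an operator reading the option help needs that consequence, not just the prohibition. I would make the description `"Makes the container run as unprivileged user. Can only be set at creation time: the container's filesystem is created with ownership matching the id_map, so changing it afterwards leaves the rootfs with the wrong ownership."`. The `$confdesc` hash starts outside the hunk.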
 
 my $valid_lxc_conf_keys = {
@@ -1050,13 +1056,25 @@ sub update_lxc_config {
     die "missing 'arch' - internal error" if !$conf->{arch};
     $raw .= "lxc.arch = $conf->{arch}\n";
 
+    my $unprivileged = $conf->{unprivileged};
+    my $custom_idmap = grep { $_->[0] eq 'lxc.id_map' } @{$conf->{lxc}};
+
     my $ostype = $conf->{ostype} || die "missing 'ostype' - internal error";
     if ($ostype =~ /^(?:debian | ubuntu | centos | archlinux)$/x) {
 	$raw .= "lxc.include = /usr/share/lxc/config/$ostype.common.conf\n";
+	if ($unprivileged || $custom_idmap) {
+	    $raw .= "lxc.include = /usr/share/lxc/config/$ostype.userns.conf\n"
+	}
     } else {
 	die "implement me";
     }
 
+    # Should we read them from /etc/subuid?
+    if ($unprivileged && !$custom_idmap) {
+	$raw .= "lxc.id_map = u 0 100000 65536\n";
+	$raw .= "lxc.id_map = g 0 100000 65536\n";
+    }
+
     if (!has_dev_console($conf)) {
 	$raw .= "lxc.console = none\n";
 	$raw .= "lxc.cgroup.devices.deny = c 5:1 rwm\n";
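Review bot: Every unprivileged container receives the identical fixed mapping `lxc.id_map = u 0 100000 65536` and `g 0 100000 65536`, so root in one container and root in another both resolve to host uid/gid 100000; any shared storage (bind mounts, a common backup or template directory) or a mount-namespace escape then grants one container plain DAC access to another's files, which distinct per-container ranges would prevent. The `# Should we read them from /etc/subuid?` comment points the right way: allocate a separate range per CT (for example derived from the vmid and checked against /etc/subuid and /etc/subgid), and record it in the config at create time since the rootfs ownership is bound to it. Also worth documenting on these lines that container uids above 65535 are left unmapped and show up as nobody, so a guest creating such users will see failures. `update_lxc_config` starts and ends outside the hunk.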
@@ -1224,6 +1242,8 @@ sub update_pct_config {
 		my $mountpoint = parse_ct_mountpoint($conf->{$opt});
 		add_unused_volume($conf, $mountpoint->{volume});
 		delete $conf->{$opt};
+	    } elsif ($opt eq 'unprivileged') {
+		die "unable to delete read-only option: '$opt'\n";
 	    } else {
 		die "implement me"
 	    }
@@ -1296,6 +1316,8 @@ sub update_pct_config {
         } elsif ($opt eq 'rootfs') {
 	    check_protection($conf, "can't update CT $vmid drive '$opt'");
 	    die "implement me: $opt";
+	} elsif ($opt eq 'unprivileged') {
+	    die "unable to modify read-only option: '$opt'\n";
 	} else {
 	    die "implement me: $opt";
 	}
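Review bot: The read-only guard covers only `unprivileged`, yet the commit message states that `lxc.id_map` entries carry the same create-time-only constraint because the rootfs ownership is bound to the mapping; if custom `lxc.id_map` lines remain settable through the raw `lxc` option after creation (its handling is not visible in this hunk), the same ownership mismatch stays reachable by that route. I would reject an `lxc.id_map` entry in the `lxc` option with the same "read-only" error once the container exists, or at least state in the schema description of `lxc` that the mapping may only be given at creation. `update_pct_config` starts and ends outside the hunk.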
diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index 5f76b88..441b445 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -157,7 +157,7 @@ sub restore_and_configure {
 	    my $oldconf = PVE::LXC::parse_pct_config("/lxc/$vmid.conf", $raw);
 
 	    foreach my $key (keys %$oldconf) {
-		next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots';
+		next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots' || $key eq 'unprivileged';
 		$conf->{$key} = $oldconf->{$key} if !defined($conf->{$key});
 	    }
 	    unlink($pct_cfg_fn);
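Review bot: Skipping `unprivileged` when merging the archived config means a backup of an unprivileged container restored without the caller repeating the flag comes back as a privileged container, while its extracted rootfs presumably still carries the shifted ownership the archive was taken with (the extraction is outside this hunk), so the flag and the filesystem disagree, which is exactly what the read-only restriction elsewhere in this patch is meant to prevent; the reverse applies to a privileged archive restored with the flag set. I would take the archived value as the default when the caller gave none, `$conf->{unprivileged} = $oldconf->{unprivileged} if !defined($conf->{unprivileged}) && $oldconf->{unprivileged};`, and die when the caller's choice contradicts the archive's rather than silently proceeding. `restore_and_configure` starts and ends outside the hunk.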
@@ -198,7 +198,7 @@ sub create_rootfs {
 	PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $old_conf);
 
 	# do not copy all settings to restored container
-	foreach my $opt (qw(rootfs digest snapshots arch ostype)) {
+	foreach my $opt (qw(rootfs digest snapshots arch ostype unprivileged)) {
 	    delete $old_conf->{$opt};
 	}
 	foreach my $opt (keys %$old_conf) {
-- 
2.1.4




