[pve-devel] [RFC pve-container 0/6] Unprivileged containers

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Nov 12 14:00:23 CET 2015

A few changes are needed for unprivileged containers:
1) Mounting has to happen in the pre-start hook, as the mount and
pre-mount hooks don't have the required permissions when executing
under a user-namespace.
So mounts now happen onto /var/lib/lxc/${vmid}/rootfs, and the LXC
config simply gets that path as root fs.
This means that mounting happens before entering the container's
namespace, so we now unshare the host's namespace before starting
lxc-start (patch 4).

2+3) Unprivileged containers are created by passing the 'unprivileged'
flag. This will create a default id map of `0 100000 65536`.
Extracting a template now uses lxc-usernsexec to do the extraction
in the target namespace. As for other actions happening in LXC::Setup,
the ct_* file access wrappers now reown created files to the mapped
target root user (usually 100000), but if the config specifies a custom
id_map via lxc.id_map properties they will be taken into account.

When restoring from a backup the 'unprivileged' option is deleted from
the old config. In order to restore as an unprivileged container the
parameter has to be passed to the restore command just like with the
create command.

4) In order to not clobber the host namespace with mounts we now
unshare the mount namespace before running lxc-start.

5) For vzdump support we use the same lxc-usernsexec command only for
the `tar` command. That way there's no visible difference between the
backup of a privileged and an unprivileged container other than the
value of the 'unprivileged' property found in the contained pct.conf
which is replaced at restore time.

This means backup+restore can be used to convert between privileged
and unprivileged containers.

TODO: Discuss whether to introduce permissions+checks for the
unprivileged flag in create/restore.

Wolfgang Bumiller (6):
  mount in pre-start, unmount in post-stop
  LXC::Setup: id_map support for file wrappers
  added the unprivileged flag
  unshare lxc-start into a slave mount namespace
  vzdump: userns support
  remove --totals from COMMON_TAR_FLAGS

 src/Makefile               |   3 +-
 src/PVE/API2/LXC.pm        |   5 ++
 src/PVE/API2/LXC/Status.pm |   3 +-
 src/PVE/LXC.pm             |  70 +++++++++++++++++++++--
 src/PVE/LXC/Create.pm      |  15 +++--
 src/PVE/LXC/Setup.pm       |   8 +++
 src/PVE/LXC/Setup/Base.pm  |  34 +++++++++--
 src/PVE/VZDump/LXC.pm      |   6 +-
 src/lxc-pve-mount-hook     | 139 ---------------------------------------------
 src/lxc-pve-poststop-hook  |   4 ++
 src/lxc-pve-prestart-hook  |  39 ++++++++++++-
 src/lxc-pve.conf           |   1 -
 12 files changed, 163 insertions(+), 164 deletions(-)
 delete mode 100755 src/lxc-pve-mount-hook
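The id-map rule described in the 2+3) paragraph above (default map `0 100000 65536`, custom `lxc.id_map` entries taking precedence, created files reowned to the mapped target root), as an added example that is not part of this series or of the pve-container code. It assumes the config is handed over as a list of lines of the form `lxc.id_map = u|g <ct_start> <host_start> <count>` (the `key: value` form used in pct.conf is accepted too), and it goes slightly beyond the text by supporting several ranges per id kind, which LXC allows.

```python
"""Translate container-side uid/gid values to the host ids backing them.

Added example, not pve-container code.  Models what a ct_* file wrapper
needs to know before chowning a file it created on behalf of the
container: which host id corresponds to a given id inside the container.
Assumed input format: lines "lxc.id_map = u|g <ct_start> <host_start> <count>"
(or "lxc.id_map: ..."); when a kind has no entry, the default map
"0 100000 65536" of the 'unprivileged' flag is used for it.
"""
import re

# Default id map created by the 'unprivileged' flag: container id 0 maps
# to host id 100000, covering 65536 ids (same for uids and gids).
DEFAULT_ID_MAP = (0, 100000, 65536)

# Accept both "key = value" (raw lxc config) and "key: value" (pct.conf style).
_ID_MAP_RE = re.compile(
    r'^\s*lxc\.id_map\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$')


def parse_id_map(config_lines):
    """Return {'u': [(ct_start, host_start, count), ...], 'g': [...]}.

    Non-id_map lines are ignored.  A kind with no explicit entries falls
    back to DEFAULT_ID_MAP, mirroring the default created for the
    'unprivileged' flag.
    """
    maps = {'u': [], 'g': []}
    for line in config_lines:
        m = _ID_MAP_RE.match(line)
        if not m:
            continue
        kind = m.group(1)
        ct_start, host_start, count = (int(x) for x in m.group(2, 3, 4))
        maps[kind].append((ct_start, host_start, count))
    for kind, ranges in maps.items():
        if not ranges:
            maps[kind] = [DEFAULT_ID_MAP]
    return maps


def map_id(ranges, ct_id):
    """Translate one container-side id to the host id it is backed by.

    Raises ValueError for an id outside every range: such an id has no
    host identity at all, so a file chowned to it on the host would be
    unreachable (it shows up as the overflow 'nobody' id in the container).
    """
    for ct_start, host_start, count in ranges:
        if ct_start <= ct_id < ct_start + count:
            return host_start + (ct_id - ct_start)
    raise ValueError(f"container id {ct_id} is not covered by the id map")


def host_owner(config_lines, ct_uid=0, ct_gid=0):
    """Host (uid, gid) a file must be chowned to so that it is owned by
    (ct_uid, ct_gid) inside the container.  Defaults to the container root,
    i.e. the "mapped target root user" the ct_* wrappers reown files to."""
    maps = parse_id_map(config_lines)
    return map_id(maps['u'], ct_uid), map_id(maps['g'], ct_gid)


if __name__ == "__main__":
    # Constructed sample configs, not taken from any real container.
    print(host_owner([]))                      # default map -> (100000, 100000)
    custom = ["lxc.id_map = u 0 200000 65536",
              "lxc.id_map = g 0 200000 65536"]
    print(host_owner(custom, 1000, 1000))      # -> (201000, 201000)
```

`host_owner` is the piece a file wrapper would call right after creating a file: it answers "what host uid/gid does container root (or any container id) correspond to?" without touching the filesystem, so the same logic can be exercised against a config before the container is ever started.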
