[pve-devel] applied: [PATCH v2 container 0/2] feature flags
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Oct 3 13:50:13 CEST 2018
On 10/2/18 11:13 AM, Wolfgang Bumiller wrote:
> This series adds a 'features' config option adding support for nesting,
> mounting and some quirks the user should know about when dealing with
> these settings.
> This makes use of the new apparmor profile generation & namespacing
> feature in lxc.
>
> This is updated with Thomas' feedback:
> - Dropped the specific permission checks and simply limited
> permissions to root@pam for now. We can still soften the
> restrictions later.
> - Code cleanup ($unprivileged vs $custom_idmap).
>
> For example:
> Given an unprivileged container `100`:
> # pct set 100 --features nesting=1
> is all that's required to run `lxd` inside the container.
>
> With docker the story is slightly different as it requires access to
> `keyctl` which systemd-networkd _cannot_ have access to, so for nested
> docker:
> # pct set 100 --features nesting=1,keyctl=1
> And you cannot depend on systemd-networkd in that container.
>
> To mount network file systems such as cifs or nfs:
> # pct set 100 --features 'mount=cifs;nfs'
>
> Note that mounting block devices via `loop` devices will not work
> without also manually passing /dev/loop* to the containers. Since this
> has a rather large security impact I'm unsure we ever want to make this
> easy (see my forum post in [1]).
>
> [1] https://forum.proxmox.com/threads/mount-via-loop-device-in-container.47398/#post-223325
>
> Wolfgang Bumiller (2):
> config: whitelist new apparmor related config keys
> add feature flags using apparmor profile generation
>
> debian/control | 2 +-
> src/PVE/LXC.pm | 105 ++++++++++++++++++++++++++++++++++++++++++++++++--
> src/PVE/LXC/Config.pm | 55 ++++++++++++++++++++++++++
> 3 files changed, 157 insertions(+), 5 deletions(-)
>
applied series, thanks!
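As an added example (not part of this thread and not PVE's own code), a small Python script that parses the `features` string described in the cover letter and reports which privilege-relevant flags a container config enables. The accepted key set (`nesting`, `keyctl`, `mount`), the `;`-separated mount list and the `key: value` config layout are taken from the cover letter; treating them as the complete grammar is an assumption.

```python
import re

BOOL_KEYS = ("nesting", "keyctl")
NETWORK_FS = {"cifs", "nfs"}  # the two fs types the cover letter names; others get flagged

def parse_features(value):
    """'nesting=1,keyctl=1,mount=cifs;nfs' -> {'nesting': True, 'keyctl': True, 'mount': [...]}.
    Assumed grammar: comma-separated key=value, mount takes a ';'-separated fs list."""
    features = {}
    for part in filter(None, value.split(",")):
        key, sep, raw = part.partition("=")
        if not sep or key in features:
            raise ValueError(f"malformed or duplicate feature {part!r}")
        if key == "mount":
            fstypes = [f for f in raw.split(";") if f]
            if not fstypes or any(not re.fullmatch(r"[a-z0-9_]+", f) for f in fstypes):
                raise ValueError(f"bad mount list {raw!r}")
            features[key] = fstypes
        elif key in BOOL_KEYS:
            if raw not in ("0", "1"):
                raise ValueError(f"{key} must be 0 or 1, got {raw!r}")
            features[key] = raw == "1"
        else:
            raise ValueError(f"unknown feature {key!r}")
    return features

def audit_config(conf_text):
    """Return human-readable findings for one pct config ('key: value' lines)."""
    opts = {}
    for line in conf_text.splitlines():
        key, sep, val = line.partition(":")
        if sep and not line.startswith("#"):
            opts[key.strip()] = val.strip()
    feats = parse_features(opts.get("features", ""))
    findings = []
    if feats.get("nesting"):
        findings.append("nesting=1: nested containers (e.g. lxd) can run inside")
    if feats.get("keyctl"):
        findings.append("keyctl=1: keyctl exposed; systemd-networkd inside cannot be relied on")
    for fs in feats.get("mount", []):
        tag = "network fs" if fs in NETWORK_FS else "UNEXPECTED fs type"
        findings.append(f"mount={fs}: {tag} mountable from inside the container")
    return findings

# Constructed sample configs, not taken from any real host.
SAMPLE_DOCKER = "arch: amd64\nunprivileged: 1\nfeatures: nesting=1,keyctl=1\n"
SAMPLE_NFS = "arch: amd64\nunprivileged: 1\nfeatures: mount=cifs;nfs\n"
if __name__ == "__main__":
    for name, conf in (("100", SAMPLE_DOCKER), ("101", SAMPLE_NFS)):
        print(name, audit_config(conf))
```

Pointing `audit_config` at the text of each `/etc/pve/lxc/<vmid>.conf` gives a quick inventory of which containers carry nesting, keyctl or mount permissions.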