[pve-devel] [PATCH container/manager v2] default nesting for unpriv containers in ui
Dominik Csapak
d.csapak at proxmox.com
Wed Aug 4 12:51:06 CEST 2021

since many modern containers need the nesting feature to work properly
(thanks systemd...), we add a checkbox that is on by default
(and disables with unprivileged, since nested privileged containers
are not very secure)

to do that, we first have to loosen the nesting constraints in the api
a bit. we do that by allowing to set that for unprivileged containers
when the user has the 'VM.Allocate' privilege.
(just to note: a user with that right can also create privileged
containers, but could not enable nesting for them)

changes from v1:
* prevent comparing undefined $(old)features->{$features} by first
  extracting it into a variable with a fallback of '' and compare that
* reorder the permission checks so that they are returned consistently
* add patch that removes features when restoring an unprivileged
  container as privileged

pve-container:

Dominik Csapak (3):
  add old config and unprivileged to check_ct_modify_config_perm
  allow nesting to be changed for VM.Allocate on unprivileged containers
  skip features when restoring an unprivileged container as privileged

 src/PVE/API2/LXC.pm        |  6 +--
 src/PVE/API2/LXC/Config.pm | 95 +++++++++++++++++++-------------------
 src/PVE/LXC.pm             | 47 +++++++++++++++++--
 src/PVE/LXC/Create.pm      |  5 ++
 4 files changed, 100 insertions(+), 53 deletions(-)

pve-manager:

Dominik Csapak (2):
  ui: lxc/Options: allow opening features window for VM.Allocate
  ui: lxc/CreateWizard: add a 'nesting' checkbox and enable it by
    default

 www/manager6/lxc/CreateWizard.js | 10 ++++++++++
 www/manager6/lxc/Options.js      |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

--
2.30.2