[pve-devel] [PATCH container 1/1] close #1543: allow low-level lxc update

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Jan 27 12:05:33 CET 2025 

On January 23, 2025 11:29 pm, Simon LEONARD wrote:
> Signed-off-by: Simon LEONARD <git-1001af4 at sinux.sh>
> ---
>  src/PVE/API2/LXC/Config.pm | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
> index 5cbc014..0697043 100644
> --- a/src/PVE/API2/LXC/Config.pm
> +++ b/src/PVE/API2/LXC/Config.pm
> @@ -123,7 +123,13 @@ __PACKAGE__->register_method({
>  		    description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
>  		    maxLength => 40,
>  		    optional => 1,
> -		}
> +		},
> +		lxc => {
> +		    description => "Array of lxc low-level configurations ([[key1, value1], [key2, value2] ...]).",
> +		    type => 'array',
> +		    items => { type => 'array', items => { type => 'string' }},
> +		    optional => 1,
> +		},
>  	    }),
>      },
>      returns => { type => 'null'},
> @@ -208,6 +214,10 @@ __PACKAGE__->register_method({
>  
>  	    my $running = PVE::LXC::check_running($vmid);
>  
> +	    if (defined($param->{lxc})) {
> +		$conf->{lxc} = $param->{lxc};

this would need to at least check that the provided values are valid
(PVE::LXC::Config::is_valid_lxc_conf_key)..

but it would also need to be limited to root at pam only (in
PVE::LXC::check_ct_modify_config_perm), since it allows overriding
fundamental settings also related to the security of the container..

what options are you frequently setting that would require this? we try
to move those to PVE-provided options with proper ACLs to avoid the need
for such root-only calls..

> +	    }
> +
>  	    my $errors = PVE::LXC::Config->update_pct_config($vmid, $conf, $running, $param, \@delete, \@revert);
>  	    # don't write to config if we get any errors – this can result in a broken config
>  	    raise_param_exc($errors) if scalar(keys %$errors);
> -- 
> 2.48.1
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>

More information about the pve-devel mailing list