[pve-devel] [PATCH container] oci create: fix creating privileged containers
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Nov 26 09:55:08 CET 2025
Am 26.11.25 um 09:31 schrieb Fabian Grünbichler:
> On November 25, 2025 3:19 pm, Filip Schauer wrote:
>> Previously, creating privileged containers from OCI images failed with:
>> `unable to create CT 123 - Invalid argument`
>>
>> This was caused by an empty $id_map being passed to run_in_userns.
>>
>> This commit fixes this by making the call to run_in_userns conditional,
>> based on whether $id_map is empty or not.
>>
>> Reported in the Proxmox forum:
>> https://forum.proxmox.com/threads/proxmox-virtual-environment-9-1-available.176255/post-818600
>>
>> Signed-off-by: Filip Schauer <f.schauer at proxmox.com>
> or we could forbid creating them, since we want to get rid of privileged
> containers mid-to-longterm anyway?
Yeah, I had a similar reply as draft here. If it never worked at all for OCI,
that might be indeed the better route. It might be better to put your energy
into improving the UX for unprivileged CTs (uid shifts, bind mounts, ...?)
so that any still existing need (or simply less friction) for using privileged
ones goes away. As with that we could indeed start sunsetting them with PVE 10
(e.g. remove from UI in that version, then in PVE 11 from the create API, only
allowing to run pre-existing CTs).
More information about the pve-devel
mailing list