[PVE-User] Debian buster, systemd, container and nesting=1
Marco Gaiarin
gaio at sv.lnf.it
Tue Mar 3 18:50:14 CET 2020
Hello! Stoiko Ivanov
On that day, you were saying...
> AFAICU one robust (although not very performant) way to run an AD DC with
> NTACLs in an unprivileged container would be to use the xattr_tdb module
> (not actively tested though):
> https://wiki.samba.org/index.php/Using_the_xattr_tdb_VFS_Module
I asked specifically on the samba ML; xattr_tdb is a test module, broken, that
MUST NOT be used in production.
The only ''supported'' way to run a Samba AD DC is via filesystem XATTRs.
Also, it seems the same 'troubles' hit BSD Jails:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844
https://bugzilla.samba.org/show_bug.cgi?id=12912
see:
https://lists.samba.org/archive/samba/2020-February/228653.html
> They are independent - a good explanation of what nesting does can be
> found in our source:
> https://git.proxmox.com/?p=pve-container.git;a=blob;f=src/PVE/LXC.pm;h=34ca2a357294f63e8b49d965bd54c24905642e17;hb=HEAD#l581
> (it allows, among other things, mounting /proc and /sys, which is
> problematic for privileged containers)
>
> The issue with apache('s systemd-unit) in the privileged container, is
> that the mount is denied by apparmor (the apparmor rules are stricter for
> privileged containers, than for unprivileged, because if someone breaks
> out of an unprivileged container they are only a regular user on the host)
>
> I hope this explains it.
Ahem, no. ;-)
But indeed it is my fault that I know very little about systemd, apparmor
and all this new wizardry... ;-)
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
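As an added illustration of the xattr point discussed above (this is not code from the thread, from Samba or from Proxmox): a small Python probe that creates a scratch file in a directory, tries to set, read back and remove one attribute in the user.* namespace and one in the security.* namespace, and reports which of the two the kernel lets through. It assumes the Samba attribute names security.NTACL and user.DOSATTRIB (facts about Samba, not stated in the thread); the probe attribute user.pve_probe is a made-up name.

```python
"""Probe whether a directory can hold the xattrs a Samba AD DC writes.

Added example for the pve-user thread above; not Samba's or Proxmox's code.
"""
import errno
import os
import sys
import tempfile

# Samba keeps NT ACLs in security.NTACL and DOS attributes in user.DOSATTRIB
# (facts about Samba, not stated in the thread). Writing to security.* needs
# CAP_SYS_ADMIN in the initial user namespace, which an unprivileged LXC
# container does not have; user.* only needs a filesystem with xattr support.
PROBES = {
    "user": "user.pve_probe",      # constructed name, stands in for user.DOSATTRIB
    "security": "security.NTACL",  # the attribute Samba actually uses
}

# errno values meaning "this filesystem or mount has no xattr support"
UNSUPPORTED_ERRNOS = tuple(sorted({
    getattr(errno, "EOPNOTSUPP", 95),
    getattr(errno, "ENOTSUP", 95),
}))


def classify(exc):
    """Map an OSError raised by setxattr() to a short reason code."""
    if exc.errno in UNSUPPORTED_ERRNOS:
        return "unsupported"   # filesystem/mount lacks xattr support entirely
    if exc.errno in (errno.EPERM, errno.EACCES):
        return "denied"        # namespace refused: user namespace / capability limit
    return "error"


def probe_xattr(directory):
    """Set, read back and remove each probe attribute on a scratch file.

    Returns {namespace: (status, detail)} where status is one of
    "ok", "unsupported", "denied" or "error".
    """
    if not hasattr(os, "setxattr"):
        return {ns: ("unsupported", "no xattr syscalls on this platform")
                for ns in PROBES}
    results = {}
    fd, scratch = tempfile.mkstemp(dir=directory, prefix=".xattr-probe-")
    os.close(fd)
    try:
        for ns, name in PROBES.items():
            try:
                os.setxattr(scratch, name, b"probe")
                readback = os.getxattr(scratch, name)
                os.removexattr(scratch, name)
                if readback == b"probe":
                    results[ns] = ("ok", "")
                else:
                    results[ns] = ("error", "read back %r" % (readback,))
            except OSError as exc:
                results[ns] = (classify(exc), os.strerror(exc.errno or 0))
    finally:
        os.unlink(scratch)   # the scratch file is always removed
    return results


def probe_tempdir():
    """Convenience: probe a fresh temporary directory on the current filesystem."""
    directory = tempfile.mkdtemp(prefix="xattr-probe-")
    try:
        return probe_xattr(directory)
    finally:
        os.rmdir(directory)


def verdict(results):
    """One-line summary from the point of view of a Samba AD DC with NTACLs."""
    user, security = results["user"][0], results["security"][0]
    if user == "ok" and security == "ok":
        return "ok: user.* and security.* xattrs are writable here"
    if security == "denied":
        return ("blocked: security.* writes are refused (%s); this is what an "
                "unprivileged container looks like, NTACLs cannot be stored"
                % results["security"][1])
    if "unsupported" in (user, security):
        return "blocked: the filesystem or mount has no xattr support"
    return "unknown: %r" % (results,)


if __name__ == "__main__":
    # Usage: python3 xattr_probe.py /path/inside/the/container
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    res = probe_xattr(target)
    for ns, (status, detail) in res.items():
        print("%-9s %-12s %s" % (ns, status, detail))
    print(verdict(res))
```

Run it inside the container against the directory where Samba will keep its data. On a privileged container (or the host) with an xattr-capable filesystem both namespaces come back "ok"; in an unprivileged container the usual picture is user.* "ok" and security.* "denied", which is the situation the thread is about, and no VFS module changes what the kernel refuses there.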