lxc_config: mount /sys as mixed for unprivileged by default

[pve-container.git] / src / PVE / LXC / Config.pm

diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 310aba6e7858df109448dc0ff2f38ba64122a54e..0909773f312432526d2f64f5ca42e1f06681b437 100644 (file)
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -331,6 +331,13 @@ my $features_desc = {
            ." This requires a kernel with seccomp trap to user space support (5.3 or newer)."
            ." This is experimental.",
     },
+    force_rw_sys => {
+       optional => 1,
+       type => 'boolean',
+       default => 0,
+       description => "Mount /sys in unprivileged containers as `rw` instead of `mixed`."
+           ." This can break networking under newer (>= v245) systemd-network use."
+    },
 };
 
 my $confdesc = {
@@ -1268,7 +1275,6 @@ sub vmconfig_apply_pending {
     # FIXME: $force deletion is not implemented for CTs
     foreach my $opt (sort keys %$pending_delete_hash) {
        next if $selection && !$selection->{$opt};
-       $class->cleanup_pending($conf);
        eval {
            if ($opt =~ m/^mp(\d+)$/) {
                my $mp = $class->parse_ct_mountpoint($conf->{$opt});
@@ -1289,6 +1295,8 @@ sub vmconfig_apply_pending {
        }
     }
 
+    $class->cleanup_pending($conf);
+
     foreach my $opt (sort keys %{$conf->{pending}}) { # add/change
        next if $opt eq 'delete'; # just to be sure
        next if $selection && !$selection->{$opt};
@@ -1304,7 +1312,6 @@ sub vmconfig_apply_pending {
        if (my $err = $@) {
            $add_apply_error->($opt, $err);
        } else {
-           $class->cleanup_pending($conf);
            $conf->{$opt} = delete $conf->{pending}->{$opt};
        }
     }