]> git.proxmox.com Git - pve-container.git/blobdiff - src/PVE/LXC/Config.pm
projects / pve-container.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
lxc_config: mount /sys as mixed for unprivileged by default
[pve-container.git] / src / PVE / LXC / Config.pm
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index ffc591101fd3d5402e2372ce72cd0e9af3fb563b..0909773f312432526d2f64f5ca42e1f06681b437 100644 (file)
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -323,6 +323,21 @@ my $features_desc = {
        description => "Allow using 'fuse' file systems in a container."
            ." Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.",
     },
+    mknod => {
+       optional => 1,
+       type => 'boolean',
+       default => 0,
+       description => "Allow unprivileged containers to use mknod() to add certain device nodes."
+           ." This requires a kernel with seccomp trap to user space support (5.3 or newer)."
+           ." This is experimental.",
+    },
+    force_rw_sys => {
+       optional => 1,
+       type => 'boolean',
+       default => 0,
+       description => "Mount /sys in unprivileged containers as `rw` instead of `mixed`."
+           ." This can break networking under newer (>= v245) systemd-network use."
+    },
 };
 
 my $confdesc = {
@@ -1188,7 +1203,7 @@ sub vmconfig_hotplug_pending {
                PVE::LXC::write_cgroup_value("cpu", $vmid, "cpu.cfs_period_us", -1);
                PVE::LXC::write_cgroup_value("cpu", $vmid, "cpu.cfs_quota_us", -1);
            } elsif ($opt eq 'cpuunits') {
-               PVE::LXC::write_cgroup_value("cpu", $vmid, "cpu.shared", $confdesc->{cpuunits}->{default});
+               PVE::LXC::write_cgroup_value("cpu", $vmid, "cpu.shares", $confdesc->{cpuunits}->{default});
            } elsif ($opt =~ m/^net(\d)$/) {
                my $netid = $1;
                PVE::Network::veth_delete("veth${vmid}i$netid");
@@ -1260,7 +1275,6 @@ sub vmconfig_apply_pending {
     # FIXME: $force deletion is not implemented for CTs
     foreach my $opt (sort keys %$pending_delete_hash) {
        next if $selection && !$selection->{$opt};
-       $class->cleanup_pending($conf);
        eval {
            if ($opt =~ m/^mp(\d+)$/) {
                my $mp = $class->parse_ct_mountpoint($conf->{$opt});
@@ -1281,6 +1295,8 @@ sub vmconfig_apply_pending {
        }
     }
 
+    $class->cleanup_pending($conf);
+
     foreach my $opt (sort keys %{$conf->{pending}}) { # add/change
        next if $opt eq 'delete'; # just to be sure
        next if $selection && !$selection->{$opt};
@@ -1296,7 +1312,6 @@ sub vmconfig_apply_pending {
        if (my $err = $@) {
            $add_apply_error->($opt, $err);
        } else {
-           $class->cleanup_pending($conf);
            $conf->{$opt} = delete $conf->{pending}->{$opt};
        }
     }
@@ -1307,8 +1322,7 @@ sub vmconfig_apply_pending {
 my $rescan_volume = sub {
     my ($storecfg, $mp) = @_;
     eval {
-       $mp->{size} = PVE::Storage::volume_size_info($storecfg, $mp->{volume}, 5)
-           if !defined($mp->{size});
+       $mp->{size} = PVE::Storage::volume_size_info($storecfg, $mp->{volume}, 5);
     };
     warn "Could not rescan volume size - $@\n" if $@;
 };
PVE Container Toolkit