X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FLXC%2FConfig.pm;h=cde244539b0f134cbaa22e2bac37fab940563702;hb=5a63f1c5d3b995dd682a70e7fbd1364240e09278;hp=a3e6e6489b33f6a981b1554fd0ead327af7cc769;hpb=67779c3cd4ef2fd938fa832f36e5142e29e1055e;p=pve-container.git diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm index a3e6e64..cde2445 100644 --- a/src/PVE/LXC/Config.pm +++ b/src/PVE/LXC/Config.pm @@ -272,6 +272,41 @@ PVE::JSONSchema::register_standard_option('pve-lxc-snapshot-name', { maxLength => 40, }); +my $features_desc = { + mount => { + optional => 1, + type => 'string', + description => "Allow mounting file systems of specific types." + ." This should be a list of file system types as used with the mount command." + ." Note that this can have negative effects on the container's security." + ." With access to a loop device, mounting a file can circumvent the mknod" + ." permission of the devices cgroup, mounting an NFS file system can" + ." block the host's I/O completely and prevent it from rebooting, etc.", + format_description => 'fstype;fstype;...', + pattern => qr/[a-zA-Z0-9; ]+/, + }, + nesting => { + optional => 1, + type => 'boolean', + default => 0, + description => "Allow nesting." + ." Best used with unprivileged containers with additional id mapping." + ." Note that this will expose procfs and sysfs contents of the host" + ." to the guest.", + }, + keyctl => { + optional => 1, + type => 'boolean', + default => 0, + description => "For unprivileged containers only: Allow the use of the keyctl() system call." + ." This is required to use docker inside a container." + ." By default unprivileged containers will see this system call as non-existent." + ." This is mostly a workaround for systemd-networkd, as it will treat it as a fatal" + ." error when some keyctl() operations are denied by the kernel due to lacking permissions." + ." Essentially, you can choose between running systemd-networkd or docker.", + }, +}; + my $confdesc = { lock => { optional => 1, @@ -295,7 +330,7 @@ my $confdesc = { arch => { optional => 1, type => 'string', - enum => ['amd64', 'i386'], + enum => ['amd64', 'i386', 'arm64', 'armhf'], description => "OS architecture type.", default => 'amd64', }, @@ -409,11 +444,19 @@ my $confdesc = { description => "Makes the container run as unprivileged user. (Should not be modified manually.)", default => 0, }, + features => { + optional => 1, + type => 'string', + format => $features_desc, + description => "Allow containers access to advanced features.", + }, }; my $valid_lxc_conf_keys = { 'lxc.apparmor.profile' => 1, 'lxc.apparmor.allow_incomplete' => 1, + 'lxc.apparmor.allow_nesting' => 1, + 'lxc.apparmor.raw' => 1, 'lxc.selinux.context' => 1, 'lxc.include' => 1, 'lxc.arch' => 1, @@ -870,6 +913,9 @@ sub update_pct_config { } } elsif ($opt eq 'unprivileged') { die "unable to delete read-only option: '$opt'\n"; + } elsif ($opt eq 'features') { + next if $hotplug_error->($opt); + delete $conf->{$opt}; } else { die "implement me (delete: $opt)" } @@ -1023,6 +1069,9 @@ sub update_pct_config { } elsif ($opt eq 'ostype') { next if $hotplug_error->($opt); $conf->{$opt} = $value; + } elsif ($opt eq 'features') { + next if $hotplug_error->($opt); + $conf->{$opt} = $value; } else { die "implement me: $opt"; } @@ -1174,6 +1223,12 @@ sub parse_lxc_network { return $res; } +sub parse_features { + my ($class, $data) = @_; + return {} if !$data; + return PVE::JSONSchema::parse_property_string($features_desc, $data); +} + sub option_exists { my ($class, $name) = @_;