my $same_container_exists = -f $basecfg_fn;
+ # 'unprivileged' is read-only, so we can't pass it to update_pct_config
+ my $unprivileged = extract_param($param, 'unprivileged');
+
my $restore = extract_param($param, 'restore');
if ($restore) {
PVE::LXC::update_pct_config($vmid, $conf, 0, $no_disk_param);
+ $conf->{unprivileged} = 1 if $unprivileged;
+
my $check_vmid_usage = sub {
if ($force) {
die "can't overwrite running container\n"
description => "Sets the protection flag of the container. This will prevent the remove operation. This will prevent the CT or CT's disk remove/update operation.",
default => 0,
},
+ unprivileged => {
+ optional => 1,
+ type => 'boolean',
+ description => "Makes the container run as unprivileged user. (Should not be modified manually.)",
+ default => 0,
+ },
};
my $valid_lxc_conf_keys = {
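Review bot: The schema description for `unprivileged` does not say the option is fixed at creation, although the other hunks in this commit make update_pct_config reject both modifying and deleting it. An API user reading only the schema sees an ordinary optional boolean. I would word it as `description => "Makes the container run as unprivileged user. Can only be set when the container is created. (Should not be modified manually.)",`. The schema hash begins outside this hunk.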
die "missing 'arch' - internal error" if !$conf->{arch};
$raw .= "lxc.arch = $conf->{arch}\n";
+ my $unprivileged = $conf->{unprivileged};
+ my $custom_idmap = grep { $_->[0] eq 'lxc.id_map' } @{$conf->{lxc}};
+
my $ostype = $conf->{ostype} || die "missing 'ostype' - internal error";
if ($ostype =~ /^(?:debian | ubuntu | centos | archlinux)$/x) {
$raw .= "lxc.include = /usr/share/lxc/config/$ostype.common.conf\n";
+ if ($unprivileged || $custom_idmap) {
+ $raw .= "lxc.include = /usr/share/lxc/config/$ostype.userns.conf\n"
+ }
} else {
die "implement me";
}
+ # Should we read them from /etc/subuid?
+ if ($unprivileged && !$custom_idmap) {
+ $raw .= "lxc.id_map = u 0 100000 65536\n";
+ $raw .= "lxc.id_map = g 0 100000 65536\n";
+ }
+
if (!has_dev_console($conf)) {
$raw .= "lxc.console = none\n";
$raw .= "lxc.cgroup.devices.deny = c 5:1 rwm\n";
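Review bot: The fixed mapping `u 0 100000 65536` / `g 0 100000 65536` added before the has_dev_console check gives every unprivileged container the same host id range, so host-side file ownership does not separate one unprivileged container from another. Nothing visible here ties the range to the host's /etc/subuid and /etc/subgid, which the added comment already questions. Until the range is derived per host or per container, I would replace the question with a statement of the constraint, e.g. `# Fixed range shared by all unprivileged CTs; keep in sync with root's entries in /etc/subuid and /etc/subgid.` Separately, `grep { ... } @{$conf->{lxc}}` dereferences the key directly; if the config parser can leave `lxc` undefined for containers without raw lxc.* lines (not visible in this hunk), `@{$conf->{lxc} // []}` avoids the failure. The enclosing sub starts and ends outside the hunk.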
my $mountpoint = parse_ct_mountpoint($conf->{$opt});
add_unused_volume($conf, $mountpoint->{volume});
delete $conf->{$opt};
+ } elsif ($opt eq 'unprivileged') {
+ die "unable to delete read-only option: '$opt'\n";
} else {
die "implement me"
}
} elsif ($opt eq 'rootfs') {
check_protection($conf, "can't update CT $vmid drive '$opt'");
die "implement me: $opt";
+ } elsif ($opt eq 'unprivileged') {
+ die "unable to modify read-only option: '$opt'\n";
} else {
die "implement me: $opt";
}
my $oldconf = PVE::LXC::parse_pct_config("/lxc/$vmid.conf", $raw);
foreach my $key (keys %$oldconf) {
- next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots';
+ next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots' || $key eq 'unprivileged';
$conf->{$key} = $oldconf->{$key} if !defined($conf->{$key});
}
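Review bot: Skipping `unprivileged` in this merge loop means the mode of a restored container comes only from the restore request. As far as this hunk shows, a backup taken from an unprivileged container and restored without the flag would come back privileged, with no message. If that is intended, a comment such as `# 'unprivileged' is decided by the restore request, never inherited from the archive` would make it explicit. A line like `warn "archive config was unprivileged, restoring as privileged\n" if $oldconf->{unprivileged} && !$conf->{unprivileged};` would make the loss of isolation visible to the operator. The same exclusion is added to the `qw(...)` list for the overwritten container's old config in the following hunk, and the sub containing this loop starts outside the hunk.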
unlink($pct_cfg_fn);
PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $old_conf);
# do not copy all settings to restored container
- foreach my $opt (qw(rootfs digest snapshots arch ostype)) {
+ foreach my $opt (qw(rootfs digest snapshots arch ostype unprivileged)) {
delete $old_conf->{$opt};
}
foreach my $opt (keys %$old_conf) {