[pve-devel] [PATCH v2 container 0/2] feature flags
Wolfgang Bumiller
w.bumiller at proxmox.com
Tue Oct 2 11:13:36 CEST 2018
This series adds a 'features' config option adding support for nesting,
mounting and some quirks the user should know about when dealing with
these settings.
This makes use of the new apparmor profile generation & namespacing
feature in lxc.
This is updated with Thomas' feedback:
- Dropped the specific permission checks and simply limited
permissions to root at pam for now. We can still soften the
restrictions later.
- Code cleanup ($unprivileged vs $custom_idmap).
For example:
Given an unprivileged container `100`:
# pct set 100 --features nesting=1
is all that's required to run `lxd` inside the container.
With docker the story is slightly different as it requires access to
`keyctl` which systemd-networkd _cannot_ have access to, so for nested
docker:
# pct set 100 --features nesting=1,keyctl=1
And you cannot depend on systemd-networkd in that container.
To mount network file systems such as cifs or nfs:
# pct set 100 --features 'mount=cifs;nfs'
Note that mounting block devices via `loop` devices will not work
without also manually passing /dev/loop* to the containers. Since this
has a rather large security impact I'm unsure we ever want to make this
easy (see my forum post in [1]).
[1] https://forum.proxmox.com/threads/mount-via-loop-device-in-container.47398/#post-223325
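As an added illustration (not part of this series or of pve-container's own code), a small Python parser for the `features` value used in the examples above; the grammar (comma-separated key=value, `;`-separated filesystem types for `mount`) is assumed from this mail, and the fstype pattern and caveat strings are my own.

```python
import re

# Feature keys shown in the cover letter; the value grammar is assumed.
BOOL_KEYS = {"nesting", "keyctl"}
# Assumed: filesystem type names are plain lowercase identifiers.
FSTYPE_RE = re.compile(r"^[a-z0-9_]+$")


def parse_features(spec):
    """Parse e.g. 'nesting=1,keyctl=1,mount=cifs;nfs' into a dict.

    Boolean flags become True/False, 'mount' becomes a sorted list of
    filesystem types. Malformed or unknown input raises ValueError so an
    operator never ends up with a silently ignored (or widened) flag."""
    result = {"nesting": False, "keyctl": False, "mount": []}
    if not spec:
        return result
    for item in spec.split(","):
        if "=" not in item:
            raise ValueError(f"expected key=value, got {item!r}")
        key, value = item.split("=", 1)
        if key in BOOL_KEYS:
            if value not in ("0", "1"):
                raise ValueError(f"{key} must be 0 or 1, got {value!r}")
            result[key] = value == "1"
        elif key == "mount":
            fstypes = [t for t in value.split(";") if t]
            bad = [t for t in fstypes if not FSTYPE_RE.match(t)]
            if bad:
                raise ValueError(f"invalid filesystem type(s): {bad}")
            result["mount"] = sorted(set(fstypes))
        else:
            raise ValueError(f"unknown feature {key!r}")
    return result


def is_valid(spec):
    """True if the spec parses cleanly, False otherwise."""
    try:
        parse_features(spec)
        return True
    except ValueError:
        return False


def feature_caveats(features):
    """Operational caveats from the cover letter for each enabled feature."""
    notes = []
    if features["keyctl"]:
        notes.append("keyctl=1: systemd-networkd cannot run in this container")
    if features["mount"]:
        notes.append("mount=%s: container may mount these network filesystems"
                     % ";".join(features["mount"]))
    return notes
```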
Wolfgang Bumiller (2):
config: whitelist new apparmor related config keys
add feature flags using apparmor profile generation
debian/control | 2 +-
src/PVE/LXC.pm | 105 ++++++++++++++++++++++++++++++++++++++++++++++++--
src/PVE/LXC/Config.pm | 55 ++++++++++++++++++++++++++
3 files changed, 157 insertions(+), 5 deletions(-)
--
2.11.0