Re: [pve-devel] [PATCH container 1/1] close #1543: allow low-level lxc update

Mon, 27 Jan 2025 03:06:26 -0800 

On January 23, 2025 11:29 pm, Simon LEONARD wrote:
> Signed-off-by: Simon LEONARD <git-1001...@sinux.sh>
> ---
>  src/PVE/API2/LXC/Config.pm | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
> index 5cbc014..0697043 100644
> --- a/src/PVE/API2/LXC/Config.pm
> +++ b/src/PVE/API2/LXC/Config.pm
> @@ -123,7 +123,13 @@ __PACKAGE__->register_method({
>                   description => 'Prevent changes if current configuration 
> file has different SHA1 digest. This can be used to prevent concurrent 
> modifications.',
>                   maxLength => 40,
>                   optional => 1,
> -             }
> +             },
> +             lxc => {
> +                 description => "Array of lxc low-level configurations 
> ([[key1, value1], [key2, value2] ...]).",
> +                 type => 'array',
> +                 items => { type => 'array', items => { type => 'string' }},
> +                 optional => 1,
> +             },
>           }),
>      },
>      returns => { type => 'null'},
> @@ -208,6 +214,10 @@ __PACKAGE__->register_method({
>  
>           my $running = PVE::LXC::check_running($vmid);
>  
> +         if (defined($param->{lxc})) {
> +             $conf->{lxc} = $param->{lxc};

this would need to at least check that the provided values are valid
(PVE::LXC::Config::is_valid_lxc_conf_key)..

but it would also need to be limited to root@pam only (in
PVE::LXC::check_ct_modify_config_perm), since it allows overriding
fundamental settings also related to the security of the container..

what options are you frequently setting that would require this? we try
to move those to PVE-provided options with proper ACLs to avoid the need
for such root-only calls..

> +         }
> +
>           my $errors = PVE::LXC::Config->update_pct_config($vmid, $conf, 
> $running, $param, \@delete, \@revert);
>           # don't write to config if we get any errors – this can result in a 
> broken config
>           raise_param_exc($errors) if scalar(keys %$errors);
> -- 
> 2.48.1
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to