On Mon, Mar 02, 2026 at 07:05:09PM +0100, Filip Schauer wrote:
> On 02/03/2026 17:37, Filip Schauer wrote:
> > On 27/02/2026 16:33, Wolfgang Bumiller wrote:
> > > We probably want a way to just say "undo the container user
> > > namespace". The pre-start hook gets a `$namespaces` hash passed as 3rd
> > > parameter, we can just open the user namespace fd there for this
> > > purpose.
> > 
> > When `lxc.hook.version = 0` (which seems to be the default), $namespaces
> > remains empty. So yes, we could try to get the namespace fd from
> > $namespaces, but we would just have to fall back to obtaining the
> > namespace manually unless `lxc.hook.version = 1` is set explicitly.
> 
> Or we could fix `PVE::LXC::Tools::lxc_hook`, such that it always finds
> the namespaces.

That.

Alternatively, I'm not sure containers really "work fine" with PVE if
people override `lxc.hook.*` manually, so maybe we should consider
dropping those from the list of valid custom keys and just force version
1?
If that's not an option, maybe we should add `lxc.hook.${hook}.version`
settings to lxc for per-hook versioning...


