A few changes are needed for unprivileged containers:

1) Mounting has to happen in the pre-start hook, as the mount and pre-mount hooks don't have the required permissions when executing under a user-namespace. So mounts now happen onto /var/lib/lxc/${vmid}/rootfs, and the LXC config simply gets that path as root fs. This means that mounting happens before entering the container's namespace, so we now unshare the host's namespace before starting lxc-start (patch 4).

2+3) Unprivileged containers are created by passing the 'unprivileged' flag. This will create a default id map of `0 100000 65536`. Extracting a template now uses lxc-usernsexec to do the extraction in the target namespace. As for other actions happening in LXC::Setup, the ct_* file access wrappers now reown created files to the mapped target root user (usually 100000), but if the config specifies a custom id_map via lxc.id_map properties they will be taken into account. When restoring from a backup the 'unprivileged' option is deleted from the old config. In order to restore as an unprivileged container the parameter has to be passed to the restore command just like with the create command.

4) In order to not clobber the host namespace with mounts we now unshare the mount namespace before running lxc-start.

5) For vzdump support we use the same lxc-usernsexec command only for the `tar` command. That way there's no visible difference between the backup of a privileged and an unprivileged container other than the value of the 'unprivileged' property found in the contained pct.conf which is replaced at restore time. This means backup+restore can be used to convert between privileged and unprivileged containers.

TODO: Discuss whether to introduce permissions+checks for the unprivileged flag in create/restore.

Wolfgang Bumiller (6):
  mount in pre-start, unmount in post-stop
  LXC::Setup: id_map support for file wrappers
  added the unprivileged flag
  unshare lxc-start into a slave mount namespace
  vzdump: userns support
  remove --totals from COMMON_TAR_FLAGS

 src/Makefile               |   3 +-
 src/PVE/API2/LXC.pm        |   5 ++
 src/PVE/API2/LXC/Status.pm |   3 +-
 src/PVE/LXC.pm             |  70 +++++++++++++++++++++--
 src/PVE/LXC/Create.pm      |  15 +++--
 src/PVE/LXC/Setup.pm       |   8 +++
 src/PVE/LXC/Setup/Base.pm  |  34 +++++++++--
 src/PVE/VZDump/LXC.pm      |   6 +-
 src/lxc-pve-mount-hook     | 139 ---------------------------------------------
 src/lxc-pve-poststop-hook  |   4 ++
 src/lxc-pve-prestart-hook  |  39 ++++++++++++-
 src/lxc-pve.conf           |   1 -
 12 files changed, 163 insertions(+), 164 deletions(-)
 delete mode 100755 src/lxc-pve-mount-hook

--
2.1.4
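
The id mapping from items 2+3 above, worked through as an added example (Python, not part of the original mail and not the PVE code): it resolves which host uid/gid a file created for container root must be owned by, using lxc.id_map entries when present and the default map otherwise. The function names are hypothetical, the sample config is constructed, and applying the default `0 100000 65536` to both uids and gids is an assumption.

```python
from typing import NamedTuple, Optional

class IdMapEntry(NamedTuple):
    kind: str        # 'u' for uid ranges, 'g' for gid ranges
    ct_start: int    # first id as seen inside the container
    host_start: int  # first id on the host
    count: int       # number of ids in the range

def default_map() -> list:
    # Default from the cover letter, assumed here to cover uids and gids alike.
    return [IdMapEntry("u", 0, 100000, 65536), IdMapEntry("g", 0, 100000, 65536)]

def parse_id_map(config_text: str) -> list:
    """Collect 'lxc.id_map = <u|g> <ct> <host> <count>' entries from config text."""
    entries = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed lxc.id_map entry: {line!r}")
        ct_start, host_start, count = (int(f) for f in fields[1:])
        entries.append(IdMapEntry(fields[0], ct_start, host_start, count))
    return entries

def to_host_id(entries, kind: str, ct_id: int) -> Optional[int]:
    """Translate a container uid/gid to its host id; None when it is unmapped."""
    for e in entries:
        if e.kind == kind and e.ct_start <= ct_id < e.ct_start + e.count:
            return e.host_start + (ct_id - e.ct_start)
    return None  # unmapped: a chown to this id cannot work inside the namespace

def root_owner(entries) -> tuple:
    """Host (uid, gid) that files written for container root should be owned by."""
    entries = entries or default_map()
    return to_host_id(entries, "u", 0), to_host_id(entries, "g", 0)

# Constructed sample config with a custom map that differs for uids and gids.
SAMPLE = """\
lxc.rootfs = /var/lib/lxc/100/rootfs
lxc.id_map = u 0 200000 1000
lxc.id_map = g 0 300000 1000
"""
```

With no lxc.id_map entries `root_owner` yields the usual 100000 for both ids; ids outside every configured range come back as `None`, which is the case a file wrapper has to treat as an error rather than silently leaving files owned by host root.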