That should be enough for snapd on unprivileged containers. For privileged containers we'd also need a way to not drop the mac_admin capability - not sure we'd want that.
Signed-off-by: Wolfgang Bumiller <[email protected]> --- With this patch you can run snaps in unprivileged ubuntu containers via: pct set $vmid --features nesting=1,fuse=1 For privileged containers you also need to allow mac_admin for the container to be able to create apparmor profiles. (They do stay stacked with the lxc profile, but I'd still not recommend it...) lxc.cap.drop = lxc.cap.drop = mac_override sys_time sys_module sys_rawio (The list above is from common.conf with just mac_admin removed) To test: apt install squashfuse apt install snapd snapd install --beta mysql src/PVE/LXC.pm | 9 +++++++++ src/PVE/LXC/Config.pm | 7 +++++++ 2 files changed, 16 insertions(+) diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index d1b5fcc..787d34f 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -465,6 +465,11 @@ sub make_apparmor_config { my $raw = "lxc.apparmor.profile = generated\n"; my @profile_uses; + if ($features->{fuse}) { + # For the informational warning: + push @profile_uses, 'features:fuse'; + } + # There's lxc.apparmor.allow_nesting now, which will add the necessary # apparmor lines, create an apparmor namespace for the container, but also # adds proc and sysfs mounts to /dev/.lxc/{proc,sys}. These do not have @@ -539,6 +544,10 @@ sub update_lxc_config { $raw .= make_seccomp_config($conf, $unprivileged, $features); $raw .= make_apparmor_config($conf, $unprivileged, $features); + if ($features->{fuse}) { + $raw .= "lxc.apparmor.raw = mount fstype=fuse,\n"; + $raw .= "lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0\n"; + } # WARNING: DO NOT REMOVE this without making sure that loop device nodes # cannot be exposed to the container with r/w access (cgroup perms). diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm index cde2445..9987f50 100644 --- a/src/PVE/LXC/Config.pm +++ b/src/PVE/LXC/Config.pm 
@@ -305,6 +305,13 @@ my $features_desc = { ." error when some keyctl() operations are denied by the kernel due to lacking permissions." ." Essentially, you can choose between running systemd-networkd or docker.", }, + fuse => { + optional => 1, + type => 'boolean', + default => 0, + description => "Allow using 'fuse' file systems in a container." + ." Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.", + }, }; my $confdesc = { -- 2.11.0 _______________________________________________ pve-devel mailing list [email protected] https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
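Review bot: in the make_apparmor_config hunk, the comment "# For the informational warning:" above `push @profile_uses, 'features:fuse';` does not say which warning is meant, and a reader of this function will look for the fuse rule in the generated profile and not find it, because the actual rule (`lxc.apparmor.raw = mount fstype=fuse,`) is emitted later in update_lxc_config. Please name the warning the entry feeds and add a short pointer to where the rule itself is written, or move both pieces into the same function so the feature's apparmor handling is in one place.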
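Review bot: the update_lxc_config hunk bind-mounts /dev/fuse (`lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0`) but adds no devices cgroup entry for it; unless the default device whitelist already covers c 10:229, the node will be present yet open() will fail with EPERM. Either add `lxc.cgroup.devices.allow = c 10:229 rwm` next to the mount entry or state in a comment where that permission is already granted. The apparmor rule `mount fstype=fuse,` is also unrestricted as to mount point and flags; if that is intentional, a one-line comment saying so would save the next reader from tightening it by mistake.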
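Review bot: the new `fuse` entry in $features_desc warns about freezer-cgroup deadlocks but does not tell the user what the flag actually does or when the deadlock can bite. Suggest describing the effect ("bind-mounts /dev/fuse into the container and allows fuse mounts in the apparmor profile") and naming the trigger (operations that freeze the container), so that the trade-off is visible in the documentation rather than only in this patch's cover text; mentioning that snapd needs `nesting=1` in addition to `fuse=1`, as the cover text does, would also belong here.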

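The cover text leaves the reader to verify by hand that a container is actually ready for snaps: /dev/fuse must exist and be permitted by the devices cgroup, the generated config must carry the two fuse lines, and a privileged container must keep CAP_MAC_ADMIN in its bounding set. The following added example (not part of the patch or of pve-container) packages those checks as POSIX sh functions. It assumes cgroup v1 (devices.list under /sys/fs/cgroup/devices), the CapBnd line format of /proc/self/status, and the exact config lines the patch emits; the input strings below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code: readiness checks for features.fuse and the
# privileged mac_admin recipe from the cover text. Each function takes file
# contents as a string so it can be exercised on constructed input; run_checks
# feeds it the live files when executed inside a container.

# 1. Does a cgroup v1 devices.list permit char 10:229 (/dev/fuse)?
#    Accepts an explicit entry, a major-wildcard entry, or the all-devices wildcard.
cgroup_allows_fuse() {
    printf '%s\n' "$1" | grep -Eq '^(a \*:\* rwm|c (10|\*):(229|\*) rwm)$'
}

# 2. Does an LXC config contain both lines the patch emits for features.fuse?
config_has_fuse_lines() {
    printf '%s\n' "$1" | grep -Fq 'lxc.apparmor.raw = mount fstype=fuse,' &&
    printf '%s\n' "$1" | grep -Eq '^lxc\.mount\.entry = /dev/fuse dev/fuse none bind'
}

# 3a. Does an lxc.cap.drop line still drop mac_admin? The cover text's privileged
#     recipe removes it from the list; this tells you which state a config is in.
config_drops_mac_admin() {
    printf '%s\n' "$1" | grep -Eq '^lxc\.cap\.drop *=.*( |=)mac_admin( |$)'
}

# 3b. Is CAP_MAC_ADMIN (capability number 33) set in a CapBnd hex mask as printed
#     by /proc/self/status? Shell arithmetic is 64-bit on Linux, so bit 33 is reachable.
capbnd_has_mac_admin() {
    [ $(( (0x$1 >> 33) & 1 )) -eq 1 ]
}

# Glue for a real container: read the live files and print one line per check.
# (Paths are assumptions for a cgroup v1 host; on cgroup v2 the devices check
# is enforced via BPF and devices.list does not exist.)
run_checks() {
    devs=$(cat /sys/fs/cgroup/devices/devices.list 2>/dev/null)
    bnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    if [ -c /dev/fuse ]; then echo "dev/fuse: present"; else echo "dev/fuse: MISSING"; fi
    if cgroup_allows_fuse "$devs"; then echo "cgroup: allows 10:229"; else echo "cgroup: denies 10:229 (or no devices.list)"; fi
    if capbnd_has_mac_admin "$bnd"; then echo "mac_admin: in bounding set"; else echo "mac_admin: dropped"; fi
}
```

Run `run_checks` inside the container after `pct set $vmid --features nesting=1,fuse=1`; a present /dev/fuse with a denying cgroup is the case to watch for, since the node alone does not make fuse usable. For an unprivileged container "mac_admin: dropped" is the expected and desired result.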