This series adds a 'features' config option adding support for nesting, mounting and some quirks the user should know about when dealing with these settings. This makes use of the new apparmor profile generation & namespacing feature in lxc.
This is updated with Thomas' feedback:
 - Dropped the specific permission checks and simply limited permissions
   to root@pam for now. We can still soften the restrictions later.
 - Code cleanup ($unprivileged vs $custom_idmap).

For example: Given an unprivileged container `100`:

    # pct set 100 --features nesting=1

is all that's required to run `lxd` inside the container.

With docker the story is slightly different as it requires access to
`keyctl` which systemd-networkd _cannot_ have access to, so for nested
docker:

    # pct set 100 --features nesting=1,keyctl=1

And you cannot depend on systemd-networkd in that container.

To mount network file systems such as cifs or nfs:

    # pct set 100 --features mount=cifs;nfs

Note that mounting block devices via `loop` devices will not work without
also manually passing /dev/loop* to the containers. Since this has a
rather large security impact I'm unsure we ever want to make this easy
(see my forum post in [1]).

[1] https://forum.proxmox.com/threads/mount-via-loop-device-in-container.47398/#post-223325

Wolfgang Bumiller (2):
  config: whitelist new apparmor related config keys
  add feature flags using apparmor profile generation

 debian/control        |   2 +-
 src/PVE/LXC.pm        | 105 ++++++++++++++++++++++++++++++++++++++++++++++++--
 src/PVE/LXC/Config.pm |  55 ++++++++++++++++++++++++++
 3 files changed, 157 insertions(+), 5 deletions(-)

-- 
2.11.0

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
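A small audit helper, added here as an example and not part of the patch series, that parses the `features` property string in the form shown above (comma-separated `key=value` pairs, with `mount` taking a `;`-separated list of filesystem types) out of constructed `pct config`-style output and flags the settings the cover letter calls out. The set of known keys, the severity labels and the sample config are assumptions.

```python
import re

# Feature keys introduced by this series; anything else is flagged as unknown (assumption).
KNOWN_FEATURES = {"nesting", "keyctl", "mount"}


def parse_features(spec):
    """Parse 'nesting=1,keyctl=1,mount=cifs;nfs' into a dict.

    Boolean flags become True/False; 'mount' becomes a list of fs types.
    Raises ValueError on malformed input rather than silently accepting it.
    """
    features = {}
    for item in filter(None, spec.split(",")):
        if "=" not in item:
            raise ValueError(f"malformed feature item: {item!r}")
        key, value = item.split("=", 1)
        key = key.strip()
        if key == "mount":
            features[key] = [fs for fs in value.split(";") if fs]
        elif value in ("0", "1"):
            features[key] = value == "1"
        else:
            raise ValueError(f"non-boolean value for {key}: {value!r}")
    return features


def audit_features(features):
    """Return a list of (severity, message) findings for one container."""
    findings = []
    for key in sorted(set(features) - KNOWN_FEATURES):
        findings.append(("error", f"unknown feature key {key!r}"))
    if features.get("keyctl"):
        findings.append(("warn", "keyctl=1: guest cannot rely on systemd-networkd"))
    if features.get("nesting"):
        findings.append(("info", "nesting=1: nested containers (e.g. lxd) allowed"))
    for fs in features.get("mount", []):
        findings.append(("warn", f"mount={fs}: guest may mount {fs} filesystems"))
    return findings


def audit_config_text(config_text):
    """Scan 'pct config'-style output for a 'features:' line and audit it."""
    m = re.search(r"^features:\s*(.+)$", config_text, re.MULTILINE)
    return audit_features(parse_features(m.group(1))) if m else []


# Constructed sample output for a CT carrying the nested-docker settings above.
SAMPLE_CONFIG = "arch: amd64\nfeatures: nesting=1,keyctl=1,mount=cifs;nfs\nunprivileged: 1\n"
```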