From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Wed,  4 Aug 2021 12:51:06 +0200
Message-Id: <20210804105111.183355-1-d.csapak@proxmox.com>
Subject: [pve-devel] [PATCH container/manager v2] default nesting for unpriv
 containers in ui

since many modern containers need the nesting feature to work properly
(thanks systemd...), we add a checkbox that is on by default
(and disables with unprivileged, since nested privileged containers
are not very secure)

to do that, we first have to loosen the nesting constraints in the api
a bit. we do that by allowing to set that for unprivileged containers
when the user has the 'VM.Allocate' privilege.

(just to note: a user with that right can also create privileged
containers, but could not enable nesting for them)

changes from v1:
* prevent comparing undefined $(old)features->{$features} by first
  extracting it into a variable with a fallback of '' and compare that
* reorder the permission checks so that they are returned consistently
* add patch that removes features when restoring an unprivileged
  container as privileged

pve-container:

Dominik Csapak (3):
  add old config and unprivileged to check_ct_modify_config_perm
  allow nesting to be changed for VM.Allocate on unprivileged containers
  skip features when restoring an unprivileged container as privileged

 src/PVE/API2/LXC.pm        |  6 +--
 src/PVE/API2/LXC/Config.pm | 95 +++++++++++++++++++-------------------
 src/PVE/LXC.pm             | 47 +++++++++++++++++--
 src/PVE/LXC/Create.pm      |  5 ++
 4 files changed, 100 insertions(+), 53 deletions(-)

pve-manager:

Dominik Csapak (2):
  ui: lxc/Options: allow opening features window for VM.Allocate
  ui: lxc/CreateWizard: add a 'nesting' checkbox and enable it by
    default

 www/manager6/lxc/CreateWizard.js | 10 ++++++++++
 www/manager6/lxc/Options.js      |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

-- 
2.30.2
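
The nesting rule described in this cover letter, as an added Perl sketch that is not code from the patch series or from pve-container. The helper names `parse_features` and `denied_feature_changes`, the `key=value,key=value` feature-string format and the sample inputs are assumptions; any change other than nesting on an unprivileged container is simply denied here, because the letter does not say which privilege such changes need.

```perl
use strict;
use warnings;

# Hypothetical helper: split a feature string such as "nesting=1,keyctl=1"
# (format assumed) into a hash reference.
sub parse_features {
    my ($str) = @_;
    my %features;
    for my $kv (split /,/, $str // '') {
        my ($key, $value) = split /=/, $kv, 2;
        $features{$key} = $value // '' if defined($key) && length($key);
    }
    return \%features;
}

# Hypothetical check: return the feature keys the caller may NOT change.
sub denied_feature_changes {
    my ($old_str, $new_str, $unprivileged, $privs) = @_;
    my ($old, $new) = (parse_features($old_str), parse_features($new_str));
    my %seen = map { $_ => 1 } (keys %$old, keys %$new);
    my @denied;
    for my $key (sort keys %seen) {
        # Extract both sides with a fallback of '' so an unset feature is
        # never compared as undef (the v1 -> v2 change in the letter).
        my $old_val = $old->{$key} // '';
        my $new_val = $new->{$key} // '';
        next if $old_val eq $new_val;    # unchanged, nothing to authorize
        # The loosened constraint: nesting on an unprivileged container
        # may be changed by a user holding VM.Allocate.
        next if $key eq 'nesting' && $unprivileged && $privs->{'VM.Allocate'};
        push @denied, $key;              # everything else: denied in this sketch
    }
    return @denied;
}

# Constructed sample requests: [old features, new features, unprivileged, privileges]
my @cases = (
    ['',          'nesting=1',          1, { 'VM.Allocate' => 1 }],
    ['',          'nesting=1',          0, { 'VM.Allocate' => 1 }],
    ['',          'nesting=1,keyctl=1', 1, { 'VM.Allocate' => 1 }],
    ['nesting=1', 'nesting=1',          1, {}],
);
for my $case (@cases) {
    my ($old, $new, $unpriv) = @$case;
    my @denied = denied_feature_changes(@$case);
    printf "'%s' -> '%s' (unprivileged=%d): %s\n", $old, $new, $unpriv,
        @denied ? "denied: @denied" : "permitted";
}
```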