From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Dominik Csapak <d.csapak@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: [pve-devel] applied series: [PATCH container/manager v2] default nesting for unpriv containers in ui
Date: Wed, 4 Aug 2021 14:20:19 +0200
Message-ID: <20210804122019.eibjtyosq5d7qhjg@wobu-vie.proxmox.com>
In-Reply-To: <20210804105111.183355-1-d.csapak@proxmox.com>
applied series
On Wed, Aug 04, 2021 at 12:51:06PM +0200, Dominik Csapak wrote:
> since many modern containers need the nesting feature to work properly
> (thanks systemd...), we add a checkbox that is on by default
> (and disables with unprivileged, since nested privileged containers
> are not very secure)
>
> to do that, we first have to loosen the nesting constraints in the api
> a bit. we do that by allowing to set that for unprivileged containers
> when the user has the 'VM.Allocate' privilege.
>
> (just to note: a user with that right can also create privileged
> containers, but could not enable nesting for them)
>
> changes from v1:
> * prevent comparing undefined $(old)features->{$features} by first
> extracting it into a variable with a fallback of '' and compare that
> * reorder the permission checks so that they are returned consistently
> * add patch that removes features when restoring an unprivileged
> container as privileged
>
> pve-container:
>
> Dominik Csapak (3):
> add old config and unprivileged to check_ct_modify_config_perm
> allow nesting to be changed for VM.Allocate on unprivileged containers
> skip features when restoring an unprivileged container as privileged
>
>  src/PVE/API2/LXC.pm        |  6 +--
>  src/PVE/API2/LXC/Config.pm | 95 +++++++++++++++++++-------------------
>  src/PVE/LXC.pm             | 47 +++++++++++++++++--
>  src/PVE/LXC/Create.pm      |  5 ++
>  4 files changed, 100 insertions(+), 53 deletions(-)
>
> pve-manager:
>
> Dominik Csapak (2):
> ui: lxc/Options: allow opening features window for VM.Allocate
> ui: lxc/CreateWizard: add a 'nesting' checkbox and enable it by
> default
>
>  www/manager6/lxc/CreateWizard.js | 10 ++++++++++
>  www/manager6/lxc/Options.js      |  2 +-
>  2 files changed, 11 insertions(+), 1 deletion(-)
>
> --
> 2.30.2
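The cover letter describes two rules without showing code: a features change on an unprivileged container that only touches 'nesting' may be made by a user holding VM.Allocate (with old and new values compared through a '' fallback so nothing undefined is compared), and features are dropped when an unprivileged backup is restored as a privileged container. The following is an added illustration of that policy written for this page; it is not pve-container's implementation. The feature-string format (`nesting=1,keyctl=1`), the root@pam shortcut, and treating every other feature change as root-only are assumptions of this model, not statements from the series.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative model of the permission rule from the cover letter.
# Assumptions (not from the series): features are a "k=v,k=v" string,
# root@pam may change anything, all non-'nesting' changes need root.

# Parse a "key=value,key=value" features string into a hashref.
sub parse_features {
    my ($str) = @_;
    my $features = {};
    return $features if !defined($str) || $str eq '';
    for my $kv (split(/,/, $str)) {
        my ($k, $v) = split(/=/, $kv, 2);
        $features->{$k} = defined($v) ? $v : 1;
    }
    return $features;
}

# Names of features whose value differs between old and new config.
# Each side is read with a fallback of '' so a feature present on only
# one side never yields an "undefined value in string eq" comparison.
sub changed_features {
    my ($oldfeatures, $newfeatures) = @_;
    my %all = map { $_ => 1 } (keys %$oldfeatures, keys %$newfeatures);
    my @changed;
    for my $f (sort keys %all) {
        my $old = $oldfeatures->{$f} // '';
        my $new = $newfeatures->{$f} // '';
        push @changed, $f if $old ne $new;
    }
    return @changed;
}

# Decide whether $user (holding the privileges in $privs) may apply the
# features change. Returns 1 when allowed, dies with a reason otherwise,
# checked in a fixed order so the error is the same for the same input.
sub check_features_change {
    my ($params) = @_;
    my ($unprivileged, $oldfeatures, $newfeatures, $privs, $user) =
        @$params{qw(unprivileged oldfeatures newfeatures privs user)};

    return 1 if $user eq 'root@pam';    # assumed: root may change anything

    my @changed = changed_features(
        parse_features($oldfeatures), parse_features($newfeatures));
    return 1 if !@changed;              # nothing changed: no permission needed

    if ($unprivileged && $privs->{'VM.Allocate'}) {
        my @other = grep { $_ ne 'nesting' } @changed;
        return 1 if !@other;            # only 'nesting' touched: allowed
        die "only root can modify feature(s): @other\n";
    }
    die "only root can modify 'features' on privileged containers\n"
        if !$unprivileged;
    die "VM.Allocate required to change 'nesting'\n";
}

# Restore rule: an unprivileged backup restored as a privileged container
# loses its features entirely; otherwise they are kept as-is.
sub features_for_restore {
    my ($backup_unprivileged, $target_unprivileged, $features) = @_;
    return undef if $backup_unprivileged && !$target_unprivileged;
    return $features;
}

if (!caller) {
    # Constructed sample: a VM.Allocate user enabling nesting on an
    # unprivileged container (allowed), then also enabling keyctl (denied).
    for my $new ('nesting=1', 'nesting=1,keyctl=1') {
        my $ok = eval {
            check_features_change({
                unprivileged => 1, oldfeatures => '', newfeatures => $new,
                privs => { 'VM.Allocate' => 1 }, user => 'test@pve',
            });
        };
        print "$new: ", ($ok ? "allowed\n" : "denied: $@");
    }
}
```

The `// ''` in `changed_features` is the point the v2 changelog makes: reading both sides into a variable with an explicit fallback before the `ne` comparison keeps a feature that exists only in one config from producing an undefined-value warning, and makes "unchanged" a well-defined case that needs no privilege at all.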