From: Filip Schauer
To: pve-devel@lists.proxmox.com
Subject: [PATCH container v2 1/2] make mount point attribute preservation configurable
Date: Wed, 11 Feb 2026 15:41:09 +0100
Message-ID: <20260211144111.123837-2-f.schauer@proxmox.com>
In-Reply-To: <20260211144111.123837-1-f.schauer@proxmox.com>

The commit 0db559517ac6 (mountpoint_insert_staged: inherit attributes if directory already exists) introduced automatic propagation of uid, gid, and mode from the target directory to the mounted filesystem. While this improves compatibility with some OCI images, it also caused undesired ownership changes on some mount points.

Since attribute preservation is not always desired, make this behavior configurable via a new "keepattrs" mountpoint flag. Default to disabled to preserve historical behavior.

Signed-off-by: Filip Schauer
---
Changed since v1:
* Replace "target path" with "mount point directory"
* Replace "attributes" with more specific description
* Add verbose_description

 src/PVE/LXC.pm            | 4 +---
 src/PVE/LXC/Config.pm     | 9 +++++++++
 src/lxc-pve-prestart-hook | 2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index 41ea991..2c02e9a 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm
@@ -2478,10 +2478,8 @@ sub mountpoint_hotplug : prototype($$$$$) { chdir('/') or die "failed to change root directory within the container's mount namespace: $!\n"; - my $keep_attrs = $mp->{type} eq 'volume'; - mountpoint_insert_staged( - $mount_fd, undef, $mp->{mp}, $opt, $root_uid, $root_gid, $keep_attrs, + $mount_fd, undef, $mp->{mp}, $opt, $root_uid, $root_gid, $mp->{keepattrs}, ); }); } diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm index 6f54e9f..5442586 100644 --- a/src/PVE/LXC/Config.pm +++ b/src/PVE/LXC/Config.pm @@ -987,6 +987,15 @@ my $mp_desc = { verbose_description => "Path to the mount point as seen from inside the container.\n\n" . "NOTE: Must not contain any symlinks for security reasons.", }, + keepattrs => { + type => 'boolean', + description => "Inherit ownership and permissions from the mount point directory.", + verbose_description => + "Inherit UID, GID and access mode from the mount point directory, " + . "if it exists already.", + optional => 1, + default => 0, + }, }; PVE::JSONSchema::register_format('pve-ct-mountpoint', $mp_desc); diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook index f900c12..9862509 100755 --- a/src/lxc-pve-prestart-hook +++ b/src/lxc-pve-prestart-hook @@ -100,7 +100,7 @@ PVE::LXC::Tools::lxc_hook( # Mount relative to the rootdir fd. $dest_base_fd = $rootdir_fd; $dest_dir = './' . $mountpoint->{mp}; - $keep_attrs = $mountpoint->{type} eq 'volume'; + $keep_attrs = $mountpoint->{keepattrs}; } else { # Assert that 'rootfs' is the first one: die "foreach_mount() error\n" if $opt ne 'rootfs'; -- 2.47.3
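
Review bot: in the mountpoint_hotplug hunk of src/PVE/LXC.pm, replacing `$mp->{type} eq 'volume'` with `$mp->{keepattrs}` removes the mount point type restriction, so a mount point of any type that has keepattrs set now gets the directory's UID, GID and mode passed through to mountpoint_insert_staged. If that widening is intended, state it in the commit message and in the option's description; if not, keep the gate, for example `$mp->{keepattrs} && $mp->{type} eq 'volume'`. For non-volume mount points the ownership change would apply to storage that the container does not own, which deserves an explicit decision rather than falling out of the refactoring.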
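
Review bot: the keepattrs entry added to $mp_desc in src/PVE/LXC/Config.pm does not document which mount point types the flag applies to, nor that the inherited UID, GID and mode are propagated to the mounted filesystem, which is the effect the commit message reports as causing undesired ownership changes. The verbose_description should state both so that an administrator can judge the impact before enabling it. Also note that both call sites read `$mp->{keepattrs}` directly, so an absent option yields undef rather than the schema's `default => 0`; that works only because undef is false, and a short comment or an explicit `// 0` would make the reliance visible.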
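
Review bot: in the src/lxc-pve-prestart-hook hunk, `$keep_attrs = $mountpoint->{keepattrs};` combined with the schema default of 0 means that existing volume mount points stop inheriting attributes at the next container start, whereas the removed line enabled inheritance for every volume. Containers that relied on the behaviour introduced by 0db559517ac6 (the commit message names OCI images) will need keepattrs set explicitly, so the change should be called out in the commit message or release notes, or the flag should be set when such containers are created. The same type-gate question as in mountpoint_hotplug applies to this assignment.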