public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH container 0/1] close #1543: allow low-level lxc update
@ 2025-01-23 22:29 Simon LEONARD
  2025-01-23 22:29 ` [pve-devel] [PATCH container 1/1] " Simon LEONARD
  0 siblings, 1 reply; 6+ messages in thread
From: Simon LEONARD @ 2025-01-23 22:29 UTC (permalink / raw)
  To: pve-devel; +Cc: Simon LEONARD

Hello,

I'm trying to fully automate my homelab with Proxmox and infra as code 
with Pulumi.

A missing feature is to allow the modification of low-level lxc settings 
via the API, as spotted in #1543. Today, the GET config endpoint returns 
the current low-level configuration but doesn't allow editing it (PUT).

I've tried to implement this feature, and it works on my instance.
However I'm really new to Proxmox, Perl and git send-email so input 
would be appreciated/necessary.

Originally (wrongly) posted in https://forum.proxmox.com/threads/161059/

Simon LEONARD (1):
  close #1543: allow low-level lxc config update

 src/PVE/API2/LXC/Config.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

-- 
2.48.1


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] [PATCH container 1/1] close #1543: allow low-level lxc update
  2025-01-23 22:29 [pve-devel] [PATCH container 0/1] close #1543: allow low-level lxc update Simon LEONARD
@ 2025-01-23 22:29 ` Simon LEONARD
  2025-01-27 11:05   ` Fabian Grünbichler
  0 siblings, 1 reply; 6+ messages in thread
From: Simon LEONARD @ 2025-01-23 22:29 UTC (permalink / raw)
  To: pve-devel; +Cc: Simon LEONARD

Signed-off-by: Simon LEONARD <git-1001af4@sinux.sh>
---
 src/PVE/API2/LXC/Config.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
index 5cbc014..0697043 100644
--- a/src/PVE/API2/LXC/Config.pm
+++ b/src/PVE/API2/LXC/Config.pm
@@ -123,7 +123,13 @@ __PACKAGE__->register_method({
 		    description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
 		    maxLength => 40,
 		    optional => 1,
-		}
+		},
+		lxc => {
+		    description => "Array of lxc low-level configurations ([[key1, value1], [key2, value2] ...]).",
+		    type => 'array',
+		    items => { type => 'array', items => { type => 'string' }},
+		    optional => 1,
+		},
 	    }),
     },
     returns => { type => 'null'},
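Review bot: the `lxc` schema accepts inner arrays of any length, so an entry with zero, one or three strings passes schema validation even though the description promises `[key, value]` pairs. `items => { type => 'array', items => { type => 'string' }}` should be constrained to exactly two elements, or the handler should reject any other shape, and the description should say whether the supplied list replaces the existing `lxc` entries or is merged with them.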
@@ -208,6 +214,10 @@ __PACKAGE__->register_method({
 
 	    my $running = PVE::LXC::check_running($vmid);
 
+	    if (defined($param->{lxc})) {
+		$conf->{lxc} = $param->{lxc};
+	    }
+
 	    my $errors = PVE::LXC::Config->update_pct_config($vmid, $conf, $running, $param, \@delete, \@revert);
 	    # don't write to config if we get any errors – this can result in a broken config
 	    raise_param_exc($errors) if scalar(keys %$errors);
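Review bot: `$conf->{lxc} = $param->{lxc};` stores the caller-supplied pairs verbatim: no key is checked, nothing in the hunk limits who may pass the parameter, and any `lxc` entries already in `$conf` are replaced wholesale. Validate each entry before assigning, add a permission check for this parameter, and confirm what `update_pct_config` does with `$param->{lxc}`, since `$param` is still handed to it unchanged on the next line.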
-- 
2.48.1



* Re: [pve-devel] [PATCH container 1/1] close #1543: allow low-level lxc update
  2025-01-23 22:29 ` [pve-devel] [PATCH container 1/1] " Simon LEONARD
@ 2025-01-27 11:05   ` Fabian Grünbichler
  2025-03-22 18:05     ` [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config Simon LEONARD
  0 siblings, 1 reply; 6+ messages in thread
From: Fabian Grünbichler @ 2025-01-27 11:05 UTC (permalink / raw)
  To: Proxmox VE development discussion; +Cc: Simon LEONARD

On January 23, 2025 11:29 pm, Simon LEONARD wrote:
> Signed-off-by: Simon LEONARD <git-1001af4@sinux.sh>
> ---
>  src/PVE/API2/LXC/Config.pm | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
> index 5cbc014..0697043 100644
> --- a/src/PVE/API2/LXC/Config.pm
> +++ b/src/PVE/API2/LXC/Config.pm
> @@ -123,7 +123,13 @@ __PACKAGE__->register_method({
>  		    description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
>  		    maxLength => 40,
>  		    optional => 1,
> -		}
> +		},
> +		lxc => {
> +		    description => "Array of lxc low-level configurations ([[key1, value1], [key2, value2] ...]).",
> +		    type => 'array',
> +		    items => { type => 'array', items => { type => 'string' }},
> +		    optional => 1,
> +		},
>  	    }),
>      },
>      returns => { type => 'null'},
> @@ -208,6 +214,10 @@ __PACKAGE__->register_method({
>  
>  	    my $running = PVE::LXC::check_running($vmid);
>  
> +	    if (defined($param->{lxc})) {
> +		$conf->{lxc} = $param->{lxc};

this would need to at least check that the provided values are valid
(PVE::LXC::Config::is_valid_lxc_conf_key)..

but it would also need to be limited to root@pam only (in
PVE::LXC::check_ct_modify_config_perm), since it allows overriding
fundamental settings also related to the security of the container..

what options are you frequently setting that would require this? we try
to move those to PVE-provided options with proper ACLs to avoid the need
for such root-only calls..

> +	    }
> +
>  	    my $errors = PVE::LXC::Config->update_pct_config($vmid, $conf, $running, $param, \@delete, \@revert);
>  	    # don't write to config if we get any errors – this can result in a broken config
>  	    raise_param_exc($errors) if scalar(keys %$errors);
> -- 
> 2.48.1
> 
> 
> 



* [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config
  2025-01-27 11:05   ` Fabian Grünbichler
@ 2025-03-22 18:05     ` Simon LEONARD
  2025-03-22 18:05       ` [pve-devel] [PATCH container v2 1/1] close #1543: allow low-level lxc config update Simon LEONARD
  2025-03-24 15:01       ` [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config Fabian Grünbichler
  0 siblings, 2 replies; 6+ messages in thread
From: Simon LEONARD @ 2025-03-22 18:05 UTC (permalink / raw)
  To: f.gruenbichler; +Cc: pve-devel, git-1001af4

Hello Fabian,

I added the validity check for each key.

I'm not keen to allow only root@pam to change this setting, as it would 
kill any attempt at automating the container creation via the API.
But maybe it should be part of a permission?



Simon LEONARD (1):
  close #1543: allow low-level lxc config update

 src/PVE/API2/LXC/Config.pm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

-- 
2.48.1



* [pve-devel] [PATCH container v2 1/1] close #1543: allow low-level lxc config update
  2025-03-22 18:05     ` [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config Simon LEONARD
@ 2025-03-22 18:05       ` Simon LEONARD
  2025-03-24 15:01       ` [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config Fabian Grünbichler
  1 sibling, 0 replies; 6+ messages in thread
From: Simon LEONARD @ 2025-03-22 18:05 UTC (permalink / raw)
  To: f.gruenbichler; +Cc: pve-devel, git-1001af4

Signed-off-by: Simon LEONARD <git-1001af4@sinux.sh>
---
 src/PVE/API2/LXC/Config.pm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm
index 5cbc014..5e48338 100644
--- a/src/PVE/API2/LXC/Config.pm
+++ b/src/PVE/API2/LXC/Config.pm
@@ -123,7 +123,13 @@ __PACKAGE__->register_method({
 		    description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.',
 		    maxLength => 40,
 		    optional => 1,
-		}
+		},
+		lxc => {
+		    description => "Array of lxc low-level configurations ([[key1, value1], [key2, value2] ...]).",
+		    type => 'array',
+		    items => { type => 'array', items => { type => 'string' }},
+		    optional => 1,
+		},
 	    }),
     },
     returns => { type => 'null'},
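Review bot: the `lxc` property is unchanged from v1, so its description still documents none of the rules the v2 handler applies: that every key is validated and that the list overwrites the current `lxc` entries rather than extending them. Add both to the `description`, and state there who is allowed to set the parameter once the permission question from the v1 review is settled.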
@@ -208,6 +214,15 @@ __PACKAGE__->register_method({
 
 	    my $running = PVE::LXC::check_running($vmid);
 
+        if (defined $param->{lxc}) {
+            for my $entry (@{$param->{lxc}}) {
+                my ($key, $value) = @$entry;
+                die "invalid lxc config key '$key'\n"
+                    unless PVE::LXC::Config::is_valid_lxc_conf_key($key);
+            }
+            $conf->{lxc} = $param->{lxc};
+        }
+
 	    my $errors = PVE::LXC::Config->update_pct_config($vmid, $conf, $running, $param, \@delete, \@revert);
 	    # don't write to config if we get any errors – this can result in a broken config
 	    raise_param_exc($errors) if scalar(keys %$errors);
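Review bot: the loop validates only `$key`; `my ($key, $value) = @$entry;` unpacks `$value` and never uses it, and an entry with fewer or more than two elements is not rejected, so an empty entry reaches `is_valid_lxc_conf_key` and the `die` message with `$key` undefined. Check `@$entry == 2` before unpacking and decide what, if anything, is validated on the value. The block also still has no restriction on who may set `lxc`, which the v1 review asked for, and its lines are indented with spaces where the surrounding context lines use tabs.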
-- 
2.48.1



* Re: [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config
  2025-03-22 18:05     ` [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config Simon LEONARD
  2025-03-22 18:05       ` [pve-devel] [PATCH container v2 1/1] close #1543: allow low-level lxc config update Simon LEONARD
@ 2025-03-24 15:01       ` Fabian Grünbichler
  1 sibling, 0 replies; 6+ messages in thread
From: Fabian Grünbichler @ 2025-03-24 15:01 UTC (permalink / raw)
  To: Simon LEONARD; +Cc: pve-devel

> Simon LEONARD <git-1001af4@sinux.sh> wrote on 22.03.2025 19:05 CET:
> I added the validity check for each key.
> 
> I'm not keen to allow only root@pam to change this setting, as it would 
> kill any attempt at automating the container creation via the API.
> But maybe it should be part of a permission?

it needs to be root-only at the moment, because it allows setting a lot
of things that only root is supposed to be able to do:

- various containment features (apparmor, ..)
- arbitrary mounts
- hooks
- ..

most of those don't have an associated privilege and would require
something like 'Sys.Root':

https://bugzilla.proxmox.com/show_bug.cgi?id=2582
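
The root-only gate and per-entry checks discussed in this thread, as an added Perl example that is not part of any message here and is not Proxmox code. `check_lxc_param`, `looks_like_lxc_key`, the key-to-class patterns and the sample requests are assumptions made for illustration; the key check is a stand-in for `PVE::LXC::Config::is_valid_lxc_conf_key`.

```perl
use strict;
use warnings;

# Hypothetical grouping of raw LXC keys into the classes the reply lists.
my @CLASSES = (
    [ containment => qr/^lxc\.(?:apparmor|seccomp|cap|selinux)\./ ],
    [ mounts      => qr/^lxc\.(?:mount|rootfs)\./ ],
    [ hooks       => qr/^lxc\.hook\./ ],
);

# Stand-in key check (assumption); not PVE::LXC::Config::is_valid_lxc_conf_key.
sub looks_like_lxc_key { return $_[0] =~ /^lxc\.[a-z0-9_.-]+\z/ ? 1 : 0 }

# Check one request. Returns (\@errors, \%classes); apply nothing if @errors.
sub check_lxc_param {
    my ($authuser, $entries) = @_;
    my (@errors, %classes);
    push @errors, "only root\@pam may set raw lxc options" if $authuser ne 'root@pam';
    for my $i (0 .. $#$entries) {
        my $entry = $entries->[$i];
        if (ref($entry) ne 'ARRAY' || @$entry != 2
            || grep { !defined($_) || ref($_) } @$entry) {
            push @errors, "entry $i: expected a [key, value] pair of strings";
            next;
        }
        my ($key) = @$entry;
        push @errors, "entry $i: invalid lxc config key '$key'" if !looks_like_lxc_key($key);
        for my $class (@CLASSES) {
            $classes{ $class->[0] } = 1 if $key =~ $class->[1];
        }
    }
    return (\@errors, \%classes);
}

# Constructed sample requests: [ authenticated user, lxc parameter ].
my @requests = (
    [ 'root@pam', [ [ 'lxc.apparmor.profile', 'generated' ],
                    [ 'lxc.hook.pre-start', '/usr/local/bin/prep' ] ] ],
    [ 'automation@pve', [ [ 'lxc.mount.entry', '/srv srv none bind 0 0' ] ] ],
    [ 'root@pam', [ [ 'lxc.cap.drop' ], [ 'not-an-lxc-key', 'x' ] ] ],
);
for my $req (@requests) {
    my ($errors, $classes) = check_lxc_param(@$req);
    my $verdict = @$errors ? 'REJECT: ' . join('; ', @$errors) : 'accept';
    printf "%-15s %s (classes: %s)\n", $req->[0], $verdict,
        join(',', sort keys %$classes) || 'none';
}
```

The class report is only for logging which kind of setting a request touches; the gate itself applies to the whole parameter, as the reply requires.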


