From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH container] oci create: fix creating privileged containers
Date: Wed, 26 Nov 2025 09:31:44 +0100 [thread overview]
Message-ID: <1764145853.pp0ipj03q9.astroid@yuna.none> (raw)
In-Reply-To: <20251125141922.165771-1-f.schauer@proxmox.com>
On November 25, 2025 3:19 pm, Filip Schauer wrote:
> Previously, creating privileged containers from OCI images failed with:
> `unable to create CT 123 - Invalid argument`
>
> This was caused by an empty $id_map being passed to run_in_userns.
>
> This commit fixes this by making the call to run_in_userns conditional,
> based on whether $id_map is empty or not.
>
> Reported in the Proxmox forum:
> https://forum.proxmox.com/threads/proxmox-virtual-environment-9-1-available.176255/post-818600
>
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
or we could forbid creating them, since we want to get rid of privileged
containers mid-to-longterm anyway?
> ---
> src/PVE/LXC/Create.pm | 47 +++++++++++++++++++++++++------------------
> 1 file changed, 27 insertions(+), 20 deletions(-)
>
> diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
> index dc97327..9956cf9 100644
> --- a/src/PVE/LXC/Create.pm
> +++ b/src/PVE/LXC/Create.pm
> @@ -674,12 +674,17 @@ sub restore_oci_archive {
>
> my ($id_map, undef, undef) = PVE::LXC::parse_id_maps($conf);
> # NOTE: values of $unsafe_oci_config are untrusted! do NOT use them as is, only via the helpers!
> - my $unsafe_oci_config = PVE::LXC::Namespaces::run_in_userns(
> - sub {
> - PVE::RS::OCI::parse_and_extract_image($archive_file, $rootdir);
> - },
> - $id_map,
> - );
> + my $unsafe_oci_config;
> + if (@$id_map) {
> + $unsafe_oci_config = PVE::LXC::Namespaces::run_in_userns(
> + sub {
> + PVE::RS::OCI::parse_and_extract_image($archive_file, $rootdir);
> + },
> + $id_map,
> + );
> + } else {
> + $unsafe_oci_config = PVE::RS::OCI::parse_and_extract_image($archive_file, $rootdir);
> + }
>
> # should we rather validate this on the rust side already?
> my $has_ctrl_char = sub { return $_[0] =~ /[\x00-\x08\x10-\x1F\x7F]/; };
> @@ -715,20 +720,22 @@ sub restore_oci_archive {
> # This will also keep the cases working where a user does know about them and
> # added MPs at this locations, at they will simply get mounted there correctly then.
> # TODO: should the folders always be owned by the CT root user though?
> - PVE::LXC::Namespaces::run_in_userns(
> - sub {
> - # we're now in the correct user namespace, but not in the mount namespace, so chroot
> - # into the rootdir to ensure that make_path is safe from ../ and symlinks!
> - chroot($rootdir) or die "failed to change root to: $rootdir: $!\n";
> - chdir('/') or die "failed to change to root directory\n";
> -
> - for my $path (@data_volume_paths) {
> - print "creating base directory for volume at $path\n";
> - make_path("/$path"); # chrooted to /$rootdir above already
> - }
> - },
> - $id_map,
> - );
> + my $create_volume_paths = sub {
> + # we're not in the correct mount namespace, so chroot into the rootdir
> + # to ensure that make_path is safe from ../ and symlinks!
> + chroot($rootdir) or die "failed to change root to: $rootdir: $!\n";
> + chdir('/') or die "failed to change to root directory\n";
> +
> + for my $path (@data_volume_paths) {
> + print "creating base directory for volume at $path\n";
> + make_path("/$path"); # chrooted to /$rootdir above already
> + }
> + };
> + if (@$id_map) {
> + PVE::LXC::Namespaces::run_in_userns($create_volume_paths, $id_map);
> + } else {
> + PVE::Tools::run_fork($create_volume_paths);
> + }
> }
>
> my $init_cmd = [];
> --
> 2.47.3
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-26 8:32 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-25 14:19 Filip Schauer
2025-11-26 8:31 ` Fabian Grünbichler [this message]
2025-11-26 8:55 ` Thomas Lamprecht
2025-11-26 8:59 ` Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1764145853.pp0ipj03q9.astroid@yuna.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox