From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <oguz@gaia.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id A511B693A0
 for <pve-devel@lists.proxmox.com>; Tue, 23 Feb 2021 15:56:51 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 96FC81FED9
 for <pve-devel@lists.proxmox.com>; Tue, 23 Feb 2021 15:56:51 +0100 (CET)
Received: from gaia.proxmox.com (212-186-127-178.static.upcbusiness.at
 [212.186.127.178])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 73EE51FECF
 for <pve-devel@lists.proxmox.com>; Tue, 23 Feb 2021 15:56:50 +0100 (CET)
Received: from gaia.proxmox.com (localhost.localdomain [127.0.0.1])
 by gaia.proxmox.com (8.15.2/8.15.2/Debian-14~deb10u1) with ESMTP id
 11NEshZE1069424; Tue, 23 Feb 2021 15:54:43 +0100
Received: (from oguz@localhost)
 by gaia.proxmox.com (8.15.2/8.15.2/Submit) id 11NEshbK1069423;
 Tue, 23 Feb 2021 15:54:43 +0100
From: Oguz Bektas <o.bektas@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue, 23 Feb 2021 15:54:42 +0100
Message-Id: <20210223145442.1069341-1-o.bektas@proxmox.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  1
 AWL -0.341 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery
 methods
 KHOP_HELO_FCRDNS        0.001 Relay HELO differs from its IP's reverse DNS
 NO_DNS_FOR_FROM         0.379 Envelope sender has no MX or A DNS records
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_NONE                0.001 SPF: sender does not publish an SPF Record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [lxc.pm]
Subject: [pve-devel] [PATCH v3 container] fix #3313: recover unprivileged
 bit from old config during pct restore
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2021 14:56:51 -0000

since pct defaults to privileged containers, it restores the container
as privileged when `--unprivileged 1` is not passed.

instead we should check the old configuration and retrieve it
from there.

this way, when one creates an unprivileged container on GUI, it will be
still restored as unprivileged via pct (without having to pass
`--unprivileged 1` parameter)

note: $orig_mp_param assignment is not guarded by $is_root anymore, but
this should still be okay since we do a second recover_config() call on
the archive file if $orig_mp_param is used

Reviewed-by: Fabian Ebner <f.ebner@proxmox.com>
Tested-by: Fabian Ebner <f.ebner@proxmox.com>
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---

thanks fabi for testing and reviewing!

v2->v3:
* remove comment
* wrap post-if according to style guide


 src/PVE/API2/LXC.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index 8ce462f..df0cc88 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -352,7 +352,7 @@ __PACKAGE__->register_method({
 		my $orig_mp_param; # only used if $restore
 		if ($restore) {
 		    die "can't overwrite running container\n" if PVE::LXC::check_running($vmid);
-		    if ($is_root && $archive ne '-') {
+		    if ($archive ne '-') {
 			my $orig_conf;
 			print "recovering backed-up configuration from '$archive'\n";
 			($orig_conf, $orig_mp_param) = PVE::LXC::Create::recover_config($storage_cfg, $archive, $vmid);
@@ -361,7 +361,10 @@ __PACKAGE__->register_method({
 			# causing it to restore the raw lxc entries, among which there may be
 			# 'lxc.idmap' entries. We need to make sure that the extracted contents
 			# of the container match up with the restored configuration afterwards:
-			$conf->{lxc} = $orig_conf->{lxc};
+			$conf->{lxc} = $orig_conf->{lxc} if $is_root;
+
+			$conf->{unprivileged} = $orig_conf->{unprivileged}
+			    if !defined($unprivileged) && defined($orig_conf->{unprivileged});
 		    }
 		}
 		if ($storage_only_mode) {
-- 
2.20.1