* [pve-devel] [PATCH container 0/1] close #1543: allow low-level lxc update
From: Simon LEONARD @ 2025-01-23 22:29 UTC
To: pve-devel; +Cc: Simon LEONARD

Hello,

I'm trying to fully automate my homelab with Proxmox and infra as code with Pulumi. A missing feature is to allow the modification of low-level lxc settings via the API, as spotted in #1543. Today, the GET config endpoint returns the current low-level configuration but doesn't allow editing it (PUT).

I've tried to implement this feature, and it works on my instance. However, I'm really new to Proxmox, Perl and git send-email, so input would be appreciated/necessary.

Originally (wrongly) posted in https://forum.proxmox.com/threads/161059/

Simon LEONARD (1):
  close #1543: allow low-level lxc config update

 src/PVE/API2/LXC/Config.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--
2.48.1
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH container 1/1] close #1543: allow low-level lxc update 2025-01-23 22:29 [pve-devel] [PATCH container 0/1] close #1543: allow low-level lxc update Simon LEONARD @ 2025-01-23 22:29 ` Simon LEONARD 2025-01-27 11:05 ` Fabian Grünbichler 0 siblings, 1 reply; 6+ messages in thread From: Simon LEONARD @ 2025-01-23 22:29 UTC (permalink / raw) To: pve-devel; +Cc: Simon LEONARD Signed-off-by: Simon LEONARD <git-1001af4@sinux.sh> --- src/PVE/API2/LXC/Config.pm | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm index 5cbc014..0697043 100644 --- a/src/PVE/API2/LXC/Config.pm +++ b/src/PVE/API2/LXC/Config.pm @@ -123,7 +123,13 @@ __PACKAGE__->register_method({ description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.', maxLength => 40, optional => 1, - } + }, + lxc => { + description => "Array of lxc low-level configurations ([[key1, value1], [key2, value2] ...]).", + type => 'array', + items => { type => 'array', items => { type => 'string' }}, + optional => 1, + }, }), }, returns => { type => 'null'}, @@ -208,6 +214,10 @@ __PACKAGE__->register_method({ my $running = PVE::LXC::check_running($vmid); + if (defined($param->{lxc})) { + $conf->{lxc} = $param->{lxc}; + } + my $errors = PVE::LXC::Config->update_pct_config($vmid, $conf, $running, $param, \@delete, \@revert); # don't write to config if we get any errors – this can result in a broken config raise_param_exc($errors) if scalar(keys %$errors); -- 2.48.1 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
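Review bot: In the `@@ -208,6 +214,10 @@` hunk, `$conf->{lxc} = $param->{lxc};` copies the request array into the config without any check on its entries, and as a plain assignment it replaces whatever `$conf->{lxc}` held, so a request carrying a single pair drops every other low-level entry. Suggest validating each entry before the assignment and stating in the parameter description whether the list is a full replacement or an addition to the existing entries.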
* Re: [pve-devel] [PATCH container 1/1] close #1543: allow low-level lxc update 2025-01-23 22:29 ` [pve-devel] [PATCH container 1/1] " Simon LEONARD @ 2025-01-27 11:05 ` Fabian Grünbichler 2025-03-22 18:05 ` [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config Simon LEONARD 0 siblings, 1 reply; 6+ messages in thread From: Fabian Grünbichler @ 2025-01-27 11:05 UTC (permalink / raw) To: Proxmox VE development discussion; +Cc: Simon LEONARD On January 23, 2025 11:29 pm, Simon LEONARD wrote: > Signed-off-by: Simon LEONARD <git-1001af4@sinux.sh> > --- > src/PVE/API2/LXC/Config.pm | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm > index 5cbc014..0697043 100644 > --- a/src/PVE/API2/LXC/Config.pm > +++ b/src/PVE/API2/LXC/Config.pm > @@ -123,7 +123,13 @@ __PACKAGE__->register_method({ > description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.', > maxLength => 40, > optional => 1, > - } > + }, > + lxc => { > + description => "Array of lxc low-level configurations ([[key1, value1], [key2, value2] ...]).", > + type => 'array', > + items => { type => 'array', items => { type => 'string' }}, > + optional => 1, > + }, > }), > }, > returns => { type => 'null'}, 
> @@ -208,6 +214,10 @@ __PACKAGE__->register_method({ > > my $running = PVE::LXC::check_running($vmid); > > + if (defined($param->{lxc})) { > + $conf->{lxc} = $param->{lxc}; this would need to at least check that the provided values are valid (PVE::LXC::Config::is_valid_lxc_conf_key).. but it would also need to be limited to root@pam only (in PVE::LXC::check_ct_modify_config_perm), since it allows overriding fundamental settings also related to the security of the container.. what options are you frequently setting that would require this? we try to move those to PVE-provided options with proper ACLs to avoid the need for such root-only calls.. > + } > + > my $errors = PVE::LXC::Config->update_pct_config($vmid, $conf, $running, $param, \@delete, \@revert); > # don't write to config if we get any errors – this can result in a broken config > raise_param_exc($errors) if scalar(keys %$errors); > -- > 2.48.1 > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config
From: Simon LEONARD @ 2025-03-22 18:05 UTC
To: f.gruenbichler; +Cc: pve-devel, git-1001af4

Hello Fabian,

I added the validity check for each key.

I'm not keen to allow only root@pam to change this setting, as it would kill any attempt at automating the container creation via the API. But maybe it should be part of a permission?

Simon LEONARD (1):
  close #1543: allow low-level lxc config update

 src/PVE/API2/LXC/Config.pm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

--
2.48.1
* [pve-devel] [PATCH container v2 1/1] close #1543: allow low-level lxc config update 2025-03-22 18:05 ` [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config Simon LEONARD @ 2025-03-22 18:05 ` Simon LEONARD 2025-03-24 15:01 ` [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config Fabian Grünbichler 1 sibling, 0 replies; 6+ messages in thread From: Simon LEONARD @ 2025-03-22 18:05 UTC (permalink / raw) To: f.gruenbichler; +Cc: pve-devel, git-1001af4 Signed-off-by: Simon LEONARD <git-1001af4@sinux.sh> --- src/PVE/API2/LXC/Config.pm | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/src/PVE/API2/LXC/Config.pm b/src/PVE/API2/LXC/Config.pm index 5cbc014..5e48338 100644 --- a/src/PVE/API2/LXC/Config.pm +++ b/src/PVE/API2/LXC/Config.pm @@ -123,7 +123,13 @@ __PACKAGE__->register_method({ description => 'Prevent changes if current configuration file has different SHA1 digest. This can be used to prevent concurrent modifications.', maxLength => 40, optional => 1, - } + }, + lxc => { + description => "Array of lxc low-level configurations ([[key1, value1], [key2, value2] ...]).", + type => 'array', + items => { type => 'array', items => { type => 'string' }}, + optional => 1, + }, }), }, returns => { type => 'null'}, 
@@ -208,6 +214,15 @@ __PACKAGE__->register_method({ my $running = PVE::LXC::check_running($vmid); + if (defined $param->{lxc}) { + for my $entry (@{$param->{lxc}}) { + my ($key, $value) = @$entry; + die "invalid lxc config key '$key'\n" + unless PVE::LXC::Config::is_valid_lxc_conf_key($key); + } + $conf->{lxc} = $param->{lxc}; + } + my $errors = PVE::LXC::Config->update_pct_config($vmid, $conf, $running, $param, \@delete, \@revert); # don't write to config if we get any errors – this can result in a broken config raise_param_exc($errors) if scalar(keys %$errors); -- 2.48.1 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
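Review bot: The `lxc` schema in the `@@ -123,7 +123,13 @@` hunk accepts inner arrays of strings of any length, while its description promises `[key, value]` pairs. Suggest constraining each inner array to exactly two items, in the schema if it supports that or otherwise in the handler, and saying in the description that the parameter overrides low-level container settings.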
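Review bot: In the `@@ -208,6 +214,15 @@` hunk the loop unpacks `my ($key, $value) = @$entry;` but never looks at `$value` or at the entry length, so a one-element or three-element entry passes as long as its first element is a valid key. The failure path is a bare `die` although the context line below reports parameter problems through `raise_param_exc`, and nothing in the hunk limits who may send `lxc`, which the review of v1 asked for. Suggest checking that each entry is exactly two strings, reporting through `raise_param_exc`, and adding the caller check before `$conf->{lxc}` is assigned.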
* Re: [pve-devel] [PATCH container v2 0/1] close #1543: allow low-level lxc config
From: Fabian Grünbichler @ 2025-03-24 15:01 UTC
To: Simon LEONARD; +Cc: pve-devel

> Simon LEONARD <git-1001af4@sinux.sh> wrote on 22.03.2025 19:05 CET:
> I added the validity check for each key.
>
> I'm not keen to allow only root@pam to change this setting, as it would
> kill any attempt at automating the container creation via the API.
> But maybe it should be part of a permission?

it needs to be root-only at the moment, because it allows setting a lot of things that only root is supposed to be able to do:
- various containment features (apparmor, ..)
- arbitrary mounts
- hooks
- ..

most of those don't have an associated privilege and would require something like 'Sys.Root':

https://bugzilla.proxmox.com/show_bug.cgi?id=2582
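To make the categories in the reply above concrete, here is an added example (not code from this thread or from Proxmox) that checks a `[[key, value], ...]` payload for well-formed pairs and reports which entries fall under containment features, mounts or hooks when the caller is not root@pam. The helper name, the prefix table and the sample payload are assumptions made for illustration; the prefixes are raw LXC configuration key namespaces.

```perl
use strict;
use warnings;

# Assumed prefix table (not PVE's): raw LXC keys in the categories named in
# the reply (containment features, mounts, hooks).
my %SENSITIVE_PREFIX = (
    'lxc.apparmor.' => 'containment',
    'lxc.seccomp.'  => 'containment',
    'lxc.cap.'      => 'containment',
    'lxc.mount.'    => 'mount',
    'lxc.hook.'     => 'hook',
);

# Hypothetical helper: returns the list of problems found in one payload.
# $entries is the [[key, value], ...] array; $authuser is the caller's user id.
sub check_raw_lxc_entries {
    my ($entries, $authuser) = @_;
    my @problems;
    for my $i (0 .. $#$entries) {
        my $entry = $entries->[$i];
        # "array of strings" alone does not guarantee a pair, so check it here.
        if (ref($entry) ne 'ARRAY' || @$entry != 2 || grep { !defined($_) || ref($_) } @$entry) {
            push @problems, "entry $i: expected exactly [key, value]";
            next;
        }
        my ($key, $value) = @$entry;
        # Assumption: the config is stored one entry per line, so line breaks
        # and NUL bytes are rejected in both fields.
        if ("$key$value" =~ /[\r\n\0]/) {
            push @problems, "entry $i: control character in key or value";
            next;
        }
        my ($prefix) = grep { index($key, $_) == 0 } sort keys %SENSITIVE_PREFIX;
        if (defined $prefix && $authuser ne 'root@pam') {
            push @problems, "entry $i: '$key' ($SENSITIVE_PREFIX{$prefix}) requires root\@pam";
        }
    }
    return @problems;
}

# Constructed sample payload, not taken from the thread.
my @payload = (
    ['lxc.hook.pre-start', '/usr/local/bin/prepare.sh'],
    ['lxc.mount.entry', '/srv/data srv/data none bind,create=dir 0 0'],
    ['lxc.environment', 'APP_ENV=prod'],
    ['lxc.apparmor.profile'],
);
print "$_\n" for check_raw_lxc_entries(\@payload, 'automation@pve');
```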