[pve-devel] [PATCH container] oci create: fix creating privileged containers

From: Filip Schauer <f.schauer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH container] oci create: fix creating privileged containers
Date: Tue, 25 Nov 2025 15:19:20 +0100	[thread overview]
Message-ID: <20251125141922.165771-1-f.schauer@proxmox.com> (raw)

Previously, creating privileged containers from OCI images failed with:
`unable to create CT 123 - Invalid argument`

This was caused by an empty $id_map being passed to run_in_userns.

This commit fixes this by making the call to run_in_userns conditional,
based on whether $id_map is empty or not.

Reported in the Proxmox forum:
https://forum.proxmox.com/threads/proxmox-virtual-environment-9-1-available.176255/post-818600

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
 src/PVE/LXC/Create.pm | 47 +++++++++++++++++++++++++------------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index dc97327..9956cf9 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -674,12 +674,17 @@ sub restore_oci_archive {
 
     my ($id_map, undef, undef) = PVE::LXC::parse_id_maps($conf);
     # NOTE: values of $unsafe_oci_config are untrusted! do NOT use them as is, only via the helpers!
-    my $unsafe_oci_config = PVE::LXC::Namespaces::run_in_userns(
-        sub {
-            PVE::RS::OCI::parse_and_extract_image($archive_file, $rootdir);
-        },
-        $id_map,
-    );
+    my $unsafe_oci_config;
+    if (@$id_map) {
+        $unsafe_oci_config = PVE::LXC::Namespaces::run_in_userns(
+            sub {
+                PVE::RS::OCI::parse_and_extract_image($archive_file, $rootdir);
+            },
+            $id_map,
+        );
+    } else {
+        $unsafe_oci_config = PVE::RS::OCI::parse_and_extract_image($archive_file, $rootdir);
+    }
 
     # should we rather validate this on the rust side already?
     my $has_ctrl_char = sub { return $_[0] =~ /[\x00-\x08\x10-\x1F\x7F]/; };
@@ -715,20 +720,22 @@ sub restore_oci_archive {
         # This will also keep the cases working where a user does know about them and
         # added MPs at this locations, at they will simply get mounted there correctly then.
         # TODO: should the folders always be owned by the CT root user though?
-        PVE::LXC::Namespaces::run_in_userns(
-            sub {
-                # we're now in the correct user namespace, but not in the mount namespace, so chroot
-                # into the rootdir to ensure that make_path is safe from ../ and symlinks!
-                chroot($rootdir) or die "failed to change root to: $rootdir: $!\n";
-                chdir('/') or die "failed to change to root directory\n";
-
-                for my $path (@data_volume_paths) {
-                    print "creating base directory for volume at $path\n";
-                    make_path("/$path"); # chrooted to /$rootdir above already
-                }
-            },
-            $id_map,
-        );
+        my $create_volume_paths = sub {
+            # we're not in the correct mount namespace, so chroot into the rootdir
+            # to ensure that make_path is safe from ../ and symlinks!
+            chroot($rootdir) or die "failed to change root to: $rootdir: $!\n";
+            chdir('/') or die "failed to change to root directory\n";
+
+            for my $path (@data_volume_paths) {
+                print "creating base directory for volume at $path\n";
+                make_path("/$path"); # chrooted to /$rootdir above already
+            }
+        };
+        if (@$id_map) {
+            PVE::LXC::Namespaces::run_in_userns($create_volume_paths, $id_map);
+        } else {
+            PVE::Tools::run_fork($create_volume_paths);
+        }
     }
 
     my $init_cmd = [];
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

