Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A script to make Proxmox LXC Containers unprivileged
#!/bin/bash
##
## Warning: do not use this unless you understand and agree with what it does
##
## Based on: https://forum.proxmox.com/threads/convert-privileged-to-unprivileged-container.31066/#post-261883
##
## NOT HANDLED
## * multiple disks
## * if there are backup/snapshot references in the lxc/$vmid.conf the unprivileged:1 will be added to the end of the file and in a backup config not in the active config, that can break the first boot
## * setuid and setgid permissions are not retained
# CONFIGURE THIS (the pool on which subvol-NNN-disk-1's exist):
vol=pve1-data
vmid=$1
if [ "$vmid" == "" ];
then
echo "Usage is: $0 vmid";
exit 1
fi
echo "stopping vm $vmid"
pct stop $vmid
echo "taking snapshot"
zfs snapshot $vol/subvol-$vmid-disk-1@mkunpriv-$( date +%Y%m%d%H%M%S%N )
echo "chowning files, sockets and pipes"
find /$vol/subvol-$vmid-disk-1/ -type f -or -type s -or -type p | while read S; do U="$(ls -ln "${S}" | awk '{print$3}')"; G="$(ls -ln "${S}" | awk '{print$4}')"; F=100000; chown "${F:0: -${#U}}${U}:${F:0: -${#G}}${G}" "${S}"; done
echo "chowning symlinks"
find /$vol/subvol-$vmid-disk-1/ -type l | while read S; do U="$(ls -ln "${S}" | awk '{print$3}')"; G="$(ls -ln "${S}" | awk '{print$4}')"; F=100000; chown -h "${F:0: -${#U}}${U}:${F:0: -${#G}}${G}" "${S}"; done
echo "chowning directores"
find /$vol/subvol-$vmid-disk-1/ -type d | while read S; do U="$(ls -lnd "${S}" | awk '{print$3}')"; G="$(ls -lnd "${S}" | awk '{print$4}')"; F=100000; chown "${F:0: -${#U}}${U}:${F:0: -${#G}}${G}" "${S}"; done
echo "fixing postfix if necessary"
[ -e /$vol/subvol-$vmid-disk-1/var/spool/postfix/dev/-random ] && rm -ri /$vol/subvol-$vmid-disk-1/var/spool/postfix/dev/-random
[ -e /$vol/subvol-$vmid-disk-1/var/spool/postfix/dev/-urandom ] && rm -ri /$vol/subvol-$vmid-disk-1/var/spool/postfix/dev/-urandom
echo "setting suid on sudo"
[ -e /$vol/subvol-$vmid-disk-1/usr/bin/sudo ] && chmod u+s /$vol/subvol-$vmid-disk-1/usr/bin/sudo
echo "enabling unprivileged setting on vm config"
echo -e "\nunprivileged: 1" >> /etc/pve/lxc/$vmid.conf
echo "starting vm $vmid"
pct start $vmid
@Phlogi

This comment has been minimized.

Copy link

@Phlogi Phlogi commented Jan 17, 2020

Is there version to undo this? Changing a unprivileged to a privileged container?

@wankdanker

This comment has been minimized.

Copy link
Owner Author

@wankdanker wankdanker commented Jan 20, 2020

@Phlogi I have not worked on one nor searched for one, so I'm not sure.. I know the way the Proxmox team recommends to do it is by backup/restore. I think during the restore process, you have the option to toggle unprivileged or privileged.

@danielehrhardt

This comment has been minimized.

Copy link

@danielehrhardt danielehrhardt commented Mar 31, 2020

How long does this process Take?

@wankdanker

This comment has been minimized.

Copy link
Owner Author

@wankdanker wankdanker commented Apr 1, 2020

@danielehrhardt It really depends on the number of files in the volume. It's running find three times at the root of the container. If you have enough memory, then probably a lot of the file metadata would be in ram after the first execution of find. The output of find is piped to a bunch of commands... I don't know how long processing each file takes.

I did this to probably 20 or 30 containers. Some of those containers were barely modified installations of Ubuntu Server with the latest packages and very little user data. Those probably took 15 to 30 minutes each.

Other containers were running Samba or Cyrus IMAP with hundreds of thousands if not millions of files and those took hours.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment