A script to make Proxmox LXC Containers unprivileged

mkunpriv.sh

#!/bin/bash
##
## Warning: do not use this unless you understand and agree with what it does
##
## Based on: https://forum.proxmox.com/threads/convert-privileged-to-unprivileged-container.31066/#post-261883
##
## NOT HANDLED
## * multiple disks
## * if there are backup/snapshot references in the lxc/$vmid.conf the unprivileged:1 will be added to the end of the file and in a backup config not in the active config, that can break the first boot
## * setuid and setgid permissions are not retained

# CONFIGURE THIS (the pool on which subvol-NNN-disk-1's exist):
vol=pve1-data
vmid=$1

if [ "$vmid" == "" ];
then
        echo "Usage is: $0 vmid";
        exit 1
fi

echo "stopping vm $vmid"
pct stop $vmid

echo "taking snapshot"
zfs snapshot $vol/subvol-$vmid-disk-1@mkunpriv-$( date +%Y%m%d%H%M%S%N )

echo "chowning files, sockets and pipes"
find /$vol/subvol-$vmid-disk-1/ -type f -or -type s -or -type p | while read S; do U="$(ls -ln "${S}" | awk '{print$3}')"; G="$(ls -ln "${S}" | awk '{print$4}')"; F=100000; chown "${F:0: -${#U}}${U}:${F:0: -${#G}}${G}" "${S}"; done

echo "chowning symlinks"
find /$vol/subvol-$vmid-disk-1/ -type l | while read S; do U="$(ls -ln "${S}" | awk '{print$3}')"; G="$(ls -ln "${S}" | awk '{print$4}')"; F=100000; chown -h "${F:0: -${#U}}${U}:${F:0: -${#G}}${G}" "${S}"; done

echo "chowning directores"
find /$vol/subvol-$vmid-disk-1/ -type d | while read S; do U="$(ls -lnd "${S}" | awk '{print$3}')"; G="$(ls -lnd "${S}" | awk '{print$4}')"; F=100000; chown "${F:0: -${#U}}${U}:${F:0: -${#G}}${G}" "${S}"; done

echo "fixing postfix if necessary"
[ -e /$vol/subvol-$vmid-disk-1/var/spool/postfix/dev/-random ] && rm -ri /$vol/subvol-$vmid-disk-1/var/spool/postfix/dev/-random
[ -e /$vol/subvol-$vmid-disk-1/var/spool/postfix/dev/-urandom ] && rm -ri /$vol/subvol-$vmid-disk-1/var/spool/postfix/dev/-urandom

echo "setting suid on sudo"
[ -e /$vol/subvol-$vmid-disk-1/usr/bin/sudo ] && chmod u+s /$vol/subvol-$vmid-disk-1/usr/bin/sudo

echo "enabling unprivileged setting on vm config"
echo -e "\nunprivileged: 1" >> /etc/pve/lxc/$vmid.conf

echo "starting vm $vmid"
pct start $vmid

Is there version to undo this? Changing a unprivileged to a privileged container?

Yes, I modified this script to do that a few years ago and entirely forgot to share it:

#!/bin/bash
##
## Warning: do not use this unless you understand and agree with what it does
##
## Based on: https://forum.proxmox.com/threads/convert-privileged-to-unprivileged-container.31066/#post-261883
##
## NOT HANDLED
## * multiple disks
## * if there are backup/snapshot references in the lxc/$vmid.conf the unprivileged:1 will be added to the end of the file and in a backup config not in the active config, that can break the first boot
## * setuid and setgid permissions are not retained

# CONFIGURE THIS (the pool on which subvol-NNN-disk-1's exist):
vol=pve1-data
vmid=$1

if [ "$vmid" == "" ];
then
        echo "Usage is: $0 vmid";
        exit 1
fi

echo "stopping container $vmid"
pct stop $vmid

echo "taking snapshot"
zfs snapshot $vol/subvol-$vmid-disk-0@mkpriv-$( date +%Y%m%d%H%M%S%N )

echo "chowning files, sockets and pipes"
find /$vol/subvol-$vmid-disk-0/ -type f -or -type s -or -type p | while read S; do U="$(ls -ln "${S}" | awk '{print$3}')"; G="$(ls -ln "${S}" | awk '{print$4}')"; chown "${U:3}:${G:3}" "${S}"; done

echo "chowning symlinks"
find /$vol/subvol-$vmid-disk-0/ -type l | while read S; do U="$(ls -ln "${S}" | awk '{print$3}')"; G="$(ls -ln "${S}" | awk '{print$4}')"; chown -h "${U:3}:${G:3}" "${S}"; done

echo "chowning directores"
find /$vol/subvol-$vmid-disk-0/ -type d | while read S; do U="$(ls -lnd "${S}" | awk '{print$3}')"; G="$(ls -lnd "${S}" | awk '{print$4}')"; chown "${U:3}:${G:3}" "${S}"; done

#echo "fixing postfix if necessary"
#[ -e /$vol/subvol-$vmid-disk-0/var/spool/postfix/dev/-random ] && rm -ri /$vol/subvol-$vmid-disk-0/var/spool/postfix/dev/-random
#[ -e /$vol/subvol-$vmid-disk-0/var/spool/postfix/dev/-urandom ] && rm -ri /$vol/subvol-$vmid-disk-0/var/spool/postfix/dev/-urandom

#echo "setting suid on sudo"
#[ -e /$vol/subvol-$vmid-disk-0/usr/bin/sudo ] && chmod u+s /$vol/subvol-$vmid-disk-0/usr/bin/sudo

echo "disabling unprivileged setting in lxc config"
sed -i 's/unprivileged: 1/# unprivileged: 1/g' /etc/pve/lxc/$vmid.conf

echo "starting container $vmid"
pct start $vmid

I'm not certain whether sudo or postfix need to be modified when converting to privledged, though mine didn't, so ymmv. This script assumes your system uses ZFS. If it doesn't, comment out the zfs snapshot line and/or replace it with an equivalent.

Standard disclaimer that while this script worked for me, it may not work for thee (it may not work for you the way it did for me, or as intended), thus take a backup, restore it, and test it on the restored instance.

Should @wankdanker choose to do so, they could modify their gist here with an extra arg that converts unprivileged to privileged and vice-versa so that the script does everything in an all-in-one fashion. I could do it myself, time permitting, but as I've benefitted from their work, I'll share what I've done here and leave it open to them whether they'd like to do so.

Regards to all.

fyi, you two that wrote the priv and unpriv script are heroes.

I got around to merging the two scripts into one, but in testing, ran into a weird issue. I'll share it once I'm a bit more confident in its functionality. I believe my issue may have been umask related, but haven't had the time to verify.

I can't wait, if you would, ping me when you do.

I got around to merging the two scripts into one, but in testing, ran into a weird issue. I'll share it once I'm a bit more confident in its functionality. I believe my issue may have been umask related, but haven't had the time to verify.

I've been working on a bit of an update, but running into a little speed bump and out of time for the day, if you want to take a look.