Last active December 26, 2023 19:43
wankdanker/cbbbe8ed01fa2c0d31835e6d6c49dcc3
A script to make Proxmox LXC Containers unprivileged
#!/bin/bash
##
## Warning: do not use this unless you understand and agree with what it does
##
## Based on: https://forum.proxmox.com/threads/convert-privileged-to-unprivileged-container.31066/#post-261883
##
## NOT HANDLED
## * multiple disks
## * if there are backup/snapshot references in the lxc/$vmid.conf the unprivileged:1 will be added to the end of the file and in a backup config not in the active config, that can break the first boot
## * setuid and setgid permissions are not retained (chown clears them; only sudo's bit is restored below)

# CONFIGURE THIS (the pool on which subvol-NNN-disk-1's exist):
vol=pve1-data

vmid=$1
if [ -z "$vmid" ]; then
    echo "Usage is: $0 vmid"
    exit 1
fi

root="/$vol/subvol-$vmid-disk-1"

# Proxmox maps container id N to host id 100000+N. Ids that already have
# six digits are left alone, so re-running the script does not shift twice.
shift_id() {
    if [ "$1" -lt 100000 ]; then
        echo $((100000 + $1))
    else
        echo "$1"
    fi
}

# Chown one inode in place. stat -c replaces the ls -ln | awk parsing, and
# -h makes chown act on a symlink itself rather than on its target.
shift_owner() {
    local u g
    u=$(stat -c '%u' "$1")
    g=$(stat -c '%g' "$1")
    chown -h "$(shift_id "$u"):$(shift_id "$g")" "$1"
}

echo "stopping vm $vmid"
pct stop "$vmid"

echo "taking snapshot"
zfs snapshot "$vol/subvol-$vmid-disk-1@mkunpriv-$(date +%Y%m%d%H%M%S%N)"

echo "chowning files, sockets, pipes, symlinks and directories"
# -print0 / read -d '' keep names containing spaces, backslashes or newlines intact
find "$root/" \( -type f -o -type s -o -type p -o -type l -o -type d \) -print0 |
    while IFS= read -r -d '' S; do shift_owner "$S"; done

echo "fixing postfix if necessary"
[ -e "$root/var/spool/postfix/dev/-random" ] && rm -ri "$root/var/spool/postfix/dev/-random"
[ -e "$root/var/spool/postfix/dev/-urandom" ] && rm -ri "$root/var/spool/postfix/dev/-urandom"

echo "setting suid on sudo"
[ -e "$root/usr/bin/sudo" ] && chmod u+s "$root/usr/bin/sudo"

echo "enabling unprivileged setting on vm config"
# Appended at the end of the file; see the NOT HANDLED note about snapshot sections.
grep -q '^unprivileged: 1' "/etc/pve/lxc/$vmid.conf" || echo -e "\nunprivileged: 1" >> "/etc/pve/lxc/$vmid.conf"

echo "starting vm $vmid"
pct start "$vmid"
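The script above shifts every owner by 100000 in place and, as its header notes, loses setuid/setgid bits and is not safe to re-run blindly. The following Python tool is an added example, not code from the gist or from Proxmox: it plans the same uid/gid shift as a dry run, flags the regular files whose setuid/setgid bits a chown would clear, checks a tree after conversion for inodes still outside the mapped range, and walks the subvolume in one lstat pass instead of three find | while read pipes. It assumes the default Proxmox idmap (container id N maps to host id 100000+N, 65536 ids wide); the subvolume path and sample entries are constructed, and running apply_plan with dry_run=False against a real container rootfs needs root.

```python
#!/usr/bin/env python3
"""Dry-run planner and post-conversion checker for moving a container rootfs
into the unprivileged ID range. Added example, not code from the gist. It
assumes the Proxmox default idmap: container uid/gid N -> host N + 100000,
65536 ids wide; the subvolume path and sample entries below are constructed."""
import os
import shutil
import stat
import tempfile
from typing import Iterable, List, NamedTuple

BASE = 100000   # host id of container root (assumed default Proxmox mapping)
RANGE = 65536   # width of the mapping: container ids 0..65535


class Entry(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int   # full st_mode: file type plus permission/suid/sgid bits


class Plan(NamedTuple):
    path: str
    new_uid: int
    new_gid: int
    changes: bool        # a chown is actually needed
    loses_setid: bool    # chown(2) clears suid/sgid on regular files


def shift_id(i: int) -> int:
    """Map an unshifted id into the range and leave an already shifted one
    alone, so re-running a conversion is harmless. The gist's string-prefix
    trick behaves the same for six-digit ids but not beyond."""
    if BASE <= i < BASE + RANGE:
        return i
    if 0 <= i < RANGE:
        return BASE + i
    raise ValueError(f"id {i} is outside the container's mapped range")


def plan_entry(e: Entry) -> Plan:
    new_uid, new_gid = shift_id(e.uid), shift_id(e.gid)
    changes = (new_uid, new_gid) != (e.uid, e.gid)
    # The kernel drops S_ISUID/S_ISGID from a regular file when it is chowned;
    # the gist re-adds sudo's bit by hand, this flags every other affected file.
    setid = stat.S_ISUID | stat.S_ISGID
    loses = changes and stat.S_ISREG(e.mode) and bool(e.mode & setid)
    return Plan(e.path, new_uid, new_gid, changes, loses)


def walk_subvol(root: str) -> List[Entry]:
    """One lstat pass over the tree without following symlinks. Nothing goes
    through a text pipe, so names with spaces or newlines are handled."""
    out: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        # symlinks to directories are listed in dirnames but never descended into
        paths += [os.path.join(dirpath, d) for d in dirnames
                  if os.path.islink(os.path.join(dirpath, d))]
        for p in paths:
            st = os.lstat(p)
            out.append(Entry(p, st.st_uid, st.st_gid, st.st_mode))
    return out


def unshifted(entries: Iterable[Entry]) -> List[str]:
    """Post-conversion check: every inode must already sit in the mapped range."""
    ok = range(BASE, BASE + RANGE)
    return [e.path for e in entries if e.uid not in ok or e.gid not in ok]


def apply_plan(plans: Iterable[Plan], dry_run: bool = True) -> int:
    """Perform (or only print) the chowns, restoring the suid/sgid bits chown drops.
    Returns the number of inodes that need a change."""
    done = 0
    for p in plans:
        if not p.changes:
            continue
        if dry_run:
            note = "  (restore setuid/setgid)" if p.loses_setid else ""
            print(f"would chown {p.new_uid}:{p.new_gid} {p.path}{note}")
        else:
            mode = stat.S_IMODE(os.lstat(p.path).st_mode)
            os.lchown(p.path, p.new_uid, p.new_gid)
            if p.loses_setid:
                os.chmod(p.path, mode)   # put the cleared bits back
        done += 1
    return done


def demo_walk() -> int:
    """Build a throwaway tree (constructed sample) and count what the walker sees."""
    d = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(d, "etc"))
        open(os.path.join(d, "etc", "passwd"), "w").close()
        os.symlink("etc", os.path.join(d, "etc-link"))   # symlink to a directory
        return len(walk_subvol(d))   # d, etc-link, etc, etc/passwd
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    # Constructed sample entries standing in for a real /pve1-data/subvol-NNN-disk-1
    sample = [
        Entry("/pve1-data/subvol-101-disk-1/usr/bin/sudo", 0, 0, 0o104755),
        Entry("/pve1-data/subvol-101-disk-1/var/www", 33, 33, 0o040755),
        Entry("/pve1-data/subvol-101-disk-1/etc/motd", 100000, 100000, 0o100644),
    ]
    apply_plan([plan_entry(e) for e in sample])
    print("still unshifted:", unshifted(sample))
    print("demo walk saw", demo_walk(), "inodes")
```

Run it as-is for the dry run over the constructed sample; on a host, `apply_plan([plan_entry(e) for e in walk_subvol(root)], dry_run=False)` after the zfs snapshot does the conversion, and `unshifted(walk_subvol(root))` should come back empty before the container is started with `unprivileged: 1`.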
I got around to merging the two scripts into one, but in testing, ran into a weird issue. I'll share it once I'm a bit more confident in its functionality. I believe my issue may have been umask related, but haven't had the time to verify.
I've been working on a bit of an update, but running into a little speed bump and out of time for the day, if you want to take a look.
I can't wait, if you would, ping me when you do.