@wankdanker
Last active December 26, 2023 19:43
A script to make Proxmox LXC Containers unprivileged
#!/bin/bash
##
## Warning: do not use this unless you understand and agree with what it does
##
## Based on: https://forum.proxmox.com/threads/convert-privileged-to-unprivileged-container.31066/#post-261883
##
## NOT HANDLED
## * multiple disks
## * if there are backup/snapshot references in lxc/$vmid.conf, the "unprivileged: 1" line is appended to the end of the file, i.e. into a backup/snapshot section rather than the active config, which can break the first boot
## * setuid and setgid permissions are not retained (chown clears them; only sudo is restored below)
# Abort on the first failed step (e.g. a failed snapshot) instead of continuing with the chown
set -eu
# CONFIGURE THIS (the pool on which subvol-NNN-disk-1's exist):
vol=pve1-data
# First host id of the container's uid/gid mapping (Proxmox default: root:100000:65536 in /etc/subuid and /etc/subgid)
offset=100000
vmid=${1:-}
if [ -z "$vmid" ]; then
    echo "Usage is: $0 vmid"
    exit 1
fi
root=/$vol/subvol-$vmid-disk-1

# Add $offset to the numeric owner and group of every path matched by the given find predicates.
# Arithmetic is used instead of string padding so that ids of 100000 and above are also shifted correctly.
# chown -h changes a symlink itself and behaves like plain chown for every other file type.
# NUL-separated paths and read -r keep names with spaces or backslashes intact.
shift_owner() {
    find "$root/" "$@" -print0 | while IFS= read -r -d '' S; do
        U=$(stat -c '%u' "$S")
        G=$(stat -c '%g' "$S")
        chown -h "$((U + offset)):$((G + offset))" "$S"
    done
}

echo "stopping vm $vmid"
pct stop "$vmid"
echo "taking snapshot"
zfs snapshot "$vol/subvol-$vmid-disk-1@mkunpriv-$(date +%Y%m%d%H%M%S%N)"
echo "chowning files, sockets and pipes"
shift_owner \( -type f -o -type s -o -type p \)
echo "chowning symlinks"
shift_owner -type l
echo "chowning directories"
shift_owner -type d
echo "fixing postfix if necessary"
[ -e "$root/var/spool/postfix/dev/-random" ] && rm -ri "$root/var/spool/postfix/dev/-random"
[ -e "$root/var/spool/postfix/dev/-urandom" ] && rm -ri "$root/var/spool/postfix/dev/-urandom"
echo "setting suid on sudo"
[ -e "$root/usr/bin/sudo" ] && chmod u+s "$root/usr/bin/sudo"
echo "enabling unprivileged setting on vm config"
printf '\nunprivileged: 1\n' >> "/etc/pve/lxc/$vmid.conf"
echo "starting vm $vmid"
pct start "$vmid"
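The id shift the script performs, as an added dry-run planner that is not part of the gist: it prints the chown commands it would run instead of executing them, refuses ids the mapping cannot represent, and flags the setuid/setgid entries that a chown will strip. It assumes the Proxmox default first-level mapping root:100000:65536 from /etc/subuid and /etc/subgid; the sample stat lines are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not part of the gist): plan the uid/gid shift as a dry run.
# Assumption: the Proxmox default first-level mapping root:100000:65536, so
# container ids 0..65535 map to host ids 100000..165535.
BASE=100000
RANGE=65536

# shift_id ID: print ID + BASE. Refuse ids outside 0..RANGE-1, which indicates a
# rootfs that was already converted or an id the mapping cannot represent.
shift_id() {
  if [ "$1" -lt 0 ] || [ "$1" -ge "$RANGE" ]; then
    echo "refusing to shift id $1: outside 0..$((RANGE - 1))" >&2
    return 1
  fi
  echo $(($1 + BASE))
}

# plan_chowns: read "uid gid octal-mode path" lines (the output format of
# `stat -c '%u %g %a %n'`) on stdin and print one chown command per entry.
# chown clears setuid/setgid, so entries carrying those bits get a WARN line
# naming the mode to restore afterwards (the gist only restores it for sudo).
plan_chowns() {
  while IFS=' ' read -r uid gid mode path; do
    nuid=$(shift_id "$uid") || return 1
    ngid=$(shift_id "$gid") || return 1
    # 0$mode forces octal; 06000 masks the setuid (4000) and setgid (2000) bits
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
      printf '# WARN: %s has mode %s; run chmod %s after the chown\n' "$path" "$mode" "$mode"
    fi
    printf "chown -h %s:%s '%s'\n" "$nuid" "$ngid" "$path"
  done
}

# Constructed sample lines in `stat -c '%u %g %a %n'` format (not from a real host).
SAMPLE='0 0 755 /pve1-data/subvol-101-disk-1/usr/bin
0 0 4755 /pve1-data/subvol-101-disk-1/usr/bin/sudo
1000 1000 644 /pve1-data/subvol-101-disk-1/home/user/.bashrc
65534 65534 2755 /pve1-data/subvol-101-disk-1/var/local'

printf '%s\n' "$SAMPLE" | plan_chowns
```

On a real rootfs the same planner can be fed with `find "$root" \( -type f -o -type d -o -type l \) -exec stat -c '%u %g %a %n' {} + | plan_chowns`, and the WARN lines give the list of modes to re-apply once the chown has run.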
@dgarner-cg

I got around to merging the two scripts into one, but in testing, ran into a weird issue. I'll share it once I'm a bit more confident in its functionality. I believe my issue may have been umask related, but haven't had the time to verify.

I've been working on a bit of an update, but running into a little speed bump and out of time for the day, if you want to take a look.
