Convert unprivileged container in Proxmox to privileged

When creating LXC container in Proxmox you can either configure it to run in privileged or unprivileged mode. With the unprivileged mode, you get better security since the container runs in user namespace and reduces the risk of compromise. However, running some applications within an LXC container may require better privileges. In this guide we will walk you through the necessary steps of recreating unprivileged LXC container as privileged.

The process of LXC container conversion from unprivileged to privileged container involves backing up the entire containers, destroying active one, and then recreating by restoring from backup as privileged container.

The steps to change from unprivileged to privileged LXC container are:

  • Stop the container if running
  • Backup existing container (unprivileged)
  • Delete the existing container
  • Recreate the container from backup archive

Step 1: Stop the container

List all running containers:

# pct list
VMID       Status     Lock         Name
109        running                 cloud.cloudspinx.com
110        running                 pihole.cloudspinx.com
111        running                 projects.cloudspinx.com
112        running                 grafana.cloudspinx.com
114        running                 dash.cloudspinx.com
115        running                 erp.cloudspinx.com

Stop the container if it’s in running state. This will ensure your container backup is consistent.

pct stop <container_id>

Step 2: Backup the container

Backup the running container using pct command.

vzdump <<container_id>> --dumpdir /var/lib/vz/dump

Replace <container_id> with your container ID and /var/lib/vz/dump with the path where you want the backup stored if you need to change it.

Here is an example showing how to backup container with ID 110.

# vzdump 110 --dumpdir /var/lib/vz/dump
INFO: starting new backup job: vzdump 110 --dumpdir ./
INFO: filesystem type on dumpdir is 'zfs' -using /var/tmp/vzdumptmp11176_110 for temporary files
INFO: Starting Backup of VM 110 (lxc)
INFO: Backup started at 2024-07-22 13:40:50
INFO: status = stopped
INFO: backup mode: stop
INFO: ionice priority: 7
INFO: CT Name: pihole.cloudspinx.com
INFO: including mount point rootfs ('/') in backup
INFO: creating vzdump archive '/var/lib/vz/vzdump-lxc-110-2024_07_22-13_40_50.tar'
INFO: Total bytes written: 2209566720 (2.1GiB, 156MiB/s)
INFO: archive file size: 2.06GB
INFO: Finished Backup of VM 110 (00:00:15)
INFO: Backup finished at 2024-07-22 13:41:05
INFO: Backup job finished successfully
INFO: notified via target `mail-to-root`

Step 3: Destroy active container

Destroy the container after successful backup.

# pct destroy <container_id>
  Logical volume "snap_vm-110-disk-0_snap1" successfully removed.
  Logical volume "vm-110-disk-0" successfully removed.

Step 4: Restore LXC container

Get a list of all storage pools in you Proxmox cluster.

# pvesm status
Name         Type     Status           Total            Used       Available        %
data      lvmthin     active       489975808       128226668       361749139   26.17%
local         dir     active       483595136         8399744       475195392    1.74%
pbs           pbs     active      1895890924        71930076      1727581152    3.79%
zpool     zfspool     active       483655680         8460184       475195496    1.75%

Restore the container with the option --unprivileged 0 to make it privileged.

pct restore <CONTAINER_ID> /var/lib/vz/dump/vzdump-lxc-<CONTAINER_ID>-<DATE>.tar \
--storage <storage_pool> --unprivileged 0

For example:

pct restore 110 /var/lib/vz/dump/vzdump-lxc-110-2024_07_22-13_40_50.tar \
--unprivileged 0 --storage data

Command execution output:

recovering backed-up configuration from '/var/lib/vz/dump/115/vzdump-lxc-115-2024_07_22-20_47_32.tar'
  Logical volume "vm-115-disk-0" created.
Creating filesystem with 7864320 4k blocks and 1966080 inodes
Filesystem UUID: d7618d87-f795-4667-9e7c-6954cd829558
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
restoring '/var/lib/vz/dump/115/vzdump-lxc-115-2024_07_22-20_47_32.tar' now..
extracting archive '/var/lib/vz/dump/115/vzdump-lxc-115-2024_07_22-20_47_32.tar'
Total bytes read: 6965800960 (6.5GiB, 203MiB/s)
merging backed-up and given configuration..

Step 5: Start the container

After restoration, start the container:

pct start 110

Option 2: Automated recreation method

There is a bash script we created in our Github repository that you can use to automate the process.

git clone https://github.com/cloudspinx/proxmox_scripts.git

Change into the directory:

cd proxmox_scripts

Run the script to recreate container as privileged:

bash recreate_container_as_privileged.sh

Input the container ID, storage pool name to proceed with the backup, destroy and restore operations.

Your IT Journey Starts Here!

Ready to level up your IT skills? Our new eLearning platform is coming soon to help you master the latest technologies.

Be the first to know when we launch! Join our waitlist now.

Join our Linux and open source community. Subscribe to our newsletter for tips, tricks, and collaboration opportunities!

Recent Post

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Post

The web browser is the key arsenal that we use to browse the internet. If you want to access information […]

In this guide,we will look at how you can install Java 11 on Oracle Linux 8. Java is a widely […]

The adoption of Containers and microservice architectures has been amazing and speedy in the past few years. Docker is widely […]

Let's Connect

Unleash the full potential of your business with CloudSpinx. Our expert solutions specialists are standing by to answer your questions and tailor a plan that perfectly aligns with your unique needs.
You will get a response from our solutions specialist within 12 hours
We understand emergencies can be stressful. For immediate assistance, chat with us now

Contact CloudSpinx today!

Download CloudSpinx Profile

Discover the full spectrum of our expertise and services by downloading our detailed Company Profile. Simply enter your first name, last name, and email address.