Fun with #proxmox 9 and AppArmor continues.
https://blog.ktz.me/proxmox-9-made-unprivileged-lxcs-pointless-for-quicksync-users/
@jake if the argument for not putting things on the host, and using specifically LXC containers, is to improve security, then using a solution that the team that created it refers to as "minimally isolated", why bother?
For the record, I am perfectly happy with the isolation that Docker offers and I'm only exploring LXCs as part of a strawman argument - raised a month ago with my previous post - bemoaning AppArmor's quiet inclusion and heavy-handed approach to what it is trying to do.
I don't use a great deal of Proxmox's specific stuff. As a system, it isn't terribly sticky, but there isn't anything else that I know of that lets me cluster multiple systems together and keep an eye on things in one place quite like it does. And ships ZFS. And is entirely browser based so I don't need to fart around with clients on my local system. Moving away from Proxmox just as the project is gathering massive momentum is also frustrating, having now used it for approaching 10 years.
> LXC upstream's position is that those containers aren't and cannot be root-safe.
It's not ideal, but it's the only reliable way I've found of getting storage into an LXC. Docker doesn't do UID mapping, so I'd assume (and hope...) the security level is about the same. I'd love to find another solution.