diff --git a/misc/build.func b/misc/build.func index b4e10afc3..461ee991f 100644 --- a/misc/build.func +++ b/misc/build.func @@ -535,6 +535,12 @@ base_settings() { TAGS="community-script,${var_tags:-}" ENABLE_FUSE=${var_fuse:-"${1:-no}"} ENABLE_TUN=${var_tun:-"${1:-no}"} + ENABLE_NESTING=${var_nesting:-"${1:-1}"} + ENABLE_KEYCTL=${var_keyctl:-"${1:-0}"} + ALLOW_MOUNT_FS=${var_mount_fs:-""} + ENABLE_MKNOD=${var_mknod:-"${1:-0}"} + PROTECT_CT=${var_protection:-"${1:-no}"} + CT_TIMEZONE=${var_timezone:-""} # Since these 2 are only defined outside of default_settings function, we add a temporary fallback. TODO: To align everything, we should add these as constant variables (e.g. OSTYPE and OSVERSION), but that would currently require updating the default_settings function for all existing scripts if [ -z "$var_os" ]; then @@ -558,9 +564,9 @@ default_var_settings() { # Allowed var_* keys (alphabetically sorted) # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique) local VAR_WHITELIST=( - var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse - var_gateway var_hostname var_ipv6_method var_mac var_mtu - var_net var_ns var_pw var_ram var_tags var_tun var_unprivileged + var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_keyctl + var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu + var_net var_nesting var_ns var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged var_verbose var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage ) @@ -638,6 +644,14 @@ var_ssh=no # Features/Tags/verbosity var_fuse=no var_tun=no + +# Advanced Settings (Proxmox-official features) +var_nesting=1 # Allow nesting (required for Docker/LXC in CT) +var_keyctl=0 # Allow keyctl() - needed for Docker (systemd-networkd workaround) +var_mknod=0 # Allow device node creation (requires kernel 5.3+, experimental) +var_mount_fs= # Allow specific filesystems: nfs,fuse,ext4,etc (leave empty for defaults) +var_protection=no # Prevent accidental deletion of container +var_timezone= # Container timezone (e.g. Europe/Berlin, leave empty for host timezone) var_tags=community-script var_verbose=no @@ -904,6 +918,12 @@ _build_current_app_vars_tmp() { _apt_cacher_ip="${APT_CACHER_IP:-}" _fuse="${ENABLE_FUSE:-no}" _tun="${ENABLE_TUN:-no}" + _nesting="${ENABLE_NESTING:-1}" + _keyctl="${ENABLE_KEYCTL:-0}" + _mknod="${ENABLE_MKNOD:-0}" + _mount_fs="${ALLOW_MOUNT_FS:-}" + _protect="${PROTECT_CT:-no}" + _timezone="${CT_TIMEZONE:-}" _tags="${TAGS:-}" _verbose="${VERBOSE:-no}" @@ -947,6 +967,12 @@ _build_current_app_vars_tmp() { [ -n "$_fuse" ] && echo "var_fuse=$(_sanitize_value "$_fuse")" [ -n "$_tun" ] && echo "var_tun=$(_sanitize_value "$_tun")" + [ -n "$_nesting" ] && echo "var_nesting=$(_sanitize_value "$_nesting")" + [ -n "$_keyctl" ] && echo "var_keyctl=$(_sanitize_value "$_keyctl")" + [ -n "$_mknod" ] && echo "var_mknod=$(_sanitize_value "$_mknod")" + [ -n "$_mount_fs" ] && echo "var_mount_fs=$(_sanitize_value "$_mount_fs")" + [ -n "$_protect" ] && echo "var_protection=$(_sanitize_value "$_protect")" + [ -n "$_timezone" ] && echo "var_timezone=$(_sanitize_value "$_timezone")" [ -n "$_tags" ] && echo "var_tags=$(_sanitize_value "$_tags")" [ -n "$_verbose" ] && echo "var_verbose=$(_sanitize_value "$_verbose")" @@ -1529,6 +1555,51 @@ advanced_settings() { configure_ssh_settings export SSH_KEYS_FILE echo -e "${ROOTSSH}${BOLD}${DGN}Root SSH Access: ${BGN}$SSH${CL}" + + # Advanced Settings - Proxmox Features + if (whiptail --backtitle "Proxmox VE Helper Scripts" --title "ADVANCED SETTINGS" --yesno "Configure Advanced Proxmox Features?" 10 58); then + # keyctl: for Docker support + if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Enable keyctl()" --yesno "Allow keyctl() system calls?\n\nNeeded for: Docker inside container, systemd-networkd\nDefault: No (not needed for most applications)" 10 58); then + ENABLE_KEYCTL="1" + else + ENABLE_KEYCTL="0" + fi + echo -e "${SEARCH}${BOLD}${DGN}Allow keyctl(): ${BGN}$ENABLE_KEYCTL${CL}" + + # mknod: device node creation + if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Enable mknod()" --yesno "Allow device node creation?\n\nNeeded for: Complex device management (experimental, kernel 5.3+)\nDefault: No (rarely needed)" 10 58); then + ENABLE_MKNOD="1" + else + ENABLE_MKNOD="0" + fi + echo -e "${SEARCH}${BOLD}${DGN}Allow mknod(): ${BGN}$ENABLE_MKNOD${CL}" + + # mount: specific filesystems + if MOUNT_FS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Allow specific filesystems (e.g., nfs,fuse,ext4)\nLeave blank for defaults" 8 58 "$ALLOW_MOUNT_FS" --title "Mount Filesystems" 3>&1 1>&2 2>&3); then + ALLOW_MOUNT_FS="$MOUNT_FS" + [ -z "$ALLOW_MOUNT_FS" ] && ALLOW_MOUNT_FS="(defaults)" + else + exit_script + fi + echo -e "${SEARCH}${BOLD}${DGN}Mount Filesystems: ${BGN}$ALLOW_MOUNT_FS${CL}" + + # Container protection + if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "Protection Flag" --yesno "Prevent accidental deletion?\n\nIf enabled, container cannot be deleted or its disk modified\nDefault: No" 10 58); then + PROTECT_CT="yes" + else + PROTECT_CT="no" + fi + echo -e "${SEARCH}${BOLD}${DGN}Container Protection: ${BGN}$PROTECT_CT${CL}" + + # Container timezone + if CT_TIMEZONE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox "Set container timezone (e.g., Europe/Berlin)\nLeave blank to use host timezone" 8 58 "$CT_TIMEZONE" --title "Container Timezone" 3>&1 1>&2 2>&3); then + [ -z "$CT_TIMEZONE" ] && CT_TIMEZONE="(host)" + else + exit_script + fi + echo -e "${SEARCH}${BOLD}${DGN}Container Timezone: ${BGN}$CT_TIMEZONE${CL}" + fi + if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "FUSE Support" --yesno "Enable FUSE support?\nRequired for tools like rclone, mergerfs, AppImage, etc." 10 58); then ENABLE_FUSE="yes" else @@ -1829,13 +1900,12 @@ settings_menu() { local settings_items=( "1" "Manage API-Diagnostic Setting" "2" "Edit Default.vars" - "3" "Edit Default Storage" ) if [ -f "$(get_app_defaults_path)" ]; then - settings_items+=("4" "Edit App.vars for ${APP}") - settings_items+=("5" "Exit") - else + settings_items+=("3" "Edit App.vars for ${APP}") settings_items+=("4" "Exit") + else + settings_items+=("3" "Exit") fi local choice @@ -2196,16 +2266,31 @@ build_container() { none) ;; esac - if [ "$CT_TYPE" == "1" ]; then - FEATURES="keyctl=1,nesting=1" - else - FEATURES="nesting=1" + # Build FEATURES string with advanced settings + # Start with nesting (almost always enabled for Proxmox CTs) + FEATURES="nesting=${ENABLE_NESTING}" + + # keyctl: needed for Docker inside containers (systemd-networkd workaround) + # Typically needed for unprivileged containers with Docker + if [ "$CT_TYPE" == "1" ] || [ "$ENABLE_KEYCTL" == "1" ]; then + FEATURES="$FEATURES,keyctl=1" fi + # mknod: allow device node creation (requires kernel 5.3+, experimental) + if [ "$ENABLE_MKNOD" == "1" ]; then + FEATURES="$FEATURES,mknod=1" + fi + + # FUSE: required for rclone, mergerfs, AppImage, etc. if [ "$ENABLE_FUSE" == "yes" ]; then FEATURES="$FEATURES,fuse=1" fi + # mount: allow specific filesystems (e.g., nfs, ext4, etc.) + if [ -n "$ALLOW_MOUNT_FS" ]; then + FEATURES="$FEATURES,mount=$ALLOW_MOUNT_FS" + fi + TEMP_DIR=$(mktemp -d) pushd "$TEMP_DIR" >/dev/null if [ "$var_os" == "alpine" ]; then @@ -2239,9 +2324,27 @@ build_container() { export CTTYPE="$CT_TYPE" export ENABLE_FUSE="$ENABLE_FUSE" export ENABLE_TUN="$ENABLE_TUN" + export ENABLE_NESTING="$ENABLE_NESTING" + export ENABLE_KEYCTL="$ENABLE_KEYCTL" + export ENABLE_MKNOD="$ENABLE_MKNOD" + export ALLOW_MOUNT_FS="$ALLOW_MOUNT_FS" + export PROTECT_CT="$PROTECT_CT" + export CT_TIMEZONE="$CT_TIMEZONE" export PCT_OSTYPE="$var_os" export PCT_OSVERSION="$var_version" export PCT_DISK_SIZE="$DISK_SIZE" + # Build protection flag if enabled + _PROT_FLAG="" + if [ "$PROTECT_CT" == "yes" ]; then + _PROT_FLAG="-protection 1" + fi + + # Build timezone flag if set + _TZ_FLAG="" + if [ -n "$CT_TIMEZONE" ]; then + _TZ_FLAG="-timezone $CT_TIMEZONE" + fi + export PCT_OPTIONS=" -features $FEATURES -hostname $HN @@ -2253,6 +2356,8 @@ build_container() { -cores $CORE_COUNT -memory $RAM_SIZE -unprivileged $CT_TYPE + $_PROT_FLAG + $_TZ_FLAG $PW " export TEMPLATE_STORAGE="${var_template_storage:-}"