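#!/bin/bash
# =====================================================================
# Fix: Docker in unprivileged LXC containers
# =====================================================================
# Both NPM (CT 122) and Guacamole (CT 121) fail with:
#   "open sysctl net.ipv4.ip_unprivileged_port_start: permission denied"
#
# Fix: Set AppArmor profile to unconfined.
# Run on Proxmox host (10.0.0.240) as root.
# Run THIS script first, then fix-guac-npm.sh second.
#
# Security note: "unconfined" removes AppArmor confinement from the whole
# container, not only from the Docker daemon inside it. Afterwards the
# container relies on the remaining LXC isolation (the header above says
# these CTs are unprivileged). Treat this as a workaround: keep it limited
# to the CTs listed in the loop, record the change, and revert the profile
# line once the host/runtime packages no longer require it.
# =====================================================================

set -euo pipefail

for CT_ID in 121 122; do
  CT_CONF="/etc/pve/lxc/${CT_ID}.conf"

  # Refuse to continue without an existing config: the append further down
  # would otherwise create a stray file for a container that is not here.
  if [[ ! -f "${CT_CONF}" ]]; then
    printf 'error: %s not found; is CT %s on this node?\n' \
      "${CT_CONF}" "${CT_ID}" >&2
    exit 1
  fi

  # The hostname is only used in the banner. Match the key exactly and do
  # not let a missing entry abort the run under `set -e -o pipefail`.
  CT_NAME=$(pct config "${CT_ID}" \
    | awk '$1 == "hostname:" && !seen++ {print $2}') || true
  CT_NAME=${CT_NAME:-unknown}

  echo "=== Fixing CT ${CT_ID} (${CT_NAME}) ==="

  # Stop the container only when it is running, so that a genuine stop
  # failure is reported instead of being hidden behind `|| true`. The
  # status is captured first: piping into `grep -q` under pipefail can
  # report failure when grep exits early.
  CT_STATUS=$(pct status "${CT_ID}")
  if [[ "${CT_STATUS}" == *running* ]]; then
    pct stop "${CT_ID}"
  fi
  sleep 3

  # NOTE(review): Proxmox guest configs can carry "[name]" sections
  # (snapshots, pending changes) after the live settings. A line appended
  # at the end of the file, or rewritten by sed, may then land in such a
  # section rather than in the live config. Warn so the operator checks.
  if grep -q '^\[' "${CT_CONF}"; then
    printf 'warning: %s contains [section] blocks; verify the profile line is in the live config\n' \
      "${CT_CONF}" >&2
  fi

  # Detect the entry with the same anchored pattern that sed rewrites.
  # The previous unanchored check also matched commented-out or differently
  # formatted lines, in which case sed changed nothing and no profile line
  # was added at all.
  CT_PREVIOUS=$(grep -m1 '^lxc\.apparmor\.profile:' "${CT_CONF}" || true)
  if [[ -n "${CT_PREVIOUS}" ]]; then
    # Log the old value so the change can be reverted later.
    echo " Replacing existing entry: ${CT_PREVIOUS}"
    sed -i 's/^lxc\.apparmor\.profile:.*/lxc.apparmor.profile: unconfined/' "${CT_CONF}"
  else
    echo "lxc.apparmor.profile: unconfined" >> "${CT_CONF}"
  fi

  pct start "${CT_ID}"
  sleep 5
  pct exec "${CT_ID}" -- systemctl restart docker
  sleep 3
  echo " Done"
done

echo ""
echo "AppArmor fix applied to CT 121 and 122."
echo "Now run: ./fix-guac-npm.sh"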