gioxx/tune-pct.sh

## tune-pct.sh
#!/usr/bin/env bash
# Proxmox LXC tuning script
# Usage: sudo ./tune-pct.sh <CTID>
# Applies:
#   - pct set <CTID> -features nesting=1,keyctl=1
#   - AppArmor unconfined
#   - Allow all devices via cgroup2
#   - Empty cap drop line
#   - pct restart <CTID>

set -euo pipefail

# --- Helpers ---------------------------------------------------------------

usage() {
  echo "Usage: sudo $0 <CTID>"
  echo "Example: sudo $0 801"
  exit 1
}

require_root() {
  if [[ ${EUID} -ne 0 ]]; then
    echo "Error: this script must be run as root." >&2
    exit 1
  fi
}

ensure_ct_exists() {
  local ctid="$1"
  if ! pct config "$ctid" >/dev/null 2>&1; then
    echo "Error: container $ctid does not exist." >&2
    exit 1
  fi
}

ensure_line_in_file() {
  # Appends the exact line to the file if it does not already exist.
  local line="$1"
  local file="$2"
  if ! grep -qF -- "$line" "$file"; then
    echo "$line" >>"$file"
  fi
}

# --- Main ------------------------------------------------------------------

main() {
  [[ $# -eq 1 ]] || usage
  require_root

  local CTID="$1"
  [[ "$CTID" =~ ^[0-9]+$ ]] || { echo "Error: CTID must be numeric."; exit 1; }

  ensure_ct_exists "$CTID"

  local CFG="/etc/pve/lxc/${CTID}.conf"

  # Safety backup before editing
  if [[ -f "$CFG" ]]; then
    cp -a "$CFG" "${CFG}.bak.$(date +%Y%m%d-%H%M%S)"
  else
    echo "Error: config file $CFG not found." >&2
    exit 1
  fi

  echo ">> Enabling features nesting=1,keyctl=1 on CT $CTID…"
  pct set "$CTID" -features nesting=1,keyctl=1

  echo ">> Ensuring required lines are present in $CFG…"
  ensure_line_in_file "lxc.apparmor.profile: unconfined" "$CFG"
  ensure_line_in_file "lxc.cgroup2.devices.allow: a" "$CFG"
  # An empty value after the colon is intentional
  ensure_line_in_file "lxc.cap.drop:" "$CFG"

  echo ">> Restarting CT $CTID…"
  pct reboot "$CTID"

  echo "Done."
}

main "$@"
	#!/usr/bin/env bash
	# Proxmox LXC tuning script
	# Usage: sudo ./tune-pct.sh <CTID>
	# Applies:
	# - pct set <CTID> -features nesting=1,keyctl=1
	# - AppArmor unconfined
	# - Allow all devices via cgroup2
	# - Empty cap drop line
	# - pct restart <CTID>

	set -euo pipefail

	# --- Helpers ---------------------------------------------------------------

	usage() {
	echo "Usage: sudo $0 <CTID>"
	echo "Example: sudo $0 801"
	exit 1
	}

	require_root() {
	if [[ ${EUID} -ne 0 ]]; then
	echo "Error: this script must be run as root." >&2
	exit 1
	fi
	}

	ensure_ct_exists() {
	local ctid="$1"
	if ! pct config "$ctid" >/dev/null 2>&1; then
	echo "Error: container $ctid does not exist." >&2
	exit 1
	fi
	}

	ensure_line_in_file() {
	# Appends the exact line to the file if it does not already exist.
	local line="$1"
	local file="$2"
	if ! grep -qF -- "$line" "$file"; then
	echo "$line" >>"$file"
	fi
	}

	# --- Main ------------------------------------------------------------------

	main() {
	[[ $# -eq 1 ]] \|\| usage
	require_root

	local CTID="$1"
	[[ "$CTID" =~ ^[0-9]+$ ]] \|\| { echo "Error: CTID must be numeric."; exit 1; }

	ensure_ct_exists "$CTID"

	local CFG="/etc/pve/lxc/${CTID}.conf"

	# Safety backup before editing
	if [[ -f "$CFG" ]]; then
	cp -a "$CFG" "${CFG}.bak.$(date +%Y%m%d-%H%M%S)"
	else
	echo "Error: config file $CFG not found." >&2
	exit 1
	fi

	echo ">> Enabling features nesting=1,keyctl=1 on CT $CTID…"
	pct set "$CTID" -features nesting=1,keyctl=1

	echo ">> Ensuring required lines are present in $CFG…"
	ensure_line_in_file "lxc.apparmor.profile: unconfined" "$CFG"
	ensure_line_in_file "lxc.cgroup2.devices.allow: a" "$CFG"
	# An empty value after the colon is intentional
	ensure_line_in_file "lxc.cap.drop:" "$CFG"

	echo ">> Restarting CT $CTID…"
	pct reboot "$CTID"

	echo "Done."
	}

	main "$@"
No results found