[pve-devel] applied: [PATCH container] disable keyctl in user namespaces

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Mar 20 16:07:44 CET 2018


applied

tested with a current Arch Linux CT template

On 3/16/18 9:12 AM, Wolfgang Bumiller wrote:
> systemd-networkd keeps trying to use keyctl() and if it
> refuses to work it is apparently a fatal error, so let's
> make it think keyctl() support doesn't actually exist by
> letting it always fail with ENOSYS.
> 
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> ---
>  src/Makefile   | 12 ++++++++++--
>  src/PVE/LXC.pm | 12 +++++++-----
>  2 files changed, 17 insertions(+), 7 deletions(-)
> 
> diff --git a/src/Makefile b/src/Makefile
> index 08d1f4d..f68eb5d 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -9,7 +9,8 @@ DOCDIR=${PREFIX}/share/doc/${PACKAGE}
>  LXC_SCRIPT_DIR=${PREFIX}/share/lxc
>  LXC_TMPL_DIR=${LXC_SCRIPT_DIR}/templates
>  LXC_HOOK_DIR=${LXC_SCRIPT_DIR}/hooks
> -LXC_COMMON_CONFIG_DIR=${LXC_SCRIPT_DIR}/config/common.conf.d
> +LXC_CONFIG_DIR=${LXC_SCRIPT_DIR}/config
> +LXC_COMMON_CONFIG_DIR=${LXC_CONFIG_DIR}/common.conf.d
>  SERVICEDIR=${DESTDIR}/lib/systemd/system
>  PODDIR=${DOCDIR}/pod
>  MAN1DIR=${MANDIR}/man1/
> @@ -32,7 +33,7 @@ check: test
>  	make -C test
>  
>  .PHONY: install
> -install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-poststop-hook lxcnetaddbr pct.1 pct.conf.5 pct.bash-completion
> +install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-poststop-hook lxcnetaddbr pct.1 pct.conf.5 pct.bash-completion pve-userns.seccomp
>  	PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::pct; PVE::CLI::pct->verify_api();"
>  	install -d ${SBINDIR}
>  	install -m 0755 pct ${SBINDIR}
> @@ -46,6 +47,8 @@ install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-pos
>  	install -m 0755 lxc-pve-prestart-hook ${LXC_HOOK_DIR}
>  	install -m 0755 lxc-pve-autodev-hook ${LXC_HOOK_DIR}
>  	install -m 0755 lxc-pve-poststop-hook ${LXC_HOOK_DIR}
> +	install -d ${LXC_CONFIG_DIR}
> +	install -m 0644 pve-userns.seccomp ${LXC_CONFIG_DIR}/pve-userns.seccomp
>  	install -d ${LXC_COMMON_CONFIG_DIR}
>  	install -m 0644 lxc-pve.conf ${LXC_COMMON_CONFIG_DIR}/01-pve.conf
>  	install -m 0644 -D pct.bash-completion ${BASHCOMPLDIR}/pct
> @@ -64,6 +67,11 @@ install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-pos
>  	install -m 0644 pve-reboot.conf ${SERVICEDIR}/lxc at .service.d/
>  	install -m 0755 lxc-pve-reboot-trigger ${LXC_SCRIPT_DIR}
>  
> +pve-userns.seccomp: /usr/share/lxc/config/common.seccomp
> +	cp $< $@
> +	echo 'keyctl errno 38' >> $@
> +
> +
>  .PHONY: test
>  test:
>  	make -C test test
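Review bot: The `cp $< $@` followed by `echo 'keyctl errno 38' >> $@` in the new pve-userns.seccomp rule is not safe against a partial failure: if the echo fails after the cp has succeeded, the target exists with a fresh timestamp and no keyctl line, and make will treat it as up to date on the next run, shipping a profile without the intended restriction. Building into a temporary file and renaming avoids that, `cp $< $@.tmp && echo 'keyctl errno 38' >> $@.tmp && mv $@.tmp $@`. The rule also bakes a build-time snapshot of the build host's /usr/share/lxc/config/common.seccomp into the package, and the appended line lands in whatever section closes that file, so an lxc upgrade on the target host is not reflected until pve-container is rebuilt and a future upstream profile ending in an arch-specific section would silently narrow the keyctl rule. A comment above the rule recording both points would help, e.g. `# 38 = ENOSYS (x86_64/arm64 — verify for other arches); appended to the last section of the build host's common.seccomp, re-check after lxc upgrades`.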
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index a107ec2..5733843 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -361,13 +361,15 @@ sub update_lxc_config {
>  
>      my $ostype = $conf->{ostype} || die "missing 'ostype' - internal error";
>  
> -    my $inc ="/usr/share/lxc/config/$ostype.common.conf";
> -    $inc ="/usr/share/lxc/config/common.conf" if !-f $inc;
> +    my $cfgpath = '/usr/share/lxc/config';
> +    my $inc = "$cfgpath/$ostype.common.conf";
> +    $inc ="$cfgpath/common.conf" if !-f $inc;
>      $raw .= "lxc.include = $inc\n";
>      if ($unprivileged || $custom_idmap) {
> -	$inc = "/usr/share/lxc/config/$ostype.userns.conf";
> -	$inc = "/usr/share/lxc/config/userns.conf" if !-f $inc;
> -	$raw .= "lxc.include = $inc\n"
> +	$inc = "$cfgpath/$ostype.userns.conf";
> +	$inc = "$cfgpath/userns.conf" if !-f $inc;
> +	$raw .= "lxc.include = $inc\n";
> +	$raw .= "lxc.seccomp.profile = $cfgpath/pve-userns.seccomp\n";
>      }
>  
>      # WARNING: DO NOT REMOVE this without making sure that loop device nodes
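Review bot: The new `lxc.seccomp.profile` line is emitted with no `-f` fallback, unlike the two `lxc.include` lookups just above it, so a missing or unreadable pve-userns.seccomp makes every unprivileged or custom-idmap container fail to start instead of silently running with keyctl re-enabled; that fail-closed behaviour is the right one but deserves a comment since it deliberately differs from the include handling, e.g. `# no fallback on purpose: a missing profile must fail the start rather than silently re-enable keyctl`. Because the line is appended after the includes, it overrides any seccomp profile the included userns config may itself set, which is presumably why the generated profile is derived from common.seccomp rather than written from scratch — worth stating in the commit message so nobody later "simplifies" it to a one-line file. Privileged containers are unaffected by this hunk and keep full keyctl access; if that is intentional it should be mentioned too. update_lxc_config starts and ends outside this hunk.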
> 




