[pve-devel] [PATCH container 4/4] seccomp config: adapt to new lxc-syscalld runtime directory

Fiona Ebner f.ebner at proxmox.com
Tue May 13 12:56:52 CEST 2025


The lxc-syscalld now uses a different runtime directory. Its old
runtime directory was /run/pve, which was also used for other things,
e.g. storage tunnel and mtunnel sockets and container stderr logs as
well as pull metrics. The fact that it would be recreated on service
restart is problematic, so the runtime directory was changed.

Note that this configuration is only used for containers with the
experimental 'mknod' feature enabled.

For already running containers, a symbolic link is put into place by
the new version of pve-lxc-syscalld, but newly started ones should
always use the new socket path as soon as it is available. Only use
the old socket path if the old version of pve-lxc-syscalld is still
used. The heuristic to check this is:
1. the new socket path doesn't exist
2. the old socket path exists
3. the old socket path is not a symbolic link

Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
 src/PVE/LXC.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 2b9f0cf..c42fdde 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -525,7 +525,15 @@ sub make_seccomp_config {
 	    die "'mknod' feature requested, but kernel too old (found $kernel, required >= 5.3)\n";
 	}
 
-	$raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n";
+	# TODO PVE 10 - always use new socket path
+	my $old_socket_path = '/run/pve/lxc-syscalld.sock';
+	my $new_socket_path = '/run/pve-lxc-syscalld/lxc-syscalld.sock';
+
+	if (!-e $new_socket_path && -e $old_socket_path && !-l $old_socket_path) {
+	    $raw_conf .= "lxc.seccomp.notify.proxy = unix:$old_socket_path\n";
+	} else {
+	    $raw_conf .= "lxc.seccomp.notify.proxy = unix:$new_socket_path\n";
+	}
 	$raw_conf .= "lxc.seccomp.notify.cookie = $vmid\n";
 
 	$rules->{mknod} = [
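Review bot: the fallback condition at `if (!-e $new_socket_path && -e $old_socket_path && !-l $old_socket_path)` encodes the three-step heuristic from the commit message, but the inline `# TODO PVE 10` comment does not explain it, and the fall-through case (neither socket present, e.g. while the daemon is restarting and, per the commit message, /run/pve is being recreated) silently selects the new path even on a host that still runs the old pve-lxc-syscalld. Consider a short comment above the condition stating the three checks and that the "neither exists" case intentionally favours the new daemon, or moving the check into a small helper such as `lxc_syscalld_socket_path()` so the intent is documented in one place and the condition is easier to drop for PVE 10. Note also that the check only tests for existence of the socket file, not that anything listens on it, so a stale old socket left behind after an upgrade would still select the old path until the new daemon has created its socket.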
-- 
2.39.5