disable keyctl in user namespaces

systemd-networkd keeps trying to use keyctl() and if it
refuses to work it is apparently a fatal error, so let's
make it think keyctl() support doesn't actually exist by
letting it always fail with ENOSYS.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/Makefile b/src/Makefile
index 08d1f4dc107093f8f671ba924ebe146c86a2da1d..f68eb5d1eab08492ae1a4ccead7ea0567776312a 100644 (file)
--- a/src/Makefile
+++ b/src/Makefile
@@ -9,7 +9,8 @@ DOCDIR=${PREFIX}/share/doc/${PACKAGE}
 LXC_SCRIPT_DIR=${PREFIX}/share/lxc
 LXC_TMPL_DIR=${LXC_SCRIPT_DIR}/templates
 LXC_HOOK_DIR=${LXC_SCRIPT_DIR}/hooks
-LXC_COMMON_CONFIG_DIR=${LXC_SCRIPT_DIR}/config/common.conf.d
+LXC_CONFIG_DIR=${LXC_SCRIPT_DIR}/config
+LXC_COMMON_CONFIG_DIR=${LXC_CONFIG_DIR}/common.conf.d
 SERVICEDIR=${DESTDIR}/lib/systemd/system
 PODDIR=${DOCDIR}/pod
 MAN1DIR=${MANDIR}/man1/
@@ -32,7 +33,7 @@ check: test
        make -C test
 
 .PHONY: install
-install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-poststop-hook lxcnetaddbr pct.1 pct.conf.5 pct.bash-completion
+install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-poststop-hook lxcnetaddbr pct.1 pct.conf.5 pct.bash-completion pve-userns.seccomp
        PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::pct; PVE::CLI::pct->verify_api();"
        install -d ${SBINDIR}
        install -m 0755 pct ${SBINDIR}
@@ -46,6 +47,8 @@ install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-pos
        install -m 0755 lxc-pve-prestart-hook ${LXC_HOOK_DIR}
        install -m 0755 lxc-pve-autodev-hook ${LXC_HOOK_DIR}
        install -m 0755 lxc-pve-poststop-hook ${LXC_HOOK_DIR}
+       install -d ${LXC_CONFIG_DIR}
+       install -m 0644 pve-userns.seccomp ${LXC_CONFIG_DIR}/pve-userns.seccomp
        install -d ${LXC_COMMON_CONFIG_DIR}
        install -m 0644 lxc-pve.conf ${LXC_COMMON_CONFIG_DIR}/01-pve.conf
        install -m 0644 -D pct.bash-completion ${BASHCOMPLDIR}/pct
@@ -64,6 +67,11 @@ install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-pos
        install -m 0644 pve-reboot.conf ${SERVICEDIR}/lxc@.service.d/
        install -m 0755 lxc-pve-reboot-trigger ${LXC_SCRIPT_DIR}
 
+pve-userns.seccomp: /usr/share/lxc/config/common.seccomp
+       cp $< $@
+       echo 'keyctl errno 38' >> $@
+
+
 .PHONY: test
 test:
        make -C test test

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 12310efaccbf4cd0221630c717ad5da12426d79d..423ce21dd07c27d3852603622c1a3f0017a4026a 100644 (file)
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -362,13 +362,15 @@ sub update_lxc_config {
 
     my $ostype = $conf->{ostype} || die "missing 'ostype' - internal error";
 
-    my $inc ="/usr/share/lxc/config/$ostype.common.conf";
-    $inc ="/usr/share/lxc/config/common.conf" if !-f $inc;
+    my $cfgpath = '/usr/share/lxc/config';
+    my $inc = "$cfgpath/$ostype.common.conf";
+    $inc ="$cfgpath/common.conf" if !-f $inc;
     $raw .= "lxc.include = $inc\n";
     if ($unprivileged || $custom_idmap) {
-       $inc = "/usr/share/lxc/config/$ostype.userns.conf";
-       $inc = "/usr/share/lxc/config/userns.conf" if !-f $inc;
-       $raw .= "lxc.include = $inc\n"
+       $inc = "$cfgpath/$ostype.userns.conf";
+       $inc = "$cfgpath/userns.conf" if !-f $inc;
+       $raw .= "lxc.include = $inc\n";
+       $raw .= "lxc.seccomp.profile = $cfgpath/pve-userns.seccomp\n";
     }
 
     # WARNING: DO NOT REMOVE this without making sure that loop device nodes