From: Wolfgang Bumiller Date: Fri, 16 Mar 2018 08:12:41 +0000 (+0100) Subject: disable keyctl in user namespaces X-Git-Url: https://git.proxmox.com/?p=pve-container.git;a=commitdiff_plain;h=059f7bb4240159d06701b78dad0caaa47a5965cf disable keyctl in user namespaces systemd-networkd keeps trying to use keyctl() and if it refuses to work it is apparently a fatal error, so let's make it think keyctl() support doesn't actually exist by letting it always fail with ENOSYS. Signed-off-by: Wolfgang Bumiller --- diff --git a/src/Makefile b/src/Makefile index 08d1f4d..f68eb5d 100644 --- a/src/Makefile +++ b/src/Makefile @@ -9,7 +9,8 @@ DOCDIR=${PREFIX}/share/doc/${PACKAGE} LXC_SCRIPT_DIR=${PREFIX}/share/lxc LXC_TMPL_DIR=${LXC_SCRIPT_DIR}/templates LXC_HOOK_DIR=${LXC_SCRIPT_DIR}/hooks -LXC_COMMON_CONFIG_DIR=${LXC_SCRIPT_DIR}/config/common.conf.d +LXC_CONFIG_DIR=${LXC_SCRIPT_DIR}/config +LXC_COMMON_CONFIG_DIR=${LXC_CONFIG_DIR}/common.conf.d SERVICEDIR=${DESTDIR}/lib/systemd/system PODDIR=${DOCDIR}/pod MAN1DIR=${MANDIR}/man1/ @@ -32,7 +33,7 @@ check: test make -C test .PHONY: install -install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-poststop-hook lxcnetaddbr pct.1 pct.conf.5 pct.bash-completion +install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-poststop-hook lxcnetaddbr pct.1 pct.conf.5 pct.bash-completion pve-userns.seccomp PVE_GENERATING_DOCS=1 perl -I. -T -e "use PVE::CLI::pct; PVE::CLI::pct->verify_api();" install -d ${SBINDIR} install -m 0755 pct ${SBINDIR} 
@@ -46,6 +47,8 @@ install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-pos install -m 0755 lxc-pve-prestart-hook ${LXC_HOOK_DIR} install -m 0755 lxc-pve-autodev-hook ${LXC_HOOK_DIR} install -m 0755 lxc-pve-poststop-hook ${LXC_HOOK_DIR} + install -d ${LXC_CONFIG_DIR} + install -m 0644 pve-userns.seccomp ${LXC_CONFIG_DIR}/pve-userns.seccomp install -d ${LXC_COMMON_CONFIG_DIR} install -m 0644 lxc-pve.conf ${LXC_COMMON_CONFIG_DIR}/01-pve.conf install -m 0644 -D pct.bash-completion ${BASHCOMPLDIR}/pct @@ -64,6 +67,11 @@ install: pct lxc-pve.conf lxc-pve-prestart-hook lxc-pve-autodev-hook lxc-pve-pos install -m 0644 pve-reboot.conf ${SERVICEDIR}/lxc@.service.d/ install -m 0755 lxc-pve-reboot-trigger ${LXC_SCRIPT_DIR} +pve-userns.seccomp: /usr/share/lxc/config/common.seccomp + cp $< $@ + echo 'keyctl errno 38' >> $@ + + .PHONY: test test: make -C test test diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index 12310ef..423ce21 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -362,13 +362,15 @@ sub update_lxc_config { my $ostype = $conf->{ostype} || die "missing 'ostype' - internal error"; - my $inc ="/usr/share/lxc/config/$ostype.common.conf"; - $inc ="/usr/share/lxc/config/common.conf" if !-f $inc; + my $cfgpath = '/usr/share/lxc/config'; + my $inc = "$cfgpath/$ostype.common.conf"; + $inc ="$cfgpath/common.conf" if !-f $inc; $raw .= "lxc.include = $inc\n"; if ($unprivileged || $custom_idmap) { - $inc = "/usr/share/lxc/config/$ostype.userns.conf"; - $inc = "/usr/share/lxc/config/userns.conf" if !-f $inc; - $raw .= "lxc.include = $inc\n" + $inc = "$cfgpath/$ostype.userns.conf"; + $inc = "$cfgpath/userns.conf" if !-f $inc; + $raw .= "lxc.include = $inc\n"; + $raw .= "lxc.seccomp.profile = $cfgpath/pve-userns.seccomp\n"; } # WARNING: DO NOT REMOVE this without making sure that loop device nodes
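Review bot: The `pve-userns.seccomp` recipe is not atomic: `cp $< $@` followed by `echo 'keyctl errno 38' >> $@` leaves a complete-looking target with a fresh mtime if the echo step fails, and a later `make` then treats it as up to date and ships a profile without the keyctl rule; building into a temporary name avoids that, e.g. `{ cat $<; echo 'keyctl errno 38'; } > $@.tmp && mv $@.tmp $@`. A comment above the rule should also record two assumptions a packager would want spelled out: the profile is a build-time snapshot of the build host's lxc `common.seccomp` and will not follow later lxc updates on the target host, and `38` is ENOSYS on amd64 only (errno values differ on e.g. mips and alpha), which is fine only while the package stays amd64-only. The append also presumes the upstream file ends with a newline; if it does not, the appended rule is glued onto its last line, so a check or a `sed '$a keyctl errno 38'` form would be more robust. Note that only `keyctl` is affected while `add_key`/`request_key` still reach the kernel, so a program probing keyring support may see `add_key` succeed and `keyctl` fail with ENOSYS — if the goal is "keyrings do not exist here", treating all three the same is worth considering, after checking that nothing in the supported templates needs them.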
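Review bot: The added `lxc.seccomp.profile` line in update_lxc_config needs a why-comment, since it presumably replaces whatever profile the `lxc.include`d userns/common configs select and the reason only lives in the commit message; suggested: `# Use our own copy of lxc's seccomp profile so keyctl(2) fails with ENOSYS instead of being refused: systemd-networkd treats a refused keyctl as fatal but a missing syscall as unsupported.` It is worth stating in that comment that this applies to every unprivileged or custom-idmap container, not only those running systemd-networkd, and that such containers no longer pick up changes to the host's `common.seccomp` until pve-container is rebuilt. The rewritten fallback `$inc ="$cfgpath/common.conf" if !-f $inc;` keeps the missing space after `=` while its userns twin two lines below has it; `$inc = "$cfgpath/common.conf" if !-f $inc;` would make the pair consistent. update_lxc_config starts and ends outside this hunk.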