From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 9C6CA1FF183
	for <inbox@lore.proxmox.com>; Tue, 13 May 2025 12:57:18 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 0C1AA1EFEF;
	Tue, 13 May 2025 12:57:30 +0200 (CEST)
From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue, 13 May 2025 12:56:52 +0200
Message-Id: <20250513105652.67403-5-f.ebner@proxmox.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250513105652.67403-1-f.ebner@proxmox.com>
References: <20250513105652.67403-1-f.ebner@proxmox.com>
MIME-Version: 1.0
Subject: [pve-devel] [PATCH container 4/4] seccomp config: adapt to new
 lxc-syscalld runtime directory
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

The lxc-syscalld now uses a different runtime directory. Its old
runtime directory was /run/pve, which was also used for other things,
e.g. storage tunnel and mtunnel sockets and container stderr logs as
well as pull metrics. The fact that it would be recreated on service
restart is problematic, so the runtime directory was changed.

Note that this configuration is only used for containers with the
experimental 'mknod' feature enabled.

For already running containers, a symbolic link is put into place by
the new version of pve-lxc-syscalld, but newly started ones should
always use the new socket path as soon as it is available. Only use
the old socket path if the old version of pve-lxc-syscalld is still
used. The heuristic to check this is:
1. the new socket path doesn't exist
2. the old socket path exists
3. the old socket path is not a symbolic link

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/LXC.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 2b9f0cf..c42fdde 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -525,7 +525,15 @@ sub make_seccomp_config {
 	    die "'mknod' feature requested, but kernel too old (found $kernel, required >= 5.3)\n";
 	}
 
-	$raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n";
+	# TODO PVE 10 - always use new socket path
+	my $old_socket_path = '/run/pve/lxc-syscalld.sock';
+	my $new_socket_path = '/run/pve-lxc-syscalld/lxc-syscalld.sock';
+
+	if (!-e $new_socket_path && -e $old_socket_path && !-l $old_socket_path) {
+	    $raw_conf .= "lxc.seccomp.notify.proxy = unix:$old_socket_path\n";
+	} else {
+	    $raw_conf .= "lxc.seccomp.notify.proxy = unix:$new_socket_path\n";
+	}
 	$raw_conf .= "lxc.seccomp.notify.cookie = $vmid\n";
 
 	$rules->{mknod} = [
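Review bot: the three-part condition on the new `if` line is the heuristic the commit message describes, but in the code it is only accompanied by the `# TODO PVE 10` marker; a short comment above the `if` stating that the old path is chosen only while the pre-upgrade pve-lxc-syscalld is still running (new socket absent, old socket present and a real socket rather than the compatibility symlink), and that the fall-through to `$new_socket_path` when neither socket exists is the intended default, would make the condition self-explanatory for whoever later removes it. Note for the record that `-e $old_socket_path` follows symlinks, so a dangling compatibility link already yields false and lands in the `else` branch, which is the desired behaviour.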
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel