From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue, 13 May 2025 12:56:52 +0200
Message-Id: <20250513105652.67403-5-f.ebner@proxmox.com>
In-Reply-To: <20250513105652.67403-1-f.ebner@proxmox.com>
References: <20250513105652.67403-1-f.ebner@proxmox.com>
Subject: [pve-devel] [PATCH container 4/4] seccomp config: adapt to new lxc-syscalld runtime directory

The lxc-syscalld now uses a different runtime directory. Its old runtime
directory was /run/pve, which was also used for other things, e.g. storage
tunnel and mtunnel sockets and container stderr logs as well as pull
metrics. The fact that it would be recreated on service restart is
problematic, so the runtime directory was changed.

Note that this configuration is only used for containers with the
experimental 'mknod' feature enabled.

For already running containers, a symbolic link is put into place by the
new version of pve-lxc-syscalld, but newly started ones should always use
the new socket path as soon as it is available. Only use the old socket
path if the old version of pve-lxc-syscalld is still used. The heuristic
to check this is:

1. the new socket path doesn't exist
2. the old socket path exists
3. the old socket path is not a symbolic link

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/LXC.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index 2b9f0cf..c42fdde 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -525,7 +525,15 @@ sub make_seccomp_config { die "'mknod' feature requested, but kernel too old (found $kernel, required >= 5.3)\n"; } - $raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n"; + # TODO PVE 10 - always use new socket path + my $old_socket_path = '/run/pve/lxc-syscalld.sock'; + my $new_socket_path = '/run/pve-lxc-syscalld/lxc-syscalld.sock'; + + if (!-e $new_socket_path && -e $old_socket_path && !-l $old_socket_path) { + $raw_conf .= "lxc.seccomp.notify.proxy = unix:$old_socket_path\n"; + } else { + $raw_conf .= "lxc.seccomp.notify.proxy = unix:$new_socket_path\n"; + } $raw_conf .= "lxc.seccomp.notify.cookie = $vmid\n"; $rules->{mknod} = [ -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
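Review bot: the three-part heuristic in the `if` condition is only explained in the commit message; the in-code comment is just the "TODO PVE 10" line, so a future reader of make_seccomp_config cannot tell why `!-l $old_socket_path` matters (the new pve-lxc-syscalld leaves a symlink at the old location for already running containers, and that symlink must not be taken as evidence of the old daemon). Please carry a short version of that reasoning into a comment above the condition. Also, the two branches differ only in the path they interpolate, so selecting the path first and appending once reads cleaner and avoids duplicating the config key:
`my $socket_path = (!-e $new_socket_path && -e $old_socket_path && !-l $old_socket_path) ? $old_socket_path : $new_socket_path;`
`$raw_conf .= "lxc.seccomp.notify.proxy = unix:$socket_path\n";`
Note that when neither socket exists (daemon not running at all) the code silently emits the new path; that is the right default, but it may be worth stating in the comment so nobody later mistakes it for an unhandled case.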