[pve-devel] [PATCH-SERIES manager/container/lxc-syscalld v2 0/4] avoid using generic runtime directory name for pve-lxc-syscalld

[pve-devel] [PATCH-SERIES manager/container/lxc-syscalld v2 0/4] avoid using generic runtime directory name for pve-lxc-syscalld

[Fiona Ebner]

Changes in v2:
* rebase on current master
* rely on debhelper v13/dh_installtmpfiles
* use root:root 0750 permissions for /run/pve
* avoid redundancy in path for socket

The pve-lxc-syscalld systemd service currently uses /run/pve as a
runtime directory. This means, that when the service is restarted, the
directory will be recreated. But the /run/pve directory is not just
used as the runtime directory of this service, but also for other
things, e.g. storage tunnel and mtunnel sockets, container stderr logs
as well as pull metric cache and lock, which will be lost when the
service is restarted.

Versioned Breaks needed:

New pve-lxc-syscalld breaks old pve-container: when the experimental
'mknod' feature is used, which requires specifying the new socket path.

New pve-lxc-syscalld breaks old pve-manager: /run/pve is not
automatically created in the context of pull metrics yet.

manager:

Fiona Ebner (1):
  debian: add tpmfiles.d config to create /run/pve directory

 debian/tmpfiles | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 debian/tmpfiles


pve-container:

Fiona Ebner (1):
  seccomp config: adapt to new lxc-syscalld runtime directory

 src/PVE/LXC.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)


pve-lxc-syscalld:

Fiona Ebner (2):
  service: avoid using generic runtime directory name
  d/postinst: create link to new socket location on upgrade

 debian/postinst                 | 19 +++++++++++++++++++
 etc/pve-lxc-syscalld.service.in |  4 ++--
 2 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 debian/postinst


Summary over all repositories:
  4 files changed, 32 insertions(+), 3 deletions(-)

-- 
Generated by git-murpp 0.5.0


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager v2 1/4] debian: add tpmfiles.d config to create /run/pve directory

[Fiona Ebner]

The pve-lxc-syscalld systemd service currently uses /run/pve as a
runtime directory. This means, that when the service is restarted, the
directory will be recreated. But the /run/pve directory is not just
used as the runtime directory of this service, but also for other
things, e.g. storage tunnel and mtunnel sockets, container stderr logs
as well as pull metric cache and lock, which will be lost when the
service is restarted.

The plan is to give the service its own runtime directory that is only
used for that purpose and nothing else. However, this means the
/run/pve directory will not get created automatically anymore (e.g.
pull metric relies on the existence already). Add this tmpfiles.d
configuration to create it automatically again. Note that the
permissions/owner are different now. As the runtime directory, it was
created with 0755 root:root. This tmpfiles configuration
changes this to 0750 root:root.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Changes in v2:
* use root:root rather than root:www-data
* rely on debhelper v13/dh_installtmpfiles

 debian/tmpfiles | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 debian/tmpfiles

diff --git a/debian/tmpfiles b/debian/tmpfiles
new file mode 100644
index 00000000..98b8fb96
--- /dev/null
+++ b/debian/tmpfiles
@@ -0,0 +1,2 @@
+#Type Path     Mode User Group Age Argument
+d     /run/pve 0750 root root  -   -
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH container v2 2/4] seccomp config: adapt to new lxc-syscalld runtime directory

[Fiona Ebner]

The lxc-syscalld now uses a different runtime directory. Its old
runtime directory was /run/pve, which was also used for other things,
e.g. storage tunnel and mtunnel sockets and container stderr logs as
well as pull metrics. The fact that it would be recreated on service
restart is problematic, so the runtime directory was changed.

Note that this configuration is only used for containers with the
experimental 'mknod' feature enabled.

For already running containers, a symbolic link is put into place by
the new version of pve-lxc-syscalld, but newly started ones should
always use the new socket path as soon as it is available. Only use
the old socket path if the old version of pve-lxc-syscalld is still
used. The heuristic to check this is:
1. the new socket path doesn't exist
2. the old socket path exists
3. the old socket path is not a symbolic link

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Changes in v2:
* adapt to shortened socket path

 src/PVE/LXC.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 741bb33..a236b5a 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -534,7 +534,15 @@ sub make_seccomp_config {
             die "'mknod' feature requested, but kernel too old (found $kernel, required >= 5.3)\n";
         }
 
-        $raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n";
+        # TODO PVE 10 - always use new socket path
+        my $old_socket_path = '/run/pve/lxc-syscalld.sock';
+        my $new_socket_path = '/run/pve-lxc-syscalld/socket';
+
+        if (!-e $new_socket_path && -e $old_socket_path && !-l $old_socket_path) {
+            $raw_conf .= "lxc.seccomp.notify.proxy = unix:$old_socket_path\n";
+        } else {
+            $raw_conf .= "lxc.seccomp.notify.proxy = unix:$new_socket_path\n";
+        }
         $raw_conf .= "lxc.seccomp.notify.cookie = $vmid\n";
 
         $rules->{mknod} = [
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH pve-lxc-syscalld v2 3/4] service: avoid using generic runtime directory name

[Fiona Ebner]

When the service is restarted, the directory will be recreated. The
issue is that the /run/pve directory is not just used as the runtime
directory of this service, but also for other things, e.g. storage
tunnel and mtunnel sockets and container stderr logs as well as pull
metrics, which will be lost when the service is restarted.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Versioned breaks for pve-container and pve-manager needed

Changes in v2:
* avoid redundancy in path for socket

 etc/pve-lxc-syscalld.service.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/pve-lxc-syscalld.service.in b/etc/pve-lxc-syscalld.service.in
index be076a7..66249bf 100644
--- a/etc/pve-lxc-syscalld.service.in
+++ b/etc/pve-lxc-syscalld.service.in
@@ -4,8 +4,8 @@ Before=pve-guests.service
 
 [Service]
 Type=notify
-ExecStart=%LIBEXECDIR%/pve-lxc-syscalld/pve-lxc-syscalld --system /run/pve/lxc-syscalld.sock
-RuntimeDirectory=pve
+ExecStart=%LIBEXECDIR%/pve-lxc-syscalld/pve-lxc-syscalld --system /run/pve-lxc-syscalld/socket
+RuntimeDirectory=pve-lxc-syscalld
 Restart=on-failure
 
 [Install]
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH pve-lxc-syscalld v2 4/4] d/postinst: create link to new socket location on upgrade

[Fiona Ebner]

This allows containers started with a configuration using the old
socket path to continue calling in to the pve-lxc-syscalld, except for
a brief time window after the new runtime dir is used before the
postinst script runs. However, such a time window was/is already
present during service restart (and thus during package upgrade),
since pve-lxc-syscalld doesn't currently implement graceful reloading.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---

Changes in v2:
* adapt to changed socket path

 debian/postinst | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 debian/postinst

diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..8224df4
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+  configure)
+    if test -n "$2"; then
+      # TODO: remove once PVE 10.0 is released
+      if dpkg --compare-versions "$2" 'lt' '2.0.1'; then
+        ln -s -f /run/pve-lxc-syscalld/socket /run/pve/lxc-syscalld.sock
+      fi
+    fi
+    ;;
+
+esac
+
+exit 0
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH container v2 2/4] seccomp config: adapt to new lxc-syscalld runtime directory

[Fabian Grünbichler]

On July 23, 2025 4:40 pm, Fiona Ebner wrote:
> The lxc-syscalld now uses a different runtime directory. Its old
> runtime directory was /run/pve, which was also used for other things,
> e.g. storage tunnel and mtunnel sockets and container stderr logs as
> well as pull metrics. The fact that it would be recreated on service
> restart is problematic, so the runtime directory was changed.
> 
> Note that this configuration is only used for containers with the
> experimental 'mknod' feature enabled.
> 
> For already running containers, a symbolic link is put into place by
> the new version of pve-lxc-syscalld, but newly started ones should
> always use the new socket path as soon as it is available. Only use
> the old socket path if the old version of pve-lxc-syscalld is still
> used. The heuristic to check this is:
> 1. the new socket path doesn't exist
> 2. the old socket path exists
> 3. the old socket path is not a symbolic link

couldn't this be solved by adding a versioned depends, instead of
breaking the other direction which is not actually required because of
the compat symlink?

> 
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
> 
> Changes in v2:
> * adapt to shortened socket path
> 
>  src/PVE/LXC.pm | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 741bb33..a236b5a 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -534,7 +534,15 @@ sub make_seccomp_config {
>              die "'mknod' feature requested, but kernel too old (found $kernel, required >= 5.3)\n";
>          }
>  
> -        $raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n";
> +        # TODO PVE 10 - always use new socket path
> +        my $old_socket_path = '/run/pve/lxc-syscalld.sock';
> +        my $new_socket_path = '/run/pve-lxc-syscalld/socket';
> +
> +        if (!-e $new_socket_path && -e $old_socket_path && !-l $old_socket_path) {
> +            $raw_conf .= "lxc.seccomp.notify.proxy = unix:$old_socket_path\n";
> +        } else {
> +            $raw_conf .= "lxc.seccomp.notify.proxy = unix:$new_socket_path\n";
> +        }
>          $raw_conf .= "lxc.seccomp.notify.cookie = $vmid\n";
>  
>          $rules->{mknod} = [
> -- 
> 2.47.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH container v2 2/4] seccomp config: adapt to new lxc-syscalld runtime directory

[Thomas Lamprecht]

Am 30.07.25 um 14:50 schrieb Fabian Grünbichler:
>> For already running containers, a symbolic link is put into place by
>> the new version of pve-lxc-syscalld, but newly started ones should
>> always use the new socket path as soon as it is available. Only use
>> the old socket path if the old version of pve-lxc-syscalld is still
>> used. The heuristic to check this is:
>> 1. the new socket path doesn't exist
>> 2. the old socket path exists
>> 3. the old socket path is not a symbolic link
> couldn't this be solved by adding a versioned depends, instead of
> breaking the other direction which is not actually required because of
> the compat symlink?


The compat symlink only exists for the boot during which the upgrade
to the newer pve-lxc-syscalld was made, afterwards the new syscalld
really breaks older pve-container.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH container v2 2/4] seccomp config: adapt to new lxc-syscalld runtime directory

[Fabian Grünbichler]

On July 30, 2025 3:00 pm, Thomas Lamprecht wrote:
> Am 30.07.25 um 14:50 schrieb Fabian Grünbichler:
>>> For already running containers, a symbolic link is put into place by
>>> the new version of pve-lxc-syscalld, but newly started ones should
>>> always use the new socket path as soon as it is available. Only use
>>> the old socket path if the old version of pve-lxc-syscalld is still
>>> used. The heuristic to check this is:
>>> 1. the new socket path doesn't exist
>>> 2. the old socket path exists
>>> 3. the old socket path is not a symbolic link
>> couldn't this be solved by adding a versioned depends, instead of
>> breaking the other direction which is not actually required because of
>> the compat symlink?
> 
> 
> The compat symlink only exists for the boot during which the upgrade
> to the newer pve-lxc-syscalld was made, afterwards the new syscalld
> really breaks older pve-container.

right!

so that only leaves new pve-manager combined with old pve-lxc-syscalld
as problematic combination, but that is no worse than the status quo
(restarting the syscalld service still clears out /run/pve).

LGTM!


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH container v2 2/4] seccomp config: adapt to new lxc-syscalld runtime directory

[Thomas Lamprecht]

On Wed, 23 Jul 2025 16:40:07 +0200, Fiona Ebner wrote:
> The lxc-syscalld now uses a different runtime directory. Its old
> runtime directory was /run/pve, which was also used for other things,
> e.g. storage tunnel and mtunnel sockets and container stderr logs as
> well as pull metrics. The fact that it would be recreated on service
> restart is problematic, so the runtime directory was changed.
> 
> Note that this configuration is only used for containers with the
> experimental 'mknod' feature enabled.
> 
> [...]

Applied, thanks!

[2/4] seccomp config: adapt to new lxc-syscalld runtime directory
      commit: f4f25a0b5194b96d0093b1248ba11594a96e1a56


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH manager v2 1/4] debian: add tpmfiles.d config to create /run/pve directory

[Thomas Lamprecht]

On Wed, 23 Jul 2025 16:40:06 +0200, Fiona Ebner wrote:
> The pve-lxc-syscalld systemd service currently uses /run/pve as a
> runtime directory. This means, that when the service is restarted, the
> directory will be recreated. But the /run/pve directory is not just
> used as the runtime directory of this service, but also for other
> things, e.g. storage tunnel and mtunnel sockets, container stderr logs
> as well as pull metric cache and lock, which will be lost when the
> service is restarted.
> 
> [...]

Applied, thanks!

[1/4] debian: add tpmfiles.d config to create /run/pve directory
      commit: a67037fc691aae72b1af65db74b9f0c39d157246


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH pve-lxc-syscalld v2 3/4] service: avoid using generic runtime directory name

[Thomas Lamprecht]

On Wed, 23 Jul 2025 16:40:08 +0200, Fiona Ebner wrote:
> When the service is restarted, the directory will be recreated. The
> issue is that the /run/pve directory is not just used as the runtime
> directory of this service, but also for other things, e.g. storage
> tunnel and mtunnel sockets and container stderr logs as well as pull
> metrics, which will be lost when the service is restarted.
> 
> 
> [...]

Applied, thanks!

[3/4] service: avoid using generic runtime directory name
      commit: 8f429696929839b10068304cb4e988b632b7b51d


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] applied: [PATCH pve-lxc-syscalld v2 4/4] d/postinst: create link to new socket location on upgrade

[Thomas Lamprecht]

On Wed, 23 Jul 2025 16:40:09 +0200, Fiona Ebner wrote:
> This allows containers started with a configuration using the old
> socket path to continue calling in to the pve-lxc-syscalld, except for
> a brief time window after the new runtime dir is used before the
> postinst script runs. However, such a time window was/is already
> present during service restart (and thus during package upgrade),
> since pve-lxc-syscalld doesn't currently implement graceful reloading.
> 
> [...]

Applied, thanks!

[4/4] d/postinst: create link to new socket location on upgrade
      commit: 40d028eccaeee052abc388aa7c8890ed501347e0


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel