From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 99458C2594
 for <pve-devel@lists.proxmox.com>; Tue, 23 Jan 2024 10:51:17 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 798B635D9C
 for <pve-devel@lists.proxmox.com>; Tue, 23 Jan 2024 10:51:17 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Tue, 23 Jan 2024 10:51:16 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 86BB749250
 for <pve-devel@lists.proxmox.com>; Tue, 23 Jan 2024 10:51:16 +0100 (CET)
Date: Tue, 23 Jan 2024 10:51:09 +0100
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
References: <20240122101206.226150-1-f.gleumes@proxmox.com>
In-Reply-To: <20240122101206.226150-1-f.gleumes@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid)
Message-Id: <1706003149.vhzmc5u0zf.astroid@yuna.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.064 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [proxmox.com, pct.pm]
Subject: Re: [pve-devel] [PATCH container] fix #5194: delete environment
 variables set by pve
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2024 09:51:17 -0000

On January 22, 2024 11:12 am, Folke Gleumes wrote:
> proxmox-perl-rs set's SSL_CERT_{DIR,FILE}, which can break ssl in
> containers if their certificate store can't be found in the same spot.
> This patch explicitly unsets those variables before starting the
> container.

after a short talk with Wolfgang - this patch is probably an okay
stop-gap to fix the particular regression.

but it might be nice to switch to `--clear-env` for lxc-attach with
corresponding options for pct to either preserve the whole env, or
particular variables? might be 9.0 material since it is a semantic
change that possibly breaks scripted use cases that rely on env
variables to pass along things from host to whatever they run inside the
container.. we could introduce the options now though and also have a
`--keep-env` that is the default for 8.x, and flip it to default to
`--clear-env` with 9.0.

>=20
> Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
> ---
>  src/PVE/CLI/pct.pm | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>=20
> diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm
> index a0b9bce..53519e4 100755
> --- a/src/PVE/CLI/pct.pm
> +++ b/src/PVE/CLI/pct.pm
> @@ -143,6 +143,15 @@ __PACKAGE__->register_method ({
>  	exec(@$cmd);
>      }});
> =20
> +sub clean_environment {
> +    # These env variables are currently needed by PVE to work correctly =
with rust libraries,
> +    # but can break ssl inside of containers.
> +    # An explanation why they are needed and the code that sets them can=
 be found here:
> +    # https://git.proxmox.com/?p=3Dproxmox-perl-rs.git;a=3Dblob;f=3Dcomm=
on/pkg/Proxmox/Lib/SslProbe.pm
> +    delete $ENV{SSL_CERT_FILE};
> +    delete $ENV{SSL_CERT_DIR};
> +};
> +
>  __PACKAGE__->register_method ({
>      name =3D> 'enter',
>      path =3D> 'enter',
> @@ -164,6 +173,7 @@ __PACKAGE__->register_method ({
>  	PVE::LXC::Config->load_config($vmid); # test if container exists on thi=
s node
>  	die "container '$vmid' not running!\n" if !PVE::LXC::check_running($vmi=
d);
> =20
> +	clean_environment();
>  	exec('lxc-attach', '-n',  $vmid);
>      }});
> =20
> @@ -189,6 +199,7 @@ __PACKAGE__->register_method ({
> =20
>  	die "missing command" if !@{$param->{'extra-args'}};
> =20
> +	clean_environment();
>  	exec('lxc-attach', '-n', $vmid, '--', @{$param->{'extra-args'}});
>      }});
> =20
> --=20
> 2.39.2
>=20
>=20
>=20
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>=20
>=20
>=20