Date: Tue, 23 Jan 2024 10:51:09 +0100
From: Fabian Grünbichler
To: Proxmox VE development discussion
Cc: Wolfgang Bumiller
Subject: Re: [pve-devel] [PATCH container] fix #5194: delete environment variables set by pve
In-Reply-To: <20240122101206.226150-1-f.gleumes@proxmox.com>
Message-Id: <1706003149.vhzmc5u0zf.astroid@yuna.none>

On January 22, 2024 11:12 am, Folke Gleumes wrote:
> proxmox-perl-rs sets SSL_CERT_{DIR,FILE}, which can break ssl in
> containers if their certificate store can't be found in the same spot.
> This patch explicitly unsets those variables before starting the
> container.

after a short talk with Wolfgang - this patch is probably an okay
stop-gap to fix the particular regression.

but it might be nice to switch to `--clear-env` for lxc-attach with
corresponding options for pct to either preserve the whole env, or
particular variables? might be 9.0 material since it is a semantic
change that possibly breaks scripted use cases that rely on env
variables to pass along things from host to whatever they run inside
the container..

we could introduce the options now though and also have a `--keep-env`
that is the default for 8.x, and flip it to default to `--clear-env`
with 9.0.

>=20 > Signed-off-by: Folke Gleumes > --- > src/PVE/CLI/pct.pm | 11 +++++++++++ > 1 file changed, 11 insertions(+) >=20 > diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm > index a0b9bce..53519e4 100755 > --- a/src/PVE/CLI/pct.pm > +++ b/src/PVE/CLI/pct.pm 
> @@ -143,6 +143,15 @@ __PACKAGE__->register_method ({ > exec(@$cmd); > }}); > =20 > +sub clean_environment { > + # These env variables are currently needed by PVE to work correctly = with rust libraries, > + # but can break ssl inside of containers. > + # An explanation why they are needed and the code that sets them can= be found here: > + # https://git.proxmox.com/?p=3Dproxmox-perl-rs.git;a=3Dblob;f=3Dcomm= on/pkg/Proxmox/Lib/SslProbe.pm > + delete $ENV{SSL_CERT_FILE}; > + delete $ENV{SSL_CERT_DIR}; > +}; > + > __PACKAGE__->register_method ({ > name =3D> 'enter', > path =3D> 'enter', > @@ -164,6 +173,7 @@ __PACKAGE__->register_method ({ > PVE::LXC::Config->load_config($vmid); # test if container exists on thi= s node > die "container '$vmid' not running!\n" if !PVE::LXC::check_running($vmi= d); > =20 > + clean_environment(); > exec('lxc-attach', '-n', $vmid); > }}); > =20 > @@ -189,6 +199,7 @@ __PACKAGE__->register_method ({ > =20 > die "missing command" if !@{$param->{'extra-args'}}; > =20 > + clean_environment(); > exec('lxc-attach', '-n', $vmid, '--', @{$param->{'extra-args'}}); > }}); > =20 > --=20 > 2.39.2
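
Review bot: In the first hunk (@@ -143,6 +143,15 @@), `clean_environment` deletes SSL_CERT_FILE and SSL_CERT_DIR from the process-wide %ENV although its own comment says PVE currently needs them for the Rust libraries, so the helper is only safe when the caller execs right after it. Please state that precondition in the comment, or fold the exec into the helper, so a later caller that keeps running after the call does not lose the variables. The unchanged `exec(@$cmd);` in the method just above the new sub does not get the call; if that command also starts a process inside the container it needs it too. Style: the `};` closing a named sub does not need the semicolon.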
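
Review bot: In the `enter` hunk (@@ -164,6 +173,7 @@), the call placed before `exec('lxc-attach', '-n', $vmid)` removes only the two named variables, so everything else in the environment of the pct process is still handed to the shell started in the container. A short comment at the call site saying that the list is deliberately limited to the SSL_CERT_* pair, and that any further host-side variable needs another line in the helper, would keep the next such regression from being missed.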
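
Review bot: In the `exec` hunk (@@ -189,6 +199,7 @@), `clean_environment()` runs unconditionally before `exec('lxc-attach', '-n', $vmid, '--', @{$param->{'extra-args'}})`, so a caller who sets SSL_CERT_FILE or SSL_CERT_DIR on purpose for the command run in the container has the value dropped without any message. Either document this in the command description, or delete the variables only when they still hold the values that proxmox-perl-rs put there.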
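
The difference between the patch's approach and the `--clear-env` idea raised in the reply, as an added example that is not part of the original message or of Proxmox code. It uses `env -i` and a plain `sh` child as a stand-in for pct and lxc-attach; HOST_ONLY_SETTING, the paths and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Stand-in for the host side (constructed): a process whose environment holds
# the two variables from the patch plus HOST_ONLY_SETTING, a made-up name.
with_host_env() {
    env -i PATH="$PATH" TERM=xterm SSL_CERT_FILE=/host/ca.pem \
        SSL_CERT_DIR=/host/certs HOST_ONLY_SETTING=1 "$@"
}

# Reduce `env` output on stdin to the probed variable names, space-joined.
seen() {
    cut -d= -f1 |
        grep -x -E 'SSL_CERT_FILE|SSL_CERT_DIR|HOST_ONLY_SETTING|TERM' |
        sort | tr '\n' ' ' | sed 's/ $//'
}

# 1. No cleaning: the child inherits the whole environment.
child_inherit() {
    with_host_env sh -c 'exec env' | seen
}

# 2. Denylist, as in the patch: drop the two known names, then exec.
child_denylist() {
    with_host_env sh -c 'unset SSL_CERT_FILE SSL_CERT_DIR; exec env' | seen
}

# 3. Clear plus keep list, the shape of the proposed --clear-env with an
#    option to preserve particular variables. $1: names to keep.
child_clear_keep() {
    with_host_env sh -c '
        set -- env -i
        for name in $0; do
            if value=$(printenv "$name"); then
                set -- "$@" "$name=$value"
            fi
        done
        exec "$@" /usr/bin/env' "$1" | seen
}

echo "inherit:          $(child_inherit)"
echo "denylist:         $(child_denylist)"
echo "clear, keep TERM: $(child_clear_keep TERM)"
```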