[pve-devel] [PATCH container 1/2] setup: untaint path to host timezone

[pve-devel] [PATCH container 1/2] setup: untaint path to host timezone

[Fabian Ebner]

To avoid an error with 'pct create ... --timezone host'.

Reported in the community forum:
https://forum.proxmox.com/threads/pct-create-command-with-timezone-host-option-fails-to-create-a-container.97538/

Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
---
 src/PVE/LXC/Setup.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 4e211ef..7c377ab 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -114,7 +114,9 @@ sub new {
 
     # Cache some host files we need access to:
     $plugin->{host_resolv_conf} = PVE::INotify::read_file('resolvconf');
-    $plugin->{host_localtime} = abs_path('/etc/localtime');
+
+    abs_path('/etc/localtime') =~ m|^(/.+)| or die "invalid /etc/localtime\n"; # untaint
+    $plugin->{host_localtime} = $1;
 
     # pass on user namespace information:
     my ($id_map, $rootuid, $rootgid) = PVE::LXC::parse_id_maps($conf);
-- 
2.30.2

[pve-devel] [PATCH container 2/2] setup: also set contents of /etc/timezone

[Fabian Ebner]

Some distributions like CentOS 8 and Gentoo don't have the file, so
only update if it already existed.

A slight change in behavior in set_timezone is that the warning will
now trigger if /etc/localtime is a link to $tz_path, but $tz_path does
not exist. Previously, it would return early if the link matched.

Programs that rely on /etc/timezone within the container will now see
the configured timezone too. While that is more correct, it's still a
change that might be unexpected.

Reported in the community forum:
https://forum.proxmox.com/threads/pct-create-command-with-timezone-host-option-fails-to-create-a-container.97538/

Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
---

Does this need to wait until PVE 8.0, because of potential breakage?

 src/PVE/LXC/Setup.pm      |  1 +
 src/PVE/LXC/Setup/Base.pm | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index 7c377ab..5cc56af 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -114,6 +114,7 @@ sub new {
 
     # Cache some host files we need access to:
     $plugin->{host_resolv_conf} = PVE::INotify::read_file('resolvconf');
+    $plugin->{host_timezone} = PVE::INotify::read_file('timezone');
 
     abs_path('/etc/localtime') =~ m|^(/.+)| or die "invalid /etc/localtime\n"; # untaint
     $plugin->{host_localtime} = $1;
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 04332ea..dafd69a 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -469,12 +469,18 @@ sub set_timezone {
 	$tz_path = $self->{host_localtime};
     }
 
-    return if abs_path('/etc/localtime') eq $tz_path;
-
     if ($self->ct_file_exists($tz_path)) {
-	my $tmpfile = "localtime.$$.new.tmpfile";
-	$self->ct_symlink($tz_path, $tmpfile);
-	$self->ct_rename($tmpfile, "/etc/localtime");
+	if (abs_path('/etc/localtime') ne $tz_path) {
+	    my $tmpfile = "localtime.$$.new.tmpfile";
+	    $self->ct_symlink($tz_path, $tmpfile);
+	    $self->ct_rename($tmpfile, "/etc/localtime");
+	}
+
+	# not all distributions have /etc/timezone
+	if ($self->ct_file_exists('/etc/timezone')) {
+	    my $contents = $zoneinfo eq 'host' ? $self->{host_timezone} : $zoneinfo;
+	    $self->ct_file_set_contents('/etc/timezone', "$contents\n");
+	}
     } else {
 	warn "container does not have $tz_path, timezone can not be modified\n";
     }
-- 
2.30.2

[pve-devel] applied: [PATCH container 1/2] setup: untaint path to host timezone

[Thomas Lamprecht]

On 07.10.21 12:48, Fabian Ebner wrote:
> To avoid an error with 'pct create ... --timezone host'.
> 
> Reported in the community forum:
> https://forum.proxmox.com/threads/pct-create-command-with-timezone-host-option-fails-to-create-a-container.97538/
> 
> Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
> ---
>  src/PVE/LXC/Setup.pm | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
>

applied, thanks!

[pve-devel] applied: [PATCH container 2/2] setup: also set contents of /etc/timezone

[Thomas Lamprecht]

On 07.10.21 12:48, Fabian Ebner wrote:
> Some distributions like CentOS 8 and Gentoo don't have the file, so
> only update if it already existed.
> 
> A slight change in behavior in set_timezone is that the warning will
> now trigger if /etc/localtime is a link to $tz_path, but $tz_path does
> not exist. Previously, it would return early if the link matched.
> 
> Programs that rely on /etc/timezone within the container will now see
> the configured timezone too. While that is more correct, it's still a
> change that might be unexpected.
> 
> Reported in the community forum:
> https://forum.proxmox.com/threads/pct-create-command-with-timezone-host-option-fails-to-create-a-container.97538/
> 
> Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
> ---
> 
> Does this need to wait until PVE 8.0, because of potential breakage?

nah, we changed setup stuff all the time, not that frequently anymore
because pve-container is quite stable/mature since a while but still
here and then.

If users report issues with the change we can still adapt to that.

> 
>  src/PVE/LXC/Setup.pm      |  1 +
>  src/PVE/LXC/Setup/Base.pm | 16 +++++++++++-----
>  2 files changed, 12 insertions(+), 5 deletions(-)
> 
>

applied, thanks!