[pve-devel] [PATCH container v2 1/2] fix #5194: pct: delete environment variables set by pve

[pve-devel] [PATCH container v2 1/2] fix #5194: pct: delete environment variables set by pve

[Folke Gleumes]

proxmox-perl-rs set's SSL_CERT_{DIR,FILE}, which can break ssl in
containers if their certificate store can't be found in the same spot.
This patch explicitly unsets those variables before starting the
container.

Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
---
Changes since v1:
* Add reevaluation notice for pve9

 src/PVE/CLI/pct.pm | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm
index a0b9bce..091ac8e 100755
--- a/src/PVE/CLI/pct.pm
+++ b/src/PVE/CLI/pct.pm
@@ -143,6 +143,16 @@ __PACKAGE__->register_method ({
 	exec(@$cmd);
     }});
 
+# TODO: Evaluate if still needed with PVE9
+sub clean_environment {
+    # These env variables are currently needed by PVE to work correctly with rust libraries,
+    # but can break ssl inside of containers.
+    # An explanation why they are needed and the code that sets them can be found here:
+    # https://git.proxmox.com/?p=proxmox-perl-rs.git;a=blob;f=common/pkg/Proxmox/Lib/SslProbe.pm
+    delete $ENV{SSL_CERT_FILE};
+    delete $ENV{SSL_CERT_DIR};
+};
+
 __PACKAGE__->register_method ({
     name => 'enter',
     path => 'enter',
@@ -164,6 +174,7 @@ __PACKAGE__->register_method ({
 	PVE::LXC::Config->load_config($vmid); # test if container exists on this node
 	die "container '$vmid' not running!\n" if !PVE::LXC::check_running($vmid);
 
+	clean_environment();
 	exec('lxc-attach', '-n',  $vmid);
     }});
 
@@ -189,6 +200,7 @@ __PACKAGE__->register_method ({
 
 	die "missing command" if !@{$param->{'extra-args'}};
 
+	clean_environment();
 	exec('lxc-attach', '-n', $vmid, '--', @{$param->{'extra-args'}});
     }});
 
-- 
2.39.2

[pve-devel] [PATCH container v2 2/2] pct: add keep-env option

[Folke Gleumes]

The keep-env option allows the user to define if the current environment
should be kept when running 'pct enter/exec'. pct will now always set
'--keep-env' or '--discard-env' when calling lxc-attach to anticipate
the upcoming change in default behavior.

Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
---
This wasn't present in v1

 src/PVE/CLI/pct.pm | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm
index 091ac8e..7ce0de0 100755
--- a/src/PVE/CLI/pct.pm
+++ b/src/PVE/CLI/pct.pm
@@ -162,12 +162,21 @@ __PACKAGE__->register_method ({
 	additionalProperties => 0,
 	properties => {
 	    vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_running }),
+	    # TODO: set keep-env to default false with PVE 9
+	    'keep-env' => {
+		type => 'boolean',
+		description => "Keep the current environment. This option will disabled by default with PVE 9. "
+		    ."If you rely on a preserved environment, please use this option to be future-proof.",
+		optional => 1,
+		default => 1,
+	    },
 	},
     },
     returns => { type => 'null' },
 
     code => sub {
 	my ($param) = @_;
+	my $keep_env = $param->{'keep-env'} // 1; # TODO: toggle with pve 9
 
 	my $vmid = $param->{vmid};
 
@@ -175,7 +184,7 @@ __PACKAGE__->register_method ({
 	die "container '$vmid' not running!\n" if !PVE::LXC::check_running($vmid);
 
 	clean_environment();
-	exec('lxc-attach', '-n',  $vmid);
+	exec('lxc-attach', $keep_env ? '--keep-env' : '--clear-env', '-n', $vmid);
     }});
 
 __PACKAGE__->register_method ({
@@ -187,12 +196,21 @@ __PACKAGE__->register_method ({
 	additionalProperties => 0,
 	properties => {
 	    vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_running }),
+	    # TODO: set keep-env to default false with PVE 9
+	    'keep-env' => {
+		type => 'boolean',
+		description => "Keep the current environment. This option will disabled by default with PVE 9. "
+		    ."If you rely on a preserved environment, please use this option to be future-proof.",
+		optional => 1,
+		default => 1,
+	    },
 	    'extra-args' => get_standard_option('extra-args'),
 	},
     },
     returns => { type => 'null' },
     code => sub {
 	my ($param) = @_;
+	my $keep_env = $param->{'keep-env'} // 1; # TODO: toggle with pve 9
 
 	my $vmid = $param->{vmid};
 	PVE::LXC::Config->load_config($vmid); # test if container exists on this node
@@ -201,7 +219,7 @@ __PACKAGE__->register_method ({
 	die "missing command" if !@{$param->{'extra-args'}};
 
 	clean_environment();
-	exec('lxc-attach', '-n', $vmid, '--', @{$param->{'extra-args'}});
+	exec('lxc-attach', $keep_env ? '--keep-env' : '--clear-env', '-n', $vmid, '--', @{$param->{'extra-args'}});
     }});
 
 __PACKAGE__->register_method ({
-- 
2.39.2

[pve-devel] applied: [PATCH container v2 1/2] fix #5194: pct: delete environment variables set by pve

[Thomas Lamprecht]

Am 29/01/2024 um 16:43 schrieb Folke Gleumes:
> proxmox-perl-rs set's SSL_CERT_{DIR,FILE}, which can break ssl in
> containers if their certificate store can't be found in the same spot.
> This patch explicitly unsets those variables before starting the
> container.
> 
> Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
> ---
> Changes since v1:
> * Add reevaluation notice for pve9
> 
>  src/PVE/CLI/pct.pm | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
>

applied, thanks!

Re: [pve-devel] [PATCH container v2 2/2] pct: add keep-env option

[Thomas Lamprecht]

Am 29/01/2024 um 16:43 schrieb Folke Gleumes:
> The keep-env option allows the user to define if the current environment
> should be kept when running 'pct enter/exec'. pct will now always set
> '--keep-env' or '--discard-env' when calling lxc-attach to anticipate
> the upcoming change in default behavior.

seems fine in general, but I saw a two code style nits, of which one I'd
really like to avoid, see comment in line.

> 
> Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
> ---
> This wasn't present in v1
> 
>  src/PVE/CLI/pct.pm | 22 ++++++++++++++++++++--
>  1 file changed, 20 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm
> index 091ac8e..7ce0de0 100755
> --- a/src/PVE/CLI/pct.pm
> +++ b/src/PVE/CLI/pct.pm
> @@ -162,12 +162,21 @@ __PACKAGE__->register_method ({
>  	additionalProperties => 0,
>  	properties => {
>  	    vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_running }),
> +	    # TODO: set keep-env to default false with PVE 9

no hard feelings for thiss one, but could be a better fit if located in the
default line, which would be the one that will be changed, e.g.:

default => 1, # TODO: make keep-env opt-out here and in the code with PVE 9

or before with even more context, something like:

# FIXME: passing the environment in CT is really not ideal, it can leak secrets or cause
# programs to do behave weird, so change to opt-in in PVE 9

Having some more context about the reasoning can be good for such comments
(or at least the commit message), even if it should be relatively clear,
like here.


> +	    'keep-env' => {> +		type => 'boolean',
> +		description => "Keep the current environment. This option will disabled by default with PVE 9. "

nit: for line continuations the next line should hold the space, that way
one can add or remove sentences more likely without touching other unrelated
lines. As example for here:

description => "Keep the current environment. This option will disabled by default with PVE 9."
    ." If you rely on a preserved environment, please use this option to be future-proof."

But would not have blocked applying just because of this, so mostly mentioning it
due to writing a reply anyway.

> +		    ."If you rely on a preserved environment, please use this option to be future-proof.",


> @@ -175,7 +184,7 @@ __PACKAGE__->register_method ({
>  	die "container '$vmid' not running!\n" if !PVE::LXC::check_running($vmid);
>  
>  	clean_environment();
> -	exec('lxc-attach', '-n',  $vmid);
> +	exec('lxc-attach', $keep_env ? '--keep-env' : '--clear-env', '-n', $vmid);

I'd prefer to avoid such "hidden" ternaries inside other statements, that makes
the code unnecessarily hard to read without much gain.
While it makes it longer, having this split over a few line seems a bit nicer, e.g.
something like (untested):

my @lxc_attach_cmd = ('lxc-attach', '-n',  $vmid);

push @lxc_attach_cmd, $keep_env ? '--keep-env' : '--clear-env';

exec(@lxc_attach_cmd);

>      }});
>  
>  __PACKAGE__->register_method ({
> @@ -187,12 +196,21 @@ __PACKAGE__->register_method ({
>  	additionalProperties => 0,
>  	properties => {
>  	    vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_running }),
> +	    # TODO: set keep-env to default false with PVE 9
> +	    'keep-env' => {
> +		type => 'boolean',
> +		description => "Keep the current environment. This option will disabled by default with PVE 9. "

same here w.r.t. trailing space for literal string continuation

> +		    ."If you rely on a preserved environment, please use this option to be future-proof.",
> +		optional => 1,
> +		default => 1,
> +	    },
>  	    'extra-args' => get_standard_option('extra-args'),
>  	},
>      },
>      returns => { type => 'null' },
>      code => sub {
>  	my ($param) = @_;
> +	my $keep_env = $param->{'keep-env'} // 1; # TODO: toggle with pve 9
>  
>  	my $vmid = $param->{vmid};
>  	PVE::LXC::Config->load_config($vmid); # test if container exists on this node
> @@ -201,7 +219,7 @@ __PACKAGE__->register_method ({
>  	die "missing command" if !@{$param->{'extra-args'}};
>  
>  	clean_environment();
> -	exec('lxc-attach', '-n', $vmid, '--', @{$param->{'extra-args'}});
> +	exec('lxc-attach', $keep_env ? '--keep-env' : '--clear-env', '-n', $vmid, '--', @{$param->{'extra-args'}});

same here w.r.t. ternary, gets a bit unwieldy

>      }});
>  
>  __PACKAGE__->register_method ({

[pve-devel] [PATCH container v3] pct: add keep-env option

[Folke Gleumes]

The keep-env option allows the user to define if the current environment
should be kept when running 'pct enter/exec'. pct will now always set
'--keep-env' or '--clear-env' when calling lxc-attach to anticipate
the upcoming change in default behavior.

Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
---

changes in v3:
* fix code style nits

changes in v2:
* add this patch

 src/PVE/CLI/pct.pm | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm
index 091ac8e..325178f 100755
--- a/src/PVE/CLI/pct.pm
+++ b/src/PVE/CLI/pct.pm
@@ -162,12 +162,22 @@ __PACKAGE__->register_method ({
 	additionalProperties => 0,
 	properties => {
 	    vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_running }),
+	    # FIXME: passing the environment into the container potentially leaks hosts secrets, or causes
+	    # unexpected behavior. Change to opt-in for pve 9
+	    'keep-env' => {
+		type => 'boolean',
+		description => "Keep the current environment. This option will disabled by default with PVE 9."
+		    ." If you rely on a preserved environment, please use this option to be future-proof.",
+		optional => 1,
+		default => 1,
+	    },
 	},
     },
     returns => { type => 'null' },
 
     code => sub {
 	my ($param) = @_;
+	my $keep_env = $param->{'keep-env'} // 1; # FIXME: switch to default 0 with pve 9, see above
 
 	my $vmid = $param->{vmid};
 
@@ -175,7 +185,10 @@ __PACKAGE__->register_method ({
 	die "container '$vmid' not running!\n" if !PVE::LXC::check_running($vmid);
 
 	clean_environment();
-	exec('lxc-attach', '-n',  $vmid);
+
+	my @lxc_attach_cmd =  ('lxc-attach', '-n',  $vmid);
+	push @lxc_attach_cmd, $keep_env ? '--keep-env' : '--clear-env';
+	exec(@lxc_attach_cmd);
     }});
 
 __PACKAGE__->register_method ({
@@ -187,12 +200,20 @@ __PACKAGE__->register_method ({
 	additionalProperties => 0,
 	properties => {
 	    vmid => get_standard_option('pve-vmid', { completion => \&PVE::LXC::complete_ctid_running }),
+	    'keep-env' => {
+		type => 'boolean',
+		description => "Keep the current environment. This option will disabled by default with PVE 9."
+		    ." If you rely on a preserved environment, please use this option to be future-proof.",
+		optional => 1,
+		default => 1, # FIXME: switch to default 0 with pve 9, see enter method
+	    },
 	    'extra-args' => get_standard_option('extra-args'),
 	},
     },
     returns => { type => 'null' },
     code => sub {
 	my ($param) = @_;
+	my $keep_env = $param->{'keep-env'} // 1; # FIXME: switch to default 0 with pve 9, see enter method
 
 	my $vmid = $param->{vmid};
 	PVE::LXC::Config->load_config($vmid); # test if container exists on this node
@@ -201,7 +222,11 @@ __PACKAGE__->register_method ({
 	die "missing command" if !@{$param->{'extra-args'}};
 
 	clean_environment();
-	exec('lxc-attach', '-n', $vmid, '--', @{$param->{'extra-args'}});
+
+	my @lxc_attach_cmd =  ('lxc-attach', '-n',  $vmid);
+	push @lxc_attach_cmd, $keep_env ? '--keep-env' : '--clear-env';
+	push @lxc_attach_cmd, '--', @{$param->{'extra-args'}};
+	exec(@lxc_attach_cmd);
     }});
 
 __PACKAGE__->register_method ({
-- 
2.39.2

[pve-devel] applied: [PATCH container v2 2/2] pct: add keep-env option

[Thomas Lamprecht]

Am 02/02/2024 um 17:53 schrieb Thomas Lamprecht:
> Am 29/01/2024 um 16:43 schrieb Folke Gleumes:
>> The keep-env option allows the user to define if the current environment
>> should be kept when running 'pct enter/exec'. pct will now always set
>> '--keep-env' or '--discard-env' when calling lxc-attach to anticipate
>> the upcoming change in default behavior.
> 
> seems fine in general, but I saw a two code style nits, of which one I'd
> really like to avoid, see comment in line.
> 
>>
>> Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
>> ---
>> This wasn't present in v1
>>
>>  src/PVE/CLI/pct.pm | 22 ++++++++++++++++++++--
>>  1 file changed, 20 insertions(+), 2 deletions(-)
>>
>>

applied, thanks!

Two small things though:
- there where two instances with double whitespace, e.g. after the
  `my @lxc_attach_cmd = `and before `$vmid`, and that then copied over
  to the other command too. It really did not seemed to be due to
  some vertical alignment, so I ameded the commit and dropped them.

- in general it's preferred to send new patches, single or series, as new
  thread, i.e., without in-reply too. I know some open source projects
  sometimes are fine with sending those as in-reply-to, but IMO that
  hides them more. It's naturally fine to propose ad-hock diffs/code
  in a discussion in thread, but if there's a full patch with a new
  revision, then one is basically always better off when sending that
  as new thread.

Oh, and while at it, w.r.t perl array-refs you nowadays can write
`@{$foo->{bar}}` as `$foo->{bar}->@*`, and you can concat lists,
so the final "add base command + user params then exec" part could
look like:

exec(@lxc_attach_cmd, '--', $foo->{bar}->@*);

I kept that as is for now, it's IMO really not worse if done explicitly.