From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gleumes@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 96C7190FD7
 for <pve-devel@lists.proxmox.com>; Fri, 26 Jan 2024 12:39:19 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 75C893491A
 for <pve-devel@lists.proxmox.com>; Fri, 26 Jan 2024 12:39:19 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Fri, 26 Jan 2024 12:39:18 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 689A5492D3
 for <pve-devel@lists.proxmox.com>; Fri, 26 Jan 2024 12:39:18 +0100 (CET)
Message-ID: <c06cbeaba45460d215674a1fe46249f5a7de9f61.camel@proxmox.com>
From: Folke Gleumes <f.gleumes@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Fri, 26 Jan 2024 12:39:17 +0100
In-Reply-To: <1706003149.vhzmc5u0zf.astroid@yuna.none>
References: <20240122101206.226150-1-f.gleumes@proxmox.com>
 <1706003149.vhzmc5u0zf.astroid@yuna.none>
Organization: Proxmox Server Solutions GmbH
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4-2 
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.386 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_ASCII_DIVIDERS 0.8 Email that uses ascii formatting dividers and possible
 spam tricks
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [pct.pm, proxmox.com]
Subject: Re: [pve-devel] [PATCH container] fix #5194: delete environment
 variables set by pve
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Fri, 26 Jan 2024 11:39:19 -0000

On Tue, 2024-01-23 at 10:51 +0100, Fabian Gr=C3=BCnbichler wrote:
> On January 22, 2024 11:12 am, Folke Gleumes wrote:
> > proxmox-perl-rs set's SSL_CERT_{DIR,FILE}, which can break ssl in
> > containers if their certificate store can't be found in the same
> > spot.
> > This patch explicitly unsets those variables before starting the
> > container.
>=20
> after a short talk with Wolfgang - this patch is probably an okay
> stop-gap to fix the particular regression.
If I understood things correctly, setting the env variables won't be
necessary with the next Debian major release, so I'll add a notice to
remove the workaround with pve 9 [0].
>=20
> but it might be nice to switch to `--clear-env` for lxc-attach with
> corresponding options for pct to either preserve the whole env, or
> particular variables? might be 9.0 material since it is a semantic
> change that possibly breaks scripted use cases that rely on env
> variables to pass along things from host to whatever they run inside
> the
> container.. we could introduce the options now though and also have a
> `--keep-env` that is the default for 8.x, and flip it to default to
> `--clear-env` with 9.0.
Seems like a good idea. I also noticed that the lxc-attach man page
currently states "[keep-env] is the current default behaviour  (as  of
version  0.9),  but is is likely to change in the future". By defining
it explicitly, we would be free to decide when to introduce the change.

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=3D4979
>=20
> >=20
> > Signed-off-by: Folke Gleumes <f.gleumes@proxmox.com>
> > ---
> > =C2=A0src/PVE/CLI/pct.pm | 11 +++++++++++
> > =C2=A01 file changed, 11 insertions(+)
> >=20
> > diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm
> > index a0b9bce..53519e4 100755
> > --- a/src/PVE/CLI/pct.pm
> > +++ b/src/PVE/CLI/pct.pm
> > @@ -143,6 +143,15 @@ __PACKAGE__->register_method ({
> > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0exec(@$cmd);
> > =C2=A0=C2=A0=C2=A0=C2=A0 }});
> > =C2=A0
> > +sub clean_environment {
> > +=C2=A0=C2=A0=C2=A0 # These env variables are currently needed by PVE t=
o work
> > correctly with rust libraries,
> > +=C2=A0=C2=A0=C2=A0 # but can break ssl inside of containers.
> > +=C2=A0=C2=A0=C2=A0 # An explanation why they are needed and the code t=
hat sets
> > them can be found here:
> > +=C2=A0=C2=A0=C2=A0 #
> > https://git.proxmox.com/?p=3Dproxmox-perl-rs.git;a=3Dblob;f=3Dcommon/pk=
g/Proxmox/Lib/SslProbe.pm
> > +=C2=A0=C2=A0=C2=A0 delete $ENV{SSL_CERT_FILE};
> > +=C2=A0=C2=A0=C2=A0 delete $ENV{SSL_CERT_DIR};
> > +};
> > +
> > =C2=A0__PACKAGE__->register_method ({
> > =C2=A0=C2=A0=C2=A0=C2=A0 name =3D> 'enter',
> > =C2=A0=C2=A0=C2=A0=C2=A0 path =3D> 'enter',
> > @@ -164,6 +173,7 @@ __PACKAGE__->register_method ({
> > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0PVE::LXC::Config->load_=
config($vmid); # test if container
> > exists on this node
> > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0die "container '$vmid' =
not running!\n" if
> > !PVE::LXC::check_running($vmid);
> > =C2=A0
> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0clean_environment();
> > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0exec('lxc-attach', '-n'=
,=C2=A0 $vmid);
> > =C2=A0=C2=A0=C2=A0=C2=A0 }});
> > =C2=A0
> > @@ -189,6 +199,7 @@ __PACKAGE__->register_method ({
> > =C2=A0
> > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0die "missing command" i=
f !@{$param->{'extra-args'}};
> > =C2=A0
> > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0clean_environment();
> > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0exec('lxc-attach', '-n'=
, $vmid, '--', @{$param->{'extra-
> > args'}});
> > =C2=A0=C2=A0=C2=A0=C2=A0 }});
> > =C2=A0
> > --=20
> > 2.39.2
> >=20
> >=20
> >=20
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> >=20
> >=20
> >=20
>=20
>=20
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>=20
>=20