From: Folke Gleumes
To: Proxmox VE development discussion
Cc: Wolfgang Bumiller
Date: Fri, 26 Jan 2024 12:39:17 +0100
Subject: Re: [pve-devel] [PATCH container] fix #5194: delete environment variables set by pve
In-Reply-To: <1706003149.vhzmc5u0zf.astroid@yuna.none>
References: <20240122101206.226150-1-f.gleumes@proxmox.com> <1706003149.vhzmc5u0zf.astroid@yuna.none>
Organization: Proxmox Server Solutions GmbH

On Tue, 2024-01-23 at 10:51 +0100, Fabian Grünbichler wrote:
> On January 22, 2024 11:12 am, Folke Gleumes wrote:
> > proxmox-perl-rs sets SSL_CERT_{DIR,FILE}, which can break ssl in
> > containers if their certificate store can't be found in the same
> > spot.
> > This patch explicitly unsets those variables before starting the
> > container.
>
> after a short talk with Wolfgang - this patch is probably an okay
> stop-gap to fix the particular regression.

If I understood things correctly, setting the env variables won't be
necessary with the next Debian major release, so I'll add a notice to
remove the workaround with pve 9 [0].

>
> but it might be nice to switch to `--clear-env` for lxc-attach with
> corresponding options for pct to either preserve the whole env, or
> particular variables? might be 9.0 material since it is a semantic
> change that possibly breaks scripted use cases that rely on env
> variables to pass along things from host to whatever they run inside
> the container.. we could introduce the options now though and also
> have a `--keep-env` that is the default for 8.x, and flip it to
> default to `--clear-env` with 9.0.

Seems like a good idea. I also noticed that the lxc-attach man page
currently states "[keep-env] is the current default behaviour (as of
version 0.9), but it is likely to change in the future". By defining it
explicitly, we would be free to decide when to introduce the change.

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=4979

>
> >
> > Signed-off-by: Folke Gleumes
> > ---
> >  src/PVE/CLI/pct.pm | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> >
> > diff --git a/src/PVE/CLI/pct.pm b/src/PVE/CLI/pct.pm
> > index a0b9bce..53519e4 100755
> > --- a/src/PVE/CLI/pct.pm
> > +++ b/src/PVE/CLI/pct.pm
> > @@ -143,6 +143,15 @@ __PACKAGE__->register_method ({
> >          exec(@$cmd);
> >      }});
> >  
> > +sub clean_environment {
> > +    # These env variables are currently needed by PVE to work correctly with rust libraries,
> > +    # but can break ssl inside of containers.
> > +    # An explanation why they are needed and the code that sets them can be found here:
> > +    # https://git.proxmox.com/?p=proxmox-perl-rs.git;a=blob;f=common/pkg/Proxmox/Lib/SslProbe.pm
> > +    delete $ENV{SSL_CERT_FILE};
> > +    delete $ENV{SSL_CERT_DIR};
> > +};
> > +
> >  __PACKAGE__->register_method ({
> >      name => 'enter',
> >      path => 'enter',
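Review bot: `clean_environment` mutates the process-global `%ENV`, so it is only safe to call where an `exec` follows immediately, yet nothing in the sub or its comment says so; add a sentence to the comment ("must be called directly before exec, the rust libraries still need these variables in-process") or name it after its purpose, e.g. `clean_environment_for_attach`, so it is not reused earlier in a code path that still does TLS through proxmox-perl-rs. The comment should also carry the bug reference `#5194` and the planned removal mentioned in the reply ("remove with PVE 9"), since that is what the next maintainer will search for. Minor: the `;` after the closing brace of `sub clean_environment {` is redundant and can be dropped.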
> > @@ -164,6 +173,7 @@ __PACKAGE__->register_method ({
> >          PVE::LXC::Config->load_config($vmid); # test if container exists on this node
> >          die "container '$vmid' not running!\n" if !PVE::LXC::check_running($vmid);
> >  
> > +        clean_environment();
> >          exec('lxc-attach', '-n', $vmid);
> >      }});
> >  
> > @@ -189,6 +199,7 @@ __PACKAGE__->register_method ({
> >  
> >          die "missing command" if !@{$param->{'extra-args'}};
> >  
> > +        clean_environment();
> >          exec('lxc-attach', '-n', $vmid, '--', @{$param->{'extra-args'}});
> >      }});
> >  
> > --
> > 2.39.2
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
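Review bot: in both of these hunks the pair `clean_environment();` followed by `exec('lxc-attach', '-n', $vmid, ...)` is repeated verbatim between the `enter` and `exec` methods; folding the cleanup into one helper that assembles and executes the lxc-attach command line would keep the two call sites from drifting and would give the `--keep-env`/`--clear-env` switch discussed above for 9.0 a single place to live. Note also what the change does and does not cover: the two variables are removed from the pct process environment before exec, so only `SSL_CERT_FILE` and `SSL_CERT_DIR` are withheld from the container; every other host variable is still inherited by lxc-attach, which is the accepted stop-gap behaviour but worth stating in the commit message.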
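As an added example, not code from pct.pm or from the Proxmox project, the following sketches how the two policies from the exchange above could live in one helper: the patch's deny-list (always drop `SSL_CERT_{FILE,DIR}`) and the proposed `--keep-env`/`--clear-env` switch with an explicit allow-list of variables to forward. `build_attach_cmd`, its `env_mode`/`keep_vars`/`cmd` options and `@HOST_ONLY_VARS` are hypothetical names; `--clear-env` and `--keep-var` are lxc-attach's own options. It returns argv and the environment instead of exec'ing, so it can be exercised against a constructed host environment without a container.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added illustration (hypothetical names, not pct.pm): assemble an lxc-attach
# invocation under either environment policy discussed on the list.

# Variables the host sets for its own TLS setup (proxmox-perl-rs' SslProbe);
# they name host paths and must never be inherited by the container.
my @HOST_ONLY_VARS = qw(SSL_CERT_FILE SSL_CERT_DIR);

# Returns (\@argv, \%env) for attaching to container $vmid.
#   env       => hashref to use instead of %ENV (for testing); never mutated
#   env_mode  => 'keep-env' (current 8.x behaviour) or 'clear-env' (proposed 9.0 default)
#   keep_vars => arrayref of variable names to forward under clear-env
#   cmd       => arrayref with command and arguments, or undef for a shell
sub build_attach_cmd {
    my ($vmid, %opt) = @_;
    my $mode = $opt{env_mode} // 'keep-env';
    my %env  = %{ $opt{env} // \%ENV };    # work on a copy, not on %ENV itself

    # Deny-list step (what the patch does): drop the host-only variables
    # regardless of mode, so they cannot leak through under either policy.
    delete @env{@HOST_ONLY_VARS};

    my @argv = ('lxc-attach', '-n', $vmid);
    if ($mode eq 'clear-env') {
        # Allow-list step: start from an empty environment inside the
        # container and forward only the variables explicitly requested.
        push @argv, '--clear-env';
        for my $var (@{ $opt{keep_vars} // [] }) {
            die "refusing to forward host-only variable '$var'\n"
                if grep { $_ eq $var } @HOST_ONLY_VARS;
            push @argv, '--keep-var', $var if exists $env{$var};
        }
    } elsif ($mode ne 'keep-env') {
        die "unknown env_mode '$mode'\n";
    }
    push @argv, '--', @{ $opt{cmd} } if $opt{cmd} && @{ $opt{cmd} };
    return (\@argv, \%env);
}

# Demonstration with a constructed host environment (values are made up).
my %host_env = (
    PATH          => '/usr/sbin:/usr/bin',
    TERM          => 'xterm',
    SSL_CERT_FILE => '/host/only/ca-bundle.crt',
    SSL_CERT_DIR  => '/host/only/certs',
);

for my $mode (qw(keep-env clear-env)) {
    my ($argv, $env) = build_attach_cmd(
        100,
        env       => \%host_env,
        env_mode  => $mode,
        keep_vars => [qw(PATH TERM)],
        cmd       => ['curl', '-sI', 'https://example.invalid/'],
    );
    print "$mode: @$argv\n";
    print "  environment handed to lxc-attach: ", join(' ', sort keys %$env), "\n";
    # Real use would continue with:  local %ENV = %$env; exec(@$argv) or die "exec: $!\n";
}
```

Under `keep-env` the helper yields `lxc-attach -n 100 -- curl ...` with only the two SSL_CERT variables removed, which is the behaviour of the patch; under `clear-env` it yields `lxc-attach -n 100 --clear-env --keep-var PATH --keep-var TERM -- curl ...`, so anything not on the allow-list stays on the host. Keeping the deny-list in front of both modes is deliberate: it protects the `keep-env` default during 8.x and stops a caller from re-adding the host TLS paths to the allow-list by mistake.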