How does keyctl work in virtual environments

Oct 10, 2022
I am wondering if `keyctl` is shared between the host and VMs and/or containers.
Is there any security issue associated with enabling this feature?
Docker may need it, but do other kinds of VMs/containers need it in any fashion? The lack of the nested virtualization feature may cause issues with `su`, for example, so I am wondering if any similar issue happens by disabling `keyctl`.
 
Hi,
VMs are running their own kernel completely independent of the host kernel. Containers run on the same kernel, so your questions only apply there. I'm not aware of any security issues, but if the container doesn't explicitly need it (and I think the vast majority except docker don't), it's better to just keep it disabled. And it seems you can't use systemd-networkd when it's enabled, quoting from man pct:
keyctl=<boolean> (default = 0)
    For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. Essentially, you can choose between running systemd-networkd or docker.
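The man page text above distinguishes two outcomes an unprivileged container can observe: with keyctl=0 the syscall looks non-existent (ENOSYS), while with it enabled individual operations may still be denied by kernel permissions (EACCES/EPERM), which is the case systemd-networkd treated as fatal. The following probe is an added example, not code from the thread or from Proxmox; it assumes a Linux host and the constant values from the kernel's keyctl headers, and can be compiled inside a container to see which state applies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values from <linux/keyctl.h>; defined here so the probe builds without it. */
#ifndef KEYCTL_GET_KEYRING_ID
#define KEYCTL_GET_KEYRING_ID 0
#endif
#ifndef KEY_SPEC_THREAD_KEYRING
#define KEY_SPEC_THREAD_KEYRING (-1)
#endif

/* The states a container can be in with respect to keyctl(). */
enum keyctl_state { KC_AVAILABLE, KC_MISSING, KC_DENIED, KC_OTHER };

/* Map a syscall result plus errno to one of the states described in the thread:
 * ENOSYS  -> pct keyctl=0, the syscall is hidden from the container;
 * EACCES/EPERM -> the syscall exists but the kernel denied this operation. */
enum keyctl_state classify_keyctl(long ret, int err) {
    if (ret >= 0) return KC_AVAILABLE;
    if (err == ENOSYS) return KC_MISSING;
    if (err == EACCES || err == EPERM) return KC_DENIED;
    return KC_OTHER;
}

/* Probe: request the calling thread's keyring id (created on demand). */
enum keyctl_state probe_keyctl(void) {
#ifdef SYS_keyctl
    errno = 0;
    long ret = syscall(SYS_keyctl, KEYCTL_GET_KEYRING_ID, KEY_SPEC_THREAD_KEYRING, 1);
    return classify_keyctl(ret, errno);
#else
    return KC_OTHER; /* not a Linux build */
#endif
}

int main(void) {
    static const char *names[] = { "available", "missing (ENOSYS)", "denied", "other" };
    enum keyctl_state st = probe_keyctl();
    printf("keyctl(): %s (errno=%s)\n", names[st], strerror(errno));
    return 0;
}
```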
 
Hi,
Sorry to necro, but it seems like the systemd-networkd issue in unprivileged containers with keyctl was fixed a while ago: https://github.com/systemd/systemd/pull/8447
I think the version inside the container needs to include the fix and we can't guarantee that. And the documentation states "mostly", so not sure if there are other issues. @wbumiller might know more.

Do you have any particular use-case which requires it? docker is already documented and actually, it's highly recommended to run docker inside VMs rather than containers (they just don't interact nicely and breakage at some point is very likely).
 
I think at least the docs should be updated to mention the version of systemd that it applies to.
 
Do you have any particular use-case which requires it? docker is already documented and actually, it's highly recommended to run docker inside VMs rather than containers (they just don't interact nicely and breakage at some point is very likely).
Damn, I just started a fresh install of Proxmox 8 while I was previously on 7.

Is it still true in Feb 2024 that it's best to have docker in a VM instead of LXC?
 
