How does keyctl works in virtual environments

[Machine Manager]

I am wondering if `keyctl` is shared between host and VM's and/or containers.
Is there any security issue associated with enabling this feature?
Docker may need it, but do other kind of VM/containers need it in any fashion? The lack of the nested virtualization feature may cause issues with `su`, for example, then I am wondering if any similar issue happens by disabling `keyctl`.

 

[fiona]

Hi,
VMs are running their own kernel completely independent of the host kernel. Containers run on the same kernel, so your questions only apply there. I'm not aware of any security issues, but if the container doesn't explicitly need it (and I think the vast majority except docker don't), it's better to just keep it disabled. And it seems you can't use systemd-networkd when it's enabled, quoting from man pct:

keyctl=<boolean> (default = 0)
For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a
container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for
systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to
lacking permissions. Essentially, you can choose between running systemd-networkd or docker.

 

[________]

Sorry to necro but seems like the systemd-networkd issue in unpriveleged containers with keyctl has been fixed a while ago: https://github.com/systemd/systemd/pull/8447

 

[fiona]

Hi,

Sorry to necro but seems like the systemd-networkd issue in unpriveleged containers with keyctl has been fixed a while ago: https://github.com/systemd/systemd/pull/8447

I think the version inside the container needs to include the fix and we can't guarantee that. And the documentation states "mostly", so not sure if there are other issues. @wbumiller might know more.

Do you have any particular use-case which requires it? docker is already documented and actually, it's highly recommended to run docker inside VMs rather than containers (they just don't interact nicely and breakage at some point is very likely).

 

[________]

I think at least the docs should be updated to mention the version of systemd that it applies to.

 

[NinthWave]

Do you have any particular use-case which requires it? docker is already documented and actually, it's highly recommended to run docker inside VMs rather than containers (they just don't interact nicely and breakage at some point is very likely).

Damn, I just started of fresh install of Proxmox 8 while I was previously on 7.

Is it still true in Feb 2024 that its best to have docker in VM instead of LXC ?

 

[UdoB]

Is it still true in Feb 2024 that its best to have docker in VM instead of LXC ?

The current documentation at https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pct says:

"If you want to run application containers, for example, Docker images, it is recommended that you run them inside a Proxmox QEMU VM."