CONTAINER_INTERFACE[0] is something systemd people call their API and we need to adapt to it a bit, even if it means doing stupid unnecessary things, as else systemd decides to regress and suddenly break the network stack in CT after an upgrade[1].
This mounts the parent /sys as ro, child mounts can be whatever. Fixes the system regression introduced by[2]. [0]: https://systemd.io/CONTAINER_INTERFACE/ [1]: https://github.com/systemd/systemd/issues/15101#issuecomment-598607582 [2]: https://github.com/systemd/systemd/commit/bf331d87171b7750d1c72ab0b140a240c0cf32c3 Signed-off-by: Thomas Lamprecht <t.lampre...@proxmox.com> --- I hate it. Just a POC for commenting or picking up, probably belongs in a LXC config or in a "per distro, per systemd version" specific thing src/PVE/LXC.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm index f811550..5f1865e 100644 --- a/src/PVE/LXC.pm +++ b/src/PVE/LXC.pm @@ -720,6 +720,8 @@ sub update_lxc_config { $raw .= "lxc.rootfs.path = $dir/rootfs\n"; + $raw .= "lxc.mount.auto = sys:ro\n"; + foreach my $k (sort keys %$conf) { next if $k !~ m/^net(\d+)$/; my $ind = $1; -- 2.20.1 _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
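Review bot: the added `$raw .= "lxc.mount.auto = sys:ro\n";` in update_lxc_config is emitted unconditionally for every container, while the cover note itself says this belongs in a per-distro, per-systemd-version place; consider gating the line on the guest's detected distro/systemd version (or an explicit per-CT option) so containers that never hit the systemd regression do not get /sys forced read-only, and add a short code comment pointing at the systemd issue [1] so the reason for the line survives in the source. If lxc.mount.auto is already emitted elsewhere in this function (for example for proc), the two values should be merged into a single `lxc.mount.auto` entry rather than written as separate lines.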