
Add keyutils to CBL-Mariner base image

Open jaltman opened this issue 10 months ago • 5 comments

Is your feature request related to a problem? Please describe.
Bug reports have been filed against WSL2 because of failures of the Linux Kernel's Key Request Service. The Key Request Service provides an upcall mechanism as documented in Documentation/security/keys/request-key.rst where the kernel executes an instance of /sbin/request-key for each request. The request-key process is provided by the keyutils package. If the /sbin/request-key process cannot be located in the mount namespace of the root filesystem, then the upcalls will fail with an -ENOENT error. The Key Request service is used in support of keyring management, DNS queries, and id-mapping.

Describe the solution you'd like
Please install keyutils as part of the base image.

Describe alternatives you've considered
Installation of keyutils in a WSL2 distro container does not work because the installed /sbin/request-key cannot be located in the mount namespace of the root filesystem.

Additional context
A working key request service is necessary to support various Linux kernel options including

  1. CONFIG_CIFS_UPCALL, CONFIG_CIFS_DFS_UPCALL, CONFIG_CIFS_SWN_UPCALL: https://github.com/microsoft/WSL/issues/9540
  2. CONFIG_AFS_FS: https://github.com/microsoft/WSL/issues/11458
  3. CONFIG_NFS_USE_KERNEL_DNS
  4. CONFIG_CEPH_LIB_USE_DNS_RESOLVER
  5. NFS ID Mapper

jaltman avatar Apr 16 '24 08:04 jaltman

It should be noted that the AzureLinux kernel config includes

  • CONFIG_DNS_RESOLVER=y
  • CONFIG_NFS_USE_KERNEL_DNS=y

which depend upon the presence of /sbin/request-key from the keyutils package.

jaltman avatar Apr 16 '24 15:04 jaltman

I'd love this!

jabbera avatar Apr 17 '24 19:04 jabbera

@jaltman Not sure why this isn't in the wsl CBL?

https://github.com/microsoft/azurelinux/pull/6435

jabbera avatar Apr 17 '24 19:04 jabbera

@jaltman Not sure why this isn't in the wsl CBL?

#6435

We can tdnf install keyutils with WSL CBL-Mariner. Also, the kernel that runs WSL is by design of WSL not the one shipped with AzureLinux, but WSL2-Linux-Kernel. In other words, whatever distribution we use, be it ubuntu, fedora, AzureLinux via WSL, it will always have the WSL2-Linux-Kernel.

mfrw avatar Apr 23 '24 05:04 mfrw

We can tdnf install keyutils with WSL CBL-Mariner. Also, the kernel that runs WSL is by design of WSL not the one shipped with AzureLinux, but WSL2-Linux-Kernel. In other words, whatever distribution we use, be it ubuntu, fedora, AzureLinux via WSL, it will always have the WSL2-Linux-Kernel.

@mfrw thank you for the reply. The Linux kernel version doesn't matter to this request. All Linux kernels, due to keyring support, will perform an upcall to userspace by executing /sbin/request-key from the namespace of the root filesystem mount. This same upcall mechanism will be used for DNS queries when the kernel is built with CONFIG_DNS_RESOLVE=y. Successful execution of the upcall requires that /sbin/request-key must be present in the root filesystem's namespace.

The kernel cannot successfully find or execute /sbin/request-key when tdnf (or other package manager) is used to install /sbin/request-key (as part of the keyutils package) into a container image filesystem because the container image filesystem is mounted into a distinct namespace. If the kernel could find and execute /sbin/request-key in the container namespace, a container could replace the host's binaries and configuration for the purpose of feeding inappropriate data into the kernel which would then apply to the host at large and all of the other containers running on the system.

What I am asking for in this request is that the keyutils package be added to the CBL-Mariner base image so that /sbin/request-key and its required configuration and associated helpers are available in the root filesystem namespace.

A simple test of the /sbin/request-key upcall is to execute

keyctl request2 user debug:foo "expired" @s

If /sbin/request-key is not present in the root filesystem it will fail with a "No such file or directory" error (-ENOENT). This will be true even if /sbin/request-key is present in the Debian, Ubuntu, or AzureLinux container image.

jaltman avatar Apr 23 '24 17:04 jaltman
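The same probe as the keyctl command above, issued directly through request_key(2) so the errno the kernel hands back can be read off without keyutils installed. This is an added example, not code from the thread or the azurelinux project; the diagnostic strings are my own interpretation of each errno, and the session-keyring constant is copied from <linux/keyctl.h> in case that header is absent.

```c
/* Added example: mirror `keyctl request2 user debug:foo "expired" @s`
 * with the raw request_key(2) syscall and classify the resulting errno. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef KEY_SPEC_SESSION_KEYRING
#define KEY_SPEC_SESSION_KEYRING (-3)   /* value from <linux/keyctl.h> */
#endif

/* Translate the errno of a failed upcall into what it tells an operator.
 * ENOENT is the case this issue is about: the kernel could not exec
 * /sbin/request-key in the root mount namespace. ENOKEY means the helper
 * did run (so keyutils is present) but no handler instantiated the key. */
const char *classify_upcall_errno(int err)
{
    switch (err) {
    case 0:            return "upcall succeeded and returned a key";
    case ENOENT:       return "/sbin/request-key not found in root mount namespace";
    case ENOKEY:       return "request-key ran but negated the key";
    case EKEYREJECTED: return "request-key ran but rejected the key";
    case EACCES:
    case EPERM:        return "keyring permission denied";
    case ENOSYS:       return "request_key(2) unavailable on this kernel";
    default:           return "unexpected request_key(2) error";
    }
}

/* request_key("user", "debug:foo", "expired", @s).
 * Returns 0 when a key serial came back, otherwise the positive errno. */
int probe_request_key_upcall(void)
{
#ifdef SYS_request_key
    long serial = syscall(SYS_request_key, "user", "debug:foo", "expired",
                          (long)KEY_SPEC_SESSION_KEYRING);
    return serial >= 0 ? 0 : errno;
#else
    return ENOSYS;
#endif
}

int main(void)
{
    int err = probe_request_key_upcall();
    printf("request_key: %s -> %s\n", err ? strerror(err) : "ok",
           classify_upcall_errno(err));
    return err == 0 ? 0 : 1;
}
```

On a WSL2 guest without keyutils in the root filesystem this prints the ENOENT line; after keyutils is added to the base image it reports ENOKEY or a key serial instead.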