From: Lennart Poettering Date: Thu, 29 Feb 2024 17:19:07 +0000 (+0100) Subject: ssh-generator: don't do AF_VSOCK stuff if we run in a container X-Git-Tag: v256-rc1~696 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d52320337ee377f011782ed51e8d39a33e4f23be;p=thirdparty%2Fsystemd.git ssh-generator: don't do AF_VSOCK stuff if we run in a container Tighten our VM check: whether we run in a VM is not enough to do AF_VSOCK. We also need to check if we are run in a container, because if we run in a container inside a VM then we should *not* do the AF_VSOCK stuff, but leave the port free for the VM itself. As discussed here: https://github.com/systemd/systemd/pull/31544#issuecomment-1971455401 --- diff --git a/src/ssh-generator/ssh-generator.c b/src/ssh-generator/ssh-generator.c index f906b475684..6fdd4ec27f3 100644 --- a/src/ssh-generator/ssh-generator.c +++ b/src/ssh-generator/ssh-generator.c @@ -184,10 +184,11 @@ static int add_vsock_socket( assert(dest); assert(generated_sshd_template_unit); - Virtualization v = detect_vm(); + Virtualization v = detect_virtualization(); if (v < 0) return log_error_errno(v, "Failed to detect if we run in a VM: %m"); - if (v == VIRTUALIZATION_NONE) { + if (!VIRTUALIZATION_IS_VM(v)) { + /* NB: if we are running in a container inside a VM, then we'll *not* do AF_VSOCK stuff */ log_debug("Not running in a VM, not listening on AF_VSOCK."); return 0; }
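
Review bot: the two log messages in add_vsock_socket() still describe the old check. After the switch to detect_virtualization(), the early return under `if (!VIRTUALIZATION_IS_VM(v))` is also taken for a container running inside a VM, yet the debug line still reports "Not running in a VM, not listening on AF_VSOCK.", which is misleading in generator debug output for exactly the case this commit addresses. Consider wording such as "Not running in a VM (or running in a container), not listening on AF_VSOCK." Likewise, "Failed to detect if we run in a VM: %m" could refer to virtualization in general, since the call no longer detects VMs only.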