Add keyutils to CBL-Mariner base image

[jaltman]

Is your feature request related to a problem? Please describe.
Bug reports have been filed against WSL2 because of failures of the Linux Kernel's Key Request Service. The Key Request Service provides an upcall mechanism as documented in Documentation/security/keys/request-key.rst where the kernel executes an instance of /sbin/request-key for each request. The request-key process is provided by the keyutils package. If the /sbin/request-key process cannot be located in the mount namespace of the root filesystem, then the upcalls will fail with an -ENOENT error. The Key Request service is used in support of keyring management, DNS queries, and id-mapping.

Describe the solution you'd like
Please install keyutils as part of the base image

Describe alternatives you've considered
Installation of keyutils in an WSL2 distro container does not work because the installed /sbin/request-key cannot be located in the mount namespace of the root filesystem.

Additional context
A working key request service is necessary to support various Linux kernel options including

1. CONFIG_CIFS_UPCALL, CONFIG_CIFS_DFS_UPCALL, CONFIG_CIFS_SWN_UPCALL: Kernel dns_resolver not working WSL#9540
2. CONFIG_AFS_FS: Enable AFS/AuriStorFS filesystem support WSL#11458
3. CONFIG_NFS_USE_KERNEL_DNS
4. CONFIG_CEPH_LIB_USE_DNS_RESOLVER
5. NFS ID Mapper

[jaltman]

It should be noted that the AzureLinux kernel config includes

• CONFIG_DNS_RESOLVER=y
• CONFIG_NFS_USE_KERNEL_DNS=y

which depend upon the presence of /sbin/request-key from the keyutils package.

[jabbera]

I'd love this!

[jabbera]

@jaltman Not sure why this isn't in the wsl CBL?

#6435

[mfrw]

@jaltman Not sure why this isn't in the wsl CBL?

#6435

We can tdnf install keyutils with WSL CBL-Mariner.
Also, the kernel that runs WSL is by design of WSL not the one shipped with AzureLinux, but WSL2-Linux-Kernel
In other words, whatever distribution we use, be it ubuntu, fedora, AzureLinux via WSL, it will always have the WSL2-Linux-Kernel

[jaltman]

We can tdnf install keyutils with WSL CBL-Mariner. Also, the kernel that runs WSL is by design of WSL not the one shipped with AzureLinux, but WSL2-Linux-Kernel In other words, whatever distribution we use, be it ubuntu, fedora, AzureLinux via WSL, it will always have the WSL2-Linux-Kernel

@mfrw thank you for the reply. The Linux kernel version doesn't matter to this request. All Linux kernels due to keyrings support will perform an upcall to userspace by executing /sbin/request-key from the namespace of the root filesystem mount. This same upcall mechanism will be used for DNS queries when the kernel is built with CONFIG_DNS_RESOLVE=y. Successful execution of the upcall requires that /sbin/request-key must be present in the root filesystem's namespace.

The kernel cannot successfully find or execute /sbin/request-key when tdnf (or other package manager) is used to install /sbin/request-key (as part of the keyutils package) into a container image filesystem because the container image filesystem is mounted into a distinct namespace. If the kernel could find and execute /sbin/request-key in the container namespace, a container could replace the host's binaries and configuration for the purpose of feeding inappropriate data into the kernel which would then apply to the host at large and all of the other containers running on the system.

What I am asking for in this request is that the keyutils package be added to the CBL-Mariner base image so that /sbin/request-key and its required configuration and associated helpers are available in the root filesystem namespace.

A simple test of the /sbin/request-key upcall is to execute

keyctl request2 user debug:foo "expired" @s

if /sbin/request-key is not present in the root filesystem it will fail with a "No such file or directory" error. (-ENOENT). This will be true even if /sbin/request-key is present in the Debian, Ubuntu, AzureLinux container image.

[jabbera]

Hi, @OneBlue as discussed at your ignite session here is what I think the key issue is w.r.t. support DFS CIFS shares in WSL2. The DFS kernel code requires kernel upcalls to work to resolve dns:

see: https://github.com/torvalds/linux/blob/fc39fb56917bb3cb53e99560ca3612a84456ada2/fs/smb/client/dns_resolve.c#L68C7-L68C16
and the kernel implementation to query dns via request-keys here: https://github.com/torvalds/linux/blob/341d041daae52cd5f014f68c1c7d9039db818fca/net/dns_resolver/dns_query.c#L128

Installing any linux distribution on WSL2 and running the following to test request-key functionality shows it doesn't work:

keyctl request2 user debug:foo "expired" @s 

This is something that needs to be fixed in the image you run wsl2 distributions in I believe.

Issue realted to kernel dns resolver not working in WSL2: microsoft/WSL#9540
Original issue about DFS here: microsoft/WSL#9524

Thanks for looking!

[FrancescoRestelli]

Hi,

Thanks for posting this, can anybody think of a workaround to the missing keyutils/request-key issue?

Also trying to get DFS to run.

thank you br francesco

[jabbera]

Hi @OneBlue, happy 2025. I was wondering if you had an update on this item?

[zandershah]

I'm also looking for any way to get DFS to run if there are any known workarounds

[jabbera]

I was never able to get it going because the lack of keyring up calls in the container image that runs wsl. It's incredibly frustrating.