From 3e90209df699e8e256f615d6ef2bbf8bbe949d87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20B=C3=A9dard-Couture?=
Date: Thu, 7 Mar 2024 22:21:03 -0500
Subject: [PATCH] Leave keyctl off by default as recommended

---
 misc/all-templates.sh | 4 +++-
 misc/build.func | 13 ++++++++-----
 turnkey/turnkey.sh | 4 +++-
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/misc/all-templates.sh b/misc/all-templates.sh
index ab430e7c..ea3facbf 100644
--- a/misc/all-templates.sh
+++ b/misc/all-templates.sh
@@ -77,8 +77,10 @@ TEMPLATE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "All Templat
 NAME=$(echo "$TEMPLATE" | grep -oE '^[^-]+-[^-]+')
 PASS="$(openssl rand -base64 8)"
 CTID=$(pvesh get /cluster/nextid)
+#Recommended default for unprivileged containers is to leave keyctl off
+#https://forum.proxmox.com/threads/how-does-keyctl-works-in-virtual-environments.116414/
 PCT_OPTIONS="
- -features keyctl=1,nesting=1
+ -features nesting=1
 -hostname $NAME
 -tags proxmox-helper-scripts
 -onboot 0
diff --git a/misc/build.func b/misc/build.func
index f21ad361..c1fc7724 100644
--- a/misc/build.func
+++ b/misc/build.func
@@ -509,11 +509,14 @@ start() {
 build_container() {
 # if [ "$VERB" == "yes" ]; then set -x; fi
- if [ "$CT_TYPE" == "1" ]; then
- FEATURES="keyctl=1,nesting=1"
- else
- FEATURES="nesting=1"
- fi
+#Recommended default for unprivileged containers is to leave keyctl off
+#https://forum.proxmox.com/threads/how-does-keyctl-works-in-virtual-environments.116414/
+ FEATURES="nesting=1"
+# if [ "$CT_TYPE" == "1" ]; then
+# FEATURES="keyctl=1,nesting=1"
+# else
+# FEATURES="nesting=1"
+# fi
 TEMP_DIR=$(mktemp -d)
diff --git a/turnkey/turnkey.sh b/turnkey/turnkey.sh
index 202143cf..3ef28c99 100644
--- a/turnkey/turnkey.sh
+++ b/turnkey/turnkey.sh
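Review bot: The two new `#` lines above `PCT_OPTIONS=` state the recommendation but not its cost, and the same wording is added in turnkey/turnkey.sh, so someone editing `-features` later cannot tell what dropping `keyctl=1` gives up. Per the pct feature documentation, keyctl is the flag an unprivileged container needs to run Docker, and it is off by default mainly so systemd-networkd does not fail on denied keyctl() calls; the comment should name that trade-off, e.g. `# Leave keyctl off by default (Proxmox recommendation for unprivileged CTs; avoids systemd-networkd failures). Docker inside the container needs keyctl=1 — set it explicitly for that case.` The new comment lines also lack the space after `#` that the existing `# Setup script environment` comment in turnkey.sh uses. The PCT_OPTIONS string that `-features` belongs to continues past the hunk.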
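Review bot: The five `+#` lines that reproduce the old `if`/`else` as comments are dead code placed right after the live `FEATURES="nesting=1"` assignment and should be deleted rather than kept; the removed lines directly above them are already preserved in history. The two explanatory comment lines are also at column 0 inside build_container(), whose body is indented two spaces, so they should be indented with the code. Because the deleted branch was the only place keyctl=1 was set (for CT_TYPE 1), the change removes any path for an unprivileged container to get keyctl at all; if an opt-in is still wanted, a single line such as `FEATURES="nesting=1${KEYCTL_ENABLE:+,keyctl=1}"` (variable name is a constructed example) keeps the default off without the commented block. build_container() continues past the hunk.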
@@ -98,8 +98,10 @@ turnkey=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "TurnKey LXCs
 # Setup script environment
 PASS="$(openssl rand -base64 8)"
 CTID=$(pvesh get /cluster/nextid)
+#Recommended default for unprivileged containers is to leave keyctl off
+#https://forum.proxmox.com/threads/how-does-keyctl-works-in-virtual-environments.116414/
 PCT_OPTIONS="
- -features keyctl=1,nesting=1
+ -features nesting=1
 -hostname turnkey-${turnkey}
 -tags proxmox-helper-scripts
 -onboot 1