On Tue, Mar 14, 2017 at 08:09:00PM +0000, Richard W.M. Jones wrote:
> Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
>
> Currently if you install a minimal-ish, non-"Virtualization Host"
> Fedora, then the permissions on the /dev/kvm device are:
>
>   crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
>
> (I believe this is because of some kernel defaults for the device. In
> any case there seems to be no base install udev rule which applies a
> `MODE=' line explicitly for /dev/kvm).
>
> The mere act of installing the qemu package adds a new udev rule
> which changes the permissions:
>
>   [root@rawhide ~]# ll /dev/kvm
>   crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
>   [root@rawhide ~]# dnf -y install qemu-system-x86
>   //...
>   [root@rawhide ~]# ll /dev/kvm
>   crw-rw-rw-. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
>
> I don't have a problem with any of that and I'm not saying that the
> permissions should be more restrictive, but for balance I will note
> that in Debian /dev/kvm is more restrictive (see comment in the bug
> above).
>
> The problem raised in the bug above is that with containers people
> will wish to install qemu or libvirt or other tools inside the
> containers, but not necessarily have qemu installed on the host. In
> that case, they will always see /dev/kvm with mode 0600, ie. generally
> unusable for them.

I'm fuzzy about the issue faced with containers. Containers will usually
have a separate /dev that is populated by the container mgmt engine
(whether docker, libvirt, lxc or something else). That mgmt engine is
responsible for setting permissions of /dev/kvm in the container's /dev
if the user asked for /dev/kvm to be made available.

udev should never run inside a container - it is only supposed to run in
host context. So any udev rules that manipulate /dev/kvm permissions will
only ever be used in host context and never have any effect on containers.
The bug listed above doesn't actually describe any real problem with
containers & /dev/kvm - my reading is that the bug is just thinking about
a hypothetical future problem, but since udev isn't involved in
containers' /dev mgmt, I don't think there's a bug that needs fixing here.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
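An added example, not part of the thread above and not code from Fedora, Debian or any qemu package: a small POSIX shell audit that shows the two facts the thread turns on. First, which MODE= a set of udev rules would apply to the kvm device node (the rules are read from stdin so the check runs offline; the sample rule text is constructed here, modelled only on the 0666 result Richard observed after installing qemu and on his remark that Debian is more restrictive). Second, what the live /dev/kvm node looks like on the machine the script runs on, which is the only thing that matters inside a container, since, as Daniel notes, udev does not run there and the container engine populates /dev itself. The udev rule directories named in the comments are the standard udev locations; the rule-evaluation model is simplified (last plain MODE= assignment wins, the `:=` final-assignment operator is not modelled).

```shell
#!/bin/sh
# Added example (not from the thread): audit how udev would set /dev/kvm
# permissions on the host, and what the device node looks like right now.
# To check a real host, feed the actual rule files in udev's lexical order:
#   cat /usr/lib/udev/rules.d/*.rules /etc/udev/rules.d/*.rules | kvm_rule_mode

# Print the MODE= that matching kvm rules would apply, reading rule text
# from stdin. Comment lines are skipped. udev evaluates files in lexical
# order and a later plain MODE="..." overrides an earlier one, so the last
# match wins (simplification: ':=' final assignment is not modelled).
# Prints nothing when no rule touches the kvm node, which is the
# "kernel default" case from the thread (0600 there).
kvm_rule_mode() {
    grep -v '^[[:space:]]*#' | grep 'KERNEL=="kvm"' |
        sed -n 's/.*MODE="\([0-7]\{3,4\}\)".*/\1/p' | tail -n 1
}

# Classify an octal mode string by who can open the node for writing.
# Opening /dev/kvm read-write is what a VM launcher needs, so the write bit
# is the one that decides whether a non-root user can use KVM at all.
classify_mode() {
    case "$1" in
        "")        echo "no-rule" ;;                 # nothing matched on stdin
        *[2367])   echo "other-writable" ;;          # 'other' bits include write
        *[2367]?)  echo "group-writable" ;;          # only the group can write
        *)         echo "owner-writable-only" ;;
    esac
}

# Live mode of /dev/kvm on this host, or "absent" if the node does not
# exist (for example inside a container whose engine did not expose it).
kvm_device_mode() {
    if [ -c /dev/kvm ]; then
        stat -c '%a' /dev/kvm
    else
        echo absent
    fi
}

# Constructed sample rules. The first mirrors the thread's observation that
# installing qemu yields crw-rw-rw-; the second is a group-restricted variant
# of the kind the thread attributes to Debian. Neither is copied from a package.
SAMPLE_QEMU_RULES='# 80-kvm.rules (constructed sample)
KERNEL=="kvm", GROUP="kvm", MODE="0666"'
SAMPLE_RESTRICTIVE_RULES='# constructed sample: group-restricted variant
KERNEL=="kvm", GROUP="kvm", MODE="0660"'

mode=$(printf '%s\n' "$SAMPLE_QEMU_RULES" | kvm_rule_mode)
echo "sample qemu rule  -> MODE=$mode ($(classify_mode "$mode"))"
mode=$(printf '%s\n' "$SAMPLE_RESTRICTIVE_RULES" | kvm_rule_mode)
echo "restrictive rule  -> MODE=$mode ($(classify_mode "$mode"))"
mode=$(printf '# no kvm rule at all\n' | kvm_rule_mode)
echo "no matching rule  -> $(classify_mode "$mode")"
echo "live /dev/kvm     -> $(kvm_device_mode)"
```

Run it on a host and then inside a container on the same host: the rule-derived answer is identical in both (it is just text parsing), while `kvm_device_mode` reflects whatever the container engine actually created, which is the distinction the thread is making.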