On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 08:09:00PM +0000, Richard W.M. Jones wrote:
>> Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
>>
>> Currently if you install a minimal-ish, non-"Virtualization Host"
>> Fedora, then the permissions on the /dev/kvm device are:
>>
>> crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
>>
>> (I believe this is because of some kernel defaults for the device. In
>> any case there seems to be no base install udev rule which applies a
>> `MODE=' line explicitly for /dev/kvm).
>>
>> The mere act of installing the qemu package adds a new udev rule
>> which changes the permissions:
>>
>> [root@rawhide ~]# ll /dev/kvm
>> crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
>> [root@rawhide ~]# dnf -y install qemu-system-x86
>> //...
>> [root@rawhide ~]# ll /dev/kvm
>> crw-rw-rw-. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
>>
>> I don't have a problem with any of that and I'm not saying that the
>> permissions should be more restrictive, but for balance I will note
>> that in Debian /dev/kvm is more restrictive (see comment in the bug
>> above).
>>
>> The problem raised in the bug above is that with containers people
>> will wish to install qemu or libvirt or other tools inside the
>> containers, but not necessarily have qemu installed on the host. In
>> that case, they will always see /dev/kvm with mode 0600, i.e. generally
>> unusable for them.
>
> I'm fuzzy about the issue faced with containers. Containers will usually
> have a separate /dev that is populated by the container mgmt engine (whether
> docker, libvirt, lxc or something else). That mgmt engine is responsible for
> setting permissions of /dev/kvm in the container's /dev if the user asked for
> /dev/kvm to be made available. udev should never run inside a container - it
> is only supposed to run in host context. So any udev rules that manipulate
> /dev/kvm permissions will only ever be used in host context and never have
> any effect on containers.
>
> The bug listed above doesn't actually describe any real problem with
> containers & /dev/kvm - my reading is that the bug is just thinking
> about a hypothetical future problem, but since udev isn't involved
> in containers' /dev mgmt, I don't think there's a bug that needs fixing
> here.
>
> Regards,
> Daniel

I guess if you volume/bind mount the device into the container you could
see an issue, but most containers that deal with /dev/kvm are going to be
run as root, anyways.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
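As an added example (not part of this thread, and not code from Fedora or the qemu package), a POSIX sh audit helper that reports the mode a udev rule set would assign to /dev/kvm on a host and classifies the result; SAMPLE_RULES is constructed data assumed to mirror the shape of the rule qemu installs, and the 0600 fallback is the kernel default the thread reports.

```shell
#!/bin/sh
# Added example: audit what access /dev/kvm ends up with. No real file is
# read; SAMPLE_RULES is constructed (assumption: same shape as qemu's rule).

SAMPLE_RULES='KERNEL=="kvm", GROUP="kvm", MODE="0666"
KERNEL=="vhost-net", GROUP="kvm", MODE="0660"'

# Print the MODE= value the rules ($2) assign to kernel device $1, or "none"
# when no rule sets one (the kernel-default case described in the thread).
kvm_rule_mode() {
    printf '%s\n' "$2" \
        | grep -E "KERNEL==\"$1\"" \
        | sed -n 's/.*MODE="\([0-7]*\)".*/\1/p' \
        | tail -n 1 \
        | grep . || echo none
}

# Classify an octal mode such as 0666: world (any user may open the node),
# group (owner plus the owning group), or owner (root only, the 0600 case).
octal_mode_class() {
    m="$1"
    other=${m#"${m%?}"}                      # last digit
    tmp=${m%?}; group=${tmp#"${tmp%?}"}      # second-to-last digit
    if [ $((other & 6)) -ne 0 ]; then echo world
    elif [ $((group & 6)) -ne 0 ]; then echo group
    else echo owner; fi
}

# Same classification for the symbolic form ls -l prints, e.g. "crw-rw-rw-.".
ls_mode_class() {
    rest=${1#?}                              # drop the type character
    rest=${rest#???}                         # skip the owner bits
    group=$(printf '%.3s' "$rest"); rest=${rest#???}
    other=$(printf '%.3s' "$rest")
    case "$other" in *r*|*w*) echo world; return ;; esac
    case "$group" in *r*|*w*) echo group; return ;; esac
    echo owner
}

# Mode the node gets on a host where udev processes the rules. "none" leaves
# the kernel default (assumed 0600 as in the thread). Inside a container udev
# does not run, so the rules never apply there; the engine sets the mode.
effective_host_mode() {
    mode=$(kvm_rule_mode "$1" "$2")
    [ "$mode" = none ] && mode=0600
    echo "$mode $(octal_mode_class "$mode")"
}
```

Point `kvm_rule_mode` at the contents of an installed rules file to compare the host's declared policy against what `ls -l /dev/kvm` actually shows in a container.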