Re: Default permissions on /dev/kvm

On Tue, Mar 14, 2017 at 08:29:00PM +0000, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 08:09:00PM +0000, Richard W.M. Jones wrote:
> > Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
> > 
> > Currently if you install a minimal-ish, non-"Virtualization Host"
> > Fedora, then the permissions on the /dev/kvm device are:
> > 
> >   crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
> > 
> > (I believe this is because of some kernel defaults for the device.  In
> > any case there seems to be no base install udev rule which applies a
> > `MODE=' line explicitly for /dev/kvm).
> > 
> > The mere act of installing the qemu package adds a new udev rule
> > which changes the permissions:
> > 
> >   [root@rawhide ~]# ll /dev/kvm 
> >   crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
> >   [root@rawhide ~]# dnf -y install qemu-system-x86
> >   //...
> >   [root@rawhide ~]# ll /dev/kvm
> >   crw-rw-rw-. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
> > 
> > I don't have a problem with any of that and I'm not saying that the
> > permissions should be more restrictive, but for balance I will note
> > that in Debian /dev/kvm is more restrictive (see comment in the bug
> > above).
> > 
> > The problem raised in the bug above is that with containers people
> > will wish to install qemu or libvirt or other tools inside the
> > containers, but not necessarily have qemu installed on the host.  In
> > that case, they will always see /dev/kvm with mode 0600, ie. generally
> > unusable for them.
> 
> I'm fuzzy about the issue faced with containers. Containers will usually
> have a separate /dev that is populated by the container mgmt engine (whether
> docker, libvirt, lxc or something else). That mgmt engine is responsible for
> setting permissions of /dev/kvm in the container's /dev if the user asked for
> /dev/kvm to be made available. udev should never run inside a container - it
> is only supposed to run in host context. So any udev rules that manipulate
> /dev/kvm permissions will only ever be used in host context and never have
> any effect on containers.
> 
> The bug listed above doesn't actually describe any real problem with
> containers & /dev/kvm - my reading is that the bug is just thinking
> about a hypothetical future problem, but since udev isn't involved
> in containers' /dev mgmt, I don't think there's a bug that needs fixing
> here.

This applies to any system where kvm is to be used by unprivileged users
without the qemu package being installed. It is possible to use kvm in this
way, e.g. by using self-compiled qemu, or some alternative or whatever.
So maybe we should move the rules for /dev/kvm to
/usr/lib/udev/rules.d/50-udev-default.rules.

Zbyszek
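
Added example, not part of the original messages and not Fedora's or systemd's code: a small audit helper that works out which udev rule ends up setting MODE and GROUP on /dev/kvm, given the rules files present on a host. The file name 80-example-kvm.rules, the rule contents and the helper name are constructed for illustration; the 0600 root default is the listing quoted in the thread.

```python
import fnmatch
import re
from pathlib import PurePosixPath

# Same-named rules files: a later directory in this list replaces an earlier one (udev(7)).
DIRS = ["/usr/lib/udev/rules.d", "/run/udev/rules.d", "/etc/udev/rules.d"]
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|:=|=)\s*"([^"]*)"')

# Constructed sample input: a base install, and a package-supplied kvm rule.
BASE = {"/usr/lib/udev/rules.d/50-udev-default.rules": 'KERNEL=="null|zero", MODE="0666"\n'}
PKG = {"/usr/lib/udev/rules.d/80-example-kvm.rules": 'KERNEL=="kvm", GROUP="kvm", MODE="0666"\n'}

def effective_kvm_perms(files):
    """files maps absolute path -> rules text; returns the resulting node settings."""
    chosen = {}
    for path in files:
        p = PurePosixPath(path)
        if str(p.parent) not in DIRS:
            continue
        rank = DIRS.index(str(p.parent))
        if p.name not in chosen or rank > chosen[p.name][0]:
            chosen[p.name] = (rank, path)
    # Default taken from the listing quoted in the thread: crw------- root root.
    result = {"MODE": "0600", "GROUP": "root", "source": "kernel default"}
    final = set()
    for name in sorted(chosen):  # udev orders by file name, not by directory
        path = chosen[name][1]
        for line in files[path].splitlines():
            if line.lstrip().startswith("#"):
                continue
            tokens = TOKEN.findall(line)
            matches = [t for t in tokens if t[1] in ("==", "!=")]
            # Simplification: only rules whose sole match key is KERNEL=="..." are evaluated.
            if not matches or any(k != "KERNEL" or op != "==" for k, op, _ in matches):
                continue
            if not all(any(fnmatch.fnmatchcase("kvm", alt) for alt in v.split("|"))
                       for _, _, v in matches):
                continue
            for key, op, value in tokens:
                if key in ("MODE", "GROUP") and op in ("=", ":=") and key not in final:
                    result[key], result["source"] = value, path
                    if op == ":=":  # final assignment: later rules cannot change it
                        final.add(key)
    result["world_writable"] = bool(int(result["MODE"], 8) & 0o002)
    return result
```

On a real host the `files` mapping would be filled by reading the three rules directories; line continuations and match keys other than KERNEL are not handled here.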