On Tue, Mar 14, 2017 at 11:38:51PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Tue, Mar 14, 2017 at 08:29:00PM +0000, Daniel P. Berrange wrote:
> > On Tue, Mar 14, 2017 at 08:09:00PM +0000, Richard W.M. Jones wrote:
> > > Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
> > >
> > > Currently if you install a minimal-ish, non-"Virtualization Host"
> > > Fedora, then the permissions on the /dev/kvm device are:
> > >
> > > crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
> > >
> > > (I believe this is because of some kernel defaults for the device. In
> > > any case there seems to be no base install udev rule which applies a
> > > `MODE=' line explicitly for /dev/kvm).
> > >
> > > The mere act of installing the qemu package adds a new udev rule
> > > which changes the permissions:
> > >
> > > [root@rawhide ~]# ll /dev/kvm
> > > crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
> > > [root@rawhide ~]# dnf -y install qemu-system-x86
> > > //...
> > > [root@rawhide ~]# ll /dev/kvm
> > > crw-rw-rw-. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
> > >
> > > I don't have a problem with any of that and I'm not saying that the
> > > permissions should be more restrictive, but for balance I will note
> > > that in Debian /dev/kvm is more restrictive (see comment in the bug
> > > above).
> > >
> > > The problem raised in the bug above is that with containers people
> > > will wish to install qemu or libvirt or other tools inside the
> > > containers, but not necessarily have qemu installed on the host. In
> > > that case, they will always see /dev/kvm with mode 0600, i.e. generally
> > > unusable for them.
> >
> > I'm fuzzy about the issue faced with containers. Containers will usually
> > have a separate /dev that is populated by the container mgmt engine (whether
> > docker, libvirt, lxc or something else). That mgmt engine is responsible for
> > setting permissions of /dev/kvm in the container's /dev if the user asked for
> > /dev/kvm to be made available. udev should never run inside a container - it
> > is only supposed to run in host context. So any udev rules that manipulate
> > /dev/kvm permissions will only ever be used in host context and never have
> > any effect on containers.
> >
> > The bug listed above doesn't actually describe any real problem with
> > containers & /dev/kvm - my reading is that the bug is just thinking
> > about a hypothetical future problem, but since udev isn't involved
> > in containers' /dev mgmt, I don't think there's a bug that needs fixing
> > here.
>
> This applies to any system where kvm is to be used by unprivileged users
> without the qemu package being installed. It is possible to use kvm in this
> way, e.g. by using self-compiled qemu, or some alternative or whatever.
> So maybe we should move the rules for /dev/kvm to
> /usr/lib/udev/rules.d/50-udev-default.rules.

Sure, if udev maintainers are willing to ship the kvm rule by default,
that's fine with me for the reason you suggest. I simply don't think it'll
have any effect on usage of /dev/kvm inside containers.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
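An added shell example, not part of this thread, that audits which udev rules files assign a mode to the kvm device and what the effective assignment is. udev reads rules files in lexical order of their file names, so a later `MODE=` assignment overrides an earlier one; that ordering is why the file the rule lives in (50-udev-default.rules vs. a package-shipped file) matters. The sample rules directory and the contents of its files are constructed for this example; the real rule text shipped by qemu or udev is not reproduced here.

```shell
#!/bin/sh
# Added example: audit udev rules that touch the kvm device node.
# Usage: audit_kvm /usr/lib/udev/rules.d /etc/udev/rules.d

# Print "FILE:MODE:GROUP" for every rule line matching KERNEL=="kvm"
# in the given rules directories; missing directories are skipped.
kvm_rules() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.rules; do
            [ -f "$f" ] || continue
            grep -E 'KERNEL=="kvm"' "$f" | while read -r line; do
                mode=$(printf '%s' "$line" | sed -n 's/.*MODE="\([0-7]*\)".*/\1/p')
                group=$(printf '%s' "$line" | sed -n 's/.*GROUP="\([^"]*\)".*/\1/p')
                printf '%s:%s:%s\n' "$(basename "$f")" "${mode:-unset}" "${group:-unset}"
            done
        done
    done
}

# udev applies rules files in lexical order, so the last MODE= wins.
last_kvm_mode() {
    kvm_rules "$@" | sort -t: -k1,1 |
        awk -F: '$2 != "unset" { m = $2 } END { print (m == "" ? "unset" : m) }'
}

# Build a constructed sample rules tree: a default file with no kvm rule,
# plus a package-style file that opens /dev/kvm (contents are made up here).
make_sample_rules() {
    sample=$(mktemp -d)
    printf 'KERNEL=="tty", MODE="0666"\n' > "$sample/50-udev-default.rules"
    printf 'KERNEL=="kvm", MODE="0666"\n' > "$sample/80-kvm.rules"
    printf '%s\n' "$sample"
}

# Report the live device node alongside what the rules would apply.
audit_kvm() {
    printf '/dev/kvm now: %s\n' "$(ls -l /dev/kvm 2>/dev/null || echo absent)"
    printf 'kvm rule lines: %s\n' "$(kvm_rules "$@" | tr '\n' ' ')"
    printf 'effective MODE from rules: %s\n' "$(last_kvm_mode "$@")"
}

audit_kvm /usr/lib/udev/rules.d /etc/udev/rules.d
```

On a host where no installed file carries a kvm rule the audit reports `unset`, which matches the 0600 node Richard observed before qemu was installed.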