On 03/15/2017 05:27 AM, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote:
>>
>> On 03/14/2017 05:18 PM, Dusty Mabe wrote:
>>> On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
>>>> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>>>>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>>>>>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>>>>>> I guess if you volume/bind mount the device into the container you could
>>>>>> see an issue,
>>>>>> but most containers that deal with /dev/kvm are going to be run as root,
>>>>>> anyways.
>>>>> I was running with --privileged, still got permission denied until I
>>>>> changed permissions of /dev/kvm to 666.
>>>>> _______________________________________________
>>>>> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>> # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm
>>>> crw-rw-rw-. 1 root 36 system_u:object_r:container_file_t:s0:c303,c737 10, 232 Mar 14 21:12 /dev/kvm
>>>> # chmod 600 /dev/kvm
>>>> # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm
>>>> crw-------. 1 root 36 system_u:object_r:container_file_t:s0:c281,c442 10, 232 Mar 14 21:13 /dev/kvm
>>>>
>>>> So using --device to add the device to the container just maintains the permission of the host
>>>> for the device you added. Whether it is volume mounted in or specified via --device, at least
>>>> from docker's point of view.
>>> I'm not sure of your point. I was just trying to say that whether I
>>> was root or not did not seem to matter. I still got permission denied
>>> if perms were 600 and not 666. I'm working off of memory here, so it's
>>> possible somebody will prove me wrong.
>> Most likely libvirt or whoever is launching the containers is not running
>> as root, so it is being blocked access.
> It is simpler than that. When you ask libvirt to assign a device to a
> container it will simply mknod() in the container's private /dev, with
> permissions 0700. If the container needs to make that available to
> non-privileged users inside the container, its "init" has to arrange
> to set permissions further.
>
> For Docker, I'm unclear whether it is also just doing a mknod in the
> container's /dev, or whether it is bind mounting the host device node.
> Either way, udev isn't involved inside the container.
>
> Regards,
> Daniel

My point was that docker is just matching the permissions from the host.

In the case of using docker run --device /dev/kvm it is creating a different device:

# ls -i /dev/kvm
18835 /dev/kvm
# docker run -ti --device /dev/kvm fedora sh
# ls -lZ /dev/kvm
crw-------. 1 root 36 system_u:object_r:container_file_t:s0:c516,c728 10, 232 Mar 15 11:44 /dev/kvm
# ls -i /dev/kvm
669570 /dev/kvm

If I chmod 666 outside of the container the mode of the container is still 600, so they are different devices.
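As an added example (not from this thread), a small POSIX sh check that tells whether the device node a container sees is the host's own node (bind mount, so a host chmod is visible inside) or a separate mknod'ed copy whose mode was fixed at creation time, and whether that mode lets non-root users in. The stat format and the sample lines are assumptions; the sample inode and mode numbers are constructed from the figures quoted above.

```shell
#!/bin/sh
# Both inputs are one line produced by:  stat -c '%i %d %a %t:%T' /dev/kvm
# i.e. inode, filesystem device number, octal mode, major:minor (hex).
# The inode is only meaningful together with the filesystem it lives on,
# because a container's /dev is normally a separate tmpfs.
# Prints one of: same-node | separate-node | different-device
classify_dev_node() {
    # split "host line" then "container line" into six positional fields
    set -- $1 $2
    h_ino=$1; h_fs=$2; h_mode=$3; h_dev=$4
    c_ino=$5; c_fs=$6; c_mode=$7; c_dev=$8
    if [ "$h_dev" != "$c_dev" ]; then
        echo different-device        # not the same major:minor at all
    elif [ "$h_ino" = "$c_ino" ] && [ "$h_fs" = "$c_fs" ]; then
        echo same-node               # bind mount: one inode, host chmod is seen inside
    else
        echo separate-node           # mknod copy: mode (here $h_mode -> $c_mode) was copied once
    fi
}

# Exit 0 when the octal mode lets "others" both read and write (e.g. 666),
# which is what an unprivileged process inside the container needs to open
# the node when it is still owned by root with no matching group.
others_can_rw() {
    [ $(( 0$1 & 6 )) -eq 6 ]
}

# Usage on a real host (needs docker and /dev/kvm; not run here):
#   host=$(stat -c '%i %d %a %t:%T' /dev/kvm)
#   ctr=$(docker run --rm --device /dev/kvm fedora stat -c '%i %d %a %t:%T' /dev/kvm)
#   classify_dev_node "$host" "$ctr"; others_can_rw "${ctr#* * }" ...
```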