Re: Default permissions on /dev/kvm

On 03/15/2017 05:27 AM, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote:
>>
>> On 03/14/2017 05:18 PM, Dusty Mabe wrote:
>>> On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
>>>> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>>>>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>>>>>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>>>>>> I guess if you volume/bind mount the device into the container you could
>>>>>> see an issue,
>>>>>> but most containers that deal with /dev/kvm are going to be run as root,
>>>>>> anyways.
>>>>> I was running with --privileged, still got permission denied until I
>>>>> changed permissions of /dev/kvm to 666.
>>>> # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm
>>>> crw-rw-rw-. 1 root 36 system_u:object_r:container_file_t:s0:c303,c737 10, 232 Mar 14 21:12 /dev/kvm
>>>> # chmod 600 /dev/kvm 
>>>> # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm 
>>>> crw-------. 1 root 36 system_u:object_r:container_file_t:s0:c281,c442 10, 232 Mar 14 21:13 /dev/kvm
>>>>
>>>> So using --device to add the device to the container just maintains the permission of the host
>>>> for the device you added.  Whether it is volume mounted in or specified via --device, at least
>>>> from dockers point of view. 
>>> I'm not sure of your point. I was just trying to say that whether i
>>> was root or not did not seem to matter. I still got permission denied
>>> if perms were 600 and not 666. I'm working off of memory here, so it's
>>> possible somebody will prove me wrong.
>> Most likely libvirt or whoever is launching the containers is not running
>> as root, so it is being blocked access.
> It is simpler than that. When you ask libvirt to assign a device to a
> container it will simply mknod() in the container's private /dev, with
> permissions 0700. If the container needs to make that available to
> non-privileged users inside the container, its "init" has to arrange
> to set permissions further.
>
> For Docker, I'm unclear whether it is also just doing a mknod in the
> container's /dev, or whether it is bind mounting the host device node.
> Either way, udev isn't involved inside the container.
>
> Regards,
> Daniel
My point was that docker is just matching the permissions from the host.

In the case of using docker run --device /dev/kvm, it is creating a different device:

# ls -i /dev/kvm
18835 /dev/kvm

# docker run -ti --device /dev/kvm fedora sh

# ls -lZ /dev/kvm 
crw-------. 1 root 36 system_u:object_r:container_file_t:s0:c516,c728 10, 232 Mar 15 11:44 /dev/kvm
# ls -i /dev/kvm 
669570 /dev/kvm

If I chmod 666 outside of the container the mode of the container is still 600, so they are different devices.


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
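The mechanism the thread is circling around (the runtime mknod()s a fresh node into the container's private /dev, copying type, major/minor and mode from the host node at creation time, after which the two nodes are independent) can be reproduced outside any container. The script below is an added example, not Docker's or libvirt's code. `replicate_node`, `same_node` and `mode_of` are names chosen here; the demo uses a scratch FIFO as a stand-in because mknod of a FIFO needs no privilege, while mknod of a char device needs CAP_MKNOD. The inode/mode behaviour is the same for both, and as root `replicate_node /dev/kvm /some/dir/kvm` produces the 10,232 node exactly as shown in the `docker run --device` output above.

```shell
#!/bin/sh
# Added example (not Docker/libvirt code): mimic what a container runtime does
# with --device, then check whether the copy tracks the original's mode.

# Create a new node at $2 with the same type, major/minor and mode as $1,
# the way a runtime mknod()s a host device into a container's private /dev.
replicate_node() {
    src=$1; dst=$2
    # GNU stat: %F = file type, %t/%T = major/minor (hex), %a = mode (octal)
    type=$(stat -c %F "$src")
    maj=$((0x$(stat -c %t "$src")))
    min=$((0x$(stat -c %T "$src")))
    mode=$(stat -c %a "$src")
    case $type in
        "character special file") mknod -m "$mode" "$dst" c "$maj" "$min" ;;
        "block special file")     mknod -m "$mode" "$dst" b "$maj" "$min" ;;
        fifo)                     mknod -m "$mode" "$dst" p ;;
        *) echo "replicate_node: unsupported type '$type'" >&2; return 1 ;;
    esac
}

# True only if both paths are the very same node (same device + inode),
# i.e. a bind mount of the host node rather than a freshly mknod()ed copy.
same_node() {
    [ "$(stat -c '%d:%i' "$1")" = "$(stat -c '%d:%i' "$2")" ]
}

# Current permission bits of a node, as octal (e.g. 600 or 666).
mode_of() {
    stat -c %a "$1"
}

# Demonstration on a scratch directory with a constructed stand-in node.
demo() {
    tmp=$(mktemp -d) || return 1
    host=$tmp/host-kvm; cont=$tmp/container-kvm
    mkfifo -m 600 "$host"                   # plays the host's /dev/kvm, mode 600
    replicate_node "$host" "$cont" || return 1

    echo "after replicate (note the two inode numbers):"
    ls -li "$host" "$cont"

    chmod 666 "$host"                       # like chmod 666 /dev/kvm on the host
    echo "host now $(mode_of "$host"), container copy still $(mode_of "$cont")"
    if same_node "$host" "$cont"; then
        echo "same node (bind mount semantics)"
    else
        echo "different nodes (mknod semantics): mode was copied once, at creation"
    fi
    rm -rf "$tmp"
}

# Run the demo when executed directly (not when sourced).
case $0 in
    *sh) ;;            # sourced into an interactive sh/bash: only define functions
    *) demo ;;
esac
```

The practical check inside a real container is the same comparison: `stat -c '%d:%i %a' /dev/kvm` on the host and in the container. Different inodes mean a mknod()ed copy, and then a host-side chmod after `docker run` will not reach the container; the mode has to be right before the container starts, or the container's own init has to chmod its copy.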