Re: Default permissions on /dev/kvm

On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote:
> 
> 
> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
> > 
> > Sure, if udev maintainers are willing to ship the kvm rule by default,
> > that's fine with me for the reason you suggest. I simply don't think it'll
> > have any effect on usage of /dev/kvm inside containers
> > 
> 
> Does that mean you assume the scenario I outlined is incorrect? The
> only reason we are having this discussion is because I found that
> changing the permissions of /dev/kvm on the host from 600 to 666 made
> it so that I could run libvirt inside a container, which would mean
> that it does have an effect on usage of /dev/kvm inside a container.

Oh, wait, I think I see - you don't have qemu installed in the host
at all - you only installed it inside a docker image, but docker
is just copying the host permissions, and thus sees the default
permissions from the kernel.

> I could be "using it wrong", but would like for you to tell me why
> what I'm doing is invalid.

While Docker copies the permissions from host devices, I don't think
that is something it is nice to rely on. Different operating systems
have different views on what default permissions are. So if you build
a Docker image that relies on the host OS having given /dev/kvm
particular permissions, your Docker image is going to be non-portable.

IOW while moving the udev rule out of the QEMU rpm into the udev RPM
would fix it for future Fedora, your docker image is going to be
unable to reliably run on other OS distros (whether older Fedora or
Debian which has restrictive /dev/kvm by default).

I don't see any way to force docker to give the device different
permissions when using the --device flag to launch a container.
In absence of that the only other option is to use an entrypoint
script to chmod the file when your container starts, but that
requires the container to run privileged, which is bad. I think
ideally Docker would provide some way to give explicit permissions
so your container is isolated from decisions OS distros make about
default permissions in the host.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
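The permission problem discussed above, as an added example that is not part of the thread and not code from Docker, Fedora or libvirt: a POSIX sh check that, given the mode and ownership a device node such as /dev/kvm has on the host (which is what --device copies into the container), decides whether a particular uid could open it read-write, and reports whether that would change if the container process were a member of the node's owning group (docker run --group-add accepts a numeric gid). The kvm gid 36 in the comments and tests is a constructed sample value; `stat -c` is the GNU coreutils form; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Docker/Fedora/libvirt.
# Reproduces the ordinary Unix permission check for a device node so a
# container entrypoint can tell, without chmod and without privilege,
# whether /dev/kvm as copied by --device is usable by its uid.

# mode_digit MODE u|g|o : one permission digit from a `stat -c %a` mode.
mode_digit() {
    m=$1
    case $m in ????) m=${m#?} ;; esac   # drop a setuid/setgid/sticky digit
    m=${m#0}; m=${m#0}                   # leading zeros would be octal in $(( ))
    case $2 in
        u) echo $(( m / 100 )) ;;
        g) echo $(( (m / 10) % 10 )) ;;
        o) echo $(( m % 10 )) ;;
    esac
}

# can_rw_dev MODE OWNER_UID OWNER_GID UID [GID...]
# Returns 0 (true) if UID, holding the listed GIDs, can open the node
# read-write: owner bits if uid matches, else group bits if any gid matches,
# else other bits. Root always can.
can_rw_dev() {
    c_mode=$1; c_uid=$2; c_gid=$3; c_who=$4; shift 4
    [ "$c_who" -eq 0 ] && return 0
    if [ "$c_who" -eq "$c_uid" ]; then
        c_bits=$(mode_digit "$c_mode" u)
    else
        c_bits=$(mode_digit "$c_mode" o)
        for c_g in "$@"; do
            if [ "$c_g" -eq "$c_gid" ]; then
                c_bits=$(mode_digit "$c_mode" g); break
            fi
        done
    fi
    [ $(( c_bits & 6 )) -eq 6 ]           # need both read (4) and write (2)
}

# kvm_advice MODE OWNER_UID OWNER_GID UID [GID...]
# Prints "ok" if the uid can already use the node; "group-add <gid>" if
# membership in the owning group would suffice (e.g. `docker run
# --group-add 36` on a host where /dev/kvm is root:kvm 0660); otherwise
# "chmod-on-host", meaning only the host side (udev rule or chmod) can fix it.
kvm_advice() {
    a_mode=$1; a_uid=$2; a_gid=$3; a_who=$4; shift 4
    if can_rw_dev "$a_mode" "$a_uid" "$a_gid" "$a_who" "$@"; then
        echo ok
    elif [ $(( $(mode_digit "$a_mode" g) & 6 )) -eq 6 ]; then
        echo "group-add $a_gid"
    else
        echo chmod-on-host
    fi
}

# check_kvm: inspect the real /dev/kvm (if present) for the current user.
check_kvm() {
    [ -e /dev/kvm ] || { echo "no /dev/kvm"; return 1; }
    set -- $(stat -c '%a %u %g' /dev/kvm)   # GNU stat: mode uid gid
    kvm_advice "$1" "$2" "$3" "$(id -u)" $(id -G)
}

# Run as `sh kvm-check.sh --live` to get the verdict for this host and user.
if [ "${1:-}" = --live ]; then check_kvm; fi
```

Running the live check inside the container (rather than on the host) is the point: the mode and ownership it sees are the host's, exactly as the mail says, so the verdict tells you whether the image will work on this particular distro's defaults before libvirt fails later with a less obvious error.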