On 03/15/2017 11:49 AM, Daniel P. Berrange wrote:
> On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote:
>>
>> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
>>> Sure, if udev maintainers are willing to ship the kvm rule by default,
>>> that's fine with me for the reason you suggest. I simply don't think it'll
>>> have any effect on usage of /dev/kvm inside containers.
>>>
>> Does that mean you assume the scenario I outlined is incorrect? The
>> only reason we are having this discussion is because I found that
>> changing the permissions of /dev/kvm on the host from 600 to 666 made
>> it so that I could run libvirt inside a container, which would mean
>> that it does have an effect on usage of /dev/kvm inside a container.
>
> Oh, wait, I think I see - you don't have qemu installed in the host
> at all - you only installed it inside a docker image, but docker
> is just copying the host permissions, and thus you see the default
> permissions from the kernel.
>
>> I could be "using it wrong", but would like for you to tell me why
>> what I'm doing is invalid.
>
> While Docker copies the permissions from host devices, I don't think
> that is something it is nice to rely on. Different operating systems
> have different views on what default permissions are. So if you build
> a Docker image that relies on the host OS having given /dev/kvm
> particular permissions, your Docker image is going to be non-portable.
>
> IOW, while moving the udev rule out of the QEMU rpm into the udev RPM
> would fix it for future Fedora, your docker image is going to be
> unable to reliably run on other OS distros (whether older Fedora or
> Debian, which has restrictive /dev/kvm by default).
>
> I don't see any way to force docker to give the device different
> permissions when using the --device flag to launch a container.
> In the absence of that, the only other option is to use an entrypoint
> script to chmod the file when your container starts, but that
> requires the container to run privileged, which is bad. I think
> ideally Docker would provide some way to give explicit permissions
> so your container is isolated from decisions OS distros make about
> default permissions in the host.
>
> Regards,
> Daniel

Let's open a bugzilla on this for docker, although I am not sure upstream would be amenable to a decent solution.

devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
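An added example, not from the thread above and not part of Fedora, Docker or libvirt: a preflight check for a container entrypoint that reports whether /dev/kvm, as copied in by `--device`, is actually opened for read/write by the uid the container will use, instead of letting libvirt fail later with a less obvious error. The permission decision is kept in a pure function so it can be exercised with constructed owner/mode/uid values. Assumptions that the thread does not state: the image has GNU stat and `id -G`; libvirt starts qemu as an unprivileged user, so the mode bits matter even when the container entrypoint is root; and Docker's `--group-add` flag (a real flag, but not mentioned in the thread) is the portable way to grant access when the host exposes /dev/kvm as group-accessible, e.g. 0660 root:kvm as on Debian. It cannot help with 0600 root:root, which is exactly the case Dusty hit.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Decides whether a
# process with a given uid and supplementary gids may open a device node
# read+write under plain DAC mode bits, then applies that to /dev/kvm as
# seen from inside a container.

# has_rw DIGIT: true when one octal permission digit has both r (4) and w (2).
has_rw() {
    case $1 in
        6|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# can_rw_device OWNER_UID OWNER_GID MODE UID "GID GID ..."
# MODE is octal as printed by `stat -c %a` (660 or 0660). Mirrors the kernel's
# class selection: exactly one of owner/group/other applies, with no
# fall-through from a failing group class to the other class.
can_rw_device() {
    own_uid=$1 own_gid=$2 mode=$3 uid=$4 gids=$5
    # uid 0 keeps CAP_DAC_OVERRIDE in a default (unprivileged) Docker
    # container, so root bypasses the mode bits. libvirt runs qemu as an
    # unprivileged user (assumption: stock libvirt config), hence the mode
    # still matters for the libvirt-in-a-container case from the thread.
    [ "$uid" -eq 0 ] && return 0
    m=${mode#"${mode%???}"}                 # keep the last three octal digits
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
    if [ "$uid" -eq "$own_uid" ]; then
        has_rw "$u"; return
    fi
    for gid in $gids; do
        [ "$gid" -eq "$own_gid" ] && { has_rw "$g"; return; }
    done
    has_rw "$o"
}

# check_dev_kvm [PATH]: diagnose the device node the container actually sees.
# Uses GNU stat and `id -G` (assumption: GNU/Linux userland in the image).
check_dev_kvm() {
    dev=${1:-/dev/kvm}
    if [ ! -e "$dev" ]; then
        echo "$dev missing: no KVM on the host, or container started without --device $dev" >&2
        return 2
    fi
    set -- $(stat -c '%u %g %a' "$dev")    # owner uid, owner gid, octal mode
    if can_rw_device "$1" "$2" "$3" "$(id -u)" "$(id -G)"; then
        echo "$dev usable by uid $(id -u) (owner $1:$2 mode $3)"
        return 0
    fi
    echo "$dev NOT usable by uid $(id -u): owner $1:$2 mode $3 is the host's mode, copied by --device" >&2
    return 1
}

# Entrypoint preflight:   sh kvm-check.sh --check
# Host-side invocation when /dev/kvm is 0660 root:kvm (Debian-style):
#   docker run --device /dev/kvm --group-add "$(stat -c %g /dev/kvm)" IMAGE
# --group-add only adds a supplementary gid; with 0600 root:root on the
# host nothing short of uid 0 (or the privileged chmod from the thread) works.
if [ "${1-}" = --check ]; then
    check_dev_kvm
fi
```

The check deliberately does not chmod anything: the point of the thread is that the mode the container sees is the host's, and fixing it from inside requires a privileged container. Failing fast with the owner and mode printed tells the operator whether `--group-add` will help (group bit set) or whether the host's udev rule itself has to change.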