On 03/15/2017 11:49 AM, Daniel P. Berrange wrote: > On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote: >> >> >> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote: >>> >>> Sure, if udev maintainers are willing to ship the kvm rule by default, >>> that's fine with me for reason you suggest. I simply don't think it'll >>> have any effect on usage of /dev/kvm inside containers >>> >> >> Does that mean you assume my scenario I outlined is incorrect? The >> only reason we are having this discussion is because i found that >> changing the permissions of /dev/kvm on the host from 600 to 666 made >> it so that I could run libvirt inside a container, which would mean >> that if does have an effect on usage of /dev/kvm inside a container. > > Oh, wait I think I see - you don't have qemu installed in the host > at all - you only installed it inside a docker image, but docker > is just copying the host permissions, and thus see the default > permissions from the kernel. right >> I could be "using it wrong", but would like for you to tell me why >> what I'm doing is invalid. > > While Docker copies the permissions from host devices, I don't think > that is something it is nice to rely on. Different operating systems > have different views on what default permissions are. So if you build > a Docker image that relies on the host OS having given /dev/kvm > particular permissions, your Docker image is going to be non-portable. > > IOW while moving the udev rule out of the QEMU rpm into the udev RPM > would fix it for future Fedora, your docker image is going to be > unable to reliably run on other OS distros (whether older Fedora or > Debian which has restrictive /dev/kvm by default). > > I don't see any way to force docker to give the device different > permissions when using the --device flag to launch a container. > In absence of that the only other option is to use an entrypoint > script to chmod the file when your container starts, but that > requires the container to run privileged which is bad. I think > ideally Docker would provide some way to give explicit permissions > so your container is isolated from decisions OS distros make about > default permissions in the host. > Thanks for the explanation. Maybe we should just leave things like they are in Fedora then and not worry with changing systemd since it looks like we won't be able to get them to change it to 666 by default anyway. Should we just cancel our request? I think any change other than 666 perms would probably cause more problems than it would solve. Dusty _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
