Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876 Currently if you install a minimal-ish, non-"Virtualization Host" Fedora, then the permissions on the /dev/kvm device are: crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm (I believe this is because of some kernel defaults for the device. In any case there seems to be no base install udev rule which applies a `MODE=' line explicitly for /dev/kvm). There mere act of installing the qemu package adds a new udev rule which changes the permissions: [root@rawhide ~]# ll /dev/kvm crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm [root@rawhide ~]# dnf -y install qemu-system-x86 //... [root@rawhide ~]# ll /dev/kvm crw-rw-rw-. 1 root root 10, 232 Mar 14 15:51 /dev/kvm I don't have a problem with any of that and I'm not saying that the permissions should be more restrictive, but for balance I will note that in Debian /dev/kvm is more restrictive (see comment in the bug above). The problem raised in the bug above is that with containers people will wish to install qemu or libvirt or other tools inside the containers, but not necessarily have qemu installed on the host. In that case, they will always see /dev/kvm with mode 0600, ie. generally unusable for them.

On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: I guess if you volume/bind mount the device into the container you could see an issue, but most containers that deal with /dev/kvm are going to be run as root, anyways.

On 03/14/2017 05:02 PM, Dusty Mabe wrote: > > On 03/14/2017 04:56 PM, Daniel J Walsh wrote: >> >> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: >> I guess if you volume/bind mount the device into the container you could >> see an issue, >> but most containers that deal with /dev/kvm are going to be run as root, >> anyways. > I was running with --privileged, still got permission denied until I > changed permissions of /dev/kvm to 666. > _______________________________________________ > devel mailing list -- devel(a)lists.fedoraproject.org > To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm crw-rw-rw-. 1 root 36 system_u:object_r:container_file_t:s0:c303,c737 10, 232 Mar 14 21:12 /dev/kvm # chmod 600 /dev/kvm # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm crw-------. 1 root 36 system_u:object_r:container_file_t:s0:c281,c442 10, 232 Mar 14 21:13 /dev/kvm So using --device to add the device to the container just maintains the permission of the host for the device you added. Whether it is volume mounted in or specified via --device, at least from dockers point of view.

On 03/14/2017 05:18 PM, Dusty Mabe wrote: > > On 03/14/2017 05:15 PM, Daniel J Walsh wrote: >> >> On 03/14/2017 05:02 PM, Dusty Mabe wrote: >>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote: >>>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote: >>>> I guess if you volume/bind mount the device into the container you could >>>> see an issue, >>>> but most containers that deal with /dev/kvm are going to be run as root, >>>> anyways. >>> I was running with --privileged, still got permission denied until I >>> changed permissions of /dev/kvm to 666. >>> _______________________________________________ >>> devel mailing list -- devel(a)lists.fedoraproject.org >>> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org >> # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm >> crw-rw-rw-. 1 root 36 system_u:object_r:container_file_t:s0:c303,c737 10, 232 Mar 14 21:12 /dev/kvm >> # chmod 600 /dev/kvm >> # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm >> crw-------. 1 root 36 system_u:object_r:container_file_t:s0:c281,c442 10, 232 Mar 14 21:13 /dev/kvm >> >> So using --device to add the device to the container just maintains the permission of the host >> for the device you added. Whether it is volume mounted in or specified via --device, at least >> from dockers point of view. > I'm not sure of your point. I was just trying to say that whether i > was root or not did not seem to matter. I still got permission denied > if perms were 600 and not 666. I'm working off of memory here, so it's > possible somebody will prove me wrong. Most likely libvirt or whoever is launching the containers is not running as root, so it is being blocked access.

I'm fuzzy about the issue faced with containers. Containers will usually have a separate /dev that is populated by the container mgmt engine (whether docker, libvirt, lxc or something else). That mgmt engine is responsible for setting permissions of /dev/kvm in the container's /dev if the user asked for /dev/kvm to be made available. udev should never run inside a container - it is only supposed to run in host context. So any udev rules that manipulate /dev/kvm permissions will only ever be used in host context and never have any effect on containers. The bug listed above doesn't actually describe any real problem with containers & /dev/kvm - my reading is that the bug is just thinking about a hypothetical future problem, but since udev isn't involved in containers' /dev mgmt, I don't think there's a bug that needs fixing here.

On Tue, Mar 14, 2017 at 08:29:00PM +0000, Daniel P. Berrange wrote: > On Tue, Mar 14, 2017 at 08:09:00PM +0000, Richard W.M. Jones wrote: > > Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876 > > > > Currently if you install a minimal-ish, non-"Virtualization Host" > > Fedora, then the permissions on the /dev/kvm device are: > > > > crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm > > > > (I believe this is because of some kernel defaults for the device. In > > any case there seems to be no base install udev rule which applies a > > `MODE=' line explicitly for /dev/kvm). > > > > There mere act of installing the qemu package adds a new udev rule > > which changes the permissions: > > > > [root@rawhide ~]# ll /dev/kvm > > crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm > > [root@rawhide ~]# dnf -y install qemu-system-x86 > > //... > > [root@rawhide ~]# ll /dev/kvm > > crw-rw-rw-. 1 root root 10, 232 Mar 14 15:51 /dev/kvm > > > > I don't have a problem with any of that and I'm not saying that the > > permissions should be more restrictive, but for balance I will note > > that in Debian /dev/kvm is more restrictive (see comment in the bug > > above). > > > > The problem raised in the bug above is that with containers people > > will wish to install qemu or libvirt or other tools inside the > > containers, but not necessarily have qemu installed on the host. In > > that case, they will always see /dev/kvm with mode 0600, ie. generally > > unusable for them. > > I'm fuzzy about the issue faced with containers. Containers will usually > have a separate /dev that is populated by the container mgmt engine (whether > docker, libvirt, lxc or something else). That mgmt engine is responsible for > setting permissions of /dev/kvm in the container's /dev if the user asked for > /dev/kvm to be made available. udev should never run inside a container - it > is only supposed to run in host context. So any udev rules that manipulate > /dev/kvm permissions will only ever be used in host context and never have > any effect on containers. > > The bug listed above doesn't actually describe any real problem with > containers & /dev/kvm - my reading is that the bug is just thinking > about a hypothetical future problem, but since udev isn't involved > in containers' /dev mgmt, I don't think there's a bug that needs fixing > here. This applies to any system where kvm is to be used by unprivileged users without qemu package being installed. It is possible to use kvm in this way, e.g. by using self-compiled qemu, or some alternative or whatever. So maybe we should move the rules for /dev/kvm to /usr/lib/udev/rules.d/50-udev-default.rules.

On 03/15/2017 05:17 AM, Daniel P. Berrange wrote: > > Sure, if udev maintainers are willing to ship the kvm rule by default, > that's fine with me for reason you suggest. I simply don't think it'll > have any effect on usage of /dev/kvm inside containers > Does that mean you assume my scenario I outlined is incorrect? The only reason we are having this discussion is because i found that changing the permissions of /dev/kvm on the host from 600 to 666 made it so that I could run libvirt inside a container, which would mean that if does have an effect on usage of /dev/kvm inside a container.

I could be "using it wrong", but would like for you to tell me why what I'm doing is invalid.

On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote: > > > On 03/15/2017 05:17 AM, Daniel P. Berrange wrote: >> >> Sure, if udev maintainers are willing to ship the kvm rule by default, >> that's fine with me for reason you suggest. I simply don't think it'll >> have any effect on usage of /dev/kvm inside containers >> > > Does that mean you assume my scenario I outlined is incorrect? The > only reason we are having this discussion is because i found that > changing the permissions of /dev/kvm on the host from 600 to 666 made > it so that I could run libvirt inside a container, which would mean > that if does have an effect on usage of /dev/kvm inside a container. Oh, wait I think I see - you don't have qemu installed in the host at all - you only installed it inside a docker image, but docker is just copying the host permissions, and thus see the default permissions from the kernel.

> I could be "using it wrong", but would like for you to tell me why > what I'm doing is invalid. While Docker copies the permissions from host devices, I don't think that is something it is nice to rely on. Different operating systems have different views on what default permissions are. So if you build a Docker image that relies on the host OS having given /dev/kvm particular permissions, your Docker image is going to be non-portable. IOW while moving the udev rule out of the QEMU rpm into the udev RPM would fix it for future Fedora, your docker image is going to be unable to reliably run on other OS distros (whether older Fedora or Debian which has restrictive /dev/kvm by default). I don't see any way to force docker to give the device different permissions when using the --device flag to launch a container. In absence of that the only other option is to use an entrypoint script to chmod the file when your container starts, but that requires the container to run privileged which is bad. I think ideally Docker would provide some way to give explicit permissions so your container is isolated from decisions OS distros make about default permissions in the host.