On 03/15/2017 05:27 AM, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote:
>>
>> On 03/14/2017 05:18 PM, Dusty Mabe wrote:
>>> On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
>>>> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>>>>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>>>>>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>>>>>> I guess if you volume/bind mount the device into the container you could
>>>>>> see an issue, but most containers that deal with /dev/kvm are going to be
>>>>>> run as root, anyways.
>>>>> I was running with --privileged, still got permission denied until I
>>>>> changed permissions of /dev/kvm to 666.
>>>>> _______________________________________________
>>>>> devel mailing list -- devel(a)lists.fedoraproject.org
>>>>> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
>>>> # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm
>>>> crw-rw-rw-. 1 root 36 system_u:object_r:container_file_t:s0:c303,c737 10, 232 Mar 14 21:12 /dev/kvm
>>>> # chmod 600 /dev/kvm
>>>> # docker run -ti --device /dev/kvm fedora ls -lZ /dev/kvm
>>>> crw-------. 1 root 36 system_u:object_r:container_file_t:s0:c281,c442 10, 232 Mar 14 21:13 /dev/kvm
>>>>
>>>> So using --device to add the device to the container just maintains the
>>>> permission of the host for the device you added. Whether it is volume
>>>> mounted in or specified via --device, at least from Docker's point of view.
>>> I'm not sure of your point. I was just trying to say that whether I
>>> was root or not did not seem to matter. I still got permission denied
>>> if perms were 600 and not 666. I'm working off of memory here, so it's
>>> possible somebody will prove me wrong.
>> Most likely libvirt or whoever is launching the containers is not running
>> as root, so it is being blocked access.
> It is simpler than that. When you ask libvirt to assign a device to a
> container it will simply mknod() in the container's private /dev, with
> permissions 0700. If the container needs to make that available to
> non-privileged users inside the container, its "init" has to arrange
> to set permissions further.
>
> For Docker, I'm unclear whether it is also just doing a mknod in the
> container's /dev, or whether it is bind mounting the host device node.
> Either way, udev isn't involved inside the container.
>
> Regards,
> Daniel
My point was that docker is just matching the permissions from the host.
In the case of using docker run --device /dev/kvm it is creating a different device:

# ls -i /dev/kvm
18835 /dev/kvm
# docker run -ti --device /dev/kvm fedora sh
# ls -lZ /dev/kvm
crw-------. 1 root 36 system_u:object_r:container_file_t:s0:c516,c728 10, 232 Mar 15 11:44 /dev/kvm
# ls -i /dev/kvm
669570 /dev/kvm

If I chmod 666 outside of the container the mode in the container is still 600, so they
are different devices.
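The inode-and-mode comparison done by hand with ls -i / ls -lZ above, as an added example that is not from this thread or from Docker/libvirt: compare_nodes() takes two host-visible paths (for a running container that would be /dev/kvm and /proc/<container-pid>/root/dev/kvm, an assumption about how you reach the container's /dev) and reports whether they are one inode (bind mount, mode shared) or distinct nodes of the same major/minor (fresh mknod, modes independent). Because mknod needs root, the bundled demo stands in a hard link and a copy of a constructed regular file for the two cases.

```python
import os
import shutil
import stat
import tempfile


def describe_node(path):
    """Collect what the thread compares by hand with ls -lZ and ls -i."""
    st = os.stat(path)
    is_chr = stat.S_ISCHR(st.st_mode)
    return {
        "inode": (st.st_dev, st.st_ino),   # identity of the filesystem object
        "mode": stat.S_IMODE(st.st_mode),  # permission bits, e.g. 0o600
        # major/minor of the kernel device behind the node (10, 232 for /dev/kvm)
        "rdev": (os.major(st.st_rdev), os.minor(st.st_rdev)) if is_chr else None,
        "other_rw": bool(st.st_mode & stat.S_IROTH and st.st_mode & stat.S_IWOTH),
    }


def compare_nodes(host_path, container_path):
    """same_inode True: one object seen from both sides (bind mount), a chmod on
    either side shows on both.  same_inode False but same_device True: a fresh
    mknod of the same major/minor (what --device gives), modes are independent."""
    h, c = describe_node(host_path), describe_node(container_path)
    same_device = None if h["rdev"] is None else h["rdev"] == c["rdev"]
    return {"same_inode": h["inode"] == c["inode"], "same_device": same_device,
            "host_mode": h["mode"], "container_mode": c["mode"],
            "container_other_rw": c["other_rw"]}


def demo_with_regular_files():
    """Unprivileged stand-in (constructed): a hard link plays the bind mount, a
    copy plays the separately created node.  Returns both comparisons after a
    chmod 666 on the 'host' side, mirroring the experiment in the thread."""
    d = tempfile.mkdtemp()
    host, linked, copied = (os.path.join(d, n) for n in ("host", "linked", "copied"))
    open(host, "w").close()
    os.chmod(host, 0o600)
    os.link(host, linked)        # same inode
    shutil.copy(host, copied)    # new inode; mode copied only at this moment
    os.chmod(host, 0o666)        # the host-side chmod from the thread
    out = {"linked": compare_nodes(host, linked), "copied": compare_nodes(host, copied)}
    shutil.rmtree(d)
    return out


if __name__ == "__main__":
    for name, result in demo_with_regular_files().items():
        print(name, result)
```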