View Issue Details

IDProjectCategoryView StatusLast Update Ecosystem Testingpublic2018-07-05 20:47
PrioritynormalSeverityminorReproducibilityhave not tried
Status resolvedResolutionfixed 
Summary0014915: /dev/kvm is not accessible to pods when using random user
DescriptionFollowing, I created a pod that is supposed to run libvirt/QEMU tests. Something like this:

kind: Pod
apiVersion: v1
  name: tests
    - name: tests
      image: cockpit/tests
      command: [ "sleep", "10000" ]
    oci_kvm_hook: allowed

(This won't actually suffice to run Cockpit tests, but it demonstrates the problem). Then, `oc rsh tests`:

sh-4.4$ ls -l /dev/kvm
crw-------. 1 root root 10, 232 Jun 6 20:45 /dev/kvm

sh-4.4$ head /dev/kvm
head: cannot open '/dev/kvm' for reading: Permission denied

As pods in CentOS CI run as a random unprivileged UID, 600 permissions are rather useless. #14713 suggested

          runAsUser: 0

but first that doesn't work:

    Error from server (Forbidden): pods "tests" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 0: UID on container tests does not match required range. Found 0, required min: 1000190000 max: 1000199999]

and it's also not really desirable, as one really doesn't have to be root to use QEMU/libvirt, it's just about the device node. In fedora, /dev/kvm has been 0666 for a fair while now, as it was deemed safe enough now. Can pods get the same?
TagsNo tags attached.




2018-06-07 10:00

reporter   ~0032026

In newer Fedoras, udev's /lib/udev/rules.d/50-udev-default.rules sets the correct permissions. But not on RHEL-7:

/lib/udev/rules.d/80-kvm.rules:KERNEL=="kvm", GROUP="kvm", MODE="0666"
[root@m1 ~]# rpm -qf /lib/udev/rules.d/80-kvm.rules

# cat /lib/udev/rules.d/80-kvm.rules
KERNEL=="kvm", GROUP="kvm", MODE="0666"

So could this udev rule be installed on the nodes? Or, if that's preferrable in any way, install qemu-kvm on the nodes?


2018-07-05 20:47

administrator   ~0032184

This was applied in June, but an Ansible run in late June reverted the change. I've fixed our playbooks to do the right thing from now on.

Apologies for the mixup.

Issue History

Date Modified Username Field Change
2018-06-06 20:59 Martin.Pitt New Issue
2018-06-07 10:00 Martin.Pitt Note Added: 0032026
2018-07-05 20:47 bstinson Note Added: 0032184
2018-07-05 20:47 bstinson Status new => resolved
2018-07-05 20:47 bstinson Resolution open => fixed