View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0014915||Buildsys||Ci.centos.org Ecosystem Testing||public||2018-06-06 20:59||2018-07-05 20:47|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Summary||0014915: /dev/kvm is not accessible to pods when using random user|
|Description||Following https://bugs.centos.org/view.php?id=14713, I created a pod that is supposed to run libvirt/QEMU tests. Something like this:|
- name: tests
command: [ "sleep", "10000" ]
(This won't actually suffice to run Cockpit tests, but it demonstrates the problem). Then, `oc rsh tests`:
sh-4.4$ ls -l /dev/kvm
crw-------. 1 root root 10, 232 Jun 6 20:45 /dev/kvm
sh-4.4$ head /dev/kvm
head: cannot open '/dev/kvm' for reading: Permission denied
As pods in CentOS CI run as a random unprivileged UID, 600 permissions are rather useless. #14713 suggested
but first that doesn't work:
Error from server (Forbidden): pods "tests" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 0: UID on container tests does not match required range. Found 0, required min: 1000190000 max: 1000199999]
and it's also not really desirable, as one really doesn't have to be root to use QEMU/libvirt, it's just about the device node. In fedora, /dev/kvm has been 0666 for a fair while now, as it was deemed safe enough now. Can pods get the same?
|Tags||No tags attached.|
In newer Fedoras, udev's /lib/udev/rules.d/50-udev-default.rules sets the correct permissions. But not on RHEL-7:
/lib/udev/rules.d/80-kvm.rules:KERNEL=="kvm", GROUP="kvm", MODE="0666"
[root@m1 ~]# rpm -qf /lib/udev/rules.d/80-kvm.rules
# cat /lib/udev/rules.d/80-kvm.rules
KERNEL=="kvm", GROUP="kvm", MODE="0666"
So could this udev rule be installed on the nodes? Or, if that's preferrable in any way, install qemu-kvm on the nodes?
This was applied in June, but an Ansible run in late June reverted the change. I've fixed our playbooks to do the right thing from now on.
Apologies for the mixup.