On 03/15/2017 11:49 AM, Daniel P. Berrange wrote:
> On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote:
>>
>>
>> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
>>>
>>> Sure, if udev maintainers are willing to ship the kvm rule by default,
>>> that's fine with me for reason you suggest.
As part of the discussion at the systemd bugtracker [1], people from
Debian said that they prefer 0660 mode, group kvm, because this limits
the exposure to kernel bugs in the kvm module. Those are not frequent,
but they do happen, so it's hard to argue that increases security at
least a bit.
Curre
On 03/15/2017 11:49 AM, Daniel P. Berrange wrote:
> On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote:
>>
>> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
>>> Sure, if udev maintainers are willing to ship the kvm rule by default,
>>> that's fine with me for reason you suggest. I simp
On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote:
>
>
> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
> >
> > Sure, if udev maintainers are willing to ship the kvm rule by default,
> > that's fine with me for reason you suggest. I simply don't think it'll
> > have any effect on usa
On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
>
> Sure, if udev maintainers are willing to ship the kvm rule by default,
> that's fine with me for reason you suggest. I simply don't think it'll
> have any effect on usage of /dev/kvm inside containers
>
Does that mean you assume my scenario
On 03/15/2017 05:27 AM, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote:
>>
>> On 03/14/2017 05:18 PM, Dusty Mabe wrote:
>>> On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
On 03/14/2017 05:02 PM, Dusty Mabe wrote:
> On 03/14/2017 04:56 PM, Daniel
On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote:
>
>
> On 03/14/2017 05:18 PM, Dusty Mabe wrote:
> >
> > On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
> >>
> >> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
> >>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
> On 03/14/2017 04:29
On Tue, Mar 14, 2017 at 11:38:51PM +, Zbigniew Jędrzejewski-Szmek wrote:
> On Tue, Mar 14, 2017 at 08:29:00PM +, Daniel P. Berrange wrote:
> > On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
> > > Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
> > >
> > > Curre
On Tue, Mar 14, 2017 at 08:29:00PM +, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
> > Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
> >
> > Currently if you install a minimal-ish, non-"Virtualization Host"
> > Fedora, then the permi
On 03/14/2017 05:18 PM, Dusty Mabe wrote:
>
> On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
>>
>> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
I guess if you volume/bind mount the device int
On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
>
>
> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>>
>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>>>
>>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>>> I guess if you volume/bind mount the device into the container you could
>>> see an iss
On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>
> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>>
>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>> I guess if you volume/bind mount the device into the container you could
>> see an issue,
>> but most containers that deal with /dev/kvm are going
On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>
>
> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
> I guess if you volume/bind mount the device into the container you could
> see an issue,
> but most containers that deal with /dev/kvm are going to be run as root,
> anyways.
I was running w
On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>
> I'm fuzzy about the issue faced with containers. Containers will usually
> have a separate /dev that is populated by the container mgmt engine (whether
> docker, libvirt, lxc or something else). That mgmt engine is responsible for
> setting p
On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
>> Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
>>
>> Currently if you install a minimal-ish, non-"Virtualization Host"
>> Fedora, then the permissions on the /dev/kv
On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
> Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
>
> Currently if you install a minimal-ish, non-"Virtualization Host"
> Fedora, then the permissions on the /dev/kvm device are:
>
> crw-------. 1 root root 10, 232 Mar
On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
> base RHEL install? Or something else?
Bleah yes I've been spending too long today doing RHEL security fixes.
I meant of course the base _Fedora_ install.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.r
Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
Currently if you install a minimal-ish, non-"Virtualization Host"
Fedora, then the permissions on the /dev/kvm device are:
crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
(I believe this is because of some kernel defaults for the de