On 03/15/2017 11:49 AM, Daniel P. Berrange wrote:
> On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote:
>>
>>
>> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
>>>
>>> Sure, if udev maintainers are willing to ship the kvm rule by default,
>>> that's fine with me for reason you
As part of the discussion at the systemd bugtracker [1], people from
Debian said that they prefer 0660 mode, group kvm, because this limits
the exposure to kernel bugs in the kvm module. Those are not frequent,
but they do happen, so it's hard to argue that this increases security at
least a bit.
On 03/15/2017 11:49 AM, Daniel P. Berrange wrote:
> On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote:
>>
>> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
>>> Sure, if udev maintainers are willing to ship the kvm rule by default,
>>> that's fine with me for reason you suggest. I
On Wed, Mar 15, 2017 at 11:32:35AM -0400, Dusty Mabe wrote:
>
>
> On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
> >
> > Sure, if udev maintainers are willing to ship the kvm rule by default,
> > that's fine with me for reason you suggest. I simply don't think it'll
> > have any effect on
On 03/15/2017 05:17 AM, Daniel P. Berrange wrote:
>
> Sure, if udev maintainers are willing to ship the kvm rule by default,
> that's fine with me for reason you suggest. I simply don't think it'll
> have any effect on usage of /dev/kvm inside containers
>
Does that mean you assume my
On 03/15/2017 05:27 AM, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote:
>>
>> On 03/14/2017 05:18 PM, Dusty Mabe wrote:
>>> On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
On 03/14/2017 05:02 PM, Dusty Mabe wrote:
> On 03/14/2017 04:56 PM,
On Tue, Mar 14, 2017 at 05:35:54PM -0400, Daniel J Walsh wrote:
>
>
> On 03/14/2017 05:18 PM, Dusty Mabe wrote:
> >
> > On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
> >>
> >> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
> >>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
> On 03/14/2017 04:29
On Tue, Mar 14, 2017 at 11:38:51PM +, Zbigniew Jędrzejewski-Szmek wrote:
> On Tue, Mar 14, 2017 at 08:29:00PM +, Daniel P. Berrange wrote:
> > On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
> > > Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
> > >
> > >
On Tue, Mar 14, 2017 at 08:29:00PM +, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
> > Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
> >
> > Currently if you install a minimal-ish, non-"Virtualization Host"
> > Fedora, then the
On 03/14/2017 05:18 PM, Dusty Mabe wrote:
>
> On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
>>
>> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
I guess if you volume/bind mount the device
On 03/14/2017 05:15 PM, Daniel J Walsh wrote:
>
>
> On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>>
>> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>>>
>>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>>> I guess if you volume/bind mount the device into the container you could
>>> see an
On 03/14/2017 05:02 PM, Dusty Mabe wrote:
>
> On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>>
>> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>> I guess if you volume/bind mount the device into the container you could
>> see an issue,
>> but most containers that deal with /dev/kvm are
On 03/14/2017 04:56 PM, Daniel J Walsh wrote:
>
>
> On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
> I guess if you volume/bind mount the device into the container you could
> see an issue,
> but most containers that deal with /dev/kvm are going to be run as root,
> anyways.
I was running
On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
>
> I'm fuzzy about the issue faced with containers. Containers will usually
> have a separate /dev that is populated by the container mgmt engine (whether
> docker, libvirt, lxc or something else). That mgmt engine is responsible for
> setting
On 03/14/2017 04:29 PM, Daniel P. Berrange wrote:
> On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
>> Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
>>
>> Currently if you install a minimal-ish, non-"Virtualization Host"
>> Fedora, then the permissions on the
On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
> Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
>
> Currently if you install a minimal-ish, non-"Virtualization Host"
> Fedora, then the permissions on the /dev/kvm device are:
>
> crw-------. 1 root root 10, 232 Mar
On Tue, Mar 14, 2017 at 08:09:00PM +, Richard W.M. Jones wrote:
> base RHEL install? Or something else?
Bleah, yes, I've been spending too long today doing RHEL security fixes.
I meant of course the base _Fedora_ install.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
Re: https://bugzilla.redhat.com/show_bug.cgi?id=1431876
Currently if you install a minimal-ish, non-"Virtualization Host"
Fedora, then the permissions on the /dev/kvm device are:
crw-------. 1 root root 10, 232 Mar 14 15:51 /dev/kvm
(I believe this is because of some kernel defaults for the