Closed infinnovation-dev closed 3 years ago
I agree a more robust test would be great -- my only concern is that we need to also ensure the test ensures our cgroup has access, which I think is possibly harder than just test -r? (not sure)
Just to come back and confirm my suspicions here:
$ docker run --rm -v /dev/kvm:/kvm:ro bash test -w /kvm; echo $?
0
(Both test -r and test -w are insufficient :disappointed:)
Here's an idea that might work, but I have no idea how abusive this is to this kernel interface: :weary:
$ docker run --rm -v /dev/kvm:/kvm bash -c 'echo -n > /kvm'; echo $?
bash: line 1: /kvm: Operation not permitted
1
$ docker run --rm --device /dev/kvm:/kvm bash -c 'echo -n > /kvm'; echo $?
0
Reading through https://lwn.net/Articles/658511/, this seems pretty sane -- thanks for filing the issue, and sorry it took me so long to find a better solution! :sweat_smile:
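The open-for-write probe from the comments above, wrapped as a reusable check; this is an added example, not code from the thread or the project, and the function names kvm_usable and qemu_accel_args are hypothetical. It also rejects paths that are not character devices and takes the device path as an argument so it can be exercised without /dev/kvm.

```shell
#!/bin/sh
# Added example: decide whether KVM acceleration can really be used,
# instead of trusting test -e / test -r / test -w on the device node.

# kvm_usable [PATH]
# Returns 0 only if PATH is a character device that can actually be
# opened read-write. test -r and test -w never open the node, so they
# succeed on a bind-mounted /dev/kvm that the device cgroup will refuse
# ("Operation not permitted"). An open attempt also fails cleanly when
# an unprivileged user lacks permission on the node.
kvm_usable() {
    dev="${1:-/dev/kvm}"

    # A regular file or directory mounted at the path must not count.
    [ -c "$dev" ] || return 1

    # Open read-write without writing any bytes. The subshell closes the
    # descriptor again immediately and keeps the shell's error message
    # off the caller's stderr.
    ( exec 3<>"$dev" ) 2>/dev/null
}

# qemu_accel_args [PATH]
# Prints -enable-kvm when the device is usable, nothing otherwise, so a
# launcher can splice the output into the QEMU command line.
qemu_accel_args() {
    if kvm_usable "${1:-/dev/kvm}"; then
        printf '%s\n' "-enable-kvm"
    fi
}
```
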
If running as a non-privileged user, e.g. using singularity or (untested) podman rather than docker, and /dev/kvm has restricted permissions, the test on the existence of /dev/kvm may lead start-qemu to set the -enable-kvm flag which then doesn't work. Perhaps
would be better?