Bug#887852: /dev/kvm is no longer accessible to local users
Hi!

I did some further digging in git and here's what I found:

In systemd 235, these two rules managed /dev/kvm:

    50-udev-default.rules.in:
        KERNEL=="kvm", GROUP="kvm", MODE="@DEV_KVM_MODE@"
        https://github.com/systemd/systemd/blob/v235/rules/50-udev-default.rules.in#L78

    70-uaccess.rules:
        SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"
        https://github.com/systemd/systemd/blob/v235/src/login/70-uaccess.rules#L49

Upstream commit b8fd3d82205f632ce001fade74fed287e1564a1a (part of PR 7112) removed the KVM related bits from the second file, but changed the default value for @DEV_KVM_MODE@ from 0660 to 0666.

Unfortunately Debian has been removing the KVM related bits from the first file for some time now, see

    https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/patches/debian/Avoid-requiring-a-kvm-system-group.patch

The result is that in Debian there is now no systemd-owned udev rule managing /dev/kvm. This causes the regression that logind no longer grants access to /dev/kvm to local users.

Personally, I think that Debian should remove the patch mentioned above, make kvm a static system group, and remove the udev rule from QEMU since there *are* other users of /dev/kvm (e.g. kvmtool, which doesn't ship a udev rule). Then, choose a value for the 'dev-kvm-mode' meson build option of systemd. I like the upstream default, but there is Debian bug #640328. But then again, this was in 2011.

So, ultimately this is a maintainer decision, I just wanted to warn you that people might trip over this on stretch -> buster upgrades!

Best regards

Alexander Kurtz
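Added example (not part of the message above, and not code from systemd, QEMU or Debian): a small audit helper that works out which of the three things discussed in this thread, group, mode and the "uaccess" tag, a given set of udev rule files assigns to /dev/kvm. It assumes a simplified udev model: only the KERNEL and SUBSYSTEM match keys are known, files apply in lexical order of name, and GOTO/LABEL and final-assignment semantics are ignored. The names kvm_policy, rule_matches, UPSTREAM_235 and DEBIAN_236 are hypothetical, and the sample rule sets are constructed from the rule lines quoted in the thread, with @DEV_KVM_MODE@ expanded to the old default 0660.

```python
import fnmatch
import re

# One udev token: KEY, operator, quoted value, e.g. KERNEL=="kvm" or TAG+="uaccess".
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')
KVM_DEVICE = {"KERNEL": "kvm", "SUBSYSTEM": "misc"}  # assumed model of /dev/kvm


def rule_matches(tokens, device):
    """True if every ==/!= token of the rule holds for the device."""
    for key, op, value in tokens:
        if op not in ("==", "!="):
            continue
        if key not in device:
            return False  # match key outside this simplified model
        hit = any(fnmatch.fnmatchcase(device[key], p) for p in value.split("|"))
        if hit != (op == "=="):
            return False
    return True


def kvm_policy(rule_files):
    """Effective group, mode and uaccess tag for /dev/kvm; later files override."""
    policy = {"group": None, "mode": None, "uaccess": False}
    for name in sorted(rule_files):
        for line in rule_files[name].splitlines():
            if line.lstrip().startswith("#"):
                continue  # comment, including commented-out rules
            tokens = TOKEN.findall(line)
            if not tokens or not rule_matches(tokens, KVM_DEVICE):
                continue
            for key, op, value in tokens:
                if key == "GROUP" and op in ("=", ":="):
                    policy["group"] = value
                elif key == "MODE" and op in ("=", ":="):
                    policy["mode"] = value
                elif key == "TAG" and op == "+=" and value == "uaccess":
                    policy["uaccess"] = True
    return policy


# Constructed rule sets, built from the rule lines quoted in the thread.
GROUP_RULE = 'KERNEL=="kvm", GROUP="kvm", MODE="0660"\n'
UACCESS_RULE = '# KVM\nSUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"\n'
UPSTREAM_235 = {"50-udev-default.rules": GROUP_RULE, "70-uaccess.rules": UACCESS_RULE}
DEBIAN_236 = {"60-qemu-system-common.rules": GROUP_RULE}

if __name__ == "__main__":
    print(kvm_policy(UPSTREAM_235), kvm_policy(DEBIAN_236))
```
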
Bug#887852: /dev/kvm is no longer accessible to local users
On Mon, 2018-01-22 at 17:50 +0100, Michael Biebl wrote:
> On Sat, 20 Jan 2018 18:21:33 +0100 Alexander Kurtz wrote:
> > Package: systemd
> > Version: 236-3
> >
> > Hi!
> >
> > Until recently, /dev/kvm was made accessible to local users by this
> > line in /lib/udev/rules.d/70-uaccess.rules:
> >
> >     # KVM
> >     SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"
> >
> > However, as of systemd 236, the above rule seems to be gone. After
> > reading up a bit on systemd's upstream and Debian bug tracker, I'm even
> > more confused than before: Which package is supposed to manage
> > permissions on /dev/kvm in Debian? Which package is supposed to create
> > the "kvm" group? Is the missing access for local users intentional?
>
> Isn't this set up by the qemu package in
> /lib/udev/rules.d/60-qemu-system-common.rules:KERNEL=="kvm",
> GROUP="kvm", MODE="0660"

Yes, but only partially: This is the full rule shipped by QEMU:

    $ cat /lib/udev/rules.d/60-qemu-system-common.rules
    KERNEL=="kvm", GROUP="kvm", MODE="0660"
    $

This rule only manages the basic group ownership and permissions. It does not add the "uaccess" tag, which is (presumably) used by logind to dynamically grant local users access via ACLs. This used to work before with systemd <236 and doesn't work now. Is this intentional?

Best regards

Alexander Kurtz
Bug#887852: /dev/kvm is no longer accessible to local users
On Sat, 20 Jan 2018 18:21:33 +0100 Alexander Kurtz wrote:
> Package: systemd
> Version: 236-3
>
> Hi!
>
> Until recently, /dev/kvm was made accessible to local users by this
> line in /lib/udev/rules.d/70-uaccess.rules:
>
>     # KVM
>     SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"
>
> However, as of systemd 236, the above rule seems to be gone. After
> reading up a bit on systemd's upstream and Debian bug tracker, I'm even
> more confused than before: Which package is supposed to manage
> permissions on /dev/kvm in Debian? Which package is supposed to create
> the "kvm" group? Is the missing access for local users intentional?

Isn't this set up by the qemu package in
/lib/udev/rules.d/60-qemu-system-common.rules:KERNEL=="kvm", GROUP="kvm", MODE="0660"

--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
Bug#887852: /dev/kvm is no longer accessible to local users
Package: systemd
Version: 236-3

Hi!

Until recently, /dev/kvm was made accessible to local users by this line in /lib/udev/rules.d/70-uaccess.rules:

    # KVM
    SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"

However, as of systemd 236, the above rule seems to be gone. After reading up a bit on systemd's upstream and Debian bug tracker, I'm even more confused than before: Which package is supposed to manage permissions on /dev/kvm in Debian? Which package is supposed to create the "kvm" group? Is the missing access for local users intentional?

Best regards

Alexander Kurtz