On Tue, Feb 25, 2014 at 07:11:00PM +0100, Lennart Poettering wrote:
> On Tue, 25.02.14 18:29, Djalal Harouni (tix...@opendz.org) wrote:
>
> > The detect_virtualization() logic is to test several mechanisms in order
> > to detect if we are in a container or a virtual machine. This implies that
> > these tests may fail at an undetermined point.
> >
> > An example: detect_container() needs privileges where detect_vm() does
> > not, perhaps there are other cases.
> >
> > Currently unprivileged code will fail in:
> > detect_virtualization() => detect_container() => running_in_chroot()
> >
> > This makes detect_virtualization() fail even for non-container machines,
> > which prevents detection of virtual machines. On the other hand,
> > unprivileged code is able to test the CPUID hypervisor bit without any
> > problem.
> >
> > Since we are dealing here with some test mechanisms, do not fail if
> > detect_container() returns an error, just continue with detect_vm() and
> > give a chance to detect_vm_cpuid() and detect_vm_dmi(), then report
> > errors if any.
>
> This would have the effect that we'd detect different things depending
> on whether we are called with or without privileges?
Hmm yes! The virtual machine detection doesn't need privileges, and the
files are world-readable. However the container detection needs privs!

> I am pretty sure that would be a very bad idea. We should always detect
> the same thing, though possibly fail with EPERM, never eat up the EPERM.
Thinking more about this, you are right! OK.

Hmm, currently EPERM is returned as expected!

> > This makes the "systemd-detect-virt" tool able to detect virtual machines
> > without any privileges.
>
> systemd-detect-virt uses fs caps to get the necessary caps to work
> correctly even without privs.
Yes, I saw it now, cap_dac_override handles this! Sorry for the noise...

> Also, we are exposing "Virtualization" as a bus property on the manager
> object of PID 1, so that anyone can query this without the need for
> privs.
Yes, thanks!

> Lennart
>
> --
> Lennart Poettering, Red Hat

-- 
Djalal Harouni
http://opendz.org
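The design point the two of them settle on above is worth seeing side by side in code: a probe that needs privileges must return its permission error, not be skipped, otherwise the result of detect_virtualization() depends on who is asking. The following is an added example written for this page, not systemd's code and not code either participant posted. The probe names mirror the ones named in the thread but are fresh reimplementations; detect_virtualization_strict(), detect_virtualization_lenient() and the stub_* functions are hypothetical names invented here. It assumes an x86 build for the CPUID probe (other architectures report "none") and a Linux /proc; stat() on /proc/1/root fails for an unprivileged caller with a permission error (EACCES in practice, which is the "EPERM" Lennart is talking about loosely).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Convention shared by every probe below (hypothetical names, not systemd's):
 * a negative -errno on error, 0 for "not detected", positive for "detected". */
enum { VIRT_NONE = 0, VIRT_VM = 1, VIRT_CONTAINER = 2 };

/* Unprivileged probe: CPUID leaf 1 sets ECX bit 31 ("hypervisor present")
 * when running under a hypervisor. No files or capabilities are involved. */
int detect_vm_cpuid(void)
{
#if defined(__x86_64__) || defined(__i386__)
        unsigned eax, ebx, ecx, edx;
        if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
                return VIRT_NONE;               /* leaf 1 unavailable: treat as bare metal */
        return (ecx & (1u << 31)) ? VIRT_VM : VIRT_NONE;
#else
        return VIRT_NONE;                       /* no CPUID on this architecture (assumption) */
#endif
}

/* Privileged probe: compare PID 1's root with our own root. stat() on
 * /proc/1/root fails with a permission error (EACCES in practice) unless the
 * caller is root or holds CAP_DAC_OVERRIDE, which is exactly where the
 * unprivileged caller in the thread failed. The error is returned, not eaten. */
int running_in_chroot(void)
{
        struct stat a, b;
        if (stat("/proc/1/root", &a) < 0)
                return -errno;
        if (stat("/", &b) < 0)
                return -errno;
        return (a.st_dev != b.st_dev || a.st_ino != b.st_ino) ? VIRT_CONTAINER : VIRT_NONE;
}

typedef int (*probe_fn)(void);

/* The behaviour the thread settles on: an error from the container probe is
 * passed through unchanged, so the answer never depends on the caller's privileges. */
int detect_virtualization_strict(probe_fn container, probe_fn vm)
{
        int r = container();
        if (r != VIRT_NONE)
                return r;                       /* -errno or VIRT_CONTAINER */
        return vm();
}

/* The behaviour the original proposal would have introduced: the error is
 * dropped and the VM probes run anyway, so an unprivileged caller inside a
 * container is told "vm" or "none" while a privileged one is told "container". */
int detect_virtualization_lenient(probe_fn container, probe_fn vm)
{
        int r = container();
        if (r > 0)
                return r;
        return vm();                            /* r < 0 silently discarded */
}

/* Constructed stand-ins for the probes, so both policies can be compared
 * deterministically without root (hypothetical, for this example only). */
int stub_container_eperm(void) { return -EPERM; }
int stub_container_yes(void)   { return VIRT_CONTAINER; }
int stub_container_no(void)    { return VIRT_NONE; }
int stub_vm_yes(void)          { return VIRT_VM; }

int main(void)
{
        int r;

        r = detect_virtualization_strict(stub_container_eperm, stub_vm_yes);
        printf("strict,  unprivileged caller: %d (%s)\n", r, r < 0 ? strerror(-r) : "ok");
        r = detect_virtualization_lenient(stub_container_eperm, stub_vm_yes);
        printf("lenient, unprivileged caller: %d (claims a VM despite the error)\n", r);

        /* The real probes, on this machine and with this caller's privileges. */
        r = detect_virtualization_strict(running_in_chroot, detect_vm_cpuid);
        if (r < 0)
                printf("real probes: error %s\n", strerror(-r));
        else
                printf("real probes: %s\n",
                       r == VIRT_VM ? "vm" : r == VIRT_CONTAINER ? "container" : "none");
        return 0;
}
```

Run it once as an ordinary user and once as root (or with cap_dac_override on the binary, which is how systemd-detect-virt is made to work unprivileged): the strict policy reports the permission error to the user and the real answer to root, whereas the lenient one gives the user a confident but possibly wrong "vm"/"none".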