CC'ing the bug again to have a more permanent record of the
discussion. I hope it is ok for you?
TJ [2008-09-04 18:20 +0100]:
> I've finished a sys file-system patch for kvm and qemu that continues to
> support the legacy /proc/ and /dev/ device lists. It is based on a patch
> in the Novell bug-tracker but doesn't rip out legacy support.
What does that mean? I hope not that kvm/qemu are supposed to directly
access USB devices through /sys? (that would be EBW).
> The USB devices in /dev/bus/usb/*/* have root:root permissions.
... by default. E. g. scanners and cameras get ACLs assigned to them
by hal/consolekit, so that the currently active local user session can
access those as well.
> Obviously it wouldn't be a great idea to have VMs running as root so I
> was looking for an existing group that might be used to modify those
> permissions so that kvm/qemu can obtain read/write access to the
> devices. Without it USB support fails.
>
> Matt Zimmerman pointed out 'plugdev' is being deprecated and I didn't
> want to use 'kvm' as that is package-specific.
So please don't proliferate groups too much. 'kvm' should ideally
disappear as well eventually.
The current two recommended possibilities for providing device access
are:
- Provide a backend running as root (which can access the devices),
expose the backend functionality through a D-BUS API (well, could
be IP or something else as well, but D-BUS is very convenient), and
control access to the backend through PolicyKit. Then device access
can be configured with polkit-gnome-authorization (with defaulting
to something sane, like "local users only"). That's the way e. g.
mounting internal hard drives through hal works.
- For pure client-side programs, use the hal ACL management facility:
/usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi
/usr/share/PolicyKit/policy/org.freedesktop.hal.device-access.policy
The FDI configures which device classes get ACL controlled, and
assigns access_control.type. The .policy maps that type to a
PolicyKit privilege, and assigns the default rights.
Please let me know if either of those options are feasible for you.
If you really must use a group for now, then I suppose you coordinate
with Soren, to use a more generic group name than 'kvm'. 'plugdev' is
not appropriate at all, it is meant for hotpluggable block devices,
not virtualization hypervisor access.
Hi TJ,
CC'ing the bug again to have a more permanent record of the
discussion. I hope it is ok for you?
TJ [2008-09-04 18:20 +0100]:
> I've finished a sys file-system patch for kvm and qemu that continues to
> support the legacy /proc/ and /dev/ device lists. It is based on a patch
> in the Novell bug-tracker but doesn't rip out legacy support.
What does that mean? I hope not that kvm/qemu are supposed to directly
access USB devices through /sys? (that would be EBW).
> The USB devices in /dev/bus/usb/*/* have root:root permissions.
... by default. E. g. scanners and cameras get ACLs assigned to them
by hal/consolekit, so that the currently active local user session can
access those as well.
> Obviously it wouldn't be a great idea to have VMs running as root so I
> was looking for an existing group that might be used to modify those
> permissions so that kvm/qemu can obtain read/write access to the
> devices. Without it USB support fails.
>
> Matt Zimmerman pointed out 'plugdev' is being deprecated and I didn't
> want to use 'kvm' as that is package-specific.
In fact we want to completely deprecate the (ab)use of groups for /wiki.ubuntu. com/DesktopTeam /Specs/ Intrepid/ DevicePermissio ns
device access:
https:/
So please don't proliferate groups too much. 'kvm' should ideally
disappear as well eventually.
The current two recommended possibilities for providing device access
are:
- Provide a backend running as root (which can access the devices), gnome-authoriza tion (with defaulting
expose the backend functionality through a D-BUS API (well, could
be IP or something else as well, but D-BUS is very convenient), and
control access to the backend through PolicyKit. Then device access
can be configured with polkit-
to something sane, like "local users only"). That's the way e. g.
mounting internal hard drives through hal works.
- For pure client-side programs, use the hal ACL management facility: share/hal/ fdi/policy/ 10osvendor/ 20-acl- management. fdi share/PolicyKit /policy/ org.freedesktop .hal.device- access. policy
/usr/
/usr/
The FDI configures which device classes get ACL controlled, and control. type. The .policy maps that type to a
assigns access_
PolicyKit privilege, and assigns the default rights.
Please let me know if either of those options are feasible for you.
If you really must use a group for now, then I suppose you coordinate
with Soren, to use a more generic group name than 'kvm'. 'plugdev' is
not appropriate at all, it is meant for hotpluggable block devices,
not virtualization hypervisor access.
Martin
-- www.piware. de
Martin Pitt | http://
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)