krun seems to require either an ACL set on /dev/kvm to run as a non-root user (or a+rw/666).
With basic access permissions via the kvm group, podman fails to launch:
$ groups | grep kvm
pi adm dialout cdrom sudo audio video plugdev games users netdev gpio i2c spi render kvm input
$ ls -l /dev/kvm
crw-rw---- 1 root kvm 10, 232 Oct 11 15:52 /dev/kvm
$ podman run --rm -it --runtime=krun alpine
thread '<unnamed>' panicked at src/vmm/src/linux/vstate.rs:445:30:
Error creating the Kvm object: Error(13)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 2440797440, aborting
Adding user access rights enables podman to work exactly once; the ACLs are reset afterwards:
$ sudo setfacl -m "u:pi:rw" /dev/kvm
[sudo] password for pi:
$ ls -l /dev/kvm
crw-rw----+ 1 root kvm 10, 232 Oct 11 15:59 /dev/kvm
$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:pi:rw-
group::rw-
mask::rw-
other::---
$ podman run --rm -it --runtime=krun alpine
/ #
$ ls -l /dev/kvm
crw-rw----+ 1 root kvm 10, 232 Oct 11 16:08 /dev/kvm
$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
mask::rw-
other::---
$ podman run --rm -it --runtime=krun alpine
thread '<unnamed>' panicked at src/vmm/src/linux/vstate.rs:445:30:
Error creating the Kvm object: Error(13)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 2952903936, aborting
Machines tested on:
- Raspberry Pi CM4 (Trixie): no ACL by default, ACL reset after execution.
  krun version 1.24.0.0.0.17-15f8
  commit: 15f855f
- Arch Linux: no ACL but 666 permissions. Changing to 660 requires an ACL as well, but it does not reset after execution.
- Pi CM5 (bookworm): default ACL (for unknown reasons), no issues at all
Additional info: this seems to be krun- and/or podman-related; the chroot_vm example included in libkrun works with group permissions only.
Not sure if there's anything wrong with krun per se, but would appreciate some documentation of the required permissions.
For someone unaware of ACLs, it was kind of difficult to notice the difference between
crw-rw---- 1 root kvm 10, 232 Oct 11 15:52 /dev/kvm
crw-rw----+ 1 root kvm 10, 232 Oct 11 16:08 /dev/kvm
when most documentation only refers to being member of the kvm group.
(See my confusion in containers/libkrun#420)
I'll gladly continue debugging if you consider the reset of ACLs an issue in itself.
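An added example, not code from the report or from libkrun, that applies the POSIX ACL evaluation order of acl(5) to the two getfacl listings above (constructed here inline as sample input). The user, group and permission names are taken from the report; the check assumes the kvm group is actually among the supplementary groups of the process that opens the device.

```python
# Added example: evaluate who may open a device node under its POSIX ACL, in the
# order acl(5) gives: owner, named user (limited by mask), groups, then "other".
from dataclasses import dataclass

@dataclass
class Acl:
    owner: str
    group: str
    entries: list  # (tag, qualifier, perms) in getfacl order

def parse_getfacl(text):
    """Parse the long text form printed by getfacl(1)."""
    owner = group = ""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "getfacl")):
            tag, qual, perms = line.split("#")[0].strip().split(":")  # drop "#effective:"
            entries.append((tag, qual, frozenset(perms.replace("-", ""))))
    return Acl(owner, group, entries)

def allowed(acl, user, groups, want):
    """May `user`, whose process carries `groups`, open with `want` ('r', 'w' or 'rw')?"""
    need = frozenset(want)
    mask = next((p for t, _, p in acl.entries if t == "mask"), None)
    masked = lambda perms: need <= perms and (mask is None or need <= mask)
    group_matched = False
    for tag, qual, perms in acl.entries:
        if tag == "user" and qual == "" and user == acl.owner:
            return need <= perms              # owner entry: the mask does not apply
        if tag == "user" and qual == user:
            return masked(perms)              # named user entry, e.g. user:pi:rw-
        if tag == "group" and (qual or acl.group) in groups:
            group_matched = True
            if need <= perms:
                return masked(perms)          # first group entry that suffices wins
        if tag == "other":
            return (not group_matched) and need <= perms
    return False

# Sample input constructed from the two listings in the report (with and
# without the user:pi:rw- entry added by setfacl).
HEADER = "# owner: root\n# group: kvm\n"
ACL_WITH_USER_ENTRY = parse_getfacl(HEADER + "user::rw-\nuser:pi:rw-\ngroup::rw-\nmask::rw-\nother::---")
ACL_GROUP_ONLY = parse_getfacl(HEADER + "user::rw-\ngroup::rw-\nmask::rw-\nother::---")
```

With the group-only listing the check still grants pi read/write, so a process denied there is one that does not carry the kvm group at the moment it opens /dev/kvm. The report does not establish where that happens; it is the hypothesis worth checking in the container runtime.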