[systemd-devel] [PATCH resend] virt: detect_virtualization() do not abort on errors
tixxdz at opendz.org
Tue Feb 25 13:14:42 PST 2014
On Tue, Feb 25, 2014 at 07:11:00PM +0100, Lennart Poettering wrote:
> On Tue, 25.02.14 18:29, Djalal Harouni (tixxdz at opendz.org) wrote:
> > The detect_virtualization() logic is to test several mechanisms in order
> > to detect if we are in a container or a virtual machine. This implies that
> > these tests may fail at an undetermined point.
> > An example: detect_container() needs privileges where detect_vm() does
> > not, perhaps there are other cases.
> > Currently unprivileged code will fail in:
> > detect_virtualization() => detect_container() => running_in_chroot()
> > This makes detect_virtualization() fail even for non container machines
> > which prevents detection of virtual machines. Where in the other hand
> > unprivileged code is able to test the CPUID hypervisor bit without any
> > problem.
> > Since we are dealing here with some test mechanisms, then do not fail if
> > detect_container() returns error, just continue with detect_vm() and
> > give a chance to detect_vm_cpuid() and detect_vm_dmi(), then report
> > errors if any.
> This would have the effect that we'd detect different things depending
> on whether we are called with or without priviliges?
Hmm yes! the virtual machine detection doesn't need privileges, and the
files are worldreadable. However the container needs privs!
> I am pretty sure that would be a very bad idea. We should always detect
> the same thing, though possibly fail with EPERM, never eat up the EPERM.
Thinking more about this you are right! ok.
Hmm , currently EPERM is returned as expected!
> > This makes "systemd-detect-virt" tool able to detect virtual machines
> > without any privileges.
> systemd-detect-virt uses fs caps to get the necessary caps to work
> correctly even without privs.
Yes I saw it now, cap_dac_override handles this! sorry for the noise...
> Also, we are exposing "Virtualization" as bus property on the manager
> object of PID 1, so that anyone cast query this without the need for
> Lennart Poettering, Red Hat
More information about the systemd-devel