From d5cfa386dde789a9fdfe288314474c5e84f23664 Mon Sep 17 00:00:00 2001 From: Dalton Durst Date: Thu, 4 Jan 2024 14:20:41 -0600 Subject: [PATCH] docker: Add troubleshooting for permission errors on /dev/kvm I got a `permission denied` error when trying to use the KVM fakemachine backend on a host. The Docker documentation indicates that "the docker container process runs with the supplementary groups looked up for the specified user," but I suspect this means the groups _inside_ the container are looked up. I added the owning group of `/dev/kvm` (which happened to be `kvm`) to the container and all is well. --- docker/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker/README.md b/docker/README.md index 7895a0e5..91597fd2 100644 --- a/docker/README.md +++ b/docker/README.md @@ -20,6 +20,8 @@ cd docker run --rm --interactive --tty --device /dev/kvm --user $(id -u) --workdir /recipes --mount "type=bind,source=$(pwd),destination=/recipes" --security-opt label=disable godebos/debos ``` +If debos fails to run the KVM fakemachine backend and the `/dev/kvm` device exists on your host, you may need to add the owning group of the device as a supplementary group of the container. This will work if `ls -l /dev/kvm` indicates that the owning group has read-write access to the device. Adding the supplementary group may be unsafe depending on the owning group of `/dev/kvm`, but it could be required depending on your login provider. To add the group, add `--group-add "$(stat -c '%g' /dev/kvm)"` to your `docker run` command before `godebos/debos`. See [Docker run reference -- Additional Groups](https://docs.docker.com/engine/reference/run/#additional-groups) for more information. + ## Container build To build the debos container image from current git branch: ```
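Review bot: The sentence "Adding the supplementary group may be unsafe depending on the owning group of `/dev/kvm`" in the added README paragraph does not say what to check or why, so a reader cannot act on it. Suggest stating that the container process gains that group's access to everything else it can reach, for example group-owned files under the `/recipes` bind mount, and asking readers to confirm with `stat -c '%G' /dev/kvm` that the owner is a dedicated group such as `kvm` before passing the numeric GID. The phrase "depending on your login provider" is also unclear; name the kind of setup where the host user's group membership is not enough. A short remark on why the numeric `%g` value is passed instead of the group name would help too, since the commit message suspects that group lookups happen inside the container, where the name may not exist.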