
krun requires permissions beyond group access on /dev/kvm

Open sgsaenger opened this issue 3 months ago • 1 comment

krun seems to require either an ACL set on /dev/kvm to run as a non-root user (or a+rw/666).

With basic access permissions via the kvm group, podman fails to launch:

$ groups | grep kvm
pi adm dialout cdrom sudo audio video plugdev games users netdev gpio i2c spi render kvm input

$ ls -l /dev/kvm
crw-rw---- 1 root kvm 10, 232 Oct 11 15:52 /dev/kvm

$ podman run --rm -it --runtime=krun alpine

thread '<unnamed>' panicked at src/vmm/src/linux/vstate.rs:445:30:
Error creating the Kvm object: Error(13)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 2440797440, aborting

Adding user access rights enables podman to work exactly once; the ACLs are reset afterwards:

$ sudo setfacl -m "u:pi:rw" /dev/kvm
[sudo] password for pi:

$ ls -l /dev/kvm
crw-rw----+ 1 root kvm 10, 232 Oct 11 15:59 /dev/kvm

$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:pi:rw-
group::rw-
mask::rw-
other::---

$ podman run --rm -it --runtime=krun alpine
/ #

$ ls -l /dev/kvm
crw-rw----+ 1 root kvm 10, 232 Oct 11 16:08 /dev/kvm

$ getfacl /dev/kvm
getfacl: Removing leading '/' from absolute path names
# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
mask::rw-
other::---

$ podman run --rm -it --runtime=krun alpine

thread '<unnamed>' panicked at src/vmm/src/linux/vstate.rs:445:30:
Error creating the Kvm object: Error(13)
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 2952903936, aborting

Machines tested on:

  • Raspberry Pi CM4 (Trixie): no ACL by default, ACL reset after execution. krun version 1.24.0.0.0.17-15f8, commit: 15f855fa22ffdf89fbed2fb6bfddab847d8737d1
  • Arch Linux: no ACL, but 666 permissions. Changing to 660 requires an ACL as well, but it does not reset after execution
  • Pi CM5 (bookworm): default ACL (for unknown reasons), no issues at all

Additional info: this seems to be krun- and/or podman-related; the chroot_vm example included in libkrun works with group permissions only.

I'm not sure if there's anything wrong with krun per se, but I would appreciate some documentation of the required permissions. For someone unaware of ACLs, it was kind of difficult to notice the difference between

crw-rw---- 1 root kvm 10, 232 Oct 11 15:52 /dev/kvm
crw-rw----+ 1 root kvm 10, 232 Oct 11 16:08 /dev/kvm

when most documentation only refers to being a member of the kvm group. (See my confusion in https://github.com/containers/libkrun/issues/420)

I'll gladly continue debugging, if you consider the reset of ACLs an issue in itself.

sgsaenger, Oct 11 '25 14:10
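A small diagnostic script, added here as an example and not code from libkrun, crun or podman, that makes the distinction described in the report visible: it parses the trailing `+` ACL marker in `ls -l` output and the named-user entry in `getfacl` output (the sample strings are copied from the transcripts above, plus one constructed ACL whose mask cuts the named-user entry down to read-only), and can run the same checks live against a device node. The function names and the `KVM_CHECK_LIVE`/`KVM_DEV` variables are my own choices, not anything the projects define.

```sh
#!/bin/sh
# Added diagnostic for /dev/kvm access; not part of libkrun, crun or podman.
# It separates the three things the kernel checks when a process opens the
# device node: the mode bits, the process's group list, and POSIX ACL entries
# (the '+' at the end of the ls -l mode column that is easy to overlook).

# Constructed samples, copied from the ls -l / getfacl output in the issue.
SAMPLE_LS_PLAIN='crw-rw---- 1 root kvm 10, 232 Oct 11 15:52 /dev/kvm'
SAMPLE_LS_ACL='crw-rw----+ 1 root kvm 10, 232 Oct 11 16:08 /dev/kvm'
SAMPLE_FACL_WITH='# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:pi:rw-
group::rw-
mask::rw-
other::---'
SAMPLE_FACL_WITHOUT='# file: dev/kvm
# owner: root
# group: kvm
user::rw-
group::rw-
mask::rw-
other::---'
# Constructed (not from the issue): the named-user entry exists, but the mask
# limits it to read-only, so it no longer grants write access.
SAMPLE_FACL_MASKED='# file: dev/kvm
# owner: root
# group: kvm
user::rw-
user:pi:rw-
group::rw-
mask::r--
other::---'

# mode_has_acl "<ls -l line>": true when the mode column ends in '+', i.e. the
# node carries extended ACL entries beyond the owner/group/other bits.
mode_has_acl() {
    case "$(printf '%s\n' "$1" | awk '{print $1}')" in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# mode_group_rw "<ls -l line>": true when the group triplet (chars 5-6) is rw.
mode_group_rw() {
    case "$(printf '%s\n' "$1" | awk '{print $1}' | cut -c5-6)" in
        rw) return 0 ;;
        *)  return 1 ;;
    esac
}

# acl_user_entry "<getfacl output>" "<user>": print the named-user entry
# (e.g. user:pi:rw-), or fail when there is none.
acl_user_entry() {
    printf '%s\n' "$1" | awk -F: -v u="$2" \
        '$1 == "user" && $2 == u { print; found = 1; exit } END { exit !found }'
}

# acl_grants_rw "<getfacl output>" "<user>": a named-user entry only grants
# what the mask entry also allows, so check both before trusting the ACL.
acl_grants_rw() {
    entry=$(acl_user_entry "$1" "$2") || return 1
    perms=${entry##*:}
    mask=$(printf '%s\n' "$1" | awk -F: '$1 == "mask" { print $3; exit }')
    [ -n "$mask" ] || mask=rwx            # no mask line: entry applies as written
    case "$perms" in rw*) ;; *) return 1 ;; esac
    case "$mask"  in rw*) ;; *) return 1 ;; esac
    return 0
}

# diagnose_live [device]: the same checks against a real node, for the calling
# user. Returns 0 when access(2) grants read/write, 1 when it does not (open(2)
# then fails with EACCES, errno 13, the "Error(13)" in the panic above), 2 when
# the node is absent.
diagnose_live() {
    dev=${1:-/dev/kvm}
    user=$(id -un)
    [ -e "$dev" ] || { echo "$dev: not present"; return 2; }
    ls_line=$(ls -l "$dev")
    echo "$ls_line"
    grp=$(printf '%s\n' "$ls_line" | awk '{print $4}')
    # id -nG lists the groups of this process, which is what the kernel checks;
    # a group added with usermod only shows up after a fresh login.
    if id -nG | tr ' ' '\n' | grep -qx "$grp"; then
        if mode_group_rw "$ls_line"; then gbits=grants; else gbits=denies; fi
        echo "process is in group $grp, and the group triplet $gbits rw"
    else
        echo "process is NOT in group $grp"
    fi
    if mode_has_acl "$ls_line"; then
        facl=$(getfacl -p "$dev" 2>/dev/null)   # -p keeps absolute path names
        if acl_grants_rw "$facl" "$user"; then
            echo "ACL: effective named-user entry grants rw to $user"
        else
            echo "ACL present, but no effective rw entry for $user"
        fi
    else
        echo "no ACL entries on $dev (plain mode bits only)"
    fi
    if [ -r "$dev" ] && [ -w "$dev" ]; then
        echo "access(2): $user can open $dev read/write"
    else
        echo "access(2): $user cannot open $dev read/write (EACCES, errno 13)"
        return 1
    fi
}

# Only touch the real device when asked, so the parsers can be exercised on
# the samples on a machine without KVM.
if [ "${KVM_CHECK_LIVE:-0}" = 1 ]; then
    diagnose_live "${KVM_DEV:-/dev/kvm}"
fi
```

Saved as, say, kvm-access-check.sh, `KVM_CHECK_LIVE=1 sh kvm-access-check.sh` prints the group, ACL and access(2) verdicts for the current shell, and `setfacl`/`getfacl` output can be fed to the parsers before and after a `podman run` to confirm whether the named-user entry survived. The live check answers only for the shell it runs in: rootless podman starts the runtime inside a user namespace with a different uid/gid view and, by default, without the caller's supplementary groups (podman-run(1) documents `--group-add keep-groups` for passing them through), so a pass here does not by itself show that krun under podman will succeed, and whether that is the factor behind the behaviour reported above is not established in this thread.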

@slp PTAL

giuseppe, Oct 17 '25 16:10