everzakov
> If I understand correctly, the idea is that a runtime is expected to start an instance of `swtpm` behind the scenes, and wire up the result inside the container....
> 1. With that example runtime-spec config you shared, what would runc need to do from a high-level point of view? Is it a bind mount of the hostPath in...
> 2. My understanding is that we can create as many vTPMs on a host as we want, is this right? I'm not a DRA expert, but do all DRA...
Also, I think I need to test the whole solution with the use case where hostUsers=false in the pod spec. The logic should be the same as working with volumes. However, CDI...
> 1. I'm not sure what is the point of a hostPath in the json if we will create it with mknod just using the major/minor. What am I missing?...
> Also, I tried to mount the device and I have a "bug": > > 1. If I understand correctly, when the tpm2-tools package is installed on the host, >...
> But right, we can't mknod inside a userns (that is something the kernel imposes). So this needs more thought on who will create the device and how. It can't...
Hello, @rata! Sorry for the ping. Have you checked the vtpm runc tests? In short, in the hostUsers: false scenario the device should have 0666 permissions because uid/gid won't be changed for...
> I know that runc currently doesn't do an mknod if inside a userns. I wonder what happens, though, if the device is allowed in the devices cgroup and we...
> It doesn't have the privileges at that point, but runc forks several times and keeps a pipe open with itself, when it is running on the init userns. That...