
mock should automatically mount /dev/kvm inside chroot (if exists)

Open ignatenkobrain opened this issue 5 years ago • 7 comments

Short description of the problem

When commands run in mock, it does not have /dev/kvm device which is handy

Output of rpm -q mock

mock-2.2-1.git.1.53ac2e0.fc33.noarch

Steps to reproduce issue

  1. mock -r epel-8-x86_64 --init
  2. mock -r epel-8-x86_64 --chroot -- file /dev/kvm

Any additional notes

Output of `mock --debug-config`

INFO: mock.py version 2.2 starting (python version = 3.8.2)... Start(bootstrap): init plugins INFO: selinux enabled Finish(bootstrap): init plugins Start: init plugins INFO: selinux enabled Finish: init plugins INFO: Signal handler active Start: run config_opts['bootstrap_image'] = 'fedora:rawhide' config_opts['build_log_fmt_str'] = '%(message)s' config_opts['cache_alterations'] = False config_opts['chroot_name'] = 'default' config_opts['chroot_setup_cmd'] = 'install @{% if mirrored %}buildsys-{% endif %}build' config_opts['cleanup_on_failure'] = False config_opts['cleanup_on_success'] = False config_opts['config_file'] = '/etc/mock/default.cfg' config_opts['config_path'] = '/etc/mock' config_opts['config_paths'] = ['/etc/mock/site-defaults.cfg', '/etc/mock/fedora-rawhide-x86_64.cfg', '/etc/mock/templates/fedora-rawhide.tpl', '/home/brain/.config/mock.cfg'] config_opts['dist'] = 'rawhide' config_opts['dnf.conf'] = ('\n' '[main]\n' 'keepcache=1\n' 'debuglevel=2\n' 'reposdir=/dev/null\n' 'logfile=/var/log/yum.log\n' 'retries=20\n' 'obsoletes=1\n' 'gpgcheck=0\n' 'assumeyes=1\n' 'syslog_ident=mock\n' 'syslog_device=\n' 'install_weak_deps=0\n' 'metadata_expire=0\n' 'best=1\n' 'module_platform_id=platform:f{{ releasever }}\n' 'protected_packages=\n' '\n' '{%- macro rawhide_gpg_keys() -%}\n' 'file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary\n' '{%- for version in [releasever|int, releasever|int - 1]\n' '%} file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-{{ ' 'version }}-primary\n' '{%- endfor %}\n' '{%- endmacro %}\n' '\n' '# repos\n' '\n' '[local]\n' 'name=local\n' 'baseurl=https://kojipkgs.fedoraproject.org/repos/rawhide/latest/$basearch/\n' 'cost=2000\n' 'enabled={{ not mirrored }}\n' 'skip_if_unavailable=False\n' '\n' '[local-source]\n' 'name=local-source\n' 'baseurl=https://kojipkgs.fedoraproject.org/repos/rawhide/latest/src/\n' 'cost=2000\n' 'enabled=0\n' 'skip_if_unavailable=False\n' '\n' '{% if mirrored %}\n' 
'[fedora]\n' 'name=fedora\n' 'metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide&arch=$basearch\n' 'gpgkey={{ rawhide_gpg_keys() }}\n' 'gpgcheck=1\n' 'skip_if_unavailable=False\n' '\n' '[fedora-debuginfo]\n' 'name=Fedora Rawhide - Debug\n' 'metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide-debug&arch=$basearch\n' 'enabled=0\n' 'gpgkey={{ rawhide_gpg_keys() }}\n' 'gpgcheck=1\n' 'skip_if_unavailable=False\n' '\n' '[fedora-source]\n' 'name=fedora-source\n' 'metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide-source&arch=$basearch\n' 'gpgkey={{ rawhide_gpg_keys() }}\n' 'gpgcheck=1\n' 'enabled=0\n' 'skip_if_unavailable=False\n' '\n' '# modular\n' '\n' '[rawhide-modular]\n' 'name=Fedora - Modular Rawhide - Developmental packages for the next Fedora ' 'release\n' 'metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide-modular&arch=$basearch\n' '# if you want to enable it, you should set best=0\n' '# see https://bugzilla.redhat.com/show_bug.cgi?id=1673851\n' 'enabled=0\n' 'gpgcheck=1\n' 'gpgkey={{ rawhide_gpg_keys() }}\n' 'skip_if_unavailable=False\n' '\n' '[rawhide-modular-debuginfo]\n' 'name=Fedora - Modular Rawhide - Debug\n' 'metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide-modular-debug&arch=$basearch\n' 'enabled=0\n' 'gpgcheck=1\n' 'gpgkey={{ rawhide_gpg_keys() }}\n' 'skip_if_unavailable=False\n' '\n' '[rawhide-modular-source]\n' 'name=Fedora - Modular Rawhide - Source\n' 'metalink=https://mirrors.fedoraproject.org/metalink?repo=rawhide-modular-source&arch=$basearch\n' 'enabled=0\n' 'gpgcheck=1\n' 'gpgkey={{ rawhide_gpg_keys() }}\n' 'skip_if_unavailable=False\n' '{% endif %}\n') config_opts['enable_disable_repos'] = [] config_opts['extra_chroot_dirs'] = ['/run/lock'] config_opts['files'] = {'etc/hosts': '127.0.0.1 localhost localhost.localdomain\n' '::1 localhost localhost.localdomain localhost6 ' 'localhost6.localdomain6\n'} config_opts['legal_host_arches'] = ('x86_64',) config_opts['macros'] = 
{'%_buildhost': 'konsky-localdomain', '%_netsharedpath': '/proc:/sys', '%_rpmfilename': '%%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm', '%_topdir': '/builddir/build'} config_opts['mirrored'] = True config_opts['nspawn_args'] = ['--capability=cap_ipc_lock', '--bind=/tmp/mock-resolv.7n85alvt:/etc/resolv.conf', '--bind=/dev/loop-control', '--bind=/dev/loop0', '--bind=/dev/loop1', '--bind=/dev/loop2', '--bind=/dev/loop3', '--bind=/dev/loop4', '--bind=/dev/loop5', '--bind=/dev/loop6', '--bind=/dev/loop7', '--bind=/dev/loop8', '--bind=/dev/loop9', '--bind=/dev/loop10', '--bind=/dev/loop11'] config_opts['plugin_conf'] = {'bind_mount_enable': True, 'bind_mount_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'create_dirs': False, 'dirs': [], 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'ccache_enable': False, 'ccache_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'compress': None, 'dir': '/var/cache/mock/fedora-rawhide-x86_64/ccache/u1000/', 'max_cache_size': '4G', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'chroot_scan_enable': False, 'chroot_scan_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'only_failed': True, 'regexes': ['^[^k]?core(\.\d+)?$', '\.log$'], 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'compress_logs_enable': False, 'compress_logs_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'command': 'gzip', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'hw_info_enable': True, 
'hw_info_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'lvm_root_enable': False, 'lvm_root_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'pool_name': 'mockbuild', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'mount_enable': False, 'mount_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'overlayfs_enable': False, 'overlayfs_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'package_state_enable': True, 'package_state_opts': {'available_pkgs': False, 'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'installed_pkgs': True, 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'pm_request_enable': False, 'pm_request_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'procenv_enable': False, 'procenv_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 
'root_cache_enable': True, 'root_cache_opts': {'age_check': True, 'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'compress_program': 'pigz', 'decompress_program': None, 'dir': '/var/cache/mock/fedora-rawhide-x86_64/root_cache/', 'exclude_dirs': ['./proc', './sys', './dev', './tmp/ccache', './var/cache/yum', './var/cache/dnf', './var/log'], 'extension': '.gz', 'max_age_days': 15, 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64', 'tar': 'gnutar'}, 'selinux_enable': True, 'selinux_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'sign_enable': False, 'sign_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'cmd': 'rpmsign', 'opts': '--addsign %(rpms)s', 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'tmpfs_enable': False, 'tmpfs_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'keep_mounted': False, 'max_fs_size': None, 'mode': '0755', 'required_ram_mb': 900, 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}, 'yum_cache_enable': True, 'yum_cache_opts': {'basedir': '/var/lib/mock/fedora-rawhide-x86_64', 'cache_topdir': '/var/cache/mock', 'cachedir': '/var/cache/mock/fedora-rawhide-x86_64', 'max_age_days': 30, 'max_metadata_age_days': 30, 'online': True, 'resultdir': '/var/lib/mock/fedora-rawhide-x86_64/result', 'root': 'fedora-rawhide-x86_64'}} config_opts['print_main_output'] = True config_opts['releasever'] = '33' config_opts['root'] = 'fedora-rawhide-{{ target_arch }}' 
config_opts['root_log_fmt_str'] = '%(levelname)s %(filename)s:%(lineno)d: %(message)s' config_opts['rpmbuild_arch'] = 'x86_64' config_opts['state_log_fmt_str'] = '%(asctime)s - %(message)s' config_opts['target_arch'] = 'x86_64' config_opts['verbose'] = 1

Having /dev/kvm inside chroot is very useful since tools like livemedia-creator can use it to speed up building of images quite significantly.

ignatenkobrain, Apr 26 '20 10:04

> Having /dev/kvm inside chroot is very useful since tools like livemedia-creator can use it to speed up building of images quite significantly.

It's a major security problem to expose /dev/kvm, which is why Mock doesn't. There are no production users of Lorax using the virt mode (Fedora doesn't, Red Hat doesn't, etc.). I'm not sure why you think it will speed up image builds, because the majority of the problem is that Anaconda is slow...

Conan-Kudo, Apr 26 '20 11:04

Well, in my case building image in virt mode without /dev/kvm is taking 35 minutes, with /dev/kvm it takes just 5 minutes.

> It's a major security problem to expose /dev/kvm, which is why Mock doesn't.

Mind explaining more?

ignatenkobrain, Apr 26 '20 13:04

/dev/kvm is privileged access to the CPU. You can do all kinds of crazy things with that, including environment breakout if you know what to do.

Conan-Kudo, Apr 26 '20 13:04

> There are no production users of Lorax using the virt mode (Fedora doesn't, Red Hat doesn't, etc.).

Oh, by the way this is not true. The imagefactory/oz is using virtual machines, so all Fedora Cloud images are using virtualization during image creation.

For example, https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/Rawhide/20200426.n.0/data/logs/image/oz-x86_64.log

ignatenkobrain, Apr 26 '20 13:04

😢

Conan-Kudo, Apr 26 '20 13:04

In any case, I would be satisfied if it would be possible to do so via some option. Unfortunately the bind_mount plugin is not capable of mounting to /dev/kvm (I guess because it is happening before /dev is set up), so I have to use some quirk like bind-mounting it to /devkvm and then from inside the chroot running `touch /dev/kvm && mount --bind /devkvm /dev/kvm`, which is horrible :)

ignatenkobrain, Apr 26 '20 13:04

Mock "pre bindmounts" stuff, before handing over the chroot to systemd-nspawn. And then systemd-nspawn overmounts certain directories (including /dev).

praiskup, May 04 '20 17:05
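The two-step workaround ignatenkobrain describes (stage the device through the bind_mount plugin, then re-bind it inside the chroot because, as praiskup explains, systemd-nspawn overmounts /dev after mock's pre-bindmounts) written out as an added example. This is not mock's own code and not code from the thread: it generates the config fragment in the documented bind_mount plugin format, a `(host_path, chroot_path)` tuple appended to `bind_mount_opts['dirs']`, and it first checks what the host's /dev/kvm actually is (the KVM misc character device, major 10 minor 232) and who can open it, so that exposing it to a build chroot is a deliberate choice rather than an accident. The staging path `/devkvm` and the helper names are this example's own choices.

```python
"""Opt-in /dev/kvm passthrough for a mock chroot via the bind_mount plugin.

Added example, not mock's own code. Assumes the bind_mount plugin's
(host_path, chroot_path) tuple format and that the caller re-binds the
staged node from inside the chroot after systemd-nspawn has set up /dev.
"""
import os
import shlex
import stat
from typing import Optional

# /dev/kvm is the "misc" character device with major 10, minor 232.
KVM_MAJOR, KVM_MINOR = 10, 232
# Staging path inside the chroot; hypothetical name chosen for this example.
STAGING_PATH = "/devkvm"


def describe_device(st_mode: int, st_rdev: int, st_gid: int) -> dict:
    """Classify a stat() result: is it the real KVM char device, and who can open it?"""
    is_char = stat.S_ISCHR(st_mode)
    major, minor = os.major(st_rdev), os.minor(st_rdev)
    return {
        "is_char": is_char,
        "major": major,
        "minor": minor,
        "is_kvm": is_char and (major, minor) == (KVM_MAJOR, KVM_MINOR),
        # Typical distro default is root:kvm 0660; world-writable would be a misconfiguration.
        "group_rw": bool(st_mode & stat.S_IRGRP) and bool(st_mode & stat.S_IWGRP),
        "world_rw": bool(st_mode & stat.S_IROTH) and bool(st_mode & stat.S_IWOTH),
        "gid": st_gid,
    }


def check_host_kvm(path: str = "/dev/kvm") -> Optional[dict]:
    """Return the device description, or None when the host has no KVM device node."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return describe_device(st.st_mode, st.st_rdev, st.st_gid)


def bind_mount_snippet(host_path: str = "/dev/kvm", chroot_path: str = STAGING_PATH) -> str:
    """Python fragment to append to ~/.config/mock.cfg (mock configs are Python).

    The device is staged at chroot_path, not /dev/kvm, because nspawn
    overmounts /dev after mock's pre-bindmounts have been applied.
    """
    return (
        "config_opts['plugin_conf']['bind_mount_enable'] = True\n"
        "config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(%r)\n"
        % ((host_path, chroot_path),)
    )


def in_chroot_remount(chroot_path: str = STAGING_PATH) -> str:
    """Shell line to run inside the chroot: create the mount point, then re-bind the staged node."""
    return " && ".join([
        shlex.join(["touch", "/dev/kvm"]),
        shlex.join(["mount", "--bind", chroot_path, "/dev/kvm"]),
    ])


if __name__ == "__main__":
    info = check_host_kvm()
    if info is None:
        print("no /dev/kvm on this host; nothing to expose")
    elif not info["is_kvm"]:
        print("/dev/kvm is not the expected %d:%d char device, refusing" % (KVM_MAJOR, KVM_MINOR))
    else:
        print("host /dev/kvm gid=%d group_rw=%s world_rw=%s"
              % (info["gid"], info["group_rw"], info["world_rw"]))
        print("# append to ~/.config/mock.cfg:")
        print(bind_mount_snippet())
        print("# then, after --init:")
        print("mock -r epel-8-x86_64 --chroot -- sh -c " + shlex.quote(in_chroot_remount()))
```

The check runs before any config is written: if the node is missing (the "if exists" case from the issue title) nothing is exposed, and if it is not 10:232 the script refuses rather than bind-mounting whatever happens to sit at that path. The `world_rw` flag is there because the whole point of the objection in this thread is that /dev/kvm hands the chroot privileged access to the CPU; knowing that only the `kvm` group can open it on the host is the minimum you want before widening that to every build.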