[pve-devel] virtual scsi disk passed with scsi-block with lvm host storage (wrong)
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Feb 25 08:47:43 CET 2016
On Thu, Feb 25, 2016 at 07:48:41AM +0100, Dietmar Maurer wrote:
> I just found package liblinux-prctl-perl, which can do
>
> Linux::Prctl::capbset_drop(CAP_SYS_RAWIO);
>
> That way we could do it inside perl before the SCSI INQUIRY syscall.
> Would that solve the problem?
>
> But we would need to fork before calling capbset_drop ...
If LVM is special there, wouldn't it make more sense to check for LVM
directly rather than dropping this capability? While apparently most
devices only need read-access for the SG_IO ioctl, capabilities(7)
states that you need CAP_SYS_RAWIO for "various scsi commands" and "a
range of device-specific operations on other devices":
capabilities(7):
CAP_SYS_RAWIO
* Perform I/O port operations (iopl(2) and ioperm(2));
(...)
* perform various SCSI device commands;
(...)
* perform a range of device-specific operations on other devices.
> > On February 25, 2016 at 6:54 AM Dietmar Maurer <dietmar at proxmox.com> wrote:
> >
> >
> > > #capsh --drop=cap_sys_rawio -- -c 'sg_inq /dev/pve/vm-115-disk-2'
> > > Both SCSI INQUIRY and fetching ATA information failed on
> > > /dev/pve/vm-115-disk-2
> >
> > Why --drop=cap_sys_rawio ? Does kvm drop this when starting?
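An added example, not code from this thread or from the Proxmox project, showing the fork-then-drop pattern the thread discusses in C: a forked child gives up CAP_SYS_RAWIO, issues a SCSI INQUIRY through the SG_IO ioctl, and reports the outcome through its exit status, so the parent keeps its own privileges. One caveat the example reflects: the bounding-set drop that `capsh --drop` and `Linux::Prctl::capbset_drop()` perform (prctl PR_CAPBSET_DROP) only limits what a program gains on execve(2); for an ioctl issued in the same process the capability has to be cleared from the effective and permitted sets, which the child does with a raw capset(2) call. Function names, result codes and the default device path are illustrative assumptions.

```c
/* Added example (not from the pve-devel thread or Proxmox): probe a device
 * with SCSI INQUIRY over SG_IO from a child that has dropped CAP_SYS_RAWIO.
 * Names and result codes are illustrative. Build: cc -o sgprobe sgprobe.c */
#include <errno.h>
#include <fcntl.h>
#include <linux/capability.h>
#include <scsi/sg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result {
    PROBE_INQUIRY_OK     = 0, /* device answered the INQUIRY */
    PROBE_INQUIRY_FAILED = 1, /* SG_IO refused or failed (e.g. EPERM, ENOTTY) */
    PROBE_OPEN_FAILED    = 2, /* device node could not be opened */
    PROBE_CAPDROP_FAILED = 3, /* capset(2) failed in the child */
    PROBE_FORK_FAILED    = 4, /* fork/waitpid failed in the parent */
};

/* Fill a 6-byte standard INQUIRY CDB (opcode 0x12); returns the CDB length. */
int build_inquiry_cdb(uint8_t cdb[6], uint8_t alloc_len)
{
    memset(cdb, 0, 6);
    cdb[0] = 0x12;      /* INQUIRY */
    cdb[4] = alloc_len; /* allocation length */
    return 6;
}

/* Clear CAP_SYS_RAWIO from the effective, permitted and inheritable sets with
 * raw capset(2) (no libcap). Reducing capabilities is always permitted, so this
 * works for root and unprivileged callers alike. Returns 0 or -errno. */
int drop_cap_sys_rawio(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    unsigned idx  = CAP_TO_INDEX(CAP_SYS_RAWIO);
    unsigned mask = CAP_TO_MASK(CAP_SYS_RAWIO);
    data[idx].effective   &= ~mask;
    data[idx].permitted   &= ~mask;
    data[idx].inheritable &= ~mask;
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    /* Bounding-set drop (what capsh --drop / capbset_drop do) only limits what
     * an exec'd program can regain and needs CAP_SETPCAP; best effort here,
     * since this child never execs. */
    if (prctl(PR_CAPBSET_READ, CAP_SYS_RAWIO, 0, 0, 0) == 1)
        (void)prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0);
    return 0;
}

/* Issue a standard INQUIRY through SG_IO on an open fd.
 * Returns 0 on success, -errno if the ioctl fails, -EIO on a SCSI-level error. */
int sg_inquiry(int fd, uint8_t *buf, unsigned len)
{
    uint8_t cdb[6], sense[32];
    struct sg_io_hdr io;
    memset(&io, 0, sizeof io);
    io.interface_id    = 'S';
    io.dxfer_direction = SG_DXFER_FROM_DEV;
    io.cmd_len         = build_inquiry_cdb(cdb, (uint8_t)len);
    io.cmdp            = cdb;
    io.dxferp          = buf;
    io.dxfer_len       = len;
    io.sbp             = sense;
    io.mx_sb_len       = sizeof sense;
    io.timeout         = 5000; /* milliseconds */
    if (ioctl(fd, SG_IO, &io) < 0)
        return -errno;
    if ((io.info & SG_INFO_OK_MASK) != SG_INFO_OK)
        return -EIO;
    return 0;
}

/* Fork, drop CAP_SYS_RAWIO in the child, run the INQUIRY there and hand the
 * outcome back via the exit status; the parent's capabilities stay untouched. */
int probe_device_without_rawio(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_FORK_FAILED;
    if (pid == 0) {
        int fd = open(path, O_RDONLY | O_NONBLOCK);
        if (fd < 0)
            _exit(PROBE_OPEN_FAILED);
        if (drop_cap_sys_rawio() != 0)
            _exit(PROBE_CAPDROP_FAILED);
        uint8_t buf[96]; /* standard INQUIRY data */
        int rc = sg_inquiry(fd, buf, sizeof buf);
        close(fd);
        _exit(rc == 0 ? PROBE_INQUIRY_OK : PROBE_INQUIRY_FAILED);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_FORK_FAILED;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/pve/vm-115-disk-2"; /* path from the thread */
    int r = probe_device_without_rawio(dev);
    printf("%s: result %d (0 = INQUIRY ok, 1 = INQUIRY failed without CAP_SYS_RAWIO)\n", dev, r);
    return r;
}
```

Run as `./sgprobe /dev/pve/vm-115-disk-2`: result 1 reproduces what the thread saw with `capsh --drop=cap_sys_rawio`, result 0 means the device answers INQUIRY without the capability. Running it against a path that is not an SG-capable device (for instance /dev/null) also yields 1, because SG_IO is rejected with ENOTTY rather than EPERM; a caller that needs to tell the two apart can have the child report `-rc` instead of the coarse result code.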