Run mknod in the right namespace

Author: stefwalter

README.md

@@ -8,13 +8,11 @@ concept there.
 Here are the manual commands to test this out. You should see a Linux boot process.
 
     $ sudo docker run -ti fedora /bin/bash
-    # yum install wget qemu-kvm
+    # yum install qemu-kvm
     ...
-    # wget https://download.fedoraproject.org/pub/alt/atomic/stable/Fedora-Atomic-25-20170314.0/CloudImages/x86_64/images/Fedora-Atomic-25-20170314.0.x86_64.qcow2
-    # wget https://rawgit.com/cockpit-project/cockpit/master/test/common/cloud-init.iso
-    # mknod /dev/kvm c 10 232
-    # chmod 666 /dev/kvm
-    # qemu-kvm -boot c -net nic -net user -m 1024 -nographic -cdrom cloud-init.iso Fedora-Atomic-25-20170314.0.x86_64.qcow2
+    # curl -Lo atomic.qcow2 https://ftp-stud.hs-esslingen.de/pub/Mirrors/alt.fedoraproject.org/atomic/stable/Fedora-Atomic-26-20170707.1/CloudImages/x86_64/images/Fedora-Atomic-26-20170707.1.x86_64.qcow2
+    # curl -Lo cloud-init.iso https://rawgit.com/stefwalter/oci-kvm-hook/master/test/cloud-init.iso
+    # qemu-kvm -boot c -net nic -net user -m 1024 -nographic -cdrom cloud-init.iso atomic.qcow2
 
 Or with a prebuilt constainer:
 

oci-kvm-hook.go

@@ -26,28 +26,31 @@ type Process struct {
 
 func allowKvm(state State) {
 	// TODO: Use state.Pid and /proc/$pid/cgroup to determine the right devices.allow file
-	path := fmt.Sprintf("/sys/fs/cgroup/devices/system.slice/docker-%s.scope/devices.allow", state.ID)
-	allow, err := os.OpenFile(path, os.O_APPEND|os.O_WRONLY, 0600)
+	allow_path := fmt.Sprintf("/sys/fs/cgroup/devices/system.slice/docker-%s.scope/devices.allow", state.ID)
+	allow, err := os.OpenFile(allow_path, os.O_APPEND|os.O_WRONLY, 0600)
 	if err != nil {
-		log.Printf("Failed to open file: %s: %v", path, err.Error())
+		log.Printf("Failed to open file: %s: %v", allow_path, err.Error())
 		return
 	}
 
 	_, err = allow.WriteString("c 10:232 rwm")
 	if err != nil {
-		log.Printf("Failed to write to group file: %s: %v", path, err.Error())
+		log.Printf("Failed to write to group file: %s: %v", allow_path, err.Error())
 		return
 	}
 
-	path = fmt.Sprintf("%s/dev/kvm", state.Root)
-	cmd := exec.Command("/usr/bin/mknod", path, "c", "10", "232")
-	_, err = cmd.Output()
+	allow.Close()
+
+	kvm_path := fmt.Sprintf("%s/dev/kvm", state.Root)
+	cmd := exec.Command("/usr/bin/nsenter", "--target", fmt.Sprintf("%d", state.Pid), "--mount", "--cgroup", "--",
+		"/usr/bin/mknod", "-m", "0666", kvm_path, "c", "10", "232")
+	output, err := cmd.CombinedOutput()
 	if err != nil {
-		log.Printf("Failed to run mknod: %s: %v", path, err.Error())
+		log.Printf("Failed to run mknod: %s: %v: %s", kvm_path, err.Error(), output)
 		return
 	}
 
-	log.Printf("Allowed /dev/kvm in new container: %s %s", path, state.ID)
+	log.Printf("Allowed /dev/kvm in new container: %s %s %s", kvm_path, allow_path, state.ID)
 }
 
 func main() {

test/Dockerfile

@@ -1,6 +1,6 @@
 FROM fedora:25
 
-RUN curl -o /image.qcow2 https://dl.fedoraproject.org/pub/fedora/linux/releases/25/CloudImages/x86_64/images/Fedora-Cloud-Base-25-1.3.x86_64.qcow2
+RUN curl -o /atomic.qcow2 https://ftp-stud.hs-esslingen.de/pub/Mirrors/alt.fedoraproject.org/atomic/stable/Fedora-Atomic-26-20170707.1/CloudImages/x86_64/images/Fedora-Atomic-26-20170707.1.x86_64.qcow2
 RUN yum -y install qemu-kvm
 ADD cloud-init.iso /
-CMD test -f /dev/kvm || mknod --mode=0666 /dev/kvm c 10 232; qemu-kvm -boot c -net nic -net user -m 1024 -nographic -cdrom /cloud-init.iso /image.qcow2
+CMD test -e /dev/kvm || mknod --mode=0666 /dev/kvm c 10 232; qemu-kvm -boot c -net nic -net user -m 1024 -nographic -cdrom /cloud-init.iso /atomic.qcow2