
Strange permissions issue with virt-install + UEFI


Matt Ventura

May 13, 2022, 9:00:04 PM

Hi,

On one box (Debian 11.3), my virt-install script works fine:

virt-install --virt-type kvm --name $NEWVM --location http://ftp.us.debian.org/debian/dists/bullseye/main/installer-amd64 --extra-args "netcfg/hostname=$NEWVM" -v  \
--os-variant debian11 --disk size=30,pool=vmvol,bus=scsi,discard=unmap,cache=writeback,io=threads --disk size=4,pool=vmvol-nobackup,bus=scsi,discard=unmap,cache=unsafe,io=threads \
--memory 8196 --initrd-inject=preseed.cfg --noautoconsole  --boot uefi --graphics spice --video virtio --controller=scsi,model=virtio-scsi --network=bridge=virbr1,model=virtio


However, on another box, the same command (minus the final --network option) gives me this:

> ERROR    internal error: process exited while connecting to monitor: 2022-05-14T00:11:48.169264Z qemu-system-x86_64: -blockdev \
{"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/openwisp_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"}: \
Could not open '/var/lib/libvirt/qemu/nvram/openwisp_VARS.fd': Permission denied
Domain installation does not appear to have been successful.

First idea was to check the perms of the /var/lib/libvirt-qemu/nvram directory. On both boxes, it is owned by user+group libvirt-qemu, mode 0755. The files themselves seem to be owned by libvirt-qemu:libvirt-qemu as well.

On the failing box, the new file is created:

-rw-------  1 libvirt-qemu libvirt-qemu 540672 May 13 16:39 openwisp_VARS.fd

So, I'm really not sure why it thinks it's failing, but it aborts the installation regardless.

Any ideas?

Matt Ventura

David

May 13, 2022, 10:00:05 PM
On Sat, 14 May 2022 at 10:57, Matt Ventura <mattv...@mattventura.net> wrote:

> On one box (Debian 11.3), my virt-install script works fine:
> virt-install [...]

> However, on another box, the same command (minus the final --network option) gives me this:
[...]
> Could not open '/var/lib/libvirt/qemu/nvram/openwisp_VARS.fd': Permission denied
[...]
> Any ideas?

You don't mention which user is running the 'virt-install' commands.
I suggest thinking about that.

https://wiki.debian.org/KVM says:
In order to manage virtual machines as a regular user, that user
needs to be added to the libvirt group:
# adduser <youruser> libvirt

On both machines, check that the user (who is running the virt-install
command) is a member of group=libvirt.

Run: groups | grep libvirt

I'm not sure if this is the answer, but it is the first thing I would check.
Also, test if that user can read the file openwisp_VARS.fd via its
full path.

Matt Ventura

May 13, 2022, 10:40:05 PM
On the broken machine, it fails even if I run it as root. Root isn't a
member of libvirt on either machine, but root is root, so it shouldn't
be getting permission denied either way. Perhaps the file is being
created as libvirt-qemu, but the plain old libvirt user needs to access
it too? That's the only thing I can think of, since root ignores
permissions anyway.

I did try to `su` into the libvirt-qemu user, and the path was reachable
via the full absolute path. I could create, modify, read, and delete
files in that dir.

Some searching pointed to it being an AppArmor problem, but AA is
enabled on both.

Matt Ventura
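
A check for the AppArmor angle raised in the last message, as an added example that is not part of the original thread: an AppArmor denial reaches the process as "Permission denied" even for root and even when file modes allow access, and the kernel logs it. The function name `apparmor_denials_for` is hypothetical and the log lines in `sample_log` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list AppArmor denials logged for one path.
# Real use (kernel log on stdin):  journalctl -k | apparmor_denials_for /path/to/file

apparmor_denials_for() {
    # $1 = absolute path to match against the name="..." field of each denial
    awk -v want="$1" '
        # Return the value of key="value" on the current line, or "-" if absent.
        function field(key,    re, s) {
            re = " " key "=\"[^\"]*\""
            if (match($0, re) == 0) return "-"
            s = substr($0, RSTART, RLENGTH)
            sub("^ " key "=\"", "", s)
            sub("\"$", "", s)
            return s
        }
        # Only denials whose target file is exactly the path we asked about.
        /apparmor="DENIED"/ && field("name") == want {
            print field("profile"), field("operation"), field("denied_mask")
        }
    '
}

sample_log() {
    # Constructed log lines: host name, PIDs, UUID and timestamps are made up.
    cat <<'EOF'
May 13 17:11:48 host kernel: audit: type=1400 audit(1652487108.169:101): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/var/lib/libvirt/qemu/nvram/openwisp_VARS.fd" pid=4242 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=111 ouid=111
May 13 17:11:49 host kernel: audit: type=1400 audit(1652487109.002:102): apparmor="DENIED" operation="open" profile="libvirt-00000000-0000-0000-0000-000000000000" name="/tmp/other.img" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
May 13 17:11:47 host kernel: audit: type=1400 audit(1652487107.900:100): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-00000000-0000-0000-0000-000000000000" pid=4200 comm="apparmor_parser"
EOF
}

# Demo on the constructed sample: prints the denying profile, operation and mask.
sample_log | apparmor_denials_for /var/lib/libvirt/qemu/nvram/openwisp_VARS.fd
```

Where auditd is running, the same denial records are written to /var/log/audit/audit.log rather than the kernel log, and the function reads those lines unchanged.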