[opensuse] A slightly complicated permission problem with kvm/libvirt and an existing disk with images
Hello to all.

I had to reinstall my TW these days. I have a separate disc mounted as /kvmimages where I hold the images of the OS. When I check, all is O.K. The images are effectively present and they are owned by root:root.

Now my user is called entropy. Entropy is member of the groups kvm and libvirt. As a matter of fact, he can start and connect kvm/qemu and then you can choose "new" - virtual machine - choose from existing images. When I try to do so, unfortunately I do not see anything because there seems to be a permission problem. This puzzles me, because entropy, being a member of kvm/qemu, should be able to read them, even when owned by root. Am I mistaken?

In this setup (see above) and respecting the security issue of not wanting this /kvmstorage be world readable, what permission do I have to set to /kvmstorage in order to be able as "entropy" to import the existing images.

Thank you.

P.S. PAM solutions are also highly welcome (as long as you are verbose enough and I shall be able to understand them fully).

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Hello,

On Sunday, 17 November 2019, 14:14:52 CET, stakanov wrote:
> Hello to all. I had to reinstall my TW these days. I have a separate disc mounted as /kvmimages where I hold the images of the OS. When I check, all is O.K. The images are effectively present and they are owned by root:root.
>
> Now my user is called entropy. Entropy is member of the groups kvm and libvirt. As a matter of fact, he can start and connect kvm/qemu and then you can choose "new" - virtual machine - choose from existing images. When I try to do so, unfortunately I do not see anything because there seems to be a permission problem. This puzzles me, because while being entropy member of kvm/qemu he should be able to read them, even when owned by root. Am I mistaken?
Wild guess: There's an AppArmor profile for /usr/{lib,lib64}/libvirt/virt-aa-helper which allows access to the following directories (ending with "/") and files (everything else):

    /var/lib/libvirt/images/ r,
    /var/lib/libvirt/images/** r,
    /var/lib/nova/instances/_base/* r,
    /{media,mnt,opt,srv}/** r,
    /{,var/}run/libvirt/**/[sv]d[a-z] r,
    /**.img r,
    /**.raw r,
    /**.qcow{,2} r,
    /**.qed r,
    /**.vmdk r,
    /**.vhd r,
    /**.[iI][sS][oO] r,
    /**/disk{,.*} r,

/kvmimages/ is not allowed in this list (not a surprise, since it's not one of the usual directories), and (wild guess) your images probably don't have one of the extensions listed above.

To confirm if AppArmor really causes your problem, check /var/log/audit/audit.log for lines with apparmor="DENIED".

Assuming you really see AppArmor denials: Since you use a custom location, you'll have to allow it in /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper

Add the following lines there:

    /kvmimages/ r,
    /kvmimages/** r,

and run

    rcapparmor reload

Note that this is more or less a blind guess. If this doesn't help, please show the entries from audit.log - or simply run aa-logprof to update the profile yourself.

Regards,

Christian Boltz
-- 
[dracut] I'm reluctant to waste time dealing with things like e.g. modules.d/90crypt/cryptroot-ask.sh. That feels like boot.crypto which was rightfully killed by systemd raising from the dead. [Ludwig Nussel in opensuse-packaging]
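As an added example (not from either poster) of the audit.log check described in the reply, here is a small POSIX shell helper that extracts the paths the virt-aa-helper profile was denied read access to and turns them into read-only rules for the local override file. The audit lines below are constructed samples in the AppArmor audit format, and collapsing each denied path to its top-level directory is an assumption that mirrors the /kvmimages/ rules in the reply; on a real system aa-logprof does this job properly.

```shell
#!/bin/sh
# Constructed sample audit lines (made up for this example, not real log data).
# Only DENIED lines from the virt-aa-helper profile are relevant; the ALLOWED
# line and the unrelated libvirtd denial must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1574000000.100:101): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/kvmimages/" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1574000000.200:102): apparmor="DENIED" operation="open" profile="virt-aa-helper" name="/kvmimages/tumbleweed-disk" pid=4242 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1574000000.300:103): apparmor="ALLOWED" operation="open" profile="virt-aa-helper" name="/var/lib/libvirt/images/test.qcow2" pid=4243 comm="virt-aa-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1574000000.400:104): apparmor="DENIED" operation="open" profile="libvirtd" name="/etc/shadow" pid=4100 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print the paths the virt-aa-helper profile was denied, one per line,
# deduplicated. Reads audit lines from stdin.
denied_paths() {
    grep 'apparmor="DENIED"' |
    grep 'profile="[^"]*virt-aa-helper"' |
    sed -n 's/.*name="\([^"]*\)".*/\1/p' |
    sort -u
}

# Reduce a denied path to its top-level directory (assumption: the custom
# image location is a top-level mount point, like /kvmimages in the thread).
top_dir() {
    printf '%s\n' "$1" | awk -F/ '{ print "/" $2 "/" }'
}

# Emit the two read-only ('r') rules for
# /etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper that cover the
# denied locations; read-only keeps the grant as small as the reply suggests.
suggest_rules() {
    denied_paths | while IFS= read -r p; do top_dir "$p"; done | sort -u |
    while IFS= read -r d; do
        printf '%s r,\n%s** r,\n' "$d" "$d"
    done
}

# Run against the constructed sample; on a real system feed it
# /var/log/audit/audit.log instead (readable by root only).
printf '%s\n' "$SAMPLE_AUDIT" | suggest_rules
```

After adding the emitted lines to the local override, the reply's `rcapparmor reload` step still applies, and a second look at audit.log confirms the denials are gone.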