FS#33650 - [libvirt] permission denied after update 1.0.1-3 - libvirt.install should be updated

Attached to Project: Community Packages
Opened by Andrzej Giniewicz (Giniu) - Thursday, 31 January 2013, 09:41 GMT
Last edited by Sergej Pupykin (sergej) - Friday, 01 February 2013, 06:18 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

after update, libvirt no longer starts my virtual machines:

Could not access KVM kernel module: Permission denied
failed to initialize KVM: Permission denied

After some research I found that the cause are lines:

--with-qemu-user=nobody --with-qemu-group=nobody

from https://projects.archlinux.org/svntogit/community.git/commit/trunk?h=packages/libvirt&id=ae55480906f49b853f9b1b66854c8897bd6f292a - While it is said in https://bugs.archlinux.org/task/33604 that "is easy to change in config". I believe this is reference to:

"Regardless of this build time default, administrators can set a per-host default setting in the /etc/libvirt/qemu.conf configuration file via the user=$USERNAME and group=$GROUPNAME parameters"

Setting this helped, but the install file prints message:

echo ">>> To use libvirt as a non-root user:"
echo ">>> Use polkit to grant access."
echo ">>> ...or change the access model in /etc/libvirt/libvirtd.conf."
echo ">>> (see unixperms.patch in PKGBUILD for help)"

I had it configured using polkit (it worked before this update) and I don't see any unixperms.patch with:

polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage" && subject.user == "<MyManagerUser>") {
return polkit.Result.YES;
}
});

It is at least confusing, especially that wiki does not reflect those changes and also talks about non existing unixperms.patch. Removing --with-qemu-user=nobody --with-qemu-group=nobody also helps.
This task depends upon

Closed by  Sergej Pupykin (sergej)
Friday, 01 February 2013, 06:18 GMT
Reason for closing:  Fixed
Comment by Andrzej Giniewicz (Giniu) - Thursday, 31 January 2013, 09:55 GMT
In short, I believe that if:

- someone had it configured correctly, at least as far as wiki says so (polkit)
- and it was working for at least half year

this working system shouldn't break without notice when updating only by package release, especially if we talk about something like virtualization - so, because this change is actually good and I'm not asking to remove it - lets add notice so people who update without checking changelog of package know what to do, istead of pointing them to file that was removed.
Comment by Sergej Pupykin (sergej) - Thursday, 31 January 2013, 15:58 GMT
I cleaned up installation messages. Now it says about default user change and points to wiki.
Comment by Thomas Weißschuh (t-8ch) - Thursday, 31 January 2013, 17:09 GMT
The --with-qemu-user=$USER and polkit are different users. Polkit is used to grant a user access to libvirt.
This still works (try 'virsh -c qemu:///system';).
Libvirt then spawns a qemu process. This *process* is now nobody:nobody.
Qemu tries to access /dev/kvm to use hardware acceleration. This doesn't work, as 'nobody' has no right to access /dev/kvm.
Comment by Andrzej Giniewicz (Giniu) - Thursday, 31 January 2013, 19:37 GMT
@Thomas: yes, I figured it out, just wanted to point that I had configured all that was noted in install.message and wiki

@Sergej: looked at 1.0.2-2, users are supposed to read install messages, so it's fixed in my opinion, cool.

Loading...