FS#33650 - [libvirt] permission denied after update 1.0.1-3 - libvirt.install should be updated
Attached to Project:
Community Packages
Opened by Andrzej Giniewicz (Giniu) - Thursday, 31 January 2013, 09:41 GMT
Last edited by Sergej Pupykin (sergej) - Friday, 01 February 2013, 06:18 GMT
Details
Description:
After update, libvirt no longer starts my virtual machines:

    Could not access KVM kernel module: Permission denied
    failed to initialize KVM: Permission denied

After some research I found that the cause is the lines:

    --with-qemu-user=nobody
    --with-qemu-group=nobody

from https://projects.archlinux.org/svntogit/community.git/commit/trunk?h=packages/libvirt&id=ae55480906f49b853f9b1b66854c8897bd6f292a - While it is said in https://bugs.archlinux.org/task/33604 that "is easy to change in config". I believe this is a reference to:

"Regardless of this build time default, administrators can set a per-host default setting in the /etc/libvirt/qemu.conf configuration file via the user=$USERNAME and group=$GROUPNAME parameters"

Setting this helped, but the install file prints the message:

    echo ">>> To use libvirt as a non-root user:"
    echo ">>> Use polkit to grant access."
    echo ">>> ...or change the access model in /etc/libvirt/libvirtd.conf."
    echo ">>> (see unixperms.patch in PKGBUILD for help)"

I had it configured using polkit (it worked before this update) and I don't see any unixperms.patch with:

    polkit.addRule(function(action, subject) {
        if (action.id == "org.libvirt.unix.manage" && subject.user == "<MyManagerUser>") {
            return polkit.Result.YES;
        }
    });

It is at least confusing, especially since the wiki does not reflect those changes and also talks about the non-existent unixperms.patch.

Removing --with-qemu-user=nobody --with-qemu-group=nobody also helps.
- someone had it configured correctly, at least as far as wiki says so (polkit)
- and it was working for at least half a year
this working system shouldn't break without notice when updating only by package release, especially if we talk about something like virtualization - so, because this change is actually good and I'm not asking to remove it - let's add a notice so people who update without checking the changelog of the package know what to do, instead of pointing them to a file that was removed.
This still works (try 'virsh -c qemu:///system';).
Libvirt then spawns a qemu process. This *process* is now nobody:nobody.
Qemu tries to access /dev/kvm to use hardware acceleration. This doesn't work, as 'nobody' has no right to access /dev/kvm.
@Sergej: looked at 1.0.2-2, users are supposed to read install messages, so it's fixed in my opinion, cool.
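
A diagnostic for the failure discussed in this task, as an added example that is not part of the original report or of the libvirt package: it works out which identity QEMU will run as (the user/group settings in /etc/libvirt/qemu.conf, falling back to the nobody:nobody build default quoted above) and checks whether that identity has read/write access to /dev/kvm. It assumes the quoted user = "name" syntax of qemu.conf and looks only at the uid and configured gid, not at supplementary groups or ACLs.

```python
import grp, os, pwd, re, stat, sys

# Build-time default from --with-qemu-user / --with-qemu-group on this page.
BUILD_DEFAULT = ("nobody", "nobody")
_SETTING = re.compile(r'^\s*(user|group)\s*=\s*"([^"]*)"\s*(?:#.*)?$')

def qemu_identity(conf_text, default=BUILD_DEFAULT):
    """Return (user, group) for QEMU: qemu.conf overrides the build default."""
    found = {"user": default[0], "group": default[1]}
    for line in conf_text.splitlines():
        m = _SETTING.match(line)  # lines starting with '#' never match
        if m:
            found[m.group(1)] = m.group(2)
    return found["user"], found["group"]

def has_rw(mode, owner_uid, owner_gid, uid, gid):
    """Unix mode check: only the first matching class (owner/group/other) counts."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR)
    elif gid == owner_gid:
        bits = (stat.S_IRGRP, stat.S_IWGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH)
    return all(mode & b for b in bits)

def _to_id(value, lookup):
    """qemu.conf takes a name or a numeric id; '+<id>' forces the numeric form."""
    if value.startswith("+"):
        return int(value[1:])
    try:
        return lookup(value)
    except KeyError:
        return int(value)

def main(conf="/etc/libvirt/qemu.conf", dev="/dev/kvm"):
    try:
        with open(conf) as fh:
            text = fh.read()
    except OSError:
        text = ""  # unreadable or missing config: build default applies
    user, group = qemu_identity(text)
    uid = _to_id(user, lambda n: pwd.getpwnam(n).pw_uid)
    gid = _to_id(group, lambda n: grp.getgrnam(n).gr_gid)
    st = os.stat(dev)
    ok = has_rw(st.st_mode, st.st_uid, st.st_gid, uid, gid)
    print(f"QEMU runs as {user}:{group}; read/write on {dev}: {'yes' if ok else 'NO'}")
    return 0 if ok else 1

if __name__ == "__main__":
    sys.exit(main())
```

Reading /etc/libvirt/qemu.conf may require root; run without it, the script falls back to the build default and reports on that.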