Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#46853 - [libvirt] do not only use kvm group

Attached to Project: Community Packages
Opened by Tom Yan (tom.ty89) - Saturday, 24 October 2015, 05:40 GMT
Last edited by Sergej Pupykin (sergej) - Tuesday, 27 October 2015, 10:26 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

It seems like there's a bug/defect in libvirt. The first attached test case (libvirt) is done after a fresh reboot with 65-kvm.rules from qemu removed. As you can see, having libvirt running qemu with a group owns and has rw permission on /dev/kvm does not work. (But it will work if /dev/kvm is test:root 0660 or test:test 0660 instead).

We can easily skipped this issue without knowing what had happened because SOMEHOW, although a re-trigger of udev (which seem to have changed the ownership successfully) does not work, it will work if the modules are loaded with udev already carrying the "group rule". For example, a reboot, or `modprobe -r kvm_intel; modprobe kvm_intel`, after installing qemu. (And you can even switch the group back and forth without having the same issue until the modules are loaded again with udev NOT carrying the "group rule")

Running standalone qemu with a user of a group/supp. group which has rw permission on /dev/kvm does not seem to show the same issue. See the second attached test case (qemu).

Actually I think libvirt upstream should really improve this, like setfacl on /dev/kvm for the specified user/group in qemu.conf.

Anyway the I think "kvm group only" way in Arch's qemu/libvirt looks a bit silly as well. Can't we just let /dev/kvm be owned by kvm:kvm? What's the point of leaving /dev/kvm owned by root anyway? (Like, even under cases when something weird would run qemu with root, I don't think /dev/kvm has to be owned by root anyway?)
   libvirt (3.6 KiB)
   qemu (0.9 KiB)
This task depends upon

Closed by  Sergej Pupykin (sergej)
Tuesday, 27 October 2015, 10:26 GMT
Reason for closing:  Upstream
Comment by Tom Yan (tom.ty89) - Saturday, 24 October 2015, 06:00 GMT
An easy way to reproduce is: uninstall qemu; reboot; install qemu; start libvirtd and create a vm in virt-manager under qemu/kvm (and fail); reboot; start libvirtd and try create again (and succeed).
Comment by Tom Yan (tom.ty89) - Saturday, 24 October 2015, 06:49 GMT
I found out some more fact about this issue. First of all it's probably not a bug/defect in libvirt but qemu (or the kvm/udev?). Somehow qemu acts up on the kvm line in 70-uaccess.rules from systemd. As you can see in my attached "qemu" test case, there's no ACL set on /dev/kvm. That is because I commented the line.

If I do the cycle I mentioned in comment #1, but with the line commented before the first reboot, I will have NO issue in virt-manager AND qemu. However if I don't, even `sudo -u test qemu-system-x86_64 -enable-kvm -nographic` would fail with the same permission error as in libvirtd, assuming user "test" has "kvm" as its supp. group.

However it doesn't seem to have any thing to do with the order of rule files, like if I mv 65-kvm.rules to 71- or 99-, I still cannot reproduce the same issue after I reboot.
Comment by Tom Yan (tom.ty89) - Monday, 26 October 2015, 01:21 GMT
So this is the actual issue: https://github.com/systemd/systemd/issues/1677

I guess it's just usual practice that we change only group for a /dev/* to allow certain actions, and it works anyway.

Loading...