
On 2/21/23 09:47, Sánta, Márton (ext) wrote:
Dear All,
I started working with libvirt a few weeks ago, but I have a problem with starting a virtual machine. Currently, I am using an *embedded arm64 device* with a *Linux* built with *Yocto*. I managed to install *libvirt 8.1.0* in the image and I have a *qemu user* and *qemu and kvm groups* in the system. I am using *KVM hypervisor* and I did the configuration in the *qemu.conf* and *libvirtd.conf* files, enabled all the sockets and services in the system.

The xml based definition of the virtual machine is simple, but when I try to start it I get the error message: *Failed to start domain ’XYZ’* and *Unable to set ACLs on /dev/kvm: Invalid argument*. I cannot set ACLs on the /dev/kvm (owner is /root/, group is /kvm/ but I have also tried to set it to /root:root/) with the /setfacl/ command, but I gave /rwx/ access to user, group and others as well so everybody can use the device. I also uncommented the relevant lines in the /qemu.conf/ file (/cgroup_controllers = …/ and /cgroup_device_acl = …/) and I also found that the /devices/ controller is already mounted at //sys/fs/cgroup/devices/.

Can anybody help me with this issue? Did anybody have a similar problem? I can start a virtual machine with *qemu-system-aarch64*, but I would like to use the libvirt library to manage the machines.
Thank you in advance for an early reply.

This is a namespace issue. Basically, when starting a guest (or domain as we call it), libvirt creates a private /dev for it. It's using mount namespace to create a private mount table to replace the original /dev, hence the name of the feature. And this private /dev is populated with only a handful of nodes (some basic ones, like /dev/zero, /dev/null, ... and those which are configured in domain XML). Each individual node is created as an exact copy of the original /dev, including ACL entries. If you understand C a bit you can see the function that's responsible for creating the nodes here [1].

Now, there used to be a bug, where libvirt tried to set ACLs even though the corresponding file had none. It was fixed by the following commit [2]. Unfortunately, the commit is part of newer libvirt than what you have: v8.8.0.

There is a workaround though: you can disable this namespace feature by setting the following in /etc/libvirt/qemu.conf:

  namespaces = []

Michal

1: https://gitlab.com/libvirt/libvirt/-/blob/master/src/qemu/qemu_namespace.c#L...
2: https://gitlab.com/libvirt/libvirt/-/commit/687374959e160dc566bd4b6d43c7bf1b...
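
A host check for the situation described in the reply above, as an added example that is not part of the thread or of libvirt: it compares the installed libvirt version with v8.8.0 (the release the reply names for the fix) and reports whether `namespaces = []` is already set in qemu.conf. The function names and verdict strings are made up for this example; note that with the workaround in place QEMU runs against the host's /dev rather than the private one the reply describes.

```shell
#!/bin/sh
# Added example, not libvirt code. FIXED_IN is the release named in the reply.
FIXED_IN="8.8.0"

# version_lt A B: succeeds when dotted version A is strictly older than B.
# sort -V compares numerically per component, so 8.10.0 sorts after 8.8.0.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# namespaces_value FILE: print the value of the last uncommented
# "namespaces = ..." line with whitespace removed. Empty output means the
# setting is absent or commented out, so libvirt uses its default.
namespaces_value() {
    sed -n -e 's/#.*$//' \
        -e 's/^[[:space:]]*namespaces[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
        "$1" 2>/dev/null | tail -n 1 | tr -d '[:space:]'
}

# check_host VERSION CONF: print one verdict word (names are hypothetical).
#   fixed       release already contains the ACL fix
#   workaround  older release, private /dev disabled via namespaces = []
#   affected    older release, mount namespace still in use
check_host() {
    ns=$(namespaces_value "$2")
    if ! version_lt "$1" "$FIXED_IN"; then
        echo "fixed"
    elif [ "$ns" = "[]" ]; then
        echo "workaround"
    else
        echo "affected"
    fi
}

# Typical call on the target ("libvirtd --version" ends with the version):
#   check_host "$(libvirtd --version | awk '{print $NF}')" /etc/libvirt/qemu.conf
```

Once the image carries libvirt v8.8.0 or newer, a `workaround` host can have the `namespaces = []` line removed so guests get the private /dev back.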