Re: Unexplicable permission error when trying to read a qemu firmware file
On 12/29/20 6:09 PM, Emmanuel Kasper wrote:
Hi
I want to create a CoreOS VM following the steps mentioned at
https://docs.fedoraproject.org/en-US/fedora-coreos/getting-started,
using a Debian 11 (bullseye) system.
I am thus creating a VM with the following virt-install command:
virt-install --connect="qemu:///system" --name=coreos \
--vcpus=2 --memory=2048 \
--os-variant=fedora29 --import --graphics=none \
--disk="size=10,backing_store=$PWD/fedora-coreos-33.20201201.3.0-qemu.x86_64.qcow2"
\
--qemu-commandline="-fw_cfg
name=opt/com.coreos/config,file=/tmp/example.ign"
1: this ^^
which spits some warnings and this mysterious error
2020-12-29T16:52:03.858938Z qemu-system-x86_64: warning: host doesn't
support requested feature: MSR(48FH).vmx-exit-load-perf-global-ctrl [bit 12]
2020-12-29T16:52:03.858941Z qemu-system-x86_64: warning: host doesn't
support requested feature: MSR(490H).vmx-entry-load-perf-global-ctrl
[bit 13]
I don't know what are these, sorry.
2020-12-29T16:52:03.864778Z qemu-system-x86_64: -fw_cfg
name=opt/com.coreos/config,file=/tmp/example.ign: can't load
/tmp/example.ign: Failed to open file “/tmp/example.ign”: Permission denied
But this is expected.
the file /tmp/example.ign is perfectly world readable,
-rw-rw-rw- 1 manu manu 1130 Dec 29 17:23 /tmp/example.ign
This doesn't matter. It's SELinux what's giving you the error (as you've
found out).
The problem here is [1]. If you bypass libvirt and put something right
onto qemu's command line then libvirt blindly puts it there. No checks,
no DAC/SELinux relabel, nothing. But I've implemented support for
ignition files here:
https://gitlab.com/libvirt/libvirt/-/commit/3dda889a4426bb3555b1d8861d831...
So what you need instead is:
<sysinfo type='fwcfg'>
<entry name='opt/com.coreos/config' file='/tmp/example.ign'/>
</sysinfo>
This will make libvirt set correct labels and everything. I'm not sure
whether virt-install supports that though, sorry.
Michal