[libvirt-users] Ubuntu Trusty: failed to create VM due to permission denied

Hi, libvirt experts,

I used libvirt to create a VM and used backing store to a local file. It worked fine until I installed Ubuntu Trusty (14.04) on my box. I got the following errors when I tried to start the VM:

Could not open backing file: Could not open <path to my backing file>: Permission denied

However, if I move my image file (not the base image) to the default location /var/lib/libvirt/images, it works. It seems to be something related to selinux. However, my box does not seem to have selinux installed at all.

Does anyone know how to fix this?

Thanks,
~Frank

On 08/05/2014 05:23 PM, Jianfeng Tang wrote:
> However, if I move my image file (not the base image) to the default location /var/lib/libvirt/images, it works.
> It seems to be something related to selinux. However, my box does not seem to have selinux installed at all.

It's probably AppArmor, not SELinux; but the concepts are the same - if you have a mandatory access control that libvirt can use, then you have to make sure that non-default locations are permitted through your control mechanism, in order for libvirt sVirt protections to work with your layout.

> Does anyone know how to fix this?

Sadly, I don't use AppArmor myself to offer actual advice on it.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Thank you Eric. Yes, it looks like AppArmor caused the problem. I will google on how to disable it.

On 8/5/14 8:27 PM, "Eric Blake" <eblake@redhat.com> wrote:
> On 08/05/2014 05:23 PM, Jianfeng Tang wrote:
>> However, if I move my image file (not the base image) to the default location /var/lib/libvirt/images, it works.
>> It seems to be something related to selinux. However, my box does not seem to have selinux installed at all.
>
> It's probably AppArmor, not SELinux; but the concepts are the same - if you have a mandatory access control that libvirt can use, then you have to make sure that non-default locations are permitted through your control mechanism, in order for libvirt sVirt protections to work with your layout.
>
>> Does anyone know how to fix this?
>
> Sadly, I don't use AppArmor myself to offer actual advice on it.
>
> --
> Eric Blake eblake redhat com +1-919-301-3266
> Libvirt virtualization library http://libvirt.org

On 08/06/2014 10:02 AM, Jianfeng Tang wrote:
> Thank you Eric. Yes, it looks like AppArmor caused the problem. I will google on how to disable it.

That feels wrong. "My security process is preventing me from doing something wrong because I didn't configure it to match my usage patterns, so I'm going to disable security". Rather, you should google for how to add additional storage pools to what AppArmor will allow, so that you can continue to have a secure setup. (I feel the same way about people that complain that SELinux prevented them from doing something, so they disable SELinux instead of fixing their process to use SELinux correctly)

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Agree. I did a little research. For those who hit this issue, it works after I modified /etc/apparmor.d/abstractions/libvirt-qemu to include the backing store directory.

On 8/6/14 11:18 AM, "Eric Blake" <eblake@redhat.com> wrote:
> On 08/06/2014 10:02 AM, Jianfeng Tang wrote:
>> Thank you Eric. Yes, it looks like AppArmor caused the problem. I will google on how to disable it.
>
> That feels wrong. "My security process is preventing me from doing something wrong because I didn't configure it to match my usage patterns, so I'm going to disable security". Rather, you should google for how to add additional storage pools to what AppArmor will allow, so that you can continue to have a secure setup. (I feel the same way about people that complain that SELinux prevented them from doing something, so they disable SELinux instead of fixing their process to use SELinux correctly)
>
> --
> Eric Blake eblake redhat com +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
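
One way to work out which directory to add to /etc/apparmor.d/abstractions/libvirt-qemu, as an added example that is not part of the thread: parse the kernel's AppArmor denial records for libvirt guest profiles and print candidate rules that grant only the permissions that were denied. The log lines, paths and UUID are constructed, and the `libvirt-<uuid>` profile naming and audit field layout are assumptions about the host.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Constructed sample kernel log lines (not from the thread); the paths,
# UUID and pids are made up for illustration.
SAMPLE_LOG = """\
Aug  5 17:20:01 host kernel: type=1400 audit(1407273601.100:30): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/srv/vm-base/trusty-base.qcow2" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
Aug  5 17:20:09 host kernel: type=1400 audit(1407273609.100:31): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/srv/vm-base/overlay.qcow2" pid=4250 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=0
Aug  5 17:21:00 host kernel: type=1400 audit(1407273660.100:32): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in an audit record


def denied_by_directory(log_text):
    """Map directory -> set of permission letters denied to libvirt guests."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("apparmor") != "DENIED":
            continue
        # Assumption: per-guest profiles are named libvirt-<domain uuid>.
        if not fields.get("profile", "").startswith("libvirt-"):
            continue
        name = fields.get("name", "")
        if not name.startswith("/"):
            continue  # skip records without a plain absolute path
        denied[dirname(name)].update(fields.get("denied_mask", ""))
    return dict(denied)


def candidate_rules(denied):
    """One rule per directory, granting only what was actually denied."""
    return [f"  {d.rstrip('/')}/* {''.join(sorted(mask))},"
            for d, mask in sorted(denied.items())]


if __name__ == "__main__":
    # Review each line before adding it to the abstraction file.
    print("\n".join(candidate_rules(denied_by_directory(SAMPLE_LOG))))
```

The denial for the unrelated cupsd profile is ignored, so only the guest's image directory appears in the output.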