Bug 1654364

Summary: Permission denied when starting UEFI based VM on oVirt 4.3.0_alpha
Product: [oVirt] ovirt-engine Reporter: Rob Sanders <rob>
Component: BLL.VirtAssignee: Michal Skrivanek <michal.skrivanek>
Status: CLOSED CURRENTRELEASE QA Contact: meital avital <mavital>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.3.0CC: bugs, rob
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-01-14 10:28:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rob Sanders 2018-11-28 15:29:05 UTC 
I've upgraded my test cluster to 4.3.0_alpha. I've created a new UEFI based VM and it fails to start:

web console error:

VM 7.6_Template is down with error. Exit message: internal error: process exited while connecting to monitor: 2018-11-28T15:16:57.823968Z qemu-kvm: -drive file=/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd,if=pflash,format=raw,unit=1: Could not open '/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd': Permission denied.



VDSM log error:

...
    <os>
        <type arch="x86_64" machine="q35">hvm</type>
        <smbios mode="sysinfo"/>
        <loader readonly="yes" secure="no" type="pflash">/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
        <nvram template="/usr/share/OVMF/OVMF_VARS.fd">/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd</nvram>
        <bios useserial="yes"/>
    </os>
...

2018-11-28 15:16:51,588+0000 ERROR (vm/172900ec) [virt.vm] (vmId='172900ec-2c5c-4e78-bcd4-f26e4a63770e') The vm start process failed (vm:934)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 863, in _startUnderlyingVm
    self._run()
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 2840, in _run
    dom.createWithFlags(flags)
  File "/usr/lib/python2.7/site-packages/vdsm/common/libvirtconnection.py", line 131, in wrapper
    ret = f(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/common/function.py", line 94, in wrapper
    return func(inst, *args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1110, in createWithFlags
    if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
libvirtError: internal error: process exited while connecting to monitor: 2018-11-28T15:16:51.247871Z qemu-kvm: -drive file=/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd,if=pflash,format=raw,unit=1: Could not open '/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd': Permission denied
2018-11-28 15:16:51,588+0000 INFO  (vm/172900ec) [virt.vm] (vmId='172900ec-2c5c-4e78-bcd4-f26e4a63770e') Changed state to Down: internal error: process exited while connecting to monitor: 2018-11-28T15:16:51.247871Z qemu-kvm: -drive file=/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd,if=pflash,format=raw,unit=1: Could not open '/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd': Permission denied (code=1) (vm:1671)
2018-11-28 15:16:51,598+0000 INFO  (vm/172900ec) [virt.vm] (vmId='172900ec-2c5c-4e78-bcd4-f26e4a63770e') Stopping connection (guestagent:454)


It looks like when the file is copied, it doesn't have the correct permissions or ownership:

ls -las /var/lib/libvirt/qemu/nvram/
528 -rw-------.  1 root root 540672 Nov 28 15:24 172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd


When I manually copy the file BEFORE starting the VM, it starts fine

cp /usr/share/OVMF/OVMF_VARS.fd /var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd; chmod 755 /var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd;
Comment 1 Rob Sanders 2018-11-28 15:51:33 UTC 
If I'm not mistaken, it's related to this code:

https://github.com/oVirt/ovirt-engine/commit/94d249426ca26153a0ae3cfa3ebfebaadd5eb0e9#diff-d6f7100af881feb7d909f23faeda326f
Comment 2 Michal Skrivanek 2018-11-29 10:47:58 UTC 
alpha doesn't have the right dependencies yet. Try with latest libvirt from RHEL 7.6 or CentOS CR repos, it needs to be 4.5 at least, ideally libvirt-4.5.0-10.el7_6.3
Comment 3 Rob Sanders 2018-11-29 11:01:24 UTC 
Hi Michal,

I'm on libvirt-4.5.0-10.el7_6.2.x86_64 atm. As soon as el7_6.3 hits the CR I will re-test it.
Comment 4 Rob Sanders 2018-11-29 11:06:08 UTC 
Looking at the diff between 4.5.0-10.el7_6.2 and 4.5.0-10.el7_6.3 - there doesn't seem to be anything there which would fix it:

https://git.centos.org/commitdiff/rpms!libvirt.git/5ff110eabf82a06adfbb7683aa3ea1c4c5b05193
Comment 5 Rob Sanders 2019-01-14 09:00:05 UTC 
As of 4.3 RC, I can no longer reproduce this issue.
Comment 6 Michal Skrivanek 2019-01-14 10:28:21 UTC 
(In reply to Rob Sanders from comment #4)
> Looking at the diff between 4.5.0-10.el7_6.2 and 4.5.0-10.el7_6.3 - there
> doesn't seem to be anything there which would fix it:
> 
> https://git.centos.org/commitdiff/rpms!libvirt.git/
> 5ff110eabf82a06adfbb7683aa3ea1c4c5b05193

the fix is in older release, el7_6.3 was just required for other fixes. Thanks for confirmation it works with recent version