Description of problem: ----------------------- Libguestfs fails to create an appliance when attempted to run libguestfs tools (e.g. virt-df, virt-filesystems) on a disk image (located on an external disk mounted in /run/media/kashyap/. . .) The command fails with: "libguestfs: error: could not create appliance through libvirt: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/tmp/libguestfs5QbBEf/snapshot2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=writeback: could not open disk image /tmp/libguestfs5QbBEf/snapshot2: Permission denied" Version: -------- $ uname -r ; rpm -q qemu-system-x86 libvirt-daemon-kvm libguestfs 3.11.3-201.fc19.x86_64 qemu-system-x86-1.6.0-9.fc19.x86_64 libvirt-daemon-kvm-1.1.3-2.fc19.x86_64 libguestfs-1.23.25-1.fc21.x86_64 How reproducible: ----------------- Consistently Steps to Reproduce: ------------------- I should first note that the qcow2 image is located on an external hard-disk, which is mounted in /run/media/kashyap/ 0. Permissions on the image: $ ls -lZ /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2 -rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2 1. Run as root, Check SELinux status: $ sudo -i $ getenforce Permissive 2. Ensure to use 'libvirt' backend, and enable Libguestfs DEBUG and TRACE: $ export LIBGUESTFS_BACKEND=libvirt $ export LIBGUESTFS_DEBUG=1 $ export LIBGUESTFS_TRACE=1 3. Run 'virt-df' libguestfs tool as sudo: $ id uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 $ virt-df -a ostack-compute.qcow2 -h Actual results: --------------- Trace result: $ virt-df -a /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2 -h libguestfs: trace: set_verbose true libguestfs: trace: set_verbose = 0 libguestfs: trace: set_backend "libvirt" libguestfs: trace: set_backend = 0 libguestfs: create: flags = 0, handle = 0x7fb2bb6aa350, program = virt-df libguestfs: trace: add_drive "/run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2" "readonly:true" libguestfs: trace: add_drive = 0 libguestfs: trace: launch libguestfs: trace: get_tmpdir libguestfs: trace: get_tmpdir = "/tmp" libguestfs: trace: get_backend libguestfs: trace: get_backend = "libvirt" libguestfs: launch: backend registered: unix libguestfs: launch: backend registered: uml libguestfs: launch: backend registered: libvirt libguestfs: launch: backend registered: direct libguestfs: launch: backend=libvirt libguestfs: launch: tmpdir=/tmp/libguestfsHHwaWo libguestfs: launch: umask=0022 libguestfs: launch: euid=0 libguestfs: libvirt version = 1001003 (1.1.3) libguestfs: [00000ms] connect to libvirt libguestfs: opening libvirt handle: URI = NULL, auth = virConnectAuthPtrDefault, flags = 0 libguestfs: successfully opened libvirt handle: conn = 0x7fb2bb6aaae0 libguestfs: [00129ms] get libvirt capabilities libguestfs: [00153ms] parsing capabilities XML libguestfs: [00154ms] build appliance libguestfs: command: run: supermin-helper libguestfs: command: run: \ --verbose libguestfs: command: run: \ -f checksum libguestfs: command: run: \ --host-cpu x86_64 libguestfs: command: run: \ /usr/lib64/guestfs/supermin.d supermin helper [00000ms] whitelist = (not specified) supermin helper [00000ms] host_cpu = x86_64 supermin helper [00000ms] dtb_wildcard = (not specified) supermin helper [00000ms] inputs: supermin helper [00000ms] inputs[0] = /usr/lib64/guestfs/supermin.d supermin helper [00000ms] outputs: supermin helper [00000ms] kernel = (none) supermin helper [00000ms] dtb = (none) supermin helper [00000ms] initrd = (none) supermin helper [00000ms] appliance = (none) checking modpath /lib/modules/3.9.9-301.fc19.x86_64.debug is a directory checking modpath /lib/modules/3.9.9-302.fc19.x86_64.debug is a directory checking modpath /lib/modules/3.9.9-302.fc19.x86_64 is a directory checking modpath /lib/modules/3.11.3-201.fc19.x86_64.debug is a directory checking modpath /lib/modules/3.11.3-201.fc19.x86_64 is a directory checking modpath /lib/modules/3.10.4-300.fc19.x86_64 is a directory picked kernel vmlinuz-3.11.3-201.fc19.x86_64.debug supermin helper [00000ms] finished creating kernel supermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d supermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/base.img.gz supermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/daemon.img.gz supermin helper [00000ms] visiting /usr/lib64/guestfs/supermin.d/hostfiles supermin helper [00034ms] visiting /usr/lib64/guestfs/supermin.d/init.img supermin helper [00034ms] visiting /usr/lib64/guestfs/supermin.d/udev-rules.img supermin helper [00034ms] adding kernel modules supermin helper [00057ms] finished creating appliance libguestfs: checksum of existing appliance: 99bb62d113ed75d1820f737d1dfbe9eea04a3e8e118bba5549bed542dbd93c0c libguestfs: trace: get_cachedir libguestfs: trace: get_cachedir = "/var/tmp" libguestfs: command: run: qemu-img libguestfs: command: run: \ create libguestfs: command: run: \ -f qcow2 libguestfs: command: run: \ -b /var/tmp/.guestfs-0/root.32586 libguestfs: command: run: \ -o backing_fmt=raw libguestfs: command: run: \ /tmp/libguestfsHHwaWo/snapshot1 Formatting '/tmp/libguestfsHHwaWo/snapshot1', fmt=qcow2 size=4294967296 backing_file='/var/tmp/.guestfs-0/root.32586' backing_fmt='raw' encryption=off cluster_size=65536 lazy_refcounts=off libguestfs: command: run: qemu-img libguestfs: command: run: \ create libguestfs: command: run: \ -f qcow2 libguestfs: command: run: \ -b /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2 libguestfs: command: run: \ /tmp/libguestfsHHwaWo/snapshot2 Formatting '/tmp/libguestfsHHwaWo/snapshot2', fmt=qcow2 size=15032385536 backing_file='/run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2' encryption=off cluster_size=65536 lazy_refcounts=off libguestfs: [00243ms] create libvirt XML libguestfs: trace: get_cachedir libguestfs: trace: get_cachedir = "/var/tmp" libguestfs: libvirt XML:\n<?xml version="1.0"?>\n<domain type="kvm" xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0">\n <name>guestfs-pamlcgfvpwkqi1zh</name>\n <memory unit="MiB">500</memory>\n <currentMemory unit="MiB">500</currentMemory>\n <cpu mode="host-passthrough">\n <model fallback="allow"/>\n </cpu>\n <vcpu>1</vcpu>\n <clock offset="utc">\n <timer name="kvmclock" present="yes"/>\n </clock>\n <os>\n <type>hvm</type>\n <kernel>/var/tmp/.guestfs-0/kernel.32586</kernel>\n <initrd>/var/tmp/.guestfs-0/initrd.32586</initrd>\n <cmdline>panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm-256color</cmdline>\n </os>\n <on_reboot>destroy</on_reboot>\n <devices>\n <controller type="scsi" index="0" model="virtio-scsi"/>\n <disk device="disk" type="file">\n <source file="/tmp/libguestfsHHwaWo/snapshot2"/>\n <target dev="sda" bus="scsi"/>\n <driver name="qemu" type="qcow2" cache="writeback"/>\n <address type="drive" controller="0" bus="0" target="0" unit="0"/>\n </disk>\n <disk type="file" device="disk">\n <source file="/tmp/libguestfsHHwaWo/snapshot1"/>\n <target dev="sdb" bus="scsi"/>\n <driver name="qemu" type="qcow2" cache="unsafe"/>\n <address type="drive" controller="0" bus="0" target="1" unit="0"/>\n <shareable/>\n </disk>\n <serial type="unix">\n <source mode="connect" path="/tmp/libguestfsHHwaWo/console.sock"/>\n <target port="0"/>\n </serial>\n <channel type="unix">\n <source mode="connect" path="/tmp/libguestfsHHwaWo/guestfsd.sock"/>\n <target type="virtio" name="org.libguestfs.channel.0"/>\n </channel>\n </devices>\n <qemu:commandline>\n <qemu:env name="TMPDIR" value="/var/tmp"/>\n </qemu:commandline>\n</domain>\n libguestfs: trace: get_cachedir libguestfs: trace: get_cachedir = "/var/tmp" libguestfs: command: run: ls libguestfs: command: run: \ -a libguestfs: command: run: \ -l libguestfs: command: run: \ -Z /var/tmp/.guestfs-0 libguestfs: drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 . libguestfs: drwxrwxrwt. root root system_u:object_r:tmp_t:s0 .. libguestfs: -rwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 checksum libguestfs: -rw-r--r--. root root system_u:object_r:virt_content_t:s0 initrd libguestfs: -rw-r--r--. root root system_u:object_r:virt_content_t:s0 initrd.32586 libguestfs: -rw-r--r--. root root system_u:object_r:virt_content_t:s0 kernel libguestfs: -rw-r--r--. root root system_u:object_r:virt_content_t:s0 kernel.32586 libguestfs: -rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 root libguestfs: -rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 root.32586 libguestfs: command: run: ls libguestfs: command: run: \ -a libguestfs: command: run: \ -l libguestfs: command: run: \ -Z /tmp/libguestfsHHwaWo libguestfs: drwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 . libguestfs: drwxrwxrwt. root root system_u:object_r:tmp_t:s0 .. libguestfs: srw-rw----. root qemu unconfined_u:object_r:user_tmp_t:s0 console.sock libguestfs: srw-rw----. root qemu unconfined_u:object_r:user_tmp_t:s0 guestfsd.sock libguestfs: -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 snapshot1 libguestfs: -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 snapshot2 libguestfs: -rwxr-xr-x. root root unconfined_u:object_r:user_tmp_t:s0 umask-check libguestfs: [00249ms] launch libvirt guest libguestfs: error: could not create appliance through libvirt: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/tmp/libguestfsHHwaWo/snapshot2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=writeback: could not open disk image /tmp/libguestfsHHwaWo/snapshot2: Permission denied [code=1 domain=10] libguestfs: trace: launch = -1 (error) libguestfs: trace: close libguestfs: closing guestfs handle 0x7fb2bb6aa350 (state 0) libguestfs: command: run: rm libguestfs: command: run: \ -rf /tmp/libguestfsHHwaWo Expected results: ----------------- Libguestfs appliance should be created successfully Additional info: ---------------- Libguestfs successfully creates an appliance, if I run the tool as the user: $ id uid=1000(kashyap) gid=1000(kashyap) groups=1000(kashyap),989(mock) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 $ getenforce Permissive Ensure to use 'libvirt' backend: $ export LIBGUESTFS_BACKEND=libvirt Run any of libguestfs tools (e.g. virt-df): $ cd \ /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ $ virt-df -a ostack-compute.qcow2 Filesystem Size Used Available Use% ostack-compute.qcow2:/dev/sda1 476M 82M 365M 18% ostack-compute.qcow2:/dev/sdora/root 12G 4.1G 7.0G 35% Related bug: https://bugzilla.redhat.com/show_bug.cgi?id=921292
There should be a file: ~/.cache/libvirt/qemu/log/guestfs-pamlcgfvpwkqi1zh.log Can you attach it here as it will probably have more information. That said, I believe this is going to be a regular permissions problem, although the error message printed by libvirt/qemu could certainly be better. It's not SELinux, but is it possible that root simply can't open the disk image because of something to do with the media (VFAT?) or where it is mounted? You could try running (as root): md5sum /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2
(In reply to Richard W.M. Jones from comment #1) > There should be a file: > > ~/.cache/libvirt/qemu/log/guestfs-pamlcgfvpwkqi1zh.log I don't see such a file. I retried, but still I don't see the cache log: ==== kashyap@~$ export LIBGUESTFS_BACKEND=libvirt kashyap@~$ export LIBGUESTFS_DEBUG=1 kashyap@~$ export LIBGUESTFS_TRACE=1 kashyap@~$ sudo virt-df -a /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2 -h libguestfs: error: could not create appliance through libvirt: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/tmp/libguestfsTYoexl/snapshot2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=writeback: could not open disk image /tmp/libguestfsTYoexl/snapshot2: Permission denied [code=1 domain=10] kashyap@~$ ls ~/.cache/libvirt/qemu/log kashyap@~$ ==== Re-ran virt-df as just user, the log file is present: ====== kashyap@~$ cat ~/.cache/libvirt/qemu/log/guestfs-i8blgo23hpd03kaj.log 2013-12-16 10:52:30.313+0000: starting up LC_ALL=C PATH=/usr/lib64/qt-3.3/bin:/usr/lib64/ccache:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/home/kashyap/.local/bin:/home/kashyap/bin HOME=/home/kashyap USER=kashyap LOGNAME=kashyap QEMU_AUDIO_DRV=none TMPDIR=/var/tmp /usr/bin/qemu-kvm -name guestfs-i8blgo23hpd03kaj -S -machine pc-i440fx-1.6,accel=kvm,usb=off -cpu host,+kvmclock -m 500 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 9713bc40-4724-4670-a2e3-c814fd5bf777 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/home/kashyap/.config/libvirt/qemu/lib/guestfs-i8blgo23hpd03kaj.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-reboot -no-acpi -kernel /var/tmp/.guestfs-1000/kernel.9033 -initrd /var/tmp/.guestfs-1000/initrd.9033 -append panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm-256color -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x3 -drive file=/tmp/libguestfss0Taph/snapshot2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=writeback -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 -drive file=/tmp/libguestfss0Taph/snapshot1,if=none,id=drive-scsi0-0-1-0,format=qcow2,cache=unsafe -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=1,lun=0,drive=drive-scsi0-0-1-0,id=scsi0-0-1-0 -chardev socket,id=charserial0,path=/tmp/libguestfss0Taph/console.sock -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/tmp/libguestfss0Taph/guestfsd.sock -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.libguestfs.channel.0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 Domain id=2 is tainted: custom-argv Domain id=2 is tainted: host-cpu qemu: terminating on signal 15 from pid 9036 2013-12-16 10:52:34.591+0000: shutting down ====== > > Can you attach it here as it will probably have more > information. > > That said, I believe this is going to be a regular permissions > problem, although the error message printed by libvirt/qemu could > certainly be better. Agreed. > It's not SELinux, but is it possible that > root simply can't open the disk image because of something to > do with the media (VFAT?) No, it's ext4. > or where it is mounted? You could try > running (as root): > > md5sum > /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack- > compute.qcow2 $ root@~$ md5sum /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2 812f043f78fdafdba4a1705e98eb1954 /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2
Created attachment 837215 [details] guestfs-pamlcgfvpwkqi1zh.log - from /var/log/libvirt/qemu
Actually, I was forgetting something. When libvirt runs as root, it will run qemu as user qemu.qemu, so if qemu.qemu cannot access the disk then you'll have a problem. You could try: su - qemu md5sum /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack-compute.qcow2 or just examine the permissions on the file *and every parent directory* to see if qemu would be allowed to open that file.
(In reply to Richard W.M. Jones from comment #4) > Actually, I was forgetting something. When libvirt runs as root, > it will run qemu as user qemu.qemu, so if qemu.qemu cannot access > the disk then you'll have a problem. You could try: > > su - qemu > md5sum > /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ostack-images/ostack- > compute.qcow2 > > or just examine the permissions on the file *and every > parent directory* to see if qemu would be allowed to open > that file. Right - the disk image itself has qemu:qemu on the media: $ ls -lash ostack-compute.qcow2 11G -rw-r--r--. 1 qemu qemu 15G Dec 13 11:12 ostack-compute.qcow2 Parent dir: $ ls -lash /run/media/kashyap/2bad4c53-36d1-4f61-b89f-018011ee5912/ \ | grep ostack-images 4.0K drwxr-xr-x. 3 kashyap kashyap 4.0K Dec 15 20:14 ostack-images The media itself: $ ls -lash /run/media/kashyap/ total 4.0K 0 drwxr-x---+ 3 root root 60 Dec 16 09:52 . 0 drwxr-xr-x. 3 root root 60 Dec 16 09:34 .. 4.0K drwxr-xr-x. 13 500 500 4.0K Dec 14 22:10 2bad4c53-36d1-4f61- b89f-018011ee5912 Feel free to close this as permissions issue.
Dan: At the moment libvirt runs qemu as qemu.qemu (or a setting chosen from /etc/libvirt/qemu.conf), if run as root. I'm not disputing that this is the best thing to do for regular virtual machines. However it's somewhat unexpected from a libguestfs point of view, since in normal (non-root) cases qemu runs as the user, and people often run libguestfs / virt tools as root as a "just do it" toggle. I have in fact run into this issue myself, and have forgetten about it too. Added to this, qemu upstream now produces better error messages. However nothing in the error says that qemu is running as a non-root user. So, I think it should be possible to override the user/group setuid stuff programmatically, not just through a config file. Or perhaps we can tell libvirt to ignore the config file? What do you think?
You should already be able to override this with a security label <seclabel type='static' model='dac' relabel='no'> <label>root:qemu</label> </seclabel> IIRC you have to have either the user or group remain as 'qemu' but the other can be changed to say 'root'.
Another instance of it with 'libvirt' backend: $ virt-builder fedora-20 [ 2.0] Downloading: http://libguestfs.org/download/builder/fedora-20.xz ####################################################################### 100.0% [ 813.0] Creating disk image: fedora-20.img [ 813.0] Uncompressing: http://libguestfs.org/download/builder/fedora-20.xz [ 828.0] Opening the new disk virt-builder: libguestfs error: could not create appliance through libvirt. Try using the direct backend to run qemu directly without libvirt, by setting the LIBGUESTFS_BACKEND=direct environment variable.: internal error: process exited while connecting to monitor: qemu-system-x86_64: -drive file=/root/fedora-20.img,if=none,id=drive-scsi0-0-0-0,format=raw,cache=unsafe: could not open disk image /root/fedora-20.img: Could not open '/root/f edora-20.img': Permission denied [code=1 domain=10] $ getenforce Permissive $ rpm -q libguestfs-tools-c libguestfs-tools-c-1.24.2-1.fc20.x86_64 $ ls -lash ~/.cache/virt-builder/ total 175M 4.0K drwxr-xr-x. 2 root root 4.0K Dec 19 15:52 . 4.0K dr-xr-x---. 5 root root 4.0K Dec 19 15:38 .. 175M -rw-r--r--. 1 root root 175M Dec 19 15:52 fedora-20.1 With direct QEMU appliance, works fine: $ export LIBGUESTFS_BACKEND=direct $ virt-builder fedora-20 [ 1.0] Downloading: http://libguestfs.org/download/builder/fedora-20.xz [ 2.0] Creating disk image: fedora-20.img [ 3.0] Uncompressing: http://libguestfs.org/download/builder/fedora-20.xz [ 16.0] Opening the new disk [ 25.0] Setting a random seed [ 25.0] Random root password: bRijv0QzPEGcNfWf [did you mean to use --root-password?] [ 25.0] Finishing off Output: fedora-20.img Total usable space: 5.2G Free space: 4.5G (86%)
Created attachment 838980 [details] 0001-launch-libvirt-Run-qemu-as-root-when-libguestfs-runs.patch I tried the attached patch which does a couple of things: (1) Use root:root DAC label. (2) Remove the code for chown/chmod the sockets. However this doesn't work because qemu cannot connect to the libvirt *monitor* : qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/guestfs-5keemr09uswfgev8.monitor,server,nowait: Failed to bind socket: Permission denied qemu-system-x86_64: -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/guestfs-5keemr09uswfgev8.monitor,server,nowait: chardev: opening backend "socket" failed I have verified that the DAC label is effective, ie. that qemu really does run as root.root. I did this by: $ while true; do ps -eo pid,uid,gid,euid,egid,args | grep '[q]emu'; done [...] 14270 0 0 0 0 /usr/bin/qemu-system-x86_64 -machine accel=kvm -name guestfs-5keemr09uswfgev8 -S -machine pc-i440fx-1.7,accel=kvm,usb=off -cpu host,+kvmclock -m 500 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid ae97eda2-7bb3-43ed-8e7f-9b4a5d27f1ae -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/guestfs-5keemr09uswfgev8.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-reboot -no-acpi -kernel /home/rjones/d/libguestfs/tmp/.guestfs-0/kernel.12917 -initrd /home/rjones/d/libguestfs/tmp/.guestfs-0/initrd.12917 -append panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_network=1 TERM=xterm-256color -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x3 -drive file=/root/f19,if=none,id=drive-scsi0-0-0-0,format=raw,cache=unsafe -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 -drive file=/home/rjones/d/libguestfs/tmp/libguestfsfjWgfU/snapshot1,if=none,id=drive-scsi0-0-1-0,format=qcow2,cache=unsafe -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=1,lun=0,drive=drive-scsi0-0-1-0,id=scsi0-0-1-0 -chardev socket,id=charserial0,path=/home/rjones/d/libguestfs/tmp/libguestfsfjWgfU/console.sock -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/home/rjones/d/libguestfs/tmp/libguestfsfjWgfU/guestfsd.sock -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.libguestfs.channel.0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 -netdev user,id=usernet,net=169.254.0.0/16 -device virtio-net-pci,netdev=usernet I have also checked and it's not SELinux. I don't understand why a root.root process would have problems opening any file ...
Apparently, libvirt strips Linux process capabilities from qemu.
I think the actionable bit here was filed as https://bugzilla.redhat.com/show_bug.cgi?id=1045039 , so just duping to that. Please reopen if I missed something though *** This bug has been marked as a duplicate of bug 1045039 ***