Description of problem:
The USB passthrough via hostdev element doesn't work when qemu is set to run under non-root user (user = "qemu" in /etc/libvirt/qemu.conf).
Example of used XML:
    <hostdev managed="yes" mode="subsystem" type="usb">
      <source>
        <address bus="2" device="1"/>
      </source>
    </hostdev>
    <hostdev managed="yes" mode="subsystem" type="usb">
      <source>
        <address bus="3" device="1"/>
      </source>
    </hostdev>
where the addresses point to USB mouse and USB mass storage device. None of the devices are visible in guest's lsusb when the process runs under the "qemu" user, both of them are visible when running under root.
Version-Release number of selected component (if applicable):
libvirt-1.2.17-2.el7.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Change qemu to run under "qemu" user,
2. attach USB device via hostdev element to the domain,
3. start the domain.
Actual results:
USB device is missing in the guest
Expected results:
USB device is visible and usable in guest
Additional info:
Works as expected under root user.
It works for me with:
    selinux-policy-3.13.1-34.el7.noarch
    libvirt-daemon-1.2.17-2.el7.x86_64
    qemu-kvm-rhev-2.3.0-13.el7.x86_64
Is there anything useful in the machine log in /var/log/libvirt/qemu/?
Does it work with SELinux in permissive mode?
If SELinux is enforcing, is virt_use_usb set?
    # getsebool virt_use_usb
    virt_use_usb --> on
Can you attach the whole domain XML and the part of audit.log related to domain startup?
After further investigation, the issue is caused by dynamic_ownership=0 in /etc/libvirt/qemu.conf. Using dynamic_ownership=1 does work as expected.
(In reply to Martin Polednik from comment #3)
> After further investigation, the issue is caused by dynamic_ownership=0 in
> /etc/libvirt/qemu.conf.
>
> Using dynamic_ownership=1 does work as expected.
That is explicitly disabled by vdsm. Don't remember why. Dan?
With dynamic_ownership=1 libvirtd (running as root) attempted to chown NFS-mounted images. This fails on rootsquash NFS mounts. I see in bug 810241 that libvirt's semantics have been refined a bit since then, so it may be that this is no longer needed for that. There might have been other reasons for dynamic_ownership=0, but neither I nor git nor bugzilla remember them. It has been introduced long ago (bug 554961) and has been like that in oVirt ever since. A change to 1 requires proper regression check of file/block storage.
I can reproduce it.
version:
libvirt-1.2.17-3.el7.x86_64
reproduce steps:
1. change user in qemu.conf
    user = "qemu"
    group = "qemu"
    dynamic_ownership = 0
2. add user qemu
    # useradd qemu -g qemu
3. prepare a guest with OS
4. prepare two usb devices on host:
    # lsusb
    Bus 001 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade
    Bus 002 Device 009: ID 1005:b113 Apacer Technology, Inc. Handy Steno/AH123 / Handy Steno 2.0/HT203
   check usb device ownership:
    # ls /dev/bus/usb/001/003 -alZ
    crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/001/003
    # ls /dev/bus/usb/002/009 -alZ
    crw-rw-r--. root root system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/009
5. attach usb devices to guest
    # cat usb2.xml
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <address bus='1' device='3'/>
      </source>
      <boot order='4'/>
    </hostdev>
    # virsh attach-device usb usb2.xml
    Device attached successfully
    # cat usb3.xml
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <vendor id='0x1005'/>
        <product id='0xb113'/>
      </source>
    </hostdev>
    # virsh attach-device usb usb3.xml
    Device attached successfully
    # virsh dumpxml usb |grep hostdev -A 9
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <address bus='1' device='3'/>
      </source>
      <alias name='hostdev0'/>
    </hostdev>
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <vendor id='0x1005'/>
        <product id='0xb113'/>
        <address bus='2' device='9'/>
      </source>
      <alias name='hostdev1'/>
    </hostdev>
6. login into guest to check:
    # lsusb
   CANNOT find usb devices.
7. check the ownership again:
    # ls /dev/bus/usb/001/003 -alZ
    crw-rw-r--. root root system_u:object_r:svirt_image_t:s0:c179,c596 /dev/bus/usb/001/003
    [root@184pzhang usb]# ls /dev/bus/usb/002/009 -alZ
    crw-rw-r--. root root system_u:object_r:svirt_image_t:s0:c179,c596 /dev/bus/usb/002/009
additional info:
1> If I change the ownership of usb devices, it will be OK
    # chown qemu:qemu /dev/bus/usb/002/009
    # ls /dev/bus/usb/002/009 -alZ
    crw-rw-r--. qemu qemu system_u:object_r:usb_device_t:s0 /dev/bus/usb/002/009
    # virsh attach-device usb usb2.xml
    Device attached successfully
   login guest use lsusb to check,
    # lsusb
   The usb device could be found in guest.
2> If I set dynamic_ownership = 1
   Then I attach the usb device to guest and start the guest:
    # virsh dumpxml usb | grep hostdev -A 9
    <hostdev mode='subsystem' type='usb' managed='yes'>
      <source>
        <address bus='1' device='3'/>
      </source>
      <alias name='hostdev0'/>
    </hostdev>
    # ls /dev/bus/usb/001/003 -alZ
    crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c363,c560 /dev/bus/usb/001/003
   login guest to check
    # lsusb
   usb device can be found in guest.
With dynamic_ownership disabled, libvirt obviously does not change the ownership of the device.
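The ownership problem discussed above can be checked before a guest is started. The script below is an added example, not code from this bug report, libvirt or vdsm: it reads user and dynamic_ownership from a qemu.conf and decides from a USB node's owner, group and mode whether that user gets read-write access. All function names are hypothetical. Assumptions: only the user's primary group is considered, SELinux is not evaluated, and an unset dynamic_ownership is treated as 1 (the default in libvirt's stock qemu.conf).

```shell
#!/bin/sh
# Added example (not from the bug report): predict whether the QEMU user can
# open a USB device node read-write, given qemu.conf and the node's DAC bits.

# conf_get FILE KEY -> last uncommented value of KEY, comment and quotes stripped
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# usb_node BUS DEV -> node for <address bus='B' device='D'/> (decimal, no leading zeros)
usb_node() { printf '/dev/bus/usb/%03d/%03d\n' "$1" "$2"; }

# dac_rw OWNER_UID OWNER_GID MODE UID GID -> exit 0 if UID/GID gets read+write.
# Assumption: only the primary group is compared, supplementary groups are ignored.
dac_rw() {
    [ "$4" -eq 0 ] && return 0              # root is not limited by the mode bits
    m=$((0$3))                              # octal mode as printed by `stat -c %a`
    if   [ "$4" -eq "$1" ]; then bits=$(( (m >> 6) & 7 ))   # owner class
    elif [ "$5" -eq "$2" ]; then bits=$(( (m >> 3) & 7 ))   # group class
    else                         bits=$(( m & 7 ))          # other class
    fi
    [ $(( bits & 6 )) -eq 6 ]
}

# verdict CONF OWNER_UID OWNER_GID MODE QEMU_UID QEMU_GID
# prints: ok | ok-libvirt-chowns | denied
verdict() {
    dyn=$(conf_get "$1" dynamic_ownership)
    if dac_rw "$2" "$3" "$4" "$5" "$6"; then echo ok
    elif [ "${dyn:-1}" = 1 ]; then echo ok-libvirt-chowns   # libvirt will chown the node
    else echo denied                                        # nobody fixes the ownership
    fi
}

# Live check on a host (needs `user` set in CONF): check_hostdev /etc/libvirt/qemu.conf 1 3
check_hostdev() {
    node=$(usb_node "$2" "$3"); user=$(conf_get "$1" user)
    set -- "$1" $(stat -c '%u %g %a' "$node") "$(id -u "$user")" "$(id -g "$user")"
    echo "$node as $user: $(verdict "$@")"
}
```

A result of denied with dynamic_ownership = 0 means the management layer has to grant access to the node itself, for instance through a udev rule or an explicit chown, before the device is attached.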
*** Bug 1261075 has been marked as a duplicate of this bug. ***
Fixed.
Verification scenario:
1. attach USB keyboard and mouse to VFIO VM and verify devices functionality.
2. Attach USB live image to VM and install VM.
Verification version:
    rhevm-3.6.0.1-0.1.el6
    sanlock-3.2.4-1.el7.x86_64
    vdsm-4.17.9-1.el7ev.noarch
    qemu-kvm-rhev-2.3.0-31.el7.x86_64
    libvirt-client-1.2.17-5.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-0362.html