Bug 1654364 - Permission denied when starting UEFI based VM on oVirt 4.3.0_alpha
Summary: Permission denied when starting UEFI based VM on oVirt 4.3.0_alpha
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Michal Skrivanek
QA Contact: meital avital
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-28 15:29 UTC by Rob Sanders
Modified: 2019-01-14 10:28 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-14 10:28:21 UTC
oVirt Team: Virt
Embargoed:

Attachments (Terms of Use)

Description Rob Sanders 2018-11-28 15:29:05 UTC 
I've upgraded my test cluster to 4.3.0_alpha. I've created a new UEFI based VM and it fails to start:

web console error:

VM 7.6_Template is down with error. Exit message: internal error: process exited while connecting to monitor: 2018-11-28T15:16:57.823968Z qemu-kvm: -drive file=/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd,if=pflash,format=raw,unit=1: Could not open '/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd': Permission denied.



VDSM log error:

...
    <os>
        <type arch="x86_64" machine="q35">hvm</type>
        <smbios mode="sysinfo"/>
        <loader readonly="yes" secure="no" type="pflash">/usr/share/OVMF/OVMF_CODE.secboot.fd</loader>
        <nvram template="/usr/share/OVMF/OVMF_VARS.fd">/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd</nvram>
        <bios useserial="yes"/>
    </os>
...

2018-11-28 15:16:51,588+0000 ERROR (vm/172900ec) [virt.vm] (vmId='172900ec-2c5c-4e78-bcd4-f26e4a63770e') The vm start process failed (vm:934)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 863, in _startUnderlyingVm
    self._run()
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 2840, in _run
    dom.createWithFlags(flags)
  File "/usr/lib/python2.7/site-packages/vdsm/common/libvirtconnection.py", line 131, in wrapper
    ret = f(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/common/function.py", line 94, in wrapper
    return func(inst, *args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1110, in createWithFlags
    if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
libvirtError: internal error: process exited while connecting to monitor: 2018-11-28T15:16:51.247871Z qemu-kvm: -drive file=/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd,if=pflash,format=raw,unit=1: Could not open '/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd': Permission denied
2018-11-28 15:16:51,588+0000 INFO  (vm/172900ec) [virt.vm] (vmId='172900ec-2c5c-4e78-bcd4-f26e4a63770e') Changed state to Down: internal error: process exited while connecting to monitor: 2018-11-28T15:16:51.247871Z qemu-kvm: -drive file=/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd,if=pflash,format=raw,unit=1: Could not open '/var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd': Permission denied (code=1) (vm:1671)
2018-11-28 15:16:51,598+0000 INFO  (vm/172900ec) [virt.vm] (vmId='172900ec-2c5c-4e78-bcd4-f26e4a63770e') Stopping connection (guestagent:454)


It looks like when the file is copied, it doesn't have the correct permissions or ownership:

ls -las /var/lib/libvirt/qemu/nvram/
528 -rw-------.  1 root root 540672 Nov 28 15:24 172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd


When I manually copy the file BEFORE starting the VM, it starts fine

cp /usr/share/OVMF/OVMF_VARS.fd /var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd; chmod 755 /var/lib/libvirt/qemu/nvram/172900ec-2c5c-4e78-bcd4-f26e4a63770e.fd;
Comment 1 Rob Sanders 2018-11-28 15:51:33 UTC 
If I'm not mistaken, it's related to this code:

https://github.com/oVirt/ovirt-engine/commit/94d249426ca26153a0ae3cfa3ebfebaadd5eb0e9#diff-d6f7100af881feb7d909f23faeda326f
Comment 2 Michal Skrivanek 2018-11-29 10:47:58 UTC 
alpha doesn't have the right dependencies yet. Try with latest libvirt from RHEL 7.6 or CentOS CR repos, it needs to be 4.5 at least, ideally libvirt-4.5.0-10.el7_6.3
Comment 3 Rob Sanders 2018-11-29 11:01:24 UTC 
Hi Michal,

I'm on libvirt-4.5.0-10.el7_6.2.x86_64 atm. As soon as el7_6.3 hits the CR I will re-test it.
Comment 4 Rob Sanders 2018-11-29 11:06:08 UTC 
Looking at the diff between 4.5.0-10.el7_6.2 and 4.5.0-10.el7_6.3 - there doesn't seem to be anything there which would fix it:

https://git.centos.org/commitdiff/rpms!libvirt.git/5ff110eabf82a06adfbb7683aa3ea1c4c5b05193
Comment 5 Rob Sanders 2019-01-14 09:00:05 UTC 
As of 4.3 RC, I can no longer reproduce this issue.
Comment 6 Michal Skrivanek 2019-01-14 10:28:21 UTC 
(In reply to Rob Sanders from comment #4)
> Looking at the diff between 4.5.0-10.el7_6.2 and 4.5.0-10.el7_6.3 - there
> doesn't seem to be anything there which would fix it:
> 
> https://git.centos.org/commitdiff/rpms!libvirt.git/
> 5ff110eabf82a06adfbb7683aa3ea1c4c5b05193

the fix is in older release, el7_6.3 was just required for other fixes. Thanks for confirmation it works with recent version
Note You need to log in before you can comment on or make changes to this bug.