Description of problem:
Failed to start an instance using virt-manager GUI, and see some libvirt errors.

Error starting domain: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied

Version-Release number of selected component (if applicable):
OS: Fedora 16, 64 bit
libvirt: 0.9.6.2
virt-manager: 9.9.4

How reproducible:
Always.

Steps to Reproduce:
1. Deploy a VM using the OpenStack Nova component.
   $ nova boot --image 64298b19-0438-4c53-8260-a2acb3be621f --flavor 1 myserver1
2. Open virt-manager GUI.
3. Run this instance

Actual results:
Can't run this instance due to libvirt error.

Expected results:
It should run the instance successfully.

Additional info:
---Errors in virt-manager
Error starting domain: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied

Details:
Error starting domain: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 96, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 117, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1090, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 510, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied
----------
---Errors in libvirt.log
2012-09-10 06:14:46.653+0000: 9409: warning : qemuDomainObjTaint:1111 : Domain id=7 name='instance-00000001' uuid=0a5fd036-fa25-4d4a-9419-ca5aac1a4ae6 is tainted: high-privileges
2012-09-10 06:14:46.812+0000: 9409: error : qemuProcessReadLogOutput:969 : internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied
------
This happens because of SELinux. So the workaround is disabling SELinux (setenforce 0). You can also add a rule to enable access to the resources it wants to access.
Hmm, further investigating I found that the problem probably happens only when having instances on NFS. And it looks like a NOTABUG.

Checking for `denied`

[root@node-01 ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1358884285.083:886): avc: denied { open } for pid=3742 comm="qemu-kvm" name="console.log" dev=0:13 ino=11534395 scontext=unconfined_u:system_r:svirt_t:s0:c33,c736 tcontext=system_u:object_r:nfs_t:s0 tclass=file

Finding out how to solve it

[root@node-01 ~]# grep denied /var/log/audit/audit.log | audit2allow

#============= svirt_t ==============
#!!!! This avc can be allowed using the boolean 'virt_use_nfs'
allow svirt_t nfs_t:file open;

After setsebool virt_use_nfs=true, the instance boots fine.
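The triage step in the comment above (pull the AVC denials out of the audit log and read off the source and target types) as an added Python example; it is not part of the original bug report. The first sample record is the denial quoted above, the other three records and all function names are constructed for illustration.

```python
import re

# Record 1 is the denial quoted in the comment; records 2-4 are constructed test input.
SAMPLE_LOG = """\
type=AVC msg=audit(1358884285.083:886): avc: denied { open } for pid=3742 comm="qemu-kvm" name="console.log" dev=0:13 ino=11534395 scontext=unconfined_u:system_r:svirt_t:s0:c33,c736 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1358884290.100:901): avc: denied { read write } for pid=3801 comm="qemu-kvm" name="disk" dev=0:13 ino=11534399 scontext=unconfined_u:system_r:svirt_t:s0:c12,c400 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1358884300.500:910): avc: denied { getattr } for pid=4100 comm="httpd" name="index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1358884300.500:910): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_denials(log_text):
    """Yield one dict per AVC denial; non-AVC records are skipped."""
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": m.group("perms").split(),  # "{ read write }" -> two perms
                "comm": m.group("comm"),
                "source": selinux_type(m.group("scontext")),
                "target": selinux_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
            }

def svirt_nfs_denials(log_text):
    """Denials where a confined guest (svirt_t) touched an NFS-labelled object."""
    return [d for d in parse_denials(log_text)
            if d["source"] == "svirt_t" and d["target"] == "nfs_t"]

if __name__ == "__main__":
    for d in svirt_nfs_denials(SAMPLE_LOG):
        print(f'{d["comm"]}: {" ".join(d["perms"])} on {d["tclass"]} '
              f'({d["source"]} -> {d["target"]}); check boolean virt_use_nfs')
```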
(In reply to comment #3)
> After setsebool virt_use_nfs=true, the instance boots fine.

Yes this is a current requirement for SELINUX + NFS with libvirt. We should make sure this is included in OpenStack documentation talking about NFS.

Once we get to RHEL-7, this should no longer be required since QEMU will let libvirt pass it pre-opened file descriptors.
Since this is just a configuration issue for setting the selinux boolean when using NFS for virt images, I'm going to move this to the documentation component to make sure our docs mention somewhere "If you're using NFS as a backend for vm disk images be sure to run setsebool virt_use_nfs=true"
Closing this out, doesn't apply to GSG (PackStack deployments won't use NFS) and has been covered already in ICG.