Bug 855723 - Failed to start an instance - Error starting domain: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied
Status: CLOSED NOTABUG
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Getting_Started_Guide
2.1
x86_64 Linux
unspecified Severity low
: ---
: 3.0
Assigned To: Stephen Gordon
ecs-bugs
: Documentation, Triaged
Reported: 2012-09-10 02:17 EDT by ranlf
Modified: 2016-04-26 23:32 EDT
Doc Type: Bug Fix
Last Closed: 2013-05-29 17:33:29 EDT
Type: Bug
Description ranlf 2012-09-10 02:17:45 EDT
Description of problem:

Failed to start an instance using the virt-manager GUI, and saw some libvirt errors.
Error starting domain: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied


Version-Release number of selected component (if applicable):
OS: Fedora 16, 64 bit
libvirt: 0.9.6.2
virt-manager: 9.9.4

How reproducible:
Always.

Steps to Reproduce:
1. Deploy a VM using the OpenStack Nova component.
 $ nova boot --image 64298b19-0438-4c53-8260-a2acb3be621f --flavor 1 myserver1
2. Open virt-manager GUI.
3. Run this instance 
  
Actual results:
Can't run this instance due to libvirt error.

Expected results:
It should run the instance successfully.

Additional info:

---Errors in virt-manager
Error starting domain: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied
Details:
Error starting domain: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied


Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 96, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 117, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1090, in startup
    self._backend.create()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 510, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied
----------

---Errors in libvirt.log

2012-09-10 06:14:46.653+0000: 9409: warning : qemuDomainObjTaint:1111 : Domain id=7 name='instance-00000001' uuid=0a5fd036-fa25-4d4a-9419-ca5aac1a4ae6 is tainted: high-privileges
2012-09-10 06:14:46.812+0000: 9409: error : qemuProcessReadLogOutput:969 : internal error Process exited while reading console log output: chardev: opening backend "file" failed: Permission denied
------
Comment 1 Jaroslav Henner 2013-01-22 14:35:22 EST
This happens because of SELinux. So the workaround is disabling SELinux (setenforce 0). You can also add a rule to enable access to the resources it wants to access.
Comment 3 Jaroslav Henner 2013-01-22 14:58:54 EST
Hmm, further investigating I found that the problem probably happens only when having instances on NFS. And it looks like a NOTABUG. 

Checking for `denied`
[root@node-01 ~]# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1358884285.083:886): avc:  denied  { open } for  pid=3742 comm="qemu-kvm" name="console.log" dev=0:13 ino=11534395 scontext=unconfined_u:system_r:svirt_t:s0:c33,c736 tcontext=system_u:object_r:nfs_t:s0 tclass=file

Finding out how to solve it
[root@node-01 ~]# grep denied /var/log/audit/audit.log | audit2allow 


#============= svirt_t ==============

#!!!! This avc can be allowed using the boolean 'virt_use_nfs'
allow svirt_t nfs_t:file open;

After setsebool virt_use_nfs=true, the instance boots fine.
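
The diagnosis in comment 3, as an added example that is not part of the original bug report or any commenter's code: a small parser that reduces AVC denial lines to source type, target type, class and permissions, so the NFS case can be fixed with its boolean instead of `setenforce 0`. The function names `avc_summary` and `sample_log`, the hint column and the second log line are assumptions made for this example.

```sh
#!/bin/sh
# Summarise SELinux AVC denials from stdin, one line per denial:
#   <comm> <source_type> <target_type> <class> <perms> <hint>
# The hint column is this example's own convention: it names the boolean
# for the single case in this bug (svirt_t denied on nfs_t), else "review".
avc_summary() {
    awk '
    # Value of key=value in the current record, or "-" if absent.
    function field(key,    i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return "-"
    }
    # SELinux contexts are user:role:type:level; return the type.
    function setype(ctx,    parts) {
        split(ctx, parts, ":")
        return parts[3]
    }
    /type=AVC/ && /denied/ {
        comm = field("comm"); gsub(/"/, "", comm)
        src = setype(field("scontext"))
        tgt = setype(field("tcontext"))
        # Permissions are the words between the braces.
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        hint = (src == "svirt_t" && tgt == "nfs_t") ? "boolean:virt_use_nfs" : "review"
        print comm, src, tgt, field("tclass"), perms, hint
    }'
}

# First line is the denial quoted in comment 3; the second is constructed.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1358884285.083:886): avc:  denied  { open } for  pid=3742 comm="qemu-kvm" name="console.log" dev=0:13 ino=11534395 scontext=unconfined_u:system_r:svirt_t:s0:c33,c736 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1358884300.100:887): avc:  denied  { read write } for  pid=3750 comm="qemu-kvm" name="disk" dev=0:13 ino=11534396 scontext=unconfined_u:system_r:svirt_t:s0:c33,c736 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

sample_log | avc_summary
```

On a host, pipe `grep denied /var/log/audit/audit.log` into `avc_summary` instead of the sample; `setsebool -P virt_use_nfs on` makes the boolean persist across reboots.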
Comment 4 Daniel Berrange 2013-01-22 15:17:34 EST
(In reply to comment #3)
> After setsebool virt_use_nfs=true, the instance boots fine.

Yes, this is a current requirement for SELinux + NFS with libvirt. We should make sure this is included in OpenStack documentation talking about NFS.

Once we get to RHEL-7, this should no longer be required since QEMU will let libvirt pass it pre-opened file descriptors.
Comment 5 Perry Myers 2013-01-29 11:16:46 EST
Since this is just a configuration issue for setting the SELinux boolean when using NFS for virt images, I'm going to move this to the documentation component to make sure our docs mention somewhere "If you're using NFS as a backend for VM disk images be sure to run setsebool virt_use_nfs=true"
Comment 7 Stephen Gordon 2013-05-29 17:33:29 EDT
Closing this out, doesn't apply to GSG (PackStack deployments won't use NFS) and has been covered already in ICG.