Emmanuel Kasper
2020-Dec-29 17:09 UTC
Unexplicable permission error when trying to read a qemu firmware file
Hi,

I want to create a CoreOS VM following the steps mentioned at https://docs.fedoraproject.org/en-US/fedora-coreos/getting-started, using a Debian 11 (bullseye) system.

I am thus creating a VM with the following virt-install command:

    virt-install --connect="qemu:///system" --name=coreos \
        --vcpus=2 --memory=2048 \
        --os-variant=fedora29 --import --graphics=none \
        --disk="size=10,backing_store=$PWD/fedora-coreos-33.20201201.3.0-qemu.x86_64.qcow2" \
        --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/tmp/example.ign"

which spits some warnings and this mysterious error:

    2020-12-29T16:52:03.858938Z qemu-system-x86_64: warning: host doesn't support requested feature: MSR(48FH).vmx-exit-load-perf-global-ctrl [bit 12]
    2020-12-29T16:52:03.858941Z qemu-system-x86_64: warning: host doesn't support requested feature: MSR(490H).vmx-entry-load-perf-global-ctrl [bit 13]
    2020-12-29T16:52:03.864778Z qemu-system-x86_64: -fw_cfg name=opt/com.coreos/config,file=/tmp/example.ign: can't load /tmp/example.ign: Failed to open file “/tmp/example.ign”: Permission denied

The file /tmp/example.ign is perfectly world readable,

    -rw-rw-rw- 1 manu manu 1130 Dec 29 17:23 /tmp/example.ign

so I am puzzled at what could cause this permission error.

On a RHEL8 system, I had the same error, and was able to fix it by setting a security context on the firmware file:

    sudo semanage fcontext --add --type virt_content_t /tmp/example.ign
    restorecon /tmp/example.ign

Now this Debian system does not have SELinux installed at all.

    ls -dZ /
    ? /

I could also read the qemu firmware file when using the qemu:///session connection.

Any pointers where to look?

Emmanuel
Michal Privoznik
2021-Jan-04 19:07 UTC
Unexplicable permission error when trying to read a qemu firmware file
On 12/29/20 6:09 PM, Emmanuel Kasper wrote:
> Hi
>
> I want to create a CoreOS VM following the steps mentioned at
> https://docs.fedoraproject.org/en-US/fedora-coreos/getting-started,
> using a Debian 11 (bullseye) system.
> I am thus creating a VM with the following virt-install command:
>
> virt-install --connect="qemu:///system" --name=coreos \
> --vcpus=2 --memory=2048 \
> --os-variant=fedora29 --import --graphics=none \
>
> --disk="size=10,backing_store=$PWD/fedora-coreos-33.20201201.3.0-qemu.x86_64.qcow2"
> \
> --qemu-commandline="-fw_cfg
> name=opt/com.coreos/config,file=/tmp/example.ign"

1: this ^^

>
> which spits some warnings and this mysterious error
>
> 2020-12-29T16:52:03.858938Z qemu-system-x86_64: warning: host doesn't
> support requested feature: MSR(48FH).vmx-exit-load-perf-global-ctrl [bit 12]
> 2020-12-29T16:52:03.858941Z qemu-system-x86_64: warning: host doesn't
> support requested feature: MSR(490H).vmx-entry-load-perf-global-ctrl
> [bit 13]

I don't know what these are, sorry.

>
> 2020-12-29T16:52:03.864778Z qemu-system-x86_64: -fw_cfg
> name=opt/com.coreos/config,file=/tmp/example.ign: can't load
> /tmp/example.ign: Failed to open file “/tmp/example.ign”: Permission denied

But this is expected.

>
> the file /tmp/example.ign is perfectly world readable,
> -rw-rw-rw- 1 manu manu 1130 Dec 29 17:23 /tmp/example.ign

This doesn't matter. It's SELinux that's giving you the error (as you've found out). The problem here is [1]. If you bypass libvirt and put something right onto qemu's command line then libvirt blindly puts it there. No checks, no DAC/SELinux relabel, nothing.

But I've implemented support for ignition files here:

https://gitlab.com/libvirt/libvirt/-/commit/3dda889a4426bb3555b1d8861d8314f82d8e1ef9

So what you need instead is:

    <sysinfo type='fwcfg'>
      <entry name='opt/com.coreos/config' file='/tmp/example.ign'/>
    </sysinfo>

This will make libvirt set correct labels and everything. I'm not sure whether virt-install supports that though, sorry.

Michal
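
The change suggested in the reply above, as an added example that is not part of the thread or of libvirt: a Python sketch that takes a domain XML (as from `virsh dumpxml`), finds `-fw_cfg name=...,file=...` passthrough arguments and moves them into a `<sysinfo type='fwcfg'>` element so that libvirt manages the file's labels. It assumes the passthrough is stored as consecutive `qemu:arg` elements in libvirt's QEMU namespace; `migrate_fw_cfg` and the sample domain are constructed for illustration.

```python
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
ET.register_namespace("qemu", QEMU_NS)

# Constructed sample: a --qemu-commandline passthrough as it appears in domain XML.
SAMPLE_DOMAIN = """\
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>coreos</name>
  <qemu:commandline>
    <qemu:arg value='-fw_cfg'/>
    <qemu:arg value='name=opt/com.coreos/config,file=/tmp/example.ign'/>
  </qemu:commandline>
</domain>
"""

def parse_opts(value):
    """Split 'k=v,k=v' into a dict (paths containing commas are not handled)."""
    return dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)

def migrate_fw_cfg(domain_xml):
    """Return (new_xml, [(name, file), ...]) with file-backed fw_cfg args moved
    into <sysinfo type='fwcfg'>. Other passthrough arguments are left in place."""
    root = ET.fromstring(domain_xml)
    moved = []
    for cmdline in root.findall(f"{{{QEMU_NS}}}commandline"):
        args = list(cmdline)
        i = 0
        while i < len(args) - 1:
            opts = parse_opts(args[i + 1].get("value", ""))
            if args[i].get("value") == "-fw_cfg" and {"name", "file"} <= opts.keys():
                moved.append((opts["name"], opts["file"]))
                cmdline.remove(args[i])
                cmdline.remove(args[i + 1])
                i += 2
            else:
                i += 1
        if len(cmdline) == 0:          # nothing left to pass through
            root.remove(cmdline)
    if moved:
        sysinfo = root.find("sysinfo[@type='fwcfg']")
        if sysinfo is None:
            sysinfo = ET.SubElement(root, "sysinfo", {"type": "fwcfg"})
        for name, path in moved:
            ET.SubElement(sysinfo, "entry", {"name": name, "file": path})
    return ET.tostring(root, encoding="unicode"), moved

if __name__ == "__main__":
    print(migrate_fw_cfg(SAMPLE_DOMAIN)[0])
```

The resulting XML can be reviewed and then loaded with `virsh define`.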