Hello Michal, thank you for the reply!
I've carefully tested everything you suggested, thanks.
I set dynamic_ownership=0 and use these hooks during the live build for
permissions. (I googled a lot, and apparently libvirt needs the images to
be executable too)
chown -R libvirt-qemu:kvm /var/lib/libvirt/images
chmod -R g+rwx /var/lib/libvirt/images
Booting the live debian iso everything works in virt-manager, but again,
after clicking "run", a copy of the vm image is created in
/run/live/overlay/rw/var/lib/libvirt/images and only then does the VM start.
Either it's still being chowned or chmodded somehow, or it's something
else, but I can't stop this copy being made.
Interestingly, when I boot the Live debian iso and then copy the images
into /var/lib/libvirt/images from my USB stick, the VM starts immediately
without creating any copies in the /run/live.... directory. So my guess is
that maybe the squashfs could be the issue?
Editing the XML
<source file='/var/lib/libvirt/images/vm1.qcow2'>
<seclabel relabel='no'/>
</source>
This results in an error:
Unsupported Configuration:
Security driver model 'null' not available
Here I tried setting security_driver=none in qemu.conf but same error after.
</devices>
<seclabel type='none'/>
</domain>
This also returns an Error but I'm still googling to understand it properly.
XML document failed to validate against schema
Unable to validate doc against /usr/share/libvirt/schemas/domain.rng
Invalid element relabel for element seclabel
Extra element seclabel in interleave
Element domain failed to validate content
Thanks again so much for your helo, I've been messing with this for weeks
now and it's killing me.
On Tue, Nov 23, 2021, 9:43 PM Michal Pr?vozn?k <mprivozn at redhat.com>
wrote:
> On 11/23/21 17:25, Elias Mobery wrote:
> >
> > Hi everyone!
> >
> > I've built a Debian Live ISO with packages qemu and libvirt to run
a VM
> > in the live environment.
> >
> > The guest images are placed in /var/lib/libvirt/images and 2GB each.
> >
> > Everything works great, except for one issue.
> >
> > When starting a VM, libvirt automatically issues a chown command to
the
> > images, changing ownership.
> >
> > This results in a copy of the images being created in
> > /run/live/overlay/rw/var/lib/libvirt/images
> >
> > I don't want these copies to be made but can't stop it.
> >
> > I've tried editing qemu.conf user/group, dynamic ownership etc.
without
> > any luck.
> >
> > Is there a way to STOP libvirt from changing the ownership of these
> images?
> >
> >
>
> Setting dynamic_ownership=0 in qemu.conf is the way to go (don't forget
> to restart the daemon after you made the change).
>
> Alternatively, you can set <seclabel/> either for whole domain or
> individual disks, e.g. like this:
>
> <disk type='file' device='disk'>
> <driver name='qemu' type='qcow2'/>
> <source file='/var/lib/libvirt/images/vm1.qcow2'>
> <seclabel relabel='no'/>
> </source>
> </disk>
>
> or for whole domain:
>
> ...
> </devices>
> <seclabel type='none'/>
> </domain>
>
> I'm not sure what your setup is, but if chown() is a problem then what
> if guest tries to write onto its disk? Wouldn't that create a copy in
> overlay?
>
> Michal
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://listman.redhat.com/archives/libvirt-users/attachments/20211124/8d316c06/attachment.htm>
On 11/24/21 16:01, Elias Mobery wrote:> Hello Michal, thank you for the reply! > > I've carefully tested everything you suggested, thanks. > > I set dynamic_ownership=0 and use these hooks during the live build for > permissions. (I googled a lot, and apparently libvirt needs the images > to be executable too) > > chown -R libvirt-qemu:kvm? /var/lib/libvirt/images > chmod -R g+rwx /var/lib/libvirt/imagesI don't think this is correct. I don't have any of my images executable and still run VMs happily.> > Booting the live debian iso everything works in virt-manager, but again, > after clicking "run", a copy of the vm image is created in > /run/live/overlay/rw/var/lib/libvirt/images and only then does the VM start.So who/what creates this copy? Is this a feature of underlying FS or what exactly? It's definitely not libvirt who creates those copies.> > Either it's still being chowned or chmodded somehow, or it's something > else, but I can't stop this copy being made. > > Interestingly, when I boot the Live debian iso and then copy the images > into /var/lib/libvirt/images from my USB stick, the VM starts > immediately without creating any copies in the /run/live.... directory. > So my guess is that maybe the squashfs could be the issue? > > Editing the XML > > <source file='/var/lib/libvirt/images/vm1.qcow2'> > ? ? ? <seclabel relabel='no'/> > ? ? </source> > > This results in an error: > Unsupported Configuration: > Security driver model 'null' not available> > Here I tried setting security_driver=none in qemu.conf but same error after. > > </devices> > ? ? <seclabel type='none'/> > ? </domain>This should have been: <seclabel type='none' model='dac'/> and if you are running with SELinux you want to repeat that for model='selinux' too. Michal
On Wed, Nov 24, 2021 at 04:01:34PM +0100, Elias Mobery wrote:>Hello Michal, thank you for the reply! > >I've carefully tested everything you suggested, thanks. > >I set dynamic_ownership=0 and use these hooks during the live build for >permissions. (I googled a lot, and apparently libvirt needs the images to >be executable too) > >chown -R libvirt-qemu:kvm /var/lib/libvirt/images >chmod -R g+rwx /var/lib/libvirt/images >I do not see why would the images need to be executable, you might need an executable bit set on the directory so that your and qemu user can browse it.>Booting the live debian iso everything works in virt-manager, but again, >after clicking "run", a copy of the vm image is created in >/run/live/overlay/rw/var/lib/libvirt/images and only then does the VM start. >Does that happen when you try to run it with virsh instead of virt-manager? Are you connected to the system daemon?>Either it's still being chowned or chmodded somehow, or it's something >else, but I can't stop this copy being made. > >Interestingly, when I boot the Live debian iso and then copy the images >into /var/lib/libvirt/images from my USB stick, the VM starts immediately >without creating any copies in the /run/live.... directory. So my guess is >that maybe the squashfs could be the issue? >Oh, interesting, is the USB stick filesystem mounted R/W and the live ISO filesystem mounted read-only? How is the overlay mounted?>Editing the XML > ><source file='/var/lib/libvirt/images/vm1.qcow2'> > <seclabel relabel='no'/> > </source> > >This results in an error: >Unsupported Configuration: >Security driver model 'null' not available >For issues like this it is most helpful to check the documentation: https://libvirt.org/formatdomain.html where you can see it is just a missing attribute `model`, in this case model="dac".>Here I tried setting security_driver=none in qemu.conf but same error after. > ></devices> > <seclabel type='none'/> > </domain> >Same here.>This also returns an Error but I'm still googling to understand it properly. > >XML document failed to validate against schema >Unable to validate doc against /usr/share/libvirt/schemas/domain.rng >Invalid element relabel for element seclabel >Extra element seclabel in interleave >Element domain failed to validate content > >Thanks again so much for your helo, I've been messing with this for weeks >now and it's killing me. > >On Tue, Nov 23, 2021, 9:43 PM Michal Pr?vozn?k <mprivozn at redhat.com> wrote: > >> On 11/23/21 17:25, Elias Mobery wrote: >> > >> > Hi everyone! >> > >> > I've built a Debian Live ISO with packages qemu and libvirt to run a VM >> > in the live environment. >> > >> > The guest images are placed in /var/lib/libvirt/images and 2GB each. >> > >> > Everything works great, except for one issue. >> > >> > When starting a VM, libvirt automatically issues a chown command to the >> > images, changing ownership. >> > >> > This results in a copy of the images being created in >> > /run/live/overlay/rw/var/lib/libvirt/images >> > >> > I don't want these copies to be made but can't stop it. >> > >> > I've tried editing qemu.conf user/group, dynamic ownership etc. without >> > any luck. >> > >> > Is there a way to STOP libvirt from changing the ownership of these >> images? >> > >> > >> >> Setting dynamic_ownership=0 in qemu.conf is the way to go (don't forget >> to restart the daemon after you made the change). >> >> Alternatively, you can set <seclabel/> either for whole domain or >> individual disks, e.g. like this: >> >> <disk type='file' device='disk'> >> <driver name='qemu' type='qcow2'/> >> <source file='/var/lib/libvirt/images/vm1.qcow2'> >> <seclabel relabel='no'/> >> </source> >> </disk> >> >> or for whole domain: >> >> ... >> </devices> >> <seclabel type='none'/> >> </domain> >> >> I'm not sure what your setup is, but if chown() is a problem then what >> if guest tries to write onto its disk? Wouldn't that create a copy in >> overlay? >> >> Michal >> >>-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20211124/c64f4bab/attachment.sig>