[Swan-dev] qemu-img: Could not open '/home/build/pool/swanfedora22base.qcow2

D. Hugh Redelmeier hugh at mimosa.com
Fri Jul 20 14:29:59 UTC 2018

| From: Andrew Cagney <andrew.cagney at gmail.com>
| I'm guessing the most recent fedora?

Yeah, fresh F28 install and up to date.

Machine is old: i5-2400.  Which is causing entropy problems, but that's 
another story.


The problem was that I somehow skipped adding the test user to the qemu group:

I've slightly improved the makefile's reaction to this problem. There
is still room for improvement.

Surprising fact: so far this is the only place where the lack of
group membership snagged me.

| On Fri, 20 Jul 2018 at 00:12, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
| >
| > I'm setting up a new test system.
| >
| > make kvm-install failed with this message:
| >
| >
| > qemu-img convert \
| >         -p -O qcow2 \
| >         /home/build/pool/swanfedora22base.qcow2 \
| >         /home/build/pool/a.clone.qcow2.tmp
| > qemu-img: Could not open '/home/build/pool/swanfedora22base.qcow2': Could not open '/home/build/pool/swanfedora22base.qcow2': Permission denied
| >
| > observations:
| > -rw-r-----. 1 root  qemu  8591507456 Jul 19 23:22 swanfedora22base.qcow2
| >
| > -rwxr-xr-x. 1 root root 1773200 Jul  3 13:42 /usr/bin/qemu-img
| >
| > This would work if qemu-img were setgid qemu.
| > The makefile seems to expect that to be the case.
| Why?  No.  Only running a VM needs SUDO (and that annoys me).

One doesn't need set GID qemu if one is already in the group. :-)

| > On the other hand, my old test system has the same file ownerships and
| > permissions.
| I'd suspect something around the images creation - virt-install or
| your own umask?

At my build account's shell prompt, umask is 0002.  On both the old and 
new system.  I have not changed the Fedora default.

| What's the ownership on the old system?

-rw-r-----. 1 root qemu 8591507456 Sep 17  2017 swanfedorabase.qcow2

In other words, the same.

But this old system has incrementally migrated from old Fedora and old 
Libreswan.  I guess that the datestamp on the file gives hints of this.
| > Doing this
| >         sudo chmod a+r ../pool/swanfedora22base.qcow2
| >         make kvm-install
| > gets past this point.

Even though this chmod isn't recommended, it seems to solve the
problem.  Is this better than adding the user to the qemu group?

Looking back on the transcript, this is how swanfedora22base.qcow2 got 

: XXX: Passing --security type=static,model=dac,label='1001:107',relabel=yes to virt-install causes it to panic
sudo virt-install --connect qemu:///system \
        --name=swanfedora22base \
        --os-variant fedora22 \
        --vcpus=1 \
        --memory 1024 \
        --nographics \
        --disk size=8,cache=writeback,path=/home/build/pool/swanfedora22base.qcow2 \
        --network=network:swandefault,model=virtio \
        --rng type=random,device=/dev/random \
        --location=/home/build/pool/Fedora-Server-DVD-x86_64-22.iso \
        --initrd-inject=testing/libvirt/fedora22.ks \
        --extra-args="swanname=swanfedora22base ks=file:/fedora22.ks console=tty0 console=ttyS0,115200 net.ifnames=0 biosdevname=0" \

So that explains why it is owned by root.

Later the failure shows up.  Here it is with a bit more context.

test -r /home/build/pool/swanfedora22base.qcow2 || sudo chgrp 107 /home/build/pool/swanfedora22base.qcow2
test -r /home/build/pool/swanfedora22base.qcow2 || sudo chmod g+r          /home/build/pool/swanfedora22base.qcow2
: create a full copy
rm -f /home/build/pool/a.clone.qcow2
qemu-img convert \
        -p -O qcow2 \
        /home/build/pool/swanfedora22base.qcow2 \
    (0.00/100%)^Mqemu-img: Could not open '/home/build/pool/swanfedora22base.qcow2': Could not open '/home/build/pool/swanfedora22base.qcow2': Permission denied

More information about the Swan-dev mailing list