[Swan-dev] qemu-img: Could not open '/home/build/pool/swanfedora22base.qcow2

Andrew Cagney andrew.cagney at gmail.com
Fri Jul 20 15:26:55 UTC 2018


On Fri, 20 Jul 2018 at 10:30, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
>
> | From: Andrew Cagney <andrew.cagney at gmail.com>
> |
> | I'm guessing the most recent fedora?
>
> Yeah, fresh F28 install and up to date.
>
> Machine is old: i5-2400.  Which is causing entropy problems, but that's
> another story.
>
> Spoiler:
>
> The problem was that I somehow skipped adding the test user to the qemu group:
> <https://libreswan.org/wiki/Test_Suite#Setting_Users_and_Groups>
> I've slightly improved the makefile's reaction to this problem. There
> is still room for improvement.

I think it is the best fix available.  Thanks.

> Surprising fact: so far this is the only place where the lack of
> group membership snagged me.
>
> | On Fri, 20 Jul 2018 at 00:12, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
> | >
> | > I'm setting up a new test system.
> | >
> | > make kvm-install failed with this message:
> | >
> | >
> | > qemu-img convert \
> | >         -p -O qcow2 \
> | >         /home/build/pool/swanfedora22base.qcow2 \
> | >         /home/build/pool/a.clone.qcow2.tmp
> | > qemu-img: Could not open '/home/build/pool/swanfedora22base.qcow2': Could not open '/home/build/pool/swanfedora22base.qcow2': Permission denied
> | >
> | > observations:
> | > -rw-r-----. 1 root  qemu  8591507456 Jul 19 23:22 swanfedora22base.qcow2
> | >
> | > -rwxr-xr-x. 1 root root 1773200 Jul  3 13:42 /usr/bin/qemu-img
> | >
> | > This would work if qemu-img were setgid qemu.
> | > The makefile seems to expect that to be the case.
> |
> | Why?  No.  Only running a VM needs SUDO (and that annoys me).
>
> One doesn't need set GID qemu if one is already in the group. :-)

Interesting.

Perhaps someone knows of a how-to explaining the 'correct' way to set
up what we do such that SUDO isn't needed.  My last round of research
didn't inspire confidence:

# The alternative is qemu:///session and it doesn't require root.
# However, it has never been used, and the python tools all assume
# qemu:///system. Finally, it comes with a warning: QEMU usermode
# session is not the virt-manager default.  It is likely that any
# pre-existing QEMU/KVM guests will not be available.  Networking
# options are very limited.
KVM_CONNECTION ?= qemu:///system
VIRSH = sudo virsh --connect $(KVM_CONNECTION)

> | > On the other hand, my old test system has the same file ownerships and
> | > permissions.
> |
> | I'd suspect something around the image's creation - virt-install or
> | your own umask?
>
> At my build account's shell prompt, umask is 0002.  On both the old and
> new system.  I have not changed the Fedora default.
>
> | What's the ownership on the old system?
>
> -rw-r-----. 1 root qemu 8591507456 Sep 17  2017 swanfedorabase.qcow2
>
> In other words, the same.
>
> But this old system has incrementally migrated from old Fedora and old
> Libreswan.  I guess that the datestamp on the file gives hints of this.
> |
> | > Doing this
> | >         sudo chmod a+r ../pool/swanfedora22base.qcow2
> | >         make kvm-install
> | > gets past this point.
>
> Even though this chmod isn't recommended, it seems to solve the
> problem.  Is this better than adding the user to the qemu group?
>
> Looking back on the transcript, this is how swanfedora22base.qcow2 got
> created:
>
>
> : XXX: Passing --security type=static,model=dac,label='1001:107',relabel=yes to virt-install causes it to panic
> sudo virt-install --connect qemu:///system \
>         --name=swanfedora22base \
>         --os-variant fedora22 \
>         --vcpus=1 \
>         --memory 1024 \
>         --nographics \
>         --disk size=8,cache=writeback,path=/home/build/pool/swanfedora22base.qcow2 \
>         --network=network:swandefault,model=virtio \
>         --rng type=random,device=/dev/random \
>         --location=/home/build/pool/Fedora-Server-DVD-x86_64-22.iso \
>         --initrd-inject=testing/libvirt/fedora22.ks \
>         --extra-args="swanname=swanfedora22base ks=file:/fedora22.ks console=tty0 console=ttyS0,115200 net.ifnames=0 biosdevname=0" \
>         --noreboot
>
> So that explains why it is owned by root.
>
> Later the failure shows up.  Here it is with a bit more context.
>
> test -r /home/build/pool/swanfedora22base.qcow2 || sudo chgrp 107 /home/build/pool/swanfedora22base.qcow2
> test -r /home/build/pool/swanfedora22base.qcow2 || sudo chmod g+r          /home/build/pool/swanfedora22base.qcow2
> : create a full copy
> rm -f /home/build/pool/a.clone.qcow2
> qemu-img convert \
>         -p -O qcow2 \
>         /home/build/pool/swanfedora22base.qcow2 \
>         /home/build/pool/a.clone.qcow2.tmp
>     (0.00/100%)^Mqemu-img: Could not open '/home/build/pool/swanfedora22base.qcow2': Could not open '/home/build/pool/swanfedora22base.qcow2': Permission denied
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
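
The thread weighs two fixes for the unreadable base image: `chmod a+r`, or adding the test user to the qemu group. The sketch below is an added example, not code from this thread or from the libreswan makefile. It classifies a file's mode bits against a user's groups, so a preflight check can name the missing group membership instead of failing inside `qemu-img`. The function names, the user `build`, and the group `wheel` are hypothetical. It assumes plain mode bits only (no ACLs, SELinux denials, or root override).

```shell
#!/bin/sh
# Added example: preflight for the base image's read permission.
# Assumes classic mode bits only (no ACLs, SELinux denials, or root override).

# classify_access MODE OWNER GROUP USER "USER GROUPS"
# MODE is octal as printed by `stat -c %a`, e.g. 640.
classify_access() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    perms=$(printf '000%s' "$mode" | tail -c 3)   # drop setuid/setgid digit
    u=${perms%??}; o=${perms#??}; g=${perms#?}; g=${g%?}

    # The kernel picks exactly one class: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        class=owner; bits=$u
    else
        case " $user_groups " in
            *" $group "*) class=group; bits=$g ;;
            *)            class=other; bits=$o ;;
        esac
    fi

    case "$bits" in
        [4-7]) readable=yes ;;
        *)     readable=no ;;
    esac

    if [ "$readable" = yes ] && [ "$class" = other ]; then
        echo "world-readable"            # works, but every local user can read it
    elif [ "$readable" = yes ]; then
        echo "ok"
    elif [ "$class" = other ] && case "$g" in [4-7]) true ;; *) false ;; esac; then
        echo "add-to-group:$group"       # file is fine; the user lacks membership
    else
        echo "denied:$class"
    fi
}

# check_image FILE: apply the logic to the invoking user's live credentials.
# `id -Gn` reports this process's groups, so a membership added after login
# shows up only in a new session.
check_image() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    set -- $info
    classify_access "$1" "$2" "$3" "$(id -un)" "$(id -Gn)"
}

# Constructed inputs mirroring the listing in the thread (root:qemu, 0640).
classify_access 640 root qemu build "build wheel"   # add-to-group:qemu
classify_access 640 root qemu build "build qemu"    # ok
classify_access 644 root qemu build "build wheel"   # world-readable
```
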

