Silverblue 37 virt-manager permission mounted device

Hi there,
I am very new to Fedora Silverblue and doing the first steps, but up to now I really like it and want to stick with it.

I am heavily using 2 virtual Windows machines though, which I would need to move to the new setup.

The first one is nothing special, just a Windows 10 installation with some important programs available as *.qcow2.
It is stored on another SSD mounted via fstab on but with gid and uid my personal user 1000.

virt-manager has been layered with rpm-ostree install.

When I now want to import the existing machine I get a permission denied error.
Virt manager is not allowed to open from the “external” device.

Is there anybody who has experience with this and might have a hint?

The second VM is another Windows 10 machine with GPU passthrough - but this might be another topic which I will come back to if I have this permissions problem solved.

Thank you all very much in advance.

PS: This is an output of virt-host-validate - might this problem occur due to the missing “devices” in kernel Kconfig? How can I add it?

  QEMU: Überprüfung for hardware virtualization                                 : BESTANDEN
  QEMU: Überprüfung if device /dev/kvm exists                                   : BESTANDEN
  QEMU: Überprüfung if device /dev/kvm is accessible                            : BESTANDEN
  QEMU: Überprüfung if device /dev/vhost-net exists                             : BESTANDEN
  QEMU: Überprüfung if device /dev/net/tun exists                               : BESTANDEN
  QEMU: Überprüfung for cgroup 'cpu' controller support                         : BESTANDEN
  QEMU: Überprüfung for cgroup 'cpuacct' controller support                     : BESTANDEN
  QEMU: Überprüfung for cgroup 'cpuset' controller support                      : BESTANDEN
  QEMU: Überprüfung for cgroup 'memory' controller support                      : BESTANDEN
  QEMU: Überprüfung for cgroup 'devices' controller support                     : WARNUNG (Enable 'devices' in kernel Kconfig file or mount/enable cgroup controller in your system)
  QEMU: Überprüfung for cgroup 'blkio' controller support                       : BESTANDEN
  QEMU: Überprüfung for device assignment IOMMU support                         : BESTANDEN
  QEMU: Überprüfung if IOMMU is enabled by kernel                               : WARNUNG (IOMMU appears to be disabled in kernel. Add intel_iommu=on to kernel cmdline arguments)
  QEMU: Überprüfung for secure guest support                                    : WARNUNG (Unknown if this platform has Secure Guest support)
   LXC: Überprüfung für Linux >= 2.6.26                                        : BESTANDEN
   LXC: Überprüfung for namespace ipc                                           : BESTANDEN
   LXC: Überprüfung for namespace mnt                                           : BESTANDEN
   LXC: Überprüfung for namespace pid                                           : BESTANDEN
   LXC: Überprüfung for namespace uts                                           : BESTANDEN
   LXC: Überprüfung for namespace net                                           : BESTANDEN
   LXC: Überprüfung for namespace user                                          : BESTANDEN
   LXC: Überprüfung for cgroup 'cpu' controller support                         : BESTANDEN
   LXC: Überprüfung for cgroup 'cpuacct' controller support                     : BESTANDEN
   LXC: Überprüfung for cgroup 'cpuset' controller support                      : BESTANDEN
   LXC: Überprüfung for cgroup 'memory' controller support                      : BESTANDEN
   LXC: Überprüfung for cgroup 'devices' controller support                     : VERFEHLT (Enable 'devices' in kernel Kconfig file or mount/enable cgroup controller in your system)
   LXC: Überprüfung for cgroup 'freezer' controller support                     : VERFEHLT (Enable 'freezer' in kernel Kconfig file or mount/enable cgroup controller in your system)
   LXC: Überprüfung for cgroup 'blkio' controller support                       : BESTANDEN
   LXC: Überprüfung if device /sys/fs/fuse/connections exists                   : BESTANDEN

This is unlikely to be related. You need to look at the permissions for the folders (and all up folders) for the path you’re using for those images.

Thank you very much for your answer.

Which permission does virt-manager need to be able to access the image file?
As the file is owned by me as personal user. And has permissions set like this: .rwxr-xr-x@

Any idea?

You need to make sure all parent directories are also o+x.
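Added example, not part of the thread: a way to find which directory on the path to an image blocks an account that is neither the owner nor in the owning group. The function name and sample path are made up for illustration; it assumes GNU `stat` and `realpath`, and it only reads mode bits, so ACLs and SELinux labels are not covered.

```shell
#!/bin/sh
# Added example (not from the thread): list every directory on the way to a
# disk image that lacks the "other" execute (search) bit.
# Assumes GNU coreutils stat(1) and realpath(1); missing_other_x is a
# hypothetical helper name.

# Print each ancestor directory of $1 without o+x, one per line.
# Returns 0 if all are traversable, 1 if any is not, 2 on a bad path.
missing_other_x() {
    target=$(realpath -e -- "$1") || return 2
    dir=$(dirname -- "$target")
    blocked=0
    while :; do
        mode=$(stat -c '%a' -- "$dir") || return 2
        # The last octal digit holds the "other" bits; bit 1 is execute/search.
        if [ $(( 0$mode & 1 )) -eq 0 ]; then
            printf '%s (mode %s)\n' "$dir" "$mode"
            blocked=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname -- "$dir")
    done
    return "$blocked"
}

# Stand-alone use: sh check.sh /path/to/image.qcow2  (sample path, not from the thread)
if [ "$#" -gt 0 ]; then
    missing_other_x "$1"
fi
```

On a filesystem without Unix permissions the modes reported here come from the mount options, so a directory flagged by this check has to be fixed there rather than with chmod.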

You probably need to add yourself to the libvirt group first. There’s the regular libvirt namespace and then there’s a user namespace. If you create a VM in the user namespace, it will be stored in your home directory and will be limited in which devices on the host it can access. If it’s not in the user namespace, then only root or a member of the libvirt group can access it and it will be stored in /var/lib/libvirt/images. You’ll need to run usermod -aG libvirt <user> to add yourself to the group and then restart your session in your terminal or whatever you’re using.

Hmm,
@siosm all parent directories have write permissions.

The ssd is mounted on boot via fstab with this command.
/dev/sdb2 /run/media/username/VOLUME exfat defaults,uid=1000,gid=1000,iocharset=utf8 0 0

If I try to change permissions via chmod or chown the changes are not accepted. Perhaps this is due to my mounting settings of uid and gid being 1000, or filesystem being exFAT?

Output:
chown: The owner of file is changed: operations is permitted
chmod: No output, but permissions aren’t changed either.

I assume it has something to do with my way of mounting though I have no idea what to change.

@alys thank you very much for your input. I already added my user to the libvirt group following this workaround on Silverblue:

https://bugzilla.redhat.com/show_bug.cgi?id=1919994#c22

When I check the groups with
cat /etc/group
I can see my user in the libvirt group whereas I manually added libvirt group libvirt:x:996 to /etc/group initially.

I have no clue how I could proceed. I can’t copy the VM to my main SSD as there is not enough space.

You’re likely mounting that from an un-privileged user so it gets mounted in /run. You’d want to add an entry in /etc/fstab or create a systemd .mount unit to make it a system mount so that you can change anything there and it persists.

Thank you @siosm
I tried several ways to mount this drive.
In the end I have a systemd.mount unit running and I am fine with it. If I mount the filesystem as root, it is read only for my user.
So I still have to mount the drive with uid=1000 and gid=1000 otherwise I cannot access it from my current user account.

With virt-manager there were now differences. Still I had trouble with permissions.

But, I was able to get the virtual machine (*.qcow2 file) running in a qemu:///session which is obviously working with limited features and also used by gnome-boxes (that I used successfully to run the VM).

My future goal though is to create a GPU passthrough setup on Fedora Silverblue.
qemu:///session, as it has no host admin privileges, won’t be able to do PCI device assignment.

Is there anybody who made virt-manager start a machine in qemu:///system from an automounted device (uid=1000, gid=1000) in Silverblue?