nhnh
(nhfed)
February 8, 2025, 1:34pm
1
Hello all,
Setting up a home server, I decided to go with fedora-server 41 for the host and to virtualize TrueNAS-SCALE (w PCIe SATA controller passthrough) for the NAS / backup server side of things.
I’m able to install & run a TrueNAS VM (and others) via cockpit in BIOS mode (including the required passthrough of the SATA controller, as TrueNAS requires direct access).
However, I cannot install any OS in a VM in UEFI mode, neither with cockpit on the f41 fedora-server, nor with Virt-Manager on the f41 fedora-workstation laptop.
The problem seems to have started anywhere between f41 release and two weeks ago, since shortly after upgrade from f40 to f41 I was still able to install multiple VMs in UEFI mode on my fedora-workstation laptop with Virt-Manager.
Technical details:
After configuring the VM and clicking “install”, I get the following error:
With the exact same host & VM configuration besides choosing BIOS instead of UEFI option in VM edit, it gets to the installer right away.
Does anyone know how to solve the problem?
Any help would be greatly appreciated, as I’ve been struggling with this for weeks.
Best regards
ilikelinux
(ilikelinux)
February 8, 2025, 1:42pm
2
I think you just have to change the boot order. It tries to boot from the NAS. See error: PciRoot
nhnh
(nhfed)
February 8, 2025, 1:50pm
3
Thank you for your answer.
Besides, the NAS doesn’t exist yet, I’m trying to create one.
Actually Cockpit properly attaches the .iso as CD ROM:
vgaetera
(Vladislav Grigoryev)
February 8, 2025, 2:06pm
4
Make sure to install this update:
FEDORA-2025-81cacd8b05 — bugfix update for selinux-policy — Fedora Updates System
Also move the ISO image to the main storage pool and fix its SELinux label:
sudo mv /*.iso /var/lib/libvirt/images
sudo restorecon -R /var/lib/libvirt/images
Then reattach the ISO to the VM and try again.
nhnh
(nhfed)
February 8, 2025, 2:19pm
5
Thank you for your answer.
admin@host:~$ sudo dnf upgrade --refresh --advisory=FEDORA-2025-81cacd8b05
[sudo] password for admin:
Updating and loading repositories:
Fedora 41 openh264 (From Cisco) - x86_64 100% | 687.0 B/s | 989.0 B | 00m01s
Fedora 41 - x86_64 100% | 21.5 KiB/s | 26.3 KiB | 00m01s
Fedora 41 - x86_64 - Updates 100% | 46.0 KiB/s | 20.0 KiB | 00m00s
Repositories loaded.
Nothing to do.
admin@host:/$ sudo mv TrueNAS-SCALE-24.10.2.iso /var/lib/libvirt/images
admin@host:/var/lib/libvirt/images$ sudo ls
TrueNAS-SCALE-24.10.2.iso TrueNAS-SCALE.qcow2
admin@host:~$ sudo restorecon -R /var/lib/libvirt/images
Tried your steps, no change.
Any other idea?
vgaetera
(Vladislav Grigoryev)
February 8, 2025, 2:50pm
6
Check if the issue persists in permissive mode:
sudo setenforce 0
Also let’s check the output:
journalctl --no-pager -b _AUDIT_TYPE_NAME=AVC
rpm -q -a selinux-policy\*
sudo ls -l -a -Z /var/lib/libvirt/images
nhnh
(nhfed)
February 8, 2025, 2:57pm
7
Vladislav Grigoryev:
sudo setenforce 0
admin@host:~$ sudo setenforce 0
[sudo] password for admin:
admin@host:~$
No change
Output:
admin@host:~$ journalctl --no-pager -b _AUDIT_TYPE_NAME=AVC
Feb 08 13:21:03 host.srv.lan audit[2484]: AVC avc: denied { execute } for pid=2484 comm="rpc-virtqemud" name="kmod" dev="nvme0n1p3" ino=192939461 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
Feb 08 13:21:03 host.srv.lan audit[2484]: AVC avc: denied { execute_no_trans } for pid=2484 comm="rpc-virtqemud" path="/usr/bin/kmod" dev="nvme0n1p3" ino=192939461 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
Feb 08 13:21:03 host.srv.lan audit[2484]: AVC avc: denied { map } for pid=2484 comm="modprobe" path="/usr/bin/kmod" dev="nvme0n1p3" ino=192939461 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
Feb 08 13:21:03 host.srv.lan audit[2484]: AVC avc: denied { map } for pid=2484 comm="modprobe" path="/usr/lib/modules/6.12.11-200.fc41.x86_64/modules.dep.bin" dev="nvme0n1p3" ino=50380386 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
Feb 08 13:21:03 host.srv.lan audit[2484]: AVC avc: denied { module_load } for pid=2484 comm="modprobe" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=system permissive=1
Feb 08 13:21:03 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 13:21:04 host.srv.lan audit[2523]: AVC avc: denied { open } for pid=2523 comm="swtpm" path="/var/log/swtpm/libvirt/qemu/TrueNAS-SCALE-swtpm.log" dev="nvme0n1p3" ino=184607444 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=0
Feb 08 13:38:41 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 13:38:41 host.srv.lan audit[2812]: AVC avc: denied { relabelfrom } for pid=2812 comm="rpc-virtqemud" name="TrueNAS-SCALE-24.10.2.iso" dev="nvme0n1p3" ino=1704 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
Feb 08 13:39:01 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:10:20 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:13:00 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:15:01 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:15:46 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="prio-rpc-virtqe" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:17:14 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:17:24 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:17:52 host.srv.lan audit[4046]: AVC avc: denied { open } for pid=4046 comm="swtpm" path="/var/log/swtpm/libvirt/qemu/TrueNAS-SCALE-BIOS-swtpm.log" dev="nvme0n1p3" ino=184607445 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=0
Feb 08 14:17:52 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:19:53 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:21:46 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:24:52 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:26:57 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="prio-rpc-virtqe" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:28:06 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:28:27 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="prio-rpc-virtqe" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:29:24 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 15:15:39 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 15:17:24 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 15:53:27 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 15:54:41 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 15:54:54 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=7599 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
admin@host:~$ rpm -q -a selinux-policy\*
selinux-policy-41.32-1.fc41.noarch
selinux-policy-targeted-41.32-1.fc41.noarch
admin@host:~$ sudo ls -l -a -Z /var/lib/libvirt/images
total 1871684
drwx--x--x. 2 root root system_u:object_r:virt_image_t:s0 66 Feb 8 15:54 .
drwxr-xr-x. 9 root root system_u:object_r:virt_var_lib_t:s0 106 Feb 8 12:37 ..
-rw-r--r--. 1 qemu qemu system_u:object_r:virt_content_t:s0 1874262016 Feb 8 13:12 TrueNAS-SCALE-24.10.2.iso
-rw-------. 1 root root system_u:object_r:virt_image_t:s0 21478375424 Feb 8 15:54 TrueNAS-SCALE.qcow2
admin@host:~$
vgaetera
(Vladislav Grigoryev)
February 8, 2025, 3:02pm
8
sudo chcon -t virt_image_t /var/lib/libvirt/images/TrueNAS-SCALE-24.10.2.iso
Be sure to shutdown the VM to apply the changes.
nhnh
(nhfed)
February 8, 2025, 3:05pm
9
admin@host:~$ sudo chcon -t virt_image_t /var/lib/libvirt/images/TrueNAS-SCALE-24.10.2.iso
admin@host:~$
No change.
Did a force shut-down and deleted the VM, testing with a fresh VM every time.
nhnh
(nhfed)
February 8, 2025, 7:03pm
10
Tried again on virt-manager.
Here I get:
Unable to complete install: 'internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/truenasscale-swtpm.log' for details.'
Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/asyncjob.py", line 71, in cb_wrapper
callback(asyncjob, *args, **kwargs)
~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
installer.start_install(guest, meter=meter)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
File "/usr/share/virt-manager/virtinst/install/installer.py", line 726, in start_install
domain = self._create_guest(
guest, meter, initial_xml, final_xml,
doboot, transient)
File "/usr/share/virt-manager/virtinst/install/installer.py", line 667, in _create_guest
domain = self.conn.createXML(initial_xml or final_xml, 0)
File "/usr/lib64/python3.13/site-packages/libvirt.py", line 4545, in createXML
raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/truenasscale-swtpm.log' for details.
user@localhost:~$ sudo cat /var/log/swtpm/libvirt/qemu/truenasscale-swtpm.log
swtpm at /usr/bin/swtpm does not support TPM 2
vgaetera
(Vladislav Grigoryev)
February 9, 2025, 8:44am
11
I managed to reproduce this issue.
Here’s a custom SELinux module that makes it work:
tee /tmp/local.te << EOF > /dev/null
module local 1.0;
require {
type swtpm_t;
type virt_log_t;
class file open;
}
allow swtpm_t virt_log_t:file open;
EOF
checkmodule -M -m -o /tmp/local.mod /tmp/local.te
semodule_package -o /tmp/local.pp -m /tmp/local.mod
sudo semodule -r local 2> /dev/null
sudo semodule -i /tmp/local.pp
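Added example, not part of any post in this thread: a small triage helper that groups AVC denials by rule and by the `permissive=` field, which records whether the access was actually blocked (`permissive=0`) or only logged (`permissive=1`). The function names are hypothetical and the sample lines are abridged from the journal output posted above; on that input the only enforced denial is the `swtpm_t` to `virt_log_t` open that the module above allows.

```shell
#!/bin/sh
# Sample input: four AVC lines abridged from the journal output in this thread.
sample_avc() {
cat <<'EOF'
Feb 08 13:21:03 host.srv.lan audit[2484]: AVC avc: denied { execute } for pid=2484 comm="rpc-virtqemud" name="kmod" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
Feb 08 13:21:04 host.srv.lan audit[2523]: AVC avc: denied { open } for pid=2523 comm="swtpm" path="/var/log/swtpm/libvirt/qemu/TrueNAS-SCALE-swtpm.log" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=0
Feb 08 13:38:41 host.srv.lan audit[1550]: AVC avc: denied { write } for pid=1550 comm="rpc-virtqemud" name="driver_override" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Feb 08 14:17:52 host.srv.lan audit[4046]: AVC avc: denied { open } for pid=4046 comm="swtpm" path="/var/log/swtpm/libvirt/qemu/TrueNAS-SCALE-BIOS-swtpm.log" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=0
EOF
}

# Reads AVC lines on stdin and prints one line per distinct rule:
#   <enforced|permissive> <count> <source type> <target type>:<class> { perms }
# Enforced denials sort first, so the accesses that were really blocked lead.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; mode = "unknown"
        # The permission list sits between braces: "{ open }", "{ read write }".
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            if ($i == "permissive=0") mode = "enforced"
            if ($i == "permissive=1") mode = "permissive"
        }
        n[mode ";" src ";" tgt ";" cls ";" perms]++
    }
    END {
        for (k in n) {
            split(k, f, ";")
            print f[1], n[k], f[2], f[3] ":" f[4], "{ " f[5] " }"
        }
    }' | sort
}

sample_avc | summarize_avc
```

On a live host the same function can read the command already used in the thread: `journalctl --no-pager -b _AUDIT_TYPE_NAME=AVC | summarize_avc`.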
nhnh
(nhfed)
February 9, 2025, 1:08pm
12
Thank you for trying to reproduce and come up with a module.
I’ve tried it on the server with no luck.
I’m a bit reluctant to try it on my workstation (I need the VM on the server, was just trying to see if I got the same problems with virt-manager on the workstation), as I wouldn’t be able to revert it if it doesn’t work. Is there a way to revert it after trying?
Also, investigating further, I found this issue on virt-manager github, this issue in RHEL and this libvirt commit which seems to solve the issue in libvirt 11.00.00.
It seems to be the same problem.
In bodhi, libvirt-11.0.0-1-fc42 is stable, but the last package for f41 is libvirt-10.6.0-f-fc41.
Any chance libvirt 11 will be released on f41? If not is there a way to install the f42 version on f41?
ilikelinux
(ilikelinux)
February 9, 2025, 1:18pm
13
I don’t think so. If you have the chance to test F42 in a VM it would be available already as a pre-release. It is not Beta yet but this will soon happen.
glb
(Gregory Lee Bartholomew)
February 9, 2025, 5:29pm
14
You could run a command like dnf --releasever=42 update libvirt, but that would put your system in an “unsupported” and possibly unstable state. You might want to take a snapshot of your root file system to be sure you can undo the changes if you decide to attempt that sort of workaround.
nhnh
(nhfed)
February 22, 2025, 12:28pm
15
Thanks for your help up to now.
I was able to get this working under fedora 42 booting a f41 VM under UEFI, but it still doesn’t work with the TrueNAS SCALE VM.
Also running my host server under f42 wouldn’t be a solution at this stage.
Therefore I posted some more details on these same/similar open Bugzilla bugs, hoping for a solution:
https://bugzilla.redhat.com/show_bug.cgi?id=2278123
https://bugzilla.redhat.com/show_bug.cgi?id=2307853
But still open for workarounds in the meantime if anyone has an idea.
ilikelinux
(ilikelinux)
February 22, 2025, 1:42pm
16
In the Virtual Machine Manager > edit > preferences > new vm >> x86 firmware, try to set to UEFI.
nhnh
(nhfed)
February 28, 2025, 4:36pm
17
This update: FEDORA-2025-1c1946f65f — bugfix update for swtpm — Fedora Updates System, from this bug: 2278123 – libvirt virtual machines cannot be created with SWTPM when SELinux is enabled: SELinux denials logged. No issues without SWTPM. Multiple user reports, solved it for me.
In the meantime I found out that my problem with the TrueNAS VM is only partially related and is a problem with TrueNAS / Debian and not Fedora: TrueNAS seems not to work with Secure Boot enabled…