Permission Denied #546
Comments
I am experiencing the same issue and have the same system configs. I am using the unmodified example from: https://github.com/dmacvicar/terraform-provider-libvirt/tree/master/examples/ubuntu I have tried modifying the user:group libvirtd runs under to be root:root and I receive the same result. The image permissions output by terraform apply is as follows: |
Hi all, thx for reporting this. However, this is not a provider issue. It is an issue that is part of your libvirt configuration. Permission denied means you don't have rights to write in that dir. Maybe it is your user or other libvirt minimal conf. Try to change the default pool repo or investigate the basic libvirt conf needed to let libvirt run. Normally you need a user on KVM/libvirt and other stuff depending on which Linux distro. Enjoy |
MalloZup I am not sure that this is the case. If you take a look at the permissions, in my previous comment, on commoninit.iso and ubuntu-0 they are receiving different permissions though they are created via the libvirt provider. I have attempted modifying the qemu.conf to be root:root and still receive permission denied. My libvirt config is unmodified. I have spent hours researching solutions to this problem and have tried several different fixes to no avail. It seems to me that if the provider is responsible for creating the image file that it should be doing so with the correct permissions. Is it possible that this could be a feature request in that we could provide the user:group we need? Note that I have also enabled, as a test, the dynamic permissions configuration in qemu.conf and this had no effect on the image file. |
@MalloZup - sorry meant to ping you on this so it got your attention... see above. |
I'm still having issues after changing the location of the volume to my home dir. I've played around a bit with the file permissions / ownership but don't seem to be making much headway. I did notice some apparmor logs in syslog provider-provider-libvirt:
syslog:
I wouldn't be surprised to find out that I've installed or configured something wrong, I'm just having difficulty figuring out what that is. So let me say thanks, any help is much appreciated |
@MalloZup - After another day of research I have found some historical context that is interesting. However I DO AGREE... This is NOT an issue with terraform-provider-libvirt. This looks like it may be a recurrence of an issue where QEMU is failing to generate the correct permissions for qcow2 formatted volumes. Either way this issue should be closed on your side. Would be great if we could get some traction with the QEMU team and see what they can find. Thanks again for supporting this provider for terraform! |
@rustychapin @rustychapin @littlehunch issues with Normally in my experience, on an openSUSE machine: I have my user belong to I would disable apparmor and try if it works. I am closing this issue but you can either write on this issue for sync with others or you can also join the |
Thx @andersla for pointer |
I fixed this problem with this: On Ubuntu distros SELinux is enforced by qemu even if it is disabled globally, this might cause unexpected |
This is still true in Ubuntu 20.04, thanks to @andersla that pointed to the |
Terraform seems to create the pool with owner/group set to 0:
However libvirtd (which writes the uploaded files, such as the cloud init, or the base ISO) runs as non-root, writing those files as
I think there may be some XSLT that can be applied to the pool definitions that will change the owner/group to the right settings, but I will need to research them. |
@sneak I think you are on to something. I'm confused why the provider creates the pool with the owner/group set to root but requires different permissions for actually starting a domain with an image from such a pool. |
the recipe for @thebithead helped me |
This seems like a known issue w/ apparmor's handling of volumes from a libvirt pool (apparmor profiles require the full path to allow file-access, but
The quick-fix for me was setting |
Hi guys, thx for sharing and helping each other. The terraform libvirt is just a "consumer" of libvirt API so it doesn't change permission etc. As many of you noticed this is more a It is unfortunately not something we can fix here. |
@gdombrov and @johnjameswhitman -- That fix worked for me as well on Ubuntu 20.04.1. @MalloZup Makes sense. Thanks for all of your work on this project! |
Still running into this Slightly modified workaround is setting |
good |
AppArmor security driver might block in some cases qemu libvirt file access on Debian/Ubuntu. This has already been discussed on the Debian side at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971837 and on the Ubuntu side at: dmacvicar/terraform-provider-libvirt#546
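An added example, not part of the thread or of the provider's code: one way to confirm from syslog that AppArmor, rather than file ownership alone, is what denied QEMU access to a volume, as several comments here suspect. The log lines are constructed samples in the kernel audit format AppArmor uses; the guest UUID, pids and uid values are assumptions, and the volume path is the one quoted in the thread.

```python
import re

# Constructed sample syslog lines (not taken from the issue).
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 host kernel: audit: type=1400 audit(1704888001.100:210): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/var/lib/libvirt/images/example.qcow2" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Jan 10 12:00:01 host kernel: audit: type=1400 audit(1704888001.101:211): apparmor="DENIED" operation="open" profile="libvirt-11111111-2222-3333-4444-555555555555" name="/var/lib/libvirt/images/example.qcow2" pid=4242 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
Jan 10 12:00:02 host kernel: audit: type=1400 audit(1704888002.000:212): apparmor="ALLOWED" operation="open" profile="/usr/sbin/libvirtd" name="/etc/libvirt/qemu.conf" pid=900 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 12:00:03 host kernel: audit: type=1400 audit(1704888003.000:213): apparmor="DENIED" operation="open" profile="snap.example.app" name="/home/user/notes.txt" pid=77 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 10 12:00:04 host libvirtd[900]: internal error: process exited while connecting to monitor
"""

# key="quoted value" or key=bare_value pairs inside an audit record
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def libvirt_denials(syslog_text):
    """Collect AppArmor DENIED records for per-guest libvirt-<uuid> profiles,
    merged per (profile, path), with the process uid and the file owner uid."""
    found = {}
    for line in syslog_text.splitlines():
        rec = parse_audit(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if not rec.get("profile", "").startswith("libvirt-"):
            continue  # denial belongs to some other confined program
        key = (rec["profile"], rec.get("name", "?"))
        entry = found.setdefault(key, {"mask": set(), "fsuid": rec.get("fsuid"),
                                       "ouid": rec.get("ouid")})
        entry["mask"].update(rec.get("denied_mask", ""))
    return [{"profile": p, "path": n, "denied": "".join(sorted(e["mask"])),
             "fsuid": e["fsuid"], "ouid": e["ouid"]}
            for (p, n), e in found.items()]


if __name__ == "__main__":
    for d in libvirt_denials(SAMPLE_SYSLOG):
        print(d)
```

An empty result points away from AppArmor and toward plain ownership or mode bits on the volume or its directory; a non-empty one names the exact path the guest's profile does not cover.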
Ubuntu 20.04 with apparmor, I disable apparmor without any effect. Start apparmor and set a value |
* fix instruction message at end of bootstrap script
* Add sourcing /etc/profile to ZSH profile
* Add sourcing /etc/profile to common user bash
* Fix typo in KDE package name on Ubuntu
* Add Ubuntu workaround for QEMU permissions: dmacvicar/terraform-provider-libvirt#546
* Add both common user and SSH user to nvm group
* Complete and tweak Terraform install through Ansible
The issue in Debian 11.7 and Ubuntu 20.04 LTS prevails... I just did this and it worked for me. I also agree that it is not an issue in terraform-provider-libvirt, but, still, if there is a way to push a warning to the user recommending to check this, it would be helpful. |
If you have a problem with Could not open '/var/lib/libvirt/images/example.qcow2': Permission denied'
|
@StribPav Thank you very much. This worked for me on Ubuntu |
This issue also happens in Debian 12 and this fix is still relevant |
thanks sooo much to everyone the |
System Information
Linux distribution
Terraform version
Provider and libvirt versions
If that gives you "was not built correctly", get the Git commit hash from your local provider repository:
Checklist
Is your issue/contribution related with enabling some setting/option exposed by libvirt that the plugin does not yet support, or requires changing/extending the provider terraform schema?
Is it a bug or something that does not work as expected? Please make sure you fill the version information below:
Description of Issue/Question
Setup
(Please provide the full main.tf file for reproducing the issue (Be sure to remove sensitive information)
Steps to Reproduce Issue
(Include debug logs if possible and relevant).
Additional information:
Do you have SELinux or Apparmor/Firewall enabled? Some special configuration?
Have you tried to reproduce the issue without them enabled?