[one-users] libvirt not allowing access to /dev/kvm

Jaime Melis jmelis at opennebula.org
Fri Feb 10 07:11:26 PST 2012


Hi Michael,

to figure out what's wrong, can you send us:
$ grep -Ev '^(#|$)' /etc/libvirt/qemu.conf
$ grep -Ev '^(#|$)' /etc/libvirt/libvirtd.conf

I'm aware you already sent part of your qemu.conf... but I'd like to
know if there's anything else besides what you pasted.

cheers,
Jaime


On Wed, Feb 8, 2012 at 7:53 PM, Michael Brown <michael at netdirect.ca> wrote:
> I think I've finally nailed the root cause of my troubles. I posted this
> on http://serverfault.com/q/358118/2101 but you guys may be able to
> answer with more authority:
>
> I have a fresh Open Nebula 3.2.1 installation which I'm trying to get
> working and manage some freshly-installed debian squeeze kvm hosts.
>
> My problem is that when Open Nebula deploys VMs the KVM process does not
> have access to the /dev/kvm device on the host.
>
> I've set up everything according to documentation:
> root at onhost1:~# ls -al /dev/kvm
> crw-rw---- 1 root kvm 10, 232 Feb 8 11:24 /dev/kvm
>
> root at onhost1:~# id oneadmin
> uid=500(oneadmin) gid=500(oneadmin)
> groups=500(oneadmin),106(kvm),108(libvirt)
>
> libvirt/qemu.conf has:
> user = "oneadmin"
> group = "oneadmin"
>
> When libvirt creates VMs they do not have any of the secondary groups
> set so the process doesn't have access to /dev/kvm via file permissions.
> OK, fair enough, though the Open Nebula documentation seems to indicate
> it should be set up this way.
>
> I've tried mounting cgroups to try and resolve this problem. After I do
> so, the kvm process has the following cgroup entry:
>
> 1:devices,cpu:/libvirt/qemu/one-29
>
> corresponding to:
>
> /dev/cgroup/libvirt/qemu/one-29/devices.list:c 10:232 rwm
>
> My lack of understanding of how cgroups work indicate to me that this
> ought to allow the process to access /dev/kvm, but no go.
>
> I can make things work by adding an ACL entry (setfacl -m u:oneadmin:rw
> /dev/kvm) but that doesn't Seem Right. Shouldn't Open Nebula/libvirt be
> handling this?
>
> * What are the Correct Changes to make?
> * Should the documentation be changed?
> * Have I missed something?
>
>
> --
> Michael Brown               | `One of the main causes of the fall of
> Systems Consultant          | the Roman Empire was that, lacking zero,
> Net Direct Inc.             | they had no way to indicate successful
> ☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org



-- 
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | jmelis at opennebula.org



More information about the Users mailing list