Comment 2 for bug 1999445

Thales Elero Cervi (tcervi) wrote :

The kvm device is always available when stx is installed on labs (as long as the virtualization functions are enabled in the BIOS) and on virtual machines if Nested Virtualization is enabled ("Enable VT-x/AMD-V" on VirtualBox).

The problem here is no longer whether the char device exists, but who owns it and which permissions are set. The Debian migration is incomplete with regard to /dev/kvm permissions, and it will be handled as part of this bug fix.

---------------------------------------------------------------------------------------------------
For reference, on a CentOS installation where the stx-libvirt-master-centos-* is the image used for the libvirt container, the users/groups and kvm device permissions are the following:

Host:
$ sudo cat /etc/group | egrep 'nova|libvirt|qemu|kvm'
nova:x:162:nova
libvirt:x:991:nova
kvm:x:36:qemu
qemu:x:107:
$ sudo cat /etc/passwd | egrep 'nova|libvirt|qemu|kvm'
nova:x:994:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
$ ls -lha /dev/kvm
crw-rw-rw- 1 root kvm 10, 232 Dez 15 12:11 /dev/kvm

Container:
# cat /etc/group | egrep 'nova|libvirt|qemu|kvm'
kvm:x:36:qemu,nova
qemu:x:107:
libvirt:x:993:
nova:x:42424:
# cat /etc/passwd | egrep 'nova|libvirt|qemu|kvm'
qemu:x:107:107:qemu user:/:/sbin/nologin
nova:x:42424:42424:nova user:/var/lib/nova:/usr/sbin/nologin

That is not quite what is currently seen on a stx Debian installation:
Host:
$ sudo cat /etc/group | egrep 'nova|libvirt|qemu|kvm'
nova:x:162:nova
libvirt:x:991:nova
kvm:x:102:
$ sudo cat /etc/passwd | egrep 'nova|libvirt|qemu|kvm'
nova:x:994:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
$ ls -lha /dev/kvm
crw-rw---- 1 root 36 10, 232 dez 14 20:25 /dev/kvm

Even after switching the libvirt container image to be the stx-libvirt-master-debian-*, some mismatch persists:
$ ls -lha /dev/kvm
crw-rw---- 1 root uuidd 10, 232 dez 14 23:54 /dev/kvm

This is probably because the user/group is not aligned from within the new container.
Container:
# cat /etc/passwd | egrep 'nova|libvirt|qemu|kvm'
nova:x:994:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
libvirt-qemu:x:64055:109:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
# cat /etc/group | egrep 'nova|libvirt|qemu|kvm'
nova:x:162:nova
libvirt:x:991:nova
kvm:x:109:nova
libvirt-qemu:x:64055:libvirt-qemu

Apparently we need to align the kvm group inside the container with the group on the host.
It also seems like we missed a couple of libvirt packages when porting it to Debian, mainly libvirt-daemon-system [1], which has a post-install script that creates the libvirt-qemu user accordingly.

Will be working on it now.

[1] https://salsa.debian.org/libvirt-team/libvirt/-/blob/debian/7.0.0-3/debian/libvirt-daemon-system.postinst
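The listings above show one numeric GID on /dev/kvm resolving to different names on the host and in the container. The following check is an added example, not part of the comment or of the StarlingX code: it compares the kvm GID in two group files against the device's numeric group owner. The function names are hypothetical, the sample files are constructed from the Debian listings above, and the uuidd GID of 109 is an assumption, since the comment does not show it.

```shell
#!/bin/sh
# Constructed sample data taken from the Debian listings in the comment.
# Assumption: uuidd has GID 109 on the host (not shown in the comment).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/host.group" <<'EOF'
nova:x:162:nova
libvirt:x:991:nova
kvm:x:102:
uuidd:x:109:
EOF
cat > "$WORK/container.group" <<'EOF'
nova:x:162:nova
libvirt:x:991:nova
kvm:x:109:nova
libvirt-qemu:x:64055:libvirt-qemu
EOF

# gid_of FILE NAME: numeric GID of group NAME in FILE, empty if absent.
gid_of() { awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"; }

# name_of FILE GID: the name GID resolves to in FILE, or the bare number
# when no entry matches (which is what ls prints in that case).
name_of() {
    awk -F: -v g="$2" '$3 == g { print $1; f = 1; exit }
                       END { if (!f) print g }' "$1"
}

# kvm_alignment HOST_GROUP CONTAINER_GROUP DEV_GID
# DEV_GID is the numeric group owner of the node: stat -c %g /dev/kvm
kvm_alignment() {
    host_kvm=$(gid_of "$1" kvm)
    cont_kvm=$(gid_of "$2" kvm)
    if [ -n "$host_kvm" ] && [ "$host_kvm" = "$cont_kvm" ] && [ "$3" = "$host_kvm" ]; then
        echo "aligned gid=$3"
    else
        echo "mismatch dev=$3 host_kvm=${host_kvm:-none} container_kvm=${cont_kvm:-none} host_sees=$(name_of "$1" "$3") container_sees=$(name_of "$2" "$3")"
    fi
}

# Device owned by GID 109, as set from inside the Debian container.
kvm_alignment "$WORK/host.group" "$WORK/container.group" 109
```

On a live system, pass the host's /etc/group, the container's /etc/group and the output of `stat -c %g /dev/kvm`.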