/dev/kvm: permission denied for libvirtd

Bug #1891092 reported by Russell Wing
This bug affects 2 people
Affects: libvirt (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Install 20.04, patch, install kvm, install cockpit. Attempt to create VM via web UI, appears momentarily then disappears and states no VMs. Querying via virsh shows the VM has been created.

This used to work fine, and seems to have stopped with latest patches as of a week or so back. May have imagined but I think I saw recent patches for libvirtd?

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: cockpit 215-1
ProcVersionSignature: Ubuntu 5.4.0-42.46-generic 5.4.44
Uname: Linux 5.4.0-42-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.6
Architecture: amd64
CasperMD5CheckResult: pass
Date: Mon Aug 10 22:22:31 2020
InstallationDate: Installed on 2020-08-10 (0 days ago)
InstallationMedia: Ubuntu-Server 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: cockpit
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Russell Wing (cyberruss) wrote :

Been testing further. Based on errors relating to apparmor tried complain mode for libvirtd followed by reboot and completely disabling apparmor. However no difference and these messages are still in the logs.

Seeing this error in the log:

Unable to open /dev/kvm: Permission denied
CODE_FILE ../../../src/util/virhostcpu.c
CODE_FUNC virHostCPUGetTscInfo
CODE_LINE 1338
LIBVIRT_CODE 38
LIBVIRT_DOMAIN 0
LIBVIRT_SOURCE util.error
PRIORITY 3
SYSLOG_FACILITY 24
_AUDIT_LOGINUID 1000
_AUDIT_SESSION 2
_BOOT_ID 8298d387029b4a00ab2c4ff8889ee65e
_CAP_EFFECTIVE 0
_CMDLINE /usr/sbin/libvirtd --timeout=120
_COMM libvirtd
_EXE /usr/sbin/libvirtd
_GID 1000
_HOSTNAME pdukvm02
_MACHINE_ID b8db10128faf4d6bb85f42a6bf07a3b8
_PID 1337
_SELINUX_CONTEXT unconfined
_SOURCE_REALTIME_TIMESTAMP 1597131226041764
_SYSTEMD_CGROUP /user.slice/user-1000.slice/user@1000.service/dbus.service
_SYSTEMD_INVOCATION_ID 8bd95fa9bc554d5587ed2f307645b7f0
_SYSTEMD_OWNER_UID 1000
_SYSTEMD_SLICE user-1000.slice
_SYSTEMD_UNIT user@1000.service
_SYSTEMD_USER_SLICE -.slice
_SYSTEMD_USER_UNIT dbus.service
_TRANSPORT journal
_UID 1000
__CURSOR s=7a07741964f14008b73e6164241c5bad;i=3c21;b=8298d387029b4a00ab2c4ff8889ee65e;m=17975743;t=5ac9517634db1;x=72d57812f6b29d92
__MONOTONIC_TIMESTAMP 395794243
__REALTIME_TIMESTAMP 1597131226041777

Preceded by:

Failed to read AppArmor profiles list '/sys/kernel/security/apparmor/profiles': Permission denied
CODE_FILE ../../../src/security/security_apparmor.c
CODE_FUNC profile_status
CODE_LINE 87
LIBVIRT_CODE 38
LIBVIRT_DOMAIN 24
LIBVIRT_SOURCE util.error
PRIORITY 3
SYSLOG_FACILITY 24
_AUDIT_LOGINUID 1000
_AUDIT_SESSION 2
_BOOT_ID 8298d387029b4a00ab2c4ff8889ee65e
_CAP_EFFECTIVE 0
_CMDLINE /usr/sbin/libvirtd --timeout=120
_COMM libvirtd
_EXE /usr/sbin/libvirtd
_GID 1000
_HOSTNAME pdukvm02
_MACHINE_ID b8db10128faf4d6bb85f42a6bf07a3b8
_PID 1337
_SELINUX_CONTEXT unconfined
_SOURCE_REALTIME_TIMESTAMP 1597131226002371
_SYSTEMD_CGROUP /user.slice/user-1000.slice/user@1000.service/dbus.service
_SYSTEMD_INVOCATION_ID 8bd95fa9bc554d5587ed2f307645b7f0
_SYSTEMD_OWNER_UID 1000
_SYSTEMD_SLICE user-1000.slice
_SYSTEMD_UNIT user@1000.service
_SYSTEMD_USER_SLICE -.slice
_SYSTEMD_USER_UNIT dbus.service
_TRANSPORT journal
_UID 1000
__CURSOR s=7a07741964f14008b73e6164241c5bad;i=3c20;b=8298d387029b4a00ab2c4ff8889ee65e;m=1796c0aa;t=5ac951762b718;x=9fc636c6f52c48c2
__MONOTONIC_TIMESTAMP 395755690
__REALTIME_TIMESTAMP 1597131226003224

Revision history for this message
Russell Wing (cyberruss) wrote :

Further update...works when you use the session option to create the VM (rather than system).

Horribly slow though with all the negatives of using session rather than system.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cockpit (Ubuntu):
status: New → Confirmed
Revision history for this message
thomas (thve25) wrote :

Virtual machines are not showing up in cockpit for me either.

user@1000.service
Unable to open /dev/kvm: Permission denied
CODE_FILE ../../../src/util/virhostcpu.c
CODE_FUNC virHostCPUGetTscInfo
CODE_LINE 1338
LIBVIRT_CODE 38
LIBVIRT_DOMAIN 0
LIBVIRT_SOURCE util.error
PRIORITY 3
SYSLOG_FACILITY 24
_AUDIT_LOGINUID 1000
_AUDIT_SESSION 231
_BOOT_ID ed32e050bf3f4c6c9e65a444fc97d558
_CAP_EFFECTIVE 0
_CMDLINE /usr/sbin/libvirtd --timeout=120
_COMM libvirtd
_EXE /usr/sbin/libvirtd
_GID 1000
_HOSTNAME server
_MACHINE_ID d069092338e6405383d6f01c79c3c8c6
_PID 3386417
_SELINUX_CONTEXT libvirtd (enforce)
_SOURCE_REALTIME_TIMESTAMP 1599991665126197
_SYSTEMD_CGROUP /user.slice/user-1000.slice/user@1000.service/dbus.service
_SYSTEMD_INVOCATION_ID 19a6f696a48c42f09fd220d96e1c6736
_SYSTEMD_OWNER_UID 1000
_SYSTEMD_SLICE user-1000.slice
_SYSTEMD_UNIT user@1000.service
_SYSTEMD_USER_SLICE -.slice
_SYSTEMD_USER_UNIT dbus.service
_TRANSPORT journal
_UID 1000
__CURSOR s=ba94d4384f73448dbe1298e0846a518e;i=1dd14;b=ed32e050bf3f4c6c9e65a444fc97d558;m=9fd342ffa7;t=5af2f16d7eb43;x=3420629679f7ad8d
__MONOTONIC_TIMESTAMP 686444183463
__REALTIME_TIMESTAMP 1599991665126211

Revision history for this message
Martin Pitt (pitti) wrote :

> Unable to open /dev/kvm: Permission denied

This means that you need to allow access to /dev/kvm. For the "session" mode you most probably need to add your user to the "kvm" group. On a desktop this happens via dynamic "local seat" ACLs, but not on a remote server.

For "system" mode this smells like AppArmor interfering and blocking access to /dev/kvm to libvirt?

This does not happen in a default OS install, so I don't know how that breaks on your system. Either way, this is far outside of what cockpit-machines does, so reassigning to libvirt.

summary: - Fresh install of cockpit on 20.04 after patching can no longer manage
- virtual machines
+ /dev/kvm: permission denied for libvirt
summary: - /dev/kvm: permission denied for libvirt
+ /dev/kvm: permission denied for libvirtd
affects: cockpit (Ubuntu) → libvirt (Ubuntu)
Revision history for this message
Paride Legovini (paride) wrote :

Hello, I doubt this is a libvirt bug either. Please make sure your user is in the 'kvm' group as Martin suggested. To check for AppArmor issues please run

  sudo dmesg -W

on a terminal and then try to reproduce the issue. If there's an AppArmor issue you'll see lines like:

[183041.589586] audit: type=1400 audit(1704369117.010:742): apparmor="DENIED" operation="open" class="file" profile= ...

showing up on dmesg. If this is the case, please copy/paste them here.

Changed in libvirt (Ubuntu):
status: Confirmed → Incomplete
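
The two checks suggested in the comments above (group access to /dev/kvm for session mode, AppArmor denials in dmesg for system mode), as an added example that is not part of the original thread or of libvirt or cockpit. The function names are hypothetical, the sample kernel log lines are constructed, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: triage helpers for "Unable to open /dev/kvm: Permission denied".
# Function names are hypothetical; the log lines below are constructed samples.
SAMPLE_DMESG='[100.000001] audit: type=1400 audit(1700000000.010:101): apparmor="DENIED" operation="open" profile="libvirtd" name="/dev/kvm" pid=4242 comm="libvirtd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
[100.000002] audit: type=1400 audit(1700000000.020:102): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirtd" pid=900 comm="apparmor_parser"
[100.000003] audit: type=1400 audit(1700000000.030:103): apparmor="DENIED" operation="open" profile="example-profile" name="/tmp/example" pid=4300 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# Read kernel log lines on stdin; print "profile operation name denied_mask"
# for every AppArmor denial whose target is $1 (default /dev/kvm).
apparmor_denials_for() {
    target=${1:-/dev/kvm}
    grep -F 'apparmor="DENIED"' | grep -F "name=\"$target\"" |
    sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \1 \3 \4/p'
}

# $1 = owning group of the device, $2 = octal mode, remaining args = the
# user's groups. Succeeds only if the group bits grant rw and the user is in it.
group_grants_rw() {
    dev_group=$1; mode=$2; shift 2
    gdigit=$(printf '%s' "$mode" | sed 's/.*\(.\).$/\1/')   # group digit of the mode
    case $gdigit in 6|7) ;; *) return 1 ;; esac
    for g in "$@"; do [ "$g" = "$dev_group" ] && return 0; done
    return 1
}

# Report how (or whether) the current process can open the device read-write.
# id -Gn lists the groups of this login session, so a group added with
# usermod only shows up after logging in again.
check_kvm_access() {
    dev=${1:-/dev/kvm}
    if [ ! -e "$dev" ]; then echo "$dev: not present"; return 0; fi
    set -- $(stat -c '%G %a' "$dev")
    if group_grants_rw "$1" "$2" $(id -Gn); then
        echo "$dev: rw via group $1 (mode $2)"
    elif [ -r "$dev" ] && [ -w "$dev" ]; then
        echo "$dev: rw, but not via group $1 (owner, other bits or an ACL)"
    else
        echo "$dev: no rw access for $(id -un); group is $1, mode $2"
    fi
}

printf '%s\n' "$SAMPLE_DMESG" | apparmor_denials_for /dev/kvm
check_kvm_access /dev/kvm
```

On a live host, pipe `sudo dmesg` into `apparmor_denials_for` after reproducing the failure instead of using the sample lines.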
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for libvirt (Ubuntu) because there has been no activity for 60 days.]

Changed in libvirt (Ubuntu):
status: Incomplete → Expired