Permissions of files in /etc/libvirt/qemu are too restrictive

Bug #235386 reported by Brian Pitts
Affects: libvirt (Ubuntu)
Status: Invalid
Importance: Wishlist
Assigned to: Unassigned

Bug Description

As a user in the groups kvm and libvirtd I created VMs with virt-install and virt-manager. I edited the xml file defining these VMs to change the amount of RAM allocated to them, but when I tried to reload the VM definitions in virsh as instructed at https://help.ubuntu.com/community/KVM it complained that it could not read them.

/etc/libvirt/qemu$ ls -l
total 16
-rw------- 1 root root 849 2008-05-27 23:31 fedora9.xml
drwxr-xr-x 3 root root 4096 2008-05-04 20:41 networks
-rw------- 1 root root 830 2008-05-05 18:51 opensolaris.xml
-rw------- 1 root root 855 2008-05-27 23:31 opensuse103.xml

$ virsh --connect qemu:///system
Connecting to uri: qemu:///system
Welcome to virsh, the virtualization interactive terminal.

Type: 'help' for help with commands
       'quit' to quit

virsh # define /etc/libvirt/qemu/fedora9.xml
error: Failed to open '/etc/libvirt/qemu/fedora9.xml': Permission denied

virsh # define /etc/libvirt/qemu/opensuse103.xml
error: Failed to open '/etc/libvirt/qemu/opensuse103.xml': Permission denied

Soren Hansen (soren) wrote :

This makes no sense. The libvirtd process managing qemu:///system runs as root, so that should work fine. Did you change libvirtd.conf in some way?

Changed in libvirt:
status: New → Incomplete
Brian Pitts (bpitts) wrote :

No, I have not changed the configuration. libvirtd may be running as root, but virsh is running as me. It tries to open the file and fails.

When I

virsh # define /etc/libvirt/qemu/opensolaris.xml
error: Failed to open '/etc/libvirt/qemu/opensolaris.xml': Permission denied

strace on virsh shows

open("/etc/libvirt/qemu/opensolaris.xml", O_RDONLY) = -1 EACCES (Permission denied)

Soren Hansen (soren) wrote :

Ah, yes, I misread your original report. I'm not sure why you're trying to define a domain that is already defined? The files in /etc/libvirt/qemu describe domains that are already defined, so defining them again would be a no-op. What are you actually trying to do?

Brian Pitts (bpitts) wrote :

I had edited the xml file to change some settings of the domain.

According to https://help.ubuntu.com/community/KVM#head-3d3cc318838c52784822e7550dfba68bc7f25084

"If you have made a change to the XML configuration file, you need to tell KVM to reload it before restarting the VM:

virsh # define /etc/libvirt/qemu/mirror.xml
Domain mirror defined from /etc/libvirt/qemu/mirror.xml"

If these instructions are wrong, perhaps someone who knows the proper procedure should show that wiki page some love; it references running "define" for an existing domain several times.

Brian Pitts (bpitts) wrote :

This bug is marked as incomplete. Is there any more information I can provide?

Bryan McLellan (btm) wrote :

I can confirm.

If you load virsh as a user in the libvirtd group, and define a domain from a user readable xml file, libvirt creates a copy in /etc/libvirt/qemu/ that's mode 600 root/root. The user can no longer read these files.

One could use 'dumpxml domain', copy and paste into a new file, then modify the file, and redefine it to update the configuration.

Perhaps these config files should have group access.

Also, I noticed that when connecting to virsh as a regular user, using 'save' to save a machine's state still creates a root-owned mode 0600 output file.

Bryan McLellan (btm)
Changed in libvirt:
status: Incomplete → Confirmed
Mario Zigliotto (marioz) wrote :

Brian,
Have you found a workaround?

Brian Pitts (bpitts) wrote :

@Mario: I think the process Bryan describes is the way to do it.

E.G.

$ virsh dumpxml foo > /tmp/foo.xml
(edit /tmp/foo.xml as needed)
$ virsh define /tmp/foo.xml

Changed in libvirt (Ubuntu):
importance: Undecided → Wishlist
Jamie Strandboge (jdstrand) wrote :

The files in /etc/libvirt/qemu are designed to be used and managed by libvirt and not to be edited by hand. The correct and documented way to make changes to your machine definition is mentioned in comment #8 in this bug.

Changed in libvirt (Ubuntu):
status: Confirmed → Invalid
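
The dumpxml, edit, define procedure from the comments above, as an added example that is not part of the original bug report or of libvirt: it goes slightly beyond the thread by keeping the working copy in a private mktemp file instead of a fixed name under /tmp, and it never reads the root-owned files in /etc/libvirt/qemu. The function name redefine_domain is hypothetical, and virsh is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or from libvirt): the
# dumpxml -> edit -> define procedure with a private scratch file.
# Assumptions: the function name redefine_domain is hypothetical; virsh is
# on PATH; the caller may talk to the URI (default qemu:///system).
# Usage: redefine_domain DOMAIN [URI]

redefine_domain() {
    domain=$1
    uri=${2:-qemu:///system}
    if [ -z "$domain" ]; then
        echo "usage: redefine_domain DOMAIN [URI]" >&2
        return 2
    fi

    # mktemp creates the file mode 0600 under an unpredictable name, unlike a
    # fixed /tmp/foo.xml that another local user could pre-create or symlink.
    tmp=$(mktemp "${TMPDIR:-/tmp}/domain.XXXXXX") || return 1

    # Ask libvirtd for the current definition instead of reading the
    # root-owned 0600 copy in /etc/libvirt/qemu.
    if ! virsh --connect "$uri" dumpxml "$domain" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    before=$(cksum < "$tmp")
    if ! ${EDITOR:-vi} "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Skip the define when the editor left the XML untouched.
    if [ "$before" = "$(cksum < "$tmp")" ]; then
        echo "no changes made; domain '$domain' not redefined" >&2
        rm -f "$tmp"
        return 0
    fi

    # Hand the edited XML back to libvirtd, which rewrites its own copy.
    rc=0
    virsh --connect "$uri" define "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```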