NFS pool in KVM

Hi everybody,

Via virsh pool-define-as we created a pool using an NFS storage. The pool could be started and is visible in both UVMM and virsh.

<pool type='netfs'>
  <name>isopool</name>
  <uuid>22d29f9a-00df-4e8c-9df5-765c6f7c199c</uuid>
  <capacity unit='bytes'>5892566810624</capacity>
  <allocation unit='bytes'>2482581798912</allocation>
  <available unit='bytes'>3409985011712</available>
  <source>
    <host name='s01'/>
    <dir path='/volume1/isopool'/>
    <format type='auto'/>
  </source>
  <target>
    <path>/mnt/isopool</path>
    <permissions>
      <mode>0777</mode>
      <owner>111</owner>
      <group>122</group>
    </permissions>
  </target>
</pool>

When we start a guest system that has an ISO file mounted from that NFS pool, we get a permission denied message:

Fehler beim Starten der Domain: internal error: process exited while connecting to monitor: 2018-01-16T15:52:13.799517Z qemu-system-x86_64: -drive file=/mnt/isopool/UIU-PE10-Capture-64.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on: Could not open '/mnt/isopool/UIU-PE10-Capture-64.iso': Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 88, in cb_wrapper
    callback(asyncjob, *args, **kwargs)

We already changed the ownership to the libvirt-qemu user and set the permissions of the file and folder to 0777.

The error seems to be a well-known behaviour when SELinux is involved. We often got the suggestion to run
setsebool -P virt_use_nfs 1
UCS is not using SELinux, right? Because the setsebool command could not be found on our UCS 4.2.

Cheers
Sebastian

Yes, UCS does not use (or support) SELinux.

Please be aware that if you use NFS, you must synchronize the numeric user and group identifiers used by Qemu/kvm, e.g. ‘libvirt-qemu’. Otherwise the libvirt daemons will “fight” over the right UID/GID when re-labeling files when a VM is started or stopped.
The qemu process runs as user libvirt-qemu and libvirtd tries to change the permissions of the files so qemu is able to open them. libvirtd is running as user root, which has the permission CAP_FOWNER to change the ownership of files, but this does not work if you use root-squashing with NFS. Make sure to use no_root_squash in /etc/exports on your NFS server!

Also check the setting of “user”, “group”, “dynamic_ownership” in /etc/libvirt/qemu.conf.

You should check the permissions of /mnt/isopool/UIU-PE10-Capture-64.iso manually.
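
The checks listed in the answer above, as an added example that is not part of the thread or of libvirt: it reads "user", "group" and "dynamic_ownership" from qemu.conf text and walks the path down to the image, reporting the first directory or file whose mode bits deny a given numeric UID/GID. The function names and the `start` parameter are hypothetical, and the fallback user libvirt-qemu is the one named in the thread.

```python
import os, pwd, re, stat, sys

def parse_qemu_conf(text):
    """Return the active user/group/dynamic_ownership settings from qemu.conf text."""
    found = {}
    for line in text.splitlines():
        m = re.match(r'\s*(user|group|dynamic_ownership)\s*=\s*"?([^"#\s]+)"?', line)
        if m:  # lines starting with '#' never match, so commented defaults are skipped
            found[m.group(1)] = m.group(2)
    return found

def allowed(st, uid, gids, want):
    """Owner/group/other mode-bit check; want is 4 (read) or 1 (search)."""
    if st.st_uid == uid:
        return bool((st.st_mode >> 6) & want)
    if st.st_gid in gids:
        return bool((st.st_mode >> 3) & want)
    return bool(st.st_mode & want)

def first_denied(path, uid, gids, start=os.sep):
    """Walk from start down to path; return (entry, owner_uid, owner_gid, mode) of the
    first entry that uid/gids cannot search (directories) or read (the image), else None.
    Mode bits only: ACLs and NFS server-side squashing are not visible here."""
    path, cur = os.path.abspath(path), os.path.abspath(start)
    chain = [cur]
    for comp in os.path.relpath(path, cur).split(os.sep):
        cur = os.path.join(cur, comp)
        chain.append(cur)
    for entry in chain:
        st = os.stat(entry)
        if not allowed(st, uid, gids, 4 if entry == path else 1):
            return entry, st.st_uid, st.st_gid, oct(stat.S_IMODE(st.st_mode))
    return None

if __name__ == "__main__":
    image = sys.argv[1]  # e.g. the ISO path from the error message
    with open("/etc/libvirt/qemu.conf") as fh:
        conf = parse_qemu_conf(fh.read())
    user = conf.get("user", "libvirt-qemu")  # assumed fallback: the user named in the thread
    pw = pwd.getpwnam(user)
    # Assumption: the qemu process holds this user's normal group list.
    gids = set(os.getgrouplist(user, pw.pw_gid))
    print("qemu.conf:", conf, "-> numeric uid", pw.pw_uid, "gid", pw.pw_gid)
    print("first denied entry:", first_denied(image, pw.pw_uid, gids))
```

Run it on every KVM host that mounts the pool: the numeric uid printed for the qemu user should be identical on all of them and match the owner shown on the NFS export.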
