-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to Run non-root VM with SWTPM #840
Comments
Has this socket file been used before ? Before the |
The socket file is created automatically and is torn down after the virt-install failure. |
Did you restart libvirtd so it re-reads the config file? |
Yes. I tried restarting the services and rebooting. The changes to |
I think it's a libvirt issue because libvirt is setting ownership on the socket file in |
I think I got it working! I changed the I'm testing now but it looks good so far. |
It's quite possible that with my user changing experiments I did not hit the same issue you are seeing. Your issue may be during the
|
Maybe this additional sentence, if acceptable to libvirt community, would help resolve the issue:
|
I think it's also worth noting that the |
Are you sure? I thought that the swtpm socket always gets user and group of the QEMU process so that the QEMU process can access the socket (with mode 0600). |
At least on my systems, it was definitely creating the swtpm socket with |
Libvirt runs swtpm with |
I maintain RHEL9 development machines which are configured to allow libvirt/qemu VMs to be run by regular (non-root/sudo) users. We use Unix socket groups to facilitate this non-root access and it works well.
The problem comes in when trying to use SWTPM. I can configure the
swtpm_group
setting in/etc/libvirt/qemu.conf
and it works to change the group ownership of the swtpm socket in/run/libvirt/qemu/swtpm/
. However, the POSIX permissions on the socket are 0600, so the group ownership change is moot; even though the socket is owned by the correct group, users still cannot use the socket.Steps to reproduce the behavior:
dnf install swtpm swtwpm-tools
/etc/libvirt/qemu.conf
, setting swtpm_group to a group of which the standard users are membersvirt-install --connect qemu:///system --name vm01 --memory=8192 --vcpus=4 --cdrom /shared-scratch/virtual-machines/standard.user/BOOT_ISO.iso --disk /data/scratch/vms/standard.user/vm01-system.qcow2,cache=writeback,bus=virtio --disk /data/scratch/vms/standard.user/vm01-storage.qcow2,cache=writeback,bus=virtio --graphics=vnc --tpm backend.type=emulator,backend.version=2.0,model=tpm-tis --os-variant=rhel9.3 --console pty,target_type=serial
Expected behavior
I expect the swtpm socket to be accessible by the standard user based on group membership.
Instead, the following error is displayed:
The socket perms look as follows:
Desktop:
Versions of relevant components
The text was updated successfully, but these errors were encountered: