View Issue Details

IDProjectCategoryView StatusLast Update
0010608CentOS-7libvirtpublic2016-04-07 16:45
Reportermenonbros Assigned To 
PrioritynoneSeveritymajorReproducibilityalways
Status newResolutionopen 
Platformx86_64OSCentOS Linux release 7.2.1511 
Product Version7.2.1511 
Summary0010608: Could not access KVM kernel module: Permission denied
DescriptionPermission denied: Unable to create vm's using virt-install command

Steps To Reproduce1. Installed CentOS7.0 (3.10.0-123.el7.x86_64)
2. Upgrade to CentOS7.2 (3.10.0-327.10.1.el7.x86_64) using 'yum upgrade -y'
3. Create a virtual machine using the below command

[root@ganesh ~]# virt-install --name r68server --ram=1024 --disk path=/vmimages/r68server.img --cdrom /iso/test.iso

Starting install...
ERROR internal error: early end of file from monitor: possible problem:
Could not access KVM kernel module: Permission denied
failed to initialize KVM: Permission denied
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start r68server
otherwise, please restart your installation.
Additional Informationlibvirt-1.2.17-13.el7_2.3.x86_64
qemu-2.0.0-1.el7.6.x86_64
virt-install-1.2.1-8.el7.noarch

[root@3.10.0-123.el7.x86_64]# ls -l /dev/kvm
crw-------. 1 root root 10, 232 Mar 24 14:17 /dev/kvm

[root@3.10.0-123.el7.x86_64]# cat /var/log/libvirt/qemu/r68server.log
2016-03-24 15:27:59.699+0000: starting up libvirt version: 1.2.17, package: 13.el7_2.3 (CentOS BuildSystem <http://bugs.centos.org>, 2016-02-16-17:06:00, worker1.bsys.centos.org), qemu version: 2.0.0
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=spice /usr/bin/qemu-system-x86_64 -name r68server -S -machine pc-i440fx-2.0,accel=kvm,usb=off -cpu Opteron_G3 -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 7a5a7d5b-fd4a-4e8c-8401-4123eaaa0022 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-r68server/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-reboot -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x6.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x6 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x6.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x6.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/vmimages/r68server.img,if=none,id=drive-ide0-0-0,format=qcow2 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -drive file=/iso/RHEL-6.7-20150702.0-Server-x86_64-dvd1.iso,if=none,id=drive-ide0-0-1,readonly=on,format=raw -device ide-cd,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=1 -netdev tap,fd=23,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:85:33:6a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5900,addr=127.0.0.1,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on
char device redirected to /dev/pts/3 (label charserial0)
Could not access KVM kernel module: Permission denied
failed to initialize KVM: Permission denied
TagsNo tags attached.
abrt_hash
URL

Activities

menonbros

menonbros

2016-03-24 18:35

reporter   ~0026128

[root@3.10.0-123.el7.x86_64]# lsmod | grep kvm
kvm_amd 65072 0
kvm 525409 1 kvm_amd

cat /var/log/messages
Mar 24 14:19:59 journal: libvirt version: 1.2.17, package: 13.el7_2.3 (CentOS BuildSystem <http://bugs.centos.org>, 2016-02-16-17:06:00, worker1.bsys.centos.org)
Mar 24 14:19:59 journal: Unable to read from monitor: Connection reset by peer
Mar 24 14:19:59 journal: internal error: early end of file from monitor: possible problem:#012Could not access KVM kernel module: Permission denied#012failed to initialize KVM: Permission denied
ie_philwyett

ie_philwyett

2016-03-30 22:10

reporter   ~0026178

What does the following command return.

sudo systemctl list-units | grep libvirt
menonbros

menonbros

2016-04-06 16:56

reporter   ~0026221

[root@ganesh ~]# sudo systemctl list-units | grep libvirt
libvirtd.service loaded active running Virtualization daemon
menonbros

menonbros

2016-04-06 17:13

reporter   ~0026222

Please ignore my earlier comment.

1. I saw the below in /var/log/messages so after reading sealert message set "setsebool -P virt_use_execmem 1", but even after that installation fails.

virt_use_execmem on

[root@ganesh ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

===Installed RPMS===
selinux-policy-3.13.1-60.el7_2.3.noarch
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64

==/var/log/messages===
Apr 6 22:31:27 ganesh setroubleshoot: SELinux is preventing /usr/bin/qemu-system-x86_64 from using the execmem access on a process. For complete SELinux messages. run sealert -l 1e8cd6ae-11e4-4903-97f6-fd2d58ce3c91
Apr 6 22:31:27 ganesh python: SELinux is preventing /usr/bin/qemu-system-x86_64 from using the execmem access on a process.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to allow virt to use execmem#012Then you must tell SELinux about this by enabling the 'virt_use_execmem' boolean.#012#012Do#012setsebool -P virt_use_execmem 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012If you believe that qemu-system-x86_64 should be allowed execmem access on processes labeled svirt_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012

2. systemctl status libvirtd.service shows the permission denied error.
[root@ganesh ~]# systemctl status libvirtd.service
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-04-06 22:21:10 IST; 18min ago
     Docs: man:libvirtd(8)
           http://libvirt.org
 Main PID: 2225 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           ├─2225 /usr/sbin/libvirtd
           ├─2319 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─2320 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper

Apr 06 22:21:12 ganesh dnsmasq[2319]: read /etc/hosts - 2 addresses
Apr 06 22:21:12 ganesh dnsmasq[2319]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Apr 06 22:21:12 ganesh dnsmasq-dhcp[2319]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Apr 06 22:26:21 ganesh libvirtd[2225]: libvirt version: 1.2.17, package: 13.el7_2.3 (CentOS BuildSystem <http://bugs.centos.org>, 2016-02-16-17:06:00, wo...entos.org)
Apr 06 22:26:21 ganesh libvirtd[2225]: Unable to read from monitor: Connection reset by peer
Apr 06 22:26:21 ganesh libvirtd[2225]: internal error: early end of file from monitor: possible problem:
Could not access KVM kernel module: Permission denied failed to initialize KVM: Permission denied...
Apr 06 22:31:26 ganesh libvirtd[2225]: failed to connect to monitor socket: No such process
Apr 06 22:31:26 ganesh libvirtd[2225]: internal error: process exited while connecting to monitor: Could not access KVM kernel module: Permission denied failed to initialize KVM: Permission denied
Apr 06 22:34:25 ganesh libvirtd[2225]: failed to connect to monitor socket: No such process
Apr 06 22:34:25 ganesh libvirtd[2225]: internal error: process exited while connecting to monitor: Could not access KVM kernel module: Permission denied failed to initialize KVM: Permission denied
menonbros

menonbros

2016-04-07 16:45

reporter   ~0026228

Able to get rid of the above issue after setting user/group = root in /etc/libvirt/qemu.conf file. Domains are now getting created.

Issue History

Date Modified Username Field Change
2016-03-24 18:32 menonbros New Issue
2016-03-24 18:35 menonbros Note Added: 0026128
2016-03-30 22:10 ie_philwyett Note Added: 0026178
2016-04-06 16:56 menonbros Note Added: 0026221
2016-04-06 17:13 menonbros Note Added: 0026222
2016-04-07 16:45 menonbros Note Added: 0026228