Today, I started my Arch Linux virtual machine using the virsh start command and ended up with this error:
Failed to start domain 'Archlinux_default'
error: Cannot access storage file '/home/sk/.local/share/libvirt/images/Archlinux_default.img' (as uid:107, gid:107): Permission denied
It is actually a Vagrant machine created with the KVM Libvirt provider.
Then, I tried again to start the VM using the vagrant up command. It also displayed the same error.
Bringing machine 'default' up with 'libvirt' provider…
==> default: Checking if box 'archlinux/archlinux' version '20210601.24453' is up to date…
==> default: Starting domain.
There was an error talking to Libvirt. The error message is shown below:
Call to virDomainCreateWithFlags failed: Cannot access storage file '/home/sk/.local/share/libvirt/images/Archlinux_default.img' (as uid:107, gid:107): Permission denied
Just to be sure, I tried one more time to start the VM from the Virt-manager GUI application. It returned the same error.
All the error messages explicitly say that the qemu user does not have read permission to the Libvirt storage directory.
In this brief tutorial, allow me to show you how to fix "error: Failed to start domain ... error: Cannot access storage file .... (as uid:107, gid:107): Permission denied" in KVM Libvirt.
Fix "Cannot access storage file, Permission denied Error" in KVM Libvirt
This is one of the common KVM Libvirt errors. It usually occurs after changing the path of Libvirt's default storage directory.
A few days ago, I moved the Libvirt storage location to my $HOME directory. That's why I get this error.
We can fix it in two ways.
Method 1:
Step 1: Edit the /etc/libvirt/qemu.conf file:
$ sudo nano /etc/libvirt/qemu.conf
Step 2: Find the user and group directives. By default, both are set to "root".
[...]
# Some examples of valid values are:
#
#       user = "qemu"   # A user named "qemu"
#       user = "+0"     # Super user (uid=0)
#       user = "100"    # A user named "100" or a user with uid=100
#
#user = "root"

# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "root"
[...]
Uncomment both lines, then set user to your username and group to libvirt, as shown below:
[...]
# Some examples of valid values are:
#
#       user = "qemu"   # A user named "qemu"
#       user = "+0"     # Super user (uid=0)
#       user = "100"    # A user named "100" or a user with uid=100
#
user = "sk"

# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
group = "libvirt"
[...]
Press CTRL+O and press ENTER to save the changes, then press CTRL+X to exit the file.
Step 3: Restart the libvirtd service:
$ sudo systemctl restart libvirtd
Step 4: Please make sure the user is a member of the libvirt group. If not, add the user to the libvirt group using the command:
$ sudo usermod -a -G libvirt $(whoami)
Step 5: Finally start the VM:
$ virsh start Archlinux_default
If you prefer to use vagrant, run this instead:
$ vagrant up
This time the Virtual machine should start.
Step 6: Check the VM status:
$ virsh list
Or,
$ vagrant status
Method 2:
Another way to fix the KVM Libvirt permission issue is to set the proper ACL permission on the Libvirt storage pool directory. In my case, the storage pool directory is located in my $HOME directory.
Step 1: Let us get the current ACL permissions of the $HOME directory.
$ sudo getfacl -e /home/sk/
Sample output:
getfacl: Removing leading '/' from absolute path names
# file: home/sk/
# owner: sk
# group: sk
user::rwx
user:qemu:--x #effective:--x
group::--- #effective:---
mask::--x
other::---
As you see in the above output, the qemu user doesn't have read permission to the storage pool location. In some distributions, the user name might be libvirt-qemu.
Step 2: Set the read and executable permission for the user qemu using the command:
$ sudo setfacl -m u:qemu:rx /home/sk/
Replace qemu and /home/sk/ with your own.
Now, the qemu user has read and executable permission over the storage pool directory. You can verify it using command:
$ sudo getfacl -e /home/sk/
Sample output:
getfacl: Removing leading '/' from absolute path names
# file: home/sk/
# owner: sk
# group: sk
user::rwx
user:qemu:r-x #effective:--x
group::--- #effective:---
mask::--x
other::---
Step 3: Restart libvirtd service:
$ sudo systemctl restart libvirtd
Now the Libvirt guest machines will start without any issue.
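To find which directory on the way to the image actually stops the qemu account, so that the ACL is granted only where it is needed, the following added example (not part of the original guide) walks the path one component at a time. The names first_blocked, probe_as_qemu and QEMU_USER are hypothetical, and the default probe assumes sudo is allowed to run test as that account.

```shell
#!/bin/sh
# Added example: report the first path component that a given account cannot
# pass. QEMU needs search (x) on every ancestor directory and read (r) on the
# image itself; it does not need read on the ancestors.

# Default probe: run test(1) as the QEMU account. QEMU_USER is an assumption;
# set it to libvirt-qemu on distributions that name the account that way.
QEMU_USER="${QEMU_USER:-qemu}"
probe_as_qemu() { sudo -u "$QEMU_USER" test "$1" "$2"; }

# first_blocked PATH [PROBE]
# Prints the first component that fails and returns 1; prints nothing and
# returns 0 when the whole path is usable. PROBE is called as: PROBE -x|-r PATH
first_blocked() {
    target=$1
    probe=${2:-probe_as_qemu}
    case $target in
        /*) ;;
        *) echo "need an absolute path: $target" >&2; return 2 ;;
    esac
    dir=""
    rest=${target#/}
    # Walk /a, /a/b, ... for every ancestor directory of the file.
    while [ "${rest#*/}" != "$rest" ]; do
        dir="$dir/${rest%%/*}"
        rest=${rest#*/}
        if ! "$probe" -x "$dir"; then
            echo "$dir (no search permission)"
            return 1
        fi
    done
    # The last component is the image file: it must be readable.
    if ! "$probe" -r "$target"; then
        echo "$target (no read permission)"
        return 1
    fi
    return 0
}
```

Call it as first_blocked /home/sk/.local/share/libvirt/images/Archlinux_default.img. An empty result while the VM still fails to start points away from file permissions, for example at the AppArmor policy described in the comments.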
Conclusion
In this guide, we discussed why we get "cannot access storage file permission denied" error in KVM libvirt and how to fix it in two different ways in Linux.
6 comments
Hey, SK, clear accurate instructions.
Thanks for the assist!
Option 1 worked like a charm, was an update that broke it. Figured there was a conf file overwritten.
Thanks for posting
In my case (Debian 10), the reason why I was being denied access to the images residing in $HOME/.local/share/libvirt/images was libvirt’s AppArmor policy. It explicitly denies access to files that reside in hidden folders under $HOME. I found that out by looking at the journalctl logs. In the end I decided to move the images to a non-hidden folder and the issue disappeared. You could alternatively mess with libvirt’s AppArmor policy or set the security driver in qemu.conf to “none”, which I don’t really recommend.
Method 1 of this guide is the only way to get this to work easily without requiring you to dive deep into permission hell.
Thanks a lot.
I am using Linux Mint 21 and after following the instructions in both procedures I still have the same problem.
That’s odd. I tested both methods on my testing system and they worked as expected.