Libvirt, KVM USB redirection fails #27199

Closed
ghost opened this issue Jul 7, 2017 · 15 comments

@ghost

ghost commented Jul 7, 2017

Issue description

Using USB redirect fails with 'Insufficient permissions'.

Steps to reproduce

Enable libvirtd and KVM, spin up VM with virt-manager/virsh, try to access USB on spice client.

Technical details

NixOS 17.09pre110213.01c3847b9c

@0xABAB
Contributor

0xABAB commented Jul 7, 2017

This needs more information. For example, you are not specifying via which user you are trying to do these things.

@ghost
Author

ghost commented Jul 7, 2017

User is in wheel and libvirtd. I have found the same issue discussed on Arch, with some hack changing ownership of the device to group 'spice'. Also, from the same thread, assigning the device manually before starting the VM should work (I haven't tested this yet, ongoing).

@ghost
Author

ghost commented Jul 7, 2017

Changing the ownership of /dev/bus/usb to 'spice' and adding the user to it works.
It seems the Arch ppl were using a newer spice-gtk (0.13.3) than I was (0.13). I'm updating now to get the same version and give it a try.

@sjau

sjau commented Nov 27, 2017

I'm facing the same issue with virt-manager. Also I have no group "spice". Can you tell me how you got it to work?

Relevant portions of my configuration.nix:

    # Define a user account. Don't forget to set a password with ‘passwd’.
    users.defaultUserShell = "/var/run/current-system/sw/bin/bash";
    users.extraUsers.${mySecrets.user} = {
        isNormalUser = true;    # creates home, adds to group users, sets default shell
        description = "${mySecrets.user}";
        extraGroups = [ "networkmanager" "vboxusers" "wheel" "audio" "cdrom" "kvm" "libvirtd" ]; # wheel is for the sudo group
        uid = 1000;
        initialHashedPassword = "${mySecrets.hashedpasswd}";
    };


    # Enable libvirtd daemon
    virtualisation.libvirtd = {
        enable = true;
        enableKVM = true;
    };
    services.spice-vdagentd.enable = true;

    environment.systemPackages = with pkgs; [
        ......
        spice
        win-spice
        virtmanager
        virt-viewer
        ......
    ];

@ghost
Author

ghost commented Jan 20, 2018

I think I also have this issue.

EDIT: Well, for what it's worth, I solved the issue for that device by adding a udev rule similar to https://github.com/sjau/nixos/blob/master/configuration.nix

@bjornfor
Contributor

I use this brute force udev rule:

    # Access to /dev/bus/usb/* devices. Needed for virt-manager USB
    # redirection.
    SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664", GROUP="wheel"

(Not sure it's a good idea in general. I'm afraid it may conflict with other more fine grained rules.)

@steveej
Contributor

steveej commented Jan 20, 2018

I run virt-manager with sudo at the moment to work around this issue. Not ideal either but at least I don't have to modify permissions manually.

Another problem I have is that USB auto redirection is not working. Can you confirm this? Manual redirection doesn't work well when flashing firmware to a device that intermittently reboots with a different device id.

@ghost
Author

ghost commented Jan 21, 2018

I'd probably rather modify perms for a usb device via udev (I think this is actually sort of the generally accepted method) than run it as root. :/

If by auto redirection you mean automatically redirecting when you plug it in, I pleasantly discovered that's a thing by accident and it does in fact work with the udev solution. Presumably because it does keep its ID.

I don't know why your device changes its ID? I thought device IDs were static values....
Ah, unless whatever reflashing you're doing changes your ID. I think udev maybe has other matching functionality so maybe it can match on name for example? If there is actually anything you could match on, probably https://wiki.archlinux.org/index.php/udev#List_attributes_of_a_device should help find it.

I really don't know if this is a good idea at all, but maybe it would be possible to just shotgun get access to all usb devices.

It would be nice if the root cause for this could get fixed but I have no idea what the proper fix would be. I guess it's pretty useless to say this since that's probably what everyone wants.

@sjau

sjau commented Jan 21, 2018

I also modified it by udev:

    # Make smartcard reader and label printer accessible to everyone, so they can be passed to the VM
    services.udev.extraRules = ''
        SUBSYSTEM=="usb", ATTR{idVendor}=="072f", ATTR{idProduct}=="90cc", GROUP="users", MODE="0777"
        SUBSYSTEM=="usb", ATTR{idVendor}=="04f9", ATTR{idProduct}=="2043", GROUP="users", MODE="0777"
    '';

@ghost
Author

ghost commented Jan 21, 2018

Yes your solution is what I used. :) Lucky google find.

@sjau

sjau commented Jan 21, 2018

still annoying though :)

@steveej
Contributor

steveej commented Jan 21, 2018

> If by auto redirection you mean automatically redirecting when you plug it in, I pleasantly discovered that's a thing by accident and it does in fact work with the udev solution. Presumably because it does keep its ID.

Nice to hear that it's not generally broken on NixOS ;-) However, it's not a permission issue on my end. I have tried both, using sudo and granting access to my user via udev rules.
The issue for me is that virt-manager does not even attempt to redirect automatically, and I have to manually redirect each device.

xeji added a commit to xeji/nixpkgs that referenced this issue Mar 4, 2018
Build with polkit and acl to enable usb redirection
in virt-viewer and virt-manager. Fixes NixOS#27199
usb redirection requires a setuid wrapper, see comment in code.
@theotheroracle
Contributor

theotheroracle commented Jul 22, 2023

i'm still experiencing this issue
i'm using a user-session, if that's the issue, i do this so i can use gnome-boxes

i tried adding the above rules: SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664", GROUP="wheel"
from #27199 (comment)

and i tried adding

    SUBSYSTEM=="usb", GROUP="libvirtd", MODE="0660"
    SUBSYSTEM=="usb_device", GROUP="libvirtd", MODE="0660"

from https://bbs.archlinux.org/viewtopic.php?pid=1628757#p1628757

and i still get the same error

fpletz reopened this Jul 27, 2023
@theotheroracle
Contributor

i think it may have been that i just needed to enable spiceguestadditions, under virtualization options, further testing may be needed

@bjornfor
Contributor

bjornfor commented Nov 6, 2023

Yes, all that should be needed is virtualisation.spiceUSBRedirection.enable = true;. I've been using it for a few NixOS releases.

@bjornfor bjornfor closed this as completed Nov 6, 2023
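
Added example (not code from this thread or from nixpkgs): a small Python check that parses the udev rules quoted in the comments above and flags the ones that re-permission every USB device node, set world-writable or execute bits, or hand access to the `users` group. The finding names, the `BROAD_GROUPS` choice and `SCOPED_RULE` are assumptions of this example.

```python
import re

# One udev token: KEY, operator, quoted value (e.g. ATTR{idVendor}=="072f", MODE="0777").
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]+\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')

# Rules quoted in the thread above, used here as sample input.
THREAD_RULES = [
    'SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", MODE="0664", GROUP="wheel"',
    'SUBSYSTEM=="usb", ATTR{idVendor}=="072f", ATTR{idProduct}=="90cc", GROUP="users", MODE="0777"',
    'SUBSYSTEM=="usb", GROUP="libvirtd", MODE="0660"',
]
# Constructed for this example: one device, one dedicated group, no world access.
SCOPED_RULE = ('SUBSYSTEM=="usb", ATTR{idVendor}=="072f", ATTR{idProduct}=="90cc", '
               'GROUP="libvirtd", MODE="0660"')
# Assumption: groups that every interactive account is a member of.
BROAD_GROUPS = ("users",)

def parse_rule(line):
    """Split a rule into match keys (==, !=) and assignment keys (=, +=, :=)."""
    matches, assigns = {}, {}
    for key, op, value in TOKEN.findall(line):
        (matches if op in ("==", "!=") else assigns)[key] = value
    return matches, assigns

def audit_rule(line):
    """Return sorted findings for a rule that changes access to USB device nodes."""
    matches, assigns = parse_rule(line)
    if matches.get("SUBSYSTEM") not in ("usb", "usb_device"):
        return []                      # not a USB rule
    if "MODE" not in assigns and "GROUP" not in assigns:
        return []                      # does not touch permissions
    findings = set()
    mode = int(assigns.get("MODE") or "0", 8)
    if mode & 0o002:
        findings.add("world-writable")   # any local account can drive the device
    if mode & 0o111:
        findings.add("execute-bits")     # meaningless on a device node
    if assigns.get("GROUP") in BROAD_GROUPS:
        findings.add("broad-group")
    if not ("ATTR{idVendor}" in matches and "ATTR{idProduct}" in matches):
        findings.add("all-usb-devices")  # applies to keyboards, tokens, disks alike
    return sorted(findings)

if __name__ == "__main__":
    for rule in THREAD_RULES + [SCOPED_RULE]:
        print(audit_rule(rule) or ["ok"], "<-", rule)
```
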