fix nvme by disabling qemu security driver

NVMe drives are attached via extra qemu commands, this causes launching of guests to fail as qemu cannot access the drives. On Fedora, setting the right ownership of the drives seems to make this work with SELinux. However this is not enough on Debian and Ubuntu where Apparmor still blocks reading of /var/lib/libvirt/images. As this is designed for dev work, this change disables the security driver for qemu to avoid this problem. It's better than disabling SELinux. This change adds a new variable `virt_infra_security_driver` which lets you set the driver you want to use. It is set to "none" by default in order to disable it. Depending on your host, set this in your kvmhost vars to either "selinux" or "apparmor" if you want to keep it enabled for your system. If someone knows of a proper fix for Debian/Ubuntu (Apparmor?) then please let me know. For a good explanation, see here: coreos/bugs#2083 (comment)
csmart · May 3, 2020 · a76ec44 · a76ec44
1 parent 7cdf1c5
commit a76ec44
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/tasks/validations.yml b/tasks/validations.yml
@@ -100,6 +100,32 @@
         executable: /bin/bash
       changed_when: false
 
+    # Set security driver on qemu (none/SELinux/Apparmor)
+    # Defaulting to "none" disables it and enables use of NVMe drives successfully on all distros
+    # Else we get permissions denied on NVMe disk images
+    - name: "KVM host only: Set libvirtd security driver"
+      lineinfile:
+        path: /etc/libvirt/qemu.conf
+        insertafter: '^#security_driver ='
+        regexp: '^security_driver ='
+        line: 'security_driver = "{{ virt_infra_security_driver | default("none") }}"'
+      register: result_qemuconf
+      when:
+        - inventory_hostname in groups['kvmhost']
+      become: true
+
+    - name: "KVM host only: Restart libvirtd if config changed"
+      service:
+        name: "libvirtd"
+        state: restarted
+        enabled: yes
+      register: result_libvirtd_restart
+      ignore_errors: yes
+      when:
+        - inventory_hostname in groups['kvmhost']
+        - result_qemuconf.changed
+      become: true
+
     - name: "KVM host only: Ensure libvirtd is running"
       service:
         name: "libvirtd"

diff --git a/vars/debian.yml b/vars/debian.yml
@@ -16,3 +16,6 @@ virt_infra_host_pkgs_deps:
   - python3-lxml
   - qemu-utils
   - virtinst
+
+virt_infra_host_image_owner: libvirt-qemu
+virt_infra_host_image_group: libvirt-qemu
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
@@ -14,3 +14,6 @@ virt_infra_host_pkgs_deps:
   - python3-lxml
   - qemu-utils
   - virtinst
+
+virt_infra_host_image_owner: libvirt-qemu
+virt_infra_host_image_group: libvirt-qemu