# Virtualization with qemu, libvirtd, virt-manager, ovmf

## wilsonmeier

Hey folks,

I hope someone can help me get things up and running.

The whole thing drives me totally crazy.

Currently I have 3 problems.

1. Root user (qemu:///system and qemu:///session) can see the OVMF UEFI image in virt-manager but cannot start the VM.

   -> Could not access KVM kernel module: Permission denied failed to initialize KVM: Permission denied

2. A normal user (qemu:///session) cannot see the OVMF UEFI image (dropdown shows only BIOS) but can start a VM using legacy BIOS.

   -> Libvirt did not detect any UEFI/OVMF firmware image installed on the host

3. A normal user (qemu:///system) can see the OVMF UEFI image in virt-manager but cannot start the VM.

   -> Could not access KVM kernel module: Permission denied failed to initialize KVM: Permission denied

Installed packages:

app-emulation/libvirt-1.3.0-r1

app-emulation/libvirt-glib-0.2.3

dev-python/libvirt-python-1.3.0

app-emulation/virt-manager-1.3.2

app-emulation/qemu-2.4.1-r2

OVMF from https://www.kraxel.org/repos/jenkins/edk2/ installed (with ebuild from local overlay) into /usr/share/edk2-ovmf/qemu

```
# ll /usr/share/edk2-ovmf/qemu
total 4,0M
drwxr-xr-x 1 root root   62 12. Jan 20:47 .
drwxr-xr-x 1 root root    8 12. Jan 20:47 ..
-rw-r--r-- 1 root qemu 2,0M 12. Jan 20:47 OVMF.fd
-rw-r--r-- 1 root qemu 1,9M 12. Jan 20:47 OVMF_CODE.fd
-rw-r--r-- 1 root qemu 128K 12. Jan 20:47 OVMF_VARS.fd
```

```
# ll /usr/share/qemu/OVMF.fd
lrwxrwxrwx 1 root root 33 12. Jan 20:47 /usr/share/qemu/OVMF.fd -> /usr/share/edk2-ovmf/qemu/OVMF.fd
```

```
# lsmod | grep kvm
kvm_intel             137463  0
kvm                   255864  1 kvm_intel
```

```
# ll /dev/kvm
crw-rw----+ 1 root root 10, 232  9. Jan 23:56 /dev/kvm
```

```
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib64/systemd/system/libvirtd.service; disabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/libvirtd.service.d
           └─00gentoo.conf
   Active: active (running) since Di 2016-01-12 21:28:18 CET; 18min ago
     Docs: man:libvirtd(8)
           http://libvirt.org
 Main PID: 20237 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           └─20237 /usr/sbin/libvirtd
```

```
# cat /etc/systemd/system/libvirtd.service.d/00gentoo.conf
# Uncomment the following three lines to start libvirtd with the '--listen'
# directive such that it listens for TCP/IP connections (honoring the
# listen_tls and listen_tcp settings in /etc/libvirt/libvirtd.conf). If
# libvirtd is started without the '--listen' parameter, network connection
# (for the daemon) is globally disabled:
# [Service]
# ExecStart=
# ExecStart=/usr/sbin/libvirtd --listen
```

```
virtlogd.service - Virtual machine log manager
   Loaded: loaded (/usr/lib64/systemd/system/virtlogd.service; indirect; vendor preset: enabled)
   Active: active (running) since Di 2016-01-12 21:47:33 CET; 1min 32s ago
     Docs: man:virtlogd(8)
           http://libvirt.org
 Main PID: 29181 (virtlogd)
   CGroup: /system.slice/virtlogd.service
           └─29181 /usr/sbin/virtlogd
```

```
# cat /etc/libvirt/qemu.conf| grep nvram
nvram = ["/usr/share/edk2-ovmf/qemu/OVMF.fd:/usr/share/edk2-ovmf/qemu/OVMF_VARS.fd"]
```

```
# cat /etc/passwd
...
qemu:x:77:77:added by portage for libvirt:/dev/null:/sbin/nologin
```

```
# cat /etc/group
kvm:x:78:qemu
qemu:x:77:
```

```
# emerge --info
Portage 2.2.26 (python 3.4.3-final-0, default/linux/amd64/13.0/desktop/plasma/systemd, gcc-5.3.0, glibc-2.21-r1, 4.3.3-gentoo x86_64)
=================================================================
System uname: Linux-4.3.3-gentoo-x86_64-Intel-R-_Core-TM-_i5-3570K_CPU_@_3.40GHz-with-gentoo-2.2
...
```

What am I missing?

Thanks

----------

## wilsonmeier

I tried a few things:

1. Change group of /dev/kvm and group of qemu in /etc/libvirt/qemu.conf to "kvm". Restarted libvirtd.

  -> Again: Permission denied

2. Change group of /dev/kvm and group of qemu in /etc/libvirt/qemu.conf to "qemu". Restarted libvirtd.

  -> Again: Permission denied

3. Change group of /dev/kvm and group of qemu in /etc/libvirt/qemu.conf to "root". Restarted libvirtd.

  -> Everything works

But this is more of a workaround.

Running the whole thing as root is not how it should be, is it?

----------

## mprivozn

Yes & no.

By default, libvirt will run qemu under whatever user the daemon is running as. Therefore, for the qemu:///system (which is the system-wide daemon running as root) the qemu will run under root:root.

If you want to run qemu under a different user, you need to reset /dev/kvm perms, enable dynamic_ownership in qemu.conf and set user= group= in the same file.

BTW: your /dev/kvm should be owned by root:kvm in order to allow the kvm group to set up VMs.

Also, you don't mention it in your post, but you should use OVMF_VARS.fd as a template for your domain, letting libvirt create a special one just for the domain. (`<nvram template='/path/to/OVMF_VARS.fd'/>`)

----------
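As an added example (not part of any post in this thread, and not libvirt's own code), this shell function evaluates the owner/group/mode check behind the "Permission denied" on /dev/kvm, using the values from the listings in the first post. The function name `kvm_access` and its argument order are made up for this illustration, and ACLs are ignored.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether USER can open a device
# node read-write from its owner, group and octal mode. Only the classic
# owner/group/other bits are evaluated; POSIX ACLs (the "+" in `ls -l`) and
# root's CAP_DAC_OVERRIDE are deliberately ignored.
#
# kvm_access USER "USER_GROUPS" OWNER GROUP MODE
#   USER_GROUPS       space-separated group names, e.g. from: id -Gn qemu
#   OWNER GROUP MODE  e.g. from: stat -c '%U %G %a' /dev/kvm
# Prints allow:<class> or deny:<class>; <class> is the single permission
# class the kernel picks (owner, else group, else other).
kvm_access() {
    user=$1 user_groups=$2 owner=$3 group=$4
    mode=$((0$5))                      # leading 0 => parse as octal
    if [ "$user" = "$owner" ]; then
        class=owner; bits=$(( (mode >> 6) & 7 ))
    else
        case " $user_groups " in
            *" $group "*) class=group; bits=$(( (mode >> 3) & 7 )) ;;
            *)            class=other; bits=$(( mode & 7 )) ;;
        esac
    fi
    # QEMU opens /dev/kvm O_RDWR, so both r (4) and w (2) are required.
    if [ $(( bits & 6 )) -eq 6 ]; then
        echo "allow:$class"
    else
        echo "deny:$class"
    fi
}

# Constructed inputs taken from the listings in the first post:
# qemu is in groups qemu and kvm; /dev/kvm is root:root mode 660.
kvm_access qemu "qemu kvm" root root 660   # deny:other
# Same user after the device is handed to group kvm (root:kvm):
kvm_access qemu "qemu kvm" root kvm 660    # allow:group
```

On a live host the arguments can be filled in with `kvm_access qemu "$(id -Gn qemu)" $(stat -c '%U %G %a' /dev/kvm)`; `getfacl /dev/kvm` shows any ACL entries this check does not cover.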

## hopchis

I've found that if I want to use uefi with a qemu user session while using virt-manager as a front-end, I have to create a local qemu.conf file at /home/user/.config/libvirt/qemu.conf

Since it is a user session, it does not read the system-wide configuration file but uses qemu defaults. You need to tell the user session where the nvram files are. You can simply copy the /etc/libvirt/qemu.conf file to /home/user/.config/libvirt/qemu.conf and delete every line other than the "nvram =" part. The first time I did this I restarted libvirtd and it seemed to take effect. After I made another change it didn't, which makes sense since the user session doesn't connect to libvirtd. I rebooted and the local configuration worked and the uefi was available in qemu user session mode.

----------

