How to convert a raw disk image to a copy-on-write image based on another image for use with kvm and virt-manager?

qemu kvm-virtualization libvirt qcow2

This issue was caused by the way libvirt uses apparmor.

The default behavior is to provide some protection for the host against the guest by restricting which files the virtualization process on the host is allowed to access. libvirt knows that the virtualization process (kvm in this case) needs the disk image in order to operate properly, so it creates an apparmor profile which allows access to windowsxp-1.qcow2. However, it doesn't know that windowsxp-1.qcow2 is backed by basewindowsxp.qcow2, so the apparmor profile doesn't allow access to that file.

It's unfortunate that the error reporting from kvm is so minimal. The underlying failure was almost certainly an EPERM when opening basewindowsxp.qcow, but apparently this error gets flattened out and the useful information lost.

However, reading the system logs will reveal that apparmor is doing something. For example,

May 28 13:12:28 hostname kernel: [ 5338.835932] type=1503 audit(1275066748.269:42): operation="open" pid=10601 parent=1 profile="libvirt-b1a29fd0-698c-11df-9c21-f78cb972735d" requested_mask="::w" denied_mask="::w" fsuid=0 ouid=1001 name="/var/lib/libvirt/images/basewindowsxp.img"

This shows what happens when an apparmor profile denies write access to a file for a process. Each time the vm startup failed because of this misconfiguration, this log message appeared in /var/log/messages.

There are several possible solutions to the problem.

1) Disable apparmor protection. This is controllable via the virt-manager GUI. In the overview section, security subsection, apparmor can be disabled.

2) Manually allow access to the extra file. This is controlled by modifying the apparmor files in /etc/apparmor.d/libvirt/ directory. Adding a line like:

"/var/lib/libvirt/images/basewindowsxp.img" r,

to the file matching the uuid of the vm in question will grant read access to the filename in quotes.

3) Upgrade to a newer version of apparmor/libvirt/the base platform and re-create the VMs. Apparently this misconfiguration has been noticed and is addressed automatically in new enough versions of the software in question.

Related

Replace symbolic-link with target
compromised site
VirtualBox in production? [closed]
Which filesystem would you use when you need to share data between linux and windows in dual-boot setup?
How to change the HTTP GZIP Compression Level for Dynamic Content in IIS7?
Colocation vs Dedicated hosting?
What are your thoughts on whether or not to use a bastion host
ossec features vs snort / tripwire for pci compliance
Exchange 2010 Public Folders High Availability or Load Balancing
Use wakeonlan by hostname rather than MAC/IP
Windows 2003 Domain. Best way to assign permisions to technical support
Artificially burden the CPU