
Thread: virt-manger ovmf

  1. #1
    Join Date
    Apr 2007
    Beans
    6

    virt-manger ovmf

    I want to configure a Virtual Machine graphically and the virt-manager, qemu packages offered by Ubuntu are a tad too old for my taste so I used the virtualization PPA for Ubuntu (ppa:jacob/virtualisation) to get the latest qemu and libvirt without getting into the headache of compiling them. After that I used

    Code:
    apt-get install ovmf
    to get the OVMF option in libvirt and virt-manager but virt-manager threw this warning:
    Libvirt did not detect any UEFI/OVMF firmware image installed on the host
    After some searching I found out that the OVMF image supplied with Ubuntu is quite old so I found a fairly recent one in the unstable packages of Debian 8. After I downloaded it I installed and restarted libvirt-bin using:

    Code:
    dpkg -i ovmf_0~20150106.5c2d456b-1_all.deb
    systemctl restart libvirt-bin
    But still virt-manager would not see OVMF. After some more searching I found this page that explains when virt-manager displays the warning:

    1) libvirt supports the necessary domcapabilities bits,
    2) it detects that qemu supports the necessary command line options, and
    3) libvirt detects a UEFI binary on the host that maps to a known template via qemu.conf
    After reading that I realized that the 3rd option was surely the problem, meaning that when I installed OVMF (either from the Ubuntu PPA or the deb package) it did not create the necessary links in /etc/libvirt/qemu.conf. Opening it I found at the bottom of the file that I have to list the OVMF images in this format:

    Code:
    nvram = [
       "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd"
    ]
    Here is where I hit a wall. I don't know what or how to make an OVMF_VARS file. I only have one image in /usr/share/ovmf/ and I don't understand how I can split it or what is the syntax for the qemu.conf file to put just the unified image.

    PS: I'm a noob when it comes to Linux & Virtualization so I'm sorry if my question seems easy or stupid.
    Last edited by darthrevan13; August 30th, 2015 at 10:57 AM.
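
Added example, not part of the original post or of libvirt: a shell check for the third condition quoted above. It reads the active `nvram = [ ... ]` list from a qemu.conf and reports whether each `CODE:VARS` entry names two readable files; the function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh check_nvram.sh /etc/libvirt/qemu.conf
# Run without arguments, it checks a constructed demo configuration instead.

# Print every "CODE:VARS" string of the active (uncommented) nvram = [ ... ] list.
list_nvram_pairs() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out lines are not active
        /^[ \t]*nvram[ \t]*=/ { inlist = 1 }
        inlist {
            line = $0
            while (match(line, /"[^"]+"/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if ($0 ~ /\]/) inlist = 0        # closing bracket ends the list
        }
    ' "$1"
}

# Returns 0 if every pair is readable, 1 if an entry is malformed or names an
# unreadable file, 2 if the file has no active nvram list.
check_nvram_pairs() {
    pairs=$(list_nvram_pairs "$1")
    [ -n "$pairs" ] || { echo "no active nvram list in $1"; return 2; }
    rc=0
    while IFS= read -r pair; do
        case $pair in
            *:*) code=${pair%%:*}; vars=${pair#*:} ;;
            *) echo "malformed (expected CODE:VARS): $pair"; rc=1; continue ;;
        esac
        ok=1
        for f in "$code" "$vars"; do
            [ -r "$f" ] || { echo "missing $f"; ok=0; rc=1; }
        done
        if [ "$ok" -eq 1 ]; then echo "ok $code $vars"; fi
    done <<EOF
$pairs
EOF
    return "$rc"
}

# Constructed demo: one complete pair, one pair without its VARS file, and a
# unified image listed on its own.
make_demo_conf() {
    : > "$1/OVMF_CODE.fd"; : > "$1/OVMF_VARS.fd"
    : > "$1/OVMF-pure-efi.fd"; : > "$1/OVMF.fd"
    cat > "$1/qemu.conf" <<EOF
#nvram = [ "/nonexistent/CODE.fd:/nonexistent/VARS.fd" ]
nvram = [
   "$1/OVMF_CODE.fd:$1/OVMF_VARS.fd",
   "$1/OVMF-pure-efi.fd:$1/OVMF_VARS-pure-efi.fd",
   "$1/OVMF.fd"
]
EOF
}

if [ "$#" -gt 0 ]; then check_nvram_pairs "$1"; else
    demo=$(mktemp -d); make_demo_conf "$demo"
    check_nvram_pairs "$demo/qemu.conf" || true; rm -rf "$demo"
fi
```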

  2. #2
    Join Date
    Sep 2012
    Beans
    579
    Distro
    Ubuntu Gnome 17.04 Zesty Zapus

    Re: virt-manger ovmf

    There aren't any packages with up-to-date ovmf builds in them so you need to work around...Gerd Hoffmann runs a daily OVMF build site, you can grab his files here (https://www.kraxel.org/repos/jenkins/edk2/). You need to grab the one with 'ovmf-x64' in the file name...within the .rpm archive find 2 files named 'OVMF-pure-efi.fd' and 'OVMF_VARS-pure-efi.fd', extract these and put them in /usr/share/qemu/, then change into the same directory and create a symbolic link using 'sudo ln -s OVMF-pure-efi.fd OVMF.fd'. Re-edit /etc/libvirt/qemu.conf and update the nvram link you noted in your post to reflect the new path i.e. /usr/share/qemu/.

    As you're using Jacob's PPA for updated virt tools then virt-manager should now work fine when you select OVMF from the drop list when creating a new vm.

  3. #3
    Join Date
    May 2013
    Beans
    6

    Re: virt-manger ovmf

    Quote Originally Posted by KillerKelvUK View Post
    There aren't any packages with up-to-date ovmf builds in them so you need to work around...Gerd Hoffmann runs a daily OVMF build site, you can grab his files here (https://www.kraxel.org/repos/jenkins/edk2/). You need to grab the one with 'ovmf-x64' in the file name...within the .rpm archive find 2 files named 'OVMF-pure-efi.fd' and 'OVMF_VARS-pure-efi.fd', extract these and put them in /usr/share/qemu/, then change into the same directory and create a symbolic link using 'sudo ln -s OVMF-pure-efi.fd OVMF.fd'. Re-edit /etc/libvirt/qemu.conf and update the nvram link you noted in your post to reflect the new path i.e. /usr/share/qemu/.

    As you're using Jacob's PPA for updated virt tools then virt-manager should now work fine when you select OVMF from the drop list when creating a new vm.

    I originally had a similar issue as that presented by darthrevan13. In my case, when attempting to create a VM using Virt-Manager 1.2.1 (from Jacob's PPA) with KVM on an Ubuntu 15.10 host, the pull down menu in Virt-Manager for selecting UEFI reported "UEFI not found" on the system.

    After following the steps that you provided, the pull down menu in Virt-Manager now allows me to select OVMF. So that's a big step forward. Thanks!

    However, I now get a new error message when I attempt to create a VM with OVMF. (I'll just note that I don't get any errors when using Virt-Manager 1.2.1 to create VMs that don't use OVMF.)

    Here's an example of the error that I get when I try to use my installation of Virt-Manager 1.2.1 (from Jacob's PPA) on Ubuntu 15.04 and 15.10 to create a VM with OVMF:

    Unable to complete install: 'internal error: cannot load AppArmor profile 'libvirt-e1318c23-8e80-4f2a-b3f9-9dfe9414da54''

    Traceback (most recent call last):
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 89, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/create.py", line 1873, in do_install
    guest.start_install(meter=meter)
    File "/usr/share/virt-manager/virtinst/guest.py", line 414, in start_install
    noboot)
    File "/usr/share/virt-manager/virtinst/guest.py", line 478, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
    File "/usr/lib/python2.7/dist-packages/libvirt.py", line 3497, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
    libvirtError: internal error: cannot load AppArmor profile 'libvirt-e1318c23-8e80-4f2a-b3f9-9dfe9414da54

    Care to share any thoughts on how to overcome the "cannot load AppArmor profile" error?
    Last edited by GizmoChicken; September 18th, 2015 at 10:08 AM.

  4. #4
    Join Date
    Sep 2012
    Beans
    579
    Distro
    Ubuntu Gnome 17.04 Zesty Zapus

    Re: virt-manger ovmf

    Quote Originally Posted by GizmoChicken View Post
    I originally had a similar issue as that presented by darthrevan13. In my case, when attempting to create a VM using Virt-Manager 1.2.1 (from Jacob's PPA) with KVM on an Ubuntu 15.10 host, the pull down menu in Virt-Manager for selecting UEFI reported "UEFI not found" on the system.

    After following the steps that you provided, the pull down menu in Virt-Manager now allows me to select OVMF. So that's a big step forward. Thanks!

    However, I now get a new error message when I attempt to create a VM with OVMF. (I'll just note that I don't get any errors when using Virt-Manager 1.2.1 to create VMs that don't use OVMF.)

    Here's an example of the error that I get when I try to use my installation of Virt-Manager 1.2.1 (from Jacob's PPA) on Ubuntu 15.04 and 15.10 to create a VM with OVMF:

    Unable to complete install: 'internal error: cannot load AppArmor profile 'libvirt-e1318c23-8e80-4f2a-b3f9-9dfe9414da54''

    Traceback (most recent call last):
    File "/usr/share/virt-manager/virtManager/asyncjob.py", line 89, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
    File "/usr/share/virt-manager/virtManager/create.py", line 1873, in do_install
    guest.start_install(meter=meter)
    File "/usr/share/virt-manager/virtinst/guest.py", line 414, in start_install
    noboot)
    File "/usr/share/virt-manager/virtinst/guest.py", line 478, in _create_guest
    dom = self.conn.createLinux(start_xml or final_xml, 0)
    File "/usr/lib/python2.7/dist-packages/libvirt.py", line 3497, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
    libvirtError: internal error: cannot load AppArmor profile 'libvirt-e1318c23-8e80-4f2a-b3f9-9dfe9414da54

    Care to share any thoughts on how to overcome the "cannot load AppArmor profile" error?
    Sure...

    Code:
    sudo apt-get purge apparmor  # (semi joke here so don't just copy/paste unless you know what you're doing!)
    Depends on whether you want to keep AppArmor or not, I'm sure the mods and other AppArmor supporters will be able to help narrow the problem and offer support but my personal solution was the above command, I don't run AppArmor on my VM host. If you were to google around to find out how to edit AppArmor profiles you will be able to locate the config file for the complaining profile, it's likely a file permissions issue to do with libvirt trying to access the new OVMF file/folder...from this you could attempt to update the AppArmor permissions allowed for libvirt. My personal experience is poor with AA however I prob haven't given it enough due attention.

    If I recall you will get more detailed AA output in dmesg and you can also set AA to complain mode so that it will prompt you if/when it denies access. These I think will confirm specifically what AA has a problem with, that will give you good input for some googling around.

    Sorry I can't be of more help on this one...unless you're happy to live without AA then I think my first answer is your ticket
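
Added example, not part of the original posts: one way to act on the dmesg suggestion above while keeping AppArmor installed. It collects the AppArmor records logged against libvirt-related profiles and prints, per path, the permissions that were refused, so that any rule added to a profile can be limited to those paths. The log records are constructed, and filtering on "libvirt" in the profile name is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. On a real host: dmesg | denials_to_rules
# Assumption: the profiles of interest have "libvirt" in their name.

# Constructed records in the kernel audit format (not captured from a host).
sample_log() {
    p='profile="libvirt-e1318c23-8e80-4f2a-b3f9-9dfe9414da54"'
    d=/usr/share/qemu
    cat <<EOF
audit: type=1400 audit(1.1:1): apparmor="DENIED" operation="open" $p name="$d/OVMF-pure-efi.fd" pid=42 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1.2:2): apparmor="DENIED" operation="open" $p name="$d/OVMF_VARS-pure-efi.fd" pid=42 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
audit: type=1400 audit(1.3:3): apparmor="DENIED" operation="file_lock" $p name="$d/OVMF_VARS-pure-efi.fd" pid=42 comm="qemu-system-x86" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
audit: type=1400 audit(1.4:4): apparmor="ALLOWED" operation="open" $p name="$d/OVMF_VARS-pure-efi.fd" pid=42 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1.5:5): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/tmp/x" pid=7 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Read log text on stdin; print "PATH PERMS,<TAB>PROFILE<TAB>COUNT" per path.
# Column 1 uses AppArmor rule syntax. ALLOWED is what complain mode logs.
denials_to_rules() {
    awk '
        # Return the value of key="value" from the current record.
        function field(key,    s) {
            if (!match($0, " " key "=\"[^\"]*\"")) return ""
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
            return s
        }
        # Map logged masks to rule permissions; create (c) and delete (d) fall under w.
        function perms(mask,    p) {
            p = ""
            if (mask ~ /r/) p = p "r"
            if (mask ~ /[wcd]/) p = p "w"
            if (mask ~ /k/) p = p "k"
            if (mask ~ /m/) p = p "m"
            return (p == "") ? "?" : p      # "?" (e.g. exec) needs a manual decision
        }
        /apparmor="(DENIED|ALLOWED)"/ {
            prof = field("profile"); path = field("name")
            if (prof !~ /libvirt/ || path == "") next
            key = prof "\t" path
            masks[key] = masks[key] field("denied_mask"); hits[key]++
        }
        END {
            for (key in masks) {
                split(key, f, "\t")
                printf "%s %s,\t%s\t%d\n", f[2], perms(masks[key]), f[1], hits[key]
            }
        }
    ' | LC_ALL=C sort
}

sample_log | denials_to_rules
```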

  5. #5
    Join Date
    May 2013
    Beans
    6

    Re: virt-manger ovmf

    Quote Originally Posted by KillerKelvUK View Post
    Sure...

    Code:
    sudo apt-get purge apparmor  # (semi joke here so don't just copy/paste unless you know what you're doing!)
    Depends on whether you want to keep AppArmor or not, I'm sure the mods and other AppArmor supporters will be able to help narrow the problem and offer support but my personal solution was the above command, I don't run AppArmor on my VM host. If you were to google around to find out how to edit AppArmor profiles you will be able to locate the config file for the complaining profile, it's likely a file permissions issue to do with libvirt trying to access the new OVMF file/folder...from this you could attempt to update the AppArmor permissions allowed for libvirt. My personal experience is poor with AA however I prob haven't given it enough due attention.

    If I recall you will get more detailed AA output in dmesg and you can also set AA to complain mode so that it will prompt you if/when it denies access. These I think will confirm specifically what AA has a problem with, that will give you good input for some googling around.

    Sorry I can't be of more help on this one...unless you're happy to live without AA then I think my first answer is your ticket
    Thanks for the reply. Much appreciated!

    Just to confirm, you also experienced the "cannot load AppArmor profile" error when attempting to create a VM with OVMF? And to get past that error, you purged AppArmor?

    Well, I'm not quite ready to employ the "sudo apt-get purge apparmor" nuclear option just yet. And while I'm not opposed to editing AppArmor profiles, I had hoped that I could overcome the problem otherwise, such as by editing permissions on some files, which, as you speculate, is the likely culprit. When/if I get a chance, I'll do some more digging. I may even try again using the QEMU command line in an attempt to rule in/out libvirt's participation in the error.

    By the way, I did ask for support on the virt-tools-list a few weeks ago, but so far, no answer. See https://www.redhat.com/archives/virt.../msg00064.html

  6. #6
    Join Date
    May 2008
    Beans
    94

    Re: virt-manger ovmf

    did you install the standard Ubuntu ovmf package first? I installed this before anything else in order to ensure the correct links permissions etc were in place ... then installed the latest from Gerd's repository over the top ... and didn't experience any problems

    fwiw I had a number of issues with AppArmor interfering with virtualisation & passthrough, not this one tho. I recall having to work my way thru all the logs and even went so far as to create my own AppArmor entries in /etc/apparmor.d/libvirt/ ..... unnecessarily as it happens
    then after more tinkering I found I could operate successfully using my own (non admin) logon if I made the following changes to /etc/apparmor.d/abstractions/libvirt-qemu
    Code:
      # WARNING: this gives the guest direct access to host hardware and specific
      # portions of shared memory. This is required for sound using ALSA with kvm,
      # but may constitute a security risk. If your environment does not require
      # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
      # the rules for files in /dev.
      /{dev,run}/shm r,
      # ================ START Changes ================ #
      /{dev,run}/shm/pulse-shm* rw,
      @{HOME}/.config/puls** rwk,
      @{HOME}/** r,
      # Only necessary if running as root, which we no longer are
      #/root/.config/puls** rwk,
      #/root/.asoundrc r,
      /dev/vfio/* rw,
      /dev/hugepages/libvirt** rw,
      # ================ END Changes ================ #
      /{dev,run}/shmpulse-shm* r,
      /{dev,run}/shmpulse-shm* rwk,
      /dev/snd/* rw,
      capability ipc_lock,
    I'm not suggesting you need the same ... but it suggests some useful entries

    you may need to add a line to provide read write access to the vars files along the lines of
    Code:
    /usr/share/qemu/OVMF** rwk,
    good luck

  7. #7
    Join Date
    May 2013
    Beans
    6

    Re: virt-manger ovmf

    Quote Originally Posted by redger View Post
    did you install the standard Ubuntu ovmf package first? I installed this before anything else in order to ensure the correct links permissions etc were in place ... then installed the latest from Gerd's repository over the top ... and didn't experience any problems

    fwiw I had a number of issues with AppArmor interfering with virtualisation & passthrough, not this one tho. I recall having to work my way thru all the logs and even went so far as to create my own AppArmor entries in /etc/apparmor.d/libvirt/ ..... unnecessarily as it happens
    then after more tinkering I found I could operate successfully using my own (non admin) logon if I made the following changes to /etc/apparmor.d/abstractions/libvirt-qemu
    Code:
      # WARNING: this gives the guest direct access to host hardware and specific
      # portions of shared memory. This is required for sound using ALSA with kvm,
      # but may constitute a security risk. If your environment does not require
      # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
      # the rules for files in /dev.
      /{dev,run}/shm r,
      # ================ START Changes ================ #
      /{dev,run}/shm/pulse-shm* rw,
      @{HOME}/.config/puls** rwk,
      @{HOME}/** r,
      # Only necessary if running as root, which we no longer are
      #/root/.config/puls** rwk,
      #/root/.asoundrc r,
      /dev/vfio/* rw,
      /dev/hugepages/libvirt** rw,
      # ================ END Changes ================ #
      /{dev,run}/shmpulse-shm* r,
      /{dev,run}/shmpulse-shm* rwk,
      /dev/snd/* rw,
      capability ipc_lock,
    I'm not suggesting you need the same ... but it suggests some useful entries

    you may need to add a line to provide read write access to the vars files along the lines of
    Code:
    /usr/share/qemu/OVMF** rwk,
    good luck

    Hi redger,

    Thanks much for the suggestions. Much appreciated. Unfortunately, none of those AppArmor edits, at least in my hands, seems to have overcome the error.

    Just for kicks, I tried KillerKelvUK's (semi-joking) suggestion to purge AppArmor. Sure enough, after purging AppArmor, I can create and run VMs using OVMF with virt-manager. For me, that's not a long-term option. But it's good to know that the error truly does result from some aberrant interaction with AppArmor.

    I've been testing on Ubuntu 15.10 pre-release. After the official release, I'll try again with a clean install. Maybe something will have been cleared up by then.

    GizmoChicken
    Last edited by GizmoChicken; September 29th, 2015 at 01:23 PM.

  8. #8
    Join Date
    May 2008
    Beans
    94

    Re: virt-manger ovmf

    I also added comments similar to above apparmor entries into /etc/libvirt/qemu.conf

    Code:
    # ============= Start Change ============== #
    cgroup_device_acl = [
        "/dev/null", "/dev/full", "/dev/zero",
        "/dev/random", "/dev/urandom",
        "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
        "/dev/rtc","/dev/hpet", "/dev/vfio/vfio",
        "/dev/vfio/1", "/dev/vfio/14", "/dev/vfio/15", "/dev/vfio/16", "/dev/vfio/17",
        "/dev/shm", "/root/.config/pulse", "/dev/snd",
    ]
    # ============= End Change ============== #
    Plus some other possibilities
    Code:
    # Notes: The DAC security driver is always enabled; as a result, the
    # value of security_driver cannot contain "dac".  The value "none" is
    # a special value; security_driver can be set to that value in
    # isolation, but it cannot appear in a list of drivers.
    #
    #security_driver = "selinux"
    # ============= Start Change ============== #
    # Setting to None Didn't help me - might help you (I set mine back to apparmor)
    #security_driver = "apparmor"
    security_driver = "none"
    # ============= End Change ============== #
    Code:
    # If set to non-zero, then attempts to create unconfined
    # guests will be blocked. Defaults to 0.
    # ============= Start Change ============== #
    security_require_confined = 0
    #security_require_confined = 1
    # ============= End Change ============== #
    If you're passing hardware through, this may also help
    Code:
    relaxed_acs_check = 1
    Also in /etc/libvirt/qemu.conf you could set libvirt to run as root (not recommended, but you can do it - I have commented these out in my copy)
    Code:
    # ============= Start Change ============== #
    user = "root"
    
    # The group for QEMU processes run by the system instance. It can be
    # specified in a similar way to user.
    group = "root"
    # ============= End Change ============== #
    plus one or 2 other possibilities in the same file (you may not need all these, but I'll document them anyway)
    Code:
    hugetlbfs_mount = "/dev/hugepages"
    Code:
    clear_emulator_capabilities = 1
    Code:
    vnc_allow_host_audio = 1
    Code:
    nographics_allow_host_audio = 1
    once again .. good luck

  9. #9
    Join Date
    Oct 2015
    Beans
    12

    Re: virt-manger ovmf

    With regards to the AppArmor profile issue noted above by GizmoChicken, I have noticed that adding:
    Code:
    security_driver = "none"
    to /etc/libvirt/qemu.conf seems to resolve the issue (don't forget to systemctl restart libvirt-bin.service).

  10. #10
    Join Date
    Mar 2013
    Beans
    27

    Re: virt-manger ovmf

    download the ovmf deb package from Debian's website make sure it's the newer unstable version. migrate to downloads via terminal and use command sudo dpkg -i ovmf.........
    after sudo virsh edit (your vm name) add this in the os section of your xml file


    <os>

    <loader readonly='yes' type='rom'>/usr/share/ovmf/OVMF.fd</loader> <!-- add this line -->

    </os>
