dhiltgen / docker-machine-kvm

KVM driver for docker-machine
Apache License 2.0

Permission problems when creating VM on Slackware #46

Open audriusk opened 7 years ago

audriusk commented 7 years ago

I intend to publish a Slackware build script for docker-machine-kvm so that other Slackware users could benefit from it. I have the script written, but I'm experiencing permission problems when trying to use docker-machine-kvm.

docker-machine version is 0.11.0, libvirt is 3.2.0, qemu is 2.8.1. libvirt is built using --with-qemu-group=users; in /etc/libvirt/qemu.conf group is set to users as well, and the line where user is set is commented out. qemu is built to set /dev/kvm group to users. Let me know if you need additional information.

When trying to create a VM, the following happens:

$ docker-machine -D create -d kvm myvm1         
Docker Machine Version:  0.11.0, build 5b27455
Found binary path at /usr/bin/docker-machine-driver-kvm
Launching plugin server for driver kvm
Plugin server listening at address 127.0.0.1:35505
() Calling .GetVersion
Using API Version  1
() Calling .SetConfigRaw
() Calling .GetMachineName
(flag-lookup) Calling .GetMachineName
(flag-lookup) Calling .DriverName
(flag-lookup) Calling .GetCreateFlags
Found binary path at /usr/bin/docker-machine-driver-kvm
Launching plugin server for driver kvm
Plugin server listening at address 127.0.0.1:37091
() Calling .GetVersion
Using API Version  1
() Calling .SetConfigRaw
() Calling .GetMachineName
(myvm1) Calling .GetMachineName
(myvm1) Calling .DriverName
(myvm1) Calling .GetCreateFlags
(myvm1) Calling .SetConfigFromFlags
(myvm1) DBG | SetConfigFromFlags called
Running pre-create checks...
(myvm1) Calling .PreCreateCheck
(myvm1) DBG | About to check libvirt version
(myvm1) DBG | Validating private network
(myvm1) DBG | Validating network default
(myvm1) Calling .GetConfigRaw
Creating machine...
(myvm1) Calling .Create
(myvm1) DBG | local Boot2Docker ISO version:  v17.05.0-ce
(myvm1) Copying /home/audrius/.docker/machine/cache/boot2docker.iso to /home/audrius/.docker/machine/machines/myvm1/boot2docker.iso...
(myvm1) Creating SSH key...
(myvm1) DBG | Verifying executable bit set on /home/audrius/.docker/machine/machines/myvm1
(myvm1) DBG | Setting executable bit set on /home/audrius/.docker/machine/machines/myvm1
(myvm1) DBG | Verifying executable bit set on /home/audrius/.docker/machine/machines
(myvm1) DBG | Verifying executable bit set on /home/audrius/.docker/machine
(myvm1) DBG | Verifying executable bit set on /home/audrius/.docker
(myvm1) DBG | Verifying executable bit set on /home/audrius
(myvm1) DBG | Verifying executable bit set on /home
(myvm1) DBG | Creating VM data disk...
(myvm1) DBG | Creating 20000 MB hard disk image...
(myvm1) DBG | Defining VM...
(myvm1) DBG | Starting VM myvm1
(myvm1) Failed to start: virError(Code=1, Domain=10, Message='internal error: process exited while connecting to monitor: 2017-05-27T17:30:39.454975Z qemu-kvm: -drive file=/home/audrius/.docker/machine/machines/myvm1/myvm1.img,format=raw,if=none,id=drive-ide0-0-0,aio=threads: Could not open '/home/audrius/.docker/machine/machines/myvm1/myvm1.img': Permission denied')
Error creating machine: Error in driver during machine creation: virError(Code=1, Domain=10, Message='internal error: process exited while connecting to monitor: 2017-05-27T17:30:39.454975Z qemu-kvm: -drive file=/home/audrius/.docker/machine/machines/myvm1/myvm1.img,format=raw,if=none,id=drive-ide0-0-0,aio=threads: Could not open '/home/audrius/.docker/machine/machines/myvm1/myvm1.img': Permission denied')
notifying bugsnag: [Error creating machine: Error in driver during machine creation: virError(Code=1, Domain=10, Message='internal error: process exited while connecting to monitor: 2017-05-27T17:30:39.454975Z qemu-kvm: -drive file=/home/audrius/.docker/machine/machines/myvm1/myvm1.img,format=raw,if=none,id=drive-ide0-0-0,aio=threads: Could not open '/home/audrius/.docker/machine/machines/myvm1/myvm1.img': Permission denied')]

The permissions of VM files:

$ ls -l ~/.docker/machine/machines/myvm1/
total 39960
-rw------- 1 root    users    40894464 May 27 20:30 boot2docker.iso
-rw------- 1 audrius users        2685 May 27 20:30 config.json
-rw------- 1 audrius users        1679 May 27 20:30 id_rsa
-rw------- 1 audrius users         381 May 27 20:30 id_rsa.pub
-rw-r--r-- 1 root    root  20971520000 May 27 20:30 myvm1.img

I've found that the only way to make it work is to set user to myself (audrius) and group to users in /etc/libvirt/qemu.conf, but setting it like this causes permission problems with existing regular VMs in /var/lib/libvirt/images/ and doesn't feel right in general.

zakame commented 6 years ago

@audriusk I figured this one out: it is due to ~/.docker/machine/machines/myvm1 not having the executable bit set for group:

...
(docker-machine-01) DBG | Verifying executable bit set on /home/zakame/.docker/machine/machines/docker-machine-01
(docker-machine-01) DBG | Setting executable bit set on /home/zakame/.docker/machine/machines/docker-machine-01
(docker-machine-01) DBG | Verifying executable bit set on /home/zakame/.docker/machine/machines
(docker-machine-01) DBG | Verifying executable bit set on /home/zakame/.docker/machine
(docker-machine-01) DBG | Verifying executable bit set on /home/zakame/.docker
(docker-machine-01) DBG | Verifying executable bit set on /home/zakame
(docker-machine-01) DBG | Verifying executable bit set on /home
...
[zakame:~] 5s 1 % ls -l .docker/machine/machines/                  
total 0
drwx-----x 1 zakame users 126 Jul 19 18:06 docker-machine-01

Adding the group execute bit on the machine-specific directory (in my case, docker-machine-01) will make it work:

[zakame:~] % chmod g+x .docker/machine/machines/docker-machine-01/
[zakame:~] % docker-machine -D start docker-machine-01           
Docker Machine Version:  0.12.0, build 45c69ad
Found binary path at /home/zakame/src/go/bin/docker-machine-driver-kvm
Launching plugin server for driver kvm
Plugin server listening at address 127.0.0.1:46441
() Calling .GetVersion
Using API Version  1
() Calling .SetConfigRaw
() Calling .GetMachineName
command=start machine=docker-machine-01
Starting "docker-machine-01"...
(docker-machine-01) Calling .GetState
(docker-machine-01) DBG | Getting current state...
(docker-machine-01) DBG | Fetching VM...
(docker-machine-01) Calling .Start
(docker-machine-01) DBG | Starting VM docker-machine-01
...
(docker-machine-01) DBG | GetIP called for docker-machine-01
(docker-machine-01) DBG | Failed to retrieve dnsmasq leases from /var/lib/libvirt/dnsmasq/docker-machines.leases
(docker-machine-01) DBG | IP address: 192.168.42.209
(docker-machine-01) DBG | Unable to locate IP address for MAC 52:54:00:99:e8:b0
(docker-machine-01) Calling .GetState
(docker-machine-01) DBG | Getting current state...
Machine "docker-machine-01" was started.
...
Started machines may have new IP addresses. You may need to re-run the `docker-machine env` command.
Making call to close driver server
(docker-machine-01) Calling .Close
Successfully made call to close driver server
Making call to close connection to plugin binary
[zakame:~] 40s % 

Will post a PR in a bit.
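Why a `drwx-----x` directory stops a process whose group is `users`, shown as an added example (not code from this thread or from the driver): the kernel consults exactly one permission class per lookup, so a member of the directory's group never falls through to the "other" bits. The numeric ids and the names `can_traverse` and `blocked_dirs` are hypothetical; only plain mode bits are modelled.

```python
import os
import stat

X_BIT = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}

def applicable_class(st_uid, st_gid, uid, gids):
    """Return the single permission class the kernel consults (first match wins)."""
    if uid == st_uid:
        return "owner"
    if st_gid in gids:
        return "group"   # group members never fall through to the "other" bits
    return "other"

def can_traverse(mode, st_uid, st_gid, uid, gids):
    """True if the identity has search (x) permission on a directory.
    Models plain mode bits only: no CAP_DAC_OVERRIDE, ACLs or LSM policy."""
    return bool(mode & X_BIT[applicable_class(st_uid, st_gid, uid, gids)])

def blocked_dirs(path, uid, gids):
    """Walk from the file's directory up to / and list directories that the
    identity cannot search, as (directory, mode string, class used)."""
    blocked = []
    d = os.path.dirname(os.path.realpath(path))
    while True:
        st = os.stat(d)
        if not can_traverse(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            cls = applicable_class(st.st_uid, st.st_gid, uid, gids)
            blocked.append((d, stat.filemode(st.st_mode), cls))
        parent = os.path.dirname(d)
        if parent == d:
            return blocked
        d = parent

# Constructed sample mirroring the listing above: drwx-----x owner:users.
# All numeric ids are hypothetical.
OWNER_UID, USERS_GID, QEMU_UID = 1000, 100, 77
BEFORE = stat.S_IFDIR | 0o701   # drwx-----x
AFTER = stat.S_IFDIR | 0o711    # drwx--x--x, i.e. after chmod g+x

if __name__ == "__main__":
    for label, mode in (("before", BEFORE), ("after", AFTER)):
        ok = can_traverse(mode, OWNER_UID, USERS_GID, QEMU_UID, {USERS_GID})
        print(label, stat.filemode(mode), "qemu in group users:", ok)
    # A process outside the group is served by the "other" bits instead.
    print("outside group:", can_traverse(BEFORE, OWNER_UID, USERS_GID, QEMU_UID, {QEMU_UID}))
```

To check a real path, call `blocked_dirs` with the disk image path and the uid and group ids the QEMU process runs with; an empty list means every parent directory is searchable for that identity.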

audriusk commented 6 years ago

Thanks for the fix @zakame and sorry for the long delay. I decided to go with (a slightly modified version of) it and submitted a build script to SlackBuilds.org, even though I'm not feeling comfortable changing the default behavior on directory permissions. Still think it's better than having a non-functional docker-machine-kvm on Slackware.

zakame commented 6 years ago

minikube's kvm2 driver also exhibits this issue.