terraform debian qemu kvm

How can I ensure fitting user rights for a .qcow2 file in my Terraform implementation?


I have a Debian-based KVM/QEMU installation and want to deploy a virtual machine via Terraform.

provider "libvirt" {
  uri = "qemu:///system" # connection to the local QEMU instance
}

resource "libvirt_volume" "debian_image" {
  name = "debian.qcow2"
  pool = "default" # name of the storage pool
  #source      = "https://cdimage.debian.org/cdimage/openstack/current/debian-10-openstack-amd64.qcow2"
  source = "https://cloud.debian.org/images/cloud/bullseye/20230912-1501/debian-11-nocloud-ppc64el-20230912-1501.qcow2"
  format = "qcow2"
  #content_type = "raw"
}

resource "libvirt_domain" "debian_vm" {
  name   = "debian-vm"
  memory = "2048"
  vcpu   = 2

  disk {
    volume_id = libvirt_volume.debian_image.id
  }

  network_interface {
    network_name = "testbed_network" # name of the virtual network
  }
}

resource "libvirt_network" "testbed_network" {
  # the name used by libvirt
  name = "testbed_network"

  # mode can be: "nat" (default), "none", "route", "open", "bridge"
  mode = "nat"

  #  the domain used by the DNS server in this network
  domain = "debian_vm"

  #  list of subnets the addresses allowed for domains connected
  # also derived to define the host addresses
  # also derived to define the addresses served by the DHCP server
  addresses = ["192.168.0.0/24"]

  # (optional) the bridge device defines the name of a bridge device
  # which will be used to construct the virtual network.
  # (only necessary in "bridge" mode)
  # bridge = "br7"

  # (optional) the MTU for the network. If not supplied, the underlying device's
  # default is used (usually 1500)
  # mtu = 9000
}

But unfortunately I run into this error:

Error: error creating libvirt domain: internal error: qemu unexpectedly closed the monitor: 2023-09-25T08:04:58.118075Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/libvirt/images/debian.qcow2","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/libvirt/images/debian.qcow2': Permission denied
│ 
│   with libvirt_domain.debian_vm,
│   on maint.tf line 14, in resource "libvirt_domain" "debian_vm":
│   14: resource "libvirt_domain" "debian_vm" {

I do not understand how a file that was downloaded by this process can have an unfitting user rights config for the same process. Which user needs to be enabled and where (user group, config file...)?

I tried to run this main.tf with a fitting providers.tf on the system. Please help me fix this problem.


Solution

  • This is your error:

    Could not open '/var/lib/libvirt/images/debian.qcow2': Permission denied

    This is not a Terraform issue, but an issue with the configuration of your OS and KVM pool.

    resource "libvirt_volume" "debian_image" {
    ...
    pool = "default"
    

    You have configured it to use the default pool, and, looking at your error, it points to "/var/lib/libvirt/images/". You can confirm this with the command: sudo virsh pool-dumpxml default.

    The user that executes the Terraform config does not have sufficient permission to write to this directory.

    Depending on what OS distro you are running, there are various ways to fix this.

    a. If your KVM host is Ubuntu, you can adjust the AppArmor settings.

    b. You can run Terraform as root, but it is not good practice.

    c. Create another pool with Terraform; see libvirt_pool in the Terraform docs.

    d. Check the group ownership of the images directory: stat -c "%G" /var/lib/libvirt/images. If it is not "root", add yourself to this group (i.e. with the usermod command), log in again and try running Terraform again.

    If the /var/lib/libvirt/images/ dir belongs to the "root" group, you can try changing its group ownership to the "libvirt-qemu" group and adding yourself to that group, but do it at your own risk, and if it is a production server, you might want to test on another server first.
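
The ownership check from option d, extended to every directory on the way to the image, as an added example that is not part of the original answer: it reports the first path component whose mode bits deny a given account, which shows where a group or mode change is actually needed. The function names and the script name `check.sh` are hypothetical, and `libvirt-qemu` as the account to test is an assumption.

```shell
#!/bin/sh
# Added example. Reports the first path component whose owner/group/other mode
# bits deny a given uid: directories need search (x), the image needs read (r).
# ACLs, AppArmor/SELinux and root's permission override are NOT evaluated.

# perm_bits UID "GID GID ..." PATH -> prints the rwx digit (0-7) that applies
perm_bits() {
    pb_uid=$1; pb_gids=$2
    pb_info=$(stat -c '%a %u %g' "$3") || return 2
    set -- $pb_info                      # $1=octal mode  $2=owner uid  $3=gid
    pb_mode=$((0$1))                     # leading 0: parse as octal
    if [ "$pb_uid" -eq "$2" ]; then
        echo $(( (pb_mode >> 6) & 7 )); return 0     # owner class
    fi
    for pb_g in $pb_gids; do
        if [ "$pb_g" -eq "$3" ]; then
            echo $(( (pb_mode >> 3) & 7 )); return 0 # group class
        fi
    done
    echo $(( pb_mode & 7 ))                          # other class
}

# first_blocker UID "GIDS" FILE -> prints the blocking component, returns 1;
# returns 0 if every component passes, 2 if a component cannot be inspected.
first_blocker() {
    fb_p=$(readlink -f "$3") || return 2
    fb_list=$fb_p
    while [ "$fb_p" != "/" ]; do         # collect /, /var, /var/lib, ...
        fb_p=$(dirname "$fb_p")
        fb_list="$fb_p
$fb_list"
    done
    while IFS= read -r fb_c; do
        fb_bits=$(perm_bits "$1" "$2" "$fb_c") || return 2
        if [ -d "$fb_c" ]; then fb_need=1; else fb_need=4; fi
        if [ $(( fb_bits & fb_need )) -eq 0 ]; then
            echo "$fb_c"; return 1
        fi
    done <<EOF
$fb_list
EOF
    return 0
}

# Usage, as root: sh check.sh libvirt-qemu /var/lib/libvirt/images/debian.qcow2
# "libvirt-qemu" is an assumption; pass the account your QEMU processes run as.
if [ $# -eq 2 ]; then
    first_blocker "$(id -u "$1")" "$(id -G "$1")" "$2"
fi
```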