Solving “Permission Denied” Error When Using ISO File with virt-install in Fedora



The error message you're encountering indicates QEMU cannot access the ISO file, despite you running the command as root. This typically stems from libvirt/QEMU's permission model rather than filesystem permissions.

Looking at your configuration:
- You're using Fedora 25 as the host OS
- SELinux isn't interfering (as you've confirmed)
- The error occurs during ISO file access
- Standard permissions appear correct (since root can access the file)

1. Adjust libvirt/QEMU User Context

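The default libvirt configuration runs QEMU as the qemu:qemu user/group. To run it as root instead, modify /etc/libvirt/qemu.conf. With this setting every QEMU process runs with root privileges on the host, so a compromised guest process is no longer confined to the qemu account: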

user = "root"
group = "root"
dynamic_ownership = 0

Then restart libvirtd:

systemctl restart libvirtd

2. Alternative Approach Using --cdrom Instead of --location

For ISO installations, --cdrom is often more reliable:

# --extra-args is only accepted together with --location, so it is left out here
virt-install \
--name theta-1 \
--ram 8000 \
--disk path=/dev/vg/t1.img \
--vcpus 8 \
--os-type linux \
--os-variant fedora25 \
--network bridge=br0 \
--graphics none \
--console pty,target_type=serial \
--cdrom=/home/user/Fedora-Server-dvd-x86_64-25-1.3.iso

3. Verify AppArmor/SELinux Context

Even if SELinux isn't blocking, ensure proper context:

chcon -t virt_content_t /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso
restorecon -v /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso

Checking Current Permissions

namei -l /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso
ls -lZ /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso
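
The namei -l listing above has to be read one component at a time from the qemu account's point of view. The following added example (not part of the original article) automates that reading: it walks the path and reports the first component whose mode bits deny a given uid/gid. The function names are hypothetical, and the check is limited to classic mode bits.

```shell
#!/bin/sh
# Added example, not from the original article. Requires GNU stat.
# Only classic mode bits are evaluated: ACLs, supplementary groups and
# SELinux labels are ignored, and "/" itself is assumed traversable.

# may_access MODE OWNER GROUP UID GID BIT
# Status 0 if UID/GID is granted BIT (4 = read, 1 = search) by MODE.
may_access() {
    perms=$(( 0$1 ))                      # stat prints the mode in octal
    if [ "$4" -eq "$2" ]; then
        class=$(( (perms >> 6) & 7 ))     # owner bits
    elif [ "$5" -eq "$3" ]; then
        class=$(( (perms >> 3) & 7 ))     # group bits
    else
        class=$(( perms & 7 ))            # other bits
    fi
    [ $(( class & $6 )) -ne 0 ]
}

# first_blocked PATH UID GID
# Prints the first component of absolute PATH that denies UID/GID (search on
# directories, read on the final file) and returns 1; returns 0 if none does.
first_blocked() {
    rest=${1#/} uid=$2 gid=$3 cur=""
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        case $rest in
            */*) rest=${rest#*/}; need=1 ;;   # intermediate directory
            *)   rest="";         need=4 ;;   # final component (the ISO)
        esac
        info=$(stat -L -c '%a %u %g' "$cur") || return 2
        set -- $info
        may_access "$1" "$2" "$3" "$uid" "$gid" "$need" || { echo "$cur"; return 1; }
    done
    return 0
}

# Usage on the host from the article (the qemu account must exist):
# first_blocked /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso "$(id -u qemu)" "$(id -g qemu)"
```

An empty result only rules out mode bits; the sudo -u qemu test below remains the authoritative check because it also exercises ACLs and SELinux.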

Testing QEMU Access Directly

sudo -u qemu qemu-img info /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso

For production environments, consider these best practices:

1. Dedicated Storage Location

Create a directory specifically for ISO storage:

mkdir -p /var/lib/libvirt/isos
chown root:qemu /var/lib/libvirt/isos
chmod 750 /var/lib/libvirt/isos

2. Filesystem ACLs

Add specific access control:

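# Read access to the ISO itself
setfacl -m u:qemu:r /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso
# The qemu user also needs search (x) permission on the parent directory to reach the file
setfacl -m u:qemu:x /home/user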

3. Alternative virt-install Syntax

Pointing --location at a network install tree, so that virt-install fetches the kernel and initrd directly and no local ISO has to be opened:

virt-install \
--name theta-1 \
--ram 8000 \
--disk path=/dev/vg/t1.img \
--vcpus 8 \
--os-type linux \
--os-variant fedora25 \
--network bridge=br0 \
--graphics none \
--console pty,target_type=serial \
--location=http://mirror.example.com/fedora/releases/25/Server/x86_64/os \
--extra-args 'console=ttyS0,115200n8 serial'

When attempting to create a Fedora Server VM using virt-install with an ISO location, many users encounter the frustrating "Permission denied" error despite having root privileges. The error typically appears as:

ERROR internal error: qemu unexpectedly closed the monitor: 
qemu-system-x86_64: Could not open '/path/to/iso': Permission denied

The root cause lies in how libvirt/QEMU processes access files through the virtualization stack. Even when running as root, the QEMU process typically drops privileges and runs as a restricted user (often qemu:qemu). This security measure prevents direct access to files outside designated directories.

Method 1: Change File Ownership

The simplest solution is to make the ISO accessible to the QEMU user:

chown qemu:qemu /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso
chmod 644 /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso

Method 2: Use the Correct Storage Location

Move the ISO to libvirt's default storage pool location:

mv /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso /var/lib/libvirt/images/
virt-install --location=/var/lib/libvirt/images/Fedora-Server-dvd-x86_64-25-1.3.iso ...

Method 3: Adjust SELinux Context

For systems with SELinux enabled (default on Fedora):

chcon -t virt_content_t /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso

When all else fails, using --cdrom instead of --location often works better for ISO files:

# --extra-args is only accepted together with --location, so it is left out here
virt-install \
--name theta-1 \
--ram 8000 \
--disk path=/dev/vg/t1.img \
--vcpus 8 \
--os-type linux \
--os-variant fedora25 \
--network bridge=br0 \
--graphics none \
--console pty,target_type=serial \
--cdrom=/home/user/Fedora-Server-dvd-x86_64-25-1.3.iso

Check the actual permissions being enforced:

namei -l /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso
ls -lZ /home/user/Fedora-Server-dvd-x86_64-25-1.3.iso

Monitor libvirt logs in real-time during installation attempts:

journalctl -f -u libvirtd