I cannot open any virtual machines in GNOME Boxes. I have tried both a Windows 7 one, and a Parabola one. I can create them, but when I actually try to open them, I get the message that it failed to open it. I also tried running it in the command line, but the program never opens (even though the process starts in the background, and takes up 25-30% of my CPU). All my packages are up-to-date, using sudo apt update && sudo apt upgrade, and I have tried in both the Wayland and Xorg sessions. I have also rebooted the Librem 13v2 several times. GNOME Boxes is currently at version 3.26.2.
| Status | Assigned | Task |
|---|---|---|
| Resolved | chris.lamb | T292 GNOME Boxes won't run any virtual machines |
| Resolved | mak | T447 Please add "kvm" to the list of default groups |
| Duplicate | None | T715 GNOME Boxes: "User is not in kvm group" error on startup |
Also experiencing this issue - can't start any VM from a known good ISO. Running PureOS OEM image, gnome-boxes is 3.26.2 - issue persists across multiple DEs and reboots.
When invoked from the terminal, failure to start VM outputs:
(gnome-boxes:4756): Boxes-WARNING **: machine.vala:611: Failed to start Ubuntu 16.04: Unable to start domain: unsupported configuration: CPU mode 'custom' for x86_64 kvm domain on x86_64 host is not supported by hypervisor
Invoking "gnome-boxes --checks" outputs:
(gnome-boxes:4696): Boxes-WARNING **: util-app.vala:250: Failed to execute child process “restorecon” (No such file or directory)
• The CPU is capable of virtualization: yes
• The KVM module is loaded: yes
• Libvirt KVM guest available: yes
• Boxes storage pool available: yes
• The SELinux context is default: no
Possibly related to T320.
EDIT: I can create and run VMs fine in virt-manager, as well as import them into gnome-boxes. Boxes fails to start the known good VM, same errors. virsh dumpxml for the imported VM:
<domain type='kvm'>
  <name>generic</name>
  <uuid>3be55eb6-16dc-4339-99d0-f02702019d1b</uuid>
  <title>generic</title>
  <metadata>
    <boxes:gnome-boxes xmlns:boxes="https://wiki.gnome.org/Apps/Boxes">
      <os-state>installed</os-state>
      <media>/var/lib/libvirt/images/generic.qcow2</media>
    </boxes:gnome-boxes>
  </metadata>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.11'>hvm</type>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='writeback'/>
      <source file='/home/jwolf/.local/share/gnome-boxes/images/generic'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <boot order='1'/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <interface type='user'>
      <mac address='52:54:00:6d:80:04'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spiceport'>
      <source channel='org.spice-space.webdav.0'/>
      <target type='virtio' name='org.spice-space.webdav.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice'>
      <listen type='none'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='1'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </memballoon>
  </devices>
</domain>
I think we could do two things here:
- Patch gnome-boxes to show a brief warning if the current user is not part of the kvm group (at some point, probably startup) and show them the "sudo adduser $(whoami)" and then ask them to log out and log back in (reboot not required). We should not run it and it wouldn't work even if we did due to the logging-out requirement.
- (optional) Ensure that new installations of PureOS have. I think this is the defaultGroups setting in calamares, so pinging @mak here.
What we can't reliably do in PureOS is add existing users to this group AIUI.
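A startup check of the kind proposed in the comment above, as an added example that is not part of the original thread or of gnome-boxes. It only reports and never modifies group membership, and it separates "not in the group" from "in the group but the session predates the change". The function names are hypothetical, and it assumes GNU `stat` and Debian's `adduser USER GROUP`.

```shell
#!/bin/sh
# Added example (not gnome-boxes code): report, never change, the user's access to /dev/kvm.
# Function names are hypothetical; assumes GNU stat and Debian's adduser.

# has_group GROUP "LIST": succeed if GROUP is a whole word in the space-separated LIST.
has_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_kvm_access DEV_GROUP SESSION_GROUPS ACCOUNT_GROUPS
#   ok           the running session already carries the device's group
#   relogin      the account has the group, but this login session predates the change
#   not-in-group the administrator has not granted the group
classify_kvm_access() {
    if has_group "$1" "$2"; then echo ok
    elif has_group "$1" "$3"; then echo relogin
    else echo not-in-group
    fi
}

# kvm_access_status DEVICE USER: gather live values and classify them.
kvm_access_status() {
    [ -e "$1" ] || { echo no-device; return 0; }
    dev_group=$(stat -c %G "$1")   # group owning the device node, normally "kvm"
    # `id -Gn` without a name reports the running process's groups;
    # with a name it reads the account database, which may be newer.
    classify_kvm_access "$dev_group" "$(id -Gn)" "$(id -Gn "$2")"
}

# kvm_access_hint STATUS USER: the message a startup warning could show.
kvm_access_hint() {
    case $1 in
        ok)           echo "KVM access is available." ;;
        relogin)      echo "Log out and back in to pick up the new group." ;;
        not-in-group) echo "Ask an administrator to run: sudo adduser $2 kvm" ;;
        no-device)    echo "No KVM device node found; is the module loaded?" ;;
    esac
}

me=$(id -un 2>/dev/null || echo unknown)
kvm_access_hint "$(kvm_access_status /dev/kvm "$me")" "$me"
```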
@chris.lamb Ah, I missed the first highlight.
Does adding a user to the kvm group imply any "weaker" security? If not, we can add new users created in the installer to the kvm group, but we likely will have to do that globally, so not only users created by Calamares are in the kvm group by default, but also new users created by our OEM setup wizard.
@chris.lamb Modifying the groups of existing users is evil(tm), and just like writing into $HOME, I don't think we should do that.
Instead, GNOME Boxes could maybe show a nicer error message, so users can add themselves to the group explicitly if they want to.
The groups in which users are is a choice of the administrator who might have intentionally left them out of the kvm group, and we shouldn't change that automatically for every user via a package.
@chris.lamb Obviously IMO no package should do this, but purely academically: The seed packages are inadequate, because they are purely metapackages - their purpose is to pull in other packages that make the actual changes and can be removed individually. We would need a package that is on every system though, and one that actually already influences the behavior of users and groups.
The only package that fits this would be the base-files package, because that one already sets group and path defaults and also is on every system.
Alternatively, the gnome-boxes package could do this, but it would be very unexpected for users to see that the group configuration they have set changes for all users due to installing a package.
In any case, I really don't think this is something we should do ^^ - we should address this for new installations and/or newly created users though.
Jup, we are in agreement - and you did say "academically", so I never thought you actually wanted to make that change. But I wanted to make absolutely sure that I was just brainstorming here and had no actual intention of modifying users' group settings in a package - sorry for the confusion :-)
I have added my user to the kvm group but when restarting libvirtd, I got the following error:
virFirewallValidateBackend:193 : direct firewall backend requested, but /sbin/ebtables is not available: No such file or directory
So I installed ebtables from apt but now I get the following error:
virGetUserID:1045 : invalid argument: Failed to parse user 'libvirt-qemu'
@guido told me that QEMU was updated on Debian so I will wait for that to get to PureOS and update the issue.