Booting EFI VMs

When working with EFI VMs, we need to provide a section in XML config similar to this one:

<os firmware='efi'>
  <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
</os>

This will in turn create a VARS file in /var/lib/libvirt/qemu/nvram/.
However, since OpenNebula sets dynamic_ownership to 0 in /etc/libvirt/qemu.conf, the file is unreadable and the VM can’t be booted.
The error shown in the VM’s log is:

Wed Jul 31 16:51:45 2019 [Z0][VMM][I]: error: internal error: process exited while connecting to monitor: 2019-07-31T14:51:45.160555Z qemu-system-x86_64: -drive file=/var/lib/libvirt/qemu/nvram/one-1934_VARS.fd,if=pflash,format=raw,unit=1: Could not open '/var/lib/libvirt/qemu/nvram/one-1934_VARS.fd': Permission denied

Manually changing ownership from root:root to oneadmin makes the VM bootable.
Changing dynamic_ownership to 1 makes the VM bootable every time without manual actions.

We definitely don’t want to change ownership every time a VM is booted (or a new one is created).

However, since OpenNebula changes the default value of dynamic_ownership, we’re reluctant to revert it.

Can someone please explain how to properly handle this situation?
Also, if it is not supported and we have to enable dynamic_ownership, what would be the impact of this?

Versions of the related components and OS (frontend, hypervisors, VMs):
OpenNebula 5.8.1
Ubuntu 18.04

Steps to reproduce:
Create a template that contains the XML changes necessary for EFI.
Instantiate such a template.

Current results:
Deployment fails due to bad permissions on VARS file.

Expected results:
Deployment succeeds.


I’d like to get an answer to this as well.


After stumbling on the same issue, I’ve ended up using /var/lib/one/datastores/xxx/ovmf/vms-nvram/

But I’m using deploy tools that alter the template before start, which generates:

<loader readonly="yes" type="pflash">/var/lib/one/datastores/xxx/ovmf/OVMF_CODE-pure-efi.fd</loader>
<nvram>/var/lib/one/datastores/xxx/ovmf/vms-nvram/one-176-OVMF_VARS-pure-efi.fd</nvram>

The end result is that the vars are not on the local drive, but each VM has its own file on the datastore. Also, I’m free to use whatever version I want instead of the one that comes with the distro.
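The check and the template rewrite described in this thread, as an added example that is not part of any post or of OpenNebula’s own tooling: it reads the effective dynamic_ownership from qemu.conf text, flags a domain XML whose VARS file would be auto-created under /var/lib/libvirt/qemu/nvram/ with that setting at 0, and rewrites the <os> section to the per-VM datastore layout shown above. The datastore path (with "xxx" as a stand-in for the datastore id) and the OVMF file names are taken from the post and are assumptions about your deployment.

```python
import re
import xml.etree.ElementTree as ET

LIBVIRT_NVRAM_DIR = "/var/lib/libvirt/qemu/nvram"
# assumption: datastore layout from the post above; "xxx" stands for the datastore id
DATASTORE_OVMF = "/var/lib/one/datastores/xxx/ovmf"

def dynamic_ownership(qemu_conf: str) -> int:
    """Effective dynamic_ownership from qemu.conf text (libvirt defaults
    to 1 when the key is absent or commented out)."""
    value = 1
    for line in qemu_conf.splitlines():
        m = re.match(r"\s*dynamic_ownership\s*=\s*(\d+)", line)
        if m:
            value = int(m.group(1))  # last uncommented assignment wins
    return value

def nvram_path(domain_xml: str) -> "str | None":
    os_el = ET.fromstring(domain_xml).find("os")
    nvram = None if os_el is None else os_el.find("nvram")
    return nvram.text if nvram is not None else None

def needs_datastore_nvram(domain_xml: str, qemu_conf: str) -> bool:
    """True when libvirt would auto-create the VARS file under its own nvram
    dir (root-owned) while being told not to chown it: the thread's failure."""
    path = nvram_path(domain_xml)
    in_libvirt_dir = path is None or path.startswith(LIBVIRT_NVRAM_DIR + "/")
    return in_libvirt_dir and dynamic_ownership(qemu_conf) == 0

def add_datastore_nvram(domain_xml: str, vm_id: int, ovmf_dir: str = DATASTORE_OVMF) -> str:
    """Rewrite <os> so this VM gets its own VARS file on the datastore."""
    root = ET.fromstring(domain_xml)
    os_el = root.find("os")
    loader = None if os_el is None else os_el.find("loader")
    if loader is None or loader.get("type") != "pflash":
        raise ValueError("EFI boot needs <os><loader type='pflash'>")
    loader.text = f"{ovmf_dir}/OVMF_CODE-pure-efi.fd"
    nvram = os_el.find("nvram")
    if nvram is None:
        nvram = ET.SubElement(os_el, "nvram")
    nvram.text = f"{ovmf_dir}/vms-nvram/one-{vm_id}-OVMF_VARS-pure-efi.fd"
    return ET.tostring(root, encoding="unicode")

# constructed sample input mirroring the thread's <os> section and qemu.conf
SAMPLE_XML = ("<domain type='kvm'><os firmware='efi'><loader readonly='yes' "
              "type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader></os></domain>")
SAMPLE_CONF = "# dynamic_ownership = 1\ndynamic_ownership = 0\n"
```

The VARS file at the rewritten path still has to exist and be owned by oneadmin on the datastore; the rewrite only stops libvirt from creating a root-owned copy under its own nvram directory.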

Guys, I’ve created an issue to include support for this natively:
