文章【libvirt & qemu无需重启(在线)更改VNC密码】已于2019-02-17更新。 有两个方法,一个是通过libvirt的virDomainUpdateDeviceFlags接口,另一个是通过qemu-monitor。 以下把“DOMAIN_NAME”替换为虚拟机的名称,“YOU_NEW_VNC_PASSWORD”替换为你的新密码。 通过virDomainUpdateDeviceFlags接口 使用libvirt管理虚拟机的情况下,这个方法是首选,libvirt官方是不推荐使用了libvirt的情况下操纵qemu-monitor的。 首先编写VNC graphic的XML […]
分类:操作系统
qemu with pool/volume storage: Could not open ‘xxxxxxx’: Permission denied
volume信息:
|
1 2 3 4 |
# virsh vol-list test Name Path ------------------------------------------------------------------------------ test.qcow2 /virt/test.qcow2 |
虚拟机disk配置:
|
1 2 3 4 5 6 7 8 9 |
# virsh dumpxml Test ... <disk type='volume' device='disk'> <driver name='qemu' type='qcow2'/> <source pool='test' volume='test.qcow2'/> <target dev='vda' bus='virtio'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> </disk> ... |
启动虚拟机:
|
1 2 3 |
# virsh start Test error: Failed to start domain Test error: internal error: process exited while connecting to monitor: 2019-02-06T12:54:47.722297Z qemu-system-x86_64: -drive file=/virt/test.qcow2,format=qcow2,if=none,id=drive-virtio-disk0: Could not open '/virt/test.qcow2': Permission denied |
查看syslog:
|
1 2 3 4 |
# cat /var/log/syslog ... kernel: [ 6551.331932] audit: type=1400 audit(1549457961.800:209): apparmor="DENIED" operation="open" profile="libvirt-5831a051-78ee-43b4-a15d-6e520b1b3ab7" name="/virt/test.qcow2" pid=27204 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ... |
似乎没找比较好的方法解决此问题。 一个选择是弃用type=’volume’,改成type=’file’。 另一种选择是关闭apparmor:
|
1 2 3 4 5 |
# vim /etc/libvirt/qemu.conf ... security_driver = "none" ... # systemctl restart libvirtd |
&n […]
libvirtd: virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.
|
1 2 3 |
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found. Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found. Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate |
使用TLS连接libvirtd时,默认需要验证客户端是否拥有由CA签名的证书,详见libvirtd配置文件(/etc/libvirt/libvirtd.conf):
|
1 2 3 4 5 6 7 8 9 |
# Flag to disable verification of client certificates # # Client certificate verification is the primary authentication mechanism. # Any client which does not present a certificate signed by the CA # will be rejected. # # Default is to always verify. Uncommenting this will disable # verification - make sure an IP whitelist is set #tls_no_verify_certificate = 1 |
取消此行的注释即可关闭此验证(当然你得启用其它身份认证途径):
|
1 |
#tls_no_verify_certificate = 1 |
也可选择以让CA给客户端签发证书:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
# 自行修改CA私钥与证书的路径 CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem" CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem" # 客户端私钥,CSR,证书保存路径 PKI_PREFIX="/tmp/client_pki/" CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem" CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem" CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem" oldUmask=$(umask) umask 0077 mkdir -p ${PKI_PREFIX} # 生成客户端私钥 openssl genrsa -out ${CLIENT_PRIVATE_KEY_FILE_PATH} 2048 # 生成客户端CSR,根据自己需要自行修改subjects openssl req -new -key ${CLIENT_PRIVATE_KEY_FILE_PATH} -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out ${CLIENT_CSR_FILE_PATH} # CA通过CSR签发证书,根据需要自行修改有效期 openssl x509 -req -in ${CLIENT_CSR_FILE_PATH} -CA ${CA_CERTIFICATE_FILE_PATH} -CAkey ${CA_KEY_FILE_PATH} -CAcreateserial -out ${CLIENT_CERTIFICATE_FILE_PATH} -days 3650 # 把CA证书放进去 cat ${CA_CERTIFICATE_FILE_PATH} > ${PKI_PREFIX}/cacert.pem umask ${oldUmask} # 把${PKI_PREFIX}传送到客户端 # scp -r ${PKI_PREFIX} username@host:~/libvirt-server-pki |
完成上面的操作后,把整个${PKI_PRE […]
gnome-terminal: Error creating terminal: Timeout was reached
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
$ gnome-terminal --disable-factory # Error creating terminal: Timeout was reached $ tail /var/log/syslog Jan 9 15:11:32 mint dbus-daemon[1594]: [session uid=1000 pid=1594] Activating via systemd: service name='org.a11y.Bus' unit='at-spi-dbus-bus.service' requested by ':1.73' (uid=1000 pid=2265 comm="/usr/lib/gnome-terminal/gnome-terminal-server --ap" label="unconfined") Jan 9 15:11:32 mint systemd[1515]: Starting Accessibility services bus... Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:32 mint dbus-daemon[1594]: [session uid=1000 pid=1594] Successfully activated service 'org.a11y.Bus' Jan 9 15:11:32 mint systemd[1515]: Started Accessibility services bus. Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: dbus-daemon[2271]: Activating service name='org.a11y.atspi.Registry' requested by ':1.0' (uid=1000 pid=2265 comm="/usr/lib/gnome-terminal/gnome-terminal-server --ap" label="unconfined") Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:32 mint at-spi2-registr[2273]: Could not open X display Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: dbus-daemon[2271]: Successfully activated service 'org.a11y.atspi.Registry' Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:32 mint at-spi2-registr[2273]: AT-SPI: Cannot open default display Jan 9 15:11:32 mint dbus-daemon[1594]: [session uid=1000 pid=1594] Activating via systemd: service name='org.freedesktop.portal.Desktop' unit='xdg-desktop-portal.service' requested by ':1.75' (uid=1000 pid=2265 comm="/usr/lib/gnome-terminal/gnome-terminal-server --ap" label="unconfined") Jan 9 15:11:32 mint systemd[1515]: Starting Portal service... Jan 9 15:11:32 mint dbus-daemon[1594]: [session uid=1000 pid=1594] Activating via systemd: service name='org.freedesktop.portal.Documents' unit='xdg-document-portal.service' requested by ':1.77' (uid=1000 pid=2278 comm="/usr/lib/xdg-desktop-portal/xdg-desktop-portal " label="unconfined") Jan 9 15:11:32 mint systemd[1515]: Starting flatpak document portal service... Jan 9 15:11:32 mint dbus-daemon[1594]: [session uid=1000 pid=1594] Activating via systemd: service name='org.freedesktop.impl.portal.PermissionStore' unit='xdg-permission-store.service' requested by ':1.78' (uid=1000 pid=2282 comm="/usr/lib/xdg-desktop-portal/xdg-document-portal " label="unconfined") Jan 9 15:11:32 mint systemd[1515]: Starting sandboxed app permission store... Jan 9 15:11:32 mint dbus-daemon[1594]: [session uid=1000 pid=1594] Successfully activated service 'org.freedesktop.impl.portal.PermissionStore' Jan 9 15:11:32 mint systemd[1515]: Started sandboxed app permission store. Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: dbus-daemon[2271]: Activating service name='org.a11y.atspi.Registry' requested by ':1.2' (uid=1000 pid=2277 comm="/usr/bin/gnome-terminal.real --app-id com.canonica" label="unconfined") Jan 9 15:11:32 mint dbus-daemon[1594]: [session uid=1000 pid=1594] Successfully activated service 'org.freedesktop.portal.Documents' Jan 9 15:11:32 mint systemd[1515]: Started flatpak document portal service. Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:32 mint at-spi2-registr[2290]: Could not open X display Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: dbus-daemon[2271]: Successfully activated service 'org.a11y.atspi.Registry' Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry Jan 9 15:11:32 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:32 mint at-spi2-registr[2290]: AT-SPI: Cannot open default display Jan 9 15:11:32 mint dbus-daemon[1594]: [session uid=1000 pid=1594] Activating via systemd: service name='org.freedesktop.impl.portal.desktop.gtk' unit='xdg-desktop-portal-gtk.service' requested by ':1.77' (uid=1000 pid=2278 comm="/usr/lib/xdg-desktop-portal/xdg-desktop-portal " label="unconfined") Jan 9 15:11:32 mint systemd[1515]: Starting Portal service (GTK+/GNOME implementation)... Jan 9 15:11:32 mint xdg-desktop-portal-gtk[2306]: No protocol specified Jan 9 15:11:32 mint xdg-desktop-portal-gtk[2306]: Unable to init server: Could not connect: Connection refused Jan 9 15:11:32 mint [2306]: cannot open display: :0 Jan 9 15:11:32 mint systemd[1515]: xdg-desktop-portal-gtk.service: Main process exited, code=exited, status=1/FAILURE Jan 9 15:11:32 mint systemd[1515]: xdg-desktop-portal-gtk.service: Failed with result 'exit-code'. Jan 9 15:11:32 mint systemd[1515]: Failed to start Portal service (GTK+/GNOME implementation). Jan 9 15:11:57 mint xdg-desktop-por[2278]: Failed to create file chooser proxy: Error calling StartServiceByName for org.freedesktop.impl.portal.desktop.gtk: Timeout was reached Jan 9 15:11:57 mint xdg-desktop-por[2278]: g_dbus_interface_skeleton_set_flags: assertion 'G_IS_DBUS_INTERFACE_SKELETON (interface_)' failed Jan 9 15:11:57 mint xdg-desktop-por[2278]: invalid (NULL) pointer instance Jan 9 15:11:57 mint xdg-desktop-por[2278]: g_signal_connect_data: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed Jan 9 15:11:57 mint xdg-desktop-por[2278]: g_dbus_interface_skeleton_export: assertion 'G_IS_DBUS_INTERFACE_SKELETON (interface_)' failed Jan 9 15:11:57 mint kernel: [ 230.225288] show_signal_msg: 18 callbacks suppressed Jan 9 15:11:57 mint kernel: [ 230.225292] xdg-desktop-por[2278]: segfault at 8 ip 0000556bffa8c7c8 sp 00007ffe13916dd0 error 4 in xdg-desktop-portal[556bffa79000+7c000] Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: dbus-daemon[2271]: Activating service name='org.a11y.atspi.Registry' requested by ':1.0' (uid=1000 pid=2265 comm="/usr/lib/gnome-terminal/gnome-terminal-server --ap" label="unconfined") Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:57 mint at-spi2-registr[2312]: Could not open X display Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: dbus-daemon[2271]: Successfully activated service 'org.a11y.atspi.Registry' Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:57 mint at-spi2-registr[2312]: AT-SPI: Cannot open default display Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: dbus-daemon[2271]: Activating service name='org.a11y.atspi.Registry' requested by ':1.0' (uid=1000 pid=2265 comm="/usr/lib/gnome-terminal/gnome-terminal-server --ap" label="unconfined") Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:57 mint at-spi2-registr[2314]: Could not open X display Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: dbus-daemon[2271]: Successfully activated service 'org.a11y.atspi.Registry' Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry Jan 9 15:11:57 mint at-spi-bus-launcher[2266]: No protocol specified Jan 9 15:11:57 mint at-spi2-registr[2314]: AT-SPI: Cannot open default display Jan 9 15:11:57 mint systemd[1515]: xdg-desktop-portal.service: Main process exited, code=dumped, status=11/SEGV Jan 9 15:11:57 mint systemd[1515]: xdg-desktop-portal.service: Failed with result 'core-dump'. Jan 9 15:11:57 mint systemd[1515]: Failed to start Portal service. |
Fix:
|
1 2 |
$ dbus-update-activation-environment --systemd DBUS_SESSION_BUS_ADDRESS DISPLAY XAUTHORITY $ gnome-terminal --disable-factory |
References: Gnome applications slow start due to failing services
Cygwin/X X Server TCP direct connection
网络上大都是SSH X11 Forward的资料,鲜有Client直连Server的,某些环境下,还是希望能直接一点。 安装Cygwin/X 首先要安装Cygwin/X,具体步骤,官方文档已经写得很清楚了:Installing Cygwin/X。 启动Cygwin/X X Server Cygwin/X X Server默认仅监听Unix Socket,非本地的Client连接需要启用TCP协议,加入启动参数”-listen tcp”即可,详见官方文档:xserver-nolisten-tcp-default。 可以通过修改快捷方式XWin Server加入该启动参数: […]