I recently upgraded my laptop hard drive and decided to move all the virtual disk files of my virtual machines to my home directory.

However, when trying to run the VM, an error notification appeared:

Error starting domain: internal error process exited while connecting to monitor: Warning: option deprecated, use lost_tick_policy property of kvm-pit instead.
kvm: -drive file=/home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2,if=none,id=drive-ide0-0-0,format=raw,cache=writeback: could not open disk image /home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2: Permission denied

The Details section of that dialog showed me where the error was occurring:

Traceback (most recent call last):
 File "/usr/share/virt-manager/virtManager/asyncjob.py", line 45, in cb_wrapper
 callback(asyncjob, *args, **kwargs)
 File "/usr/share/virt-manager/virtManager/asyncjob.py", line 66, in tmpcb
 callback(*args, **kwargs)
 File "/usr/share/virt-manager/virtManager/domain.py", line 1114, in startup
 self._backend.create()
 File "/usr/lib/python2.7/dist-packages/libvirt.py", line 620, in create
 if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error process exited while connecting to monitor: Warning: option deprecated, use lost_tick_policy property of kvm-pit instead.
kvm: -drive file=/home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2,if=none,id=drive-ide0-0-0,format=raw,cache=writeback: could not open disk image /home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2: Permission denied

… or, at least, that’s what I hoped.  Except it didn’t.

For a long time, I played around with permissions on the virtual disk image itself, the directory containing it, and further back/up until reaching ~.  None of it helped.

Then I stumbled upon this libvirt bug report.  Comment #6 by Cole Robinson was what I needed:

“What virt-manager typically offers to do is use ACLs to allow the ‘qemu’ user search permissions on your home dir, which is all it should need and is fairly safe and restrictive.”

In order to check and set this, you’ll need to use the File Access Control utilities – getfacl and setfacl:

# cd /home

My home is “sd”

# getfacl sd

# file: sd
# owner: sd
# group: sd
user::rwx
user:root:--x
user:www-data:r-x
group::r-x
group:www-data:r-x
mask::r-x
other::---

The reason I have www-data with read and execute permissions is that I do web development and testing, and I also keep all my web-dev files in ~ too.  This just makes my system more “portable”, safer to upgrade and/or easier to migrate to a different Linux.

To set the required permission for libvirt / qemu, you just issue this one liner:

# setfacl -m u:libvirt-qemu:r-x sd

.. substituting sd for your own ~ directory name.

setfacl (set file access control) takes three main arguments:

• the action – in this case, -m means “modify” the ACL;
• the data to apply, colon-separated: here we specify it’s a user (u) who is libvirt-qemu, and the permissions we want to allow are read and execute (r-x).
• finally, we specify which files or folders ACL should be modified – in this case, my home (sd).

After this, my virtual machine runs up perfectly.

This is relevant for Crunchbang and other Debian-related distros.  For Fedora/CentOS, I believe the user should be qemu.