Unable to share folder with virt-manager/qemu

I’m trying to share a folder between my Fedora 30 host and my Windows 10 guest using virt-manager. I’ve created a folder in my home directory for this purpose, but I can’t start my VM with the folder mounted.

In virt-manager, I added a Filesystem with Type “mount,” Driver “Default,” and Mode “Passthrough.” I’ve set the source path and my target path is E: (nothing exists here on the VM, but Windows should see this as a removable disk). When I try to start the VM, I get an error:

Error starting domain: internal error: process exited while connecting to monitor: 2019-07-19T17:09:52.542881Z qemu-system-x86_64: -device virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=E:,bus=pci.4,addr=0x0: cannot initialize fsdev 'fsdev-fs0': failed to open '/home/bob323/libvirt-shared': Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 66, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1420, in startup
    self._backend.create()
  File "/usr/lib64/python3.7/site-packages/libvirt.py", line 1089, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirt.libvirtError: internal error: process exited while connecting to monitor: 2019-07-19T17:09:52.542881Z qemu-system-x86_64: -device virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=E:,bus=pci.4,addr=0x0: cannot initialize fsdev 'fsdev-fs0': failed to open '/home/bob323/libvirt-shared': Permission denied

I’ve tried adding my user to the libvirt group, editing /etc/libvirt/qemu.conf so that the VM runs with user “qemu” and group “libvirt,” changing the owner of the folder to qemu:libvirt, and finally setting the permissions on the folder wide open with chmod 777, but none of these helps. How can I share a folder through virt-manager?

I bet that it is an SELinux related issue.
Sorry I can’t be more precise right now.
But look at this article, for instance, in order to identify an eventual SELinux alert: https://fedoramagazine.org/troubleshooting-selinux/

As it turns out, the permissions issue was caused by SELinux. Thanks for the article.
Even after solving the permissions issue, though, I’m unable to share the folder. The VM will now start correctly, but Windows doesn’t recognize any of the drivers provided with the Fedora VirtIO Windows Guest package. I’ve got the iso mounted on the guest, but in Device Manager when I select “Browse my computer for drivers” on the unknown PCI device it takes about half a second to determine that none of those drivers will work.

While troubleshooting I also tried creating a Samba server on my computer to use from the VM, but I’m unable to connect to it from within the VM.

Sorry again, I managed to share a folder some time ago, but I can’t be more precise right now.

Did you open the firewall to allow samba traffic on your computer?

Make sure you have marked the checkbox to search for drivers recursively.
Also in some cases you have to cancel the automatic search and select the driver file manually.

@alciregi I was missing that, but that was only part of the problem. It looks like there’s a lot to configure in the Samba configuration file. I’ve got it to where I can at least see the Samba share from the guest, but I can’t get access to it. Since it’s a local share and I’ve restricted it to only the lo and virbr0 interfaces, I’d like to allow access without a password. But even with map to guest = Bad Password in the global parameters and guest ok = Yes in the share configuration, it still won’t even let me try to log in. Do I have to create a dummy user even if I don’t intend to use it?

@vgaetera I did have that box checked. Maybe manual selection is the way to go for a directly shared folder.

Samba share requires proper SELinux context and recursive permissions as mentioned here.

My feelings exactly. I’ve still got SELinux disabled while setting this up, but even setting the context correctly didn’t fix anything. Here’s my smb.conf:

[global]
        workgroup = SAMBA
        security = user
        map to guest = Bad User

        passdb backend = tdbsam
        printing = cups
        printcap name = cups

        interfaces = lo virbr0
        bind interfaces only = true
        guest account = nobody

[printers]
        path = /var/spool/samba
        printable = yes
        browseable = no

[LinuxHost]
        comment = Host SAMBA Server for VM
        path = /home/bob323/libvirt-shared
        guest ok = yes
        force user = nobody
        force group = nobody
        directory mask = 777
        writable = yes
        read only = no
        create mode = 0777
        directory mode = 0777

I’ve got a folder in my home directory called “libvirt-shared” with permissions set to 777, owned by the “nobody” user and “nobody” group. I’ve run smbpasswd -a nobody and set a password for the user (it wouldn’t let me create the user without a password). I’ve even gone through the steps in that linked post a second time.

ls -l -d -Z /{,home/{,bob323/{,libvirt-shared}}}

Post the output.

@bob323, from a cursory search it looks like there’s an option to easily share any folder as a Samba share with “built-in samba” – i.e. without configuring a Samba server on your host system – in qemu/kvm, but sadly it’s not implemented in the virt-manager GUI.

This three-post thread on Arch Linux forums summarizes it nicely.

Just so you know there’s an alternative approach.

And one more way – maybe more complicated, but compatible with virt-manager – is described here:

I’ve encountered a comment that this way isn’t recommended for transferring large files though (but with no explanation as to why).

One more tip on configuring a Samba server on your host machine. You should check that your guest machine is able to communicate with your host, and for this you need to have a proper network configuration in virt-manager.

Also make sure the firewall on the host machine isn’t blocking requests from your guest machine on the proper network interface. Usually, virt-manager will create a new virtual network interface for communicating with guests, so firewall rules for your main network interface won’t automatically apply to it.

dr-xr-xr-x. 20 root       root       system_u:object_r:root_t:s0              4096 Jul 22 11:46 /
drwxr-xr-x.  4 root       root       system_u:object_r:home_root_t:s0         4096 May  3 12:20 /home/
drwx--x---+ 41 bob323     bob323     unconfined_u:object_r:user_home_dir_t:s0 4096 Jul 23 10:20 /home/bob323/
drwxr-xr-x.  2 nobody     nobody     unconfined_u:object_r:samba_share_t:s0   4096 Jul 19 15:26 /home/bob323/libvirt-shared

getfacl $HOME
getfacl: Removing leading '/' from absolute path names
# file: home/bob323
# owner: bob323
# group: bob323
user::rwx
user:qemu:--x
group::---
mask::--x
other::---

setfacl --modify="user:nobody:X,group:nobody:X" $HOME

If that doesn’t help, then:

setfacl --remove-all $HOME
chmod 755 $HOME
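
Why either command unblocks the share, as an added example (not code from the thread or from any project it mentions): a small Python model of the acl(5) access check, run over the `getfacl $HOME` output posted above. The two "after" ACLs are constructed from the `setfacl` and `chmod` commands, and the function names are illustrative.

```python
def parse_getfacl(text):
    """Parse getfacl output into owner/group names and ACL entries."""
    acl = {"owner": None, "group": None, "entries": {}}
    for line in text.splitlines():
        line = line.split("#effective")[0].strip()
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
        elif line and not line.startswith("#"):
            tag, name, perms = line.split(":")
            acl["entries"][(tag, name)] = perms   # name "" = owning user/group
    return acl

def may(acl, user, groups, want="x"):
    """acl(5) access check: the first matching class decides."""
    e = acl["entries"]
    mask = e.get(("mask", ""))
    def masked(perms):  # named users and group entries are capped by mask
        return want in perms and (mask is None or want in mask)
    if user == acl["owner"]:
        return want in e[("user", "")]            # owner entry is never masked
    if ("user", user) in e:
        return masked(e[("user", user)])
    matching = [p for (tag, g), p in e.items()
                if tag == "group" and (g or acl["group"]) in groups]
    if matching:                                  # no fall-through to "other"
        return any(masked(p) for p in matching)
    return want in e[("other", "")]

# getfacl $HOME output as posted in the thread (stderr notice omitted).
BEFORE = """\
# file: home/bob323
# owner: bob323
# group: bob323
user::rwx
user:qemu:--x
group::---
mask::--x
other::---
"""
# Constructed states: after setfacl --modify, and after --remove-all + chmod 755.
AFTER_SETFACL = BEFORE.replace(
    "group::---", "user:nobody:--x\ngroup::---\ngroup:nobody:--x")
AFTER_CHMOD = "# owner: bob323\n# group: bob323\nuser::rwx\ngroup::r-x\nother::r-x\n"

def report():
    states = {"before": BEFORE, "setfacl": AFTER_SETFACL, "chmod755": AFTER_CHMOD}
    return {s: {u: may(parse_getfacl(t), u, [u]) for u in ("qemu", "nobody")}
            for s, t in states.items()}
```

`report()` shows `nobody` denied search (x) on the home directory before either fix, which is why mode 777 on libvirt-shared itself made no difference: every directory on the path has to grant search permission to the account Samba runs the session as.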

That was it! I read up on access control lists and the whole thing still doesn’t make a lot of sense to me, but it looks like that was the last problem to overcome. It still works when I re-enable SELinux too.

@nightromantic I tried your suggestion about spice-webdav, but I ran into a couple of problems. First, the spice-space website claims that spice-webdavd is included with the spice-guest-tools installer, but it’s not. Second, even after installing spice-webdav and running map-drive.bat, there were no new drives mapped, even though the script claims it ran successfully.

To summarize for future readers, here’s the process (as of 2019) to get this working:

  • Ensure Samba is installed
  • Edit smb.conf as reproduced above. The important part is map to guest = Bad User. I’ll come back and update this post if I find that the options should be changed as I suspect the configuration file could be improved.
  • Ensure you have a Samba account for your guest user: smbpasswd -a nobody
  • Enable Samba in your firewall: sudo firewall-cmd --permanent --add-service="samba"; sudo firewall-cmd --reload
  • I suspect the ACL problem was caused by me putting the shared folder inside my home folder. It may be possible to avoid this by putting your shared folder elsewhere. Otherwise, run the setfacl fix in @vgaetera’s post above, which will be marked as the solution.
  • Find your Samba shares in your Windows VM by going to Explorer and typing \\192.168.122.1 in the URL bar. This IP address may be different for you, but I imagine it’s standard across instances of virt-manager. This is the IP address of your host on the “virbr0” network interface, which can be found with ifconfig.
  • At this point I was able to make changes within the folder with my guest but not my main user. I fixed this by running chmod -R 777 libvirt-shared. A more secure solution might be to add your main user and your Samba guest user to a “virt-users” group or something similar and expand full permissions to the group only, or to set a Samba password for your main user and use that as the guest account if that’s even possible.