Fix permissions error with KVM virtual machine on Debian

I recently upgraded my laptop hard drive and decided to move all the virtual disk files of my virtual machines to my home directory.

However, when trying to run the VM, an error notification appeared:

Error starting domain: internal error process exited while connecting to monitor: Warning: option deprecated, use lost_tick_policy property of kvm-pit instead.
kvm: -drive file=/home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2,if=none,id=drive-ide0-0-0,format=raw,cache=writeback: could not open disk image /home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2: Permission denied

The Details section of that dialog showed me where the error was occurring:

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 45, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 66, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1114, in startup
    self._backend.create()
  File "/usr/lib/python2.7/dist-packages/libvirt.py", line 620, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error process exited while connecting to monitor: Warning: option deprecated, use lost_tick_policy property of kvm-pit instead.
kvm: -drive file=/home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2,if=none,id=drive-ide0-0-0,format=raw,cache=writeback: could not open disk image /home/sd/libvirt/images/WinXPsp3IE8-d3.qcow2: Permission denied

 

… or, at least, that’s what I hoped.  Except it didn’t.

For a long time, I played around with permissions on the virtual disk image itself, the directory containing it, and further back/up until reaching ~.  None of it helped.

Then I stumbled upon this libvirt bug report.  Comment #6 by Cole Robinson was what I needed:

“What virt-manager typically offers to do is use ACLs to allow the ‘qemu’ user search permissions on your home dir, which is all it should need and is fairly safe and restrictive.”

In order to check and set this, you’ll need to use the File Access Control utilities – getfacl and setfacl:

# cd /home

My home is “sd”

# getfacl sd

# file: sd
# owner: sd
# group: sd
user::rwx
user:root:--x
user:www-data:r-x
group::r-x
group:www-data:r-x
mask::r-x
other::---

The reason I have www-data with read and execute permissions is that I do web development and testing, and I also keep all my web-dev files in ~ too.  This just makes my system more “portable”, safer to upgrade and/or easier to migrate to a different Linux.

To set the required permission for libvirt / qemu, you just issue this one liner:

# setfacl -m u:libvirt-qemu:r-x sd

… substituting your own home directory name for sd.

setfacl (set file access control) takes three main arguments:

  • the action – in this case, -m means “modify” the ACL;
  • the data to apply, colon-separated: here we specify it’s a user (u) who is libvirt-qemu, and the permissions we want to allow are read and execute (r-x), where execute on a directory is the search permission mentioned above;
  • finally, we specify which file’s or folder’s ACL should be modified – in this case, my home (sd).

After this, my virtual machine starts up perfectly.

This is relevant for CrunchBang and other Debian-related distros.  For Fedora/CentOS, I believe the user should be qemu.
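
A way to check the result, added here and not part of the original post: the quoted comment says search permission on the home directory is all qemu needs, so this shell example reads getfacl output and reports which rwx bits a given user ends up with once the ACL mask is applied. The function names are hypothetical, and group entries are deliberately not evaluated (it assumes the user is in none of the listed groups).

```shell
# effective_perms USER: read `getfacl` output on stdin, print the rwx triple
# USER ends up with. Assumption: USER matches no group entry, so only the
# owner, named-user (limited by mask) and other entries are evaluated.
effective_perms() {
    awk -F: -v u="$1" '
        $1 == "# owner"          { owner = substr($2, 2) }
        $1 == "user" && $2 == "" { own = substr($3, 1, 3) }
        $1 == "user" && $2 == u  { named = substr($3, 1, 3); has_named = 1 }
        $1 == "mask"             { mask = substr($3, 1, 3); has_mask = 1 }
        $1 == "other"            { other = substr($3, 1, 3) }
        END {
            if (u == owner) { print own;   exit }
            if (!has_named) { print other; exit }
            if (!has_mask)  { print named; exit }
            for (i = 1; i <= 3; i++) {
                a = substr(named, i, 1)
                out = out ((a != "-" && substr(mask, i, 1) != "-") ? a : "-")
            }
            print out
        }'
}

# check_path USER FILE: report each ancestor directory of FILE that USER
# cannot search (x bit). Needs getfacl; defined here but not run.
check_path() {
    dir=$(dirname "$2")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        p=$(getfacl -p "$dir" 2>/dev/null | effective_perms "$1")
        case $p in ??x) ;; *) echo "blocked: $dir ($p)" ;; esac
        dir=$(dirname "$dir")
    done
}

# Constructed sample: the ACL of the home directory shown in the post.
sample_acl() {
    cat <<'EOF'
# file: sd
# owner: sd
# group: sd
user::rwx
user:root:--x
user:www-data:r-x
group::r-x
group:www-data:r-x
mask::r-x
other::---
EOF
}
```

Against the sample ACL, libvirt-qemu falls through to the "other" entry and gets no access, which matches the Permission denied error. Granting --x rather than r-x in the setfacl call gives the search permission without also letting that user list the directory.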


Causes for Eclipse to show “Resource out of sync with filesystem” message

You probably got here because you Googled.  I did ;-)

As an Eclipse user, you are occasionally greeted with error messages which are tricky to resolve.  The error, “Resource ‘X’ is out of sync with file system” made me scratch my head for a little while – as far as I could tell, it wasn’t!

[Image: screenshot of error dialog. As an Eclipse user, sooner or later you’ll see this.]

There can be a few causes of this:

  • If you edit any workspace file which is part of your project from outside of Eclipse, this can throw the error.
  • The same is true of directories - have you renamed/moved/deleted anything?
  • The cause which threw my error was symbolic links.  Because I had changed the name of a target directory, this was enough to trigger this error dialog, even though the file name of the symlink itself was unchanged!

To prevent this dialog appearing, as far as possible, visit Window > Preferences > General > Workspace and select:

  • Refresh using native hooks or polling
  • Refresh on access

[Image: Eclipse preferences window. Selecting appropriate preferences can keep your workspace up to date and reduce the chance of errors appearing.]

The combination of ensuring tight controls on renaming files and directories, together with automating detection of this as much as possible, will lead to a smoother experience with this great integrated development environment.


Resizing a LVM partition on-the-fly in CrunchBang / Debian

When installing Debian, or a derivative OS such as CrunchBang, you may have opted to separate out your partitions/logical volumes to manage your disk space more finely.

I opted to do this.  My partitions were set up thus:

$ sudo lvs 

 LV     VG   Attr     LSize   
 home   t420 -wi-ao-- 438.10g 
 root   t420 -wi-ao-- 332.00m 
 swap_1 t420 -wi-ao-- 15.50g     <-- way too big!
 tmp    t420 -wi-ao-- 369.00m    <-- way too small!
 usr    t420 -wi-ao-- 8.38g 
 var    t420 -wi-ao-- 2.79g

This was not working for me.  Doing backups using the easy backintime was proving difficult, as backintime relied on more /tmp space than I had.

As I rarely touched swap space, I figured that 15.5G was probably a bit large for my needs.  Thankfully, nabbing swap space and reusing it for the filesystem is easy as pie – and all achieved with no downtime.

Here’s the sequence I typed into a terminal.  First, turn off swap:

$ sudo swapoff -a

Then resize the swap volume:

$ sudo lvresize -L 8GB /dev/t420/swap_1

Now re-format the swap partition before using it again:

$ sudo mkswap /dev/t420/swap_1

Then turn swap availability back on:

$ sudo swapon -a

And finally, resize the /tmp partition on-the-fly:

$ sudo lvextend -L +1G -r -v /dev/t420/tmp

Because the LVM tools have semi-awareness with respect to filesystems, the resizing of /tmp (using the -r switch) was achieved on-line – no need to log out, reboot or anything else.  The verbose (-v) switch allowed me to see everything that was happening.

The new partition sizing is:

 LV     VG   Attr     LSize 
 home   t420 -wi-ao-- 438.10g 
 root   t420 -wi-ao-- 332.00m 
 swap_1 t420 -wi-ao-- 8.00g 
 tmp    t420 -wi-ao-- 1.37g 
 usr    t420 -wi-ao-- 8.38g 
 var    t420 -wi-ao-- 2.79g

I also have 6.5G spare on the hard drive now, in case it’s needed by another logical volume.

LVM rocks for easy filesystem management!  Try it out!

 


Yet another Seagate hard disk fails on me

It all starts with that strange sound… In my machine’s case, a whining noise.  As a sysadmin and/or experienced geek, you know something’s wrong.  I suspect the head assembly has become detached and is scraping along the disk surface at 7200rpm… 

[Image: SMART stats for the offending drive, which wasn’t being used outside design parameters, despite GNOME-disk-utility’s opinion!]

Naturally, the usual recovery tools don’t work… and the drive sounds shot.

# pvmove /dev/sdd1 /dev/sdg1
/dev/sdd1: Moved: 0.0%
/dev/sdd1: Moved: 0.0%
/dev/sdd1: read failed after 0 of 2048 at 0: Input/output error
No physical volume label read from /dev/sdd1
Physical volume /dev/sdd1 not found
ABORTING: Can’t reread PV /dev/sdd1
ABORTING: Can’t reread VG for /dev/sdd1

# dd if=/dev/sdd1 of=dev/sdg1 bs=4096
dd: reading `/dev/sdd1': Input/output error
2+0 records in
2+0 records out
8192 bytes (8.2 kB) copied, 0.0992418 s, 82.5 kB/s

# dd if=/dev/sdd of=dev/sdg bs=4096
dd: reading `/dev/sdd': Input/output error
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.0205753 s, 199 kB/s

This is the third 1TB Seagate ES.2 drive I’ve had develop bad sectors.  Although they have a 5 year warranty, they seem to start expiring after 3.

Thank goodness I have backups…

#whodoyoutrust


Laptop fan noisy?  Mine was.

I have a Thinkpad T420 – now 2 years, 6 months old.  I started to notice the fan seemed a bit noisier than normal and the CPU was reporting a temperature of around 60 °C, even when the machine wasn’t doing very much.

As suspected, 30 months of usage without a clean is a little bit too long.  Cleaning a laptop fan can be fairly straightforward – this took just two screw removals.  Of course, always seek advice and YouTube videos if you need help to do yours! ;-)

After the procedure, my laptop runs about 10-15 °C cooler and is much quieter.

#cleanmachine #laptoprepair #dusty +Lenovo #thinkpad

(Warning, images are grotesque scenes of mostly human skin.  Some microscopic lifeforms may have been “damaged” during the making of these images…)


LONDON SEVENS RUGBY TICKETS FOR SALE

If you live anywhere near London, this is sure to be a great time.  The sevens are fast-paced, quick-changing rugby games.  Fantastic atmosphere at Twickenham, too.

2 x Tickets – £10 each for Saturday 10th of May

12 x Tickets – £10 each for Sunday 11th May. Get the lot for £100.

It's an awesome day out.

Can receive payment by PayPal and post first class to you.

PM if interested!

#london #londonsevens #rugby  


Beware: what goes up, sometimes stays up!

[Image: Regain email privacy & security]

Part #3 of the Data Liberation series

Is there ever time in the day to reconsider your online security? I mean, really consider it?

Take the most common access point for communication in the 21st century – email. Yes, you read that right. It’s still email. Email is the root of online authentication for people worldwide, not only allowing them a “safe place” to recover lost account credentials, but also facilitating properly secured communications with the use of PGP signed and encrypted email. But is your email storage secure?

The woes of web mail

The “problem” with email is that its ubiquity spawned, some years ago, the explosion of “free” web mail services. All the big players provide it. These services are advertising-supported. In other words, the cost of providing such services is met by revenue generated from scanning your email and providing “relevant” adverts within your browser to click on. Each click is tracked and the advertiser billed accordingly.

An issue here, then, is that your email is scanned. All your emails are read by an indexing process which scours every single nugget of information. What information could that include? How could it be used? How about this little list for starters:

  • the date & time
  • the sender’s name and email address
  • their computer’s name
  • their network (i.e. their email provider, their ISP, any intervening mail routers)
  • their probable native language
  • their approximate location when sending the message (obtained from their original IP address)
  • your approximate location when reading the email (based on your IP address)
  • your and their exact locations if using any location service

That’s not all

If the sender is using the same “free” web-mail service as you:

  • if they use a calendar in that service, what they were doing when they emailed you (giving an insight into the sender’s thought processes…)
  • if they maintain a contact list / address book in that web-mail service, that service may “know” you are a friend or family member of the sender
  • in this case, it will also know their friends – and your friends – and any shared friends too.  It can start to build up a map of contacts – who knows who and possibly why.
  • Knowing “who knows who” means those related contacts’ web-mail services can be interrogated for commonalities, such as shared events (in a calendar), shared interests via a social network, and so on.

There are yet more ways your data can be exposed. If they are not using the same “free” web-mail service, but are using another service which they log into using their web mail service’s credentials:

  • that web-mail service provider could poll the other services to see what data you are sending (e.g. what you are posting) to those services
  • it can map any correspondence to or from your contact via its services even when not in relation to your email – e.g. it can expose a contact’s movements, their communications and interests in a given time-frame.
  • they can even be exposed by their use of related services from that provider. For example, new photos uploaded to a public Flickr or Instagram account can be mapped back from their date, time and location to the IP address that was used to query location services.

Finally, a crucial problem with all online services is that there is no guarantee your data is actually deleted when you choose to delete it.  After hitting “delete” through a web site, this could simply flag the email to be removed from your visible account and stored in MegaWebCorp’s vault of “deleted” email, remaining there forever.  Or until needed…

This is the risk of putting data into another provider’s hands – what gets uploaded or stored in your name, stays there in your name, forever.  What goes up, sometimes stays up.

Resolving the privacy crisis

Coming back to email, then: someone who wants to maintain some privacy with respect to their life activity first needs to remove the source of indexing from MegaWebCorp’s database – the link between all the things you do, your email address.

When the email address is removed from the purview of MegaWebCorp’s systems, your online activity can start to become your business – not the advertiser’s.

Getting your own address is simple.  You can register a domain name with any of numerous providers around the world and sign up for a low-cost hosting plan.  For any person who values their privacy and the sanctity of anonymity, this is a small hurdle to overcome.

For the gain in privacy you can achieve by hosting your own web site, the price attached to a “free” web-mail account may seem rather high.

Bootnote

ArsTechnica has an interesting article published yesterday (30 March 2014) on “metadata as surveillance”.

 
