Booting from ISO - there must be an easier way

Davide Zanon

Hi,
so I just installed TrueNAS SCALE for VM testing purposes and I'm hitting two problems trying to install the OS from an ISO:
First problem: if I try to upload an ISO from the VM creation page I get this error
Code:
 Error: Http failure response for http://truenasscaleip/_upload?auth_token=sometoken: 403 Forbidden

Second problem: if I skip the upload part and add a CD-ROM device later with the mount point with the ISO, when I start the VM I get this error
Code:
[EFAULT] internal error: process exited while connecting to monitor: 2023-04-05T09:07:07.830370Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/mnt/test/VMs/ISOs","node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}: Could not open '/mnt/test/VMs/ISOs': Permission denied


Searching the forum I read that I have to give permission to libvirt-qemu user to read/write where I store the iso and I did but it seems I'm missing something here.
I created a dedicated dataset for storing various isos and I gave libvirt-qemu full permissions on the dataset.
There must be an easier way to achieve this, I mean this is a basic feature, the official documentation doesn't say anything about it.
What I don't get either is how do I specify the iso I want to boot from?

Thanks
 

LarsR

Basically you only have to save the ISOs on a dataset on your NAS, which you already did.
The rest is done via the setup wizard when creating the VM.
After selecting which guest OS you want to install, where it should be installed, and how many resources you want to give the VM, there's a menu item to choose the installation medium. You can either directly upload an ISO or choose a path on the NAS where your ISOs are saved.
 

Davide Zanon

Hi, this part I get, but there is no mention anywhere whatsoever that one has to give libvirt-qemu permission to the dataset. Now I got it to work, but I'm not really sure how I did it, and this bothers me a lot if I need to deploy more VMs or TN SCALE servers (as I'd like to).
Thanks
 

Patrick M. Hausen

I just copy all installation media to /mnt/<mypool>/iso-images as root with scp - that dataset is publicly readable, done. In ESXi I have a folder by the same name.
 

Patrick_3000

The way I did this was to navigate to the top-level dataset in a pool and edit the ACL for that dataset, then give user "libvirt-qemu" read only privileges and apply the change recursively, including to child datasets. After that, any image file (.iso) under the top level dataset, including in child datasets, can be mounted in a CD-Rom device in a VM.
 

Patrick M. Hausen

But why? All datasets are by default publicly readable. zfs create <mypool>/iso-images - done.
 

Patrick_3000

> But why? All datasets are by default publicly readable. zfs create <mypool>/iso-images - done.

When I set up datasets, I use ACLs, which I've found to be the easiest way to manage permissions. I have a couple of different human users, each with access to different child datasets under a top level dataset, and ACLs provide granular control to manage this.

With ACLs, I start with a predefined permission configuration, which is by far the easiest way to do it, and the safest predefined permission configuration is "restrictive." Starting with this as the base, one can then add individual users to different child datasets with full control, modify, read, or traverse access as desired.

If you do this, then user libvirt-qemu, which needs permission to mount an image file as a CD-Rom in a VM, will not have permission to access any dataset, so it's necessary to add this user to the ACL.
 

Patrick M. Hausen

Now I understand. In my case this dataset is written by root alone and can be read by anyone, because, hey, installation media. And also there is no share. I use scp only.
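
Added example (not part of any post in this thread): a shell helper that checks, for a given user such as libvirt-qemu, that a CD-ROM path is a regular image file rather than a directory, that every parent directory is traversable, and that the file is readable. The function names, return codes and the use of `sudo -u` are assumptions of this example; without a user argument the checks run as the current user.

```shell
#!/bin/sh
# Added example: diagnose "Permission denied" on a VM CD-ROM path.
# Usage: check_iso_path /mnt/<mypool>/iso-images/<image>.iso libvirt-qemu

# Run `test` as $CHECK_USER when set, otherwise as the current user.
# Going through the kernel this way honours ACLs as well as mode bits.
as_user() {
    if [ -n "$CHECK_USER" ]; then
        sudo -u "$CHECK_USER" test "$@"
    else
        test "$@"
    fi
}

# Return codes (hypothetical, chosen for this example):
#   0 ok, 1 path not absolute, 2 missing, 3 not a regular file,
#   4 a parent directory is not traversable, 5 file not readable.
check_iso_path() {
    path=$1
    CHECK_USER=${2:-}
    case $path in
        /*) ;;
        *) echo "need an absolute path: $path"; return 1 ;;
    esac
    [ -e "$path" ] || { echo "missing: $path"; return 2; }
    # QEMU's file driver needs the image itself, not the folder holding it.
    [ -f "$path" ] || { echo "not a regular file: $path"; return 3; }
    # Walk every ancestor from / downwards; each needs execute (traverse).
    dir=""
    rest=$(dirname "$path")
    old_ifs=$IFS; IFS=/
    for part in $rest; do
        [ -n "$part" ] || continue
        dir="$dir/$part"
        if ! as_user -x "$dir"; then
            IFS=$old_ifs
            echo "no traverse permission on: $dir"; return 4
        fi
    done
    IFS=$old_ifs
    as_user -r "$path" || { echo "no read permission on: $path"; return 5; }
    echo "ok: $path"
}
```

Read-only access for the VM user on the ISO dataset is enough for mounting installation media; the first failing path component printed by the helper shows where an ACL entry or mode bit is missing.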
 