Virt-Manager – Fix USB Device Redirection Issue

kvm-virtualizationlibvirtusb

I have a Fedora workstation running an Ubuntu 16.04 virtual machine (KVM
hypervisor). I'd like to redirect a USB device to the VM, but when selecting
"Virtual Machine | Redirect USB device" from virt-manager, I get the
following error:

spice-client-error-quark: Could not redirect <USB device name> at 1-4:
Error setting USB device node ACL: 'Not authorized' (0)

The error window has a "Details" section which just reads "USB redirection
error".

Here is what I've tried so far, without success:

As suggested here, I created a /etc/udev/rules.d/50-spice.rules file with
the following contents, then created a `spice` group and added my user to
this group
```
SUBSYSTEM=="usb", GROUP="spice", MODE="0660"
SUBSYSTEM=="usb_device", GROUP="spice", MODE="0660"
```
Downgraded spice-gtk from the latest version of Fedora 33 (0.39-1) to
0.38-3.
Disabled selinux
sudo chmod 4755 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
Upgraded to Fedora 34 which comes with spice-gtk 0.39-2

Best Answer

The solution for me was to create the /etc/udev/rules.d/50-spice.rules files, then to add <allow_any>yes</allow_any> under the <defaults> section in /usr/share/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy. After modification, the file looks like this on my machine:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
          "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
          "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>

  <vendor>The Spice Project</vendor>
  <vendor_url>http://spice-space.org/</vendor_url>
  <icon_name>spice</icon_name>

  <action id="org.spice-space.lowlevelusbaccess">
    <description>Low level USB device access</description>
    <message>Privileges are required for low level USB device access (for usb device pass through).</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

</policyconfig>

Related Solutions

Ubuntu – Web-Based Virtual Machine Manager

you can use opennebula or eucalyptus.

Mapping USB Drive Directly to Libvirt KVM Virtual Machine

Check out the 'USB passthrough | Using Libvirt' section of this page from the Edubuntu wiki. More info here and here.

If you don't ever plan to hot plug/unplug the usb drive while the guest is running you could also try adding a section like

<disk type='block' device='disk'>
  <driver name='qemu' type='raw'/>
  <source dev='/dev/sdb'/>
  <target dev='sdb' bus='scsi'/>
</disk>

to your VM's xml definition file. Just change the source dev to match what was assigned to your usb when it was plugged in. However, you can't guarantee the usb's dev assignment will survive reboot if other devices are added or removed, so I'd recommend the approach in the first link above instead.

In case the link disappears, here is the relevant USB passthrough section of the linked docs:

Using Libvirt

fired up a pre-existing vm
virsh start maverick2
plugged in a usb drive
found the usb address using lsusb, which gave me
{{ Bus 002 Device 006: ID 1058:1023 Western Digital Technologies, Inc. }}}

defined a xml file with the device info:

<hostdev mode='subsystem' type='usb'> <source> <vendor id='0x1058'/> <product id='0x1023'/> </source> </hostdev>
passed the usb drive to the vm
sudo virsh attach-device maverick2 /tmp/a.xml
HOWEVER this does not work with apparmor enabled. You must either disable apparmor, or add
/dev/bus/usb/*/[0-9]* rw,
to either /etc/apparmor.d/libvirt-qemu (which gives all guests full access to physical host devices) or to
/etc/apparmor.d/libvirt/libvirt-<uuid>
which will give only the one guest that access. (Thanks to jdstrand for help getting that straight.)

Best Answer

Related Solutions

Ubuntu – Web-Based Virtual Machine Manager

Mapping USB Drive Directly to Libvirt KVM Virtual Machine

Using Libvirt

Related Topic