How I Fixed the “Permission Denied” Error When Restoring My Virtual Machine in libvirt – And How You Can Too
It was a quiet Sunday afternoon. I was sitting at my desk, sipping on coffee, feeling a sense of relief. My system was freshly reinstalled, and everything was nearly back to normal – except for one thing. My Windows 11 virtual machine (VM) wouldn’t start. Instead, I was met with a “Permission Denied” error whenever I tried to power it on. Frustrating, right?
I had just finished restoring my VM disk file (a .qcow2 file) after a backup, but libvirt kept refusing to load it. The error message was cryptic:
“Cannot access storage file ‘/home/user/VM/w11/win11.qcow2’ (as uid:64055, gid:993): Permission denied.”
I thought, surely, it was just a simple permissions issue – after all, I had moved the file from a backup. I was wrong. Hours of poking around in settings, changing file ownerships, and trying various solutions didn’t help. The issue seemed to be much deeper than I expected.
After diving into the world of AppArmor, libvirt configurations, and directory permissions, I finally found the solution that worked. This post is a result of that journey, and I hope it helps save you from the same frustrations. I’ve been there – and now, I can share a solution that will get your VM running smoothly in no time.
Quick Takeaway:
When your VM fails to start due to a “Permission Denied” error, it’s often caused by a combination of directory permissions, AppArmor security restrictions, and libvirt configuration issues. Adjusting the right settings can solve the problem quickly.
1. The Hidden Culprit: Directory Permissions
Most people overlook directory permissions when dealing with VM disk files. They assume that the problem lies in the file permissions themselves. But here’s the thing: libvirt needs to be able to traverse the entire directory path to access your VM’s storage. If any folder in that path doesn’t have the right execute permissions, libvirt won’t be able to reach the file.
I learned this the hard way when I tried to restore my VM disk in /home/user/VM/w11/ and libvirt couldn’t access it. The file had the right ownership and permissions, but the directories themselves weren’t accessible. Fixing this required adding execute permissions to the parent directories like /home, /home/user, and /home/user/VM.
How to fix directory permissions:
- Run the following commands to grant the right permissions:
sudo chmod +x /home/user
sudo chmod +x /home/user/VM
sudo chmod +x /home/user/VM/w11
- Test again by trying to access the file as the libvirt user:
sudo -u libvirt-qemu ls /home/user/VM/w11/win11.qcow2
Once I made this simple change, libvirt was able to access the file and start the VM.
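To see which directory in the path is the one blocking traversal, the check can be scripted. This is an added example, not part of the original post: first_blocked_dir is a hypothetical helper that assumes GNU stat and assumes the libvirt-qemu user is neither the owner nor in the group of the directories, so the "other" permission bits decide access.

```shell
#!/bin/sh
# Added example: report the first ancestor directory of a disk image that
# "other" users cannot traverse (missing o+x).
# Assumption: the QEMU user is neither owner nor group member of these
# directories, so only the last octal digit of the mode matters.

# first_blocked_dir PATH [START]
#   PATH   absolute path to the disk image
#   START  optional directory already known to be reachable (default: /)
# Prints the first directory below START lacking o+x and returns 1.
# Prints nothing and returns 0 when every directory is traversable.
# Returns 2 on bad input or if stat fails.
first_blocked_dir() {
    target=$1
    dir=${2:-}
    dir=${dir%/}
    case $target in "$dir"/*) ;; *) return 2 ;; esac

    # Directory components between START and the file, e.g. home/user/VM/w11
    rest=$(dirname "${target#"$dir"/}")
    [ "$rest" = . ] && rest=""

    while [ -n "$rest" ]; do
        dir="$dir/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac

        mode=$(stat -c %a "$dir") || return 2
        # Last octal digit holds the "other" bits; odd means execute is set.
        case ${mode#"${mode%?}"} in
            1|3|5|7) ;;
            *) printf '%s\n' "$dir"; return 1 ;;
        esac
    done
    return 0
}

# Example: sh check.sh /home/user/VM/w11/win11.qcow2
if [ $# -gt 0 ]; then
    first_blocked_dir "$@"
fi
```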
2. AppArmor: The Silent Blocker You Didn’t Expect
While I focused on file and directory permissions, I soon realized AppArmor, a security framework on Linux, was blocking access to the storage file. It turns out libvirt is configured to only access files in certain directories by default, such as /var/lib/libvirt/images/. When I tried to keep my disk in /home/user/VM/, AppArmor silently blocked libvirt from accessing it.
After understanding this, I adjusted the AppArmor profile for libvirt, allowing access to my custom folder.
How to modify AppArmor profile:
- Edit the relevant profile for your VM:
sudo nano /etc/apparmor.d/libvirt/libvirt-848f79f6-8387-4bb4-935a-3deb593b195d
- Add this line inside the profile:
/home/user/VM/** rwl,
- Reload the AppArmor profile:
sudo apparmor_parser -r /etc/apparmor.d/libvirt/libvirt-848f79f6-8387-4bb4-935a-3deb593b195d
This small tweak unlocked access to the directory, and I was able to run my VM smoothly after restarting libvirtd.
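AppArmor denials are written to the kernel or audit log, so you can confirm that AppArmor is the blocker, and see exactly which path and access mode it refused, before widening a profile. The following is an added example, not part of the original post: apparmor_denied_paths and sample_log are hypothetical names, and the log lines (timestamps, PIDs, host name) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the files AppArmor refused to a libvirt-<uuid> profile.
# Reads kernel/audit log lines on stdin and prints one line per unique
# denial as: <profile> <path> <denied_mask>

apparmor_denied_paths() {
    awk '
    function unq(s) { sub(/^[^=]*="/, "", s); sub(/"$/, "", s); return s }
    /apparmor="DENIED"/ {
        profile = name = mask = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^profile="/)     profile = unq($i)
            if ($i ~ /^name="/)        name    = unq($i)
            if ($i ~ /^denied_mask="/) mask    = unq($i)
        }
        # Only per-VM libvirt profiles; drop repeated denials.
        if (profile ~ /^libvirt-/ && !seen[profile, name, mask]++)
            print profile, name, mask
    }'
}

# Constructed sample input: two identical libvirt denials, one denial for an
# unrelated profile, and one non-denial status message.
sample_log() {
    cat <<'EOF'
Jan 05 14:02:11 host kernel: audit: type=1400 audit(1736085731.101:211): apparmor="DENIED" operation="open" profile="libvirt-848f79f6-8387-4bb4-935a-3deb593b195d" name="/home/user/VM/w11/win11.qcow2" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
Jan 05 14:03:40 host kernel: audit: type=1400 audit(1736085820.554:219): apparmor="DENIED" operation="open" profile="libvirt-848f79f6-8387-4bb4-935a-3deb593b195d" name="/home/user/VM/w11/win11.qcow2" pid=4310 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
Jan 05 14:04:02 host kernel: audit: type=1400 audit(1736085842.007:220): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=901 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 05 14:05:10 host kernel: audit: type=1400 audit(1736085910.300:221): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-848f79f6-8387-4bb4-935a-3deb593b195d" pid=4400 comm="apparmor_parser"
EOF
}

# On a real host, feed it the kernel log instead, for example:
#   journalctl -k | apparmor_denied_paths
sample_log | apparmor_denied_paths
```

If the restored disk path shows up here, the AppArmor profile is what needs changing; if nothing shows up, look at ownership and directory permissions instead.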
3. Ownership and Permissions: Still Essential, but Not the Whole Story
Many tutorials suggest that the problem lies entirely in file ownership and permissions. While these are certainly part of the equation, they’re not the whole story. libvirt needs not only read permissions on the file but also execute access on the directories leading to it. You may have set the right permissions for your .qcow2 file, but if the system can’t traverse the directories leading up to it, you’re still stuck.
How to ensure file permissions are correct:
- Set the file’s ownership and permissions as follows:
sudo chown libvirt-qemu:kvm /home/user/VM/w11/win11.qcow2
sudo chmod 660 /home/user/VM/w11/win11.qcow2
- Verify ownership and permissions with:
ls -l /home/user/VM/w11/win11.qcow2
4. Restarting Libvirt: Don’t Skip This Step
After making these changes, don’t forget to restart libvirtd. It’s not enough to change configurations – libvirt needs to reinitialize to apply the new settings.
Restart the service:
sudo systemctl restart libvirtd
Then, try powering on your VM again, and voilà, it should start without any issues.
5. Moving Your Disk File: The Last Resort
While I eventually solved the issue by modifying permissions and AppArmor settings, another viable option is simply moving the disk file to libvirt’s default storage path: /var/lib/libvirt/images/. This way, you can avoid AppArmor blocking altogether. However, in my case, since I didn’t want to touch my system partition, I stuck with the fix outlined above.
How to move the file:
- Move the disk to the default storage folder:
sudo mv /home/user/VM/w11/win11.qcow2 /var/lib/libvirt/images/
- Adjust the VM’s XML configuration to reflect the new path:
sudo virsh edit win11
- Change the disk’s source line to:
<source file='/var/lib/libvirt/images/win11.qcow2'/>
Conclusion: Don’t Let Permissions Hold You Back
The next time you face a “Permission Denied” error when restoring a virtual machine, remember these critical steps: directory permissions, AppArmor profiles, and libvirt configurations. By fixing these areas, I was able to get my VM back up and running.
Have you had similar issues with libvirt or other virtualization tools? How did you tackle them? Share your thoughts in the comments below, and let’s keep the conversation going!