$ echo $?
1
$ cat /tmp/test/testguest-swtpm.log
Creating root CA and a local CA's signing key and issuer cert.
Could not create root-CA:Can't load ./.rnd into RNG
40D7E55E677F0000:error:12000079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:106:Filename=./.rnd
Cannot write random bytes:
40D7E55E677F0000:error:12000079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:240:Filename=./.rnd
Error creating local CA's signing key and cert.
That is essentially the same error, so it really comes down to the user/group and some permissions. Note that the path in the error, ./.rnd, is relative: OpenSSL is trying to read and write its RNG seed file in the process's current working directory, so that directory's ownership/permissions for the swtpm user are the first access to check.
This way we can reproduce it outside of libvirt, track exactly which access fails, and debug/fix it.
# clean up: /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm
$ sudo apt remove --purge swtpm swtpm-tools
$ sudo rm -rf /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm
# re-create a clean env by re-installing swtpm
$ sudo apt install swtpm swtpm-tools
# Status after install: /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm /run/libvirt/qemu/swtpm
$ sudo ls -laF /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm /run/libvirt/qemu/swtpm
ls: cannot access '/var/lib/libvirt/swtpm': No such file or directory
ls: cannot access '/var/log/swtpm': No such file or directory
/run/libvirt/qemu/swtpm:
total 0
drwxrwx--- 2 libvirt-qemu swtpm 40 Apr 7 10:33 ./
drwxr-xr-x 5 root root 140 Apr 7 10:33 ../
/var/lib/swtpm-localca:
total 8
drwxr-x--- 2 swtpm root 4096 Apr 7 10:48 ./
drwxr-xr-x 43 root root 4096 Apr 7 10:48 ../
# then failing a start of a VM with swtpm configured
$ virsh start testguest --console
# File/Dir status after this: /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm /run/libvirt/qemu/swtpm /var/log/swtpm/libvirt/qemu /var/log/swtpm/libvirt
$ sudo ls -laF /var/lib/libvirt/swtpm /var/lib/swtpm-localca /var/log/swtpm /run/libvirt/qemu/swtpm /var/log/swtpm/libvirt/qemu /var/log/swtpm/libvirt
/run/libvirt/qemu/swtpm:
total 0
drwxrwx--- 2 libvirt-qemu swtpm 40 Apr 7 10:33 ./
drwxr-xr-x 5 root root 140 Apr 7 10:33 ../
/var/lib/libvirt/swtpm:
total 8
drwx--x--x 2 root root 4096 Apr 7 10:50 ./
drwxr-xr-x 8 root root 4096 Apr 7 10:50 ../
/var/lib/swtpm-localca:
total 20
drwxr-x--- 2 swtpm root 4096 Apr 7 10:50 ./
drwxr-xr-x 43 root root 4096 Apr 7 10:48 ../
-rwxr-xr-x 1 swtpm swtpm 0 Apr 7 10:50 .lock.swtpm-localca*
-rw-r--r-- 1 swtpm swtpm 0 Apr 7 10:50 index.txt
-rw-r--r-- 1 swtpm swtpm 3 Apr 7 10:50 serial
-rw-r--r-- 1 swtpm swtpm 1468 Apr 7 10:50 swtpm-localca-rootca-cert.pem
-rw-r----- 1 swtpm swtpm 2455 Apr 7 10:50 swtpm-localca-rootca-privkey.pem
/var/log/swtpm:
total 12
drwx--x--x 3 root root 4096 Apr 7 10:50 ./
drwxrwxr-x 10 root syslog 4096 Apr 7 10:50 ../
drwx--x--x 3 root root 4096 Apr 7 10:50 libvirt/
/var/log/swtpm/libvirt:
total 12
drwx--x--x 3 root root 4096 Apr 7 10:50 ./
drwx--x--x 3 root root 4096 Apr 7 10:50 ../
drwx-wx--- 2 swtpm swtpm 4096 Apr 7 10:50 qemu/
/var/log/swtpm/libvirt/qemu:
total 12
drwx-wx--- 2 swtpm swtpm 4096 Apr 7 10:50 ./
drwx--x--x 3 root root 4096 Apr 7 10:50 ../
-rw-r--r-- 1 swtpm swtpm 1730 Apr 7 10:50 testguest-swtpm.log
---
After this failed try - since the guest is abandoned - we have some differences for a retry:
- /var/lib/libvirt/swtpm/202a34a9-2ee2-4826-b206-c249f535be90/tpm2 no longer exists
- /var/log/swtpm/libvirt/qemu/testguest-swtpm.log can't be written
$ sudo rm -rf /tmp/test2
$ mkdir /tmp/test2
$ sudo chown swtpm:swtpm /tmp/test2
$ sudo -u swtpm /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek b2e69cdcfc19832f9d174ef4c3af14cf9843efed4e986f35d011a4ac0af4a84adf93a24937bf00da5519272a1f722ae3aa33b8efbe44b3bcde8ac2cf781302801643791f379eab400482f0c4b8a9aba1676eb7b0ae45792d39746a82164c247d4d348aecba70025d74f7025d2e1896743617396337f6221bd81429c3498069056635f9ddf288fe32d9759fa6a825665e56d819b5657f5ce828e72db17e6073cf4e4c7f9dfd8ea18eebae28e9cffa6ff406d03a8a15e48a3f5acd7a3cca7d64b9aef250cc40a301132d466f346843f9a3e084bf9e19fe48b31d2512f39ddd6bc324d22db77dad619158efa5680ff4816c7fc645014e6fa03fb11ede6bc720bbd7 --dir /tmp/test --logfile /tmp/test/testguest-swtpm.log --vmid testguest:202a34a9-2ee2-4826-b206-c249f535be90 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
$ echo $?
1
$ cat /tmp/test/testguest-swtpm.log
Creating root CA and a local CA's signing key and issuer cert.
Could not create root-CA:Can't load ./.rnd into RNG
40D7E55E677F0000:error:12000079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:106:Filename=./.rnd
Cannot write random bytes:
40D7E55E677F0000:error:12000079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:240:Filename=./.rnd
Error creating local CA's signing key and cert.
That is essentially the same error, so it really comes down to the user/group and some permissions. Note that the path in the error, ./.rnd, is relative: OpenSSL is trying to read and write its RNG seed file in the process's current working directory, so that directory's ownership/permissions for the swtpm user are the first access to check.
This way we can reproduce it outside of libvirt, track exactly which access fails, and debug/fix it.