Permission denied when using vfio with interface pools
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libvirt (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
I have a network configured like this (/etc/libvirt/
<network>
<name>en4</name>
<uuid>
<forward mode='hostdev' managed='yes'>
<pf dev='eno4'/>
</forward>
</network>
If I use this network in a qemu VM like this:
<interface type='network'>
<mac address=
<source network='en4'/>
<model type='rtl8139'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
</interface>
I get an error like this when trying to start it using virsh:
qemu-system-
However, as soon as I pass any device through (e.g. a <hostdev> instead of <interface>), the permission error goes away.
So to me, it looks like when <interface> is using a network that uses a hostdev, libvirt does not set the proper permissions to allow qemu to access the vfio.
---
Description: Ubuntu 18.04.3 LTS
Release: 18.04
libvirt-daemon:
Installed: 4.0.0-1ubuntu8.12
Candidate: 4.0.0-1ubuntu8.12
Hi,
this is a dup of bug 1677398.
The TL;DR is that in some guest descriptions libvirt doesn't know (at the right time and place) what the device will be. Due to that it can't render the per-guest apparmor rules correctly for this extra device.
In a similar fashion bug 1775777 had issues with late additions of vfio devices.
The solution for now is that an admin has to opt-in and allow e.g.
/dev/vfio/* rw,
For all guests by setting that in
/etc/apparmor.d/abstractions/libvirt-qemu (bionic)
or better as it isn't overwritten (conffile conflict) on upgrades
/etc/apparmor.d/local/abstractions/libvirt-qemu (later versions)
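
An added example, not part of the bug report or of libvirt's packaging: a shell helper that applies the opt-in described in the comment above exactly once, leaving the file alone if an active /dev/vfio rule is already there. The function names are hypothetical, and the target file is passed as an argument so it can be tried on a scratch copy first; the rule it writes applies to all guests, as the comment says.

```shell
#!/bin/sh
# Added example (hypothetical helper names): idempotent opt-in for the
# AppArmor rule quoted in the comment above.

RULE='/dev/vfio/* rw,'

# has_vfio_rule FILE
# Succeeds if FILE holds an active (not commented out) /dev/vfio rule.
has_vfio_rule() {
    [ -f "$1" ] &&
        grep -Eq '^[[:space:]]*/dev/vfio/[^#]*[[:space:]]+[rwk]+,' "$1"
}

# add_vfio_rule FILE
# Appends RULE to FILE unless an active vfio rule is already present.
# Prints "present" or "added" so callers and logs can tell what happened.
add_vfio_rule() {
    if has_vfio_rule "$1"; then
        echo present
        return 0
    fi
    # The local/ override directory may not exist yet on a fresh system.
    mkdir -p "$(dirname "$1")"
    printf '# local opt-in: let qemu guests open vfio group nodes\n%s\n' \
        "$RULE" >> "$1"
    echo added
}

# Run as a script with the file to edit as the only argument, e.g. the
# local override path named in the comment above.
if [ -n "${1:-}" ]; then
    add_vfio_rule "$1"
fi
```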