Nested virt fails with 'failed to set MSR' causing QEMU to abort
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
qemu (Ubuntu) | Fix Released | Medium | Matthew Ruffell | |
Focal | In Progress | Medium | Matthew Ruffell | |
Bug Description
[Impact]
When using an instance on Azure Cloud, nested kvm virtualisation fails with the following error message:
qemu-system-x86_64: error: failed to set MSR 0x48b to 0x11582e00000000
qemu-system-x86_64: /build/
It appears that some systems can expose particular features via CPUID, but can lack the corresponding VMX control for that feature. When this happens, such as with MSR 0x48b on Azure Cloud, attempts to enable the feature fail and QEMU aborts.
[Testcase]
Create an instance on Azure with the latest Focal image, install QEMU, and prepare to launch a VM:
$ sudo -s
# apt install qemu-kvm bridge-utils
# BR_NAME="br0"
# BR_ADDR=
# ip link add "$BR_NAME" type bridge
# ip addr add "$BR_ADDR"/24 dev "$BR_NAME"
# ip link set "$BR_NAME" up
# tap_name="tap1"
# br_name=$BR_NAME
# ip tuntap add $tap_name mode tap user $(whoami) multi_queue
# ip link set $tap_name up
# ip link set $tap_name master $br_name
Download a guest VM:
# wget https:/
Launch the VM:
# /usr/bin/
With an unpatched QEMU, VM creation will fail with:
qemu-system-x86_64: error: failed to set MSR 0x48b to 0x11582e00000000
qemu-system-x86_64: /build/
A test package for focal is available in the following ppa:
https:/
The patched QEMU from the above ppa fixes the problem, and the VM launches successfully.
[Regression Potential]
The code adds a check to see if MSR_IA32_
If a regression were to occur, some systems might be missing VMX's being enabled if these checks were incorrectly skipped, leading to particular features missing for a VM. In the worst case scenario, the VM may not start due to missing or incorrectly set MSRs.
The code is simple and targeted, and I believe the chance for regression is very low.
[Other Info]
The commit that fixes the problem is:
Commit: 4a910e1f6ab4155
From: Vitaly Kuznetsov <email address hidden>
Date: Tue, 31 Mar 2020 18:27:52 +0200
Subject: target/i386: do not set unsupported VMX secondary execution controls
Link: https:/
This fixes 048c951 ("target/i386: work around KVM_GET_MSRS bug for secondary execution controls"), which was introduced in QEMU 4.2, meaning only Focal and Groovy require fixing.
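The value in the error message can be decoded to see which controls were being requested. The C sketch below is an added example, not part of the bug report and not QEMU's code: it treats the upper 32 bits of MSR 0x48b as the allowed-1 mask of VMX secondary execution controls (bit names per the Intel SDM) and compares the requested value with a host capability value. The helper names and the host value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* MSR 0x48b is IA32_VMX_PROCBASED_CTLS2 (Intel SDM): bits 63:32 are the
 * "allowed-1" mask, i.e. the secondary execution controls that may be set. */
struct ctl { unsigned bit; const char *name; };
static const struct ctl ctls2[] = {
    { 1, "enable EPT" },      { 2, "descriptor-table exiting" },
    { 3, "enable RDTSCP" },   { 5, "enable VPID" },
    { 11, "RDRAND exiting" }, { 12, "enable INVPCID" },
    { 14, "VMCS shadowing" }, { 16, "RDSEED exiting" },
    { 20, "enable XSAVES/XRSTORS" },
};
#define NCTLS (sizeof(ctls2) / sizeof(ctls2[0]))

static uint32_t allowed1(uint64_t msr) { return (uint32_t)(msr >> 32); }

/* Controls the VMM asks for that the host does not advertise. */
static uint32_t unsupported(uint64_t requested, uint64_t host)
{
    return allowed1(requested) & ~allowed1(host);
}

/* Keep only the requested controls the host supports (hypothetical helper). */
static uint64_t clamp_to_host(uint64_t requested, uint64_t host)
{
    uint64_t keep = (uint64_t)(allowed1(requested) & allowed1(host)) << 32;
    return keep | (requested & 0xffffffffu);
}

static void print_ctls(const char *label, uint32_t mask)
{
    printf("%s (0x%08x):\n", label, mask);
    for (size_t i = 0; i < NCTLS; i++)
        if (mask & (1u << ctls2[i].bit))
            printf("  bit %2u  %s\n", ctls2[i].bit, ctls2[i].name);
}

int main(void)
{
    uint64_t requested = 0x11582e00000000ULL; /* value from the error message */
    uint64_t host      = 0x10482e00000000ULL; /* CONSTRUCTED host capability */
    print_ctls("requested", allowed1(requested));
    print_ctls("not advertised by host", unsupported(requested, host));
    printf("clamped write: 0x%llx\n",
           (unsigned long long)clamp_to_host(requested, host));
    return 0;
}
```

On a real host the capability value would be read from the hypervisor rather than hard-coded; a non-empty "not advertised" set is the condition under which the MSR write is rejected.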
Changed in qemu (Ubuntu Focal):
status: New → In Progress
Changed in qemu (Ubuntu Groovy):
status: New → In Progress
Changed in qemu (Ubuntu Focal):
importance: Undecided → Medium
Changed in qemu (Ubuntu Groovy):
importance: Undecided → Medium
Changed in qemu (Ubuntu Focal):
assignee: nobody → Matthew Ruffell (mruffell)
Changed in qemu (Ubuntu Groovy):
assignee: nobody → Matthew Ruffell (mruffell)
tags: added: sts
no longer affects: qemu (Ubuntu Groovy)
Changed in qemu (Ubuntu):
status: In Progress → Fix Released
Attached is a debdiff for focal.