Blank screen when viewing GL-accelerated virtio screen on 22.04
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) |
Fix Released
|
High
|
Christian Ehrhardt | ||
Jammy |
Fix Released
|
Medium
|
Christian Ehrhardt | ||
Kinetic |
Fix Released
|
High
|
Christian Ehrhardt |
Bug Description
[Impact]
* New GL handling code in qemu/libs triggers apparmor denials in
Jammy and later
* Libvirt already has code that does context aware "if gl is
enabled then allow things". The patch extends those by the
new paths it needs to access.
[Test Plan]
* In your preferred way get a guest of your choice that has UI support,
for example Ubuntu Desktop
* Set virtio graphics and Enable GL acceleration.
Essentially this comes down to those elements:
<video>
<model type='virtio'/>
<driver name='qemu'/>
</video>
<graphics type='spice'>
<listen type='socket'/>
<gl enable='yes'/>
</graphics)
There are various similar equally valid variants that you
can configure this.
You can do the same via the virt-manager Ui if you prefer that.
Without the fix that will trigger apparmor denials and not show the Display correctly.
[Where problems could occur]
* This is just "allowing more" to be read out of the apparmor isolation,
therefore I'd hope that regressions are not happening. The scenarios I
could think of are:
1. a user of Jammy set this up, wasn't really using GL and after the
fix suddenly gets unexpected UI output (unlikely, and not really a
problem)
2. The paths would be considered unsafe to be read by the guest and
thereby be a problem (that is not the case as far as we know so far)
3. There might be a missed issue in the changed code, breaking
virt-
isn't too complex) and that would stop starting new guests.
They'd fail with an apparmor related message then.
None of the above seems realistic or critical to me, I think we are safe with this change.
[Other Info]
* n/a
--- original bug ---
Also filed upstream:
https:/
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(165195812
[250001.100367] audit: type=1400 audit(165195812
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. I was able to do so by adding the following line:
"/sys/
Related branches
- Sergio Durigan Junior (community): Approve
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
-
Diff: 75 lines (+53/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1972075-Allow-VM-to-read-sysfs-PCI-config-revision-files.patch (+45/-0)
- Sergio Durigan Junior (community): Approve
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
-
Diff: 75 lines (+53/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/series (+1/-0)
debian/patches/ubuntu/lp-1972075-Allow-VM-to-read-sysfs-PCI-config-revision-files.patch (+45/-0)
description: | updated |
description: | updated |
description: | updated |
tags: | added: desktop-lts-wishlist rls-jj-incoming |
Changed in libvirt (Ubuntu Jammy): | |
status: | New → Triaged |
description: | updated |
tags: | added: verification-done |
The Desktop team would like to see that one considered as high and see a SRU to 22.04 if possible once we have a fix available