Source: libvirt
Target: qemu process libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3
Action: change rlimits
TL;DR to re-summarize:
- certain actions let libvirt change the rlimit of the qemu guest
- such actions are memory hotplug on ppc
- pci hotplug of some devices
- libvirtd apparmor profile allows cap_sys_resource
- there is no rlimit rule restricting that in the profile
- a bug in the kernel part of apparmor blocks this and breaks the use-case
- as prechecked by jjohansen he seems to have an idea how to fix (see comment #16)
- but for as yet unknown reasons activity has been silent for a few months
- finding that mem hotplug is also affected bumps the priority
Example Deny:
[ 774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"
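To check whether a host is hitting this denial, the audit log can be filtered for `setrlimit` denials issued under the libvirtd profile against a `libvirt-<uuid>` peer. The following is an added example, not code from the report, libvirt or AppArmor; the function names are hypothetical, and the second and third sample lines are constructed for contrast.

```python
import re
import shlex

# First line: the denial quoted in the report. Lines 2 and 3 are constructed
# (an unrelated denial and an allowed setrlimit) and must not be reported.
SAMPLE_LOG = '''\
[ 774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"
[ 775.000001] audit: type=1400 audit(1522915594.001:43): apparmor="DENIED" operation="open" profile="/usr/sbin/libvirtd" name="/tmp/x" pid=8376 comm="libvirtd" requested_mask="r" denied_mask="r"
[ 776.000002] audit: type=1400 audit(1522915595.002:44): apparmor="ALLOWED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=nofile value=4096
'''

AUDIT_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>apparmor=.*)$')
# Per-guest profile name as it appears in the report: "libvirt-" plus a UUID.
GUEST_PEER_RE = re.compile(r'^libvirt-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {'timestamp': m.group('ts'), 'serial': m.group('serial')}
    # shlex keeps key="quoted value" together and strips the quotes.
    for token in shlex.split(m.group('body')):
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return fields


def find_peer_setrlimit_denials(log_text, profile='/usr/sbin/libvirtd'):
    """List setrlimit denials from `profile` aimed at a libvirt-<uuid> peer."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get('apparmor') != 'DENIED':
            continue
        if ev.get('operation') != 'setrlimit' or ev.get('profile') != profile:
            continue
        if not GUEST_PEER_RE.match(ev.get('peer', '')):
            continue
        hits.append({'peer': ev['peer'], 'rlimit': ev.get('rlimit'),
                     'value': int(ev['value']), 'error': int(ev['error']),
                     'info': ev.get('info'), 'pid': int(ev['pid'])})
    return hits


if __name__ == '__main__':
    for hit in find_peer_setrlimit_denials(SAMPLE_LOG):
        print(hit)
```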