Comment 8 for bug 2073214
Tim Richardson (tim-richardson) wrote: Re: hugepages causes permissions error [apparmor profile]

One workaround is to do

aa-complain /etc/apparmor.d/libvirt/libvirt-<UUID>

You may need to

touch /etc/apparmor.d/libvirt/libvirt-<UUID>.files

because the .files file may not be present; it is created and removed dynamically by libvirt.

Another workaround is to (accidentally) break the apparmor profile so it can't be correctly parsed. I believe that in this case, libvirt launches the VM anyway, but with no apparmor profile ... this is a bit sneaky.

So if you want to investigate apparmor, you have to see the libvirt-<UUID> profile in aa-status. It defaults to enforce. If it's not there, fix the problem.

With aa-enforce on, VM launch fails, but there is no logging anywhere I can find of a DENIED message.
So as an absolute apparmor beginner, I have no clues.

The best I can do is with strace on the libvirtd process:

root@elecgear:/home/tim# strace -f -p 4818 2>&1 | grep memfd
[pid 11307] memfd_create("test", MFD_CLOEXEC|MFD_ALLOW_SEALING) = 3
[pid 11307] memfd_create("test", MFD_CLOEXEC|MFD_HUGETLB) = 3
[pid 11307] memfd_create("memory-backend-memfd", MFD_CLOEXEC|MFD_ALLOW_SEALING|MFD_HUGETLB|21<<MFD_HUGE_SHIFT) = 20
[pid 11307] write(2, "failed to resize memfd to 214748"..., 55) = 55
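
Added example, not part of the original comment: a shell check for the point made above, that a VM's libvirt-<UUID> profile has to be loaded and in enforce mode before AppArmor behaviour can be investigated. It assumes the "name (mode)" listing format of /sys/kernel/security/apparmor/profiles; the function names, the sample listing and the UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the AppArmor mode of libvirt-<UUID> profiles.
# Default listing is /sys/kernel/security/apparmor/profiles (needs root).

# profile_mode UUID [LISTING] -> prints enforce, complain, ... or "missing"
profile_mode() {
    uuid=$1
    listing=${2:-/sys/kernel/security/apparmor/profiles}
    # Match the exact profile name and capture the mode in parentheses.
    mode=$(sed -n "s/^libvirt-$uuid (\(.*\))\$/\1/p" "$listing" | head -n 1)
    echo "${mode:-missing}"
}

# audit_domains LISTING UUID... -> one "uuid mode" line per domain;
# returns 1 if any domain is not confined in enforce mode.
audit_domains() {
    listing=$1; shift
    rc=0
    for uuid in "$@"; do
        mode=$(profile_mode "$uuid" "$listing")
        printf '%s %s\n' "$uuid" "$mode"
        [ "$mode" = enforce ] || rc=1
    done
    return "$rc"
}

# Constructed sample listing (UUIDs are made up).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
libvirtd (enforce)
libvirt-11111111-1111-1111-1111-111111111111 (enforce)
libvirt-22222222-2222-2222-2222-222222222222 (complain)
EOF

# Third UUID has no loaded profile, so it is reported as "missing".
audit_domains "$SAMPLE" \
    11111111-1111-1111-1111-111111111111 \
    22222222-2222-2222-2222-222222222222 \
    33333333-3333-3333-3333-333333333333 || echo "not all domains enforced"
```

On a real host, the UUIDs of running domains can be taken from `virsh list --uuid` and the listing argument omitted.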