2013-11-11 21:04:16 | Simon Déziel | bug | | | added bug |
2013-11-11 22:09:15 | Serge Hallyn | libvirt (Ubuntu): importance | Undecided | High | |
2013-11-11 22:09:15 | Serge Hallyn | libvirt (Ubuntu): status | New | Confirmed | |
2013-11-14 09:29:13 | Launchpad Janitor | libvirt (Ubuntu): status | Confirmed | Fix Released | |
2013-11-14 16:48:40 | Serge Hallyn | nominated for series | | Ubuntu Saucy | |
2013-11-14 16:48:40 | Serge Hallyn | bug task added | | libvirt (Ubuntu Saucy) | |
2013-11-14 16:48:58 | Serge Hallyn | libvirt (Ubuntu Saucy): importance | Undecided | High | |
2013-11-14 16:48:58 | Serge Hallyn | libvirt (Ubuntu Saucy): status | New | Triaged | |
2013-11-14 16:50:52 | Serge Hallyn | description |
The generated AppArmor policy prevents a guest from using huge pages.
Steps to reproduce:
1) Set KVM_HUGEPAGES=1 in /etc/default/qemu-kvm
2) restart qemu-kvm
3) sysctl vm.nr_hugepages = 256
4) virsh define/edit test-guest
...
  <memoryBacking>
    <hugepages/>
  </memoryBacking>
...
5) virsh start test-guest
6) check /var/log/kern.log searching for:
apparmor="DENIED" operation="mknod" parent=1 profile="libvirt-42c86291-5d88-443f-96b7-3dbfd22c8658" name="/run/hugepages/kvm/libvirt/qemu/qemu_back_mem.pc.ram.kuj13U" pid=4035 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
As a temporary measure, I added this to /etc/apparmor.d/abstractions/libvirt-qemu:
owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
And it works. A better fix would be to fix the policy generator because the huge pages is now pretty visible since it is in /etc/default/qemu-kvm.
Even if this bug is related to LP: #1001584 I think it's 2 different issues.
# lsb_release -rd
Description:    Ubuntu 13.10
Release:        13.10
# apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 1.1.1-0ubuntu8.1
  Candidate: 1.1.1-0ubuntu8.1
  Version table:
 *** 1.1.1-0ubuntu8.1 0
        500 http://security.ubuntu.com/ubuntu/ saucy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1-0ubuntu8 0
        500 http://archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages |
=================================================
SRU Justification
=================================================
1. Impact: users cannot use hugepages
2. Development fix: allow libvirt to write to its own hugepage files
3. Stable fix: same as development fix
4. Test case: see below
5. Regression potential: we only add a new AppArmor permission to files owned by libvirt, so there should be no regressions.
====================================================
The generated AppArmor policy prevents a guest from using huge pages.
Steps to reproduce:
1) Set KVM_HUGEPAGES=1 in /etc/default/qemu-kvm
2) restart qemu-kvm
3) sysctl vm.nr_hugepages = 256
4) virsh define/edit test-guest
...
  <memoryBacking>
    <hugepages/>
  </memoryBacking>
...
5) virsh start test-guest
6) check /var/log/kern.log searching for:
apparmor="DENIED" operation="mknod" parent=1 profile="libvirt-42c86291-5d88-443f-96b7-3dbfd22c8658" name="/run/hugepages/kvm/libvirt/qemu/qemu_back_mem.pc.ram.kuj13U" pid=4035 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
As a temporary measure, I added this to /etc/apparmor.d/abstractions/libvirt-qemu:
owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
And it works. A better fix would be to fix the policy generator because the huge pages is now pretty visible since it is in /etc/default/qemu-kvm.
Even if this bug is related to LP: #1001584 I think it's 2 different issues.
# lsb_release -rd
Description:    Ubuntu 13.10
Release:        13.10
# apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 1.1.1-0ubuntu8.1
  Candidate: 1.1.1-0ubuntu8.1
  Version table:
 *** 1.1.1-0ubuntu8.1 0
        500 http://security.ubuntu.com/ubuntu/ saucy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1-0ubuntu8 0
        500 http://archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages |
|
2013-11-14 18:40:16 | Brian Murray | libvirt (Ubuntu Saucy): status | Triaged | Fix Committed | |
2013-11-14 18:40:18 | Brian Murray | bug | | | added subscriber Ubuntu Stable Release Updates Team |
2013-11-14 18:40:19 | Brian Murray | bug | | | added subscriber SRU Verification |
2013-11-14 18:40:21 | Brian Murray | tags | | verification-needed | |
2013-11-14 19:20:06 | Simon Déziel | tags | verification-needed | verification-done | |
2013-11-26 19:18:05 | Stéphane Graber | removed subscriber Ubuntu Stable Release Updates Team | | | |
2013-11-26 19:23:12 | Launchpad Janitor | libvirt (Ubuntu Saucy): status | Fix Committed | Fix Released | |