apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX

Bug #1276719 reported by David Johnson on 2014-02-05
34
This bug affects 5 people
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
High
Unassigned
Trusty
High
Unassigned

Bug Description

===========================================
SRU Justification:
Impact: VFIO passthrough does not work with libvirt
Test case: See "example xml" below
Regression potential: This only adds permission for qemu to access /dev/vfio* when needed, plus cap_sys_resource for libvirtd. No currently working case should be regressed.
===========================================
When using VFIO for passthrough devices, 2 apparmor violations are encountered:

1) all memory of the VM must be locked, libvirt tries to increase RLIMIT_MEMLOCK

2) access to /dev/vfio/XX is needed by qemu

example xml:

    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
      </source>
    </hostdev>

issue #1:

error message on start of VM:

error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted

apparmor log:

kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"

issue #2:

error message on start of VM:

qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening /dev/vfio/21: Permission denied
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 21
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization failed.
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could not be initialized

apparmor log:

kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106

workaround:

sudo aa-complain /usr/sbin/libvirtd
sudo aa-complain /etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????

testing with latest Trusty:

ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems

David Johnson (davijoh3) on 2014-02-05
tags: added: trusty
David Johnson (davijoh3) on 2014-02-05
description: updated
summary: - apparmor denies RLIMIT_MEMLOCK increase needed for VFIO passthrough
+ apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug. It is probably ok to give libvirtd itself the resource capability. However virt-aa-helper will need an update to add access to the appropriate /dev/vfio/* devices.

Changed in libvirt (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Serge Hallyn (serge-hallyn) wrote :

The vfio part of this is fixed in utopic due to upstream commit 74e86b6b25.

I'm marking this fix released. However if you find that you still need the usr.sbin.libvirtd policy to have an extra capability, please reply to this bug and I'll add it.

Changed in libvirt (Ubuntu):
status: Confirmed → Fix Released
Da Xue (daxue) wrote :

Can we get this fix in trusty?

description: updated
Changed in libvirt (Ubuntu Trusty):
importance: Undecided → High
status: New → Confirmed
Changed in libvirt (Ubuntu):
importance: Medium → High

Hello David, or anyone else affected,

Accepted libvirt into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Marti (intgr) wrote :

I installed all the binary packages from https://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.3 , then enabled trusty-proposed repository and did a dist-upgrade from there, then rebooted.

But still I am getting this error when trying to start a libvirt domain using vfio:

error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 3221225472: Operation not permitted

Serge Hallyn (serge-hallyn) wrote :

Thanks for testing, Marti. I've pushed a new proposed package 1.2.2-0ubuntu13.1.4 which should add the needed capability to libvirt-bin.

Chris J Arges (arges) wrote :

Hello David, or anyone else affected,

Accepted libvirt into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Marti (intgr) wrote :

Thanks! VFIO passthrough works out of the box now with packages from comment #7.

tags: added: verification-done
removed: verification-needed
Indiana (myindiana-m) wrote :

Hi i also follow this topic but for me the proposed libvirt doesn't seem to solve the problem. When starting the virtual machine i still get a permission denied error.

If i bind the device from command line and run qemu from command line all works fine.
I converted the working command line to virsh and the difference that i see is vfio-pci are command line arguments in the xml :

<qemu:commandline>
    <qemu:arg value='-rtc'/>
    <qemu:arg value='base=localtime'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='ioh3420,bus=pcie.0,addr=1c.0,multifunction=on,port=1,chassis=1,id=roo try t'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='vfio-pci,host=04:00.1,bus=root,addr=00.1'/>
    <qemu:arg value='-device'/>
    <qemu:arg value='ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0,bootindex=1'/>
  </qemu:commandline>

When i start the vm in virt manager i get this message :

internal error: early end of file from monitor: possible problem:
qemu-system-x86_64: -device vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on: vfio: error opening /dev/vfio/17: Permission denied
qemu-system-x86_64: -device vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on: vfio: failed to get group 17
qemu-system-x86_64: -device vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on: Device initialization failed.
qemu-system-x86_64: -device vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on: Device 'vfio-pci' could not be initialized

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 96, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 117, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1162, in startup
    self._backend.create()
  File "/usr/lib/python2.7/dist-packages/libvirt.py", line 866, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error: early end of file from monitor: possible problem:
qemu-system-x86_64: -device vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on: vfio: error opening /dev/vfio/17: Permission denied
qemu-system-x86_64: -device vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on: vfio: failed to get group 17
qemu-system-x86_64: -device vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on: Device initialization failed.
qemu-system-x86_64: -device vfio-pci,host=04:00.0,bus=root,addr=00.0,multifunction=on,x-vga=on: Device 'vfio-pci' could not be initialized

Any idea ?

Thanks

Serge Hallyn (serge-hallyn) wrote :

@Indiana,

could you please show the results of:

sudo grep DENIED /var/log/syslog | grep libvirt
dpkg -l | grep libvirt

Indiana (myindiana-m) wrote :

Hi, the output in attachment.

In the syslog i do not see any DENIED log. I think apparmor in complain mode for libvirt for tests that i did earlier. I will check this.
I added the output in attachment and added also the qemu log for this VM. There i see 2 different messages. By the first attempt i'll tried to start the vm after a Fresh reboot of the host. By the second attempt i get the permission denied after i runned a small script to do the vfio binding.

#!/bin/bash

modprobe vfio-pci

for dev in "$@"; do
        vendor=$(cat /sys/bus/pci/devices/$dev/vendor)
        device=$(cat /sys/bus/pci/devices/$dev/device)
        if [ -e /sys/bus/pci/devices/$dev/driver ]; then
                echo $dev > /sys/bus/pci/devices/$dev/driver/unbind
        fi
        echo $vendor $device > /sys/bus/pci/drivers/vfio-pci/new_id
done

Serge Hallyn (serge-hallyn) wrote :

Sorry, I only just noticed that you were using qemu:commandline sections to add the vfio devices. This prevents virt-aa-helper from knowing that you need the /dev/vfio/* permissions. Please take a look at http://libvirt.org/formatdomain.html, searching for all occurances of 'vfio', for more information.

The verification of the Stable Release Update for libvirt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.2-0ubuntu13.1.4

---------------
libvirt (1.2.2-0ubuntu13.1.4) trusty-proposed; urgency=medium

  * debian/apparmor/usr.sbin.libvirtd - add cap-sys-resource to fully
    fix (LP: #1276719)

libvirt (1.2.2-0ubuntu13.1.3) trusty-proposed; urgency=medium

  * 9026-fix-apparmor-profile-for-vfio-pci-passthrough - allow VFIO passthrough
    (LP: #1276719)
  * 9027-virt-aa-helper-allow-access-to-vhost-net - allow access to
    /dev/vhost-net if domain needs it (LP: #1322568)
 -- Serge Hallyn <email address hidden> Thu, 07 Aug 2014 12:46:22 -0500

Changed in libvirt (Ubuntu Trusty):
status: Fix Committed → Fix Released
morment (zhoumokuo) on 2017-07-10
information type: Public → Public Security
information type: Public Security → Public
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers