2014-02-05 17:41:08 |
David Johnson |
bug |
|
|
added bug |
2014-02-05 17:53:42 |
David Johnson |
tags |
|
trusty |
|
2014-02-05 18:39:57 |
David Johnson |
description |
When using VFIO for passthrough devices, all memory of the VM must be locked.
libvirt tries to increase RLIMIT_MEMLOCK, however apparmor is denying this:
example xml:
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
  </source>
</hostdev>
error message on start of VM:
error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted
apparmor log:
kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"
strace of libvirtd shows:
[pid 2934] setrlimit(RLIMIT_MEMLOCK, {rlim_cur=17825792*1024, rlim_max=17825792*1024}) = -1 EPERM (Operation not permitted)
testing with latest Trusty:
ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems |
When using VFIO for passthrough devices, 2 apparmor violations are encountered:
1) all memory of the VM must be locked, libvirt tries to increase RLIMIT_MEMLOCK
2) access to /dev/vfio/XX is needed by qemu
example xml:
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
  </source>
</hostdev>
issue #1:
error message on start of VM:
error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted
apparmor log:
kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"
issue #2:
error message on start of VM:
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening /dev/vfio/21: Permission denied
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 21
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization failed.
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could not be initialized
apparmor log:
kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106
workaround:
sudo aa-complain /usr/sbin/libvirtd
sudo aa-complain /etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????
testing with latest Trusty:
ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems |
|
2014-02-05 18:40:33 |
David Johnson |
summary |
apparmor denies RLIMIT_MEMLOCK increase needed for VFIO passthrough |
apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX |
|
2014-02-06 16:53:56 |
Serge Hallyn |
libvirt (Ubuntu): importance |
Undecided |
Medium |
|
2014-02-06 16:53:56 |
Serge Hallyn |
libvirt (Ubuntu): status |
New |
Confirmed |
|
2014-03-02 08:38:22 |
Dave |
bug |
|
|
added subscriber Dave |
2014-03-05 23:00:30 |
Jim Fehlig |
bug |
|
|
added subscriber Jim Fehlig |
2014-04-21 18:31:30 |
Poil |
bug |
|
|
added subscriber Poil |
2014-06-17 22:55:24 |
Serge Hallyn |
libvirt (Ubuntu): status |
Confirmed |
Fix Released |
|
2014-07-14 15:16:12 |
Serge Hallyn |
nominated for series |
|
Ubuntu Trusty |
|
2014-07-14 15:16:12 |
Serge Hallyn |
bug task added |
|
libvirt (Ubuntu Trusty) |
|
2014-07-31 20:46:12 |
Serge Hallyn |
description |
When using VFIO for passthrough devices, 2 apparmor violations are encountered:
1) all memory of the VM must be locked, libvirt tries to increase RLIMIT_MEMLOCK
2) access to /dev/vfio/XX is needed by qemu
example xml:
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
  </source>
</hostdev>
issue #1:
error message on start of VM:
error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted
apparmor log:
kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"
issue #2:
error message on start of VM:
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening /dev/vfio/21: Permission denied
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 21
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization failed.
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could not be initialized
apparmor log:
kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106
workaround:
sudo aa-complain /usr/sbin/libvirtd
sudo aa-complain /etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????
testing with latest Trusty:
ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems |
===========================================
SRU Justification:
Impact: VFIO passthrough does not work with libvirt
Test case: See "example xml" below
Regression potential: This only adds permission for qemu to access /dev/vfio* when needed, plus cap_sys_resource for libvirtd. No currently working case should be regressed.
===========================================
When using VFIO for passthrough devices, 2 apparmor violations are encountered:
1) all memory of the VM must be locked, libvirt tries to increase RLIMIT_MEMLOCK
2) access to /dev/vfio/XX is needed by qemu
example xml:
<hostdev mode='subsystem' type='pci' managed='yes'>
  <driver name='vfio'/>
  <source>
    <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
  </source>
</hostdev>
issue #1:
error message on start of VM:
error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted
apparmor log:
kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"
issue #2:
error message on start of VM:
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening /dev/vfio/21: Permission denied
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 21
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization failed.
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could not be initialized
apparmor log:
kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106
workaround:
sudo aa-complain /usr/sbin/libvirtd
sudo aa-complain /etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????
testing with latest Trusty:
ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems |
|
2014-07-31 20:46:23 |
Serge Hallyn |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2014-07-31 20:46:55 |
Serge Hallyn |
libvirt (Ubuntu Trusty): importance |
Undecided |
High |
|
2014-07-31 20:46:59 |
Serge Hallyn |
libvirt (Ubuntu Trusty): status |
New |
Confirmed |
|
2014-07-31 20:47:05 |
Serge Hallyn |
libvirt (Ubuntu): importance |
Medium |
High |
|
2014-08-05 15:08:53 |
Chris J Arges |
libvirt (Ubuntu Trusty): status |
Confirmed |
Fix Committed |
|
2014-08-05 15:08:57 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
2014-08-05 15:09:08 |
Chris J Arges |
tags |
trusty |
trusty verification-needed |
|
2014-08-07 17:02:31 |
Marti |
bug |
|
|
added subscriber Marti |
2014-08-09 00:37:12 |
Mathew Hodson |
tags |
trusty verification-needed |
trusty verification-done |
|
2014-08-11 18:17:12 |
Indiana |
attachment added |
|
Qemu_win7_log.txt https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1276719/+attachment/4174656/+files/Qemu_win7_log.txt |
|
2014-09-05 14:07:01 |
Joe Clifford |
bug |
|
|
added subscriber Joe Clifford |
2014-09-29 18:25:57 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2014-09-29 18:31:15 |
Launchpad Janitor |
libvirt (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2017-07-10 02:49:16 |
morment |
information type |
Public |
Public Security |
|
2017-07-11 19:26:38 |
Seth Arnold |
information type |
Public Security |
Public |
|
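Each of the two denials quoted in the description corresponds to one profile rule. The Python below is an added example, not part of the bug report or of libvirt: it parses AppArmor audit records like those and lists the narrowest candidate rule per profile, for review before any profile is edited. The function names are illustrative, and the output is not the change that shipped in the fix.

```python
import re
from collections import defaultdict

# The two denial records quoted in the bug description.
SAMPLE_LOG = [
    'kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"',
    'kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # The audit layer hex-encodes names containing unsafe characters
        # and writes them without quotes; decode those back to a path.
        if key == "name" and bare and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields if fields.get("apparmor") == "DENIED" else None

def candidate_rule(fields):
    """Map one denial to the narrowest profile rule that would permit it."""
    if fields.get("operation") == "capable" and "capname" in fields:
        return "capability %s," % fields["capname"]
    mask = fields.get("denied_mask", "")
    if "name" in fields and mask and "x" not in mask:
        # Logs report create (c) and delete (d); profiles express both as w.
        perms = "".join(dict.fromkeys(mask.replace("c", "w").replace("d", "w")))
        return "%s %s," % (fields["name"], perms)
    return None  # exec denials need a transition mode chosen by a reviewer

def rules_by_profile(lines):
    """Group candidate rules under the profile that logged the denial."""
    grouped = defaultdict(set)
    for line in lines:
        fields = parse_denial(line)
        rule = candidate_rule(fields) if fields else None
        if rule:
            grouped[fields.get("profile", "?")].add(rule)
    return {profile: sorted(rules) for profile, rules in grouped.items()}

if __name__ == "__main__":
    for profile, rules in rules_by_profile(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print("    " + rule)
```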