Activity log for bug #1276719

Date Who What changed Old value New value Message
2014-02-05 17:41:08 David Johnson bug added bug
2014-02-05 17:53:42 David Johnson tags trusty
2014-02-05 18:39:57 David Johnson description

Old value:

When using VFIO for passthrough devices, all memory of the VM must be locked. libvirt tries to increase RLIMIT_MEMLOCK, however apparmor is denying this:

example xml:

    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
      </source>
    </hostdev>

error message on start of VM:

    error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted

apparmor log:

    kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"

strace of libvirtd shows:

    [pid 2934] setrlimit(RLIMIT_MEMLOCK, {rlim_cur=17825792*1024, rlim_max=17825792*1024}) = -1 EPERM (Operation not permitted)

testing with latest Trusty:

    ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
    ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems

New value:

When using VFIO for passthrough devices, 2 apparmor violations are encountered:
1) all memory of the VM must be locked, libvirt tries to increase RLIMIT_MEMLOCK
2) access to /dev/vfio/XX is needed by qemu

example xml:

    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
      </source>
    </hostdev>

issue #1:

error message on start of VM:

    error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted

apparmor log:

    kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"

issue #2:

error message on start of VM:

    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening /dev/vfio/21: Permission denied
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 21
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization failed.
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could not be initialized

apparmor log:

    kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106

workaround:

    sudo aa-complain /usr/sbin/libvirtd
    sudo aa-complain /etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????

testing with latest Trusty:

    ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
    ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems

2014-02-05 18:40:33 David Johnson summary
Old value: apparmor denies RLIMIT_MEMLOCK increase needed for VFIO passthrough
New value: apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX
2014-02-06 16:53:56 Serge Hallyn libvirt (Ubuntu): importance Undecided Medium
2014-02-06 16:53:56 Serge Hallyn libvirt (Ubuntu): status New Confirmed
2014-03-02 08:38:22 Dave bug added subscriber Dave
2014-03-05 23:00:30 Jim Fehlig bug added subscriber Jim Fehlig
2014-04-21 18:31:30 Poil bug added subscriber Poil
2014-06-17 22:55:24 Serge Hallyn libvirt (Ubuntu): status Confirmed Fix Released
2014-07-14 15:16:12 Serge Hallyn nominated for series Ubuntu Trusty
2014-07-14 15:16:12 Serge Hallyn bug task added libvirt (Ubuntu Trusty)
2014-07-31 20:46:12 Serge Hallyn description

Old value:

When using VFIO for passthrough devices, 2 apparmor violations are encountered:
1) all memory of the VM must be locked, libvirt tries to increase RLIMIT_MEMLOCK
2) access to /dev/vfio/XX is needed by qemu

example xml:

    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
      </source>
    </hostdev>

issue #1:

error message on start of VM:

    error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted

apparmor log:

    kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"

issue #2:

error message on start of VM:

    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening /dev/vfio/21: Permission denied
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 21
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization failed.
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could not be initialized

apparmor log:

    kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106

workaround:

    sudo aa-complain /usr/sbin/libvirtd
    sudo aa-complain /etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????

testing with latest Trusty:

    ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
    ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems

New value:

===========================================
SRU Justification:
Impact: VFIO passthrough does not work with libvirt
Test case: See "example xml" below
Regression potential: This only adds permission for qemu to access /dev/vfio* when needed, plus cap_sys_resource for libvirtd. No currently working case should be regressed.
===========================================

When using VFIO for passthrough devices, 2 apparmor violations are encountered:
1) all memory of the VM must be locked, libvirt tries to increase RLIMIT_MEMLOCK
2) access to /dev/vfio/XX is needed by qemu

example xml:

    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
      </source>
    </hostdev>

issue #1:

error message on start of VM:

    error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted

apparmor log:

    kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"

issue #2:

error message on start of VM:

    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening /dev/vfio/21: Permission denied
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 21
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization failed.
    qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could not be initialized

apparmor log:

    kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106

workaround:

    sudo aa-complain /usr/sbin/libvirtd
    sudo aa-complain /etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????

testing with latest Trusty:

    ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
    ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different virtualization systems

2014-07-31 20:46:23 Serge Hallyn bug added subscriber Ubuntu Stable Release Updates Team
2014-07-31 20:46:55 Serge Hallyn libvirt (Ubuntu Trusty): importance Undecided High
2014-07-31 20:46:59 Serge Hallyn libvirt (Ubuntu Trusty): status New Confirmed
2014-07-31 20:47:05 Serge Hallyn libvirt (Ubuntu): importance Medium High
2014-08-05 15:08:53 Chris J Arges libvirt (Ubuntu Trusty): status Confirmed Fix Committed
2014-08-05 15:08:57 Chris J Arges bug added subscriber SRU Verification
2014-08-05 15:09:08 Chris J Arges tags trusty trusty verification-needed
2014-08-07 17:02:31 Marti bug added subscriber Marti
2014-08-09 00:37:12 Mathew Hodson tags trusty verification-needed trusty verification-done
2014-08-11 18:17:12 Indiana attachment added Qemu_win7_log.txt https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1276719/+attachment/4174656/+files/Qemu_win7_log.txt
2014-09-05 14:07:01 Joe Clifford bug added subscriber Joe Clifford
2014-09-29 18:25:57 Brian Murray removed subscriber Ubuntu Stable Release Updates Team
2014-09-29 18:31:15 Launchpad Janitor libvirt (Ubuntu Trusty): status Fix Committed Fix Released
2017-07-10 02:49:16 morment information type Public Public Security
2017-07-11 19:26:38 Seth Arnold information type Public Security Public