Comment 2 for bug 1678322

Hi,
wow a lot of info to pass through - thank you for your report!

I really think we need to understand the apparmor DENY.
apparmor="DENIED" operation="setrlimit" profile="/usr/sbin/libvirtd" pid=6853 comm="libvirtd" rlimit=memlock value=8694792192

#1 Until then you can either use the disable of apparmor that you used:
$ sudo aa-complain /usr/sbin/libvirtd
$ sudo aa-complain /etc/apparmor.d/libvirt/libvirt-<UUID>

#2 Or as Michael oultined for you the libvirt xml change, but to make all three here the next workaround would be:
  <memtune>
    <hard_limit unit='KiB'>16961536</hard_limit>
    <soft_limit unit='KiB'>16961536</soft_limit>
  </memtune>
But I'd assume that hits the same apparmor block (I'll check)

#3 Or you can just raise the limit beforehand on the running qemu
# get the qemu pid
$ prlimit --pid <qemu pid> --memlock=unlimited

IIRC /dev/vfio/vfio rw, should be in via cgroup_acl in qemu.conf, but I''ll recreate your case and make sure.
Back with more updates somewhen later today.