| 2022-05-07 21:26:14 |
Max Goodhart |
bug |
|
|
added bug |
| 2022-05-07 21:26:33 |
Max Goodhart |
description |
Also filed upstream: https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
```
qemu_spice_gl_scanout_texture: failed to get fd for texture
```
dmesg contains these AppArmor errors:
```
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
```
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. |
Also filed upstream: https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. |
|
| 2022-05-07 21:26:40 |
Max Goodhart |
description |
Also filed upstream: https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. |
Also filed upstream:
https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. |
|
| 2022-05-07 21:27:28 |
Max Goodhart |
description |
Also filed upstream:
https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. |
Also filed upstream:
https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. I was able to do so by adding the following line:
"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}" r, |
|
| 2022-05-09 13:19:50 |
Sebastien Bacher |
tags |
|
desktop-lts-wishlist rls-jj-incoming |
|
| 2022-05-11 20:06:02 |
Sergio Durigan Junior |
bug watch added |
|
https://gitlab.gnome.org/GNOME/gnome-boxes/-/issues/586 |
|
| 2022-05-11 20:06:09 |
Sergio Durigan Junior |
tags |
desktop-lts-wishlist rls-jj-incoming |
desktop-lts-wishlist rls-jj-incoming server-todo |
|
| 2022-05-11 20:06:19 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Ubuntu Server |
| 2022-05-11 20:06:27 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Christian Ehrhardt |
| 2022-05-11 20:06:32 |
Sergio Durigan Junior |
libvirt (Ubuntu): importance |
Undecided |
High |
|
| 2022-05-11 20:06:38 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Kinetic |
|
| 2022-05-11 20:06:38 |
Sergio Durigan Junior |
bug task added |
|
libvirt (Ubuntu Kinetic) |
|
| 2022-05-11 20:06:49 |
Sergio Durigan Junior |
libvirt (Ubuntu Kinetic): status |
New |
Triaged |
|
| 2022-05-19 05:54:10 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Jammy |
|
| 2022-05-19 05:54:10 |
Christian Ehrhardt |
bug task added |
|
libvirt (Ubuntu Jammy) |
|
| 2022-05-19 05:54:15 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): status |
New |
Triaged |
|
| 2022-05-19 06:10:11 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): assignee |
|
Christian Ehrhardt (paelzer) |
|
| 2022-05-19 06:10:13 |
Christian Ehrhardt |
libvirt (Ubuntu Kinetic): assignee |
|
Christian Ehrhardt (paelzer) |
|
| 2022-05-19 06:11:47 |
Christian Ehrhardt |
libvirt (Ubuntu Jammy): importance |
Undecided |
Medium |
|
| 2022-05-19 06:16:52 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/422941 |
|
| 2022-05-19 06:17:23 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/422942 |
|
| 2022-05-19 06:51:03 |
Christian Ehrhardt |
description |
Also filed upstream:
https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. I was able to do so by adding the following line:
"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}" r, |
[Impact]
* New GL handling code in qemu/libs triggers apparmor denials in
Jammy and later
* Libvirt already has code that does context aware "if gl is
enabled then allow things". The patch extends those by the
new paths it needs to access.
[Test Plan]
* In your preferred way get a guest of your choice that has UI support,
for example Ubuntu Desktop
* Set virtio graphics and Enable GL acceleration.
Essentially this comes down to those elements:
<video>
<model type='virtio'/>
<driver name='qemu'/>
</video>
<graphics type='spice'>
<listen type='socket'/>
<gl enable='yes'/>
</graphics)
There are various similar equally valid variants that you
can configure this.
You can do the same via the virt-manager Ui if you prefer that.
Without the fix that will trigger apparmor denials and not show the Display correctly.
[Where problems could occur]
* This is just "allowing more" to be read out of the apparmor isolation,
therefore I'd hope that regressions are not happening. The scenarios I
could think of are:
1. a user of Jammy set this up, wasn't really using GL and after the
fix suddenly gets unexpected UI output (unlikely, and not really a
problem)
2. The paths would be considered unsafe to be read by the guest and
thereby be a problem (that is not the case as far as we know so far)
3. There might be a missed issue in the changed code, breaking
virt-aa-helper (the nature of the change makes this unlikely, it
isn't too complex) and that would stop starting new guests.
They'd fail with an apparmor related message then.
None of the above seems realistic or critical to me, I think we are safe with this change.
[Other Info]
* n/a
--- original bug ---
Also filed upstream:
https://gitlab.com/libvirt/libvirt/-/merge_requests/151
I recently upgraded from Ubuntu 21.10 to 22.04. I have an existing VM with virtio video and gl-accelerated Spice display which previously worked.
After the upgrade, virt-manager and virt-viewer display a blank screen. In the qemu libvirt logs, I observe many repetitions of:
qemu_spice_gl_scanout_texture: failed to get fd for texture
dmesg contains these AppArmor errors:
[250001.100362] audit: type=1400 audit(1651958128.696:706): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
[250001.100367] audit: type=1400 audit(1651958128.696:707): apparmor="DENIED" operation="open" profile="libvirt-98a090a8-2fdf-463c-959b-810e5bc88b0d" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=132725 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0
Modifying the AppArmor config for this VM to permit access to the `revision` and `config` sysfs paths fixed this issue for me. The VM display is visible and virgl is working. I was able to do so by adding the following line:
"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device,config,revision}" r, |
|
| 2022-05-23 13:23:45 |
Launchpad Janitor |
libvirt (Ubuntu Kinetic): status |
Triaged |
Fix Released |
|
| 2022-05-25 13:42:33 |
Robie Basak |
libvirt (Ubuntu Jammy): status |
Triaged |
Fix Committed |
|
| 2022-05-25 13:42:35 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2022-05-25 13:42:37 |
Robie Basak |
bug |
|
|
added subscriber SRU Verification |
| 2022-05-25 13:42:41 |
Robie Basak |
tags |
desktop-lts-wishlist rls-jj-incoming server-todo |
desktop-lts-wishlist rls-jj-incoming server-todo verification-needed verification-needed-jammy |
|
| 2022-05-30 19:33:21 |
Max Goodhart |
tags |
desktop-lts-wishlist rls-jj-incoming server-todo verification-needed verification-needed-jammy |
desktop-lts-wishlist rls-jj-incoming server-todo verification-done-jammy |
|
| 2022-06-01 14:30:21 |
Christian Ehrhardt |
tags |
desktop-lts-wishlist rls-jj-incoming server-todo verification-done-jammy |
desktop-lts-wishlist rls-jj-incoming server-todo verification-done verification-done-jammy |
|
| 2022-06-06 14:12:29 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2022-06-06 14:12:32 |
Launchpad Janitor |
libvirt (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
