Bug#916587: [Pkg-libvirt-maintainers] Bug#916587: AppArmor breaks virtio-gpu + virgl
Hi,
On Mon, Apr 01, 2019 at 10:40:12AM +0200, intrigeri wrote:
> Control: tag -1 + patch
>
> Guido Günther:
> > I had going through the open apparmor issues and especially the OpenGL
> > ones on my TODO list for buster
>
> I've triaged the AppArmor issues last week-end :)
>
> > but if you'd pick that up that would be totally awesome.
>
> Done: https://salsa.debian.org/libvirt-team/libvirt/merge_requests/11
>
> Tested in a sid VM with:
>
> - QXL (virt-manager's default) → no regression spotted
> - virtio-gpu + 3D acceleration (what this bug is about) → works fine

Applied. Thanks a lot! I'll wait for a couple of days in case more commits
come trickling in and then upload for buster.
-- Guido
Bug#916587: [Pkg-libvirt-maintainers] Bug#916587: AppArmor breaks virtio-gpu + virgl
Control: tag -1 + patch

Guido Günther:
> I had going through the open apparmor issues and especially the OpenGL
> ones on my TODO list for buster

I've triaged the AppArmor issues last week-end :)

> but if you'd pick that up that would be totally awesome.

Done: https://salsa.debian.org/libvirt-team/libvirt/merge_requests/11

Tested in a sid VM with:

- QXL (virt-manager's default) → no regression spotted
- virtio-gpu + 3D acceleration (what this bug is about) → works fine

Cheers,
-- intrigeri
Bug#916587: [Pkg-libvirt-maintainers] Bug#916587: AppArmor breaks virtio-gpu + virgl
Hi,
On Sat, Mar 30, 2019 at 05:18:01PM +0100, intrigeri wrote:
> Control: severity -1 important
> Control: tag -1 + fixed-upstream
>
> Hi,
>
> bumping severity as this totally breaks an option offered to users via
> virt-manager.
>
> Now, I've verified that virt-manager in current sid still creates new
> VMs with QXL graphics by default, so this bug only affects users who
> opt in for virtio + 3D acceleration. As such, I'm unsure how much of
> a stretch it would be to request a freeze exception — Guido, what do
> you think?

I had going through the open apparmor issues and especially the OpenGL
ones on my TODO list for buster but if you'd pick that up that would be
totally awesome.
Cheers,
-- Guido

> If it helps, I'd be happy to test the corresponding upstream patches:
>
> commit f2cbb94eabdd5e3422c45b1afa48eb4c951c09e0
> Author: Christian Ehrhardt
> Date:   Tue Mar 5 13:38:38 2019 +0100
>
>     security: aa-helper: gl devices in sysfs at arbitrary depth
>
> commit 00fbb9e51678f76effa2d20e78a9be861ad5f484
> Author: Christian Ehrhardt
> Date:   Fri Mar 1 07:25:59 2019 +0100
>
>     security: aa-helper: nvidia rules for gl devices
>
> commit 27a9ebf28183cb3c3c784fcab622e67e978eb3dc
> Author: Christian Ehrhardt
> Date:   Tue Feb 12 11:12:52 2019 +0100
>
>     security: aa-helper: generate more rules for gl devices
>
> commit d85e8e400b48f1b4c1dfbf438dda83cd959eacf7
> Author: Christian Ehrhardt
> Date:   Tue Feb 12 10:33:23 2019 +0100
>
>     security: aa-helper: allow virt-aa-helper to read /dev/dri
>
> commit fb01e1a44daea773cd53f275cad6f031506c20db
> Author: Christian Ehrhardt
> Date:   Mon Jan 14 15:15:06 2019 +0200
>
>     virt-aa-helper: generate rules for gl enabled graphics devices
>
> Cheers!
Bug#916587: AppArmor breaks virtio-gpu + virgl
Control: severity -1 important
Control: tag -1 + fixed-upstream

Hi,

bumping severity as this totally breaks an option offered to users via
virt-manager.

Now, I've verified that virt-manager in current sid still creates new
VMs with QXL graphics by default, so this bug only affects users who
opt in for virtio + 3D acceleration. As such, I'm unsure how much of
a stretch it would be to request a freeze exception — Guido, what do
you think?

If it helps, I'd be happy to test the corresponding upstream patches:

commit f2cbb94eabdd5e3422c45b1afa48eb4c951c09e0
Author: Christian Ehrhardt
Date:   Tue Mar 5 13:38:38 2019 +0100

    security: aa-helper: gl devices in sysfs at arbitrary depth

commit 00fbb9e51678f76effa2d20e78a9be861ad5f484
Author: Christian Ehrhardt
Date:   Fri Mar 1 07:25:59 2019 +0100

    security: aa-helper: nvidia rules for gl devices

commit 27a9ebf28183cb3c3c784fcab622e67e978eb3dc
Author: Christian Ehrhardt
Date:   Tue Feb 12 11:12:52 2019 +0100

    security: aa-helper: generate more rules for gl devices

commit d85e8e400b48f1b4c1dfbf438dda83cd959eacf7
Author: Christian Ehrhardt
Date:   Tue Feb 12 10:33:23 2019 +0100

    security: aa-helper: allow virt-aa-helper to read /dev/dri

commit fb01e1a44daea773cd53f275cad6f031506c20db
Author: Christian Ehrhardt
Date:   Mon Jan 14 15:15:06 2019 +0200

    virt-aa-helper: generate rules for gl enabled graphics devices

Cheers!
Bug#916587: AppArmor breaks virtio-gpu + virgl
I got the virtio-gpu + Virgl configuration to work with the configuration
file I posted. When I edited the file I fumbled a bit so I suspect what
happened is that at some point I broke the AppArmor state in some subtle
way. Then it all got fixed a bit later when I rebooted.

So the important thing is: the file I posted works!

-- 
Francois Gouget  http://fgouget.free.fr/
question = ( to ) ? be : ! be;  -- Wm. Shakespeare
Bug#916587: AppArmor breaks virtio-gpu + virgl
How exactly do you see these logs?

I'm trying to start a Linux guest on Debian testing host, using
virt-manager and user session. I enabled OpenGL and 3D acceleration and
it fails like this:

Error starting domain: internal error: qemu unexpectedly closed the monitor

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 66, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1400, in startup
    self._backend.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 1080, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirt.libvirtError: internal error: qemu unexpectedly closed the monitor

When OpenGL isn't enabled, it starts fine. I have libvirglrenderer0
installed. I wonder if it's related to the above apparmor issue.

Editing /etc/apparmor.d/libvirt/TEMPLATE.qemu didn't help in my case
either.

Regards,
Hillel Lubman.
Bug#916587: AppArmor breaks virtio-gpu + virgl
Thanks for posting this to the Debian bug list. It did indeed make finding
it easier!

Unfortunately I'm still getting the same error after modifying
/etc/apparmor.d/libvirt/TEMPLATE.qemu. Maybe I missed something. Here's my
file:

-----
#include <tunables/global>

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  /dev/dri/ r,
  /dev/dri/renderD128 rw,
  /etc/drirc r,
  /{etc,usr/share}/glvnd/egl_vendor.d/ r,
  /{etc,usr/share}/glvnd/egl_vendor.d/*.json r,
  /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
  /usr/lib/x86_64-linux-gnu/dri/*_dri.so m,
}
-----

The errors are the same you were getting:

2019-01-10T00:01:34.834520Z qemu-system-x86_64: egl: no drm render node available
2019-01-10T00:01:34.834548Z qemu-system-x86_64: Failed to initialize EGL render node for SPICE GL

And kern.log has these audit entries:

Jan 10 01:01:34 amboise kernel: [225665.603042] audit: type=1400 audit(1547078494.295:809): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32064 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225665.728974] audit: type=1400 audit(1547078494.423:810): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32067 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225665.868380] audit: type=1400 audit(1547078494.563:811): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32070 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225665.977689] audit: type=1400 audit(1547078494.671:812): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32073 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225666.077274] audit: type=1400 audit(1547078494.771:813): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32112 comm="apparmor_parser"
Jan 10 01:01:35 amboise kernel: [225666.357611] audit: type=1400 audit(1547078495.051:814): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32123 comm="apparmor_parser"

-- 
Francois Gouget  http://fgouget.free.fr/
Stolen from an Internet user: "f u cn rd ths, u cn gt a gd jb n cmptr prgrmmng !"
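The audit entries above only show the profile's lifecycle (load, replace, remove); what would actually explain the "no drm render node" failure is a DENIED record for the libvirt-<uuid> profile. As an added example (not from the bug report or from libvirt), here is a small Python parser that separates the two record kinds; it assumes the type=1400 line layout shown above, and the DENIED sample line is constructed.

```python
import re
from collections import Counter, defaultdict

# AppArmor writes kernel audit records (type=1400) to kern.log/dmesg.
# STATUS records track a profile's lifecycle (profile_load/replace/remove,
# as in the report above); DENIED records are what explains an
# "egl: no drm render node available" failure caused by a missing rule.
AUDIT_RE = re.compile(
    r'audit: type=1400 audit\([^)]*\): apparmor="(?P<kind>[A-Z]+)"(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_apparmor_record(line):
    """Return the key="value" fields of one AppArmor audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    fields["kind"] = m.group("kind")
    return fields

def summarize(lines):
    """Count lifecycle operations per profile and collect denied accesses."""
    lifecycle = defaultdict(Counter)  # profile name -> Counter(operation)
    denials = []                      # (profile, operation, path, requested_mask)
    for line in lines:
        rec = parse_apparmor_record(line)
        if rec is None:
            continue
        if rec["kind"] == "STATUS":
            lifecycle[rec.get("name", "?")][rec.get("operation", "?")] += 1
        elif rec["kind"] == "DENIED":
            denials.append((rec.get("profile"), rec.get("operation"),
                            rec.get("name"), rec.get("requested_mask")))
    return lifecycle, denials

# Sample input: the STATUS lines are copied from the report above; the
# DENIED line is constructed to show what hitting a missing /dev/dri rule looks like.
SAMPLE_LOG = [
    'Jan 10 01:01:34 amboise kernel: [225665.603042] audit: type=1400 audit(1547078494.295:809): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32064 comm="apparmor_parser"',
    'Jan 10 01:01:34 amboise kernel: [225665.977689] audit: type=1400 audit(1547078494.671:812): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32073 comm="apparmor_parser"',
    'Jan 10 01:01:35 amboise kernel: [225666.357611] audit: type=1400 audit(1547078495.051:814): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32123 comm="apparmor_parser"',
    # constructed, not from the report:
    'Jan 10 01:01:35 amboise kernel: [225666.400000] audit: type=1400 audit(1547078495.100:815): apparmor="DENIED" operation="open" profile="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" name="/dev/dri/renderD128" pid=32130 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=64055 ouid=0',
]

if __name__ == "__main__":
    lifecycle, denials = summarize(SAMPLE_LOG)
    print({p: dict(c) for p, c in lifecycle.items()}, denials)
```

Run it over `journalctl -k` or kern.log output to see whether a rule is missing (a DENIED path) or the profile simply was not reloaded (only STATUS records, possibly "same as current profile, skipping").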