Bug#916587: [Pkg-libvirt-maintainers] Bug#916587: AppArmor breaks virtio-gpu + virgl

2019-04-01 Thread Guido Günther
Hi,
On Mon, Apr 01, 2019 at 10:40:12AM +0200, intrigeri wrote:
> Control: tag -1 + patch
> 
> Guido Günther:
> > I had going through the open apparmor issues and especially the OpenGL
> > ones on my TODO list for buster
> 
> I've triaged the AppArmor issues last week-end :)
> 
> > but if you'd pick that up that would be totally awesome.
> 
> Done: https://salsa.debian.org/libvirt-team/libvirt/merge_requests/11
> 
> Tested in a sid VM with:
> 
>  - QXL (virt-manager's default) → no regression spotted
>  - virtio-gpu + 3D acceleration (what this bug is about)
>    → works fine

Applied. Thanks a lot!

I'll wait for a couple of days in case more commits come trickling in and
then upload for buster.
 -- Guido



Bug#916587: [Pkg-libvirt-maintainers] Bug#916587: AppArmor breaks virtio-gpu + virgl

2019-04-01 Thread intrigeri
Control: tag -1 + patch

Guido Günther:
> I had going through the open apparmor issues and especially the OpenGL
> ones on my TODO list for buster

I've triaged the AppArmor issues last week-end :)

> but if you'd pick that up that would be totally awesome.

Done: https://salsa.debian.org/libvirt-team/libvirt/merge_requests/11

Tested in a sid VM with:

 - QXL (virt-manager's default) → no regression spotted
 - virtio-gpu + 3D acceleration (what this bug is about)
   → works fine

Cheers,
-- 
intrigeri



Bug#916587: [Pkg-libvirt-maintainers] Bug#916587: AppArmor breaks virtio-gpu + virgl

2019-03-31 Thread Guido Günther
Hi,
On Sat, Mar 30, 2019 at 05:18:01PM +0100, intrigeri wrote:
> Control: severity -1 important
> Control: tag -1 + fixed-upstream
> 
> Hi,
> 
> bumping severity as this totally breaks an option offered to users via
> virt-manager.
> 
> Now, I've verified that virt-manager in current sid still creates new
> VMs with QXL graphics by default, so this bug only affects users who
> opt in for virtio + 3D acceleration. As such, I'm unsure how much of
> a stretch it would be to request a freeze exception — Guido, what do
> you think?

I had going through the open apparmor issues and especially the OpenGL
ones on my TODO list for buster but if you'd pick that up that would be
totally awesome.

Cheers,
 -- Guido

> 
> If it helps, I'd be happy to test the corresponding upstream patches:
> 
>    commit f2cbb94eabdd5e3422c45b1afa48eb4c951c09e0
>    Author: Christian Ehrhardt 
>    Date:   Tue Mar 5 13:38:38 2019 +0100
>    
>    security: aa-helper: gl devices in sysfs at arbitrary depth
>    
>    commit 00fbb9e51678f76effa2d20e78a9be861ad5f484
>    Author: Christian Ehrhardt 
>    Date:   Fri Mar 1 07:25:59 2019 +0100
>    
>    security: aa-helper: nvidia rules for gl devices
>    
>    commit 27a9ebf28183cb3c3c784fcab622e67e978eb3dc
>    Author: Christian Ehrhardt 
>    Date:   Tue Feb 12 11:12:52 2019 +0100
>    
>    security: aa-helper: generate more rules for gl devices
>    
>    commit d85e8e400b48f1b4c1dfbf438dda83cd959eacf7
>    Author: Christian Ehrhardt 
>    Date:   Tue Feb 12 10:33:23 2019 +0100
>    
>    security: aa-helper: allow virt-aa-helper to read /dev/dri
>    
>    commit fb01e1a44daea773cd53f275cad6f031506c20db
>    Author: Christian Ehrhardt 
>    Date:   Mon Jan 14 15:15:06 2019 +0200
>    
>    virt-aa-helper: generate rules for gl enabled graphics devices
> 
> Cheers!
> 



Bug#916587: AppArmor breaks virtio-gpu + virgl

2019-03-30 Thread intrigeri
Control: severity -1 important
Control: tag -1 + fixed-upstream

Hi,

bumping severity as this totally breaks an option offered to users via
virt-manager.

Now, I've verified that virt-manager in current sid still creates new
VMs with QXL graphics by default, so this bug only affects users who
opt in for virtio + 3D acceleration. As such, I'm unsure how much of
a stretch it would be to request a freeze exception — Guido, what do
you think?

If it helps, I'd be happy to test the corresponding upstream patches:

   commit f2cbb94eabdd5e3422c45b1afa48eb4c951c09e0
   Author: Christian Ehrhardt 
   Date:   Tue Mar 5 13:38:38 2019 +0100
   
   security: aa-helper: gl devices in sysfs at arbitrary depth
   
   commit 00fbb9e51678f76effa2d20e78a9be861ad5f484
   Author: Christian Ehrhardt 
   Date:   Fri Mar 1 07:25:59 2019 +0100
   
   security: aa-helper: nvidia rules for gl devices
   
   commit 27a9ebf28183cb3c3c784fcab622e67e978eb3dc
   Author: Christian Ehrhardt 
   Date:   Tue Feb 12 11:12:52 2019 +0100
   
   security: aa-helper: generate more rules for gl devices
   
   commit d85e8e400b48f1b4c1dfbf438dda83cd959eacf7
   Author: Christian Ehrhardt 
   Date:   Tue Feb 12 10:33:23 2019 +0100
   
   security: aa-helper: allow virt-aa-helper to read /dev/dri
   
   commit fb01e1a44daea773cd53f275cad6f031506c20db
   Author: Christian Ehrhardt 
   Date:   Mon Jan 14 15:15:06 2019 +0200
   
   virt-aa-helper: generate rules for gl enabled graphics devices

Cheers!



Bug#916587: AppArmor breaks virtio-gpu + virgl

2019-02-27 Thread Francois Gouget


I got the virtio-gpu + Virgl configuration to work with the configuration 
file I posted.

When I edited the file I fumbled a bit so I suspect what happened is 
that at some point I broke the AppArmor state in some subtle way. Then 
it all got fixed a bit later when I rebooted.

So the important thing is: the file I posted works!

-- 
Francois Gouget   http://fgouget.free.fr/
question = ( to ) ? be : ! be;
  -- Wm. Shakespeare



Bug#916587: AppArmor breaks virtio-gpu + virgl

2019-01-31 Thread Hillel Lubman
How exactly do you see these logs?

I'm trying to start a Linux guest on a Debian testing host, using virt-manager 
and a user session.
I enabled OpenGL and 3D acceleration and it fails like this:

Error starting domain: internal error: qemu unexpectedly closed the monitor

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 66, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1400, in startup
    self._backend.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 1080, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirt.libvirtError: internal error: qemu unexpectedly closed the monitor

When OpenGL isn't enabled, it starts fine.  I have libvirglrenderer0 installed. 
I wonder if it's related to the above apparmor issue.

Editing  /etc/apparmor.d/libvirt/TEMPLATE.qemu didn't help in my case either.

Regards,
Hillel Lubman.
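
[Added example, not part of any message in this thread and not libvirt or Debian code.] One way to read the AppArmor audit records that kern.log carries for a libvirt guest, separating profile lifecycle events (STATUS) from actual denials (DENIED). The function names are hypothetical; the DENIED entry in the sample is constructed, the other two are from the 2019-01-09 kern.log excerpt in this thread.

```python
import re
from collections import defaultdict

# First and last kern.log entries from the 2019-01-09 message (wrapped lines
# joined), plus one CONSTRUCTED DENIED entry; the thread quotes no DENIED line.
SAMPLE = '''\
Jan 10 01:01:34 amboise kernel: [225665.603042] audit: type=1400 audit(1547078494.295:809): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32064 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225665.990000] audit: type=1400 audit(1547078494.700:900): apparmor="DENIED" operation="open" profile="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" name="/dev/dri/renderD128" pid=32100 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0
Jan 10 01:01:35 amboise kernel: [225666.357611] audit: type=1400 audit(1547078495.051:814): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32123 comm="apparmor_parser"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r'audit\((\d+\.\d+):\d+\)')

def parse_line(line):
    """Return the fields of one AppArmor audit line as a dict, else None."""
    stamp = STAMP.search(line)
    if stamp is None or 'apparmor=' not in line:
        return None
    rec = {key: value.strip('"') for key, value in FIELD.findall(line)}
    rec['ts'] = float(stamp.group(1))
    return rec

def summarize(text):
    """Group records by per-guest profile: lifecycle, denials, lifetime."""
    report = defaultdict(lambda: {'lifecycle': [], 'denied': [], 'ts': []})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['apparmor'] == 'STATUS':
            # STATUS: name= is the profile apparmor_parser loads or removes.
            vm = report[rec['name']]
            vm['lifecycle'].append(rec['operation'])
        elif rec['apparmor'] == 'DENIED':
            # DENIED: profile= is the confined guest, name= the blocked path.
            vm = report[rec['profile']]
            vm['denied'].append((rec.get('name'), rec.get('denied_mask'), rec.get('comm')))
        else:
            continue
        vm['ts'].append(rec['ts'])
    return {name: {'lifecycle': vm['lifecycle'], 'denied': vm['denied'],
                   'seconds': round(max(vm['ts']) - min(vm['ts']), 3)}
            for name, vm in report.items()}

if __name__ == '__main__':
    print(summarize(SAMPLE))
```

A profile that is loaded and removed within about a second, as in the sample, means the guest exited right after start; the denied list shows which path and access mask the per-guest profile refused, which is what a rule added to the profile has to cover.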



Bug#916587: AppArmor breaks virtio-gpu + virgl

2019-01-09 Thread Francois Gouget


Thanks for posting this to the Debian bug list. It did indeed make 
finding it easier!

Unfortunately I'm still getting the same error after modifying 
/etc/apparmor.d/libvirt/TEMPLATE.qemu. Maybe I missed something.
Here's my file:

-

#include 

profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
  #include 

  /dev/dri/ r,
  /dev/dri/renderD128 rw,
  /etc/drirc r,
  /{etc,usr/share}/glvnd/egl_vendor.d/ r,
  /{etc,usr/share}/glvnd/egl_vendor.d/*.json r,
  
/sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor}
 r,
  /usr/lib/x86_64-linux-gnu/dri/*_dri.so m,
}
-

The errors are the same you were getting:

2019-01-10T00:01:34.834520Z qemu-system-x86_64: egl: no drm render node available
2019-01-10T00:01:34.834548Z qemu-system-x86_64: Failed to initialize EGL render node for SPICE GL


And kern.log has these audit entries:

Jan 10 01:01:34 amboise kernel: [225665.603042] audit: type=1400 audit(1547078494.295:809): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32064 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225665.728974] audit: type=1400 audit(1547078494.423:810): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32067 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225665.868380] audit: type=1400 audit(1547078494.563:811): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32070 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225665.977689] audit: type=1400 audit(1547078494.671:812): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32073 comm="apparmor_parser"
Jan 10 01:01:34 amboise kernel: [225666.077274] audit: type=1400 audit(1547078494.771:813): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32112 comm="apparmor_parser"
Jan 10 01:01:35 amboise kernel: [225666.357611] audit: type=1400 audit(1547078495.051:814): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-c1cd8951-9ae3-4a76-a364-69f648d51447" pid=32123 comm="apparmor_parser"


-- 
Francois Gouget   http://fgouget.free.fr/
 Stolen from an Internet user:
  "f u cn rd ths, u cn gt a gd jb n cmptr prgrmmng !"