** Description changed:

+ When using VFIO for passthrough devices, 2 apparmor violations are
+ encountered:
  
+ 1) all memory of the VM must be locked, libvirt tries to increase
+ RLIMIT_MEMLOCK
  
- When using VFIO for passthrough devices, all memory of the VM must be locked.
- 
- libvirt tries to increase RLIMIT_MEMLOCK, however apparmor is denying
- this:
- 
+ 2) access to /dev/vfio/XX is needed by qemu
  
  example xml:
  
      <hostdev mode='subsystem' type='pci' managed='yes'>
        <driver name='vfio'/>
        <source>
          <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
        </source>
      </hostdev>
  
  
+ issue #1:
+ 
  error message on start of VM:
  
- error: internal error: Process exited prior to exec: libvirt:  error :
+ error: internal error: Process exited prior to exec: libvirt: error :
  cannot limit locked memory to 18253611008: Operation not permitted
  
  apparmor log:
  
- kernel: [  783.469784] type=1400 audit(1391620864.251:35):
+ kernel: [ 783.469784] type=1400 audit(1391620864.251:35):
  apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd"
- pid=2106 comm="libvirtd" capability=24  capname="sys_resource"
+ pid=2106 comm="libvirtd" capability=24 capname="sys_resource"
  
  
- strace of libvirtd shows:
+ issue #2:
  
- [pid  2934] setrlimit(RLIMIT_MEMLOCK, {rlim_cur=17825792*1024,
- rlim_max=17825792*1024}) = -1 EPERM (Operation not permitted)
+ error message on start of VM:
+ 
+ qemu-system-x86_64: -device 
vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening 
/dev/vfio/21: Permission denied
+ qemu-system-x86_64: -device 
vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 
21
+ qemu-system-x86_64: -device 
vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization 
failed.
+ qemu-system-x86_64: -device 
vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could 
not be initialized
+ 
+ apparmor log:
+ 
+ kernel: [ 1209.299820] type=1400 audit(1391624317.063:46):
+ apparmor="DENIED" operation="open" profile="libvirt-
+ 014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm
+ ="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106
+ ouid=106
+ 
+ 
+ workaround:
+ 
+ sudo aa-complain /usr/sbin/libvirtd
+ sudo aa-complain 
/etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????
  
  
  testing with latest Trusty:
  
- ii  libvirt-bin        1.2.1-0ubuntu5         amd64        programs for the 
libvirt library
- ii  libvirt0           1.2.1-0ubuntu5         amd64        library for 
interfacing with different virtualization systems
+ ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
+ ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different 
virtualization systems

** Summary changed:

- apparmor denies RLIMIT_MEMLOCK increase needed for VFIO passthrough
+ apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1276719

Title:
  apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX
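
An added example, not part of the original bug report: a small Python parser that reduces the two AppArmor `DENIED` records quoted above to the profile involved and the single rule each denial corresponds to, as candidates to review instead of switching both profiles to complain mode. The function names are made up for this example, and the sample lines are the report's own log lines with the e-mail wrapping undone.

```python
import re
import shlex

# Log lines taken from the report above, with the mail line-wrapping undone.
SAMPLE_LOG = [
    'kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" '
    'operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" '
    'capability=24 capname="sys_resource"',
    'kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" '
    'operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" '
    'name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" '
    'denied_mask="rw" fsuid=106 ouid=106',
]

AUDIT_RE = re.compile(r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in shlex.split(m.group('body')):  # shlex strips the quotes
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    if fields.get('apparmor') != 'DENIED':
        return None
    fields['serial'] = m.group('serial')
    return fields


def missing_rule(fields):
    """Map a denial to (profile, candidate rule); rule is None if unrecognised."""
    if fields.get('operation') == 'capable' and 'capname' in fields:
        return fields['profile'], 'capability %s,' % fields['capname']
    if 'name' in fields and 'denied_mask' in fields:
        return fields['profile'], '%s %s,' % (fields['name'], fields['denied_mask'])
    return fields.get('profile'), None


def summarize(lines):
    return [missing_rule(f) for f in map(parse_denial, lines) if f]


if __name__ == '__main__':
    for profile, rule in summarize(SAMPLE_LOG):
        print('%-50s %s' % (profile, rule))
```
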
