** Description changed:
- When using VFIO for passthrough devices, 2 apparmor violations are
- encountered:
+ ===========================================
+ SRU Justification:
+ Impact: VFIO passthrough does not work with libvirt
+ Test case: See "example xml" below
+ Regression potential: This only adds permission for qemu to access /dev/vfio*
when needed, plus cap_sys_resource for libvirtd. No currently working case
should be regressed.
+ ===========================================
+ When using VFIO for passthrough devices, 2 apparmor violations are
encountered:
1) all memory of the VM must be locked, libvirt tries to increase
RLIMIT_MEMLOCK
2) access to /dev/vfio/XX is needed by qemu
example xml:
- <hostdev mode='subsystem' type='pci' managed='yes'>
- <driver name='vfio'/>
- <source>
- <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
- </source>
- </hostdev>
-
+ <hostdev mode='subsystem' type='pci' managed='yes'>
+ <driver name='vfio'/>
+ <source>
+ <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
+ </source>
+ </hostdev>
issue #1:
error message on start of VM:
error: internal error: Process exited prior to exec: libvirt: error : cannot limit locked memory to 18253611008: Operation not permitted
apparmor log:
kernel: [ 783.469784] type=1400 audit(1391620864.251:35): apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd" pid=2106 comm="libvirtd" capability=24 capname="sys_resource"
-
issue #2:
error message on start of VM:
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: error opening /dev/vfio/21: Permission denied
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: vfio: failed to get group 21
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device initialization failed.
qemu-system-x86_64: -device vfio-pci,host=03:00.0,id=hostdev0,bus=pci.0,addr=0x6: Device 'vfio-pci' could not be initialized
apparmor log:
kernel: [ 1209.299820] type=1400 audit(1391624317.063:46): apparmor="DENIED" operation="open" profile="libvirt-014a4d4f-7644-4cf1-c408-8abb631b3e34" name="/dev/vfio/21" pid=2916 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=106 ouid=106
-
workaround:
sudo aa-complain /usr/sbin/libvirtd
sudo aa-complain /etc/apparmor.d/libvirt/libvirt-????????-????-????-????-????????????
-
testing with latest Trusty:
ii libvirt-bin 1.2.1-0ubuntu5 amd64 programs for the libvirt library
ii libvirt0 1.2.1-0ubuntu5 amd64 library for interfacing with different
virtualization systems
** Changed in: libvirt (Ubuntu Trusty)
Importance: Undecided => High
** Changed in: libvirt (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: libvirt (Ubuntu)
Importance: Medium => High
--
https://bugs.launchpad.net/bugs/1276719
Title:
apparmor denies VFIO passthrough: RLIMIT_MEMLOCK and /dev/vfio/XX