Two observations after discussing with Hui on IRC:

1) Hugepage filesystem

Right now, the apparmor profile only allows access to:

  # for access to hugepages
  owner "/run/hugepages/kvm/libvirt/qemu/**" rw,

if the hugepage FS is mounted elsewhere, any hugepage access will be
blocked by apparmor.

The fact that the rule also specifies a subdirectory may also create
problems, but I'm not 100% sure on that (depends on how dpdk shares
hugepage memory with the guest device I think).

2) vhost-user device access

The configuration for the vhost-user device created in OVS will also be
blocked by apparmor:

  -chardev socket,id=charnet0,path=/var/run/openvswitch/vhu5392206b-dc
  -netdev type=vhost-user,id=hostnet0,chardev=charnet0
  -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:e5:41:f1,bus=pci.0,addr=0x3

I'm assuming these will always be located in /var/run/openvswitch - but
that's probably a little too generic for an apparmor rule - do they
always follow a particular naming convention?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1513367

Title:
  qemu-system-x86_64/kvm-spice failed to boot a vm with appmor enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1513367/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
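The two gaps the comment above describes (hugepage mount point, vhost-user socket path) can be closed with a few extra AppArmor rules. The fragment below is an added example, not the Ubuntu libvirt-qemu abstraction or anything from the bug; it assumes hugepages are mounted at /dev/hugepages and that the OVS sockets keep the "vhu" prefix seen in the quoted qemu command line (the comment itself is unsure of that convention, so the glob is an assumption). It also assumes the rules land in the same abstraction the quoted hugepage rule comes from.

```apparmor
  # Added example rules (assumptions: hugetlbfs at /dev/hugepages, OVS
  # vhost-user sockets named /run/openvswitch/vhu*). Not from the bug or
  # the shipped profile.

  # Hugepage backing files: the existing rule only covers one mount point,
  # so list each hugetlbfs mount libvirt may be told to use.
  owner "/run/hugepages/kvm/libvirt/qemu/**" rw,
  owner "/dev/hugepages/libvirt/qemu/**" rw,

  # OVS vhost-user sockets: qemu connects to a unix socket OVS created.
  # AppArmor matches the path as the kernel resolves it, and /var/run is
  # usually a symlink to /run, so the rule names /run/...; the /var/run
  # spelling is kept for hosts where it is a real directory.
  "/run/openvswitch/vhu*" rw,
  "/var/run/openvswitch/vhu*" rw,
```

The "vhu*" glob is narrower than allowing all of /run/openvswitch/** and keeps qemu away from the OVS control socket (db.sock) and PID files in the same directory. After reloading the profile, a quick way to confirm nothing is still blocked is to start the guest and look for `apparmor="DENIED"` audit lines in the kernel log for the `libvirt-<uuid>` profile; each remaining line names the exact path that still needs a rule.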
