Example Deny:
[ 774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"

Source: libvirt
Target: qemu process libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3
Action: change rlimits

TL;DR to re-summarize:
- certain actions let libvirt change the rlimit of the qemu guest
- such actions are memory hotplug on ppc
- pci hotplug of some devices
- libvirtd apparmor profile allows cap_sys_resource
- there is no rlimit rule restricting that in the profile
- a bug in the kernel part of apparmor blocks this and breaks the use-case
- as prechecked by jjohansen he seems to have an idea how to fix (see comment #16)
- but for yet unknown reasons activity fell silent since a few months
- finding that mem hotplug is also affected bumps the priority

--
https://bugs.launchpad.net/bugs/1679704

Title:
  libvirt profile is blocking global setrlimit despite having no rlimit rule
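
To triage a host for the denial reported above, the kernel log can be scanned for AppArmor records where a `setrlimit` was denied and the `peer` field names a different profile than the one making the call. The following is an added example, not part of the bug report or of libvirt/AppArmor; the function names are hypothetical and the second sample log line is constructed for contrast.

```python
import re
import shlex

# Constructed sample input: line 1 is the denial quoted in the report above,
# line 2 is a made-up unrelated denial added for contrast.
SAMPLE_LOG = """\
[ 774.341606] audit: type=1400 audit(1522915593.238:42): apparmor="DENIED" operation="setrlimit" info="cap_sys_resource" error=-13 profile="/usr/sbin/libvirtd" pid=8376 comm="libvirtd" rlimit=memlock value=96468992 peer="libvirt-70a586a2-ef34-4954-91ea-9a6ecab52da3"
[ 775.000001] audit: type=1400 audit(1522915594.000:43): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=9001 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

AUDIT_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")


def parse_apparmor(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    m = AUDIT_RE.search(line)
    if not m or "apparmor=" not in m["body"]:
        return None
    fields = {"ts": float(m["ts"]), "serial": int(m["serial"])}
    # shlex strips the double quotes the kernel puts around string values.
    for token in shlex.split(m["body"]):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def cross_profile_rlimit_denials(log_text):
    """List denied setrlimit calls whose target (peer) is another profile."""
    hits = []
    for line in log_text.splitlines():
        f = parse_apparmor(line)
        if not f or f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") != "setrlimit" or "peer" not in f:
            continue
        if f["peer"] == f.get("profile"):
            continue  # same profile: not the cross-profile case in the report
        hits.append({
            "source_profile": f.get("profile"),
            "peer": f["peer"],
            "rlimit": f.get("rlimit"),
            "value": int(f["value"]) if f.get("value", "").isdigit() else None,
            "errno": int(f["error"]) if "error" in f else None,
            "info": f.get("info"),
        })
    return hits


if __name__ == "__main__":
    for hit in cross_profile_rlimit_denials(SAMPLE_LOG):
        print(hit)
```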
