[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
This bug was fixed in the package libvirt - 1.0.0-0ubuntu4 --- libvirt (1.0.0-0ubuntu4) raring; urgency=low * debian/patches/apparmor-allow-hugepages: update apparmor policies to allow use of hugepages. (LP: #646468) * debian/patches/vnc-socket.patch: If a vnc socket is in use, add it's path to the apparmor policy. (LP: #1069534) -- Serge HallynWed, 05 Dec 2012 16:43:04 -0600 ** Changed in: libvirt (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/646468 Title: Apparmor deny when trying to use hugetlbfs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/646468/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
** Branch linked: lp:ubuntu/raring-proposed/libvirt -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/646468 Title: Apparmor deny when trying to use hugetlbfs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/646468/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
** Changed in: libvirt (Ubuntu) Status: Triaged => In Progress ** Changed in: libvirt (Ubuntu) Assignee: (unassigned) => Serge Hallyn (serge-hallyn) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/646468 Title: Apparmor deny when trying to use hugetlbfs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/646468/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
A better way to do it would be to modify libvirt to create a directory on the hugetlbfs for the vm (not just for itself), then pass that as the mem-path to kvm and tell the sVirt driver about it somehow. -- Apparmor deny when trying to use hugetlbfs https://bugs.launchpad.net/bugs/646468 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
Look at this PPA https://launchpad.net/~jcollins/+archive/jaminppa -- Apparmor deny when trying to use hugetlbfs https://bugs.launchpad.net/bugs/646468 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
I read about how it unlinks after creation, so I think in general have just a commented line like this in /etc/apparmor.d/abstractions/libvirt-qemu is ok: # Uncomment the following line to enable huge pages in your guests. # owner /dev/hugepages/libvirt/qemu/* rw, It would be better if libvirt could do this dynamically like it does with disks, etc (the SELinux driver may already do this). This should be investigated. ** Changed in: libvirt (Ubuntu) Status: Incomplete => Triaged ** Changed in: libvirt (Ubuntu) Importance: Undecided => Low ** Changed in: libvirt (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) -- Apparmor deny when trying to use hugetlbfs https://bugs.launchpad.net/bugs/646468 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
Just a follow-up... This actually does work, and since qemu seems to unlink() right after the mkstemp() there's only a small race condition there, and after that the only way to steal another VMs memory is via procfs. Is it worth writing a small doc (or debconf option?) to help people setup hugetlbfs with libvirt? -- Apparmor deny when trying to use hugetlbfs https://bugs.launchpad.net/bugs/646468 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
Ok, that was closer, but this time I get the message: [84836.383289] type=1400 audit(1285366835.469:59): apparmor="DENIED" operation="open" parent=1 profile="libvirt- e2420e79-06d6-f8d0-0523-7c52b3650191" name="/dev/hugepages/libvirt/qemu/kvm.3Ag3N7" pid=1149 comm="kvm" requested_mask="r" denied_mask="r" fsuid=103 ouid=103 When I changed it to "rw" it worked... But does that mean that guests can read each others' memory (if compromised)? -- Apparmor deny when trying to use hugetlbfs https://bugs.launchpad.net/bugs/646468 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
** Tags added: apparmor -- Apparmor deny when trying to use hugetlbfs https://bugs.launchpad.net/bugs/646468 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 646468] Re: Apparmor deny when trying to use hugetlbfs
Can you add this to /etc/apparmor.d/abstractions/libvirt-qemu: owner /dev/hugepages/libvirt/qemu/* w, and try again? ** Changed in: libvirt (Ubuntu) Status: New => Incomplete ** Changed in: libvirt (Ubuntu) Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- Apparmor deny when trying to use hugetlbfs https://bugs.launchpad.net/bugs/646468 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs