** Changed in: libvirt (Ubuntu)
       Status: Incomplete => Confirmed

** Changed in: apparmor (Ubuntu)
       Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1532007

Title:
  libvirt's apparmor policy prevents starting domain with hugepage-
  backed memory store

Status in apparmor package in Ubuntu:
  Confirmed
Status in libvirt package in Ubuntu:
  Confirmed

Bug description:
  ---Problem Description---
  After enabling hugepages, unable to start a domain with hugepage-backed
  memory store:

  ~# virsh start ubuntu-14_04
  error: Failed to start domain ubuntu-14_04
  error: internal error: process exited while connecting to monitor: 2015-07-10T14:26:04.627101Z qemu-system-ppc64le: unable to create backing store for hugepages: Permission denied

  ---uname output---
  Linux cipipeln 3.19.0-21-generic #21-Ubuntu SMP Sun Jun 14 19:33:37 UTC 2015 ppc64le ppc64le ppc64le GNU/Linux

  ---Steps to Reproduce---
  1. set the sysctl setting for hugepages to 5000
  2. enable huge pages in /etc/default/qemu-kvm
  3. restart qemu-kvm
  4. restart libvirt 
  5. add to guest xml (using virsh edit)
  <memoryBacking>
     <hugepages/>
  </memoryBacking>
  6. virsh define ubuntu-14_04.xml
  7. virsh start ubuntu-14_04

  ====
  # grep Huge /proc/meminfo 
  AnonHugePages:         0 kB
  HugePages_Total:    5000
  HugePages_Free:     5000
  HugePages_Rsvd:        0
  HugePages_Surp:        0
  Hugepagesize:      16384 kB

  # cat /etc/default/qemu-kvm 
  # To disable qemu-kvm's page merging feature, set KSM_ENABLED=0 and
  # sudo restart qemu-kvm
  KSM_ENABLED=1
  SLEEP_MILLISECS=200
  # To load the vhost_net module, which in some cases can speed up
  # network performance, set VHOST_NET_ENABLED to 1.
  VHOST_NET_ENABLED=1

  # Set this to 1 if you want hugepages to be available to kvm under
  # /run/hugepages/kvm
  KVM_HUGEPAGES=1

  ==
  File permissions on the hugepages mount dir:

  root@cipipeln:~# ls -lah /dev | grep hugep
  drwxr-xr-x  3 root root           0 Jun 16 12:39 hugepages
  root@cipipeln:~# ls -lah /dev/hugepages/
  total 0
  drwxr-xr-x  3 root root    0 Jun 16 12:39 .
  drwxr-xr-x 18 root root 4.9K Jul  8 11:03 ..
  drwxr-xr-x  3 root root    0 Jun 16 12:39 libvirt
  root@cipipeln:~# ls -lah /dev/hugepages/libvirt/
  total 0
  drwxr-xr-x 3 root         root 0 Jun 16 12:39 .
  drwxr-xr-x 3 root         root 0 Jun 16 12:39 ..
  drwxr-xr-x 2 libvirt-qemu kvm  0 Jul  9 18:34 qemu

  ==

  # sysctl -a | grep huge
  vm.hugepages_treat_as_movable = 0
  vm.hugetlb_shm_group = 0
  vm.nr_hugepages = 5000
  vm.nr_hugepages_mempolicy = 5000
  vm.nr_overcommit_hugepages = 0

  ==

  I was able to confirm that running qemu-kvm stand-alone was allocated
  4 hugepages (The number of free huge pages decreased by 4).

  ==
  I also tried:
  - sysctl -w vm.hugetlb_shm_group=X where X was the user id for libvirt, and
    then tried the group id for the kvm group
  - disabling apparmor
  - chmod -R 777 /dev/hugepages
   
  Hi Christy, are you using apparmor for any specific reason? If you can
  switch to selinux, it would be convenient for me to debug as I am very
  comfortable with selinux. The issue I see is qemu is not able to create a
  temporary file in /dev/hugepages/libvirt/qemu/qemu_back_mem.ppc_spapr.ram.XXX.

  Can you disable that and try, or confirm that the /dev/hugepages
  directory has relaxed security? I tried relaxing a bit and failed as I
  don't know apparmor well.

  Thanks,
  Shiva

  == Comment: #8 - Christy L. Norman Perez <clnpe...@us.ibm.com> - 2016-01-07 11:33:19 ==
  (In reply to comment #7)
  > Hi Christy, are you using apparmor for any specific reason? If you can
  > switch to selinux, it would be convenient for me to debug as I am very
  > comfortable with selinux. The issue I see is qemu is not able to create a
  > temporary file in
  > /dev/hugepages/libvirt/qemu/qemu_back_mem.ppc_spapr.ram.XXX.

  Nope, not using apparmor for any reason aside from the fact that it's
  default on Ubuntu.

  > 
  > Can you disable that and try, or confirm that the /dev/hugepages directory has
  > relaxed security? I tried relaxing a bit and failed as I don't know apparmor
  > well.

  I can't believe I didn't look into this before, but it does look like an
  apparmor issue:
  Jan 07 11:17:17 humphrey kernel: audit: type=1400 audit(1452183437.308:281): apparmor="DENIED" operation="mknod" profile="libvirt-be593664-727a-4905-bdb8-2eb7ccf85700

  So, here's what I did to get this to work:
  root@humphrey:~# aa-complain /etc/apparmor.d/libvirt/libvirt-be593664-727a-4905-bdb8-2eb7ccf85700
  Setting /etc/apparmor.d/libvirt/libvirt-be593664-727a-4905-bdb8-2eb7ccf85700 to complain mode.

  root@humphrey:~# virsh start bz127508
  Domain bz127508 started

  > 
  > Thanks,
  > Shiva

  I think we should reroute this to apparmor, mirror to Ubuntu, and
  request an updated apparmor policy. This change should be done for
  14.04 and applicable releases after.

  Thanks for the suggestion, Shiva!
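As an added example (not from the bug report, and not libvirt's own policy fix): a POSIX shell helper that turns an AppArmor DENIED audit line like the one above into the single path rule the domain profile is missing, which is a narrower remedy than aa-complain, since complain mode stops enforcing every rule in that profile. The audit line in the script is constructed to complete the truncated one in the report; its name=, comm= and mask fields are assumptions.

```shell
#!/bin/sh
# Added example: derive a least-privilege AppArmor path rule from a DENIED
# audit line, instead of switching the whole libvirt domain profile to
# complain mode. The sample line is constructed for this example; the report's
# own line is cut off before name=, so the path and masks are assumptions.
SAMPLE_DENIAL='audit: type=1400 audit(1452183437.308:281): apparmor="DENIED" operation="mknod" profile="libvirt-be593664-727a-4905-bdb8-2eb7ccf85700" name="/dev/hugepages/libvirt/qemu/qemu_back_mem.ppc_spapr.ram.AbCdEf" pid=12345 comm="qemu-system-ppc" requested_mask="c" denied_mask="c"'

# aa_field LINE KEY -> value of KEY="..." in LINE (empty if the key is absent)
aa_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# aa_profile LINE -> name of the profile that issued the denial
aa_profile() {
    aa_field "$1" profile
}

# aa_rule LINE -> one AppArmor file rule covering the denied access.
# A create ("c") or write ("w") denial on a backing file gets a glob over its
# directory, because qemu appends a random suffix to qemu_back_mem.*; "owner"
# keeps the rule limited to files owned by the profile's own uid.
aa_rule() {
    line=$1
    [ "$(aa_field "$line" apparmor)" = "DENIED" ] || return 1
    name=$(aa_field "$line" name)
    mask=$(aa_field "$line" denied_mask)
    [ -n "$name" ] || return 1
    case $mask in
        *c*|*w*) printf 'owner "%s/**" rw,\n' "${name%/*}" ;;
        *)       printf '"%s" r,\n' "$name" ;;
    esac
}

# Stand-alone use: show which profile needs the rule and what the rule is.
printf 'profile: %s\nrule:    %s\n' \
    "$(aa_profile "$SAMPLE_DENIAL")" "$(aa_rule "$SAMPLE_DENIAL")"
```

The emitted rule is a candidate to add to the profile (or the libvirt-qemu abstraction it includes) before reloading it with apparmor_parser; verify it against a fresh denial rather than trusting the glob blindly.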

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1532007/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
