** Changed in: libvirt (Ubuntu) Status: Incomplete => Confirmed ** Changed in: apparmor (Ubuntu) Status: Incomplete => Confirmed
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1532007 Title: libvirt's apparmor policy prevents starting domain with hugepage- backed memory store Status in apparmor package in Ubuntu: Confirmed Status in libvirt package in Ubuntu: Confirmed Bug description: ---Problem Description--- After enabling hugepages, unable to start a domain with hugepage-packed memory store: ~# virsh start ubuntu-14_04 error: Failed to start domain ubuntu-14_04 error: internal error: process exited while connecting to monitor: 2015-07-10T14:26:04.627101Z qemu-system-ppc64le: unable to create backing store for hugepages: Permission denied ---uname output--- Linux cipipeln 3.19.0-21-generic #21-Ubuntu SMP Sun Jun 14 19:33:37 UTC 2015 ppc64le ppc64le ppc64le GNU/Linux ---Steps to Reproduce--- 1. set the sysctl setting for hugepages to 5000 2. enable huge pages in /etc/default/qemu-kvm 3. restart qemu-kvm 4. restart libvirt 5. add to guest xml (using virsh edit) <memoryBacking> <hugepages/> </memoryBacking> 6. virsh define ubuntu-14_04.xml 7. virsh start ubuntu-14_04 ==== # grep Huge /proc/meminfo AnonHugePages: 0 kB HugePages_Total: 5000 HugePages_Free: 5000 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 16384 kB # cat /etc/default/qemu-kvm # To disable qemu-kvm's page merging feature, set KSM_ENABLED=0 and # sudo restart qemu-kvm KSM_ENABLED=1 SLEEP_MILLISECS=200 # To load the vhost_net module, which in some cases can speed up # network performance, set VHOST_NET_ENABLED to 1. VHOST_NET_ENABLED=1 # Set this to 1 if you want hugepages to be available to kvm under # /run/hugepages/kvm KVM_HUGEPAGES=1 == File permissions on the hugepages mount dir: root@cipipeln:~# ls -lah /dev | grep hugep drwxr-xr-x 3 root root 0 Jun 16 12:39 hugepages root@cipipeln:~# ls -lah /dev/hugepages/ total 0 drwxr-xr-x 3 root root 0 Jun 16 12:39 . drwxr-xr-x 18 root root 4.9K Jul 8 11:03 .. drwxr-xr-x 3 root root 0 Jun 16 12:39 libvirt root@cipipeln:~# ls -lah /dev/hugepages/libvirt/ total 0 drwxr-xr-x 3 root root 0 Jun 16 12:39 . drwxr-xr-x 3 root root 0 Jun 16 12:39 .. drwxr-xr-x 2 libvirt-qemu kvm 0 Jul 9 18:34 qemu == # sysctl -a | grep huge vm.hugepages_treat_as_movable = 0 vm.hugetlb_shm_group = 0 vm.nr_hugepages = 5000 vm.nr_hugepages_mempolicy = 5000 vm.nr_overcommit_hugepages = 0 == I was able to confirm that running qemu-kvm stand-alone was allocated 4 hugepages (The number of free huge pages decreased by 4). == I also tried: - sysctl -w vm.hugetlb_shm_group=X where X was the user id for libvirt, and then tried the group id for the kvm group - disabling apparmor - chmod -R 777 /dev/hugepages Hi Christy, Are you using apparmor for any specific reason ? If you can switch to selinux, it would be convinient for me to debug as I am very comfortable with selinux. The issue I see is qemu is not able to create a temporary file in /dev/hugepages/libvirt/qemu/qemu_back_mem.ppc_spapr.ram.XXX. Can you disable that and try Or confirm if the /dev/hugepages directory has relaxed security? I tried relaxing a bit and failed as I dont know apparmor well. Thanks, Shiva == Comment: #8 - Christy L. Norman Perez <clnpe...@us.ibm.com> - 2016-01-07 11:33:19 == (In reply to comment #7) > Hi Christy, Are you using apparmor for any specific reason ? If you can > switch to selinux, it would be convinient for me to debug as I am very > comfortable with selinux. The issue I see is qemu is not able to create a > temporary file in > /dev/hugepages/libvirt/qemu/qemu_back_mem.ppc_spapr.ram.XXX. Nope, not using apparmor for any reason aside from the fact that it's default on Ubuntu. > > Can you disable that and try Or confirm if the /dev/hugepages directory has > relaxed security? I tried relaxing a bit and failed as I dont know apparmor > well. I can't believe I didn't look into this before, but it does look like an apparmor issue: Jan 07 11:17:17 humphrey kernel: audit: type=1400 audit(1452183437.308:281): apparmor="DENIED" operation="mknod" profile="libvirt-be593664-727a-4905-bdb8-2eb7ccf85700 So, here's what I did to get this to work: root@humphrey:~# aa-complain /etc/apparmor.d/libvirt/libvirt-be593664-727a-4905-bdb8-2eb7ccf85700 Setting /etc/apparmor.d/libvirt/libvirt-be593664-727a-4905-bdb8-2eb7ccf85700 to complain mode. root@humphrey:~# virsh start bz127508 Domain bz127508 started > > Thanks, > Shiva I think we should reroute this to apparmor, mirror to Ubuntu, and request an updated apparmor policy. This change should be done for 14.04 and applicable releases after. Thanks for the suggestion, Shiva! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1532007/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp