** Also affects: libvirt (Ubuntu Saucy)
   Importance: Undecided
       Status: New
** Changed in: libvirt (Ubuntu Saucy)
   Importance: Undecided => High

** Changed in: libvirt (Ubuntu Saucy)
       Status: New => Triaged

** Description changed:

+ ================================================= + SRU Justification + ================================================= + 1. Impact: users cannot use hugepages + 2. Development fix: allow libvirt to write to its own hugepage files + 3. Stable fix: same as development fix + 4. Test case: see below + 5. Regression potential: we only add a new apparmor permission to files owned by libvirt, so there should be no regressions. + ==================================================== + The generated Apparmor policy prevents a guest from using huge pages. Steps to reproduce: 1) Set KVM_HUGEPAGES=1 in /etc/default/qemu-kvm 2) restart qemu-kvm 3) sysctl vm.nr_hugepages = 256 4) virsh define/edit test-guest - ... - <memoryBacking> - <hugepages/> - </memoryBacking> - ... + ... + <memoryBacking> + <hugepages/> + </memoryBacking> + ... 5) virsh start test-guest 6) check /var/log/kern.log searching for: - apparmor="DENIED" operation="mknod" parent=1 profile="libvirt-42c86291-5d88-443f-96b7-3dbfd22c8658" name="/run/hugepages/kvm/libvirt/qemu/qemu_back_mem.pc.ram.kuj13U" pid=4035 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107 ouid=107 + apparmor="DENIED" operation="mknod" parent=1 profile="libvirt-42c86291-5d88-443f-96b7-3dbfd22c8658" name="/run/hugepages/kvm/libvirt/qemu/qemu_back_mem.pc.ram.kuj13U" pid=4035 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107 ouid=107 + As a temporary measure, I added this to /etc/apparmor.d/abstractions + /libvirt-qemu: - As a temporary measure, I added this to /etc/apparmor.d/abstractions/libvirt-qemu: - - owner "/run/hugepages/kvm/libvirt/qemu/**" rw, + owner "/run/hugepages/kvm/libvirt/qemu/**" rw, And it works. A better fix would be to fix the policy generator because the huge pages is now pretty visible since it is in /etc/default/qemu- kvm.
Even if this bug is related to LP: #1001584 I think it's 2 different issues. - # lsb_release -rd Description: Ubuntu 13.10 Release: 13.10 # apt-cache policy libvirt-bin libvirt-bin: - Installed: 1.1.1-0ubuntu8.1 - Candidate: 1.1.1-0ubuntu8.1 - Version table: - *** 1.1.1-0ubuntu8.1 0 - 500 http://security.ubuntu.com/ubuntu/ saucy-security/main amd64 Packages - 100 /var/lib/dpkg/status - 1.1.1-0ubuntu8 0 - 500 http://archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages + Installed: 1.1.1-0ubuntu8.1 + Candidate: 1.1.1-0ubuntu8.1 + Version table: + *** 1.1.1-0ubuntu8.1 0 + 500 http://security.ubuntu.com/ubuntu/ saucy-security/main amd64 Packages + 100 /var/lib/dpkg/status + 1.1.1-0ubuntu8 0 + 500 http://archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages

--
https://bugs.launchpad.net/bugs/1250216
Title: apparmor policy prevents using hugepages
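
Review bot: In the added SRU Justification, item 4 ("Test case: see below") points at reproduction steps that end with finding the apparmor="DENIED" operation="mknod" entry in /var/log/kern.log, which is the failing state; state the pass criterion for the fixed package as well, for example that the guest starts after step 5 and no such denial is logged for the hugepage backing file. Item 2 could also quote the exact rule being added (owner "/run/hugepages/kvm/libvirt/qemu/**" rw,) so the "files owned by libvirt" claim in item 5 can be checked against it.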