apparmor policy prevents using hugepages
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libvirt (Ubuntu) | Fix Released | High | Unassigned | |
Saucy | Fix Released | High | Unassigned | |
Bug Description
=======
SRU Justification
=======
1. Impact: users cannot use hugepages
2. Development fix: allow libvirt to write to its own hugepage files
3. Stable fix: same as development fix
4. Test case: see below
5. Regression potential: we only add a new apparmor permission to files owned by libvirt, so there should be no regressions.
=======
The generated AppArmor policy prevents a guest from using huge pages.
Steps to reproduce:
1) Set KVM_HUGEPAGES=1 in /etc/default/
2) restart qemu-kvm
3) sysctl vm.nr_hugepages=256
4) virsh define/edit test-guest
...
<memoryBacking>
<hugepages/>
</memoryBacking>
...
5) virsh start test-guest
6) check /var/log/kern.log searching for:
apparmor="DENIED" operation="mknod" parent=1 profile=
As a temporary measure, I added this to /etc/apparmor.
owner "/run/hugepages
And it works. A better fix would be to fix the policy generator because the huge pages is now pretty visible since it is in /etc/default/
Even if this bug is related to LP: #1001584, I think they are 2 different issues.
# lsb_release -rd
Description: Ubuntu 13.10
Release: 13.10
# apt-cache policy libvirt-bin
libvirt-bin:
Installed: 1.1.1-0ubuntu8.1
Candidate: 1.1.1-0ubuntu8.1
Version table:
*** 1.1.1-0ubuntu8.1 0
500 http://
100 /var/lib/
1.1.1-0ubuntu8 0
500 http://
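The check in step 6 can be run over a whole kernel log rather than by eye. The following is an added example, not part of the original report or of libvirt: it parses AppArmor audit lines and groups denials on hugepage files by guest profile and operation. The log lines are constructed, the function names are hypothetical, and it assumes per-guest profile names begin with `libvirt-`.

```python
import re
from collections import defaultdict

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

# Constructed kern.log lines (not from the report): the profile UUID, PIDs,
# comm and the file names under /run/hugepages/ are made-up sample values.
GUEST = 'profile="libvirt-00000000-0000-0000-0000-000000000001"'
HEAD = 'Nov 11 10:02:11 host kernel: [  812.101] type=1400 audit(1384164131.101:41): '
SAMPLE_LOG = "\n".join([
    HEAD + 'apparmor="DENIED" operation="mknod" parent=1 ' + GUEST +
    ' name="/run/hugepages/example/guest.AAAAAA" pid=4242 comm="kvm"'
    ' requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    HEAD + 'apparmor="DENIED" operation="open" parent=1 ' + GUEST +
    ' name="/run/hugepages/example/guest.AAAAAA" pid=4242 comm="kvm"'
    ' requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    HEAD + 'apparmor="DENIED" operation="open" parent=1 ' + GUEST +
    ' name="/srv/example/other.img" pid=4242 comm="kvm"'
    ' requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    HEAD + 'apparmor="STATUS" operation="profile_replace" name="example"'
    ' pid=99 comm="apparmor_parser"',
])

def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def hugepage_denials(log_text, prefix="/run/hugepages/"):
    """Group DENIED events on files under prefix by (profile, operation)."""
    found = defaultdict(lambda: {"masks": set(), "paths": set()})
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = parse_audit(line)
        if not f.get("profile", "").startswith("libvirt-") or not f.get("name", "").startswith(prefix):
            continue
        entry = found[(f["profile"], f.get("operation", "?"))]
        entry["masks"].update(f.get("denied_mask", ""))  # one character per permission
        entry["paths"].add(f["name"])
    return dict(found)

if __name__ == "__main__":
    for (profile, op), hit in sorted(hugepage_denials(SAMPLE_LOG).items()):
        print(profile, op, "".join(sorted(hit["masks"])), sorted(hit["paths"]))
```

Grouping by profile and operation shows which guests are affected and which access types were refused, which is what needs confirming before and after a policy change.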
Changed in libvirt (Ubuntu Saucy):
importance: Undecided → High
status: New → Triaged
description: updated
Thanks, this should be applied to trusty and SRUd to saucy.
status: confirmed
importance: high