Ubuntu
libvirt package

apparmor policy prevents using hugepages

Bug #1250216 reported by Simon Déziel
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)
Fix Released
High
Unassigned
Saucy
Fix Released
High
Unassigned

Bug Description

=================================================
SRU Justification
=================================================
1. Impact: users cannot use hugepages
2. Development fix: allow libvirt to write to its own hugepage files
3. Stable fix: same as development fix
4. Test case: see below
5. Regression potential: we only add a new apparmor permission to files owned by libvirt, so there should be no regressions.
====================================================

The generated Apparmor policy prevents a guest from using huge pages.

Steps to reproduce:

1) Set KVM_HUGEPAGES=1 in /etc/default/qemu-kvm
2) restart qemu-kvm
3) sysctl vm.nr_hugepages = 256
4) virsh define/edit test-guest
  ...
  <memoryBacking>
    <hugepages/>
  </memoryBacking>
  ...
5) virsh start test-guest
6) check /var/log/kern.log searching for:
 apparmor="DENIED" operation="mknod" parent=1 profile="libvirt-42c86291-5d88-443f-96b7-3dbfd22c8658" name="/run/hugepages/kvm/libvirt/qemu/qemu_back_mem.pc.ram.kuj13U" pid=4035 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=107 ouid=107

As a temporary measure, I added this to /etc/apparmor.d/abstractions/libvirt-qemu:

  owner "/run/hugepages/kvm/libvirt/qemu/**" rw,

And it works. A better fix would be to fix the policy generator because the huge pages is now pretty visible since it is in /etc/default/qemu-kvm.

Even if this bug is related to LP: #1001584 I think it's 2 different issues.

# lsb_release -rd
Description: Ubuntu 13.10
Release: 13.10
# apt-cache policy libvirt-bin
libvirt-bin:
  Installed: 1.1.1-0ubuntu8.1
  Candidate: 1.1.1-0ubuntu8.1
  Version table:
 *** 1.1.1-0ubuntu8.1 0
        500 http://security.ubuntu.com/ubuntu/ saucy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1-0ubuntu8 0
        500 http://archive.ubuntu.com/ubuntu/ saucy/main amd64 Packages

See original description
Revision history for this message
Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1250216] [NEW] apparmor policy prevents using hugepages

Thanks, this should be applied to trusty and SRUd to saucy.

 status: confirmed
 importance: high

Changed in libvirt (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.1.4-0ubuntu2

---------------
libvirt (1.1.4-0ubuntu2) trusty; urgency=low

  * debian/patches/9002-better_default_uri_virsh.patch: Update to fix the
    FTBFS.
 -- Chuck Short <email address hidden> Wed, 13 Nov 2013 11:04:29 -0500

Changed in libvirt (Ubuntu):
status: Confirmed → Fix Released
Serge Hallyn (serge-hallyn)
Changed in libvirt (Ubuntu Saucy):
importance: Undecided → High
status: New → Triaged
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Simon, or anyone else affected,

Accepted libvirt into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.1.1-0ubuntu8.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libvirt (Ubuntu Saucy):
status: Triaged → Fix Committed
tags: added: verification-needed
Revision history for this message
Simon Déziel (sdeziel) wrote :

Thanks Serge and Chuck, excellent support as always! Verification done on Saucy.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Stéphane Graber (stgraber) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.1.1-0ubuntu8.2

---------------
libvirt (1.1.1-0ubuntu8.2) saucy-proposed; urgency=low

  * add d/p/util_use_w_flag_when_calling_iptables.patch (LP: #1245322)
  * debian/apparmor/libvirt-qemu: allow access to usb info (LP: #1245251)
  * debian/apparmor/libvirt-qemu: allow access to hugepages mounts
    (LP: #1250216)
 -- Serge Hallyn <email address hidden> Thu, 14 Nov 2013 10:09:24 -0600

Changed in libvirt (Ubuntu Saucy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.