[Pkg-libvirt-maintainers] Bug#993856: libvirt-daemon-system: vfio device passthrough fails with device pools due to apparmor profile
Vasudev Kamath
vasudev at debian.org
Tue Sep 7 10:45:26 BST 2021
Package: libvirt-daemon-system
Version: 7.6.0-1
Severity: important
Dear Maintainer,
Possibly related bug: [1]. The issue is similar to what is explained in that bug
but is not addressed by the fix which is already present in the src:libvirt 7.6
version.
PS: Though I am reporting from an unstable machine, the actual test was done using libvirt 7.6
from unstable built for Bullseye.
I'm defining the network device pool which looks like below
<network>
<name>passthrough</name>
<uuid>f152e522-96d1-4a74-8aae-01f94244f8df</uuid>
<forward mode='hostdev' managed='yes'>
<pf dev='ens6np0'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x00' function='0x1'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x00' function='0x2'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x00' function='0x3'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x00' function='0x4'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x00' function='0x5'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x00' function='0x6'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x00' function='0x7'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x01' function='0x0'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x01' function='0x1'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x01' function='0x2'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x01' function='0x3'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x01' function='0x4'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x01' function='0x5'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x01' function='0x6'/>
<address type='pci' domain='0x0000' bus='0x18' slot='0x01' function='0x7'/>
</forward>
</network>
And the network configuration in libvirt domain looks like below
<interface type='network'>
<mac address='52:54:00:e1:5b:95'/>
<source network='passthrough'/>
<teaming type='transient' persistent='ua-backup0'/>
<address type='pci' domain='0x0000' bus='0x08' slot='0x00' function='0x0'/>
</interface>
When I start the domain, even though the domain starts fine, VF passthrough does not happen and the following
message is seen in the dmesg output:
[11236.601474] audit: type=1400 audit(1630925018.676:49): apparmor="DENIED" operation="open" profile="libvirt-e70e9c2c-110c-401c-982f-cb384d158471" name="/dev/vfio/315" pid=5929 comm=43505520382F4B564D requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=64055
and passthrough does not happen.
Note that this does not happen if the device pool interface is not present during start of the domain and is hot
attached using the below command:
sudo virsh attach-device --live --config debian10 network-pool-debian10.xml
To get the above working, here is what I did: I edited /etc/apparmor.d/libvirt/libvirt-e70e9c2c-110c-401c-982f-cb384d158471 to
add the line "/dev/vfio/vfio rw," and this is what the changed file looks like:
iaas at 515-21020200100006:~$ sudo cat /etc/apparmor.d/libvirt/libvirt-e70e9c2c-110c-401c-982f-cb384d158471
#
# This profile is for the domain whose UUID matches this file.
#
#include <tunables/global>
profile libvirt-e70e9c2c-110c-401c-982f-cb384d158471 flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>
#include <libvirt/libvirt-e70e9c2c-110c-401c-982f-cb384d158471.files>
#
# for vfio hotplug on systems without static vfio (LP: #1775777)
/dev/vfio/vfio rw,
}
Post the change I did following
sudo aa-teardown
sudo systemctl restart libvirtd
sudo systemctl restart apparmor
And on the next start, device passthrough happens. I'm not sure if what I did is right, but this seems to work
and I would be happy to see this done in the apparmor profile shipped by libvirt.
PS: I'm a noob with apparmor; all I did was a bit of experimenting to get things working for my use case.
If any other information is needed from my side please let me know.
[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1775777
Thanks and Regards,
Vasudev
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libvirt-daemon-system depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.77
ii gettext-base 0.21-4
ii iptables 1.8.7-1
ii libvirt-clients 7.6.0-1
ii libvirt-daemon 7.6.0-1
ii libvirt-daemon-config-network 7.6.0-1
ii libvirt-daemon-config-nwfilter 7.6.0-1
ii libvirt-daemon-system-systemd 7.6.0-1
ii logrotate 3.18.1-2
ii policykit-1 0.105-31
Versions of packages libvirt-daemon-system recommends:
ii dmidecode 3.3-3
ii dnsmasq-base [dnsmasq-base] 2.85-1
ii iproute2 5.13.0-2
ii mdevctl 0.81-1
ii parted 3.4-1
Versions of packages libvirt-daemon-system suggests:
ii apparmor 2.13.6-10
pn auditd <none>
ii nfs-common 1:1.3.4-6
ii open-iscsi 2.1.3-5
pn pm-utils <none>
ii radvd 1:2.18-3
ii systemd 247.9-1
pn systemtap <none>
pn zfsutils <none>
-- Configuration Files:
/etc/libvirt/qemu.conf [Errno 13] Permission denied: '/etc/libvirt/qemu.conf'
-- debconf information:
libvirt-daemon-system/id_warning: true
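A small helper for the triage step shown in the report above: it parses AppArmor type=1400 records as they appear in dmesg, decodes the hex-encoded comm= field (the kernel hex-encodes it when the process name contains a space, as with the QEMU vCPU thread here), merges repeated denials per profile and path, and derives the profile rule that would permit exactly the denied access. This is an added example written for this page, not code from the bug report or from libvirt. The first log line is the one quoted in the report; the other lines are constructed (their UUID, pids and paths are invented), and the /etc/apparmor.d/libvirt/<profile> mapping follows the per-domain file the reporter edited. Note that it proposes a rule for the denied path itself (/dev/vfio/315), whereas the reporter's working fix added /dev/vfio/vfio.

```python
import re

# The audit line quoted in the bug report (copied from the page).
DENIAL_FROM_REPORT = (
    '[11236.601474] audit: type=1400 audit(1630925018.676:49): apparmor="DENIED" '
    'operation="open" profile="libvirt-e70e9c2c-110c-401c-982f-cb384d158471" '
    'name="/dev/vfio/315" pid=5929 comm=43505520382F4B564D requested_mask="wr" '
    'denied_mask="wr" fsuid=64055 ouid=64055'
)

# Constructed sample log: the report's line plus invented records (second vCPU
# thread, an ALLOWED record for another made-up domain, and an unrelated line).
SAMPLE_LOG = [
    DENIAL_FROM_REPORT,
    '[11236.602001] audit: type=1400 audit(1630925018.677:50): apparmor="DENIED" '
    'operation="open" profile="libvirt-e70e9c2c-110c-401c-982f-cb384d158471" '
    'name="/dev/vfio/315" pid=5930 comm=43505520392F4B564D requested_mask="r" '
    'denied_mask="r" fsuid=64055 ouid=64055',
    '[11240.000000] audit: type=1400 audit(1630925022.000:51): apparmor="ALLOWED" '
    'operation="open" profile="libvirt-00000000-0000-0000-0000-000000000001" '
    'name="/dev/null" pid=6001 comm="qemu-system-x86" requested_mask="w" denied_mask="w"',
    '[11241.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd',
]

AUDIT_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
AUDIT_STAMP_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')     # audit(epoch:serial)


def parse_apparmor_audit(line):
    """Parse one kernel log line into a dict of its key=value fields.

    Returns None for lines that are not AppArmor (type=1400) records. A bare
    (unquoted) comm= value made of hex digits is decoded back to the process name."""
    if 'type=1400' not in line or 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in AUDIT_FIELD_RE.findall(line):
        if quoted:
            fields[key] = quoted
        elif key == 'comm' and len(bare) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', bare):
            fields[key] = bytes.fromhex(bare).decode('ascii', 'replace')
        else:
            fields[key] = bare
    stamp = AUDIT_STAMP_RE.search(line)
    if stamp:
        fields['timestamp'], fields['serial'] = stamp.group(1), stamp.group(2)
    return fields


# Order AppArmor prints file permissions in; create ('c') and delete ('d') in a
# denied_mask are covered by 'w' in a profile rule. Exec ('x') is left out on
# purpose: an exec rule needs a qualifier (ix/Px/Ux...) chosen by a human.
_PERM_ORDER = 'rwamkl'
_MASK_TO_PERM = {'r': 'r', 'w': 'w', 'a': 'a', 'c': 'w', 'd': 'w',
                 'm': 'm', 'k': 'k', 'l': 'l'}


def perms_from_mask(mask):
    """Map an audit denied_mask string to the permission letters of a file rule."""
    perms = {_MASK_TO_PERM[c] for c in mask if c in _MASK_TO_PERM}
    return ''.join(p for p in _PERM_ORDER if p in perms)


def suggest_file_rule(fields):
    """Return the AppArmor file rule that would permit exactly this denial,
    e.g. '/dev/vfio/315 rw,', or None if the record is not a usable file denial."""
    if fields.get('apparmor') != 'DENIED' or not fields.get('name'):
        return None
    perms = perms_from_mask(fields.get('denied_mask', ''))
    return f"{fields['name']} {perms}," if perms else None


def profile_file(profile):
    """Per-domain profile path as used in the report (assumed layout: libvirt-<uuid>)."""
    return f"/etc/apparmor.d/libvirt/{profile}"


def summarize_denials(lines, profile_prefix='libvirt-'):
    """Merge DENIED records per (profile, path) for profiles with the given prefix."""
    merged = {}
    for line in lines:
        f = parse_apparmor_audit(line)
        if not f or f.get('apparmor') != 'DENIED' or not f.get('name'):
            continue
        if not f.get('profile', '').startswith(profile_prefix):
            continue
        e = merged.setdefault((f['profile'], f['name']),
                              {'profile': f['profile'], 'path': f['name'],
                               'mask': set(), 'pids': set(), 'comms': set()})
        e['mask'].update(f.get('denied_mask', ''))
        e['pids'].add(f.get('pid', '?'))
        e['comms'].add(f.get('comm', '?'))
    return [{'profile': e['profile'], 'profile_file': profile_file(e['profile']),
             'path': e['path'],
             'rule': f"{e['path']} {perms_from_mask(''.join(sorted(e['mask'])))},",
             'pids': sorted(e['pids']), 'comms': sorted(e['comms'])}
            for e in merged.values()]


if __name__ == '__main__':
    # Feed real input with: dmesg | python3 this_script.py  (reads stdin if piped)
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for d in summarize_denials(lines):
        print(f"{d['profile_file']}: needs '{d['rule']}' "
              f"(pids {', '.join(d['pids'])}; comm {', '.join(d['comms'])})")
```

The merge step matters in practice: each vCPU thread of the guest produces its own denial for the same device node, so raw dmesg output inflates one missing rule into many records. Grouping by (profile, path) and taking the union of the denied masks gives one rule per missing permission, which is what a maintainer wants to see attached to a report like this one.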