[Bug 1276719] [NEW] apparmor denies RLIMIT_MEMLOCK increase needed for VFIO passthrough

Wed Feb 5 17:41:08 UTC 2014

Public bug reported:

When using VFIO for passthrough devices, all memory of the VM must be
locked.

libvirt tries to increase RLIMIT_MEMLOCK, however apparmor is denying
this:

example xml:

    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x03' slot='0x00' function='0x1'/>
      </source>
    </hostdev>

error message on start of VM:

error: internal error: Process exited prior to exec: libvirt:  error :
cannot limit locked memory to 18253611008: Operation not permitted

apparmor log:

kernel: [  783.469784] type=1400 audit(1391620864.251:35):
apparmor="DENIED" operation="capable" profile="/usr/sbin/libvirtd"
pid=2106 comm="libvirtd" capability=24  capname="sys_resource"

strace of libvirtd shows:

[pid  2934] setrlimit(RLIMIT_MEMLOCK, {rlim_cur=17825792*1024,
rlim_max=17825792*1024}) = -1 EPERM (Operation not permitted)

testing with latest Trusty:

ii  libvirt-bin        1.2.1-0ubuntu5         amd64        programs for the libvirt library
ii  libvirt0           1.2.1-0ubuntu5         amd64        library for interfacing with different virtualization systems

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/1276719

Title:
  apparmor denies RLIMIT_MEMLOCK increase needed for VFIO passthrough

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1276719/+subscriptions