seapath / meta-seapath

This is the core of the seapath project. The meta-seapath repo contains the yocto Seapath layer, which contains all the code (yocto recipes) needed to build the seapath images used to install seapath (host, guest, flasher, etc.)
https://lfenergy.org/projects/seapath/
Apache License 2.0

libvirtd hardening is too strict #166

Closed dupremathieu closed 9 months ago

dupremathieu commented 9 months ago

Description: Some libvirtd hardening rules block libvirt from locking memory and configuring PCI passthrough.

Steps to reproduce:

  1. Create a VM with attribute in memoryBacking or with a PCI passthrough device
  2. Run the VM
  3. The VM fails to run with a permission denied error.

Expected behavior: The VM should run without error.

Example: If applicable, add screenshots to help explain your problem.

sudo virsh start --console myVM
error: Failed to start domain 'myVM'
error: internal error: qemu unexpectedly closed the monitor: 2024-02-07T09:02:08.234524Z qemu-system-x86_64: -device vfio-pci,host=0000:07:00.0,id=hostdev0,bus=pci.2,addr=0x0: VFIO_MAP_DMA failed: Cannot allocate memory
2024-02-07T09:02:08.235671Z qemu-system-x86_64: -device vfio-pci,host=0000:07:00.0,id=hostdev0,bus=pci.2,addr=0x0: VFIO_MAP_DMA failed: Cannot allocate memory
2024-02-07T09:02:08.235790Z qemu-system-x86_64: -device vfio-pci,host=0000:07:00.0,id=hostdev0,bus=pci.2,addr=0x0: vfio 0000:07:00.0: failed to setup container for group 49: memory listener initialization failed: Region pc.ram: vfio_dma_map(0x648f08f946c0, 0x0, 0x80000000, 0x715dc0000000) = -12 (Cannot allocate memory)

Workaround: Without the hardening rules in the libvirtd service, the VM can be started.
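
A triage check for the failure reported above, added here as an example and not part of the issue or the Seapath code: it reads the size of the failed mapping from the QEMU error and compares it with a daemon's locked-memory limit and capability bounding set. It assumes the ENOMEM comes from RLIMIT_MEMLOCK accounting; the /proc samples, function names and capability mask are constructed for illustration.

```python
import re

CAP_IPC_LOCK = 14       # exempts a task from RLIMIT_MEMLOCK accounting
CAP_SYS_RESOURCE = 24   # needed to raise a process's hard rlimits

# QEMU error quoted in the issue above (trimmed to the relevant part).
QEMU_ERR = ("Region pc.ram: vfio_dma_map(0x648f08f946c0, 0x0, 0x80000000, "
            "0x715dc0000000) = -12 (Cannot allocate memory)")

# Constructed samples of /proc/<pid>/limits and /proc/<pid>/status for a
# hardened daemon; these values are assumptions, not taken from the issue.
SAMPLE_LIMITS = "Max locked memory         8388608              8388608              bytes\n"
SAMPLE_STATUS = "Name:\tlibvirtd\nCapBnd:\t0000000000003c20\n"


def failed_map_size(log):
    """Return the byte size of the DMA mapping that failed with ENOMEM, or None."""
    m = re.search(r"vfio_dma_map\(0x[0-9a-f]+, 0x[0-9a-f]+, 0x([0-9a-f]+), "
                  r"0x[0-9a-f]+\) = -12\b", log)
    return int(m.group(1), 16) if m else None


def memlock_soft_limit(limits_text):
    """Return the soft 'Max locked memory' limit in bytes (None = unlimited)."""
    m = re.search(r"^Max locked memory\s+(\S+)\s+(\S+)", limits_text, re.M)
    if not m:
        raise ValueError("no 'Max locked memory' line")
    return None if m.group(1) == "unlimited" else int(m.group(1))


def bounding_caps(status_text):
    m = re.search(r"^CapBnd:\s*([0-9a-f]+)", status_text, re.M)
    return int(m.group(1), 16)


def triage(log, limits_text, status_text):
    """List the hardening-related conditions that can explain the ENOMEM."""
    need, limit = failed_map_size(log), memlock_soft_limit(limits_text)
    caps, findings = bounding_caps(status_text), []
    if need is not None and limit is not None and limit < need:
        findings.append(f"memlock limit {limit} < mapping size {need}")
    for name, bit in (("CAP_IPC_LOCK", CAP_IPC_LOCK), ("CAP_SYS_RESOURCE", CAP_SYS_RESOURCE)):
        if not (caps >> bit) & 1:
            findings.append(f"{name} missing from bounding set")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(QEMU_ERR, SAMPLE_LIMITS, SAMPLE_STATUS)))
```

On a real host, pass the contents of `/proc/<pid>/limits` and `/proc/<pid>/status` for the libvirtd process in place of the constructed samples.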