Re: USB-hotplugging fails with "failed to load cgroup BPF prog: Operation not permitted" on cgroups v2

Hi, Quoting Pavel Hrdina (2020-01-20 14:29:36) > On Sat, Jan 18, 2020 at 11:17:11PM +0100, Pol Van Aubel wrote: > > Hi all, > > > > I've disabled cgroups v1 on my system with the kernel boot option > > "systemd.unified_cgroup_hierarchy=1". Since doing so, USB hotplugging > > fails to work, seemingly due to a permissions problem with BPF. Please > > note that the technique I'm going to describe worked just fine for > > hotplugging USB devices to running domains until this change. > > Attaching / detaching USB devices when the domain is down still works as > > expected. > > > > I get the same error when attaching a device in virt-manager, as I do > > when running the following command: > > > > sudo virsh attach-device wenger /dev/stdin --persistent <<END > > <hostdev mode='subsystem' type='usb' managed='yes'> > > <source startupPolicy='optional'> > > <vendor id='0x046d' /> > > <product id='0xc215' /> > > </source> > > </hostdev> > > END > > > > This returns > > error: Failed to attach device from /dev/stdin > > error: failed to load cgroup BPF prog: Operation not permitted > > > > > > virt-manager returns basically the same error, but for completeness' > > sake, here it is: > > > > failed to load cgroup BPF prog: Operation not permitted > > > > Traceback (most recent call last): > > File "/usr/share/virt-manager/virtManager/addhardware.py", line 1327, in _add_device > > self.vm.attach_device(dev) > > File "/usr/share/virt-manager/virtManager/object/domain.py", line 920, in attach_device > > self._backend.attachDevice(devxml) > > File "/usr/lib/python3.8/site-packages/libvirt.py", line 590, in attachDevice > > if ret == -1: raise libvirtError ('virDomainAttachDevice() failed', dom=self) > > libvirt.libvirtError: failed to load cgroup BPF prog: Operation not permitted > > > > > > Now, libvirtd is running as root, so I don't understand why any > > operation on BPF programs is not permitted. I've dug into libvirt's code > > a bit to see what is throwing this error and it boils down to > > <https://github.com/libvirt/libvirt/blob/7d608469621a3fda72dff2a89308e68cc... > > and > > <https://github.com/libvirt/libvirt/blob/02bf7cc68bfc76242f02d23e73cad3661... > > but I have no clue what that syscall is doing, so that's where my > > debugging capability basically ends. > > > > Maybe this is something as simple as setting the right ACL somewhere. I > > haven't touched /etc/libvirt/qemu.conf except for setting nvram. There > > *is* something about cgroup_device_acl there but afaict that's for > > cgroups v1, when there was still a device cgroup controller. Any help > > would be greatly appreciated. > > > > > > Domain log files: > > Upon execution of the above commands, nothing gets added to the domain > > log in /var/log/qemu/wenger.log, so I've decided they're likely > > irrelevant to the issue. Please ask for any additional info required. > > > > > > System information: > > Arch Linux, (normal) kernel 5.4.11 > > libvirt 5.10.0 > > qemu 4.2.0, using KVM. > > Host system is x86_64 on an intel 5820k. > > Guest system is probably irrelevant, but is Windows 10 on the same. > > > > > > Possibly relevant kernel build options: > > $ zgrep BPF /proc/config.gz > > [22:55:52]: zgrep BPF /proc/config.gz > > > > CONFIG_CGROUP_BPF=y > > CONFIG_BPF=y > > CONFIG_BPF_SYSCALL=y > > CONFIG_BPF_JIT_ALWAYS_ON=y > > CONFIG_IPV6_SEG6_BPF=y > > CONFIG_NETFILTER_XT_MATCH_BPF=m > > # CONFIG_BPFILTER is not set > > CONFIG_NET_CLS_BPF=m > > CONFIG_NET_ACT_BPF=m > > CONFIG_BPF_JIT=y > > CONFIG_BPF_STREAM_PARSER=y > > CONFIG_LWTUNNEL_BPF=y > > CONFIG_HAVE_EBPF_JIT=y > > CONFIG_BPF_EVENTS=y > > # CONFIG_BPF_KPROBE_OVERRIDE is not set > > # CONFIG_TEST_BPF is not set > > Hi > > I've installed clean archlinux to try this out and it works as expected, > I'm able to attach USB device into a VM. > > My system env is mostly the same as yours except for kernel version: > > kernel 5.4.13 > libvirt 5.10.0 > qemu 4.2.0, using KVM. > > Please enable libvirt debug logs [1] and share the output with us. I've updated to 5.4.13 and created a barebones VM without storage to reproduce the behaviour. libvirtd debug logs are attached. There appear to be two BPF failures of the same BPF program (?). The first is on line 23209, which appears to be part of machine startup, and which I don't actually notice. The second one is where I manually add the USB device, on line 30599. Thanks,