Hi,
Quoting Pavel Hrdina (2020-01-20 14:29:36)
> On Sat, Jan 18, 2020 at 11:17:11PM +0100, Pol Van Aubel wrote:
> > Hi all,
> >
> > I've disabled cgroups v1 on my system with the kernel boot option
> > "systemd.unified_cgroup_hierarchy=1". Since doing so, USB hotplugging
> > fails to work, seemingly due to a permissions problem with BPF. Please
> > note that the technique I'm going to describe worked just fine for
> > hotplugging USB devices to running domains until this change.
> > Attaching / detaching USB devices when the domain is down still works as
> > expected.
> >
> > I get the same error when attaching a device in virt-manager, as I do
> > when running the following command:
> >
> > sudo virsh attach-device wenger /dev/stdin --persistent <<END
> > <hostdev mode='subsystem' type='usb' managed='yes'>
> > <source startupPolicy='optional'>
> > <vendor id='0x046d' />
> > <product id='0xc215' />
> > </source>
> > </hostdev>
> > END
> >
> > This returns
> > error: Failed to attach device from /dev/stdin
> > error: failed to load cgroup BPF prog: Operation not permitted
> >
> >
> > virt-manager returns basically the same error, but for completeness'
> > sake, here it is:
> >
> > failed to load cgroup BPF prog: Operation not permitted
> >
> > Traceback (most recent call last):
> > File "/usr/share/virt-manager/virtManager/addhardware.py", line 1327, in _add_device
> > self.vm.attach_device(dev)
> > File "/usr/share/virt-manager/virtManager/object/domain.py", line 920, in attach_device
> > self._backend.attachDevice(devxml)
> > File "/usr/lib/python3.8/site-packages/libvirt.py", line 590, in attachDevice
> > if ret == -1: raise libvirtError ('virDomainAttachDevice() failed', dom=self)
> > libvirt.libvirtError: failed to load cgroup BPF prog: Operation not permitted
> >
> >
> > Now, libvirtd is running as root, so I don't understand why any
> > operation on BPF programs is not permitted. I've dug into libvirt's code
> > a bit to see what is throwing this error and it boils down to
> >
> > <https://github.com/libvirt/libvirt/blob/7d608469621a3fda72dff2a89308e68cc...
> > and
> >
> > <https://github.com/libvirt/libvirt/blob/02bf7cc68bfc76242f02d23e73cad3661...
> > but I have no clue what that syscall is doing, so that's where my
> > debugging capability basically ends.
> >
> > Maybe this is something as simple as setting the right ACL somewhere. I
> > haven't touched /etc/libvirt/qemu.conf except for setting nvram. There
> > *is* something about cgroup_device_acl there but afaict that's for
> > cgroups v1, when there was still a device cgroup controller. Any help
> > would be greatly appreciated.
> >
> >
> > Domain log files:
> > Upon execution of the above commands, nothing gets added to the domain
> > log in /var/log/qemu/wenger.log, so I've decided they're likely
> > irrelevant to the issue. Please ask for any additional info required.
> >
> >
> > System information:
> > Arch Linux, (normal) kernel 5.4.11
> > libvirt 5.10.0
> > qemu 4.2.0, using KVM.
> > Host system is x86_64 on an intel 5820k.
> > Guest system is probably irrelevant, but is Windows 10 on the same.
> >
> >
> > Possibly relevant kernel build options:
> > $ zgrep BPF /proc/config.gz
> > [22:55:52]: zgrep BPF /proc/config.gz
> >
> > CONFIG_CGROUP_BPF=y
> > CONFIG_BPF=y
> > CONFIG_BPF_SYSCALL=y
> > CONFIG_BPF_JIT_ALWAYS_ON=y
> > CONFIG_IPV6_SEG6_BPF=y
> > CONFIG_NETFILTER_XT_MATCH_BPF=m
> > # CONFIG_BPFILTER is not set
> > CONFIG_NET_CLS_BPF=m
> > CONFIG_NET_ACT_BPF=m
> > CONFIG_BPF_JIT=y
> > CONFIG_BPF_STREAM_PARSER=y
> > CONFIG_LWTUNNEL_BPF=y
> > CONFIG_HAVE_EBPF_JIT=y
> > CONFIG_BPF_EVENTS=y
> > # CONFIG_BPF_KPROBE_OVERRIDE is not set
> > # CONFIG_TEST_BPF is not set
>
> Hi
>
> I've installed clean archlinux to try this out and it works as expected,
> I'm able to attach USB device into a VM.
>
> My system env is mostly the same as yours except for kernel version:
>
> kernel 5.4.13
> libvirt 5.10.0
> qemu 4.2.0, using KVM.
>
> Please enable libvirt debug logs [1] and share the output with us.

I've updated to 5.4.13 and created a barebones VM without storage to
reproduce the behaviour. libvirtd debug logs are attached. There appear
to be two BPF failures of the same BPF program (?). The first is on line
23209, which appears to be part of machine startup, and which I don't
actually notice. The second one is where I manually add the USB device,
on line 30599.
Thanks,

Thanks for the logs, but it did not help to figure out where the issue
is. I was hoping to see some error output from the syscall but the line
that should contain it is empty:
2020-01-20 19:47:15.589+0000: 8579: debug : virBPFLoadProg:78 :
Can you please check system logs and output of dmesg?
I've managed to run into this article [1] that explains that even if you
have all permissions and no SELinux you can still be blocked by
something called kernel_lockdown and it should appear in dmesg.
Pavel
[1]
<
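To separate a libvirt problem from a kernel or policy problem, the C program below (an added diagnostic, not libvirt's code and not written by either poster) performs the same kind of bpf() load that virBPFLoadProg does, a minimal BPF_PROG_TYPE_CGROUP_DEVICE program, and maps the errno it gets back to the causes raised in this thread: missing capabilities, the BPF memlock charge, and kernel lockdown. It assumes a Linux host with the kernel UAPI headers installed; the function names are mine, and running it as root (the way libvirtd runs) is what makes the comparison meaningful.

```c
/* Added diagnostic, not libvirt code: load the smallest possible
 * BPF_PROG_TYPE_CGROUP_DEVICE program (the type libvirt uses for device
 * ACLs on cgroups v2) and report why the kernel refused it. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>
/* Two instructions: r0 = 1 (allow every device access), then exit. */
static const struct bpf_insn allow_all[] = {
    { .code = BPF_ALU64 | BPF_MOV | BPF_K, .dst_reg = BPF_REG_0, .imm = 1 },
    { .code = BPF_JMP | BPF_EXIT },
};

/* Returns a program fd (>= 0) on success, or -errno on failure. */
int try_load_cgroup_device_prog(void)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.prog_type = BPF_PROG_TYPE_CGROUP_DEVICE;
    attr.insns = (__u64)(unsigned long)allow_all;
    attr.insn_cnt = sizeof(allow_all) / sizeof(allow_all[0]);
    attr.license = (__u64)(unsigned long)"GPL";
    long fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
    return fd >= 0 ? (int)fd : -errno;
}

/* Maps an errno from BPF_PROG_LOAD to the causes worth checking first. */
const char *explain_bpf_load_errno(int err)
{
    switch (err) {
    case 0:      return "ok: cgroup device program accepted";
    case EPERM:  return "EPERM: no CAP_SYS_ADMIN (CAP_BPF on 5.8+), BPF memlock "
                        "charge exhausted (pre-5.11), or lockdown/LSM refusal; "
                        "check dmesg and /sys/kernel/security/lockdown";
    case EINVAL: return "EINVAL: program type rejected (CONFIG_CGROUP_BPF off?)";
    case ENOSYS: return "ENOSYS: kernel built without CONFIG_BPF_SYSCALL";
    default:     return "unexpected errno, see strerror(3)";
    }
}

int main(void)
{
    int r = try_load_cgroup_device_prog();
    printf("%s\n", explain_bpf_load_errno(r >= 0 ? 0 : -r));
    if (r >= 0) close(r);
    return r >= 0 ? 0 : 1;
}
```

If this succeeds as root while libvirtd still fails, the restriction is specific to libvirtd's context (its service unit, capabilities or an LSM label) rather than the kernel as a whole.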