Bug 1719578

Summary: VM failed to start with error "failed to install seccomp syscall filter in the kernel"
Product: Red Hat Enterprise Linux 8
Component: qemu-kvm
Version: 8.1
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: yisun
Assignee: Marc-Andre Lureau <marcandre.lureau>
QA Contact: yduan
CC: ddepaula, eterrell, jinzhao, juzhang, marcandre.lureau, rbalakri, ribarry, virt-maint, weizhan, yanqzhan, yduan, yfu, yisun
Keywords: Automation, Regression, TestBlocker
Target Milestone: rc
Target Release: 8.1
Fixed In Version: qemu-kvm-2.12.0-77.module+el8.1.0+3382+49219945
Last Closed: 2019-11-05 20:50:27 UTC
Type: Bug
Bug Blocks: 1720306

Description yisun 2019-06-12 07:57:55 UTC
description:
VM failed to start with error "failed to install seccomp syscall filter in the kernel"

versions:
[root@jslave-libvirt-rhel-8 images]# rpm -qa | egrep "libvirt-4|qemu-kvm-2|kernel-4"
kernel-4.18.0-104.el8.x86_64
libvirt-4.5.0-24.module+el8.1.0+3205+41ff0a42.x86_64
qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
python3-libvirt-4.5.0-1.module+el8.1.0+2983+b2ae9c0a.x86_64
kernel-4.18.0-100.el8.x86_64

how reproducible:
100%

key words: REGRESSION
not reproduced with 
qemu-kvm-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64



steps:
1. vm can be started with previous version:
[root@jslave-libvirt-rhel-8 images]# rpm -qa | grep qemu-kvm
qemu-kvm-block-ssh-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-block-gluster-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-core-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-common-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-block-rbd-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-block-curl-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-block-iscsi-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64


[root@jslave-libvirt-rhel-8 images]# virsh start r8
Domain r8 started


2. after qemu-kvm updated, failed to start:
[root@jslave-libvirt-rhel-8 images]# yum update qemu-kvm
...
...


[root@jslave-libvirt-rhel-8 images]# rpm -qa | grep qemu-kvm
qemu-kvm-block-rbd-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-curl-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-iscsi-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-core-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-common-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-ssh-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-gluster-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64


[root@jslave-libvirt-rhel-8 images]# virsh destroy r8
Domain r8 destroyed

[root@jslave-libvirt-rhel-8 images]# virsh start r8
error: Failed to start domain r8
error: internal error: process exited while connecting to monitor: 2019-06-12T07:51:14.183561Z qemu-kvm: -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny: failed to install seccomp syscall filter in the kernel



3. vm's xml as follows:
[root@jslave-libvirt-rhel-8 images]# virsh dumpxml r8
<domain type='kvm'>
  <name>r8</name>
  <uuid>75464011-67be-4231-90d5-67a9c9f35c5c</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-rhel7.6.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/rhel8.img'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:df:11:61'/>
      <source network='default'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='tablet' bus='usb'>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <listen type='address'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
  </devices>
</domain>



expected result:
vm should start without error.

Comment 2 Yanan Fu 2019-06-12 08:59:45 UTC
Simple qemu command for this issue:

# /usr/libexec/qemu-kvm -sandbox on -monitor stdio
qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel

# /usr/libexec/qemu-kvm -sandbox off -monitor stdio
QEMU 2.12.0 monitor - type 'help' for more information
(qemu) VNC server running on ::1:5900

Comment 3 Danilo de Paula 2019-06-12 12:47:33 UTC
This seems to be a big deal. Requesting blocker for it.

Comment 5 Danilo de Paula 2019-06-12 15:33:06 UTC
I'm not able to reproduce this issue:

[root@virtlab503 ~]# rpm -qa | egrep "libvirt-4|qemu-kvm-2|kernel-4"
kernel-4.18.0-100.el8.x86_64
kernel-4.18.0-104.el8.x86_64
libvirt-4.5.0-24.module+el8.1.0+3205+41ff0a42.x86_64
qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64

[root@virtlab503 ~]# uname -r
4.18.0-104.el8.x86_64

[root@virtlab503 ~]#  rpm -qa | grep qemu-kvm
qemu-kvm-block-curl-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-common-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-iscsi-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-core-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-rbd-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-ssh-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-gluster-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64


[root@virtlab503 ~]# /usr/libexec/qemu-kvm -sandbox on -monitor stdio
QEMU 2.12.0 monitor - type 'help' for more information
(qemu) VNC server running on ::1:5900


[root@virtlab503 ~]# /usr/libexec/qemu-kvm -sandbox off -monitor stdio
QEMU 2.12.0 monitor - type 'help' for more information
(qemu) VNC server running on ::1:5900


Also, I tried to import the VM definition from the report (with a nightly image [1]):

[root@virtlab503 ~]# virsh create /tmp/vm.xml 
setlocale: No such file or directory
Domain r8 created from /tmp/vm.xml

[root@virtlab503 ~]# virsh domstate r8
setlocale: No such file or directory
running

[root@virtlab503 ~]# virsh domifaddr r8
setlocale: No such file or directory
 Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet0      52:54:00:df:11:61    ipv4         192.168.122.57/24


I tested with a nested environment and in a beaker host.
Same result in both (but I didn't set a vm in the nested environment)

Some considerations:
kernel-4.18.0-100.el8.x86_64 doesn't seem to be in any nightly repository today. I had to download and manually install it.

Even with that Kernel, I wasn't able to reproduce it with qemu-kvm-core-2.12.0-76.
Perhaps there's something more that the reporter did?


[1] http://download.devel.redhat.com/nightly/latest-RHEL-8/compose/BaseOS/x86_64/images/rhel-guest-image-8.1-84.x86_64.qcow2

Comment 11 Yanan Fu 2019-06-13 02:41:07 UTC
Host tree we use: RHEL-8.1.0-20190604.7 

qemu: qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
libseccomp : libseccomp-2.3.3-3.el8

Tested with the same qemu version, updated libseccomp to libseccomp-2.4.1-1.el8.x86_64: works well.

Comment 12 Marc-Andre Lureau 2019-06-13 11:27:22 UTC
(fwiw, libseccomp 2.4 is bug 1602006)

Comment 13 Danilo de Paula 2019-06-13 14:08:14 UTC
(In reply to Marc-Andre Lureau from comment #12)
> (fwiw, libseccomp 2.4 is bug 1602006)

Sorry, I'm packaged with some urgent last-minute-before-release-and-pto.
Can you send a patch bumping it to 2.4?

Comment 14 Marc-Andre Lureau 2019-06-13 15:42:24 UTC
I sent:
[RHEL-8.1.0 qemu-kvm PATCH] qemu-kvm.spec: bump libseccomp >= 2.4.0

For some reason, the bug status isn't updated this time.

Comment 15 Danilo de Paula 2019-06-13 15:57:22 UTC
Missed the Branch: tag

Comment 16 Danilo de Paula 2019-06-13 21:48:05 UTC
Fix included in qemu-kvm-2.12.0-77.module+el8.1.0+3382+49219945

Comment 18 yduan 2019-06-18 02:01:09 UTC
Reproduced with qemu-kvm-core-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64 + libseccomp-2.3.3-3.el8.x86_64.
Cannot reproduce with qemu-kvm-core-2.12.0-77.module+el8.1.0+3382+49219945.x86_64 + libseccomp-2.4.1-1.el8.x86_64.

So VERIFIED.
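
Added example (not part of the bug thread or of the qemu-kvm packaging): a shell preflight check for the dependency this bug turned on, using the `>= 2.4.0` minimum from the spec patch title in comment 14. The function names and the two package lists are constructed here from the versions quoted in comments 11 and 18.

```shell
#!/bin/sh
# Added example. Minimum taken from the spec patch title in comment 14.
MIN_LIBSECCOMP="2.4.0"

# version_ge A B: succeed when dotted numeric version A >= B (so 2.10 > 2.4).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Read `rpm -qa` style lines on stdin and print the libseccomp version.
# Requiring a digit after the dash skips subpackages such as libseccomp-devel.
libseccomp_version_from() {
    sed -n 's/^libseccomp-\([0-9][0-9.]*\)-.*/\1/p' | head -n 1
}

# Print a verdict for the package list on stdin.
# Returns 0 = ok, 1 = too old, 2 = libseccomp not listed.
check_sandbox_prereq() {
    ver=$(libseccomp_version_from)
    if [ -z "$ver" ]; then
        echo "unknown: libseccomp not found in package list"
        return 2
    fi
    if version_ge "$ver" "$MIN_LIBSECCOMP"; then
        echo "ok: libseccomp $ver >= $MIN_LIBSECCOMP"
        return 0
    fi
    echo "too-old: libseccomp $ver < $MIN_LIBSECCOMP, update it and keep -sandbox on"
    return 1
}

# Constructed package lists, built from the versions quoted in comments 11 and 18.
BROKEN_HOST='qemu-kvm-core-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
libseccomp-2.3.3-3.el8.x86_64'
FIXED_HOST='qemu-kvm-core-2.12.0-77.module+el8.1.0+3382+49219945.x86_64
libseccomp-2.4.1-1.el8.x86_64'

# On a live host the input would be: rpm -qa | check_sandbox_prereq
printf '%s\n' "$BROKEN_HOST" | check_sandbox_prereq || true
printf '%s\n' "$FIXED_HOST" | check_sandbox_prereq
```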

Comment 20 errata-xmlrpc 2019-11-05 20:50:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3345