Bug 1824297
Summary: | pmdakvm is causing: [96148.189260] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 in dmesg | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lukas Herbolt <lherbolt> |
Component: | pcp | Assignee: | Nathan Scott <nathans> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 30 | CC: | agerstmayr, mgoodwin, nathans, rbergero, rkudyba, sghosh |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | pcp-5.1.0 pcp-5.1.0-1.fc31 pcp-5.1.0-1.fc32 pcp-5.1.1-1.fc32 pcp-5.1.1-1.fc31 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-05-03 04:53:56 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lukas Herbolt
2020-04-15 18:32:19 UTC
Looks like your machine has secure boot enabled and its preventing access to performance data in debugfs. Could you 'cat /sys/kernel/security/lockdown' and paste it here please Lukas? I expect the best we'll be able to do from within PCP is detect the situation and put the kvm metrics (and possibly others) into a mode where they just return errors. Thanks for reporting this! Regarding the missing man page, could you open a bug for the kernel component in bugzilla about that one? We wont be able to resolve that in PCP. Hi, [root@f30 ~]# cat /sys/kernel/security/lockdown none integrity [confidentiality] [root@f30 ~]# Resolved upstream, will arrive in Fedora in a week or so via pcp-5.1.0. commit d27290cee4ea8b3c2093fc57e9eb4ccf2c27f366 Author: Nathan Scott <nathans> Date: Fri Apr 17 17:35:55 2020 +1000 pmdakvm: do not access debugfs/tracefs when kernel in lockdown When the kernel is in lockdown accessing debugfs causes the kernel to generate errors in dmesg, along the lines: [96148.189260] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 Using /sys/kernel/security/lockdown state we now avoid this situation. Regression test qa/348 is updated to exercise this new sysfs checking. Resolves Red Hat BZ #1824297. FEDORA-2020-5135a0cdd3 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5135a0cdd3 FEDORA-2020-bc7c7d9c84 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bc7c7d9c84 FEDORA-2020-bc7c7d9c84 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-bc7c7d9c84` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bc7c7d9c84 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-5135a0cdd3 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5135a0cdd3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5135a0cdd3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. FEDORA-2020-bc7c7d9c84 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-5135a0cdd3 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. Still exists pcp-5.1.0-1.fc31.x86_64 Hmm, can you add your /sys/kernel/security/lockdown contents here please Subhendu. Thanks! # cat /sys/kernel/security/lockdown none [integrity] confidentiality (In reply to Subhendu Ghosh from comment #13) > # cat /sys/kernel/security/lockdown > none [integrity] confidentiality Thanks Subhendu, upstream fix below - will be in pcp-5.1.1 (in two or three weeks). commit 1402649bdfb28832f7eb124fce1707f43bb2b8d3 Author: Nathan Scott <nathans> Date: Sun May 10 15:36:38 2020 +1000 pmdakvm: also handle kernel lockdown in integrity mode Resolves Red Hat BZ 1824297 FEDORA-2020-ae83a76ecd has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ae83a76ecd FEDORA-2020-8226ccc694 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8226ccc694 FEDORA-2020-8226ccc694 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8226ccc694` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8226ccc694 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-ae83a76ecd has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ae83a76ecd` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ae83a76ecd See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-8226ccc694 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. pcp-5.1.1-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report. problem persists. $ rpm -q pcp pcp-5.1.1-1.fc31.x86_64 $ uname -r 5.6.19-200.fc31.x86_64 $ dmesg | grep Lockdown | tail -n1 [97758.962992] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 $ sudo cat /sys/kernel/security/lockdown none [integrity] confidentiality Same here: rpm -qa |grep pcp pcp-5.1.1-1.fc32.x86_64 cat /sys/kernel/security/lockdown none [integrity] confidentiality kernel: Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 systemctl status pmcd.service ● pmcd.service - Performance Metrics Collector Daemon Loaded: loaded (/usr/lib/systemd/system/pmcd.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2020-07-23 10:58:43 EDT; 13min ago Docs: man:pmcd(8) Main PID: 2012 (pmcd) Tasks: 7 (limit: 9352) Memory: 62.9M CPU: 474ms CGroup: /system.slice/pmcd.service ├─2012 /usr/libexec/pcp/bin/pmcd ├─2017 /var/lib/pcp/pmdas/root/pmdaroot ├─2027 /var/lib/pcp/pmdas/proc/pmdaproc -d 3 ├─2035 /var/lib/pcp/pmdas/xfs/pmdaxfs -d 11 ├─2039 /var/lib/pcp/pmdas/kvm/pmdakvm -d 95 └─2577 /var/lib/pcp/pmdas/linux/pmdalinux Jul 23 10:58:40 myserver systemd[1]: Starting Performance Metrics Collector Daemon... Jul 23 10:58:45 myserver pmcd[1992]: Starting pmcd ... Jul 23 10:58:52 myserver pmcd[2315]: S Jul 23 10:58:43 myserver systemd[1]: Started Performance Metrics Collector Daemon. |