Bug 1719578 - VM failed to start with error "failed to install seccomp syscall filter in the kernel"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: qemu-kvm
Version: 8.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.1
Assignee: Marc-Andre Lureau
QA Contact: yduan
URL:
Whiteboard:
Depends On:
Blocks: 1720306
Reported: 2019-06-12 07:57 UTC by yisun
Modified: 2020-01-21 02:33 UTC (History)

Fixed In Version: qemu-kvm-2.12.0-77.module+el8.1.0+3382+49219945
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1720306
Environment:
Last Closed: 2019-11-05 20:50:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3345 0 None None None 2019-11-05 20:51:01 UTC

Description yisun 2019-06-12 07:57:55 UTC
description:
VM failed to start with error "failed to install seccomp syscall filter in the kernel"

versions:
[root@jslave-libvirt-rhel-8 images]# rpm -qa | egrep "libvirt-4|qemu-kvm-2|kernel-4"
kernel-4.18.0-104.el8.x86_64
libvirt-4.5.0-24.module+el8.1.0+3205+41ff0a42.x86_64
qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
python3-libvirt-4.5.0-1.module+el8.1.0+2983+b2ae9c0a.x86_64
kernel-4.18.0-100.el8.x86_64

how reproducible:
100%

key words: REGRESSION
not reproduced with 
qemu-kvm-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64



steps:
1. vm can be started with previous version:
[root@jslave-libvirt-rhel-8 images]# rpm -qa | grep qemu-kvm
qemu-kvm-block-ssh-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-block-gluster-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-core-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-common-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-block-rbd-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-block-curl-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64
qemu-kvm-block-iscsi-2.12.0-75.module+el8.1.0+3252+aa5f0857.x86_64


[root@jslave-libvirt-rhel-8 images]# virsh start r8
Domain r8 started


2. after qemu-kvm updated, failed to start:
[root@jslave-libvirt-rhel-8 images]# yum update qemu-kvm
...
...


[root@jslave-libvirt-rhel-8 images]# rpm -qa | grep qemu-kvm
qemu-kvm-block-rbd-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-curl-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-iscsi-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-core-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-common-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-ssh-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-gluster-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64


[root@jslave-libvirt-rhel-8 images]# virsh destroy r8
Domain r8 destroyed

[root@jslave-libvirt-rhel-8 images]# virsh start r8
error: Failed to start domain r8
error: internal error: process exited while connecting to monitor: 2019-06-12T07:51:14.183561Z qemu-kvm: -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny: failed to install seccomp syscall filter in the kernel



3. vm's xml as follows:
[root@jslave-libvirt-rhel-8 images]# virsh dumpxml r8
<domain type='kvm'>
  <name>r8</name>
  <uuid>75464011-67be-4231-90d5-67a9c9f35c5c</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-rhel7.6.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/rhel8.img'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:df:11:61'/>
      <source network='default'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='tablet' bus='usb'>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <listen type='address'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </memballoon>
  </devices>
</domain>



expected result:
vm should start without error.

Comment 2 Yanan Fu 2019-06-12 08:59:45 UTC
Simple qemu command for this issue:

# /usr/libexec/qemu-kvm -sandbox on -monitor stdio
qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel

# /usr/libexec/qemu-kvm -sandbox off -monitor stdio
QEMU 2.12.0 monitor - type 'help' for more information
(qemu) VNC server running on ::1:5900

Comment 3 Danilo de Paula 2019-06-12 12:47:33 UTC
This seems to be a big deal. Requesting blocker for it.

Comment 5 Danilo de Paula 2019-06-12 15:33:06 UTC
I'm not able to reproduce this issue:

[root@virtlab503 ~]# rpm -qa | egrep "libvirt-4|qemu-kvm-2|kernel-4"
kernel-4.18.0-100.el8.x86_64
kernel-4.18.0-104.el8.x86_64
libvirt-4.5.0-24.module+el8.1.0+3205+41ff0a42.x86_64
qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64

[root@virtlab503 ~]# uname -r
4.18.0-104.el8.x86_64

[root@virtlab503 ~]#  rpm -qa | grep qemu-kvm
qemu-kvm-block-curl-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-common-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-iscsi-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-core-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-rbd-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-ssh-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-block-gluster-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64


[root@virtlab503 ~]# /usr/libexec/qemu-kvm -sandbox on -monitor stdio
QEMU 2.12.0 monitor - type 'help' for more information
(qemu) VNC server running on ::1:5900


[root@virtlab503 ~]# /usr/libexec/qemu-kvm -sandbox off -monitor stdio
QEMU 2.12.0 monitor - type 'help' for more information
(qemu) VNC server running on ::1:5900


Also, I tried to import the VM definition from the report (with a nightly image [1]):

[root@virtlab503 ~]# virsh create /tmp/vm.xml 
setlocale: No such file or directory
Domain r8 created from /tmp/vm.xml

[root@virtlab503 ~]# virsh domstate r8
setlocale: No such file or directory
running

[root@virtlab503 ~]# virsh domifaddr r8
setlocale: No such file or directory
 Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet0      52:54:00:df:11:61    ipv4         192.168.122.57/24


I tested with a nested environment and in a beaker host.
Same result in both (but I didn't set a vm in the nested environment)

Some considerations:
kernel-4.18.0-100.el8.x86_64 doesn't seem to be in any nightly repository today. I had to download and manually install it.

Even with that Kernel, I wasn't able to reproduce it with qemu-kvm-core-2.12.0-76.
Perhaps there's something more that the reporter did?


[1] http://download.devel.redhat.com/nightly/latest-RHEL-8/compose/BaseOS/x86_64/images/rhel-guest-image-8.1-84.x86_64.qcow2

Comment 11 Yanan Fu 2019-06-13 02:41:07 UTC
Host tree we use: RHEL-8.1.0-20190604.7 

qemu: qemu-kvm-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
libseccomp : libseccomp-2.3.3-3.el8

Test with same qemu version, update libseccomp to: libseccomp-2.4.1-1.el8.x86_64, works well.

Comment 12 Marc-Andre Lureau 2019-06-13 11:27:22 UTC
(fwiw, libseccomp 2.4 is bug 1602006)

Comment 13 Danilo de Paula 2019-06-13 14:08:14 UTC
(In reply to Marc-Andre Lureau from comment #12)
> (fwiw, libseccomp 2.4 is bug 1602006)

Sorry, I'm packaged with some urgent last-minute-before-release-and-pto.
Can you send a patch bumping it to 2.4?

Comment 14 Marc-Andre Lureau 2019-06-13 15:42:24 UTC
I sent:
[RHEL-8.1.0 qemu-kvm PATCH] qemu-kvm.spec: bump libseccomp >= 2.4.0

for some reason, the bug status isn't updated this time.

Comment 15 Danilo de Paula 2019-06-13 15:57:22 UTC
Missed the Branch: tag

Comment 16 Danilo de Paula 2019-06-13 21:48:05 UTC
Fix included in qemu-kvm-2.12.0-77.module+el8.1.0+3382+49219945

Comment 18 yduan 2019-06-18 02:01:09 UTC
Reproduce with qemu-kvm-core-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64 + libseccomp-2.3.3-3.el8.x86_64.
Cannot reproduce with qemu-kvm-core-2.12.0-77.module+el8.1.0+3382+49219945.x86_64 + libseccomp-2.4.1-1.el8.x86_64

So VERIFIED.
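
The package pairing isolated in comments 11 and 18, written as a host check. This is an added example, not part of the bug report or of any Red Hat tooling. The function names are hypothetical, it needs GNU `sort -V`, and it assumes every qemu-kvm 2.12.0 release from -76 onward needs the libseccomp >= 2.4.0 floor named in comment 14.

```shell
#!/bin/sh
# Floor from the spec change in comment 14 (libseccomp >= 2.4.0).
LIBSECCOMP_FLOOR="2.4.0"
# First qemu-kvm 2.12.0 release on which the failure reproduces (comment 18).
QEMU_FIRST_BAD_RELEASE=76

# version_ge A B: succeed when dotted version A >= B (GNU sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# nvr_version NAME NVR: print the version field of name-version-release.arch.
nvr_version() {
    rest=${2#"$1"-}
    printf '%s\n' "${rest%%-*}"
}

# nvr_release_number NAME NVR: print the leading integer of the release field.
nvr_release_number() {
    rest=${2#"$1"-}
    rel=${rest#*-}
    printf '%s\n' "${rel%%.*}"
}

# classify QEMU_NVR LIBSECCOMP_NVR: print "mismatch" when "-sandbox on" is
# expected to fail as in this report, otherwise "ok".
classify() {
    qver=$(nvr_version qemu-kvm-core "$1")
    qrel=$(nvr_release_number qemu-kvm-core "$1")
    sver=$(nvr_version libseccomp "$2")
    if [ "$qver" = "2.12.0" ] && [ "$qrel" -ge "$QEMU_FIRST_BAD_RELEASE" ] \
        && ! version_ge "$sver" "$LIBSECCOMP_FLOOR"; then
        echo mismatch
    else
        echo ok
    fi
}

# Package strings quoted in the comments above, paired as they were tested.
# On a live host: classify "$(rpm -q qemu-kvm-core)" "$(rpm -q libseccomp)"
Q76=qemu-kvm-core-2.12.0-76.module+el8.1.0+3351+d11c20fa.x86_64
Q77=qemu-kvm-core-2.12.0-77.module+el8.1.0+3382+49219945.x86_64
echo "-76 + libseccomp 2.3.3: $(classify "$Q76" libseccomp-2.3.3-3.el8.x86_64)"
echo "-76 + libseccomp 2.4.1: $(classify "$Q76" libseccomp-2.4.1-1.el8.x86_64)"
echo "-77 + libseccomp 2.4.1: $(classify "$Q77" libseccomp-2.4.1-1.el8.x86_64)"
```

A "mismatch" result means the sandbox will refuse to start the guest; the remedy shown in this bug is updating libseccomp, not passing `-sandbox off`.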

Comment 20 errata-xmlrpc 2019-11-05 20:50:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3345

