Description of problem: When pmdakvm is enabled in PCP it's causing warning in dmesg [96148.189260] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 [96156.412028] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 [96216.411377] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 Version-Release number of selected component (if applicable): fedora 30 How reproducible: everytime Steps to Reproduce: 1. dnf install pcp-selinux.x86_64 pcp.x86_64 pcp-pmda-systemd.x86_64 pcp-pmda-summary.x86_64 pcp-pmda-smart.x86_64 pcp-pmda-lmsensors.x86_64 pcp-system-tools 2. systemctl start pmcd.service 3. wait for the message Actual results: pmdakvm warnings in kernel Expected results: no warnings Additional info: man kernel_lockdown.7 is not available in fedora 30
Looks like your machine has secure boot enabled and its preventing access to performance data in debugfs. Could you 'cat /sys/kernel/security/lockdown' and paste it here please Lukas? I expect the best we'll be able to do from within PCP is detect the situation and put the kvm metrics (and possibly others) into a mode where they just return errors. Thanks for reporting this! Regarding the missing man page, could you open a bug for the kernel component in bugzilla about that one? We wont be able to resolve that in PCP.
Hi, [root@f30 ~]# cat /sys/kernel/security/lockdown none integrity [confidentiality] [root@f30 ~]#
Resolved upstream, will arrive in Fedora in a week or so via pcp-5.1.0. commit d27290cee4ea8b3c2093fc57e9eb4ccf2c27f366 Author: Nathan Scott <nathans> Date: Fri Apr 17 17:35:55 2020 +1000 pmdakvm: do not access debugfs/tracefs when kernel in lockdown When the kernel is in lockdown accessing debugfs causes the kernel to generate errors in dmesg, along the lines: [96148.189260] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 Using /sys/kernel/security/lockdown state we now avoid this situation. Regression test qa/348 is updated to exercise this new sysfs checking. Resolves Red Hat BZ #1824297.
FEDORA-2020-5135a0cdd3 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5135a0cdd3
FEDORA-2020-bc7c7d9c84 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bc7c7d9c84
FEDORA-2020-bc7c7d9c84 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-bc7c7d9c84` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bc7c7d9c84 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-5135a0cdd3 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5135a0cdd3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5135a0cdd3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
FEDORA-2020-bc7c7d9c84 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-5135a0cdd3 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
Still exists pcp-5.1.0-1.fc31.x86_64
Hmm, can you add your /sys/kernel/security/lockdown contents here please Subhendu. Thanks!
# cat /sys/kernel/security/lockdown none [integrity] confidentiality
(In reply to Subhendu Ghosh from comment #13) > # cat /sys/kernel/security/lockdown > none [integrity] confidentiality Thanks Subhendu, upstream fix below - will be in pcp-5.1.1 (in two or three weeks). commit 1402649bdfb28832f7eb124fce1707f43bb2b8d3 Author: Nathan Scott <nathans> Date: Sun May 10 15:36:38 2020 +1000 pmdakvm: also handle kernel lockdown in integrity mode Resolves Red Hat BZ 1824297
FEDORA-2020-ae83a76ecd has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ae83a76ecd
FEDORA-2020-8226ccc694 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8226ccc694
FEDORA-2020-8226ccc694 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8226ccc694` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8226ccc694 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-ae83a76ecd has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ae83a76ecd` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ae83a76ecd See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-8226ccc694 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
pcp-5.1.1-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
problem persists. $ rpm -q pcp pcp-5.1.1-1.fc31.x86_64 $ uname -r 5.6.19-200.fc31.x86_64 $ dmesg | grep Lockdown | tail -n1 [97758.962992] Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 $ sudo cat /sys/kernel/security/lockdown none [integrity] confidentiality
Same here: rpm -qa |grep pcp pcp-5.1.1-1.fc32.x86_64 cat /sys/kernel/security/lockdown none [integrity] confidentiality kernel: Lockdown: pmdakvm: debugfs access is restricted; see man kernel_lockdown.7 systemctl status pmcd.service ● pmcd.service - Performance Metrics Collector Daemon Loaded: loaded (/usr/lib/systemd/system/pmcd.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2020-07-23 10:58:43 EDT; 13min ago Docs: man:pmcd(8) Main PID: 2012 (pmcd) Tasks: 7 (limit: 9352) Memory: 62.9M CPU: 474ms CGroup: /system.slice/pmcd.service ├─2012 /usr/libexec/pcp/bin/pmcd ├─2017 /var/lib/pcp/pmdas/root/pmdaroot ├─2027 /var/lib/pcp/pmdas/proc/pmdaproc -d 3 ├─2035 /var/lib/pcp/pmdas/xfs/pmdaxfs -d 11 ├─2039 /var/lib/pcp/pmdas/kvm/pmdakvm -d 95 └─2577 /var/lib/pcp/pmdas/linux/pmdalinux Jul 23 10:58:40 myserver systemd[1]: Starting Performance Metrics Collector Daemon... Jul 23 10:58:45 myserver pmcd[1992]: Starting pmcd ... Jul 23 10:58:52 myserver pmcd[2315]: S Jul 23 10:58:43 myserver systemd[1]: Started Performance Metrics Collector Daemon.