Bug 903449 - Guest can not be booted with sandbox on
Summary: Guest can not be booted with sandbox on
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: Paul Moore
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 915825
Blocks:
Reported: 2013-01-24 02:11 UTC by yunpingzheng
Modified: 2014-06-18 03:21 UTC (History)

Fixed In Version: kernel-3.8.0-0.38.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:13:09 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
F18 guest definition (2.66 KB, text/xml)
2013-01-24 20:26 UTC, Paul Moore
no flags Details

Description yunpingzheng 2013-01-24 02:11:21 UTC
Description of problem:
In RHEL7, booting a guest with "-sandbox on" fails with this error:
  qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel

Version-Release number of selected component (if applicable):
host:
kernel-3.7.0-0.31.el7.x86_64
qemu-kvm-1.3.0-3.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot guest with sandbox on

Actual results:
boot error

Expected results:
guest can boot normally

Additional info:
qemu_cmd:
/usr/bin/qemu-kvm \
-name 'vm1' \
-nodefaults \
-m 4096 \
-smp 4,cores=2,threads=1,sockets=2 \
-vnc :22 \
-vga std \
-rtc base=utc,clock=host,driftfix=none \
-drive file=/root/qemu_kvm/RHEL-Server-6.4-64-virtio.qcow2,if=none,cache=none,id=virtio0 \
-device virtio-blk-pci,drive=virtio0 \
-device virtio-net-pci,netdev=id3Ibo2c,mac=9a:5e:5f:60:61:62 \
-netdev tap,id=id3Ibo2c,script=/root/qemu_kvm/qemu-ifup-switch \
-device ich9-usb-uhci1,id=usb1 \
-boot order=cdn,once=c,menu=off \
-enable-kvm \
-M q35 \
-monitor stdio \
-chardev socket,id=isa-serial-1,path=/tmp/isa-serial-1,server,nowait \
-device isa-serial,chardev=isa-serial-1 \
-device virtio-serial,id=virt-serial-1,max_ports=31,bus=pcie.0 \
-chardev socket,id=virtio-serial-1-1,path=/tmp/virtio-serial-1-1,server,nowait \
-device virtserialport,chardev=virtio-serial-1-1,name=virtio.serial.1.1,bus=virt-serial-1.0,id=virtio-serial-port1-1 \
-device virtio-serial,id=virt-console-1 \
-chardev socket,id=virtio-console-1-1,path=/tmp/virtio-console-1-1,server,nowait \
-device virtconsole,chardev=virtio-console-1-1,name=virtio.console.1.1,bus=virt-console-1.0 \
-sandbox on

Comment 2 Paul Moore 2013-01-24 20:25:15 UTC
I tried to recreate this on a Fedora Rawhide system and everything worked as expected with the following packages installed:

 * kernel-3.8.0-0.rc4.git1.1.fc19.x86_64
 * qemu-kvm-1.3.0-5.fc19.x86_64
 * libseccomp-1.0.1-0.fc19.x86_64

My test process was as follows:

1. Create a F18 guest.  I performed a minimal install but that shouldn't be too critical for this experiment.

2. Edit the guest's XML file, e.g. 'virsh edit <guest>', to add the sandbox QEMU command line option (see attached XML file).

3. Restart the guest via libvirt/virtmanager/virsh and observe proper operation of the guest.

Can you verify a similar process?  Have you tried this on Rawhide or just RHEL7?

Comment 3 Paul Moore 2013-01-24 20:26:20 UTC
Created attachment 686979 [details]
F18 guest definition

Comment 4 yunpingzheng 2013-01-28 08:37:29 UTC
Hi Paul Moore,
(In reply to comment #2)
> I tried to recreate this on a Fedora Rawhide system and everything worked as
> expected with the following packages installed:
> 
>  * kernel-3.8.0-0.rc4.git1.1.fc19.x86_64
>  * qemu-kvm-1.3.0-5.fc19.x86_64
>  * libseccomp-1.0.1-0.fc19.x86_64
> 
> My test process was as follows:
> 
> 1. Create a F18 guest.  I performed a minimal install but that shouldn't be
> too critical for this experiment.
> 
> 2. Edit the guest's XML file, e.g. 'virsh edit <guest>', to add the sandbox
> QEMU command line option (see attached XML file).
> 
> 3. Restart the guest via libvirt/virtmanager/virsh and observe proper
> operation of the guest.
> 
> Can you verify a similar process?  Have you tried this on Rawhide or just
> RHEL7?
I tried it using your XML file on RHEL7 and can reproduce this issue:

[root@localhost ~]# virsh  start f18-test-1
error: Failed to start domain f18-test-1
error: internal error Process exited while reading console log output: qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel


I just tested it on RHEL7 (beta). I will test it on RHEL7 (RHEL-7.0-20130120.0) and update this BZ.

Comment 5 Sibiao Luo 2013-02-26 09:07:48 UTC
Also hit it on the following environment:
host info:
kernel-3.8.0-0.37.el7.x86_64
qemu-kvm-1.3.0-7.el7.x86_64
guest info:
kernel-3.8.0-0.37.el7.x86_64

Boot the guest with sandbox enabled, but it will fail to boot up.
e.g:...-sandbox on -monitor stdio
qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel

Best Regards.
sluo

Comment 6 Sibiao Luo 2013-02-26 09:33:17 UTC
(In reply to comment #5)
> Also hit it on the following environment:
> host info:
> kernel-3.8.0-0.37.el7.x86_64
> qemu-kvm-1.3.0-7.el7.x86_64
> guest info:
> kernel-3.8.0-0.37.el7.x86_64
> 
> boot guest with sandbox enabled, but the it will fail to boot up.
> e.g:...-sandbox on -monitor stdio
> qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel
> 
> Best Regards.
> sluo
Hi pmoore, could you help to look at this issue, which blocks our syscall filter functional testing? Thanks in advance.

Comment 7 Paul Moore 2013-02-26 14:29:50 UTC
I will look at it again today, but based on the errors you are reporting it would appear that the RHEL7 kernel is not being built with the proper seccomp support.

Comment 8 Paul Moore 2013-02-26 15:18:24 UTC
I'm currently trying to find the kernel-3.8.0-0.37.el7.x86_64 package but I just looked at the kernel-3.7.0-0.34.el7.x86_64 package and it does not have CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER enabled.  Once I can verify that the 3.8.0 kernel does not have the right build configuration I will file a BZ with the kernel team.

Comment 9 Paul Moore 2013-02-26 15:26:06 UTC
Unfortunately it does appear that the latest RHEL7 kernel is missing the necessary seccomp support.  RH BZ #915825 has been created to track the missing kernel support.
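
Comments 7 through 9 trace the error to a RHEL7 kernel built without CONFIG_SECCOMP / CONFIG_SECCOMP_FILTER. The following C program is an added diagnostic written for this page; it is not part of the bug report, of QEMU or of libseccomp. It does, via raw prctl() rather than libseccomp, what "-sandbox on" does before starting the guest: it loads a seccomp-bpf filter (here a harmless allow-everything one, in a forked child so the caller is never restricted) and classifies the errno the kernel returns. All enum and function names (seccomp_probe, probe_seccomp_filter, classify_seccomp_errno, seccomp_probe_name) are this example's own, and the assumption is that EINVAL from PR_SET_SECCOMP with SECCOMP_MODE_FILTER means the kernel does not recognise filter mode, i.e. CONFIG_SECCOMP_FILTER is off.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of trying to install a seccomp-bpf filter (names assumed for this example). */
enum seccomp_probe {
    SECCOMP_PROBE_OK = 0,         /* filter accepted: CONFIG_SECCOMP_FILTER is enabled */
    SECCOMP_PROBE_NO_FILTER = 1,  /* EINVAL: SECCOMP_MODE_FILTER unknown to this kernel */
    SECCOMP_PROBE_REFUSED = 2,    /* some other errno (e.g. EACCES, EPERM) */
    SECCOMP_PROBE_ERROR = 3       /* fork()/waitpid() failed; nothing learned */
};

/* Map the errno from prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) to a verdict.
 * A kernel built without CONFIG_SECCOMP_FILTER rejects the mode with EINVAL,
 * which QEMU surfaces as "failed to install seccomp syscall filter in the kernel". */
enum seccomp_probe classify_seccomp_errno(int err)
{
    if (err == 0)
        return SECCOMP_PROBE_OK;
    if (err == EINVAL)
        return SECCOMP_PROBE_NO_FILTER;
    return SECCOMP_PROBE_REFUSED;
}

const char *seccomp_probe_name(enum seccomp_probe p)
{
    switch (p) {
    case SECCOMP_PROBE_OK:        return "seccomp filter installed (CONFIG_SECCOMP_FILTER enabled)";
    case SECCOMP_PROBE_NO_FILTER: return "EINVAL: kernel lacks CONFIG_SECCOMP_FILTER";
    case SECCOMP_PROBE_REFUSED:   return "prctl refused the filter for another reason";
    default:                      return "probe could not run";
    }
}

/* Install an allow-everything filter in a forked child, so the caller's own
 * process is never restricted, and report how the kernel responded. */
enum seccomp_probe probe_seccomp_filter(void)
{
    /* One-instruction BPF program: return SECCOMP_RET_ALLOW for every syscall. */
    struct sock_filter allow_all[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(allow_all) / sizeof(allow_all[0])),
        .filter = allow_all,
    };
    pid_t pid = fork();
    if (pid < 0)
        return SECCOMP_PROBE_ERROR;
    if (pid == 0) {
        /* Required before an unprivileged process may load a filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(errno);
        int rc = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
        _exit(rc == 0 ? 0 : errno);   /* errno values fit in the 8-bit exit status */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return SECCOMP_PROBE_ERROR;
    return classify_seccomp_errno(WEXITSTATUS(status));
}

int main(void)
{
    enum seccomp_probe p = probe_seccomp_filter();
    printf("%s\n", seccomp_probe_name(p));
    return p == SECCOMP_PROBE_OK ? 0 : 1;
}
```

Build with `gcc -o seccomp-probe seccomp-probe.c` and run it on the host before starting QEMU with "-sandbox on": on a kernel like the ones in comments 5 and 8 it should report the EINVAL verdict, and on one built with the option it exits 0. The static cross-check is to look for CONFIG_SECCOMP_FILTER=y in the running kernel's config file (/boot/config-$(uname -r) on RHEL), which is what comment 8 did by inspecting the package.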

Comment 10 Paul Moore 2013-02-26 16:38:05 UTC
Until a proper RHEL7 kernel package is available I did a quick scratch build for x86_64 with the necessary kernel support enabled:

* https://brewweb.devel.redhat.com/taskinfo?taskID=5443516

Comment 11 Paul Moore 2013-05-08 12:38:42 UTC
Moving this to modified as the kernel is now built with CONFIG_SECCOMP_FILTER, see BZ 915825.

Comment 15 Xu Han 2014-01-15 02:09:37 UTC
Reproduce this bug with component:
kernel-3.7.0-0.36.el7.x86_64

Steps:
1. Boot guest with '-sandbox on'
# /usr/libexec/qemu-kvm -monitor stdio -sandbox on

Results:
Fail to boot guest:
qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel

Verify this bug with component:
kernel-3.10.0-67.el7.x86_64

Same steps as above.

Results:
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) VNC server running on `::1:5900'
(qemu) info status 
VM status: running

Based on the test results above, this bug has been fixed.

Comment 18 Ludek Smid 2014-06-13 12:13:09 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

