Bug 903449 - Guest can not be booted with sandbox on
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Paul Moore
QA Contact: Virtualization Bugs
Depends On: 915825
Reported: 2013-01-23 21:11 EST by yunpingzheng
Modified: 2014-06-17 23:21 EDT
Fixed In Version: kernel-3.8.0-0.38.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 08:13:09 EDT
Type: Bug
Attachments:
F18 guest definition (2.66 KB, text/xml), 2013-01-24 15:26 EST, Paul Moore
Description yunpingzheng 2013-01-23 21:11:21 EST
Description of problem:
In RHEL7, booting a guest with "-sandbox on" errors out:
  qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel

Version-Release number of selected component (if applicable):
host:
kernel-3.7.0-0.31.el7.x86_64
qemu-kvm-1.3.0-3.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot guest with sandbox on
Actual results:
boot error

Expected results:
guest can boot normally

Additional info:
qemu_cmd:
/usr/bin/qemu-kvm \
-name 'vm1' \
-nodefaults \
-m 4096 \
-smp 4,cores=2,threads=1,sockets=2 \
-vnc :22 \
-vga std \
-rtc base=utc,clock=host,driftfix=none \
-drive file=/root/qemu_kvm/RHEL-Server-6.4-64-virtio.qcow2,if=none,cache=none,id=virtio0 \
-device virtio-blk-pci,drive=virtio0 \
-device virtio-net-pci,netdev=id3Ibo2c,mac=9a:5e:5f:60:61:62 \
-netdev tap,id=id3Ibo2c,script=/root/qemu_kvm/qemu-ifup-switch \
-device ich9-usb-uhci1,id=usb1 \
-boot order=cdn,once=c,menu=off \
-enable-kvm \
-M q35 \
-monitor stdio \
-chardev socket,id=isa-serial-1,path=/tmp/isa-serial-1,server,nowait \
-device isa-serial,chardev=isa-serial-1 \
-device virtio-serial,id=virt-serial-1,max_ports=31,bus=pcie.0 \
-chardev socket,id=virtio-serial-1-1,path=/tmp/virtio-serial-1-1,server,nowait \
-device virtserialport,chardev=virtio-serial-1-1,name=virtio.serial.1.1,bus=virt-serial-1.0,id=virtio-serial-port1-1 \
-device virtio-serial,id=virt-console-1 \
-chardev socket,id=virtio-console-1-1,path=/tmp/virtio-console-1-1,server,nowait \
-device virtconsole,chardev=virtio-console-1-1,name=virtio.console.1.1,bus=virt-console-1.0 \
-sandbox on
Comment 2 Paul Moore 2013-01-24 15:25:15 EST
I tried to recreate this on a Fedora Rawhide system and everything worked as expected with the following packages installed:

 * kernel-3.8.0-0.rc4.git1.1.fc19.x86_64
 * qemu-kvm-1.3.0-5.fc19.x86_64
 * libseccomp-1.0.1-0.fc19.x86_64

My test process was as follows:

1. Create an F18 guest.  I performed a minimal install but that shouldn't be too critical for this experiment.

2. Edit the guest's XML file, e.g. 'virsh edit <guest>', to add the sandbox QEMU command line option (see attached XML file).

3. Restart the guest via libvirt/virtmanager/virsh and observe proper operation of the guest.

Can you verify a similar process?  Have you tried this on Rawhide or just RHEL7?
Comment 3 Paul Moore 2013-01-24 15:26:20 EST
Created attachment 686979 [details]
F18 guest definition
Comment 4 yunpingzheng 2013-01-28 03:37:29 EST
hi Paul Moore
(In reply to comment #2)
> I tried to recreate this on a Fedora Rawhide system and everything worked as
> expected with the following packages installed:
> 
>  * kernel-3.8.0-0.rc4.git1.1.fc19.x86_64
>  * qemu-kvm-1.3.0-5.fc19.x86_64
>  * libseccomp-1.0.1-0.fc19.x86_64
> 
> My test process was as follows:
> 
> 1. Create an F18 guest.  I performed a minimal install but that shouldn't be
> too critical for this experiment.
> 
> 2. Edit the guest's XML file, e.g. 'virsh edit <guest>', to add the sandbox
> QEMU command line option (see attached XML file).
> 
> 3. Restart the guest via libvirt/virtmanager/virsh and observe proper
> operation of the guest.
> 
> Can you verify a similar process?  Have you tried this on Rawhide or just
> RHEL7?
I tried it using your XML file on RHEL7 and can reproduce this issue:

[root@localhost ~]# virsh  start f18-test-1
error: Failed to start domain f18-test-1
error: internal error Process exited while reading console log output: qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel


I just tested it on RHEL7 (beta). I will test it on RHEL7 (RHEL-7.0-20130120.0) and update this BZ.
Comment 5 Sibiao Luo 2013-02-26 04:07:48 EST
Also hit it on the following environment:
host info:
kernel-3.8.0-0.37.el7.x86_64
qemu-kvm-1.3.0-7.el7.x86_64
guest info:
kernel-3.8.0-0.37.el7.x86_64

Boot the guest with sandbox enabled, but it will fail to boot up.
e.g.: ...-sandbox on -monitor stdio
qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel

Best Regards.
sluo
Comment 6 Sibiao Luo 2013-02-26 04:33:17 EST
(In reply to comment #5)
> Also hit it on the following environment:
> host info:
> kernel-3.8.0-0.37.el7.x86_64
> qemu-kvm-1.3.0-7.el7.x86_64
> guest info:
> kernel-3.8.0-0.37.el7.x86_64
> 
> Boot the guest with sandbox enabled, but it will fail to boot up.
> e.g.: ...-sandbox on -monitor stdio
> qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel
> 
> Best Regards.
> sluo
Hi pmoore, could you help look at this issue, which blocks our syscall filter functional testing? Thanks in advance.
Comment 7 Paul Moore 2013-02-26 09:29:50 EST
I will look at it again today, but based on the errors you are reporting it would appear that the RHEL7 kernel is not being built with the proper seccomp support.
Comment 8 Paul Moore 2013-02-26 10:18:24 EST
I'm currently trying to find the kernel-3.8.0-0.37.el7.x86_64 package but I just looked at the kernel-3.7.0-0.34.el7.x86_64 package and it does not have CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER enabled.  Once I can verify that the 3.8.0 kernel does not have the right build configuration I will file a BZ with the kernel team.
Comment 9 Paul Moore 2013-02-26 10:26:06 EST
Unfortunately it does appear that the latest RHEL7 kernel is missing the necessary seccomp support.  RH BZ #915825 has been created to track the missing kernel support.
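A host-side check that tells the two causes of this error apart, added here as an example and not code from the bug, QEMU or libseccomp: it parses a kernel .config text for CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER (the sample config strings are constructed to mirror the unfixed and fixed kernels in this bug) and probes the running kernel with the NULL-program prctl trick that libseccomp uses, which never installs a filter.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>

/* Constructed .config fragments: an old host without filter support, and the fixed kernel. */
const char *CONFIG_OLD_HOST =
    "CONFIG_SECCOMP=y\n# CONFIG_SECCOMP_FILTER is not set\n";
const char *CONFIG_FIXED_HOST =
    "CONFIG_HAVE_ARCH_SECCOMP_FILTER=y\nCONFIG_SECCOMP_FILTER=y\nCONFIG_SECCOMP=y\n";
/* 1 only if some line equals `opt` exactly, so CONFIG_SECCOMP=y is not
 * satisfied by CONFIG_SECCOMP_FILTER=y or by a "# ... is not set" line. */
static int config_line_set(const char *config, const char *opt)
{
    size_t optlen = strlen(opt);
    for (const char *line = config; line && *line;) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len == optlen && memcmp(line, opt, len) == 0) return 1;
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* Static check of a .config text for both options QEMU's -sandbox needs. */
int config_has_seccomp_filter(const char *config)
{
    return config_line_set(config, "CONFIG_SECCOMP=y") &&
           config_line_set(config, "CONFIG_SECCOMP_FILTER=y");
}

/* Runtime check that installs nothing: a kernel built with CONFIG_SECCOMP_FILTER
 * rejects a NULL program with EFAULT, one without it rejects filter mode itself
 * with EINVAL (the probe libseccomp uses). 1 = supported, 0 = not, -1 = unknown. */
int probe_seccomp_filter(void)
{
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL) == 0)
        return -1;                 /* a NULL program is never accepted */
    if (errno == EFAULT) return 1;
    if (errno == EINVAL) return 0;
    return -1;                     /* e.g. EPERM from an outer sandbox */
}

int main(void)
{
    printf("running kernel seccomp filter support: %d\n", probe_seccomp_filter());
    return 0;
}
```

On a RHEL host the static check applies to the text of /boot/config-$(uname -r); a 0 from the runtime probe is exactly the condition behind the "failed to install seccomp syscall filter" message in this bug.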
Comment 10 Paul Moore 2013-02-26 11:38:05 EST
Until a proper RHEL7 kernel package is available I did a quick scratch build for x86_64 with the necessary kernel support enabled:

* https://brewweb.devel.redhat.com/taskinfo?taskID=5443516
Comment 11 Paul Moore 2013-05-08 08:38:42 EDT
Moving this to modified as the kernel is now built with CONFIG_SECCOMP_FILTER, see BZ 915825.
Comment 15 Xu Han 2014-01-14 21:09:37 EST
Reproduce this bug with component:
kernel-3.7.0-0.36.el7.x86_64

Steps:
1. Boot guest with '-sandbox on'
# /usr/libexec/qemu-kvm -monitor stdio -sandbox on

Results:
Fail to boot guest:
qemu-kvm: -sandbox on: failed to install seccomp syscall filter in the kernel

Verify this bug with component:
kernel-3.10.0-67.el7.x86_64

Same steps as above.

Results:
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) VNC server running on `::1:5900'
(qemu) info status 
VM status: running

Based on the test results above, this bug has been fixed.
Comment 18 Ludek Smid 2014-06-13 08:13:09 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
