Public bug reported:

We use Ganeti to spin QEMU/KVM VMs like this:

2017-03-22 12:40:57,002: ganeti-noded pid=14770 INFO RunCmd /usr/bin/kvm -name test01.inet.hre.local -m 2048 -smp 1 -pidfile /var/run/ganeti/kvm-hypervisor/pid/test01.inet.hre.local -balloon virtio,id=balloon,bus=pci.0,addr=0x3 -daemonize -machine pc-i440fx-xenial -monitor unix:/var/run/ganeti/kvm-hypervisor/ctrl/test01.inet.hre.local.monitor,server,nowait -serial unix:/var/run/ganeti/kvm-hypervisor/ctrl/test01.inet.hre.local.serial,server,nowait -usb -display none -chroot /var/run/ganeti/kvm-hypervisor/chroot/test01.inet.hre.local -cpu Haswell-noTSX -uuid d3de5e5b-ac6e-49f6-93c7-f7afdafc8760 -sandbox on -netdev type=tap,id=hotnic-1225493e-pci-5,fd=10 -device virtio-net-pci,mac=aa:00:00:66:9c:35,id=hotnic-1225493e-pci-5,bus=pci.0,addr=0x5,netdev=hotnic-1225493e-pci-5 -qmp unix:/var/run/ganeti/kvm-hypervisor/ctrl/test01.inet.hre.local.qmp,server,nowait -qmp unix:/var/run/ganeti/kvm-hypervisor/ctrl/test01.inet.hre.local.kvmd,server,nowait -boot c -device virtio-blk-pci,drive=hotdisk-a48d943e-pci-4,id=hotdisk-a48d943e-pci-4,bus=pci.0,addr=0x4 -drive file=/var/run/ganeti/instance-disks/test01.inet.hre.local:0,format=raw,if=none,cache=none,id=hotdisk-a48d943e-pci-4,bus=0,unit=4 -S -runas kvm451
2017-03-22 12:43:59,391: ganeti-noded pid=5083 INFO Received signal 15 asking for shutdown

This fails due to the seccomp sandbox not letting this syscall through:

[Wed Mar 22 12:40:57 2017] audit: type=1326 audit(1490200857.157:19): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=14923 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7fd25f068b47 code=0x0

This happens right when the VM tries to start. It looks like syscall=161 is sys_chroot. I suspect that the "-runas" feature will also run into similar problems.

I found [0] that adds the missing whitelist entries but was not accepted upstream due to the commit messages being a bit of a mess [1]. IMHO, this would be a useful addition.

0: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03167.html
1: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg04060.html

# lsb_release -rd
Description:    Ubuntu 16.04.2 LTS
Release:        16.04

# apt-cache policy qemu-system-x86 linux-image-4.4.0-67-generic
qemu-system-x86:
  Installed: 1:2.5+dfsg-5ubuntu10.9
  Candidate: 1:2.5+dfsg-5ubuntu10.9
  Version table:
 *** 1:2.5+dfsg-5ubuntu10.9 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.5+dfsg-5ubuntu10.6 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     1:2.5+dfsg-5ubuntu10 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
linux-image-4.4.0-67-generic:
  Installed: 4.4.0-67.88
  Candidate: 4.4.0-67.88
  Version table:
 *** 4.4.0-67.88 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: qemu-system-x86 1:2.5+dfsg-5ubuntu10.9
ProcVersionSignature: Ubuntu 4.4.0-67.88-generic 4.4.49
Uname: Linux 4.4.0-67-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Wed Mar 22 12:59:14 2017
InstallationDate: Installed on 2017-03-09 (12 days ago)
InstallationMedia: Ubuntu-Server 16.04.2 LTS "Xenial Xerus" - Release amd64 (20170215.8)
Lsusb:
 Bus 002 Device 002: ID 8087:8002 Intel Corp.
 Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
 Bus 001 Device 003: ID 413c:a001 Dell Computer Corp. Hub
 Bus 001 Device 002: ID 8087:800a Intel Corp.
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
MachineType: Dell Inc. PowerEdge R830
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-67-generic.efi.signed root=/dev/mapper/vghost-root ro kernel.panic=300
SourcePackage: qemu
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/09/2016
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.3.4
dmi.board.name: 0VVT0H
dmi.board.vendor: Dell Inc.
dmi.board.version: A01
dmi.chassis.type: 23
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvr1.3.4:bd11/09/2016:svnDellInc.:pnPowerEdgeR830:pvr:rvnDellInc.:rn0VVT0H:rvrA01:cvnDellInc.:ct23:cvr:
dmi.product.name: PowerEdge R830
dmi.sys.vendor: Dell Inc.

** Affects: qemu (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1675114

Title:
  QEMU seccomp sandbox missing a whitelist

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1675114/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
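The report leaves two things for the reader to do by hand: decode the type=1326 audit record (sig=31 is SIGSYS, arch=c000003e is native x86_64, syscall=161 is chroot on that table) and work out which other options on the same command line will hit the same wall. The script below is an added example, not code from the bug report, from Ganeti or from QEMU. It parses a seccomp audit record, names the syscall from a small x86_64 table, and predicts which syscalls a given argv needs whitelisted when "-sandbox on" is combined with "-chroot" or "-runas". The sample audit line and argv are constructed from the report; the assumption that "-runas" issues setgid/setgroups/setuid after the filter is loaded is mine, since the report only demonstrates the chroot kill.

```python
import re

# Constructed sample: the seccomp kill quoted in the report, with the dmesg
# timestamp prefix kept and comm= written without the extraction artifact.
SAMPLE_AUDIT_LINE = (
    '[Wed Mar 22 12:40:57 2017] audit: type=1326 audit(1490200857.157:19): '
    'auid=4294967295 uid=0 gid=0 ses=4294967295 pid=14923 comm="qemu-system-x86" '
    'exe="/usr/bin/qemu-system-x86_64" sig=31 arch=c000003e syscall=161 '
    'compat=0 ip=0x7fd25f068b47 code=0x0'
)

# Constructed sample: the options from the Ganeti-generated argv that matter
# here (the full command line in the report carries many more).
SAMPLE_ARGV = [
    "/usr/bin/kvm", "-name", "test01.inet.hre.local", "-display", "none",
    "-chroot", "/var/run/ganeti/kvm-hypervisor/chroot/test01.inet.hre.local",
    "-sandbox", "on", "-S", "-runas", "kvm451",
]

AUDIT_SECCOMP = "1326"           # audit record type written for seccomp filter hits
SIGSYS = 31                      # the signal a seccomp kill is reported with
AUDIT_ARCH_X86_64 = 0xC000003E   # arch= of a native x86_64 syscall

# x86_64 syscall numbers (kernel syscall table) for the calls QEMU makes when
# it confines itself (-chroot) or drops privileges (-runas).
X86_64_SYSCALLS = {
    105: "setuid", 106: "setgid", 116: "setgroups",
    117: "setresuid", 119: "setresgid", 161: "chroot",
}

# Which command-line option a killed syscall is attributable to. The -runas
# entries are an assumption about how QEMU drops to a user; the report itself
# only demonstrates the -chroot case.
OPTION_FOR_SYSCALL = {"chroot": "-chroot"}
OPTION_FOR_SYSCALL.update({s: "-runas" for s in
                           ("setuid", "setgid", "setgroups", "setresuid", "setresgid")})

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit line into its key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def diagnose_seccomp_kill(line):
    """Decode a type=1326 record: which binary died, on which syscall, and which
    QEMU option that syscall belongs to. Returns None for other record types."""
    f = parse_audit_record(line)
    if f.get("type") != AUDIT_SECCOMP:
        return None
    nr = int(f["syscall"])
    native = int(f["arch"], 16) == AUDIT_ARCH_X86_64
    name = X86_64_SYSCALLS.get(nr, "unknown") if native else "unknown"
    return {
        "pid": int(f["pid"]),
        "exe": f.get("exe", ""),
        "sigsys": int(f["sig"]) == SIGSYS,
        "syscall_nr": nr,
        "syscall": name,
        "option": OPTION_FOR_SYSCALL.get(name),
    }


def syscalls_needed_by_options(argv):
    """Syscalls that the confinement options in argv issue once QEMU's seccomp
    filter is already loaded (the ordering the report's audit line shows for
    chroot). The -runas set (setgid/setgroups/setuid) is an assumption."""
    needed = set()
    if "-chroot" in argv:
        needed.add("chroot")
    if "-runas" in argv:
        needed.update({"setgid", "setgroups", "setuid"})
    return needed


def sandbox_conflicts(argv):
    """Syscalls the seccomp whitelist must contain for this argv to survive
    '-sandbox on'; empty when the sandbox is off or no such option is used."""
    try:
        sandbox_on = argv[argv.index("-sandbox") + 1] == "on"
    except (ValueError, IndexError):
        sandbox_on = False
    return syscalls_needed_by_options(argv) if sandbox_on else set()


if __name__ == "__main__":
    kill = diagnose_seccomp_kill(SAMPLE_AUDIT_LINE)
    print("pid %(pid)d (%(exe)s) killed by seccomp on %(syscall)s(%(syscall_nr)d), "
          "attributable to %(option)s" % kill)
    print("whitelist entries this argv needs:", sorted(sandbox_conflicts(SAMPLE_ARGV)))
```

Run it as-is to see the report's record decoded, or feed it lines from `dmesg` / `ausearch -m SECCOMP` and the argv from `ps -o args` of the QEMU process. The syscall table is deliberately small: it covers only the privilege-dropping calls at issue here, and any other number decodes as "unknown" rather than being guessed.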