Use hugepages source type='memfd' to avoid hugetlbfs selinux issues #3781

Closed
crobinso opened this issue Jul 7, 2020 · 8 comments · Fixed by #4027
crobinso (Contributor) commented Jul 7, 2020

Use of <hugepages> with libvirt by default uses hugetlbfs. This provokes some selinux violations with plain container_t, so virt_launcher_t needs to enable extra rules to account for this: https://github.com/kubevirt/kubevirt/blob/master/cmd/virt-handler/virt_launcher.cil

@berrange suggested Kubevirt can avoid these issues by using memfd instead of hugetlbfs. The libvirt XML is:

  <memoryBacking>
    <hugepages/>
    <source type='memfd'/>
  </memoryBacking>

At present this also requires <numa> configuration, the most basic is:

  <cpu>
    <numa>
      <cell cpus='0-$vcpus' memory='$memory'/>
    </numa>
  </cpu>

The numa requirement is a qemu limitation that is fixed in qemu 5.0.0 (see this commit) but needs libvirt support before it can be used.

qemu-kvm in av-8.2 libvirt container has memfd support but not the older versions.

/kind enhancement

rmohr (Member) commented Jul 28, 2020

Thanks @crobinso .

/assign @jean-edouard

alicefr added a commit to alicefr/kubevirt that referenced this issue Aug 20, 2020
Add source field and set it equal to memfd.
Workaround for issue:
	kubevirt#3781

Signed-off-by: Alice Frosi <afrosi@redhat.com>
alicefr (Member) commented Sep 1, 2020

@crobinso @berrange do you know from which version libvirt started to support memfd as memory backing?

berrange (Contributor) commented Sep 1, 2020

From 4.10.0 onwards - see https://libvirt.org/formatdomain.html#memory-backing

crobinso (Contributor, Author) commented Sep 1, 2020

@alicefr @berrange but the only qemu version build that supports memfd that kubevirt has is 4.2.0-27.el8. Any other build doesn't have support enabled yet. I'm not sure what kubevirt's test matrix is though, so maybe that's not relevant.

alicefr (Member) commented Sep 1, 2020

@crobinso it is. Some of the tests in the CI are failing because memfd is not supported. I was looking at it with @vladikr and it seems that the testsuite is based on centos 7.

crobinso (Contributor, Author) commented Sep 1, 2020

@alicefr right, I believe they use centos7 as the base OS, but you'll want to specifically check the qemu package version installed there, because they are all based on RHEL8 qemu content currently. The question is whether it's version 4.2.0-27 or something older.

alicefr (Member) commented Sep 1, 2020

@crobinso so, do you think that simply checking the libvirtd version doesn't help? I was thinking of simply setting memfd only if libvirtd is newer than 4.10.0.

crobinso (Contributor, Author) commented Sep 1, 2020

@alicefr in practice for kubevirt it may be sufficient if libvirt 4.10 is always paired with a new enough qemu in their CI, I'm not sure. Give it a spin and see if it works.

libvirt should be reporting this in its domcapabilities output though which is meant for reporting these types of features, but unfortunately that support is missing (and kubevirt isn't consuming domcapabilities yet anyways)
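As an added example (not code from this issue or from KubeVirt), the two fragments from the opening post and the libvirt-version gate proposed later in the thread, generated in Go. The type and function names, the KiB unit for the cell memory, and the sample guest size are assumptions; as the thread says, a libvirt version check does not prove the paired qemu was built with memfd support.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Fragments from the issue: memfd-backed <hugepages/> and the <numa> cell qemu < 5.0 needs.
type Hugepages struct{}
type Source struct{ Type string `xml:"type,attr"` }
type MemoryBacking struct {
	XMLName   xml.Name   `xml:"memoryBacking"`
	Hugepages *Hugepages `xml:"hugepages"`
	Source    *Source    `xml:"source"` // nil keeps libvirt's hugetlbfs default
}
type NUMACell struct {
	CPUs   string `xml:"cpus,attr"`
	Memory uint64 `xml:"memory,attr"` // KiB, libvirt's default unit (assumption)
}
type NUMA struct{ Cells []NUMACell `xml:"cell"` }
type CPU struct {
	XMLName xml.Name `xml:"cpu"`
	NUMA    *NUMA    `xml:"numa"`
}

// libvirtSupportsMemfd: memfd backing arrived in libvirt 4.10.0; the qemu side is not checked here.
func libvirtSupportsMemfd(version string) (bool, error) {
	var major, minor int
	_, err := fmt.Sscanf(version, "%d.%d", &major, &minor) // accepts "4.10" and "4.10.0"
	return err == nil && (major > 4 || (major == 4 && minor >= 10)), err
}

// hugepageConfig: memoryBacking plus, with memfd, the single NUMA cell (cpus 0..vcpus-1) qemu < 5.0 requires.
func hugepageConfig(vcpus uint, memKiB uint64, libvirtVer string) (MemoryBacking, *CPU, error) {
	mb := MemoryBacking{Hugepages: &Hugepages{}}
	ok, err := libvirtSupportsMemfd(libvirtVer)
	if err != nil || !ok || vcpus == 0 {
		return mb, nil, err // hugetlbfs fallback (or a version parse error)
	}
	mb.Source = &Source{Type: "memfd"}
	cell := NUMACell{CPUs: fmt.Sprintf("0-%d", vcpus-1), Memory: memKiB}
	return mb, &CPU{NUMA: &NUMA{Cells: []NUMACell{cell}}}, nil
}

func main() {
	mb, cpu, _ := hugepageConfig(4, 2097152, "6.0.0") // constructed 2 GiB guest
	mbXML, _ := xml.MarshalIndent(mb, "", "  ")
	cpuXML, _ := xml.MarshalIndent(cpu, "", "  ")
	fmt.Printf("%s\n%s\n", mbXML, cpuXML)
}
```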
