Apparmor blocks usb devices in libvirt in Saucy

I found a workaround by adding the following to /etc/apparmor.d/abstractions/libvirt-qemu :

  /dev/bus/usb/ r,
  /etc/udev/udev.conf r,
  /sys/bus/ r,
  /sys/class/ r,

I have not tested this myself, but the accesses listed in comment #1 look ok to add to /etc/apparmor.d/abstractions/libvirt-qemu. Seems like qemu changed the way it finds things and needs these new accesses.

Quoting Jamie Strandboge (<email address hidden>):
> I have not tested this myself, but the accesses listed in comment #1
> look ok to add to /etc/apparmor.d/abstractions/libvirt-qemu. Seems like
> qemu changed the way it finds things and needs these new accesses.

Thanks, Jamie. I've not yet tested myself (kvm module not loading)
but I'll add the permissions after testing.

 importance: high
 status: confirmed

@ClaudeD,

could you please list either a kvm command line or a virsh dumpxml output (or both) for a domain that has trouble? I tried to reproduce jsut passing in a yubikey, but had no permission problems.

(in my test, the kvm command was started with specific hostbus=2,hostaddr=4 information, so presumably you're passing in something more generic which requires qemu to look for host info...)

<domain type='kvm'>
   <name>windows-xp</name>
   <uuid>655920dd-7b6f-f20b-bb77-b5bbaa133eee</uuid>
   <memory unit='KiB'>1048576</memory>
   <currentMemory unit='KiB'>1048576</currentMemory>
   <vcpu placement='static' current='1'>2</vcpu>
   <os>
     <type arch='x86_64' machine='pc-i440fx-1.4'>hvm</type>
     <boot dev='hd'/>
   </os>
   <features>
     <acpi/>
     <apic/>
     <pae/>
   </features>
   <clock offset='localtime'/>
   <on_poweroff>destroy</on_poweroff>
   <on_reboot>restart</on_reboot>
   <on_crash>restart</on_crash>
   <devices>
     <emulator>/usr/bin/kvm-spice</emulator>
     <disk type='file' device='disk'>
       <driver name='qemu' type='raw' cache='writeback'/>
       <source file='/home/vm/windowsxp.img'/>
       <target dev='vda' bus='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x07'
function='0x0'/>
     </disk>
     <disk type='file' device='cdrom'>
       <driver name='qemu' type='raw'/>
       <target dev='hdc' bus='ide'/>
       <readonly/>
       <address type='drive' controller='0' bus='1' target='0' unit='0'/>
     </disk>
     <controller type='usb' index='0'>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x01'
function='0x2'/>
     </controller>
     <controller type='ide' index='0'>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x01'
function='0x1'/>
     </controller>
     <controller type='virtio-serial' index='0'>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x05'
function='0x0'/>
     </controller>
     <controller type='pci' index='0' model='pci-root'/>
     <interface type='network'>
       <mac address='52:54:00:4f:de:62'/>
       <source network='default'/>
       <model type='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
function='0x0'/>
     </interface>
     <serial type='pty'>
       <target port='0'/>
     </serial>
     <console type='pty'>
       <target type='serial' port='0'/>
     </console>
     <channel type='spicevmc'>
       <target type='virtio' name='com.redhat.spice.0'/>
       <address type='virtio-serial' controller='0' bus='0' port='1'/>
     </channel>
     <input type='tablet' bus='usb'/>
     <input type='mouse' bus='ps2'/>
     <graphics type='spice' autoport='yes'/>
     <sound model='ich6'>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x04'
function='0x0'/>
     </sound>
     <video>
       <model type='qxl' ram='65536' vram='65536' heads='1'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x02'
function='0x0'/>
     </video>
     <hostdev mode='subsystem' type='usb' managed='yes'>
       <source>
         <vendor id='0x03f0'/>
         <product id='0x7504'/>
       </source>
     </hostdev>
     <hostdev mode='subsystem' type='usb' managed='yes'>
       <source>
         <vendor id='0x0fcf'/>
         <product id='0x1004'/>
       </source>
     </hostdev>
     <hostdev mode='subsystem' type='usb' managed='yes'>
       <source>
         <vendor id='0x9710'/>
         <product id='0x7780'/>
       </source>
     </hostdev>
     <memballoon model='virtio'>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x06'
function='0x0'/>
...

Using the #1 work around, got my USB devices working again.
(Installed USBDeview in Windows to have a view of the USB tree in Windows guest.)

Oh, and I had been using kvm-qemu via the virtual machine manager.
Here's what my qemu command looks like:

medberry@handsofblue:~$ sudo cat /proc/3378/cmdline |xargs -0
qemu-system-x86_64 -machine accel=kvm:tcg -name Fitbit -S -machine pc-i440fx-1.5,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 162efb1b-c7c6-e1ee-ee57-cadf20930861 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/Fitbit.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/home/medberry/Documents/Win7.qcow,if=none,id=drive-ide0-0-0,format=raw -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -netdev tap,fd=27,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:8c:87:ac,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -vga std -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device usb-host,hostbus=3,hostaddr=9,id=hostdev0 -device usb-host,hostbus=3,hostaddr=10,id=hostdev1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5

xml for my domain

@Serge

I was passing in specific devices all along and this just doesn't work in Saucy.

medberry@handsofblue:~$ dpkg -l libvirt-bin qemu-system
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============================================-============================-============================-===================================================================================================
ii libvirt-bin 1.1.1-0ubuntu8 amd64 programs for the libvirt library
ii qemu-system 1.5.0+dfsg-3ubuntu5 amd64 QEMU full system emulation binaries

(and yes I was able to setup my new Fitbit Force after all the hoop jumping... Yay)

Updates should be made to:
https://help.ubuntu.com/community/KVM/Managing
for the USB Passthrough method.

(It also may have some errors--are we still limited to USB 1.1?)

@med,

I'm confused. What is "the #1 workaround" in comment #6, and what are you saying in comment #9 that does not work?

My intent is to push the apparmor lines into policy as soon as 1.1.4 hits trusty, then SRU to saucy. Though if you're saying that does not work, then not :)

This bug was fixed in the package libvirt - 1.1.4-0ubuntu2

---------------
libvirt (1.1.4-0ubuntu2) trusty; urgency=low

  * debian/patches/9002-better_default_uri_virsh.patch: Update to fix the
    FTBFS.
 -- Chuck Short <email address hidden> Wed, 13 Nov 2013 11:04:29 -0500

Hello ClaudeD, or anyone else affected,

Accepted libvirt into saucy-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libvirt/1.1.1-0ubuntu8.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello libvirt people,

I've been experimenting with kvm with saucy host and guests in the last couple days. I ran into the problem where, while the desktop vm launched correctly, I was unable to type in my password or click into that field--usb seemed to not work. So, I followed the directions in #13 and it's links and did the EnabledProposed. I installed the libvirt/1.1.1-0ubuntu8.2 package, but it didn't work at first. Now, I don't know if it would have at that point if I had added the USB controller (I think it was, I'm not in front of that computer now) at that time and set it to USB 2, but anyway, at first it didn't work. So then I installed all of the regular kvm packages in the proposed group that had the -0ubuntu8.2 numbering, I think there were 5 altogether. Anyway, after I added these 5 proposed packages, added the USB controller and set to USB 2, it work great. I wish I had more precise details. I'm now using one vm for a saucy desktop with spice and also have a 12.04 vm server using a .vdi that I imported from vbox (after converting to .gcow2). Thanks for your work. Let me know if I can provide further info.

Tested 1.1.1-0ubuntu8.2 on my workstation : usb devices were correctly detected and activated in my Windows XP guest.

I have installed the update 1.1.1-0ubuntu8.2 in a test environment and it's looking good now. Is it possible to upgrade our servers with apt-get upgrade (how long will it take before it is available?) or must I use the proposed package?

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package libvirt - 1.1.1-0ubuntu8.2

---------------
libvirt (1.1.1-0ubuntu8.2) saucy-proposed; urgency=low

  * add d/p/util_use_w_flag_when_calling_iptables.patch (LP: #1245322)
  * debian/apparmor/libvirt-qemu: allow access to usb info (LP: #1245251)
  * debian/apparmor/libvirt-qemu: allow access to hugepages mounts
    (LP: #1250216)
 -- Serge Hallyn <email address hidden> Thu, 14 Nov 2013 10:09:24 -0600