<div dir="ltr">Yeah, AppArmor is enabled, but I put everything (that I could find) into complain mode:<div><br></div><div><div>$ sudo apparmor_status</div><div>apparmor module is loaded.</div><div>12 profiles are loaded.</div> <div>3 profiles are in enforce mode.</div><div> lxc-container-default</div><div> lxc-container-default-with-mounting</div><div> lxc-container-default-with-nesting</div><div>9 profiles are in complain mode.</div><div> /sbin/dhclient</div><div> /usr/bin/lxc-start</div><div> /usr/lib/NetworkManager/nm-dhcp-client.action</div><div> /usr/lib/connman/scripts/dhclient-script</div><div> /usr/lib/libvirt/virt-aa-helper</div><div> /usr/sbin/libvirtd</div> <div> /usr/sbin/ntpd</div><div> /usr/sbin/rsyslogd</div><div> /usr/sbin/tcpdump</div><div>3 processes have profiles defined.</div><div>0 processes are in enforce mode.</div><div>2 processes are in complain mode.</div> <div> /usr/sbin/libvirtd (30419)</div><div> /usr/sbin/ntpd (3418)</div><div>1 processes are unconfined but have a profile defined.</div><div> /usr/sbin/rsyslogd (626)</div></div><div><br></div><div>And still get issues. From libvirtd.log:</div> <div><br></div><div><div>2014-04-16 22:19:10.855+0000: 30419: info : libvirt version: 1.2.2</div><div>2014-04-16 22:19:10.855+0000: 30419: error : virNetSocketReadWire:1446 : Cannot recv data: Connection reset by peer</div> <div>2014-04-16 22:19:10.940+0000: 30420: error : virLXCProcessStart:1299 : internal error: guest failed to start: Unable to create device //var/run/libvirt/lxc/oshi32134.dev/bus/usb//002//003: Operation not permitted</div> <div><br></div><div>2014-04-16 22:19:10.964+0000: 30420: warning : virLXCDomainReAttachHostUsbDevices:388 : Unable to find device 000.000 in list of active USB devices</div></div><div><br></div><div>Thanks in advance for any help, Daniel!</div> <div><br></div><div>Cheers,</div><div>Fil</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 15, 2014 at 1:33 AM, Daniel P. Berrange <span dir="ltr"><<a href="mailto:berrange@redhat.com" target="_blank">berrange@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Fri, Apr 11, 2014 at 05:32:28PM -0700, Filip Maj wrote:<br> > Hi!<br> ><br> > First post, kind of a noobie. I've been working with LXC and libvirt for a<br> > few months now. Trying to do some interesting things with containers and<br> > Android devices :D<br> </div><div><div class="h5">> Here's my entire domain definition:<br> ><br> > <domain type='lxc'><br> > <name>oshi32134</name><br> > <uuid>xxxxx</uuid><br> > <memory unit='KiB'>3145728</memory><br> > <currentMemory unit='KiB'>3145728</currentMemory><br> > <vcpu placement='static'>1</vcpu><br> > <resource><br> > <partition>/machine</partition><br> > </resource><br> > <os><br> > <type arch='i686'>exe</type><br> > <init>/sbin/init</init><br> > </os><br> > <clock offset='utc'/><br> > <on_poweroff>destroy</on_poweroff><br> > <on_reboot>restart</on_reboot><br> > <on_crash>destroy</on_crash><br> > <devices><br> > <emulator>/usr/lib/libvirt/libvirt_lxc</emulator><br> > <filesystem type='mount' accessmode='passthrough'><br> > <source dir='/some/valid/filesystem/location'/><br> > <target dir='/'/><br> > </filesystem><br> > <filesystem type='mount' accessmode='passthrough'><br> > <source dir='/another/valid/filesystem/location'/><br> > <target dir='/mnt/android'/><br> > </filesystem><br> > <interface type='bridge'><br> > <mac address='xx:xx:xx:xx:xx:xx'/><br> > <source bridge='br1'/><br> > </interface><br> > <console type='pty'><br> > <target type='lxc' port='0'/><br> > </console><br> > <hostdev mode='capabilities' type='misc'><br> > <source><br> > <char>/dev/kvm</char><br> > </source><br> > </hostdev><br> > <hostdev mode='subsystem' type='usb' managed='yes'><br> > <source><br> > <vendor id='0x04e8'/><br> > <product id='0x6860'/><br> > </source><br> > </hostdev><br> > </devices><br> > </domain><br> <br> </div></div>Your config looks fine here.<br> <div class=""><br> ><br> > Everything worked fine until I added the USB <hostdev> element. I'm<br> > essentially trying to get access to a physical Android device connected to<br> > the host from inside a container. When I go to start the container, I get<br> > an error about Operation not permitted. Here's the relevant bits from<br> > /var/log/libvirt/lxc/machine.log:<br> ><br> > 2014-04-11 22:46:40.491+0000: starting up<br> > PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin<br> > LIBVIRT_DEBUG=3 LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/libvirt_lxc<br> > --name oshi32134 --console 24 --security=none --handshake 27 --background<br> > --veth vnet1<br> > 2014-04-11 22:46:40.597+0000: 685: info : libvirt version: 1.2.2<br> > 2014-04-11 22:46:40.597+0000: 685: error :<br> > virLXCControllerSetupHostdevSubsysUSB:1390 : Unable to create device<br> > //var/run/libvirt/lxc/oshi32134.dev/bus/usb//002//003: Operation not<br> > permitted<br> > Unable to create device<br> > //var/run/libvirt/lxc/oshi32134.dev/bus/usb//002//003: Operation not<br> > permitted<br> <br> </div>Do you have AppArmour enabled on the machine. That seems like the<br> most likely thing that would result in libvirt getting that permission<br> error.<br> <div class="HOEnZb"><div class="h5"><br> Regards,<br> Daniel<br> --<br> |: <a href="http://berrange.com" target="_blank">http://berrange.com</a> -o- <a href="http://www.flickr.com/photos/dberrange/" target="_blank">http://www.flickr.com/photos/dberrange/</a> :|<br> |: <a href="http://libvirt.org" target="_blank">http://libvirt.org</a> -o- <a href="http://virt-manager.org" target="_blank">http://virt-manager.org</a> :|<br> |: <a href="http://autobuild.org" target="_blank">http://autobuild.org</a> -o- <a href="http://search.cpan.org/~danberr/" target="_blank">http://search.cpan.org/~danberr/</a> :|<br> |: <a href="http://entangle-photo.org" target="_blank">http://entangle-photo.org</a> -o- <a href="http://live.gnome.org/gtk-vnc" target="_blank">http://live.gnome.org/gtk-vnc</a> :|<br> </div></div></blockquote></div><br></div>