Not able to add pcie card to guest: Operation not permitted

Mauricio Tavares raubvogel at gmail.com
Sat Apr 25 11:27:04 UTC 2020 

On Fri, Apr 24, 2020 at 9:30 PM Mauricio Tavares <raubvogel at gmail.com> wrote:
>
> On Fri, Apr 24, 2020 at 4:35 PM Peter Crowther
> <peter.crowther at melandra.com> wrote:
> >
> > On Fri, 24 Apr 2020 at 21:10, Mauricio Tavares <raubvogel at gmail.com> wrote:
> >>
> >> Let's say I have libvirt
> >>
> >> [root at vmhost2 ~]# virsh version
> >> [...]
> >>
> >> Running hypervisor: QEMU 2.12.0
> >> [root at vmhost2 ~]#
> >> [...]
> >
> > When I try to start the guest I get the following error message:
> >>
> >>
> >> [root at vmhost2 ~]# virsh start testfedora
> >> error: Failed to start domain testfedora
> >> error: internal error: qemu unexpectedly closed the monitor:
> >> 2020-04-24T20:01:35.341020Z qemu-kvm: -device
> >> vfio-pci,host=01:00.0,id=hostdev0,bus=pci.8,addr=0x0: vfio error:
> >> 0000:01:00.0: failed to setup INTx fd: Operation not permitted
> >>
> >> [root at vmhost2 ~]#
> >>
> >> Why is it telling me that is not permitted?
> >>
> > The guest will be running as qemu on the host.  Does qemu have appropriate permissions in the host, and does that include in any hardening like SElinux that you're running?
> >
>
> I tried with selinux in permissive mode to see if it made a
> difference. Not much.
>
> [root at vmhost2 ~]# getenforce
> Permissive
> [root at vmhost2 ~]# virsh start testfedora
> error: Failed to start domain testfedora
> error: internal error: qemu unexpectedly closed the monitor:
> 2020-04-25T00:43:36.621246Z qemu-kvm: -device
> vfio-pci,host=01:00.0,id=hostdev0,bus=pci.8,addr=0x0: vfio error:
> 0000:01:00.0: failed to setup INTx fd: Operation not permitted
>
> [root at vmhost2 ~]#
>
> For the fun of it, I swapped that card with another one (same speed,
> number of ports, diff brand), so it is on th every sam epci slot:
>
> [root at vmhost2 ~]# virsh nodedev-dumpxml pci_0000_01_00_0
> <device>
>   <name>pci_0000_01_00_0</name>
>   <path>/sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0</path>
>   <parent>pci_0000_00_01_0</parent>
>   <driver>
>     <name>vfio-pci</name>
>   </driver>
>   <capability type='pci'>
>     <domain>0</domain>
>     <bus>1</bus>
>     <slot>0</slot>
>     <function>0</function>
>     <product id='0x4000' />
>     <vendor id='0x19ee'>Netronome Systems, Inc.</vendor>
>     <capability type='virt_functions' maxCount='64'/>
>     <iommuGroup number='1'>
>       <address domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
>       <address domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
>     </iommuGroup>
>     <pci-express>
>       <link validity='cap' port='0' speed='8' width='8'/>
>       <link validity='sta' speed='2.5' width='8'/>
>     </pci-express>
>   </capability>
> </device>
>
>
> [root at vmhost2 ~]#
>
> And it starts without an issue:
>
> [root at vmhost2 ~]# virsh start testfedora
> Domain testfedora started
>
> [root at vmhost2 ~]#
>
> Inside the guest:
>
> [root at testfedora ~]# dmesg |grep -i netronome
> [   12.327316] nfp: NFP PCIe Driver, Copyright (C) 2014-2017 Netronome Systems
> [   12.335036] nfp 0000:07:00.0: Netronome Flow Processor
> NFP4000/NFP5000/NFP6000 PCIe Card Probe
> [root at testfedora ~]#
>
> so I do not know what is going on.
>
      My last statement can be translated to "I am doing PCI
passthrough, which to me means I am passing the entire card --
whatever it is -- to the guest." Just for the sake of argument, I also
created a centos8 guest and had the same outcome. Who is doing the pci
passthrough thingie: libvirt or qemu? Just want to see where I should
put my efforts on.

I have the

Also, I decided for the fun of it to create a docker container in the
same host and pass the card to it. That seemed to have worked better

[root at ce3077ee015c /]# ls /sys/bus/pci/devices/0000\:01\:00.0/
aer_dev_correctable       infiniband_srp/           pools
aer_dev_fatal             infiniband_verbs/         power/
aer_dev_nonfatal          iommu/                    remove
ari_enabled               iommu_group/              rescan
broken_parity_status      irq                       reset
class                     local_cpulist             resource
config                    local_cpus                resource0
consistent_dma_mask_bits  max_link_speed            resource2
current_link_speed        max_link_width            resource2_wc
current_link_width        mlx4_port1                revision
d3cold_allowed            mlx4_port1_mtu            rom
device                    mlx4_port2                subsystem/
dma_mask_bits             mlx4_port2_mtu            subsystem_device
driver/                   modalias                  subsystem_vendor
driver_override           msi_bus                   uevent
enable                    msi_irqs/                 vendor
infiniband/               net/                      vpd
infiniband_mad/           numa_node

[root at ce3077ee015c /]# cat /sys/bus/pci/devices/0000\:01\:00.0/device
0x1003
[root at ce3077ee015c /]#

Of course the test is to configure card to use or to program it, but I
have so far been more successful. Which makes me even more confused.

> > Cheers,
> >
> > - Peter
> >

More information about the libvirt-users mailing list