Looking Glass Error - AppArmor

Error starting domain: internal error: process exited while connecting to monitor:
2019-11-24T04:48:19.002966Z qemu-system-x86_64: -object memory-backend-file,id=shmmem-shmem0,mem-path=/dev/shm/looking-glass,size=33554432,share=yes: can't open backing store /dev/shm/looking-glass for guest RAM: Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 89, in b_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 125, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 82, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1508, in startup
    self._backend.create()
  File "/usr/lib/python2.7/dist-packages/libvirt.py", line 1062, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: internal error: process exited while connecting to monitor: 2019-11-24T04:48:19.002966Z qemu-system-x86_64: -object memory-backend-file,id=shmmem-shmem0,mem-path=/dev/shm/looking-glass,size=33554432,share=yes: can't open backing store /dev/shm/looking-glass for guest RAM: Permission denied

I’ve done some looking online but I am yet to find any information on how I can address this error. If it matters I am running ubuntu 18.04 and two GPU’s the main being a gtx 650 for my linux host and an RX 580 for the windows guest. On a Ryzen 2nd gen platform.

You have a general file permission error, qemu doesn’t have permission to create and/or open the file /dev/shm/looking-glass

Perhaps someone here better versed with libvirt can help you with the specifics, also please ensure you followed the official LG wiki.

https://looking-glass.hostfission.com/wiki/index.php?title=Installation

Followed the guide right up until the part were you have to start the VM. Did it several times to make sure I had no mistakes up until that point. Even adjusting the permissions of the directory doesn’t seem to fix it.

Each Linux distro is different, this is not a Looking Glass issue but an issue with understanding and configuring file access permissions. You might also have SELinux or AppArmor getting in the way, but without using libvirt myself on Ubuntu there is little help I can give you.

I suggest you do some research on how file permissions work on Linux and start your investigations from there. Remember that libvirt tells qemu to run and switch users during it’s startup, it may not be running as who you think it is when it tries to open the shared memory device.

IIRC it starts as the KVM user, and then switches to libvirt, or your user account, I don’t recall the specifics.

If you need some help understanding file permission modes I have a video here that explains exactly what chmod is doing and how to use it properly.

For future reference of ubuntu users, the problem is apparmor disabling it worked a charm. Thanks a bunch for the help gnif cheers.

2 Likes

No need to disable apparmor. This is what I posed in the Mint forums

Preview: (SOLVED) Cannot start LookingGlass permission denied error attempting to access \dev\shm\looking-glass

Hi All,

This is my first post here and my first week using Mint and pretty much linux in general. I ended up on this road because I found the idea of GPU passthrough to be one of the best things to hit the VM world that I know of. A true win for on the metal or close to the metal hypervisors.

After much experimentation and a few setbacks I have Linux Mint running with passthrough for an Nvidia GT 1030 and it works very well. I started playing around with LookingGlass ( not working quite yet ) and I hit this and solved it along the way, thought I would share the answer.

Using Virtual Machine Manger

The error happens becasuse Apparmor, although having a profile for libvirt, does not allow the virtual machine to access the passthrough memory that lookingglass needs to relay the video memory pack and forth.
This will start to occur right after you add the section

<shmem name='looking-glass'>
  <model type='ivshmem-plain'/>
  <size unit='M'>32</size>
</shmem>

to your VM.
You can confirm this is caused by app armor by

:~$ dmesg | grep apparmor

and looking for

[39429.125121] audit: type=1400 audit(1575395500.878:51): apparmor="DENIED" operation="mknod" profile="libvirt-afe8d93f-f233-4f65-9dc0-4b03c8eb5750" name="[color=#4000FF]/dev/shm/looking-glass[/color]" pid=6133 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=64055 ouid=64055

you can also confirm the virtual machine by

sudo virsh edit yourvmname

)

<domain type='kvm'>
  <name>MSRemote</name>
  <uuid>afe8d93f-f233-4f65-9dc0-4b03c8eb5750</uuid>

at the start of the VM you just edited

This can be fixed without disabling apparmor by adding this line

/dev/shm/looking-glass rw,

to /etc/apparmor.d/abstractions/libvirt-qemu ( or possibly lxc depending on your use )
and this will effect all current and new VMs

Reference on this setting is here.

I guess I cant post a link. reference for this setting is at apparmor/apparmor/wikis/Libvirt
in the gitlab page for apparmor. there is a section devoted to libvirt

cheers

1 Like

Permission resolution described in evdev passthrough guide:

This issue should be fixed in libvirt 5.10, with no manual policy changes required.

https://www.libvirt.org/news.html#v5.10.0
https://bugzilla.redhat.com/show_bug.cgi?id=1761645

1 Like

@pantato
This particular rabbit hole resulted in a bigger permission nightmare than you can possibly imagine. :pensive:

So what’s going on now? I can help.

1 Like