qemu kvm permission denied error despite running as root

My qemu/kvm setup was working fine. Then one day I rebooted it and it would no longer work. It had run stably for about 1-2 years (ignoring hardware issues; it ran fine with both nvidia and amd) until recently, when it started throwing permission errors. The only thing I can think of is that I installed openssh (+ufw) around the time it stopped working.

But when qemu-kvm is set to run as root, why would it break with a permission error?

Is there a command I can run to see what is blocking it? I'm out of ideas.

I've gone back through all the instructions I used when setting up the VM and can't find the problem; as you'd expect, I haven't touched the config files. I also tried changing dynamic_ownership = 0 (was 1) in qemu.conf, but that wasn't necessary before and didn't fix it either. I also tried booting without vfio, and yes, the nvidia driver works fine, so this is not a hardware problem. That's what I'd expect, because when I had hardware problems with amd I didn't get permission errors; it just failed to boot inside the VM, or the VM crashed later.

Before it stopped working, the log read (/var/log/libvirt/gamingvm.log):

2019-04-14 04:15:32.147+0000: starting up libvirt version: 1.3.1, package: 1ubuntu10.24 (Marc Deslauriers <[email protected]> Wed, 23 May 2018 13:29:29 -0400), qemu version: 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.34), hostname: freeman
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin QEMU_PA_SAMPLES=128 QEMU_AUDIO_DRV=alsa /usr/bin/qemu-system-x86_64 -name gamingvm -S -machine pc-q35-2.5,accel=kvm,usb=off -cpu host,hv_time,hv_relaxed,hv_vapic,hv_spinlocks=0x1fff -bios /usr/share/qemu/OVMF.fd -m 16000 -realtime mlock=off -smp 6,sockets=1,cores=3,threads=2 -uuid 01bd2ed1-b465-4eba-b6e4-47c6ac8171c6 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-gamingvm/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -boot menu=on,strict=on -device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1e -device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x1 -device piix3-usb-uhci,id=usb,bus=pci.2,addr=0x4 -device piix3-usb-uhci,id=usb1,bus=pci.2,addr=0x5 -device piix3-usb-uhci,id=usb2,bus=pci.2,addr=0x6 -device piix3-usb-uhci,id=usb3,bus=pci.2,addr=0x7 -drive file=/home/free/VM/Win7/Win7.img,format=raw,if=none,id=drive-sata0-0-0 -device ide-hd,bus=ide.0,drive=drive-sata0-0-0,id=sata0-0-0,bootindex=2 -drive file=/home/free/VM/Win7/W10X64.MULTi7.RS2.APR2017.ISO,format=raw,if=none,media=cdrom,id=drive-sata0-0-1,readonly=on -device ide-cd,bus=ide.1,drive=drive-sata0-0-1,id=sata0-0-1,bootindex=1 -netdev tap,fd=26,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:36:3b:c4,bus=pci.2,addr=0x1 -device usb-tablet,id=input0 -device AC97,id=sound0,bus=pci.2,addr=0x2 -soundhw ac97 -device ioh3420,bus=pcie.0,addr=1c.0,multifunction=on,port=1,chassis=1,id=root.1 -device vfio-pci,host=01:00.0,bus=root.1,addr=00.0,multifunction=on,x-vga=on -cpu host,kvm=off -msg timestamp=on
Domain id=1 is tainted: high-privileges
Domain id=1 is tainted: custom-argv
Domain id=1 is tainted: host-cpu
2019-04-14T04:24:37.110750Z qemu-system-x86_64: terminating on signal 15 from pid 1248
2019-04-14 04:24:39.913+0000: shutting down
2019-04-14 04:24:49.146+0000: shutting down

--- ran fine for 10 minutes

   2019-04-14 04:25:22.871+0000: starting up libvirt version: 1.3.1, package: 1ubuntu10.24 (Marc Deslauriers <[email protected]> Wed, 23 May 2018 13:29:29 -0400), qemu version: 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.34), hostname: freeman
    LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin QEMU_PA_SAMPLES=128 QEMU_AUDIO_DRV=alsa /usr/bin/qemu-system-x86_64 -name gamingvm -S -machine pc-q35-2.5,accel=kvm,usb=off -cpu host,hv_time,hv_relaxed,hv_vapic,hv_spinlocks=0x1fff -bios /usr/share/qemu/OVMF.fd -m 16000 -realtime mlock=off -smp 6,sockets=1,cores=3,threads=2 -uuid 01bd2ed1-b465-4eba-b6e4-47c6ac8171c6 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-gamingvm/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -boot menu=on,strict=on -device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1e -device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x1 -device piix3-usb-uhci,id=usb,bus=pci.2,addr=0x4 -device piix3-usb-uhci,id=usb1,bus=pci.2,addr=0x5 -device piix3-usb-uhci,id=usb2,bus=pci.2,addr=0x6 -device piix3-usb-uhci,id=usb3,bus=pci.2,addr=0x7 -drive file=/home/free/VM/Win7/Win7.img,format=raw,if=none,id=drive-sata0-0-0 -device ide-hd,bus=ide.0,drive=drive-sata0-0-0,id=sata0-0-0,bootindex=2 -drive file=/home/free/VM/Win7/WIN7X64.OEM.ENU.FEB2019.iso,format=raw,if=none,media=cdrom,id=drive-sata0-0-1,readonly=on -device ide-cd,bus=ide.1,drive=drive-sata0-0-1,id=sata0-0-1,bootindex=1 -netdev tap,fd=27,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:36:3b:c4,bus=pci.2,addr=0x1 -device usb-tablet,id=input0 -device AC97,id=sound0,bus=pci.2,addr=0x2 -soundhw ac97 -device ioh3420,bus=pcie.0,addr=1c.0,multifunction=on,port=1,chassis=1,id=root.1 -device vfio-pci,host=01:00.0,bus=root.1,addr=00.0,multifunction=on,x-vga=on -cpu host,kvm=off -msg timestamp=on
    Domain id=3 is tainted: high-privileges
    Domain id=3 is tainted: custom-argv
    Domain id=3 is tainted: host-cpu
    2019-04-14T06:38:03.272728Z qemu-system-x86_64: terminating on signal 15 from pid 1248
    2019-04-14 06:38:05.075+0000: shutting down

-- ran fine for 2 hours

2019-04-24 22:26:52.873+0000: starting up libvirt version: 1.3.1, package: 1ubuntu10.24 (Marc Deslauriers <[email protected]> Wed, 23 May 2018 13:29:29 -0400), qemu version: 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.34), hostname: freeman
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin QEMU_PA_SAMPLES=128 QEMU_AUDIO_DRV=alsa /usr/bin/qemu-system-x86_64 -name gamingvm -S -machine pc-q35-2.5,accel=kvm,usb=off -cpu host,hv_time,hv_relaxed,hv_vapic,hv_spinlocks=0x1fff -bios /usr/share/qemu/OVMF.fd -m 16000 -realtime mlock=off -smp 6,sockets=1,cores=3,threads=2 -uuid 01bd2ed1-b465-4eba-b6e4-47c6ac8171c6 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-gamingvm/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -boot menu=on,strict=on -device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1e -device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x1 -device piix3-usb-uhci,id=usb,bus=pci.2,addr=0x4 -device piix3-usb-uhci,id=usb1,bus=pci.2,addr=0x5 -device piix3-usb-uhci,id=usb2,bus=pci.2,addr=0x6 -device piix3-usb-uhci,id=usb3,bus=pci.2,addr=0x7 -drive file=/home/free/VM/Win10/Win10.img,format=raw,if=none,id=drive-sata0-0-0 -device ide-hd,bus=ide.0,drive=drive-sata0-0-0,id=sata0-0-0,bootindex=2 -drive file=/home/free/VM/Win10/W10X64.MULTi7.RS2.APR2017.ISO,format=raw,if=none,media=cdrom,id=drive-sata0-0-1,readonly=on -device ide-cd,bus=ide.1,drive=drive-sata0-0-1,id=sata0-0-1,bootindex=1 -netdev tap,fd=26,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:36:3b:c4,bus=pci.2,addr=0x1 -device usb-tablet,id=input0 -device AC97,id=sound0,bus=pci.2,addr=0x2 -soundhw ac97 -device ioh3420,bus=pcie.0,addr=1c.0,multifunction=on,port=1,chassis=1,id=root.1 -device vfio-pci,host=01:00.0,bus=root.1,addr=00.0,multifunction=on,x-vga=on -cpu host,kvm=off -msg timestamp=on
Domain id=1 is tainted: high-privileges
Domain id=1 is tainted: custom-argv
Domain id=1 is tainted: host-cpu
2019-04-24T22:26:53.162911Z qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate memory

--- normal - I didn't run it right at boot, so something else had already allocated the memory - I allocate 16GB of 24GB, so if general use means >8gb is already in use when I try to run the VM, it fails; it just means I have to run the VM right after boot, so I rebooted:

2019-04-24 22:29:02.749+0000: starting up libvirt version: 1.3.1, package: 1ubuntu10.24 (Marc Deslauriers <[email protected]> Wed, 23 May 2018 13:29:29 -0400), qemu version: 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.34), hostname: freeman
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin QEMU_PA_SAMPLES=128 QEMU_AUDIO_DRV=alsa /usr/bin/qemu-system-x86_64 -name gamingvm -S -machine pc-q35-2.5,accel=kvm,usb=off -cpu host,hv_time,hv_relaxed,hv_vapic,hv_spinlocks=0x1fff -bios /usr/share/qemu/OVMF.fd -m 16000 -realtime mlock=off -smp 6,sockets=1,cores=3,threads=2 -uuid 01bd2ed1-b465-4eba-b6e4-47c6ac8171c6 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-gamingvm/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=localtime -no-shutdown -boot menu=on,strict=on -device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1e -device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x1 -device piix3-usb-uhci,id=usb,bus=pci.2,addr=0x4 -device piix3-usb-uhci,id=usb1,bus=pci.2,addr=0x5 -device piix3-usb-uhci,id=usb2,bus=pci.2,addr=0x6 -device piix3-usb-uhci,id=usb3,bus=pci.2,addr=0x7 -drive file=/home/free/VM/Win10/Win10.img,format=raw,if=none,id=drive-sata0-0-0 -device ide-hd,bus=ide.0,drive=drive-sata0-0-0,id=sata0-0-0,bootindex=2 -drive file=/home/free/VM/Win10/W10X64.MULTi7.RS2.APR2017.ISO,format=raw,if=none,media=cdrom,id=drive-sata0-0-1,readonly=on -device ide-cd,bus=ide.1,drive=drive-sata0-0-1,id=sata0-0-1,bootindex=1 -netdev tap,fd=26,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:36:3b:c4,bus=pci.2,addr=0x1 -device usb-tablet,id=input0 -device AC97,id=sound0,bus=pci.2,addr=0x2 -soundhw ac97 -device ioh3420,bus=pcie.0,addr=1c.0,multifunction=on,port=1,chassis=1,id=root.1 -device vfio-pci,host=01:00.0,bus=root.1,addr=00.0,multifunction=on,x-vga=on -cpu host,kvm=off -msg timestamp=on
Domain id=1 is tainted: high-privileges
Domain id=1 is tainted: custom-argv
Domain id=1 is tainted: host-cpu
shm_open() failed: Permission denied
Failed to create secure directory (/root/.config/pulse): Permission denied
2019-04-24T22:29:03.119665Z qemu-system-x86_64: -device vfio-pci,host=01:00.0,bus=root.1,addr=00.0,multifunction=on,x-vga=on: vfio: error opening /dev/vfio/1: Permission denied
2019-04-24T22:29:03.119682Z qemu-system-x86_64: -device vfio-pci,host=01:00.0,bus=root.1,addr=00.0,multifunction=on,x-vga=on: vfio: failed to get group 1
2019-04-24T22:29:03.119694Z qemu-system-x86_64: -device vfio-pci,host=01:00.0,bus=root.1,addr=00.0,multifunction=on,x-vga=on: Device initialization failed

No permission!?

OK, so it succeeded on the 14th but failed on April 24. I checked what I installed between April 14 and 24: I installed openssh, which also installed the ufw firewall.

I've been running this install for years and all the software I want is already installed. The last change was almost a month ago. It's very likely related. But it makes no sense to me that openssh or ufw would lock down my nvidia hardware or shm_open? Unless it somehow added security???

grep install /var/log/dpkg.log

2019-04-22 17:14:17 status half-installed openssh-client:amd64 1:7.2p2-4ubuntu2.6
2019-04-22 17:14:17 status half-installed openssh-client:amd64 1:7.2p2-4ubuntu2.6
2019-04-22 17:14:17 install openssh-sftp-server:amd64 <none> 1:7.2p2-4ubuntu2.8
2019-04-22 17:14:17 status half-installed openssh-sftp-server:amd64 1:7.2p2-4ubuntu2.8
2019-04-22 17:14:17 install openssh-server:amd64 <none> 1:7.2p2-4ubuntu2.8
2019-04-22 17:14:17 status half-installed openssh-server:amd64 1:7.2p2-4ubuntu2.8
2019-04-22 17:14:18 status installed man-db:amd64 2.7.5-1
2019-04-22 17:14:18 status installed systemd:amd64 229-4ubuntu21.15
2019-04-22 17:14:18 status installed ureadahead:amd64 0.100.0-19
2019-04-22 17:14:18 status installed ufw:all 0.35-0ubuntu2
2019-04-22 17:14:18 status installed openssh-client:amd64 1:7.2p2-4ubuntu2.8
2019-04-22 17:14:18 status installed openssh-sftp-server:amd64 1:7.2p2-4ubuntu2.8
2019-04-22 17:14:19 status installed openssh-server:amd64 1:7.2p2-4ubuntu2.8
2019-04-22 17:14:19 status installed systemd:amd64 229-4ubuntu21.15
2019-04-22 17:14:19 status installed ureadahead:amd64 0.100.0-19
2019-04-22 17:14:19 status installed ufw:all 0.35-0ubuntu2
2019-04-25 00:39:44 install libapr1:amd64 <none> 1.5.2-3

vfio grabs the card before the graphics driver, as expected. As you can see from the log, the software versions haven't changed.

dmesg | grep vfio

[    5.466467] vfio-pci 0000:01:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=io+mem:owns=none
[    5.484052] vfio_pci: add [10de:1b06[ffff:ffff]] class 0x000000/00000000
[    5.508051] vfio_pci: add [10de:10ef[ffff:ffff]] class 0x000000/00000000
[   38.558212] vfio-pci 0000:01:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=io+mem:owns=none
[   38.576093] vfio-pci 0000:01:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=io+mem:owns=none

Note the attempt to start the VM at 38.5

lspci -v

01:00.0 VGA compatible controller: NVIDIA Corporation GP102 [GeForce GTX 1080 Ti] (rev a1) (prog-if 00 [VGA controller])
    Subsystem: NVIDIA Corporation Device 120f
    Flags: fast devsel, IRQ 11
    Memory at de000000 (32-bit, non-prefetchable) [disabled] [size=16M]
    Memory at c0000000 (64-bit, prefetchable) [disabled] [size=256M]
    Memory at d0000000 (64-bit, prefetchable) [disabled] [size=32M]
    I/O ports at e000 [disabled] [size=128]
    Expansion ROM at df000000 [disabled] [size=512K]
    Capabilities: <access denied>
    Kernel driver in use: vfio-pci
    Kernel modules: nvidiafb, nouveau

/etc/libvirt/qemu.conf is correctly set to

user = "root"
group = "root"
clear_emulator_capabilities = 0
dynamic_ownership = 0 (was 1; I did change it to try to fix this)
cgroup_device_acl = [ includes /dev/vfio/1
nographics_allow_host_audio = 1
vnc_allow_host_audio = 1

dmesg log: (VM started at 14172)

[14072.847851] Valid eCryptfs headers not found in file header region or xattr region, inode 26478193
[14172.505320] vfio-pci 0000:01:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=io+mem:owns=none
[14172.524948] vfio-pci 0000:01:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=io+mem:owns=none
[14173.184929] virbr1: port 1(vnet0) entered blocking state
[14173.184932] virbr1: port 1(vnet0) entered disabled state
[14173.184999] device vnet0 entered promiscuous mode
[14173.201093] virbr1: port 1(vnet0) entered blocking state
[14173.201099] virbr1: port 1(vnet0) entered listening state
[14174.008430] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[14174.078791] virbr1: port 1(vnet0) entered disabled state
[14174.079475] device vnet0 left promiscuous mode
[14174.079478] virbr1: port 1(vnet0) entered disabled state

Any ideas?
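A diagnostic helper, added here as an example and not part of the post above. The post's logs show EACCES on /dev/vfio/1 and on shm_open() for a process running as uid 0 with clear_emulator_capabilities = 0, which is the signature of a mandatory access control block rather than file-mode permissions: on Ubuntu, libvirt normally confines each guest's qemu process with an AppArmor profile named libvirt-<domain uuid>, and a path that profile does not allow fails for root as well. Such denials are logged by the kernel as audit lines containing apparmor="DENIED". The script below parses those lines out of dmesg output (the three sample lines are constructed for illustration; the profile name reuses the -uuid value from the poster's qemu command line, but the lines are not from the poster's machine), reports the denials that hit /dev/vfio, and with --live runs the equivalent checks on the real host. The function names, the sample lines and the --live flag are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the post. Separates "AppArmor denied it" from
# "the device node's mode denied it" for a root qemu that still gets EACCES.

# Constructed audit lines: one profile load (STATUS, must be ignored) and two
# denials from the per-domain profile, both with fsuid=0.
SAMPLE_AUDIT='[14172.530112] audit: type=1400 audit(1556144943.119:57): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libvirt-01bd2ed1-b465-4eba-b6e4-47c6ac8171c6" pid=4310 comm="apparmor_parser"
[14172.601003] audit: type=1400 audit(1556144943.120:58): apparmor="DENIED" operation="open" profile="libvirt-01bd2ed1-b465-4eba-b6e4-47c6ac8171c6" name="/dev/shm/pulse-shm-1234567890" pid=4321 comm="qemu-system-x86" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
[14172.601221] audit: type=1400 audit(1556144943.120:59): apparmor="DENIED" operation="open" profile="libvirt-01bd2ed1-b465-4eba-b6e4-47c6ac8171c6" name="/dev/vfio/1" pid=4321 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0'

# parse_apparmor_denials: read dmesg/audit text on stdin and print one
# tab-separated record per DENIED line: profile, path, requested_mask, fsuid.
# A denial with fsuid=0 is the proof that the block is MAC, not DAC.
parse_apparmor_denials() {
    awk '
        /apparmor="DENIED"/ {
            profile = ""; name = ""; mask = ""; fsuid = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue          # skip tokens such as audit(...):
                gsub(/"/, "", kv[2])
                if (kv[1] == "profile") profile = kv[2]
                else if (kv[1] == "name") name = kv[2]
                else if (kv[1] == "requested_mask") mask = kv[2]
                else if (kv[1] == "fsuid") fsuid = kv[2]
            }
            print profile "\t" name "\t" mask "\t" fsuid
        }'
}

# count_vfio_denials: how many of those denials are on /dev/vfio/* nodes.
count_vfio_denials() {
    parse_apparmor_denials | awk -F'\t' '$2 ~ /^\/dev\/vfio\// { n++ } END { print n + 0 }'
}

# live_checks: what to run on the affected host. Every command tolerates the
# file or process being absent, so the script also runs on a box without VFIO.
live_checks() {
    echo "== DAC view of the VFIO nodes =="
    ls -l /dev/vfio 2>/dev/null || echo "/dev/vfio absent: vfio-pci not bound?"

    echo "== libvirt security driver (unset means the distro default) =="
    grep -E '^[[:space:]]*security_driver' /etc/libvirt/qemu.conf 2>/dev/null \
        || echo "security_driver not set in /etc/libvirt/qemu.conf"

    echo "== AppArmor label of running qemu processes =="
    for p in $(pidof qemu-system-x86_64 2>/dev/null); do
        printf '%s: ' "$p"; cat "/proc/$p/attr/current" 2>/dev/null || echo "?"
    done

    echo "== AppArmor denials in the kernel log =="
    dmesg 2>/dev/null | parse_apparmor_denials
}

# Default run: demonstrate the parser on the constructed sample.
# Run with --live on the affected host to inspect the real system instead.
if [ "${1:-}" = "--live" ]; then
    live_checks
else
    printf '%s\n' "$SAMPLE_AUDIT" | parse_apparmor_denials
    printf 'denials on /dev/vfio: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT" | count_vfio_denials)"
fi
```

If the live run shows the qemu process labelled libvirt-<uuid> (enforce) and a denial on /dev/vfio/1 with fsuid=0, the file modes in /dev/vfio and the user/group settings in qemu.conf are irrelevant: it is the per-domain AppArmor profile that has to permit the path. If instead the label reads unconfined and no denial is logged, the problem is back in DAC or cgroup territory and ls -l /dev/vfio plus the cgroup_device_acl list are the right things to compare against the working state.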
