Vm with hugepages enabled not starting with error, think apparmor denied is the cause

Just a little context. So trying to get balloon driver working in windows 11 and playing around. I may not have the correct settings and am on the wrong path so please be kind on that, still learning incus and pushing my knowledge. Originally I tried without hugepages but wasn’t seeing memory compaction etc. so thought I’d try adding hugepages. I get an instant error on launch of the vm. I do see the hugepages mount during boot debug. I think i probably don’t want ballooning and hugepages at the same time. I’ve also retest it with just hugepages.

I hit an oddity that I suspect shouldn’t be happening. Love for a second opinion as I’m not exactly sure how to debug on the OS itself.

Here is the relevant vm config:

  limits.memory: 12GB
  limits.memory.hugepages: 'true'

nb i use limits.memory.hotplug: 12GB for ballooning

Error i see in the web portal:

Instance start failed w11

Failed to run: forklimits limit=memlock:unlimited:unlimited fd=3 fd=4 -- /opt/incus/bin/qemu-system-x86_64 -S -name w11 -uuid 374d39ce-4d55-4287-ac34-537a13feccd6 -daemonize -cpu host,hv_passthrough,migratable=no,+invtsc -nographic -serial chardev:console -nodefaults -no-user-config -sandbox on,obsolete=deny,elevateprivileges=allow,spawn=allow,resourcecontrol=deny -readconfig /run/incus/w11/qemu.conf -spice unix=on,disable-ticketing=on,addr=/run/incus/w11/qemu.spice -pidfile /run/incus/w11/qemu.pid -D /var/log/incus/w11/qemu.log -smbios type=2,manufacturer=LinuxContainers,product=Incus -run-with user=incus: : exit status 1

and the debug log from when i clicked run instance:

[2026/01/18 16:11:06 GMT] kernel: audit: type=1700 audit(1768752666.166:392): dev=tapf60a1e0f prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
[2026/01/18 16:11:06 GMT] kernel: audit: type=1300 audit(1768752666.166:392): arch=c000003e syscall=44 success=yes exit=40 a0=1c a1=c000ed91a0 a2=28 a3=0 items=0 ppid=1 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="incusd" exe="/opt/incus/bin/incusd" subj=unconfined key=(null)
[2026/01/18 16:11:06 GMT] kernel: audit: type=1327 audit(1768752666.166:392): proctitle=696E63757364002D2D67726F757000696E6375732D61646D696E002D2D6C6F6766696C65002F7661722F6C6F672F696E6375732F696E637573642E6C6F67
[2026/01/18 16:11:06 GMT] kernel: audit: type=1400 audit(1768752666.228:393): apparmor="STATUS" operation="profile_load" profile="unconfined" name="incus-w11_</var/lib/incus>" pid=1417 comm="apparmor_parser"
[2026/01/18 16:11:06 GMT] kernel: audit: type=1300 audit(1768752666.228:393): arch=c000003e syscall=1 success=yes exit=312489 a0=6 a1=7f5a8c7b0010 a2=4c4a9 a3=0 items=0 ppid=1416 pid=1417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apparmor_parser" exe="/usr/sbin/apparmor_parser" subj=unconfined key=(null)
[2026/01/18 16:11:06 GMT] kernel: audit: type=1327 audit(1768752666.228:393): proctitle=61707061726D6F725F706172736572002D72574C002F7661722F6C69622F696E6375732F73656375726974792F61707061726D6F722F6361636865002F7661722F6C69622F696E6375732F73656375726974792F61707061726D6F722F70726F66696C65732F696E6375732D773131
[2026/01/18 16:11:06 GMT] kernel: audit: type=1400 audit(1768752666.251:394): apparmor="DENIED" operation="open" class="file" profile="incus-w11_</var/lib/incus>" name="/proc/1419/mountinfo" pid=1419 comm="incusd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2026/01/18 16:11:06 GMT] kernel: audit: type=1300 audit(1768752666.251:394): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7ffea0194c43 a2=80000 a3=0 items=0 ppid=1286 pid=1419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="incusd" exe="/opt/incus/bin/incusd" subj=incus-w11_</var/lib/incus> key=(null)
[2026/01/18 16:11:06 GMT] systemd: var-lib-incus-devices-w11-config.mount.mount: Deactivated successfully.
[2026/01/18 16:11:06 GMT] kernel: tapf60a1e0f: left allmulticast mode
[2026/01/18 16:11:06 GMT] kernel: tapf60a1e0f: left promiscuous mode
[2026/01/18 16:11:06 GMT] kernel: incusbr0: port 1(tapf60a1e0f) entered disabled state
[2026/01/18 16:11:06 GMT] systemd-networkd: tapf60a1e0f: Link UP
[2026/01/18 16:11:06 GMT] systemd-networkd: tapf60a1e0f: Link DOWN
[2026/01/18 16:11:06 GMT] systemd: var-lib-incus-storage\x2dpools-local-virtual\x2dmachines-w11.mount: Deactivated successfully.
[2026/01/18 16:11:06 GMT] 55-scsi-sg3_id.rules: WARNING: SCSI device zd32 has no device ID, consider changing .SCSI_ID_SERIAL_SRC in 00-scsi-sg3_config.rules

I was thinking specifically this from the above might be the cause of the failed launch:

[2026/01/18 16:11:06 GMT] kernel: audit: type=1400 audit(1768752666.251:394): apparmor="DENIED" operation="open" class="file" profile="incus-w11_</var/lib/incus>" name="/proc/1419/mountinfo" pid=1419 comm="incusd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Am I misunderstanding something? With hugepages turned off, vm works fine. Hugepages should have worked is what I’m thinking. Is it something on my system (small cheap n100), can someone confirm hugepages works on their incus os?

Can you show the output of incus info --show-log w11?

sure here is the output:

Name: w11
Description:
Status: STOPPED
Type: virtual-machine
Architecture: x86_64
Created: 2026/01/18 00:14 GMT
Last Used: 2026/01/18 19:03 GMT

Snapshots:
+------+----------------------+------------+----------+
| Name |       Taken at       | Expires at | Stateful |
+------+----------------------+------------+----------+
| test | 2026/01/18 19:39 GMT |            | NO       |
+------+----------------------+------------+----------+

Log:

qemu-system-x86_64: unable to map backing store for guest RAM: Cannot allocate memory

and just for clarity, here is the systemd log messages that huge pages got loaded I think on my machine:

[2026/01/18 16:10:08 GMT] systemd: Mounting dev-hugepages.mount - Huge Pages File System...
[2026/01/18 16:10:08 GMT] systemd: Mounted dev-hugepages.mount - Huge Pages File System.

i figured out how to get the memory hotplugging and memory ballooning working. I’m now curious how to use them and when to use them.

so the hugepages are not something I need for what i’m doing currently. happy to help if you think this is something that needs looking into.

thanks

Can you also show incus info --resources?

sure thing:

System:
  UUID: 03000200-0400-0500-0006-000700080009
  Vendor: AZW
  Product: EQ
  Family: Default string
  Version: Default string
  SKU: Default string
  Serial: Default string
  Type: physical
  Chassis:
      Vendor: Default string
      Type: Desktop
      Version: Default string
      Serial: Default string
  Motherboard:
      Vendor: AZW
      Product: EQ
      Serial: Default string
      Version: Default string
  Firmware:
      Vendor: American Megatrends International, LLC.
      Version: N95V104
      Date: 03/17/2023

Load:
  Processes: 211
  Average: 0.00 0.00 0.00

CPU:
  Architecture: x86_64
  Vendor: GenuineIntel
  Name: Intel(R) N100
  Caches:
    - Level 1 (type: Data): 32KiB
    - Level 1 (type: Instruction): 64KiB
    - Level 2 (type: Unified): 2MiB
    - Level 3 (type: Unified): 6MiB
  Cores:
    - Core 0
      Frequency: 700Mhz
      Threads:
        - 0 (id: 0, online: true, NUMA node: 0)
    - Core 1
      Frequency: 1300Mhz
      Threads:
        - 0 (id: 1, online: true, NUMA node: 0)
    - Core 2
      Frequency: 1299Mhz
      Threads:
        - 0 (id: 2, online: true, NUMA node: 0)
    - Core 3
      Frequency: 1345Mhz
      Threads:
        - 0 (id: 3, online: true, NUMA node: 0)
  Frequency: 1161Mhz (min: 700Mhz, max: 3400Mhz)

Memory:
  Free: 14.81GiB
  Used: 1.06GiB
  Total: 15.88GiB

GPU:
  NUMA node: 0
  Vendor: Intel Corporation (8086)
  Product: Alder Lake-N [UHD Graphics] (46d1)
  PCI address: 0000:00:02.0
  Driver: i915 (6.18.5-zabbly+)
  DRM:
    ID: 0
    Card: card0 (226:0)
    Control: controlD64 (226:0)
    Render: renderD128 (226:128)
  SR-IOV information:
    Current number of VFs: 0
    Maximum number of VFs: 7

NICs:
  Card 0:
    NUMA node: 0
    Vendor: Intel Corporation (8086)
    Product: Ethernet Controller I225-V (15f3)
    PCI address: 0000:01:00.0
    Driver: igc (6.18.5-zabbly+)
    Ports:
      - Port 0 (ethernet)
        ID: _p7c8334b9b553
        Address: 7c:83:34:b9:b5:53
        Supported modes: 10baseT/Half, 10baseT/Full, 100baseT/Half, 100baseT/Full, 1000baseT/Full, 2500baseT/Full
        Supported ports: twisted pair
        Port type: twisted pair
        Transceiver type: internal
        Auto negotiation: true
        Link detected: true
        Link speed: 2500Mbit/s (full duplex)
  Card 1:
    NUMA node: 0
    Vendor: Intel Corporation (8086)
    Product: Ethernet Controller I225-V (15f3)
    PCI address: 0000:02:00.0
    Driver: igc (6.18.5-zabbly+)
    Ports:
      - Port 0 (ethernet)
        ID: _p7c8334b9b554
        Address: 7c:83:34:b9:b5:54
        Supported modes: 10baseT/Half, 10baseT/Full, 100baseT/Half, 100baseT/Full, 1000baseT/Full, 2500baseT/Full
        Supported ports: twisted pair
        Port type: twisted pair
        Transceiver type: internal
        Auto negotiation: true
        Link detected: false
  Card 2:
    NUMA node: 0
    Vendor: Intel Corporation (8086)
    Product: CNVi: Wi-Fi (54f0)
    PCI address: 0000:00:14.3

Disks:
  Disk 0:
    NUMA node: 0
    ID: nvme0n1
    Device: 259:0
    Model: 512GB SSD
    Type: nvme
    Size: 476.94GiB
    WWN: nvme.1e4b-434e313333424833303130333138-353132474220535344-00000001
    Read-Only: false
    Removable: false
    Partitions:
      - Partition 1
        ID: nvme0n1p1
        Device: 259:1
        Read-Only: false
        Size: 2.00GiB
      - Partition 10
        ID: nvme0n1p10
        Device: 259:10
        Read-Only: false
        Size: 25.00GiB
      - Partition 11
        ID: nvme0n1p11
        Device: 259:11
        Read-Only: false
        Size: 443.64GiB
      - Partition 2
        ID: nvme0n1p2
        Device: 259:2
        Read-Only: false
        Size: 100.00MiB
      - Partition 3
        ID: nvme0n1p3
        Device: 259:3
        Read-Only: false
        Size: 16.00KiB
      - Partition 4
        ID: nvme0n1p4
        Device: 259:4
        Read-Only: false
        Size: 100.00MiB
      - Partition 5
        ID: nvme0n1p5
        Device: 259:5
        Read-Only: false
        Size: 1.00GiB
      - Partition 6
        ID: nvme0n1p6
        Device: 259:6
        Read-Only: false
        Size: 16.00KiB
      - Partition 7
        ID: nvme0n1p7
        Device: 259:7
        Read-Only: false
        Size: 100.00MiB
      - Partition 8
        ID: nvme0n1p8
        Device: 259:8
        Read-Only: false
        Size: 1.00GiB
      - Partition 9
        ID: nvme0n1p9
        Device: 259:9
        Read-Only: false
        Size: 4.00GiB
  Disk 1:
    NUMA node: 0
    ID: sda
    Device: 8:0
    Model: SAMSUNG MZ7LN256
    Type: scsi
    Size: 238.47GiB
    Read-Only: false
    Removable: false
    Partitions:
      - Partition 1
        ID: sda1
        Device: 8:1
        Read-Only: false
        Size: 238.47GiB
      - Partition 9
        ID: sda9
        Device: 8:9
        Read-Only: false
        Size: 8.00MiB

USB device:
  Vendor: Intel Corp.
  Vendor ID: 8087
  Product: AX201 Bluetooth
  Product ID: 0026
  Bus Address: 1
  Device Address: 2

PCI devices:
  Device 0:
    Address: 0000:00:00.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N Processor Host Bridge/DRAM Registers
    Product ID: 461c
    NUMA node: 0
    IOMMU group: 1
    Driver: igen6_edac
  Device 1:
    Address: 0000:00:02.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N [UHD Graphics]
    Product ID: 46d1
    NUMA node: 0
    IOMMU group: 0
    Driver: i915
  Device 2:
    Address: 0000:00:14.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N PCH USB 3.2 xHCI Host Controller
    Product ID: 54ed
    NUMA node: 0
    IOMMU group: 2
    Driver: xhci_hcd
  Device 3:
    Address: 0000:00:14.2
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N PCH Shared SRAM
    Product ID: 54ef
    NUMA node: 0
    IOMMU group: 2
    Driver:
  Device 4:
    Address: 0000:00:14.3
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: CNVi: Wi-Fi
    Product ID: 54f0
    NUMA node: 0
    IOMMU group: 3
    Driver:
  Device 5:
    Address: 0000:00:15.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product:
    Product ID: 54e8
    NUMA node: 0
    IOMMU group: 4
    Driver: intel-lpss
  Device 6:
    Address: 0000:00:15.1
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product:
    Product ID: 54e9
    NUMA node: 0
    IOMMU group: 4
    Driver: intel-lpss
  Device 7:
    Address: 0000:00:16.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N PCH HECI Controller
    Product ID: 54e0
    NUMA node: 0
    IOMMU group: 5
    Driver: mei_me
  Device 8:
    Address: 0000:00:17.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N SATA AHCI Controller
    Product ID: 54d3
    NUMA node: 0
    IOMMU group: 6
    Driver: ahci
  Device 9:
    Address: 0000:00:1c.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N PCI Express Root Port #7
    Product ID: 54be
    NUMA node: 0
    IOMMU group: 7
    Driver: pcieport
  Device 10:
    Address: 0000:00:1d.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N PCI Express Root Port #9
    Product ID: 54b0
    NUMA node: 0
    IOMMU group: 8
    Driver: pcieport
  Device 11:
    Address: 0000:00:1d.2
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N PCI Express Root Port #11
    Product ID: 54b2
    NUMA node: 0
    IOMMU group: 9
    Driver: pcieport
  Device 12:
    Address: 0000:00:1e.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N Serial IO UART Host Controller
    Product ID: 54a8
    NUMA node: 0
    IOMMU group: 10
    Driver: intel-lpss
  Device 13:
    Address: 0000:00:1e.3
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product:
    Product ID: 54ab
    NUMA node: 0
    IOMMU group: 10
    Driver: intel-lpss
  Device 14:
    Address: 0000:00:1f.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N PCH eSPI Controller
    Product ID: 5481
    NUMA node: 0
    IOMMU group: 11
    Driver:
  Device 15:
    Address: 0000:00:1f.3
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N PCH High Definition Audio Controller
    Product ID: 54c8
    NUMA node: 0
    IOMMU group: 11
    Driver: snd_hda_intel
  Device 16:
    Address: 0000:00:1f.4
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N SMBus
    Product ID: 54a3
    NUMA node: 0
    IOMMU group: 11
    Driver: i801_smbus
  Device 17:
    Address: 0000:00:1f.5
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Alder Lake-N SPI (flash) Controller
    Product ID: 54a4
    NUMA node: 0
    IOMMU group: 11
    Driver: intel-spi
  Device 18:
    Address: 0000:01:00.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Ethernet Controller I225-V
    Product ID: 15f3
    NUMA node: 0
    IOMMU group: 12
    Driver: igc
  Device 19:
    Address: 0000:02:00.0
    Vendor: Intel Corporation
    Vendor ID: 8086
    Product: Ethernet Controller I225-V
    Product ID: 15f3
    NUMA node: 0
    IOMMU group: 13
    Driver: igc
  Device 20:
    Address: 0000:03:00.0
    Vendor: MAXIO Technology (Hangzhou) Ltd.
    Vendor ID: 1e4b
    Product: NVMe SSD Controller MAP1202 (DRAM-less)
    Product ID: 1202
    NUMA node: 0
    IOMMU group: 14
    Driver: nvme

You don’t appear to have hugepages configured on that system or it would have showed up under the Memory section.

Did you bump /proc/sys/vm/nr_hugepages to actually allocate some huge pages on your system?

I’m probably missing how to do that on IncusOS if it is possible. My understanding is that that part might not be accessible? Did have looking at the docs after you mentioned it but I think this is where my understanding is struggling a little. I don’t quite see how to access the proc filesystem. I’m not quite finding anything in the cli or api that fits the bill. Could you please point me in the right direction?

Ah oops, I missed that this was in the IncusOS category

It’s not possible yet but would be quite easy to add to the kernel settings we’ve recently introduced.

Please file a feature request at https://github.com/lxc/incus-os/issues/new and it should be pretty easy for us to add.

Stéphane

Brill thank you. Created Add to the kernel settings ability to configure hugepages · Issue #826 · lxc/incus-os · GitHub

Let me know if I goofed up the issue in anyway and I’ll correct it.