Thanks! I applied the patch, and now it works also inside the docker container, for all architectures (i386, x86_64, arm, aarch64) for which I have test cases at hand. Indeed, since the container is configured by a public cloud service, there is no possibility to change any security settings. Disabling mbind unless explicitly requested seems to be the best way to go here.

On 30.04.20 19:42, Philippe Mathieu-Daudé wrote:
> Typo "empty" in patch subject.
>
> On 4/30/20 5:46 PM, Igor Mammedov wrote:
>> Since 5.0 QEMU uses hostmem backend for allocating main guest RAM.
>> The backend however calls mbind() which is typically NOP
>> in case of default policy/absent host-nodes bitmap.
>> However when running in container with black-listed mbind()
>> syscall, QEMU fails to start with error
>>   "cannot bind memory to host NUMA nodes: Operation not permitted"
>> even when user hasn't provided host-nodes to pin to explicitly
>> (which is the case with -m option)
>>
>> To fix issue, call mbind() only in case when user has provided
>> host-nodes explicitly (i.e. host_nodes bitmap is not empty).
>> That should allow to run QEMU in containers with black-listed
>> mbind() without memory pinning. If QEMU provided memory-pinning
>> is required user still has to white-list mbind() in container
>> configuration.
>>
>> Reported-by: Manuel Hohmann
>> Signed-off-by: Igor Mammedov
>> ---
>> CC: berrange@redhat.com
>> CC: ehabkost@redhat.com
>> CC: pbonzini@redhat.com
>> CC: mhohmann@physnet.uni-hamburg.de
>> CC: qemu-stable@nongnu.org
>> ---
>>   backends/hostmem.c | 6 ++++--
>>   1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/backends/hostmem.c b/backends/hostmem.c
>> index 327f9eebc3..0efd7b7bd6 100644
>> --- a/backends/hostmem.c
>> +++ b/backends/hostmem.c
>> @@ -383,8 +383,10 @@ host_memory_backend_memory_complete(UserCreatable *uc, Error **errp) >>           assert(sizeof(backend->host_nodes) >= >>                  BITS_TO_LONGS(MAX_NODES + 1) * sizeof(unsigned long)); >>           assert(maxnode <= MAX_NODES); >> -        if (mbind(ptr, sz, backend->policy, >> -                  maxnode ? backend->host_nodes : NULL, maxnode + 1, flags)) { >> + >> +        if (maxnode && >> +            mbind(ptr, sz, backend->policy, backend->host_nodes, maxnode + 1, >> +                  flags)) { >>               if (backend->policy != MPOL_DEFAULT || errno != ENOSYS) { >>                   error_setg_errno(errp, errno, >>                                    "cannot bind memory to host NUMA nodes"); >> >
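Review bot: the new `if (maxnode && mbind(...))` condition carries no comment explaining why mbind() is skipped when maxnode is 0; the reason (containers that block the syscall) is recorded only in the commit message, so a short comment above the condition would keep a later cleanup from restoring the unconditional call. Separately, the old call passed `maxnode ? backend->host_nodes : NULL`, so a non-default `backend->policy` with an empty host_nodes bitmap still reached mbind() and could fail loudly; with the new short-circuit that combination is skipped without any error. If nothing earlier in host_memory_backend_memory_complete() rejects it, add an explicit check here, and if something does, say so in the comment. The retained inner test `backend->policy != MPOL_DEFAULT || errno != ENOSYS` is also worth a second look, since it was written for the path where mbind() ran with a NULL nodemask and that path no longer exists.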