On Fri, 2014-03-28 at 16:20 -0500, Christy Perez wrote:
selinux has a special boolean to make it easier for disk images
to be stored on a remote NFS server. Set this to true when a user
adds an NFS storage pool.
Most virtualization documentation recommends that this be set
to true. For example:
http://www.ovirt.org/Troubleshooting_NFS_Storage_Issues
http://fedoraproject.org/wiki/How_to_debug_Virtualization_problems
This will leave it set to true, even if
the user removes NFS storage pools. It is not a security risk, and
we should not set it to False in case it had already been set by the
user for another non-kimchi use.
Signed-off-by: Christy Perez <christy(a)linux.vnet.ibm.com>
---
src/kimchi/i18n.py | 2 ++
src/kimchi/model/storagepools.py | 5 +++++
2 files changed, 7 insertions(+)
diff --git a/src/kimchi/i18n.py b/src/kimchi/i18n.py
index d45f607..8ade7d7 100644
--- a/src/kimchi/i18n.py
+++ b/src/kimchi/i18n.py
@@ -144,6 +144,8 @@ messages = {
"KCHPOOL0034E": _("Unable to deactivate pool %(name)s as it is
associated with some templates"),
"KCHPOOL0035E": _("Unable to delete pool %(name)s as it is associated
with some templates"),
"KCHPOOL0036E": _("A volume group named '%(name)s' already
exists. Please, choose another name to create the logical pool."),
+ "KCHPOOL0037E": _("Unable to set selinux bool virt_use_nfs for NFS
pool usage. Depending on \
+ your NFS config, this may prevent the pool from being
used."),
IMO, this is too long. Why not only "Unable to set selinux bool
virt_use_nfs for NFS pool usage."?
"KCHVOL0001E": _("Storage volume %(name)s already exists"),
"KCHVOL0002E": _("Storage volume %(name)s does not exist in storage
pool %(pool)s"),
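Review bot: The new KCHPOOL0037E string is continued with a backslash inside the string literal ("Depending on \"), so any indentation in front of "your NFS config" on the following line becomes part of the message the user sees and of the msgid handed to translators. Close the literal at the end of the line and rely on adjacent string literals being concatenated, or shorten the text so it fits on one line. Because the text is user-facing, writing "SELinux boolean virt_use_nfs" in full would also read better than "selinux bool".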
diff --git a/src/kimchi/model/storagepools.py b/src/kimchi/model/storagepools.py
index 92b2496..d279ffa 100644
--- a/src/kimchi/model/storagepools.py
+++ b/src/kimchi/model/storagepools.py
@@ -126,6 +126,11 @@ class StoragePoolsModel(object):
kimchi_log.error("Problem creating Storage Pool: %s", e)
raise OperationFailed("KCHPOOL0007E",
{'name': name, 'err':
e.get_error_message()})
+ if params['type'] == 'netfs':
+ output, error, returncode = run_command(['setsebool', '-P',
+ 'virt_use_nfs=1'])
+ if error or returncode:
+ kimchi_log.error('KCHPOOL0037E')
Why only log the message? I think this should be exposed to the user.
return name
def _clean_scan(self, pool_name):
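Review bot: In the netfs branch, kimchi_log.error('KCHPOOL0037E') logs only the bare message key and discards both error and returncode, so the log gives no reason why setsebool failed. Include the stderr text and the return code in the log entry. The test "if error or returncode" also counts any stderr output as a failure even when returncode is 0; checking returncode alone is the more reliable condition. Since -P makes a persistent, host-wide policy change as a side effect of creating a pool, a short comment at the call stating that, and that the boolean is deliberately never reset (as the commit message explains), would help the next reader.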