On Wed, 4 Aug 2021, Sketch wrote:

> What doesn't work is live migration of running VMs between hosts running
> 4.4.7 (or 4.4.6 before I updated) when their disks are on ceph. It appears
> that vdsm attempts to launch the VM on the destination host, and it either
> fails to start or dies right after starting (not entirely clear from the
> logs). Then the running VM gets paused due to a storage error.

After further investigation, I've found the problem appears to be SELinux
related. Setting the systems to permissive mode allows VMs to be live
migrated. I tailed the audit logs on both hosts and found a couple of
denies which probably explains the lack of useful errors in the vdsm logs,
though I'm not sure how to fix the problem.

Source host:

type=AVC msg=audit(1628052789.412:3381): avc: denied { read } for pid=570656 comm="live_migration" name="6f82b02d-8c22-4d50-a30e-53511776354c" dev="ceph" ino=1099511715125 scontext=system_u:system_r:svirt_t:s0:c752,c884 tcontext=system_u:object_r:svirt_image_t:s0:c411,c583 tclass=file permissive=0

type=AVC msg=audit(1628052790.557:3382): avc: denied { read } for pid=570656 comm="worker" path="/rhev/data-center/mnt/10.1.88.75,10.1.88.76,10.1.88.77:_vmstore/e8ec5645-fc1b-4d64-a145-44aa8ac5ef48/images/eb15970b-7b94-4cce-ab44-50f57850aa7f/6f82b02d-8c22-4d50-a30e-53511776354c" dev="ceph" ino=1099511715125 scontext=system_u:system_r:svirt_t:s0:c752,c884 tcontext=system_u:object_r:svirt_image_t:s0:c411,c583 tclass=file permissive=0

# ls -lidZ /rhev/data-center/mnt/10.1.88.75,10.1.88.76,10.1.88.77:_vmstore/e8ec5645-fc1b-4d64-a145-44aa8ac5ef48/images/eb15970b-7b94-4cce-ab44-50f57850aa7f/6f82b02d-8c22-4d50-a30e-53511776354c
1099511715125 -rw-rw----. 1 vdsm kvm system_u:object_r:svirt_image_t:s0:c344,c764 52031193088 Aug 3 23:51 /rhev/data-center/mnt/10.1.88.75,10.1.88.76,10.1.88.77:_vmstore/e8ec5645-fc1b-4d64-a145-44aa8ac5ef48/images/eb15970b-7b94-4cce-ab44-50f57850aa7f/6f82b02d-8c22-4d50-a30e-53511776354c

Destination host:

type=AVC msg=audit(1628052787.312:1789): avc: denied { getattr } for pid=115062 comm="qemu-kvm" name="/" dev="ceph" ino=1099511636351 scontext=system_u:system_r:svirt_t:s0:c411,c583 tcontext=system_u:object_r:cephfs_t:s0 tclass=filesystem permissive=0

# ls -lidZ /rhev/data-center/mnt/10.1.88.75,10.1.88.76,10.1.88.77:_vmstore
1099511636351 drwxr-xr-x. 3 vdsm kvm unconfined_u:object_r:cephfs_t:s0 1 Aug 3 23:14 /rhev/data-center/mnt/10.1.88.75,10.1.88.76,10.1.88.77:_vmstore
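
A triage helper for the denials quoted above, added here as an example and not part of the original post: it parses each AVC record and separates MCS category mismatches (the subject's categories do not cover the target's) from denials where categories cannot be the cause, which points at type enforcement. The function names and the two-way classification are assumptions of this example; the sample input is the post's three records, each on a single line.

```python
import re

# Sample input: the three AVC records from the post, one record per line.
AUDIT_LOG = """\
type=AVC msg=audit(1628052789.412:3381): avc: denied { read } for pid=570656 comm="live_migration" name="6f82b02d-8c22-4d50-a30e-53511776354c" dev="ceph" ino=1099511715125 scontext=system_u:system_r:svirt_t:s0:c752,c884 tcontext=system_u:object_r:svirt_image_t:s0:c411,c583 tclass=file permissive=0
type=AVC msg=audit(1628052790.557:3382): avc: denied { read } for pid=570656 comm="worker" path="/rhev/data-center/mnt/10.1.88.75,10.1.88.76,10.1.88.77:_vmstore/e8ec5645-fc1b-4d64-a145-44aa8ac5ef48/images/eb15970b-7b94-4cce-ab44-50f57850aa7f/6f82b02d-8c22-4d50-a30e-53511776354c" dev="ceph" ino=1099511715125 scontext=system_u:system_r:svirt_t:s0:c752,c884 tcontext=system_u:object_r:svirt_image_t:s0:c411,c583 tclass=file permissive=0
type=AVC msg=audit(1628052787.312:1789): avc: denied { getattr } for pid=115062 comm="qemu-kvm" name="/" dev="ceph" ino=1099511636351 scontext=system_u:system_r:svirt_t:s0:c411,c583 tcontext=system_u:object_r:cephfs_t:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def parse_context(ctx):
    """Split user:role:type:level and return (type, set of MCS category numbers)."""
    _user, _role, typ, level = ctx.split(":", 3)
    low = level.split("-", 1)[0]            # current level when a range is given
    cats = set()
    if ":" in low:
        for part in low.split(":", 1)[1].split(","):
            if "." in part:                 # category range such as c0.c1023
                lo, hi = part.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.add(int(part[1:]))
    return typ, frozenset(cats)

def classify(line):
    """Return a dict describing one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, scats = parse_context(m["s"])
    ttype, tcats = parse_context(m["t"])
    # Heuristic: if the subject's categories do not include all of the
    # target's, the MCS constraint alone is enough to deny the access.
    cause = "mcs" if tcats and not scats >= tcats else "type"
    return {"perms": m["perms"].split(), "source": stype, "target": ttype,
            "tclass": m["cls"], "cause": cause,
            "scats": sorted(scats), "tcats": sorted(tcats)}

def triage(log):
    return [r for r in map(classify, log.splitlines()) if r]

if __name__ == "__main__":
    for rec in triage(AUDIT_LOG):
        print(rec["cause"], rec["source"], "->", rec["target"],
              rec["tclass"], rec["perms"], rec["scats"], rec["tcats"])
```

On these records the two source-host denials classify as MCS mismatches (c752,c884 against c411,c583, the pair the destination qemu-kvm process runs with), while the destination-host getattr on the cephfs_t filesystem carries no target categories and classifies as a type denial.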