I had added user = "root" because we use the import-to-ovirt.pl to move
VMs from our old virtual platform to ovirt.
My understanding was that was required for that to work.
Is that not true, or is the import script not worth the headaches caused?
[root@ovirt3 prod 4c4bfdf7-bc70-41b2-ab58-710ff8e850bf]# grep ^user /etc/libvirt/qemu.conf
user = "root"
I'm assuming that's what sets the qemu user.
When I first tried using that script without setting "user = root" it
didn't work.
On 5/20/16 1:16 PM, Nir Soffer wrote:
On Fri, May 20, 2016 at 10:41 PM, Bill James <bill.james(a)j2.com> wrote:
> attached output from one host. others look similar.
Your qemu runs as *root*:
root root root root qemu qemu qemu qemu /usr/libexec/qemu-kvm
Here is the output from normal installation:
qemu qemu qemu qemu qemu qemu qemu qemu /usr/libexec/qemu-kvm
I guess that gluster is configured with "option root-squashing on" so you
practically run as "nobody", and you are not in the kvm group.
Running qemu as root is also a security risk: if there is a security bug in qemu,
a vm can use it to compromise your host or other vms.
Maybe you can configure gluster to treat root as vdsm using
option translate-uid 0=36
See
http://www.gluster.org/community/documentation/index.php/Translators/feat...
But a better solution is to run qemu as qemu.
Adding Sahina to advise about gluster configuration.
Nir
>
>
>
> On 5/20/16 11:47 AM, Nir Soffer wrote:
>
> On Fri, May 20, 2016 at 9:25 PM, Bill James <bill.james(a)j2.com> wrote:
>> yes
>>
>> [root@ovirt2 prod .shard]# sestatus
>> SELinux status: disabled
>>
>> [root@ovirt3 prod ~]# sestatus
>> SELinux status: disabled
>
> Can you share output of:
>
> ps -e -o euser,user,suser,fuser,egroup,rgroup,sgroup,fgroup,cmd | egrep 'qemu|libvirt'
> ps auxe | egrep 'qemu|libvirt'
>
>>
>>
>>
>>
>> On 5/20/16 11:13 AM, Nir Soffer wrote:
>>
>> On Fri, May 20, 2016 at 9:02 PM, Bill James <bill.james(a)j2.com> wrote:
>>> [root@ovirt1 prod ~]# sestatus
>>> SELinux status: disabled
>>
>> Same on ovirt2?
>>
>>>
>>>
>>>
>>>
>>> On 5/20/16 10:49 AM, Nir Soffer wrote:
>>>
>>> This smells like selinux issues, did you try with permissive mode?
>>>
>>> On May 20, 2016 at 7:59 PM, "Bill James" <bill.james(a)j2.com> wrote:
>>>> Nobody has any ideas or thoughts on how to troubleshoot?
>>>>
>>>> why does qemu group work but not kvm when qemu is part of kvm group?
>>>>
>>>> [root@ovirt1 prod vdsm]# grep qemu /etc/group
>>>> cdrom:x:11:qemu
>>>> kvm:x:36:qemu,sanlock
>>>> qemu:x:107:vdsm,sanlock
>>>>
>>>>
>>>> On 5/18/16 3:47 PM, Bill James wrote:
>>>>> another data point.
>>>>> Changing just owner to qemu doesn't help.
>>>>> Changing just group to qemu does. VM starts fine after that.
>>>>>
>>>>>
>>>>>
>>>>> On 05/18/2016 11:49 AM, Bill James wrote:
>>>>>> Some added info. This issue seems to be just like this bug:
>>>>>>
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1052114
>>>>>>
>>>>>> I have verified that chown qemu:qemu of disk image also fixes the startup issue.
>>>>>> I'm using raw, not qcow images.
>>>>>>
>>>>>>
>>>>>> [root@ovirt2 prod a7af2477-4a19-4f01-9de1-c939c99e53ad]# qemu-img info 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>> image: 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>> file format: raw
>>>>>> virtual size: 20G (21474836480 bytes)
>>>>>> disk size: 1.9G
>>>>>> [root@ovirt2 prod a7af2477-4a19-4f01-9de1-c939c99e53ad]# ls -l 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>> -rw-rw---- 1 qemu qemu 21474836480 May 18 11:38 253f9615-f111-45ca-bdce-cbc9e70406df
>>>>>>
>>>>>> (default perms = vdsm:kvm)
>>>>>>
>>>>>> qemu-img-ev-2.3.0-31.el7_2.4.1.x86_64
>>>>>> qemu-kvm-ev-2.3.0-31.el7_2.4.1.x86_64
>>>>>> libvirt-daemon-1.2.17-13.el7_2.4.x86_64
>>>>>>
>>>>>>
>>>>>> Ideas??
>>>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>>> This email, its contents and attachments contain information from j2 Global,
Inc. and/or its affiliates which may be privileged, confidential or otherwise protected
from disclosure. The information is intended to be for the addressee(s) only. If you are
not an addressee, any disclosure, copy, distribution, or use of the contents of this
message is prohibited. If you have received this email in error please notify the sender
by reply e-mail and delete the original message and any copies. © 2015 j2 Global, Inc. All
rights reserved. eFax ®, eVoice ®, Campaigner ®, FuseMail ®, KeepItSafe ® and Onebox ® are
registered trademarks of j2 Global, Inc. and its affiliates.
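
The check discussed in this thread (the credentials qemu-kvm actually runs with, next to the user setting in /etc/libvirt/qemu.conf), as an added example that is not part of the original messages. The sample ps lines, the sample qemu.conf text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag qemu-kvm processes running as root and report the
# user configured in qemu.conf. All sample data below is constructed.

# Column layout from the thread's ps command:
# euser,user,suser,fuser,egroup,rgroup,sgroup,fgroup,cmd
SAMPLE_PS='root root root root qemu qemu qemu qemu /usr/libexec/qemu-kvm -name vm-a
qemu qemu qemu qemu qemu qemu qemu qemu /usr/libexec/qemu-kvm -name vm-b
root root root root root root root root /usr/sbin/libvirtd --listen'

# Constructed qemu.conf content with one commented-out and one active setting.
SAMPLE_CONF='#user = "qemu"
user = "root"
group = "qemu"'

# Read qemu.conf text on stdin and print the active "user" value.
# Commented-out lines are ignored, the last active assignment wins,
# and nothing is printed when no user is set.
conf_qemu_user() {
    awk -F'"' '/^[[:space:]]*user[[:space:]]*=/ { u = $2 }
               END { if (u != "") print u }'
}

# Read ps output (layout above) on stdin and print one line for each
# qemu-kvm process whose effective user is root. libvirtd is skipped
# because it is expected to run as root.
root_qemu_procs() {
    awk '$9 ~ /qemu-kvm$/ && ($1 == "root" || $1 == "0") {
             print "euser=" $1 " egroup=" $5 " cmd=" $9
         }'
}

echo "qemu.conf user: $(printf '%s\n' "$SAMPLE_CONF" | conf_qemu_user)"
printf '%s\n' "$SAMPLE_PS" | root_qemu_procs
```

On a host, pipe the thread's ps command into root_qemu_procs and feed /etc/libvirt/qemu.conf to conf_qemu_user instead of the samples.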