On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: "Dan Kenigsberg" <danken@redhat.com> Cc: "Haim Ateya" <hateya@redhat.com>, users@ovirt.org, "Federico Simoncelli" <fsimonce@redhat.com> Sent: Sunday, October 14, 2012 7:23:36 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
2012/10/13 Dan Kenigsberg < danken@redhat.com >
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
vdsm-4.10.0-10.fc17
on /etc/sysconfig/selinux SELINUX=enforcing SELINUXTYPE=targeted
As far as I understand the selinux policies for the ovirt-node are set by recipe/common-post.ks (in the ovirt-node repo):
semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage allow_execstack=0 virt_use_nfs=1 EOF_semanage
We should update it with what vdsm is currently setting:
virt_use_sanlock=1 sanlock_use_nfs=1
Shouldn't vdsm be setting these if they're needed?
It should - I'd like to know which vdsm version was it, and why this was skipped.
I can certainly set the values, but IMO, if vdsm needs it, vdsm should set it.
virt_use_nfs=1 made it into the node. Maybe there was a good reason for it that applies to virt_use_sanlock as well. (I really hate to persist the policy files, and dislike the idea of setting virt_use_sanlock every time vdsmd starts - it's slooooow).