On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
> ----- Original Message -----
> > From: "Alexandre Santos" <santosam72(a)gmail.com>
> > To: "Dan Kenigsberg" <danken(a)redhat.com>
> > Cc: "Haim Ateya" <hateya(a)redhat.com>, users(a)ovirt.org,
"Federico Simoncelli" <fsimonce(a)redhat.com>
> > Sent: Sunday, October 14, 2012 7:23:36 PM
> > Subject: Re: [Users] Can't start a VM - sanlock permission denied
> >
> > 2012/10/13 Dan Kenigsberg < danken(a)redhat.com >
> >
> > On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
> > > Hi,
> > > after getting to the oVirt Node console (F2) I figured out that
> > > selinux
> > > wasn't allowing the sanlock, so I entered the setsebool
> > > virt_use_sanlock 1
> > > and the problem is fixed.
> >
> > Which version of vdsm is istalled on your node? and which
> > selinux-policy? sanlock should work out-of-the-box.
> >
> >
> > vdsm-4.10.0-10.fc17
> >
> > on /etc/sysconfig/selinux
> > SELINUX=enforcing
> > SELINUXTYPE=targeted
>
> As far as I understand the selinux policies for the ovirt-node are set
> by recipe/common-post.ks (in the ovirt-node repo):
>
> semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage
> allow_execstack=0
> virt_use_nfs=1
> EOF_semanage
>
> We should update it with what vdsm is currently setting:
>
> virt_use_sanlock=1
> sanlock_use_nfs=1
>
Shouldn't vdsm be setting these if they're needed?
It should - I'd like to know which vdsm version was it, and why this was
skipped.
I can certainly set
the values, but IMO, if vdsm needs it, vdsm should set it.
virt_use_nfs=1 made it into the node. Maybe there was a good reason for
it that applies to virt_use_sanlock as well. (I really hate to persist
the policy files, and dislike the idea of setting virt_use_sanlock every
time vdsmd starts - it's slooooow).