11:34 p.m.
I get the following AVC msg when trying to run a VM from the ovirt admin tool:
type=AVC msg=audit(1351051834.851:720): avc: denied { read } for pid=979
comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f"
dev="dm-4" ino=3145737 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
The file it is attempting to read I believe (from the sanlock.log file) is the following:
# ls -lZ
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
-rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
I'm no SELinux policy expert, so I 'm not sure what is exactly wrong. The
situation is that the VM image file is stored on an NFS file server (in this case,
configured using NFSv3). Both the client and the server are fc17. The error occurs when
trying to start the VM. The version of oVirt I am using is a recent nightly build
(ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be making a wild guess
that the sanlock process doesn't have rights to open some nfs resources but I'm
way over the end of my skis.
Brian
1:07 a.m.
----- Original Message -----
From: "Brian Vetter" <bjvetter(a)gmail.com>
To: selinux(a)lists.fedoraproject.org
Cc: users(a)ovirt.org
Sent: Wednesday, October 24, 2012 6:34:07 AM
Subject: [Users] SELinux policy issue with oVirt/sanlock
I get the following AVC msg when trying to run a VM from the ovirt
admin tool:
type=AVC msg=audit(1351051834.851:720): avc: denied { read } for
pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f"
dev="dm-4" ino=3145737
scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
The file it is attempting to read I believe (from the sanlock.log
file) is the following:
# ls -lZ
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
-rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
Hi Brian,
please run the following commands and paste your output:
getsetbool -a | grep sanlock
cat /etc/libvirt/qemu.conf
I'm no SELinux policy expert, so I 'm not sure what is exactly wrong.
The situation is that the VM image file is stored on an NFS file
server (in this case, configured using NFSv3). Both the client and
the server are fc17. The error occurs when trying to start the VM.
The version of oVirt I am using is a recent nightly build
(ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be making
a wild guess that the sanlock process doesn't have rights to open
some nfs resources but I'm way over the end of my skis.
Brian
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
9:11 a.m.
Here you go....
# getsebool -a | grep sanlock
sanlock_use_fusefs --> off
sanlock_use_nfs --> on
sanlock_use_samba --> off
virt_use_sanlock --> on
# grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
dynamic_ownership=0
spice_tls=1
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
lock_manager="sanlock"
On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
Hi Brian,
please run the following commands and paste your output:
getsetbool -a | grep sanlock
cat /etc/libvirt/qemu.conf
----- Original Message -----
> From: "Brian Vetter" <bjvetter(a)gmail.com>
> To: selinux(a)lists.fedoraproject.org
> Cc: users(a)ovirt.org
> Sent: Wednesday, October 24, 2012 6:34:07 AM
> Subject: [Users] SELinux policy issue with oVirt/sanlock
>
> I get the following AVC msg when trying to run a VM from the ovirt
> admin tool:
>
> type=AVC msg=audit(1351051834.851:720): avc: denied { read } for
> pid=979 comm="sanlock"
name="8798edc0-dbd2-466d-8be9-1997f63e196f"
> dev="dm-4" ino=3145737
> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
>
> The file it is attempting to read I believe (from the sanlock.log
> file) is the following:
>
> # ls -lZ
>
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
> -rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
>
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>
> I'm no SELinux policy expert, so I 'm not sure what is exactly wrong.
> The situation is that the VM image file is stored on an NFS file
> server (in this case, configured using NFSv3). Both the client and
> the server are fc17. The error occurs when trying to start the VM.
> The version of oVirt I am using is a recent nightly build
> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be making
> a wild guess that the sanlock process doesn't have rights to open
> some nfs resources but I'm way over the end of my skis.
>
> Brian
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
9:51 a.m.
----- Original Message -----
From: "Brian Vetter" <bjvetter(a)gmail.com>
To: "Haim Ateya" <hateya(a)redhat.com>
Cc: users(a)ovirt.org, selinux(a)lists.fedoraproject.org
Sent: Wednesday, October 24, 2012 4:11:17 PM
Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
Here you go....
# getsebool -a | grep sanlock
sanlock_use_fusefs --> off
sanlock_use_nfs --> on
sanlock_use_samba --> off
virt_use_sanlock --> on
# grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
dynamic_ownership=0
spice_tls=1
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
lock_manager="sanlock"
this entry looks problematic to me (use sanlock as lock manager of the vms), please
comment this entry, restart libvirt and vdsm, and try again.
On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
> Hi Brian,
>
> please run the following commands and paste your output:
>
> getsetbool -a | grep sanlock
>
> cat /etc/libvirt/qemu.conf
>
>
> ----- Original Message -----
>> From: "Brian Vetter" <bjvetter(a)gmail.com>
>> To: selinux(a)lists.fedoraproject.org
>> Cc: users(a)ovirt.org
>> Sent: Wednesday, October 24, 2012 6:34:07 AM
>> Subject: [Users] SELinux policy issue with oVirt/sanlock
>>
>> I get the following AVC msg when trying to run a VM from the ovirt
>> admin tool:
>>
>> type=AVC msg=audit(1351051834.851:720): avc: denied { read } for
>> pid=979 comm="sanlock"
name="8798edc0-dbd2-466d-8be9-1997f63e196f"
>> dev="dm-4" ino=3145737
>> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
>>
>> The file it is attempting to read I believe (from the sanlock.log
>> file) is the following:
>>
>> # ls -lZ
>>
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>> -rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
>>
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>>
>> I'm no SELinux policy expert, so I 'm not sure what is exactly
>> wrong.
>> The situation is that the VM image file is stored on an NFS file
>> server (in this case, configured using NFSv3). Both the client and
>> the server are fc17. The error occurs when trying to start the VM.
>> The version of oVirt I am using is a recent nightly build
>> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be
>> making
>> a wild guess that the sanlock process doesn't have rights to open
>> some nfs resources but I'm way over the end of my skis.
>>
>> Brian
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
11:24 a.m.
I removed lock_manager=sanlock from the settings file, restarted the daemons, and all
works fine right now. I'm guessing that means there is no locking of the VMs (the
default?).
In any case, the setting of the lock_manager to sanlock was not done by myself but
presumably via the host/vdsm installation on my fc17 host. So if that is the desired
setting, then there appears to be an issue with selinux policies, nfs storage for VMs, and
sanlock that still needs to be resolved in the nightly builds.
Brian
On Oct 24, 2012, at 9:51 AM, Haim Ateya wrote:
----- Original Message -----
> From: "Brian Vetter" <bjvetter(a)gmail.com>
> To: "Haim Ateya" <hateya(a)redhat.com>
> Cc: users(a)ovirt.org, selinux(a)lists.fedoraproject.org
> Sent: Wednesday, October 24, 2012 4:11:17 PM
> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
>
> Here you go....
>
> # getsebool -a | grep sanlock
> sanlock_use_fusefs --> off
> sanlock_use_nfs --> on
> sanlock_use_samba --> off
> virt_use_sanlock --> on
>
>
> # grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
> dynamic_ownership=0
> spice_tls=1
> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
> lock_manager="sanlock"
this entry looks problematic to me (use sanlock as lock manager of the vms), please
comment this entry, restart libvirt and vdsm, and try again.
>
> On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
>
>> Hi Brian,
>>
>> please run the following commands and paste your output:
>>
>> getsetbool -a | grep sanlock
>>
>> cat /etc/libvirt/qemu.conf
>>
>>
>> ----- Original Message -----
>>> From: "Brian Vetter" <bjvetter(a)gmail.com>
>>> To: selinux(a)lists.fedoraproject.org
>>> Cc: users(a)ovirt.org
>>> Sent: Wednesday, October 24, 2012 6:34:07 AM
>>> Subject: [Users] SELinux policy issue with oVirt/sanlock
>>>
>>> I get the following AVC msg when trying to run a VM from the ovirt
>>> admin tool:
>>>
>>> type=AVC msg=audit(1351051834.851:720): avc: denied { read } for
>>> pid=979 comm="sanlock"
name="8798edc0-dbd2-466d-8be9-1997f63e196f"
>>> dev="dm-4" ino=3145737
>>> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
>>>
>>> The file it is attempting to read I believe (from the sanlock.log
>>> file) is the following:
>>>
>>> # ls -lZ
>>>
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>>> -rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
>>>
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>>>
>>> I'm no SELinux policy expert, so I 'm not sure what is exactly
>>> wrong.
>>> The situation is that the VM image file is stored on an NFS file
>>> server (in this case, configured using NFSv3). Both the client and
>>> the server are fc17. The error occurs when trying to start the VM.
>>> The version of oVirt I am using is a recent nightly build
>>> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be
>>> making
>>> a wild guess that the sanlock process doesn't have rights to open
>>> some nfs resources but I'm way over the end of my skis.
>>>
>>> Brian
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users(a)ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>
>
12:03 p.m.
----- Original Message -----
From: "Brian Vetter" <bjvetter(a)gmail.com>
To: "Haim Ateya" <hateya(a)redhat.com>
Cc: users(a)ovirt.org, selinux(a)lists.fedoraproject.org
Sent: Wednesday, October 24, 2012 6:24:31 PM
Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
I removed lock_manager=sanlock from the settings file, restarted the
daemons, and all works fine right now. I'm guessing that means there
is no locking of the VMs (the default?).
that's right, i'm glad it works
for you, but it just a workaround since we expect this configuration to work, it would be
much appreciated if you
could open a bug on that issue so we can track and resolve when possible.
please attach all required logs such as: vdsm.log, libvirtd.log, qemu.log (under
/var/log/libvirt/qemu/), audit.log, sanlock.log and /var/log/messages.
thanks,
Haim
In any case, the setting of the lock_manager to sanlock was not done
by myself but presumably via the host/vdsm installation on my fc17
host. So if that is the desired setting, then there appears to be an
issue with selinux policies, nfs storage for VMs, and sanlock that
still needs to be resolved in the nightly builds.
Brian
On Oct 24, 2012, at 9:51 AM, Haim Ateya wrote:
> ----- Original Message -----
>> From: "Brian Vetter" <bjvetter(a)gmail.com>
>> To: "Haim Ateya" <hateya(a)redhat.com>
>> Cc: users(a)ovirt.org, selinux(a)lists.fedoraproject.org
>> Sent: Wednesday, October 24, 2012 4:11:17 PM
>> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
>>
>> Here you go....
>>
>> # getsebool -a | grep sanlock
>> sanlock_use_fusefs --> off
>> sanlock_use_nfs --> on
>> sanlock_use_samba --> off
>> virt_use_sanlock --> on
>>
>>
>> # grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
>> dynamic_ownership=0
>> spice_tls=1
>> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
>> lock_manager="sanlock"
>
> this entry looks problematic to me (use sanlock as lock manager of
> the vms), please comment this entry, restart libvirt and vdsm, and
> try again.
>
>>
>> On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
>>
>>> Hi Brian,
>>>
>>> please run the following commands and paste your output:
>>>
>>> getsetbool -a | grep sanlock
>>>
>>> cat /etc/libvirt/qemu.conf
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Brian Vetter" <bjvetter(a)gmail.com>
>>>> To: selinux(a)lists.fedoraproject.org
>>>> Cc: users(a)ovirt.org
>>>> Sent: Wednesday, October 24, 2012 6:34:07 AM
>>>> Subject: [Users] SELinux policy issue with oVirt/sanlock
>>>>
>>>> I get the following AVC msg when trying to run a VM from the
>>>> ovirt
>>>> admin tool:
>>>>
>>>> type=AVC msg=audit(1351051834.851:720): avc: denied { read }
>>>> for
>>>> pid=979 comm="sanlock"
>>>> name="8798edc0-dbd2-466d-8be9-1997f63e196f"
>>>> dev="dm-4" ino=3145737
>>>> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
>>>>
>>>> The file it is attempting to read I believe (from the
>>>> sanlock.log
>>>> file) is the following:
>>>>
>>>> # ls -lZ
>>>>
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>>>> -rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0
>>>>
/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
>>>>
>>>> I'm no SELinux policy expert, so I 'm not sure what is exactly
>>>> wrong.
>>>> The situation is that the VM image file is stored on an NFS file
>>>> server (in this case, configured using NFSv3). Both the client
>>>> and
>>>> the server are fc17. The error occurs when trying to start the
>>>> VM.
>>>> The version of oVirt I am using is a recent nightly build
>>>> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be
>>>> making
>>>> a wild guess that the sanlock process doesn't have rights to
>>>> open
>>>> some nfs resources but I'm way over the end of my skis.
>>>>
>>>> Brian
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>
>>
9:50 p.m.
----- Original Message -----
From: "Haim Ateya" <hateya(a)redhat.com>
To: "Brian Vetter" <bjvetter(a)gmail.com>
Cc: users(a)ovirt.org, selinux(a)lists.fedoraproject.org
Sent: Wednesday, October 24, 2012 7:03:39 PM
Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
----- Original Message -----
> From: "Brian Vetter" <bjvetter(a)gmail.com>
> To: "Haim Ateya" <hateya(a)redhat.com>
> Cc: users(a)ovirt.org, selinux(a)lists.fedoraproject.org
> Sent: Wednesday, October 24, 2012 6:24:31 PM
> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
>
> I removed lock_manager=sanlock from the settings file, restarted
> the
> daemons, and all works fine right now. I'm guessing that means
> there
> is no locking of the VMs (the default?).
that's right, i'm glad it works for you, but it just a workaround
since we expect this configuration to work, it would be much
appreciated if you
could open a bug on that issue so we can track and resolve when
possible.
please attach all required logs such as: vdsm.log, libvirtd.log,
qemu.log (under /var/log/libvirt/qemu/), audit.log, sanlock.log and
/var/log/messages.
What's the bug number? To clarify/recap:
- the lock_manager=sanlock configuration is correct (and it shouldn't
be removed)
- you should set setenforce 0 (with lock_manager=sanlock) and try to
start a VM; all the avc errors that you find in /var/log/messages
and in /var/log/audit/audit.log should be used to open a selinux
policy bug
--
Federico
4414
days inactive
4415
days old
6 comments
3 participants
participants (3)
-
Brian Vetter -
Federico Simoncelli -
Haim Ateya