oVirt 4.4 / CentOS 8 issue with NFS?

Greetings,

I'm trying to upgrade from 4.3 to 4.4. When trying to mount the original nfs items, I'm getting the following error:

    vdsm.storage.exception.StorageServerAccessPermissionError: Permission settings on the specified path do not allow access to the storage. Verify permission settings on the specified storage path.: 'path = /rhev/data-center/mnt/nfshost:nfs_path'

with the following stack trace:

    2020-10-08 19:00:17,961+0000 ERROR (jsonrpc/4) [storage.HSM] Could not connect to storageServer (hsm:2421)
    Traceback (most recent call last):
      File "/usr/lib/python3.6/site-packages/vdsm/storage/fileSD.py", line 82, in validateDirAccess
        getProcPool().fileUtils.validateAccess(dirPath)
      File "/usr/lib/python3.6/site-packages/vdsm/storage/outOfProcess.py", line 194, in validateAccess
        raise OSError(errno.EACCES, os.strerror(errno.EACCES))
    PermissionError: [Errno 13] Permission denied

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/lib/python3.6/site-packages/vdsm/storage/hsm.py", line 2418, in connectStorageServer
        conObj.connect()
      File "/usr/lib/python3.6/site-packages/vdsm/storage/storageServer.py", line 449, in connect
        return self._mountCon.connect()
      File "/usr/lib/python3.6/site-packages/vdsm/storage/storageServer.py", line 190, in connect
        six.reraise(t, v, tb)
      File "/usr/lib/python3.6/site-packages/six.py", line 703, in reraise
        raise value
      File "/usr/lib/python3.6/site-packages/vdsm/storage/storageServer.py", line 183, in connect
        self.getMountObj().getRecord().fs_file)
      File "/usr/lib/python3.6/site-packages/vdsm/storage/fileSD.py", line 93, in validateDirAccess
        raise se.StorageServerAccessPermissionError(dirPath)

Via an ls, it looks like there are the correct permissions:

    ls -alh
    total 0
    drwxr-xr-x. 1 vdsm kvm 100 Oct 8 19:15 .
    drwxr-xr-x. 4 vdsm kvm 115 Oct 8 19:02 ..
    drwxr-xr-x. 1 vdsm kvm 52 Oct 1 20:35 ffe7b7bb-a391-42a9-9bae-480807509778
    d---------. 1 vdsm kvm 22 Mar 17 2020 '#recycle'

But, I wrote a short script to check the individual permissions that are checked, and it thinks I can't write to the directory:

    We can Read From it: /rhev/data-center/mnt/nfshost:nfspath
    We can't write to it: /rhev/data-center/mnt/nfshost:nfspath
    We can execute to it: /rhev/data-center/mnt/nfshost:nfspath

This is doing a simple:

    import os

    # Mount point of the NFS storage domain under test
    path = "/rhev/data-center/mnt/nfshost:nfspath"

    print(os.stat(path))
    # os.access() answers for the real uid/gid of the calling process
    if os.access(path, os.F_OK):
        print("It Exists", path)
    else:
        print("It Doesn't Exist", path)
    if os.access(path, os.R_OK):
        print("We can Read From it: ", path)
    else:
        print("We can't Read from it: ", path)
    if os.access(path, os.W_OK):
        print("We can write to it: ", path)
    else:
        print("We can't write to it: ", path)
    if os.access(path, os.X_OK):
        print("We can execute to it: ", path)
    else:
        print("We can't execute to it: ", path)

I took these same checks over to the CentOS 7 host, and it passes the checks fine.

Does anyone have any ideas?

Thanks,
Lee

On Mon, Oct 12, 2020 at 6:03 PM <lee.hanel@gmail.com> wrote:
> via an ls, it looks like there are the correct permissions:
>
>     ls -alh
>     total 0
>     drwxr-xr-x. 1 vdsm kvm 100 Oct 8 19:15 .
>     drwxr-xr-x. 4 vdsm kvm 115 Oct 8 19:02 ..
>     drwxr-xr-x. 1 vdsm kvm 52 Oct 1 20:35 ffe7b7bb-a391-42a9-9bae-480807509778
>     d---------. 1 vdsm kvm 22 Mar 17 2020 '#recycle'

The permissions and ownership seem correct, make sure the rest is set as specified: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/htm...

In addition make sure you are exporting the shares with *(rw,sync,no_root_squash) for the relevant export paths on the NFS server side, and there is selinux context set for the shared folders:

    # ls -lhZ
    ...
    drwxr-xr-x. 2 vdsm kvm unconfined_u:object_r:default_t:s0 6 Jul 20 18:21 data

ok, I think that the selinux context might be wrong? but I saw nothing in the audit logs about it.

    drwxr-xr-x. 1 vdsm kvm system_u:object_r:nfs_t:s0 40 Oct 8 17:19 /data

I don't see in the ovirt docs what the selinux context needs to be. Is what you shared as an example the correct setting?

On Mon, Oct 12, 2020 at 7:47 PM <lee.hanel@gmail.com> wrote:
> ok, I think that the selinux context might be wrong? but I saw nothing in the audit logs about it.
>
>     drwxr-xr-x. 1 vdsm kvm system_u:object_r:nfs_t:s0 40 Oct 8 17:19 /data
>
> I don't see in the ovirt docs what the selinux context needs to be. Is what you shared as an example the correct setting?

It's taken from a working nfs setup, what is the /etc/exports (or equiv.) options settings on the server?

my /etc/exports looks like:

    (rw,async,no_wdelay,crossmnt,insecure,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)

also to note, as vdsm I can create files/directories on the share.

On Mon, Oct 12, 2020 at 12:34 PM Amit Bawer <abawer@redhat.com> wrote:
> It's taken from a working nfs setup, what is the /etc/exports (or equiv.) options settings on the server?

On Mon, Oct 12, 2020 at 9:12 PM Lee Hanel <lee.hanel@gmail.com> wrote:
> my /etc/exports looks like:
>
>     (rw,async,no_wdelay,crossmnt,insecure,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)

The anongid,anonuid options could be failing the qemu user access check. Is there a special need to have them for the nfs shares for ovirt?
I'd suggest to specify the exports for ovirt on their own

    /export/path1 *(rw,sync,no_root_suqash)
    /export/path2 *(rw,sync,no_root_suqash)
    ...

> also to note, as vdsm I can create files/directories on the share.

On Mon, Oct 12, 2020 at 9:33 PM Amit Bawer <abawer@redhat.com> wrote:
> The anongid,anonuid options could be failing the qemu user access check, Is there a special need to have them for the nfs shares for ovirt?
> I'd suggest to specify the exports for ovirt on their own
>
>     /export/path1 *(rw,sync,no_root_suqash)
>     /export/path2 *(rw,sync,no_root_suqash)

mind the typo "squash":

    /export/path2 *(rw,sync,no_root_squash)
    ...

I have seen a lot of users use anongid=36,anonuid=36,all_squash to force the vdsm:kvm ownership on the system.

Best Regards,
Strahil Nikolov
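A small linter for the export option strings discussed in this thread, added here as an illustration and not code from any participant or from oVirt/vdsm. The function names, the KNOWN subset of exports(5) option names and the /export/path3 entry are assumptions made for the example.

```python
import re

VDSM_UID = KVM_GID = 36  # ids behind the anonuid=36,anongid=36 suggestion above

# Subset of exports(5) option names; anything else is reported as a likely typo.
KNOWN = {"rw", "ro", "sync", "async", "wdelay", "no_wdelay", "root_squash",
         "no_root_squash", "all_squash", "no_all_squash", "anonuid", "anongid",
         "secure", "insecure", "insecure_locks", "secure_locks", "crossmnt",
         "nohide", "hide", "subtree_check", "no_subtree_check", "sec", "fsid"}


def parse_export_options(entry):
    """Return the options inside '(...)' of one exports entry as a dict."""
    match = re.search(r"\(([^)]*)\)", entry)
    if not match:
        raise ValueError("no (options) group in %r" % entry)
    options = {}
    for item in filter(None, (s.strip() for s in match.group(1).split(","))):
        key, _, value = item.partition("=")
        options[key] = value
    return options


def review_for_ovirt(entry):
    """List the points raised in the thread that apply to this entry."""
    opts = parse_export_options(entry)
    findings = ["unknown option %r, check spelling" % k
                for k in opts if k not in KNOWN]
    if "rw" not in opts:
        findings.append("rw missing")
    anon = (opts.get("anonuid"), opts.get("anongid"))
    anon_is_vdsm = anon == (str(VDSM_UID), str(KVM_GID))
    if anon != (None, None) and not anon_is_vdsm:
        findings.append("anonuid/anongid %s/%s is not 36/36" % anon)
    if "all_squash" in opts and not anon_is_vdsm:
        findings.append("all_squash without anonuid=36,anongid=36")
    if "no_root_squash" not in opts and "all_squash" not in opts:
        findings.append("neither no_root_squash nor all_squash set")
    return findings


# Entries as quoted in the thread (SQUASHED is constructed from the last reply).
REPORTED = "(rw,async,no_wdelay,crossmnt,insecure,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)"
TYPO = "/export/path1 *(rw,sync,no_root_suqash)"
FIXED = "/export/path2 *(rw,sync,no_root_squash)"
SQUASHED = "/export/path3 *(rw,sync,all_squash,anonuid=36,anongid=36)"

if __name__ == "__main__":
    for entry in (REPORTED, TYPO, FIXED, SQUASHED):
        print(entry, "->", review_for_ovirt(entry) or "ok")
```

An empty list means the entry matches one of the two forms recommended in the thread; it says nothing about SELinux labels or directory ownership, which still need checking on the server.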
participants (4): Amit Bawer, Lee Hanel, lee.hanel@gmail.com, Strahil Nikolov