[Users] Can't start a VM - sanlock permission denied
Him I managed to install the new oVirt Node on a 8 GB USB Pen. I created the NFS Share anf when I try to Run the VM I get the: M ubuntu is down. Exit message: internal error Failed to open socket to sanlock daemon: Permission denied. I did the setsebool mentioned on the wiki on the engine but still get the error. Is it necessary to configure anywhere else? Alex
It's me again, now less sleepy :-) What I would like to know is if this sanlock permission issue is within the oVirt engine, a problem on the NFS Server or on the oVirt node (it's a 2.5.3 from nightly). On the later, I can't access the console to issue those commands - I don't even know if it's running SELinux at all :-) Alex 2012/10/11 Alexandre Santos <santosam72@gmail.com>
Him I managed to install the new oVirt Node on a 8 GB USB Pen. I created the NFS Share anf when I try to Run the VM I get the: M ubuntu is down. Exit message: internal error Failed to open socket to sanlock daemon: Permission denied.
I did the setsebool mentioned on the wiki on the engine but still get the error. Is it necessary to configure anywhere else?
Alex
On Thu, 2012-10-11 at 11:06 +0100, Alexandre Santos wrote:
It's me again, now less sleepy :-) What I would like to know is if this sanlock permission issue is within the oVirt engine, a problem on the NFS Server or on the oVirt node (it's a 2.5.3 from nightly). On the later, I can't access the console to issue those commands
From the TUI, hit F2 to get a shell.
- I don't even know if it's running SELinux at all :-)
Yes, in enforcing mode always. Mike
Alex
2012/10/11 Alexandre Santos <santosam72@gmail.com> Him I managed to install the new oVirt Node on a 8 GB USB Pen. I created the NFS Share anf when I try to Run the VM I get the: M ubuntu is down. Exit message: internal error Failed to open socket to sanlock daemon: Permission denied.
I did the setsebool mentioned on the wiki on the engine but still get the error. Is it necessary to configure anywhere else?
Alex
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
2012/10/11 Mike Burns <mburns@redhat.com>
On Thu, 2012-10-11 at 11:06 +0100, Alexandre Santos wrote:
It's me again, now less sleepy :-) What I would like to know is if this sanlock permission issue is within the oVirt engine, a problem on the NFS Server or on the oVirt node (it's a 2.5.3 from nightly). On the later, I can't access the console to issue those commands
From the TUI, hit F2 to get a shell.
Thanks a lot. I'll try it later when I get back to my oVirt :-)
- I don't even know if it's running SELinux at all :-)
Yes, in enforcing mode always.
Ok!
Mike
Alex
2012/10/11 Alexandre Santos <santosam72@gmail.com> Him I managed to install the new oVirt Node on a 8 GB USB Pen. I created the NFS Share anf when I try to Run the VM I get the: M ubuntu is down. Exit message: internal error Failed to open socket to sanlock daemon: Permission denied.
I did the setsebool mentioned on the wiki on the engine but still get the error. Is it necessary to configure anywhere else?
Alex
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hi Alex, can you please provide some logs (engine + vdsm) ? also, can you verify that sanlock service is running on node ? ----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: users@ovirt.org Sent: Thursday, October 11, 2012 12:06:19 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
It's me again, now less sleepy :-) What I would like to know is if this sanlock permission issue is within the oVirt engine, a problem on the NFS Server or on the oVirt node (it's a 2.5.3 from nightly). On the later, I can't access the console to issue those commands - I don't even know if it's running SELinux at all :-)
Alex
2012/10/11 Alexandre Santos < santosam72@gmail.com >
Him I managed to install the new oVirt Node on a 8 GB USB Pen. I created the NFS Share anf when I try to Run the VM I get the:
M ubuntu is down. Exit message: internal error Failed to open socket to sanlock daemon: Permission denied.
I did the setsebool mentioned on the wiki on the engine but still get the error. Is it necessary to configure anywhere else?
Alex
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hello Haim, sure I'll provide them. I'll enter the node console and will check that. Alex 2012/10/11 Haim Ateya <hateya@redhat.com>
Hi Alex, can you please provide some logs (engine + vdsm) ? also, can you verify that sanlock service is running on node ?
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: users@ovirt.org Sent: Thursday, October 11, 2012 12:06:19 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
It's me again, now less sleepy :-) What I would like to know is if this sanlock permission issue is within the oVirt engine, a problem on the NFS Server or on the oVirt node (it's a 2.5.3 from nightly). On the later, I can't access the console to issue those commands - I don't even know if it's running SELinux at all :-)
Alex
2012/10/11 Alexandre Santos < santosam72@gmail.com >
Him I managed to install the new oVirt Node on a 8 GB USB Pen. I created the NFS Share anf when I try to Run the VM I get the:
M ubuntu is down. Exit message: internal error Failed to open socket to sanlock daemon: Permission denied.
I did the setsebool mentioned on the wiki on the engine but still get the error. Is it necessary to configure anywhere else?
Alex
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed. However, I started getting permission denied error when trying to start the VM that was created on that NFS share. On the ovirt node console, I noticed that the user.group of that share was nobody.nobody instead of vdsm.kvm. I followed the instruction on the wiki about anonguid and anonuid but no luck at all. This was an Ubuntu nfs server. I Installed a FC17 VM on this Ubuntu and tried again and it worked at the first time :-) Ubuntu has a KVM group with guid = 106. Alex 2012/10/11 Alexandre Santos <santosam72@gmail.com>
Hello Haim, sure I'll provide them. I'll enter the node console and will check that.
Alex
2012/10/11 Haim Ateya <hateya@redhat.com>
Hi Alex, can you please provide some logs (engine + vdsm) ? also, can you verify that sanlock service is running on node ?
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: users@ovirt.org Sent: Thursday, October 11, 2012 12:06:19 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
It's me again, now less sleepy :-) What I would like to know is if this sanlock permission issue is within the oVirt engine, a problem on the NFS Server or on the oVirt node (it's a 2.5.3 from nightly). On the later, I can't access the console to issue those commands - I don't even know if it's running SELinux at all :-)
Alex
2012/10/11 Alexandre Santos < santosam72@gmail.com >
Him I managed to install the new oVirt Node on a 8 GB USB Pen. I created the NFS Share anf when I try to Run the VM I get the:
M ubuntu is down. Exit message: internal error Failed to open socket to sanlock daemon: Permission denied.
I did the setsebool mentioned on the wiki on the engine but still get the error. Is it necessary to configure anywhere else?
Alex
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
However, I started getting permission denied error when trying to start the VM that was created on that NFS share. On the ovirt node console, I noticed that the user.group of that share was nobody.nobody instead of vdsm.kvm. I followed the instruction on the wiki about anonguid and anonuid but no luck at all. This was an Ubuntu nfs server. I Installed a FC17 VM on this Ubuntu and tried again and it worked at the first time :-)
I've seen these problem when using nfs v4 without defining it's id mapper properly. The issue went away when (down?)grading to v3.
Ubuntu has a KVM group with guid = 106.
Dan.
----- Original Message -----
From: "Dan Kenigsberg" <danken@redhat.com> To: "Alexandre Santos" <santosam72@gmail.com> Cc: users@ovirt.org Sent: Saturday, October 13, 2012 11:11:13 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
Just happened to me as well with oVirt node 2.5.2 (0.1.fc17) (Latest on http://wiki.ovirt.org/wiki/OVirt_3.1_release_notes#oVirt_Node)
However, I started getting permission denied error when trying to start the VM that was created on that NFS share. On the ovirt node console, I noticed that the user.group of that share was nobody.nobody instead of vdsm.kvm. I followed the instruction on the wiki about anonguid and anonuid but no luck at all. This was an Ubuntu nfs server. I Installed a FC17 VM on this Ubuntu and tried again and it worked at the first time :-)
I've seen these problem when using nfs v4 without defining it's id mapper properly. The issue went away when (down?)grading to v3.
Ubuntu has a KVM group with guid = 106.
Dan. _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
2012/10/13 Dan Kenigsberg <danken@redhat.com>
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
vdsm-4.10.0-10.fc17 on /etc/sysconfig/selinux SELINUX=enforcing SELINUXTYPE=targeted
However, I started getting permission denied error when trying to start
the
VM that was created on that NFS share. On the ovirt node console, I noticed that the user.group of that share was nobody.nobody instead of vdsm.kvm. I followed the instruction on the wiki about anonguid and anonuid but no luck at all. This was an Ubuntu nfs server. I Installed a FC17 VM on this Ubuntu and tried again and it worked at the first time :-)
I've seen these problem when using nfs v4 without defining it's id mapper properly. The issue went away when (down?)grading to v3.
Ubuntu has a KVM group with guid = 106.
Dan.
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: "Dan Kenigsberg" <danken@redhat.com> Cc: "Haim Ateya" <hateya@redhat.com>, users@ovirt.org, "Federico Simoncelli" <fsimonce@redhat.com> Sent: Sunday, October 14, 2012 7:23:36 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
2012/10/13 Dan Kenigsberg < danken@redhat.com >
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
vdsm-4.10.0-10.fc17
on /etc/sysconfig/selinux SELINUX=enforcing SELINUXTYPE=targeted
As far as I understand the selinux policies for the ovirt-node are set by recipe/common-post.ks (in the ovirt-node repo): semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage allow_execstack=0 virt_use_nfs=1 EOF_semanage We should update it with what vdsm is currently setting: virt_use_sanlock=1 sanlock_use_nfs=1 -- Federico
On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: "Dan Kenigsberg" <danken@redhat.com> Cc: "Haim Ateya" <hateya@redhat.com>, users@ovirt.org, "Federico Simoncelli" <fsimonce@redhat.com> Sent: Sunday, October 14, 2012 7:23:36 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
2012/10/13 Dan Kenigsberg < danken@redhat.com >
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
vdsm-4.10.0-10.fc17
on /etc/sysconfig/selinux SELINUX=enforcing SELINUXTYPE=targeted
As far as I understand the selinux policies for the ovirt-node are set by recipe/common-post.ks (in the ovirt-node repo):
semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage allow_execstack=0 virt_use_nfs=1 EOF_semanage
We should update it with what vdsm is currently setting:
virt_use_sanlock=1 sanlock_use_nfs=1
Shouldn't vdsm be setting these if they're needed? I can certainly set the values, but IMO, if vdsm needs it, vdsm should set it.
On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: "Dan Kenigsberg" <danken@redhat.com> Cc: "Haim Ateya" <hateya@redhat.com>, users@ovirt.org, "Federico Simoncelli" <fsimonce@redhat.com> Sent: Sunday, October 14, 2012 7:23:36 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
2012/10/13 Dan Kenigsberg < danken@redhat.com >
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
vdsm-4.10.0-10.fc17
on /etc/sysconfig/selinux SELINUX=enforcing SELINUXTYPE=targeted
As far as I understand the selinux policies for the ovirt-node are set by recipe/common-post.ks (in the ovirt-node repo):
semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage allow_execstack=0 virt_use_nfs=1 EOF_semanage
We should update it with what vdsm is currently setting:
virt_use_sanlock=1 sanlock_use_nfs=1
Shouldn't vdsm be setting these if they're needed?
It should - I'd like to know which vdsm version was it, and why this was skipped.
I can certainly set the values, but IMO, if vdsm needs it, vdsm should set it.
virt_use_nfs=1 made it into the node. Maybe there was a good reason for it that applies to virt_use_sanlock as well. (I really hate to persist the policy files, and dislike the idea of setting virt_use_sanlock every time vdsmd starts - it's slooooow).
----- Original Message -----
From: "Dan Kenigsberg" <danken@redhat.com> To: "Mike Burns" <mburns@redhat.com> Cc: "Federico Simoncelli" <fsimonce@redhat.com>, users@ovirt.org Sent: Monday, October 15, 2012 11:02:45 AM Subject: Re: [Users] Can't start a VM - sanlock permission denied
On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: "Dan Kenigsberg" <danken@redhat.com> Cc: "Haim Ateya" <hateya@redhat.com>, users@ovirt.org, "Federico Simoncelli" <fsimonce@redhat.com> Sent: Sunday, October 14, 2012 7:23:36 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
2012/10/13 Dan Kenigsberg < danken@redhat.com >
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
vdsm-4.10.0-10.fc17
on /etc/sysconfig/selinux SELINUX=enforcing SELINUXTYPE=targeted
As far as I understand the selinux policies for the ovirt-node are set by recipe/common-post.ks (in the ovirt-node repo):
semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage allow_execstack=0 virt_use_nfs=1 EOF_semanage
We should update it with what vdsm is currently setting:
virt_use_sanlock=1 sanlock_use_nfs=1
Shouldn't vdsm be setting these if they're needed?
It should - I'd like to know which vdsm version was it, and why this was skipped.
The version was 4.10.0-10.fc17 and what I thought (but I didn't test yesterday night) is that the ovirt-node was overriding what we were setting. Anyway this is not the case.
I can certainly set the values, but IMO, if vdsm needs it, vdsm should set it.
virt_use_nfs=1 made it into the node. Maybe there was a good reason for it that applies to virt_use_sanlock as well. (I really hate to persist the policy files, and dislike the idea of setting virt_use_sanlock every time vdsmd starts - it's slooooow).
We set them when we install vdsm (not when the service starts) so they should be good to go in the iso. It might be a glitch during the vdsm package installation, it could be something like semanage taking the boolean from the host where the iso is built rather than the root where the package is installed. Do we have the iso build logs? -- Federico
On Mon, 2012-10-15 at 05:55 -0400, Federico Simoncelli wrote:
----- Original Message -----
From: "Dan Kenigsberg" <danken@redhat.com> To: "Mike Burns" <mburns@redhat.com> Cc: "Federico Simoncelli" <fsimonce@redhat.com>, users@ovirt.org Sent: Monday, October 15, 2012 11:02:45 AM Subject: Re: [Users] Can't start a VM - sanlock permission denied
On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: "Dan Kenigsberg" <danken@redhat.com> Cc: "Haim Ateya" <hateya@redhat.com>, users@ovirt.org, "Federico Simoncelli" <fsimonce@redhat.com> Sent: Sunday, October 14, 2012 7:23:36 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
2012/10/13 Dan Kenigsberg < danken@redhat.com >
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
vdsm-4.10.0-10.fc17
on /etc/sysconfig/selinux SELINUX=enforcing SELINUXTYPE=targeted
As far as I understand the selinux policies for the ovirt-node are set by recipe/common-post.ks (in the ovirt-node repo):
semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage allow_execstack=0 virt_use_nfs=1 EOF_semanage
We should update it with what vdsm is currently setting:
virt_use_sanlock=1 sanlock_use_nfs=1
Shouldn't vdsm be setting these if they're needed?
It should - I'd like to know which vdsm version was it, and why this was skipped.
The version was 4.10.0-10.fc17 and what I thought (but I didn't test yesterday night) is that the ovirt-node was overriding what we were setting. Anyway this is not the case.
I can certainly set the values, but IMO, if vdsm needs it, vdsm should set it.
virt_use_nfs=1 made it into the node. Maybe there was a good reason for it that applies to virt_use_sanlock as well. (I really hate to persist the policy files, and dislike the idea of setting virt_use_sanlock every time vdsmd starts - it's slooooow).
Agreed, we shouldn't do this every time vdsm starts. I posted a patch to pull these 2 booleans into ovirt-node config. When we start the process of making an ovirt/vdsm plugin rpm, it should move into the new plugin rather than in base ovirt-node.
We set them when we install vdsm (not when the service starts) so they should be good to go in the iso. It might be a glitch during the vdsm package installation, it could be something like semanage taking the boolean from the host where the iso is built rather than the root where the package is installed.
Do we have the iso build logs?
No, not at this point. I'm still building ISOs and RPMs for ovirt-node on my local machine and don't generally persist the build logs for long. Eventually when we move to building only in Jenkins for official releases, we'll have logs persisted long term. Mike
On Mon, Oct 15, 2012 at 05:55:03AM -0400, Federico Simoncelli wrote:
----- Original Message -----
From: "Dan Kenigsberg" <danken@redhat.com> To: "Mike Burns" <mburns@redhat.com> Cc: "Federico Simoncelli" <fsimonce@redhat.com>, users@ovirt.org Sent: Monday, October 15, 2012 11:02:45 AM Subject: Re: [Users] Can't start a VM - sanlock permission denied
On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
----- Original Message -----
From: "Alexandre Santos" <santosam72@gmail.com> To: "Dan Kenigsberg" <danken@redhat.com> Cc: "Haim Ateya" <hateya@redhat.com>, users@ovirt.org, "Federico Simoncelli" <fsimonce@redhat.com> Sent: Sunday, October 14, 2012 7:23:36 PM Subject: Re: [Users] Can't start a VM - sanlock permission denied
2012/10/13 Dan Kenigsberg < danken@redhat.com >
On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
Hi, after getting to the oVirt Node console (F2) I figured out that selinux wasn't allowing the sanlock, so I entered the setsebool virt_use_sanlock 1 and the problem is fixed.
Which version of vdsm is istalled on your node? and which selinux-policy? sanlock should work out-of-the-box.
vdsm-4.10.0-10.fc17
on /etc/sysconfig/selinux SELINUX=enforcing SELINUXTYPE=targeted
As far as I understand the selinux policies for the ovirt-node are set by recipe/common-post.ks (in the ovirt-node repo):
semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage allow_execstack=0 virt_use_nfs=1 EOF_semanage
We should update it with what vdsm is currently setting:
virt_use_sanlock=1 sanlock_use_nfs=1
Shouldn't vdsm be setting these if they're needed?
It should - I'd like to know which vdsm version was it, and why this was skipped.
The version was 4.10.0-10.fc17 and what I thought (but I didn't test yesterday night) is that the ovirt-node was overriding what we were setting. Anyway this is not the case.
I can certainly set the values, but IMO, if vdsm needs it, vdsm should set it.
virt_use_nfs=1 made it into the node. Maybe there was a good reason for it that applies to virt_use_sanlock as well. (I really hate to persist the policy files, and dislike the idea of setting virt_use_sanlock every time vdsmd starts - it's slooooow).
We set them when we install vdsm (not when the service starts) so they should be good to go in the iso.
oops, I've forgot about "BZ#832199: move selinux from init to spec" in http://gerrit.ovirt.org/5600 .
It might be a glitch during the vdsm package installation, it could be something like semanage taking the boolean from the host where the iso is built rather than the root where the package is installed.
Do we have the iso build logs?
participants (6)
-
Alexandre Santos -
Dan Kenigsberg -
Federico Simoncelli -
Haim Ateya -
Mike Burns -
Simon Grinberg