[Users] Can't start a VM - sanlock permission denied

Dan Kenigsberg danken at redhat.com
Mon Oct 15 09:02:45 UTC 2012 

On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
> On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
> > ----- Original Message -----
> > > From: "Alexandre Santos" <santosam72 at gmail.com>
> > > To: "Dan Kenigsberg" <danken at redhat.com>
> > > Cc: "Haim Ateya" <hateya at redhat.com>, users at ovirt.org, "Federico Simoncelli" <fsimonce at redhat.com>
> > > Sent: Sunday, October 14, 2012 7:23:36 PM
> > > Subject: Re: [Users] Can't start a VM - sanlock permission denied
> > > 
> > > 2012/10/13 Dan Kenigsberg < danken at redhat.com >
> > > 
> > > On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos wrote:
> > > > Hi,
> > > > after getting to the oVirt Node console (F2) I figured out that
> > > > selinux
> > > > wasn't allowing the sanlock, so I entered the setsebool
> > > > virt_use_sanlock 1
> > > > and the problem is fixed.
> > > 
> > > Which version of vdsm is istalled on your node? and which
> > > selinux-policy? sanlock should work out-of-the-box.
> > > 
> > > 
> > > vdsm-4.10.0-10.fc17
> > > 
> > > on /etc/sysconfig/selinux
> > > SELINUX=enforcing
> > > SELINUXTYPE=targeted
> > 
> > As far as I understand the selinux policies for the ovirt-node are set
> > by recipe/common-post.ks (in the ovirt-node repo):
> > 
> > semanage  boolean -m -S targeted -F /dev/stdin  << \EOF_semanage
> > allow_execstack=0
> > virt_use_nfs=1
> > EOF_semanage
> > 
> > We should update it with what vdsm is currently setting:
> > 
> > virt_use_sanlock=1
> > sanlock_use_nfs=1
> > 
> 
> Shouldn't vdsm be setting these if they're needed?

It should - I'd like to know which vdsm version was it, and why this was
skipped.

> I can certainly set
> the values, but IMO, if vdsm needs it, vdsm should set it.

virt_use_nfs=1 made it into the node. Maybe there was a good reason for
it that applies to virt_use_sanlock as well. (I really hate to persist
the policy files, and dislike the idea of setting virt_use_sanlock every
time vdsmd starts - it's slooooow).

More information about the Users mailing list