[Users] Can't start a VM - sanlock permission denied
Federico Simoncelli
fsimonce at redhat.com
Mon Oct 15 09:55:03 UTC 2012
----- Original Message -----
> From: "Dan Kenigsberg" <danken at redhat.com>
> To: "Mike Burns" <mburns at redhat.com>
> Cc: "Federico Simoncelli" <fsimonce at redhat.com>, users at ovirt.org
> Sent: Monday, October 15, 2012 11:02:45 AM
> Subject: Re: [Users] Can't start a VM - sanlock permission denied
>
> On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
> > On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
> > > ----- Original Message -----
> > > > From: "Alexandre Santos" <santosam72 at gmail.com>
> > > > To: "Dan Kenigsberg" <danken at redhat.com>
> > > > Cc: "Haim Ateya" <hateya at redhat.com>, users at ovirt.org,
> > > > "Federico Simoncelli" <fsimonce at redhat.com>
> > > > Sent: Sunday, October 14, 2012 7:23:36 PM
> > > > Subject: Re: [Users] Can't start a VM - sanlock permission
> > > > denied
> > > >
> > > > 2012/10/13 Dan Kenigsberg < danken at redhat.com >
> > > >
> > > > On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos
> > > > wrote:
> > > > > Hi,
> > > > > after getting to the oVirt Node console (F2) I figured out
> > > > > that
> > > > > selinux
> > > > > wasn't allowing the sanlock, so I entered the setsebool
> > > > > virt_use_sanlock 1
> > > > > and the problem is fixed.
> > > >
> > > > Which version of vdsm is istalled on your node? and which
> > > > selinux-policy? sanlock should work out-of-the-box.
> > > >
> > > >
> > > > vdsm-4.10.0-10.fc17
> > > >
> > > > on /etc/sysconfig/selinux
> > > > SELINUX=enforcing
> > > > SELINUXTYPE=targeted
> > >
> > > As far as I understand the selinux policies for the ovirt-node
> > > are set
> > > by recipe/common-post.ks (in the ovirt-node repo):
> > >
> > > semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage
> > > allow_execstack=0
> > > virt_use_nfs=1
> > > EOF_semanage
> > >
> > > We should update it with what vdsm is currently setting:
> > >
> > > virt_use_sanlock=1
> > > sanlock_use_nfs=1
> > >
> >
> > Shouldn't vdsm be setting these if they're needed?
>
> It should - I'd like to know which vdsm version was it, and why this
> was skipped.
The version was 4.10.0-10.fc17 and what I thought (but I didn't test yesterday
night) is that the ovirt-node was overriding what we were setting.
Anyway this is not the case.
> > I can certainly set
> > the values, but IMO, if vdsm needs it, vdsm should set it.
>
> virt_use_nfs=1 made it into the node. Maybe there was a good reason
> for it that applies to virt_use_sanlock as well. (I really hate to
> persist the policy files, and dislike the idea of setting virt_use_sanlock
> every time vdsmd starts - it's slooooow).
We set them when we install vdsm (not when the service starts) so they should
be good to go in the iso. It might be a glitch during the vdsm package
installation, it could be something like semanage taking the boolean from the
host where the iso is built rather than the root where the package is installed.
Do we have the iso build logs?
--
Federico
More information about the Users
mailing list