[Users] Can't start a VM - sanlock permission denied

Dan Kenigsberg danken at redhat.com
Mon Oct 15 12:19:58 UTC 2012


On Mon, Oct 15, 2012 at 05:55:03AM -0400, Federico Simoncelli wrote:
> ----- Original Message -----
> > From: "Dan Kenigsberg" <danken at redhat.com>
> > To: "Mike Burns" <mburns at redhat.com>
> > Cc: "Federico Simoncelli" <fsimonce at redhat.com>, users at ovirt.org
> > Sent: Monday, October 15, 2012 11:02:45 AM
> > Subject: Re: [Users] Can't start a VM - sanlock permission denied
> > 
> > On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote:
> > > On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote:
> > > > ----- Original Message -----
> > > > > From: "Alexandre Santos" <santosam72 at gmail.com>
> > > > > To: "Dan Kenigsberg" <danken at redhat.com>
> > > > > Cc: "Haim Ateya" <hateya at redhat.com>, users at ovirt.org,
> > > > > "Federico Simoncelli" <fsimonce at redhat.com>
> > > > > Sent: Sunday, October 14, 2012 7:23:36 PM
> > > > > Subject: Re: [Users] Can't start a VM - sanlock permission
> > > > > denied
> > > > > 
> > > > > 2012/10/13 Dan Kenigsberg < danken at redhat.com >
> > > > > 
> > > > > On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos
> > > > > wrote:
> > > > > > Hi,
> > > > > > after getting to the oVirt Node console (F2) I figured out
> > > > > > that
> > > > > > selinux
> > > > > > wasn't allowing the sanlock, so I entered the setsebool
> > > > > > virt_use_sanlock 1
> > > > > > and the problem is fixed.
> > > > > 
> > > > > > Which version of vdsm is installed on your node? and which
> > > > > selinux-policy? sanlock should work out-of-the-box.
> > > > > 
> > > > > 
> > > > > vdsm-4.10.0-10.fc17
> > > > > 
> > > > > on /etc/sysconfig/selinux
> > > > > SELINUX=enforcing
> > > > > SELINUXTYPE=targeted
> > > > 
> > > > As far as I understand the selinux policies for the ovirt-node
> > > > are set
> > > > by recipe/common-post.ks (in the ovirt-node repo):
> > > > 
> > > > semanage  boolean -m -S targeted -F /dev/stdin  << \EOF_semanage
> > > > allow_execstack=0
> > > > virt_use_nfs=1
> > > > EOF_semanage
> > > > 
> > > > We should update it with what vdsm is currently setting:
> > > > 
> > > > virt_use_sanlock=1
> > > > sanlock_use_nfs=1
> > > > 
> > > 
> > > Shouldn't vdsm be setting these if they're needed?
> > 
> > It should - I'd like to know which vdsm version it was, and why this
> > was skipped.
> 
> The version was 4.10.0-10.fc17 and what I thought (but I didn't test yesterday
> night) is that the ovirt-node was overriding what we were setting.
> Anyway this is not the case.
> 
> > > I can certainly set
> > > the values, but IMO, if vdsm needs it, vdsm should set it.
> > 
> > virt_use_nfs=1 made it into the node. Maybe there was a good reason
> > for it that applies to virt_use_sanlock as well. (I really hate to
> > persist the policy files, and dislike the idea of setting virt_use_sanlock
> > every time vdsmd starts - it's slooooow).
> 
> We set them when we install vdsm (not when the service starts) so they should
> be good to go in the iso.

oops, I've forgotten about "BZ#832199: move selinux from init to spec" in
http://gerrit.ovirt.org/5600 .

> It might be a glitch during the vdsm package
> installation, it could be something like semanage taking the boolean from the
> host where the iso is built rather than the root where the package is installed.
> 
> Do we have the iso build logs?
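
An added example, not code from this thread, vdsm or ovirt-node: a check that could run on a booted node or at the end of an ISO build to catch the case discussed above, where the SELinux booleans listed in the thread did not end up set in the image. It parses `getsebool -a` style output; the function names and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Booleans and values named in the thread: the two from recipe/common-post.ks
# plus the two vdsm is said to set at package install time.
EXPECTED="allow_execstack=off virt_use_nfs=on virt_use_sanlock=on sanlock_use_nfs=on"

# Read "name --> on|off" lines (the format printed by getsebool) on stdin.
# Print one line per expected boolean that is absent or has the wrong value.
# Returns 0 when everything matches, 1 otherwise.
audit_sebools() {
    # Normalise to name=value and drop anything that is not a boolean line.
    actual=$(awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $1 "=" $3 }')
    rc=0
    for want in $EXPECTED; do
        name=${want%%=*}
        want_val=${want#*=}
        got_val=$(printf '%s\n' "$actual" |
            awk -F= -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$got_val" ]; then
            echo "MISSING $name (want $want_val)"
            rc=1
        elif [ "$got_val" != "$want_val" ]; then
            echo "MISMATCH $name is $got_val, want $want_val"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample, not output captured from a real node: virt_use_sanlock
# is off (the symptom reported in the thread) and sanlock_use_nfs is absent.
sample_node_state() {
    cat <<'EOF'
allow_execstack --> off
virt_use_nfs --> on
virt_use_sanlock --> off
EOF
}

sample_node_state | audit_sebools || echo "image does not carry the expected booleans"
```

On a node, feed it live state with `getsebool -a | audit_sebools`.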
