[Users] Help required: Selinux disable for ovirt iso image

David Smith dsmith at mypchelp.com
Wed Feb 19 21:16:26 UTC 2014


I managed to dig, dig, dig and have finally resolved issue #1 without
reinstall

steps
1.  put host in maintenance mode
2. log in to host and:
2a. mount -o rw,remount /run/initramfs/live

2b. edit /run/initramfs/live/grub2/grub.cfg and add selinux=0 to the
end of the kernel line (starts with "linux /vmlinuz0")

2c. reboot the host

3. log in and try "getenforce" - selinux says disabled.

4. I tried to "Activate" the host and the manager returned
"non-operational", so I had to remove and re-add the host.


Manager version: 3.3.3-2.fc19 and iso ovirt-node-iso-3.0.3-1.1.vdsm.fc19.iso



On Wed, Feb 19, 2014 at 12:14 PM, David Smith <dsmith at mypchelp.com> wrote:

> Side note, reinstalling the nodes to resolve the selinux issue really
> isn't a great proposition, it's time consuming, an after-the-fact method of
> editing the grub line and adding selinux=0 or enforcing=0 whichever it may
> be would be ideal.
>
>
> On Wed, Feb 19, 2014 at 11:05 AM, David Smith <dsmith at mypchelp.com> wrote:
>
>> I apologize if this comes off a little brusque, but there's really a lot
>> of random information out there right now, to the point where I've seen it
>> confuse not only myself but other new installers. Based on the problems I
>> still have, I have a suggestion, and I also need some help.  Again, some of
>> this may come off as a bit of a TLDR Rant but if ovirt is to become
>> popular, I believe my experience as a hardware engineer, software/hardware
>> QA director/manager/engineer, may be valuable to this project.
>>
>> Two things keep me from getting this system working for me in a useful
>> manner:
>> #1, and the most important blocker: Disabling or fixing selinux, using
>> ovirt-node-iso-3.0.3-1.1.vdsm.fc19.iso.
>>
>> #2, getting raritan pdu support
>>
>> For issue #1: I've had a lot of people say "disable selinux" or "fix
>> selinux" all over this user list and in recent replies. This really isn't
>> fully helpful information. Even stating "edit the /etc/selinux/config" or
>> use the kernel boot command "selinux=0" or read some other doc on the
>> internet. These all apply to full fledged releases, not to the ovirt iso
>> image. The main issue is that SSHD is not being allowed through selinux by
>> default on this image.  The right thing to do would be to fix the image and
>> re-release it, and DELETE the broken one that is currently available.
>> However a simple doc explaining how to persist the selinux disable or fix
>> the SSHD problem with selinux would be the easiest solution.
>> Others ran me down the path of "edit the selinux file and persist it"
>> which didn't work, but gave no productive help on how to make it permanent.
>> Equally I've been told to edit the grub config and add selinux=0 to the
>> kernel, however after attempting this, adding it manually at the grub boot
>> causes the system not to boot, and I haven't found the *right* grub.cfg
>> file to edit and persist to keep the changes.
>>
>> For issue #2: I've hacked up some of the fence-agents scripts and am in
>> the process of attempting to figure out how to compile/set up my own local
>> copy to verify the raritan changes. Ideally the fence-agents folks would
>> add a "generic support" portion, which I may actually do myself as well,
>> allowing *any* PDU with at least the usual login/password/command/logout
>> sequence to be used. So you see, I'm not totally useless, I'm helping here.
>>
>> Next suggestions:
>> A) Compatibility list
>> B) Cleanup of old project crap
>>
>> For A)
>> For each release, I suggest there be a spreadsheet or simple document
>> that shows which ovirt ISO images are compatible with which manager
>> versions.
>> There could be a wiki where people can add references to bug #s that have
>> been found and links to their solutions. Right now there are ancient docs
>> all over google searches that send people down paths of days of turmoil to
>> no avail.
>>
>> For B)
>> When iso images or other releases are superseded because of blocking,
>> non-operable bugs, they should either be resolved and re-released or a
>> clear path to making them function be documented.  Once a re-release is
>> done, the old images should be wiped out or moved to a clearly marked
>> deprecated folder.
>>
>> That's my 100 cents worth, I really do appreciate the work and effort that
>> goes into this project, it appears to be a wonderful one, I hope to make
>> good use of it, but the initial learning curve is a real deal breaker I'm
>> sure for many others, especially not those willing and able to spend the
>> time hacking at it like I have for the past week.
>>
>> Thanks!
>>
>
>
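
The grub.cfg edit from step 2b, as an added example that is not part of the original post: it appends the argument to the "linux /vmlinuz0" lines only when it is missing, so re-running it is harmless, and it keeps a backup of the previous file. The helper names, the sample grub.cfg contents and the temporary directory are assumptions; on a host the file would be /run/initramfs/live/grub2/grub.cfg after the remount in step 2a, and enforcing=0 can be passed in place of selinux=0.

```shell
#!/bin/sh
# Added example: append a kernel argument to the "linux /vmlinuz0" lines of a
# grub.cfg exactly once, keeping a backup of the file as it was before.

# add_kernel_arg FILE ARG  (hypothetical helper name)
add_kernel_arg() {
    cfg=$1 arg=$2
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    awk -v arg="$arg" '
        $1 == "linux" && $2 == "/vmlinuz0" {
            present = 0
            for (i = 3; i <= NF; i++) if ($i == arg) present = 1
            if (!present) { sub(/[ \t]+$/, ""); $0 = $0 " " arg }
        }
        { print }
    ' "$cfg" > "$cfg.tmp" || return 1
    if cmp -s "$cfg" "$cfg.tmp"; then
        rm -f "$cfg.tmp"        # argument already there: touch nothing
    else
        cp -p "$cfg" "$cfg.bak" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
    fi
}

# kernel_lines_with_arg FILE ARG: print how many kernel lines carry ARG.
kernel_lines_with_arg() {
    awk -v arg="$2" '
        $1 == "linux" && $2 == "/vmlinuz0" {
            for (i = 3; i <= NF; i++) if ($i == arg) { n++; break }
        }
        END { print n + 0 }
    ' "$1"
}

# Demo on a constructed grub.cfg in a temp dir (not the live image's file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/grub.cfg" <<'EOF'
menuentry "constructed sample entry" {
    linux /vmlinuz0 root=live:LABEL=Root ro quiet
    initrd /initrd0.img
}
EOF
add_kernel_arg "$demo_dir/grub.cfg" selinux=0
add_kernel_arg "$demo_dir/grub.cfg" selinux=0   # second run is a no-op
kernel_lines_with_arg "$demo_dir/grub.cfg" selinux=0   # prints 1
```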