[Users] issue with conversion of ESXi 5 centos VM to fedora19 ovirt host

Madhav V Diwan mdiwan at diwanconsulting.com
Tue Jan 14 17:20:33 UTC 2014 


Issue resolved -- this issue is caused by improper root user permission
to read/write to NFS export share

OK

 here is what i did  with the NFS  and UID 36 tests


first test  as user vdsm  on the ovirt server itself

$ ssh server3

Last login: Sun Jan 12 23:53:58 2014
[mdiwan at server3 ~]$ id vdsm
uid=36(vdsm) gid=36(kvm) groups=36(kvm),179(sanlock),107(qemu)
[mdiwan at server3 ~]$ sudo su - vdsm
[sudo] password for mdiwan: 
This account is currently not available.
[mdiwan at server3 ~]$ sudo vi /etc/passwd
[mdiwan at server3 ~]$ sudo su - vdsm
-bash-4.2$ mkdir /tmp/ovirt-mount
-bash-4.2$ exit
logout
[mdiwan at server3 ~]$ su -
Password: 
[root at server3 ~]# mount server3:/localstorage/nfs /tmp/ovirt-mount
[root at server3 ~]# su - vdsm
-bash-4.2$ whoami
vdsm
-bash-4.2$ id
uid=36(vdsm) gid=36(kvm) groups=36(kvm),107(qemu),179(sanlock)
-bash-4.2$ 
-bash-4.2$ 
-bash-4.2$ cd /tmp/ovirt-mount/8eff2927-3bff-4b15-bdd0-8c4e0f40652d/
-bash-4.2$ ls
dom_md  images  master
-bash-4.2$ touch foo
-bash-4.2$ ls
dom_md  foo  images  master
-bash-4.2$ ls -l
total 0
drwxr-xr-x 2 vdsm kvm 69 Dec 26 19:07 dom_md
-rw-r--r-- 1 vdsm kvm  0 Jan 14 11:39 foo
drwxr-xr-x 2 vdsm kvm  6 Dec 26 19:07 images
drwxr-xr-x 4 vdsm kvm 28 Dec 26 19:07 master
-bash-4.2$ rm foo
-bash-4.2$ ls
dom_md  images  master
-bash-4.2$ exit
logout


second test on a separate server with the ovirt server's NFS export 
with a temporary UID 3 GID 36 user

[root at server2 ~]# mount server3:/
/localstorage/nfs                    /var/lib/exports/iso-20131223154119
/var/lib/exports/iso                 
[root at server2 ~]# mount server3:/localstorage/nfs /tmp/ovirt-mount
[root at server2 ~]# su - vdsm
-bash-4.2$ cd /tmp/ovirt-mount/
-bash-4.2$ ls
8eff2927-3bff-4b15-bdd0-8c4e0f40652d  __DIRECT_IO_TEST__
-bash-4.2$ cd 8eff2927-3bff-4b15-bdd0-8c4e0f40652d/
-bash-4.2$ ls
dom_md  images  master
-bash-4.2$ touch foo
-bash-4.2$ ls
dom_md  foo  images  master
-bash-4.2$ ls  -l
total 0
drwxr-xr-x. 2 vdsm kvm 69 Dec 26 19:07 dom_md
-rw-r--r--. 1 vdsm kvm  0 Jan 14 11:52 foo
drwxr-xr-x. 2 vdsm kvm  6 Dec 26 19:07 images
drwxr-xr-x. 4 vdsm kvm 28 Dec 26 19:07 master
-bash-4.2$ rm foo
-bash-4.2$ ls
dom_md  images  master
-bash-4.2$ exit
logout
[root at server2 ~]# cd /tmp/ovirt-mount/
[root at server2 ovirt-mount]# ls
8eff2927-3bff-4b15-bdd0-8c4e0f40652d  __DIRECT_IO_TEST__
[root at server2 ovirt-mount]# cd 8eff2927-3bff-4b15-bdd0-8c4e0f40652d/
[root at server2 8eff2927-3bff-4b15-bdd0-8c4e0f40652d]# ls
dom_md  images  master
[root at server2 8eff2927-3bff-4b15-bdd0-8c4e0f40652d]# touch foo
touch: cannot touch ‘foo’: Permission denied


ROOT USER FAILS TO WRITE .. definitely NFS permissions.

problem is that vdsm user has /sbin/nologin set in /etc/password , i had
to change that for this test.. and i have been under the impression that
root user should be the one doing the conversion. 
 

based on the above 

I have changed my nfs export to allow root to write this NFS storage,

 the conversion now works 

 thank you Matt

and thank you Richard 


 for taking the time to figure this out with me.
 

Dont like using root for the conversions though, too easy to destroy the
source vms on ESX for my taste.

Going forward i think i am going to make a "conVIRT" user instead of use
root..  i'll let the list know how that goes.  

looks like NFS is the only thing that would need changing ( maybe i can
make it a NFS only account)

Madhav


-----Original Message-----
From: Matthew Booth <mbooth at redhat.com>
To: Madhav V Diwan <mdiwan at diwanconsulting.com>, Richard W.M. Jones
<rjones at redhat.com>
Subject: Re: [Users] issue with conversion of ESXi 5 centos VM to
fedora19 ovirt host
Date: Tue, 14 Jan 2014 16:33:28 +0000

On 14/01/14 16:30, Madhav V Diwan wrote:
> 
> HI all ,
> 
>  Any new ideas about this issue ?.. its blocking me from my ESX
> conversion ...

Hi, Madhav.

I don't see a response from you about the NFS permission test. Did you
do it? I remain convinced that this is your problem.

Matt

> 
> 
> 
> -----Original Message-----
> 
> To: Richard W.M. Jones <rjones at redhat.com>
> 
> Subject: Re: [Users] issue with conversion of ESXi 5 centos VM to
> fedora19 ovirt host
> Date: Sat, 11 Jan 2014 08:57:33 -0500
> 
> setting up a physical /tmp with 1777 permissions did not work ..
> 
>  and i see ovirt/vdsm is making a temporary nfsV4 mount of the target
> export domain to /tmp on the ovirt server 
> (what i thought was a hard link is actually a nfs mount for the duration
> of the conversion) 
> 
> so if the issue is not permissions on /tmp or the fact that we normally
> use  tmpfs , what is left?
> 
> 
> 
> 
> -----Original Message-----
> To: Richard W.M. Jones <rjones at redhat.com>
> 
> Subject: Re: [Users] issue with conversion of ESXi 5 centos VM to
> fedora19 ovirt host
> Date: Fri, 10 Jan 2014 17:26:34 -0500
> 
> 
> i have some spare disk on this server that i can make a /tmp partition
> from .. i am going to try that approach to rule out the tmpfs  as an
> issue
> 
> but woe to those who need such a large physical tmp partition for VM
> conversions.. 
> 
> 
> 
> -----Original Message-----
> From: Madhav V Diwan <mdiwan at diwanconsulting.com>
> To: Richard W.M. Jones <rjones at redhat.com>
> Cc: mbooth at redhat.com, users at ovirt.org
> Subject: Re: [Users] issue with conversion of ESXi 5 centos VM to
> fedora19 ovirt host
> Date: Fri, 10 Jan 2014 14:37:16 -0500
> 
> 
> [mdiwan at server3 ~]$ sudo getenforce
> [sudo] password for mdiwan: 
> Disabled
> 
> [mdiwan at server3 ~]$ cat /etc/fstab | grep "tmp"
> 
> [mdiwan at server3 ~]$ mount | grep "/tmp"
> tmpfs on /tmp type tmpfs (rw)
> 
> 
> selinux is disabled on this server .. at least till we figure this out
> 
> 
> but yes /tmp is a tmpfs mount 
> 
> which makes me wonder how it holds a 100 gig file.. it clearly
> doesn't ... it seems to have a temporary  "hardlink" to the OVIRT nfs
> export share when virt-v2v2 is running???
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Richard W.M. Jones <rjones at redhat.com>
> To: Madhav V Diwan <mdiwan at diwanconsulting.com>
> Cc: mbooth at redhat.com, users at ovirt.org
> Subject: Re: [Users] issue with conversion of ESXi 5 centos VM to
> fedora19 ovirt host
> Date: Fri, 10 Jan 2014 18:53:03 +0000
> 
> On Fri, Jan 10, 2014 at 12:48:43PM -0500, Madhav V Diwan wrote:
>>
>> Sorry richard 
>>
>> seems that it failed even when i tried to set that variable
>>
>> Maybe i set up the command incorrectly?
>>
>> here is what i ran
>>
>>
>> [root at server3 ~]# cat convrtesxhost.sh
>>
>> #!/bin/bash
>>
>> export LIBGUESTFS_TRACE=1 
>> export LIBGUESTFS_DEBUG=1
>> export LIBGUESTFS_BACKEND=direct
>>
>> virt-v2v -ic esx://ESX.decllc.biz/?no_verify=1 -o rhev -os
>> server3.decllc.biz:/localstorage/nfs --network ovirtmgmt razDC  2>&1 |
>> tee /var/log/virt-v2v.log 
> 
> It looks like this is correctly setting the environment variable:
> 
>> [root at server3 ~]# ./convrtesxhost.sh 
>> virt-v2v: Transferring storage volume razDC_razDC: 107374182400 bytes
>> libguestfs: trace: set_verbose true
>> libguestfs: trace: set_verbose = 0
>> libguestfs: trace: set_backend "direct"
>> libguestfs: trace: set_backend = 0
> 
> ^ see that it's set correctly here.
> 
> [...]
>> libguestfs: trace: add_drive
>> "/tmp/dgsXFuqz0X/8eff2927-3bff-4b15-bdd0-8c4e0f40652d/v2v.nCJ17ysL/e1660d18-b67b-4002-9835-10c654e7ee0e/a7afe4c5-ece8-4022-a8ec-964984a8db17" "format:raw" "iface:ide" "name:sda"
>> libguestfs: trace: add_drive = -1 (error)
>> /tmp/dgsXFuqz0X/8eff2927-3bff-4b15-bdd0-8c4e0f40652d/v2v.nCJ17ysL/e1660d18-b67b-4002-9835-10c654e7ee0e/a7afe4c5-ece8-4022-a8ec-964984a8db17: Permission denied at /usr/lib64/perl5/vendor_perl/Sys/Guestfs.pm line 670.
> 
> So this is not the bug I was thinking of.
> 
> (In fact it's obvious now I look closer.  This has nothing to do with
> libvirt, and the error message is being generated by libguestfs
> earlier on)
> 
> Is there some other reason that libguestfs would not be able to open
> that file in /tmp?  Perhaps there is an SELinux AVC?  Or /tmp has
> strange permissions ...?  Is /tmp a tmpfs mount?
> 
> I believe the actual code path you're hitting is this one:
> 
> https://github.com/libguestfs/libguestfs/blob/stable-1.22/src/drives.c#L660
> 
> I'm not exactly sure why that fails.
> 
> Rich.
> 
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

More information about the Users mailing list