[ovirt-users] Possible SELinux problems with ovirt synchronizing networks

Dan Kenigsberg danken at redhat.com
Mon May 18 12:06:23 UTC 2015


On Fri, May 15, 2015 at 03:03:48PM -0500, Jeremy Utley wrote:
> Hello all!
> 
> Running ovirt 3.5 on CentOS 7 currently, and running into a little
> problem.  All my nodes are currently showing the ovirtmgmt network as
> unsynchronized.  When I try to force them to sync, it fails.  Looking at the
> /var/log/vdsm/supervdsm.log file on one of the nodes, it looks like it has
> to do with SELinux.  See:
> 
> http://pastebin.com/NX7yetVW
> 
> Which contains a dump of the supervdsm.log file when I tried to force
> synchronization.  Judging from what I'm seeing, after VDSM writes the new
> network configuration files to /etc/sysconfig/network-scripts/ifcfg-*, it
> attempts to run a selinux.restorecon function against those files.  Since
> we disable SELinux by default on all our servers, this action is failing
> with Errno 61 (see lines 66-71 and 86-91 in the above-mentioned pastebin).
> Is this normal?  Is ovirt expecting to run with SELinux enabled?  Or am I
> misinterpreting this log output?
> 
> Thanks for any help or advice you can give me!

The log has

     ..."ignoring restorecon error in case SElinux is disabled"...

meaning that Vdsm decided to allow working with SELinux disabled, but it
is recommended, wholeheartedly, that you enable SELinux on your hosts.

For example, the recent qemu flaw
https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/
becomes much more limited when SELinux is enabled.

    http://stopdisablingselinux.com/

And now to your networking question:

Your log excerpt ends with a successful setSafeNetworkConfig, which
means that setupNetwork has succeeded and that Engine knows that. We'd
need to dig deeper to understand why the nets keep being out-of-sync.
Does engine.log have clues?
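
The log line quoted above describes a restorecon failure being ignored on hosts where SELinux is disabled. The sketch below shows that pattern narrowed so that the same error is not hidden on a host where SELinux is on; it is an added example, not Vdsm's code and not part of the original message. The names `restorecon_tolerant` and `selinux_enabled` are hypothetical, and the selinuxfs file check is a simplified stand-in for libselinux's `is_selinux_enabled()`.

```python
import errno
import os

# Assumption: selinuxfs exposes this file only while SELinux is enabled
# (enforcing or permissive). libselinux's is_selinux_enabled() is the
# authoritative check; this path test keeps the example dependency-free.
SELINUXFS_ENFORCE = "/sys/fs/selinux/enforce"


def selinux_enabled(enforce_path=SELINUXFS_ENFORCE):
    """Return True when the running kernel has SELinux enabled."""
    return os.path.exists(enforce_path)


def restorecon_tolerant(path, restorecon, enabled=selinux_enabled):
    """Relabel one path, ignoring the failure only on SELinux-disabled hosts.

    `restorecon` is any callable that relabels a single path and raises
    OSError on failure (for instance selinux.restorecon from the libselinux
    Python bindings). Returns "relabeled" or "skipped". Every other error,
    and ENODATA on a host where SELinux is enabled, is re-raised so that a
    mislabeled ifcfg-* file is not silently left behind.
    """
    try:
        restorecon(path)
        return "relabeled"
    except OSError as exc:
        # ENODATA is errno 61 on Linux, the value reported in the thread.
        if exc.errno == errno.ENODATA and not enabled():
            return "skipped"
        raise


if __name__ == "__main__":
    # Constructed stand-in for a relabel call failing as on a disabled host.
    def fake_restorecon(path):
        raise OSError(errno.ENODATA, "No data available", path)

    target = "/etc/sysconfig/network-scripts/ifcfg-ovirtmgmt"
    print(restorecon_tolerant(target, fake_restorecon, enabled=lambda: False))
```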




