----- Original Message -----
> From: "Brian Vetter" <[email protected]>
> To: "Haim Ateya" <[email protected]>
> Cc: [email protected], [email protected]
> Sent: Wednesday, October 24, 2012 6:24:31 PM
> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
>
> I removed lock_manager=sanlock from the settings file, restarted the
> daemons, and all works fine right now. I'm guessing that means there
> is no locking of the VMs (the default?).

That's right. I'm glad it works for you, but it is just a workaround, since we expect this configuration to work. It would be much appreciated if you could open a bug on that issue so we can track and resolve it when possible. Please attach all required logs, such as: vdsm.log, libvirtd.log, qemu.log (under /var/log/libvirt/qemu/), audit.log, sanlock.log and /var/log/messages.

Thanks,
Haim

>
> In any case, the setting of the lock_manager to sanlock was not done
> by myself but presumably via the host/vdsm installation on my fc17
> host. So if that is the desired setting, then there appears to be an
> issue with selinux policies, nfs storage for VMs, and sanlock that
> still needs to be resolved in the nightly builds.
>
> Brian
>
> On Oct 24, 2012, at 9:51 AM, Haim Ateya wrote:
>
> > ----- Original Message -----
> >> From: "Brian Vetter" <[email protected]>
> >> To: "Haim Ateya" <[email protected]>
> >> Cc: [email protected], [email protected]
> >> Sent: Wednesday, October 24, 2012 4:11:17 PM
> >> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock
> >>
> >> Here you go....
> >>
> >> # getsebool -a | grep sanlock
> >> sanlock_use_fusefs --> off
> >> sanlock_use_nfs --> on
> >> sanlock_use_samba --> off
> >> virt_use_sanlock --> on
> >>
> >>
> >> # grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf
> >> dynamic_ownership=0
> >> spice_tls=1
> >> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"
> >> lock_manager="sanlock"
> >
> > This entry looks problematic to me (use sanlock as lock manager of
> > the VMs). Please comment out this entry, restart libvirt and vdsm, and
> > try again.
> >
> >>
> >> On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote:
> >>
> >>> Hi Brian,
> >>>
> >>> Please run the following commands and paste your output:
> >>>
> >>> getsebool -a | grep sanlock
> >>>
> >>> cat /etc/libvirt/qemu.conf
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Brian Vetter" <[email protected]>
> >>>> To: [email protected]
> >>>> Cc: [email protected]
> >>>> Sent: Wednesday, October 24, 2012 6:34:07 AM
> >>>> Subject: [Users] SELinux policy issue with oVirt/sanlock
> >>>>
> >>>> I get the following AVC msg when trying to run a VM from the ovirt
> >>>> admin tool:
> >>>>
> >>>> type=AVC msg=audit(1351051834.851:720): avc: denied { read } for pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f" dev="dm-4" ino=3145737 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
> >>>>
> >>>> The file it is attempting to read I believe (from the sanlock.log
> >>>> file) is the following:
> >>>>
> >>>> # ls -lZ /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
> >>>> -rw-rw----. vdsm kvm system_u:object_r:nfs_t:s0 /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease
> >>>>
> >>>> I'm no SELinux policy expert, so I'm not sure what is exactly wrong.
> >>>> The situation is that the VM image file is stored on an NFS file
> >>>> server (in this case, configured using NFSv3). Both the client and
> >>>> the server are fc17. The error occurs when trying to start the VM.
> >>>> The version of oVirt I am using is a recent nightly build
> >>>> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17).
> >>>> I'd be making a wild guess that the sanlock process doesn't have
> >>>> rights to open some nfs resources but I'm way over the end of my
> >>>> skis.
> >>>>
> >>>> Brian
> >>>>
> >>>> _______________________________________________
> >>>> Users mailing list
> >>>> [email protected]
> >>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>
> >>
> >>
> >
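
An added example, not part of the original thread: a small Python parser for the AVC record quoted above that compares the denied object with the lease file shown in the `ls -lZ` output. The function names are this example's own; the record, path and label are copied from the thread.

```python
import re

# Record, path and label copied from the thread above.
AVC = ('type=AVC msg=audit(1351051834.851:720): avc: denied { read } for '
       'pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f" '
       'dev="dm-4" ino=3145737 '
       'scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file')
LEASE_PATH = ('/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/'
              '8798edc0-dbd2-466d-8be9-1997f63e196f/images/'
              'b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/'
              '71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease')
LEASE_LABEL = 'system_u:object_r:nfs_t:s0'


def parse_avc(record):
    """Split one AVC denial into permissions, key=value fields and types."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', record)
    if not m:
        raise ValueError('not an AVC denial record')
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {key: value.strip('"') for key, value in pairs}
    fields['perms'] = m.group(1).split()
    # An SELinux context is user:role:type:level; the type is the third part.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields


def compare_with_file(avc, path, label):
    """Relate the object named in the denial to a file path and its label."""
    parts = path.strip('/').split('/')
    return {
        'same_type': avc['target_type'] == label.split(':')[2],
        'name_in_path': avc['name'] in parts[:-1],   # a directory component
        'name_is_lease_file': avc['name'] == parts[-1],
    }


if __name__ == '__main__':
    avc = parse_avc(AVC)
    print(avc['source_type'], avc['perms'], avc['tclass'], avc['target_type'])
    for key, value in compare_with_file(avc, LEASE_PATH, LEASE_LABEL).items():
        print(f'{key}: {value}')
```

For this record the denied object is a `lnk_file` labelled `mnt_t` whose name matches a directory component of the lease path, while the lease file itself is labelled `nfs_t`.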

