Re: VMware Server 2.0, selinux, and F10
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Christopher A. Williams wrote: I had promised to do this and post my results a week ago and got thoroughly tied up over the holidays - sorry about that. It was a good Christmas for us though! :) So - I did get around to loading up a server with the latest version of F10 (32-bit in this case) to run the 32-bit version of VMware Server 2.0 (build 122956) to try and answer the burning question: Does selinux need to be disabled for VMware Server to run properly on F10? I know the inpatient out there can't wait to read the whole post, so here's the answer: Yes. According to our testing (a friend of mine who also frequents this list was here too), the current version of VMware Server DOES NOT RUN on F10 (32-bit) unless selinux is DISABLED. Permissive mode doesn't cut it - it still causes VMware Server to not run. Here are the details: Server: Whitebox Supermicro 1U chassis, dual 2.4GHz Pentium Xeon processors, 4GB RAM, Dual Gig-E NICs, dual 250GB IDE drives OS: F10 32-bit, with all patches as of 12-28-08 Kernel: 2.6.27.9-159.fc10 (PAE version - required to see the full 4GB) We loaded a fresh copy F10 with all of the required development tools and supporting stuff VMware Server needs to compile, and left selinux in its default (enforcing) mode and targeted policy. The system was intentionally updated with all of the latest available patches. After rebooting (kernel update that included a switch to the PAE kernel), we then installed VMware Server from the RPM via Package Kit. The initial RPM install went as expected with no errors or issues beyond the warning that the RPM is not signed (Request to VMware: Please, PLEASE make sure that you always sign your RPMs!). Next up was to configure the system. We fired up a terminal window, switched user to root, and then launched vmware-config.pl as normal. The script properly found everything it needed, set up the virtual networks, and compiled all of the modules against the PAE kernel with no errors at all. All of the services reported in as having started successfully when the script exited, which was when the trouble started. We immediately picked up an selinux error saying that one of the modules required the ability to use text relocation. No big deal here, which is why I don't remember off hand which module committed the offense. I'll go back and pull it up next chance - I'm on a different system right now. The selinux troubleshooter gave us the required command to address this issue, so we fixed the problem and off we went. ...Or so we thought. It seems that something else in selinux is interfering with a new VMware Server 2.0 service called VirtualMachines. I'm not sure what the problem is, how it happens, or why. What happens is that you can launch Firefox to talk to VMware server (http://localhost:8222 in this case) and get the VMware Server login page. However, from there you are unable to login. The system times out with a message basically saying that communication with the back-end server processes has been lost. Further checking (service vmware status) shows that several VMware Server services are actually NOT running. Upon trying to restart the vmware services (service vmware restart), we see that the VirtualMachines service has failed. There are no errors I can see, and nothing in dmesg out of the ordinary. Next, we placed selinux into permissive mode to see if anything might pop up or change, and then rebooted the system. We saw exactly the same behavior from VMware Server as before when selinux was in enforcing mode. Finally, we disabled selinux altogether and rebooted once more. This time, VMware Server came up and ran flawlessly. In fact, it was impressively fast given the age of the hardware. Just for grins, we then completely erased VMware Server, rebooted, and double-checked to make sure everything about it was completely gone from the system. We then re-installed it using the exact same procedure as before. VMware Server installed and ran flawlessly. In fact, just to be sure again, we rebooted the server one more time. Again VMware Server came up and ran without issues. Thus, in our testing of this, it is clear there are multiple issues with VMware Server and selinux. One of the issues is that a specific module requires text relocation, which is easily solved. The other issue is going to be a little more difficult to troubleshoot, but clearly there is something that conflicts between selinux and one of the new VMware Server services, and the only way to get around it at this point is to disable selinux. I'll have the system handy for the next day or so to do some additional testing, but then I have to put it back into production. Let me know what specifics I should look for next to find the source of the problem. Cheers, Chris -- == By all means
Re: VMware Server 2.0, selinux, and F10
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Daniel J Walsh wrote: Christopher A. Williams wrote: I had promised to do this and post my results a week ago and got thoroughly tied up over the holidays - sorry about that. It was a good Christmas for us though! :) So - I did get around to loading up a server with the latest version of F10 (32-bit in this case) to run the 32-bit version of VMware Server 2.0 (build 122956) to try and answer the burning question: Does selinux need to be disabled for VMware Server to run properly on F10? I know the inpatient out there can't wait to read the whole post, so here's the answer: Yes. According to our testing (a friend of mine who also frequents this list was here too), the current version of VMware Server DOES NOT RUN on F10 (32-bit) unless selinux is DISABLED. Permissive mode doesn't cut it - it still causes VMware Server to not run. Here are the details: Server: Whitebox Supermicro 1U chassis, dual 2.4GHz Pentium Xeon processors, 4GB RAM, Dual Gig-E NICs, dual 250GB IDE drives OS: F10 32-bit, with all patches as of 12-28-08 Kernel: 2.6.27.9-159.fc10 (PAE version - required to see the full 4GB) We loaded a fresh copy F10 with all of the required development tools and supporting stuff VMware Server needs to compile, and left selinux in its default (enforcing) mode and targeted policy. The system was intentionally updated with all of the latest available patches. After rebooting (kernel update that included a switch to the PAE kernel), we then installed VMware Server from the RPM via Package Kit. The initial RPM install went as expected with no errors or issues beyond the warning that the RPM is not signed (Request to VMware: Please, PLEASE make sure that you always sign your RPMs!). Next up was to configure the system. We fired up a terminal window, switched user to root, and then launched vmware-config.pl as normal. The script properly found everything it needed, set up the virtual networks, and compiled all of the modules against the PAE kernel with no errors at all. All of the services reported in as having started successfully when the script exited, which was when the trouble started. We immediately picked up an selinux error saying that one of the modules required the ability to use text relocation. No big deal here, which is why I don't remember off hand which module committed the offense. I'll go back and pull it up next chance - I'm on a different system right now. The selinux troubleshooter gave us the required command to address this issue, so we fixed the problem and off we went. ...Or so we thought. It seems that something else in selinux is interfering with a new VMware Server 2.0 service called VirtualMachines. I'm not sure what the problem is, how it happens, or why. What happens is that you can launch Firefox to talk to VMware server (http://localhost:8222 in this case) and get the VMware Server login page. However, from there you are unable to login. The system times out with a message basically saying that communication with the back-end server processes has been lost. Further checking (service vmware status) shows that several VMware Server services are actually NOT running. Upon trying to restart the vmware services (service vmware restart), we see that the VirtualMachines service has failed. There are no errors I can see, and nothing in dmesg out of the ordinary. Next, we placed selinux into permissive mode to see if anything might pop up or change, and then rebooted the system. We saw exactly the same behavior from VMware Server as before when selinux was in enforcing mode. Finally, we disabled selinux altogether and rebooted once more. This time, VMware Server came up and ran flawlessly. In fact, it was impressively fast given the age of the hardware. Just for grins, we then completely erased VMware Server, rebooted, and double-checked to make sure everything about it was completely gone from the system. We then re-installed it using the exact same procedure as before. VMware Server installed and ran flawlessly. In fact, just to be sure again, we rebooted the server one more time. Again VMware Server came up and ran without issues. Thus, in our testing of this, it is clear there are multiple issues with VMware Server and selinux. One of the issues is that a specific module requires text relocation, which is easily solved. The other issue is going to be a little more difficult to troubleshoot, but clearly there is something that conflicts between selinux and one of the new VMware Server services, and the only way to get around it at this point is to disable selinux. I'll have the system handy for the next day or so to do some additional testing, but then I have to put it back into production. Let me know what specifics I should look for next to find the source of the problem. Cheers, Chris --
VMware Server 2.0, selinux, and F10
I had promised to do this and post my results a week ago and got thoroughly tied up over the holidays - sorry about that. It was a good Christmas for us though! :) So - I did get around to loading up a server with the latest version of F10 (32-bit in this case) to run the 32-bit version of VMware Server 2.0 (build 122956) to try and answer the burning question: Does selinux need to be disabled for VMware Server to run properly on F10? I know the inpatient out there can't wait to read the whole post, so here's the answer: Yes. According to our testing (a friend of mine who also frequents this list was here too), the current version of VMware Server DOES NOT RUN on F10 (32-bit) unless selinux is DISABLED. Permissive mode doesn't cut it - it still causes VMware Server to not run. Here are the details: Server: Whitebox Supermicro 1U chassis, dual 2.4GHz Pentium Xeon processors, 4GB RAM, Dual Gig-E NICs, dual 250GB IDE drives OS: F10 32-bit, with all patches as of 12-28-08 Kernel: 2.6.27.9-159.fc10 (PAE version - required to see the full 4GB) We loaded a fresh copy F10 with all of the required development tools and supporting stuff VMware Server needs to compile, and left selinux in its default (enforcing) mode and targeted policy. The system was intentionally updated with all of the latest available patches. After rebooting (kernel update that included a switch to the PAE kernel), we then installed VMware Server from the RPM via Package Kit. The initial RPM install went as expected with no errors or issues beyond the warning that the RPM is not signed (Request to VMware: Please, PLEASE make sure that you always sign your RPMs!). Next up was to configure the system. We fired up a terminal window, switched user to root, and then launched vmware-config.pl as normal. The script properly found everything it needed, set up the virtual networks, and compiled all of the modules against the PAE kernel with no errors at all. All of the services reported in as having started successfully when the script exited, which was when the trouble started. We immediately picked up an selinux error saying that one of the modules required the ability to use text relocation. No big deal here, which is why I don't remember off hand which module committed the offense. I'll go back and pull it up next chance - I'm on a different system right now. The selinux troubleshooter gave us the required command to address this issue, so we fixed the problem and off we went. ...Or so we thought. It seems that something else in selinux is interfering with a new VMware Server 2.0 service called VirtualMachines. I'm not sure what the problem is, how it happens, or why. What happens is that you can launch Firefox to talk to VMware server (http://localhost:8222 in this case) and get the VMware Server login page. However, from there you are unable to login. The system times out with a message basically saying that communication with the back-end server processes has been lost. Further checking (service vmware status) shows that several VMware Server services are actually NOT running. Upon trying to restart the vmware services (service vmware restart), we see that the VirtualMachines service has failed. There are no errors I can see, and nothing in dmesg out of the ordinary. Next, we placed selinux into permissive mode to see if anything might pop up or change, and then rebooted the system. We saw exactly the same behavior from VMware Server as before when selinux was in enforcing mode. Finally, we disabled selinux altogether and rebooted once more. This time, VMware Server came up and ran flawlessly. In fact, it was impressively fast given the age of the hardware. Just for grins, we then completely erased VMware Server, rebooted, and double-checked to make sure everything about it was completely gone from the system. We then re-installed it using the exact same procedure as before. VMware Server installed and ran flawlessly. In fact, just to be sure again, we rebooted the server one more time. Again VMware Server came up and ran without issues. Thus, in our testing of this, it is clear there are multiple issues with VMware Server and selinux. One of the issues is that a specific module requires text relocation, which is easily solved. The other issue is going to be a little more difficult to troubleshoot, but clearly there is something that conflicts between selinux and one of the new VMware Server services, and the only way to get around it at this point is to disable selinux. I'll have the system handy for the next day or so to do some additional testing, but then I have to put it back into production. Let me know what specifics I should look for next to find the source of the problem. Cheers, Chris -- == By all means marry; If you get a good wife, you'll be happy. If you get a bad one, you'll become a philosopher. --Socrates -- fedora-list mailing list fedora-list@redhat.com To unsubscribe:
Re: VMware Server 2.0, selinux, and F10
On Monday 29 December 2008 11:09:48 Christopher A. Williams wrote: Thus, in our testing of this, it is clear there are multiple issues with VMware Server and selinux. One of the issues is that a specific module requires text relocation, which is easily solved. The other issue is going to be a little more difficult to troubleshoot, but clearly there is something that conflicts between selinux and one of the new VMware Server services, and the only way to get around it at this point is to disable selinux. Thanks for this report, Christopher. I can't comment because I'm still not running Ver 2, but my issue with your previous posts on this question is addressed by this. Hopefully, Dan Walsh will appear before you lose access to the system and can try to help figure things out - he's always been extremely helpful to me when he's dealt with issues I've had. -- Claude Jones Brunswick, MD -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: VMware Server 2.0, selinux, and F10
On Mon, 2008-12-29 at 12:27 -0500, Claude Jones wrote: On Monday 29 December 2008 11:09:48 Christopher A. Williams wrote: Thus, in our testing of this, it is clear there are multiple issues with VMware Server and selinux. One of the issues is that a specific module requires text relocation, which is easily solved. The other issue is going to be a little more difficult to troubleshoot, but clearly there is something that conflicts between selinux and one of the new VMware Server services, and the only way to get around it at this point is to disable selinux. Thanks for this report, Christopher. I can't comment because I'm still not running Ver 2, but my issue with your previous posts on this question is addressed by this. Hopefully, Dan Walsh will appear before you lose access to the system and can try to help figure things out - he's always been extremely helpful to me when he's dealt with issues I've had. Well, the good news is I have to put this server back into production so that I can work on the other server. It's the identical hardware / software combo, but running on F9. We're going to transfer the VMs across to the freshly loaded F10 box and then do this all over again with the other machine. The real issue for me is that I'll be traveling to London next week on business, and with no VPN access available for this, I'll be just a little too far away to get to either server. I'll still monitor the list though, and it seems several others have been able to reproduce exactly what I have found. Hopefully between all of us we can figure out what's going on here. Cheers, Chris -- If you get to thinkin' you're a person of some influence, try orderin' someone else's dog around. --Cowboy Wisdom -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: VMware Server 2.0, selinux, and F10
On Monday 29 December 2008 18:38:35 Christopher A. Williams wrote: Hopefully between all of us we can figure out what's going on here. yes, that's the kind of talk I like to hear last time I was in London was 41 years ago... -- Claude Jones Brunswick, MD -- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
