[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
> Also, please note that in el8 (which will be the only supported OS for
> oVirt 4.4), if you do not want to use firewalld, might have to
> convert/amend your scripts/conf to use nftables.
>
> Best regards,
> --
> Didi

Hi,
I'm still using iptables on CentOS8-stream but not sure if it uses nftables or the "old" good netfilter in the backend.
(Debian 10 documentation seems more precise on this point)
By the way I don't use it on oVirt nodes just on VMs... Just saying it is possible.
--
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/AOYYPYSRZK2KKID5TW5ZGYDJ6RZ357OW/
[ovirt-users] Re: Q: Fixing SELinux Permissions on oVirt node
Hi,
you could start with:

cat /var/log/audit/audit.log | grep denied | audit2why

The messages are quite clear.

After that you could also refine a little bit more:

cat /var/log/audit/audit.log | grep snmpd | audit2allow -M my_module_for_snmpd

Remember to renew audit.log sometimes, in order to filter errors more precisely
--
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.

On 29 May 20, at 15:14, Andrei Verovski andre...@starlett.lv wrote:

> Hi,
>
> SELinux is quite cumbersome for someone who has not used it before.
>
> stat /var/log/anvraidcheck.log
> # File: ‘/var/log/anvraidcheck.log’
> # Size: 75 Blocks: 8 IO Block: 4096 regular file
> # Device: fd08h/64776d Inode: 138 Links: 1
> # Access: (0666/-rw-rw-rw-) Uid: (0/root) Gid: (0/root)
> # Context: system_u:object_r:cron_log_t:s0
>
> ps -eZ | grep snmpd
> # system_u:system_r:snmpd_t:s0 1835 ? 00:02:00 snmpd
>
> How to enforce this policy (if it's correct of course)?
>
> allow snmpd_t cron_log_t:file { read };
>
>> On 29 May 2020, at 12:31, Alan wrote:
>>
>> When running from the terminal you are unconfined, hence it runs without
>> error.
>>
>> Probably your only option is to create custom policy to allow this. Although I
>> would question why the log file you are reading is cron_log_t and not
>> var_log_t.
>>
>> On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski wrote
>>
>> Hi !
>>
>> I’m struggling with SELinux blocking SNMP script from reading log file (oVirt
>> node manually installed on CentOS 7).
>> Log file is readable by all (chmod ugo+r).
>>
>> Scripts working fine when executed from terminal.
>>
>> I did not dig deep into CentOS internals, I mostly use Debian and SuSE. As far
>> as I know, SELinux can’t be turned off on oVirt node.
>>
>> Thanks in advance for any suggestion(s).
>>
>> **
>>
>> option in snmpd.conf
>>
>> extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh
>>
>> **
>> script 4anvcheckraid_hp.sh
>>
>> #!/bin/bash
>>
>> LOGFILE='/var/log/anvraidcheck.log'
>>
>> if [ ! -f "$LOGFILE" ]; then
>>     exit 0
>> fi
>>
>> # Variant 1 with sed
>> sed '/^[ \t]*$/d' "$LOGFILE" | while read -r line; do
>>     echo "$line"
>>     exit 1
>> done
>>
>> # Variant 2 without sed
>> while read -r line
>> do
>>     if [[ "$line" =~ [^[:space:]] ]]; then
>>         echo "$line"
>>         exit 1
>>     fi
>> done < "$LOGFILE"
>>
>> **
>>
>> SELinux audit log:
>>
>> type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142
>> comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138
>> scontext=system_u:system_r:snmpd_t:s0
>> tcontext=system_u:object_r:cron_log_t:s0
>> tclass=file permissive=0
>>
>> type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141
>> comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138
>> scontext=system_u:system_r:snmpd_t:s0
>> tcontext=system_u:object_r:cron_log_t:s0
>> tclass=file permissive=0
[ovirt-users] Re: Q: Fixing SELinux Permissions on oVirt node
Sorry, the strings to grep for are the ones in comm="the_string" (in your example for example it's "sed")

On 29 May 20, at 15:31, Michaël Couren cou...@abes.fr wrote:

> Hi,
> you could start with:
>
> cat /var/log/audit/audit.log | grep denied | audit2why
>
> The messages are quite clear.
>
> After that you could also refine a little bit more:
>
> cat /var/log/audit/audit.log | grep snmpd | audit2allow -M my_module_for_snmpd
>
> Remember to renew audit.log sometimes, in order to filter errors more
> precisely
> --
> Cordialement / Best regards, Michaël Couren,
> ABES, Montpellier, France.
>
> On 29 May 20, at 15:14, Andrei Verovski andre...@starlett.lv wrote:
>
>> Hi,
>>
>> SELinux is quite cumbersome for someone who has not used it before.
>>
>> stat /var/log/anvraidcheck.log
>> # File: ‘/var/log/anvraidcheck.log’
>> # Size: 75 Blocks: 8 IO Block: 4096 regular file
>> # Device: fd08h/64776d Inode: 138 Links: 1
>> # Access: (0666/-rw-rw-rw-) Uid: (0/root) Gid: (0/root)
>> # Context: system_u:object_r:cron_log_t:s0
>>
>> ps -eZ | grep snmpd
>> # system_u:system_r:snmpd_t:s0 1835 ? 00:02:00 snmpd
>>
>> How to enforce this policy (if it's correct of course)?
>>
>> allow snmpd_t cron_log_t:file { read };
>>
>>> On 29 May 2020, at 12:31, Alan wrote:
>>>
>>> When running from the terminal you are unconfined, hence it runs without
>>> error.
>>>
>>> Probably your only option is to create custom policy to allow this.
>>> Although I
>>> would question why the log file you are reading is cron_log_t and not
>>> var_log_t.
>>>
>>> On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski wrote
>>>
>>> Hi !
>>>
>>> I’m struggling with SELinux blocking SNMP script from reading log file
>>> (oVirt
>>> node manually installed on CentOS 7).
>>> Log file is readable by all (chmod ugo+r).
>>>
>>> Scripts working fine when executed from terminal.
>>>
>>> I did not dig deep into CentOS internals, I mostly use Debian and SuSE.
>>> As far
>>> as I know, SELinux can’t be turned off on oVirt node.
>>>
>>> Thanks in advance for any suggestion(s).
>>>
>>> **
>>>
>>> option in snmpd.conf
>>>
>>> extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh
>>>
>>> **
>>> script 4anvcheckraid_hp.sh
>>>
>>> #!/bin/bash
>>>
>>> LOGFILE='/var/log/anvraidcheck.log'
>>>
>>> if [ ! -f "$LOGFILE" ]; then
>>>     exit 0
>>> fi
>>>
>>> # Variant 1 with sed
>>> sed '/^[ \t]*$/d' "$LOGFILE" | while read -r line; do
>>>     echo "$line"
>>>     exit 1
>>> done
>>>
>>> # Variant 2 without sed
>>> while read -r line
>>> do
>>>     if [[ "$line" =~ [^[:space:]] ]]; then
>>>         echo "$line"
>>>         exit 1
>>>     fi
>>> done < "$LOGFILE"
>>>
>>> **
>>>
>>> SELinux audit log:
>>>
>>> type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for
>>> pid=12142
>>> comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138
>>> scontext=system_u:system_r:snmpd_t:s0
>>> tcontext=system_u:object_r:cron_log_t:s0
>>> tclass=file permissive=0
>>>
>>> type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for
>>> pid=12141
>>> comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138
>>> scontext=system_u:system_r:snmpd_t:s0
>>> tcontext=system_u:object_r:cron_log_t:s0
>>> tclass=file permissive=0
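
The comm="..." filtering described in the message above, as an added example that is not part of the original thread: a small shell function that groups AVC denials by source type, target type and class and prints each group as a candidate rule in the `allow snmpd_t cron_log_t:file { read };` form quoted earlier. The function name `avc_rules` and the third sample record are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials as
# candidate allow rules, optionally restricted to one comm="..." value.

# Sample records: the first two are the denials quoted in the thread (joined
# onto single lines); the third is constructed to show the comm filter.
SAMPLE_LOG='type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673999.001:469400): avc: denied { getattr } for pid=999 comm="example_proc" name="example.log" dev="dm-8" ino=200 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# avc_rules [COMM]: read audit records on stdin and print one line per distinct
# (source type, target type, class, permissions) tuple with a denial count.
avc_rules() {
    awk -v want="$1" '
    /type=AVC/ && /denied/ {
        comm = src = tgt = cls = perms = ""
        # The denied permissions are the text between the braces.
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            # Contexts are user:role:type:level, so the type is field 3.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (want != "" && comm != want) next            # keep only the wanted process
        if (src == "" || tgt == "" || cls == "") next   # skip malformed records
        seen["allow " src " " tgt ":" cls " " perms ";"]++
    }
    END { for (r in seen) printf "%s  # %d denial(s)\n", r, seen[r] }
    ' | sort
}

# Every denial in the sample, then only those triggered by sed.
printf '%s\n' "$SAMPLE_LOG" | avc_rules
printf '%s\n' "$SAMPLE_LOG" | avc_rules sed
```

Reviewing this summary before building a module is useful because `grep snmpd | audit2allow` turns every snmpd_t denial present in the log into policy, not only the one for the RAID check script.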
[ovirt-users] Engine certificate and HTTPS : broken on recent Firefox
Hi,
Is there a "verified"* way to add a valid certificate to an oVirt 4.3 engine? (or suppress HTTP Strict Transport Security)
It is no longer possible to add a security exception (on latest Firefox 80.0.1 Linux) and I don't want to use 2 browsers (like snap-chromium just for oVirt...)

*"verified": I mean we have already tried official doc (many months ago) but with no success

Thanks
--
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.
[ovirt-users] Re: Cannot Increase Hosted Engine VM Memory
> On Wed, 11 Dec 2019 at 09:36, Serhiy Morhun wrote:
>
>> Hello, did anyone find a resolution for this issue? I'm having exactly the
>> same problem:

Hi, same issue for us, the solution was:

Make a snapshot
Edit the properties, putting 32768 MB for "Mem", 131072 MB for "Max" and 32768 MB for "Guaranteed"
Then reboot the server (cold reboot)
--
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.