Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Wed, Jan 07, Konrad Rzeszutek Wilk wrote:
> On Wed, Jan 07, 2015 at 10:53:06AM +0100, Olaf Hering wrote:
> > It's my understanding that the reported SELinux failure is not only
> > related to the context= mount option, but also to the socket passing
> > from systemd.
>
> I couldn't spot any errors in SELinux for this. Perhaps I had misconfigured?

Last year you said xenstored did not start, even with patch #1 applied.
I don't know if you added the required fstab changes.

So if current staging works fine with SELinux enabled we could go with
this change for the service file, instead of the wrapper:

ExecStart=/usr/bin/env $XENSTORED --no-fork $XENSTORED_ARGS

Does that work for you? If yes, let's get rid of the XENSTORED_TRACE=
boolean and use a new XENSTORED_ARGS= variable instead. That would make
patch #7 a lot simpler.

Olaf

___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Wed, Jan 07, 2015 at 10:53:06AM +0100, Olaf Hering wrote:
> On Mon, Jan 05, Konrad Rzeszutek Wilk wrote:
>
> > +Release Issues
> > +==
> > +
> > +While we did the utmost to get a release out, there are certain
> > +fixes which were not complete on time. As such please reference this
> > +section if you are running into trouble.
> > +
> > +* systemd not working with Fedora Core 20, 21 or later (systemctl
> > + reports xenstore failing to start).
> > +
> > + Systemd support is now part of Xen source code. While utmost work has
> > + been done to make the systemd files compatible across all the
> > + distributions, there might issues when using systemd files from
> > + Xen sources. The work-around is to define an mount entry in
> > + /etc/fstab as follow:
> > +
> > + tmpfs /var/lib/xenstored tmpfs
> > + mode=755,context="system_u:object_r:xenstored_var_lib_t:s0" 0 0
> > +
> > +
>
> Shouldn't this go into a new SELinux section in the INSTALL file?

It is going in the web-page for 'Release Issues' and such.

>
> It's my understanding that the reported SELinux failure is not only
> related to the context= mount option, but also to the socket passing
> from systemd.

I couldn't spot any errors in SELinux for this. Perhaps I had misconfigured?

>
>
> Olaf
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Mon, Jan 05, Konrad Rzeszutek Wilk wrote:

> +Release Issues
> +==
> +
> +While we did the utmost to get a release out, there are certain
> +fixes which were not complete on time. As such please reference this
> +section if you are running into trouble.
> +
> +* systemd not working with Fedora Core 20, 21 or later (systemctl
> + reports xenstore failing to start).
> +
> + Systemd support is now part of Xen source code. While utmost work has
> + been done to make the systemd files compatible across all the
> + distributions, there might issues when using systemd files from
> + Xen sources. The work-around is to define an mount entry in
> + /etc/fstab as follow:
> +
> + tmpfs /var/lib/xenstored tmpfs
> + mode=755,context="system_u:object_r:xenstored_var_lib_t:s0" 0 0
> +

Shouldn't this go into a new SELinux section in the INSTALL file?

It's my understanding that the reported SELinux failure is not only
related to the context= mount option, but also to the socket passing
from systemd.

Olaf
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Tue, Jan 06, 2015 at 03:00:16PM +, Ian Jackson wrote:
> Konrad Rzeszutek Wilk writes ("Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug:
> systemd changes for 4.5"):
> > #4 ("tools/hotplug: use xencommons as EnvironmentFile in
> > xenconsoled.service")
> > #5 ("tools/hotplug: use XENCONSOLED_TRACE in xenconsoled.service")
> > #6 ("tools/hotplug: remove EnvironmentFile from
> > xen-qemu-dom0-disk-backend.service")
> >
> > need Acks.
>
> Done.

Thank you. Let me apply #1-#6 in staging then.

>
> > For patch #1 ("tools/hotplug: remove SELinux options from
> > var-lib-xenstored.mount")
> >
> > Release-Acked-by: Konrad Rzeszutek Wilk
> > Tested-by: Konrad Rzeszutek Wilk
> >
> > with the below change to README file. It also needs an Ack.
>
> Done.
>
> > For patch #7 (" tools/hotplug: add wrapper to start xenstored")
> >
> > Tested-by: Konrad Rzeszutek Wilk
> > However there is a question in there for Ian:
> >
> > "The place of the wrapper is currently LIBEXEC_BIN, it has to be
> > decided what the final location is supposed to be. IanJ wants it in
> > "/etc".
> > "
> >
> > IanJ - any specific reasons for having it in /etc instead of
> > LIBEXEC_BIN? This is in regards to the introduction of this file:
>
> I explained this in my previous response and made what I thought was
> an unequivocal declaration about the location of the file.
>
> > Such as this might be good (Or perhaps move it to the INSTALL file)
> ...
> > --- a/README
> > +++ b/README
> ...
> > +Release Issues
> > +==
>
> I'm happy to have this particular issue here in the README.
>
> But I think the release notes need to be out of tree. This is so that
> if we discover an issue between last commit deadline and release, we
> can update the release notes.

Will create one on the Wiki and add it there.

>
> Thanks,
> Ian.
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
Konrad Rzeszutek Wilk writes ("Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5"):
> #4 ("tools/hotplug: use xencommons as EnvironmentFile in xenconsoled.service")
> #5 ("tools/hotplug: use XENCONSOLED_TRACE in xenconsoled.service")
> #6 ("tools/hotplug: remove EnvironmentFile from
> xen-qemu-dom0-disk-backend.service")
>
> need Acks.

Done.

> For patch #1 ("tools/hotplug: remove SELinux options from
> var-lib-xenstored.mount")
>
> Release-Acked-by: Konrad Rzeszutek Wilk
> Tested-by: Konrad Rzeszutek Wilk
>
> with the below change to README file. It also needs an Ack.

Done.

> For patch #7 (" tools/hotplug: add wrapper to start xenstored")
>
> Tested-by: Konrad Rzeszutek Wilk
> However there is a question in there for Ian:
>
> "The place of the wrapper is currently LIBEXEC_BIN, it has to be
> decided what the final location is supposed to be. IanJ wants it in
> "/etc".
> "
>
> IanJ - any specific reasons for having it in /etc instead of
> LIBEXEC_BIN? This is in regards to the introduction of this file:

I explained this in my previous response and made what I thought was
an unequivocal declaration about the location of the file.

> Such as this might be good (Or perhaps move it to the INSTALL file)
...
> --- a/README
> +++ b/README
...
> +Release Issues
> +==

I'm happy to have this particular issue here in the README.

But I think the release notes need to be out of tree. This is so that
if we discover an issue between last commit deadline and release, we
can update the release notes.

Thanks,
Ian.
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Mon, 2015-01-05 at 16:22 -0500, Konrad Rzeszutek Wilk wrote:
> However there is a question in there for Ian:
>
> "The place of the wrapper is currently LIBEXEC_BIN, it has to be
> decided what the final location is supposed to be. IanJ wants it in
> "/etc".
> "
>
> IanJ - any specific reasons for having it in /etc instead of
> LIBEXEC_BIN?

IIRC Ian explained this in the course of the thread. It's because an
administrator might reasonably want to edit the file to apply local
configuration. It is in effect a configuration file masquerading as a
script.

> > The workaround is to document what the 'context' is .. or whatever
> > else is needed to make this work.
>
> Such as this might be good (Or perhaps move it to the INSTALL file)

I think the Release Notes are the right place for this sort of
information. e.g.
http://wiki.xenproject.org/wiki/Xen_Project_4.4_Release_Notes#Known_issues

Ian.
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Wed, Dec 31, 2014 at 10:31:06AM -0500, Konrad Rzeszutek Wilk wrote:
> On Mon, Dec 22, 2014 at 09:06:40AM +0100, Olaf Hering wrote:
> > On Fri, Dec 19, Konrad Rzeszutek Wilk wrote:
> >
> > > On Fri, Dec 19, 2014 at 12:25:26PM +0100, Olaf Hering wrote:
> > > > This is a resend of these two series:
> > > > http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00858.html
> > > > http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00669.html
> > > >
> > > > New in v3 is a wrapper to run xenstored. See its patch description
> > > > for details.
> > > >
> > > > Patch 2-6 should be applied for 4.5.0.

IanJ, Wei, IanC, please read below.

Patch #2-#6:

Release-Acked-by: Konrad Rzeszutek Wilk
Tested-by: Konrad Rzeszutek Wilk

#2,#3 has an Ack

#4 ("tools/hotplug: use xencommons as EnvironmentFile in xenconsoled.service")
#5 ("tools/hotplug: use XENCONSOLED_TRACE in xenconsoled.service")
#6 ("tools/hotplug: remove EnvironmentFile from xen-qemu-dom0-disk-backend.service")

need Acks.

> > > >
> > > > The first and the last one still has issues with xenstored and
> > > > SELinux. See below. Up to now no solution is known to me.
> > > >
> > > >
> > > > The first patch fixes Arch Linux and does not break anything. As such
> > > > it should be safe to be applied for 4.5.0. SELinux users (who build
> > > > from source) should put their special mount options into fstab. Distro

For patch #1 ("tools/hotplug: remove SELinux options from var-lib-xenstored.mount")

Release-Acked-by: Konrad Rzeszutek Wilk
Tested-by: Konrad Rzeszutek Wilk

with the below change to README file. It also needs an Ack.

For patch #7 (" tools/hotplug: add wrapper to start xenstored")

Tested-by: Konrad Rzeszutek Wilk
However there is a question in there for Ian:

"The place of the wrapper is currently LIBEXEC_BIN, it has to be
decided what the final location is supposed to be. IanJ wants it in
"/etc".
"

IanJ - any specific reasons for having it in /etc instead of
LIBEXEC_BIN?

This is in regards to the introduction of this file:

diff --git a/tools/hotplug/Linux/xenstored.sh.in b/tools/hotplug/Linux/xenstored.sh.in
new file mode 100644
index 000..dc806ee
--- /dev/null
+++ b/tools/hotplug/Linux/xenstored.sh.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+if test -n "$XENSTORED_TRACE"
+then
+ XENSTORED_ARGS=" -T /var/log/xen/xenstored-trace.log"
+fi
+exec $XENSTORED $@ $XENSTORED_ARGS

> > >
> > > Could you elaborate what that is? As in what is that 'special mount
> > > options'?
> >
> > The context= mount option, about which we argue since a few weeks?
>
> You said 'special mount options into fstab' ? Is that the same as 'context='??
> (checks the manpage) AHA, it is!
>
>
> In which case would it just to say that this needs to be added as
> a workaround:
>
> xenstored /var/lib/xenstored xenstored
> context="system_u:object_r:xenstored_var_lib_t:s0" 1 1

To be exact:

tmpfs /var/lib/xenstored tmpfs mode=755,context="system_u:object_r:xenstored_var_lib_t:s0" 0 0

>
> > See patch #1.
> >
> > > > packages will most likely include a proper .service file.
> > > >
> > > >
> > > > The last patch addresses the XENSTORED_TRACE issue. But SELinux will
> > > > most likely still not work.
> > > >
> > > > Possible ways to handle launching xenstored and SELinux:
> > > >
> > > > - do nothing
> > > >   pro: - no Xen source changes required
> > > >   con: - possible unhappy users who build from source and still have
> > > >          SELinux enabled
> > >
> > > At this stage I prefer this and just have in the release notes the
> > > work-around documented.
> >
> > Which workaround is that? No SELinux on Fedora?
>
> That is not an option.
>
> The workaround is to document what the 'context' is .. or whatever
> else is needed to make this work.

Such as this might be good (Or perhaps move it to the INSTALL file)

diff --git a/README b/README
index 412607a..7d74214 100644
--- a/README
+++ b/README
@@ -33,6 +33,26 @@
 This file contains some quick-start instructions to install Xen on your system.
 For more information see http:/www.xen.org/ and http://wiki.xen.org/
 
+Release Issues
+==
+
+While we did the utmost to get a release out, there are certain
+fixes which were not complete on time. As such please reference this
+section if you are running into trouble.
+
+* systemd not working with Fedora Core 20, 21 or later (systemctl
+ reports xenstore failing to start).
+
+ Systemd support is now part of Xen source code. While utmost work has
+ been done to make the systemd files compatible across all the
+ distributions, there might issues when using systemd files from
+ Xen sources. The work-around is to define an mount entry in
+ /etc/fstab as follow:
+
+ tmpfs /var/lib/xenstored tmpfs
+ mode=755,context="system_u:object_r:x
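Review bot: in the xenstored.sh.in hunk, `exec $XENSTORED $@ $XENSTORED_ARGS` leaves `$XENSTORED` and `$@` unquoted and never checks that XENSTORED is set, so with an empty XENSTORED the wrapper execs the first systemd-supplied argument as the program, and any argument containing whitespace is split into several words. Suggest `[ -n "$XENSTORED" ] || exit 1` before the exec and `exec "$XENSTORED" "$@" $XENSTORED_ARGS`. The trace branch also assigns `XENSTORED_ARGS=" -T /var/log/xen/xenstored-trace.log"` instead of appending to it, so any XENSTORED_ARGS value an administrator has set is silently discarded whenever XENSTORED_TRACE is set.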
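Review bot: the README hunk's wording needs a pass before it ships: "there might issues" is missing "be", "an mount entry" should be "a mount entry", and "as follow" should be "as follows"; the `+==` underline is also far shorter than the "Release Issues" title above it. The fstab entry is split across two lines (`+ tmpfs /var/lib/xenstored tmpfs` / `+ mode=755,context=...`), which a reader may copy literally into /etc/fstab, where each entry must be a single line; either keep it on one line or say explicitly that it is one entry.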
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Mon, Dec 22, 2014 at 09:06:40AM +0100, Olaf Hering wrote:
> On Fri, Dec 19, Konrad Rzeszutek Wilk wrote:
>
> > On Fri, Dec 19, 2014 at 12:25:26PM +0100, Olaf Hering wrote:
> > > This is a resend of these two series:
> > > http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00858.html
> > > http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00669.html
> > >
> > > New in v3 is a wrapper to run xenstored. See its patch description
> > > for details.
> > >
> > > Patch 2-6 should be applied for 4.5.0.
> > >
> > > The first and the last one still has issues with xenstored and
> > > SELinux. See below. Up to now no solution is known to me.
> > >
> > >
> > > The first patch fixes Arch Linux and does not break anything. As such
> > > it should be safe to be applied for 4.5.0. SELinux users (who build
> > > from source) should put their special mount options into fstab. Distro
> >
> > Could you elaborate what that is? As in what is that 'special mount
> > options'?
>
> The context= mount option, about which we argue since a few weeks?

You said 'special mount options into fstab' ? Is that the same as 'context='??
(checks the manpage) AHA, it is!

In which case would it just to say that this needs to be added as
a workaround:

xenstored /var/lib/xenstored xenstored context="system_u:object_r:xenstored_var_lib_t:s0" 1 1

> See patch #1.
>
> > > packages will most likely include a proper .service file.
> > >
> > >
> > > The last patch addresses the XENSTORED_TRACE issue. But SELinux will
> > > most likely still not work.
> > >
> > > Possible ways to handle launching xenstored and SELinux:
> > >
> > > - do nothing
> > >   pro: - no Xen source changes required
> > >   con: - possible unhappy users who build from source and still have
> > >          SELinux enabled
> >
> > At this stage I prefer this and just have in the release notes the
> > work-around documented.
>
> Which workaround is that? No SELinux on Fedora?

That is not an option.

The workaround is to document what the 'context' is .. or whatever
else is needed to make this work.

>
> Olaf
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Fri, Dec 19, Konrad Rzeszutek Wilk wrote:
> On Fri, Dec 19, 2014 at 12:25:26PM +0100, Olaf Hering wrote:
> > This is a resend of these two series:
> > http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00858.html
> > http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00669.html
> >
> > New in v3 is a wrapper to run xenstored. See its patch description
> > for details.
> >
> > Patch 2-6 should be applied for 4.5.0.
> >
> > The first and the last one still has issues with xenstored and
> > SELinux. See below. Up to now no solution is known to me.
> >
> >
> > The first patch fixes Arch Linux and does not break anything. As such
> > it should be safe to be applied for 4.5.0. SELinux users (who build
> > from source) should put their special mount options into fstab. Distro
>
> Could you elaborate what that is? As in what is that 'special mount options'?

The context= mount option, about which we argue since a few weeks?
See patch #1.

> > packages will most likely include a proper .service file.
> >
> >
> > The last patch addresses the XENSTORED_TRACE issue. But SELinux will
> > most likely still not work.
> >
> > Possible ways to handle launching xenstored and SELinux:
> >
> > - do nothing
> >   pro: - no Xen source changes required
> >   con: - possible unhappy users who build from source and still have
> >          SELinux enabled
>
> At this stage I prefer this and just have in the release notes the
> work-around documented.

Which workaround is that? No SELinux on Fedora?

Olaf
Re: [Xen-devel] [PATCH 0/7 v3] tools/hotplug: systemd changes for 4.5
On Fri, Dec 19, 2014 at 12:25:26PM +0100, Olaf Hering wrote:
> This is a resend of these two series:
> http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00858.html
> http://lists.xenproject.org/archives/html/xen-devel/2014-12/msg00669.html
>
> New in v3 is a wrapper to run xenstored. See its patch description
> for details.
>
> Patch 2-6 should be applied for 4.5.0.
>
> The first and the last one still has issues with xenstored and
> SELinux. See below. Up to now no solution is known to me.
>
>
> The first patch fixes Arch Linux and does not break anything. As such
> it should be safe to be applied for 4.5.0. SELinux users (who build
> from source) should put their special mount options into fstab. Distro

Could you elaborate what that is? As in what is that 'special mount options'?

> packages will most likely include a proper .service file.
>
>
> The last patch addresses the XENSTORED_TRACE issue. But SELinux will
> most likely still not work.
>
> Possible ways to handle launching xenstored and SELinux:
>
> - do nothing
>   pro: - no Xen source changes required
>   con: - possible unhappy users who build from source and still have
>          SELinux enabled

At this stage I prefer this and just have in the release notes the
work-around documented.

>
> - use newly added wrapper
>   pro: - XENSTORED_TRACE boolean is handled
>   con: - the wrapper may have the very same issue as the current
>          launching with sh -c 'exec xenstored'. But maybe there is a
>          way to mark the new wrapper script as "this is the native
>          xenstored". Someone familiar with SELinux may be able to
>          answer this.
>
> - Use ExecStart=@XENSTORED@
>   pro: - socket passing will most likely work
>   con: - All options have to be passed in XENSTORED_ARGS, a new variable
>          which is not yet mentioned in the sysconfig file.
>        - Switching xenstored requires a private copy of
>          xenstored.service in /etc/systemd instead of adjusting the
>          XENSTORED= variable in the sysconfig file.
>
> - Use ExecStart=/usr/bin/env $XENSTORED
>   pro: - $XENSTORED can be set in sysconfig file
>   con: - may have the same socket issue as starting via shell
>        - XENSTORED_TRACE boolean is not handled
>
>
> I will be offline until 2015-01-07, so any further adjustments to this
> series has to be done by someone else.
>
>
> Good luck!
>
> Olaf
>
>
> Olaf Hering (7):
>   tools/hotplug: remove SELinux options from var-lib-xenstored.mount
>   tools/hotplug: remove XENSTORED_ROOTDIR from xenstored.service
>   tools/hotplug: xendomains.service depends on network
>   tools/hotplug: use xencommons as EnvironmentFile in
>     xenconsoled.service
>   tools/hotplug: use XENCONSOLED_TRACE in xenconsoled.service
>   tools/hotplug: remove EnvironmentFile from
>     xen-qemu-dom0-disk-backend.service
>   tools/hotplug: add wrapper to start xenstored
>
>  .gitignore                                                        | 1 +
>  tools/configure                                                   | 3 ++-
>  tools/configure.ac                                                | 1 +
>  tools/hotplug/Linux/Makefile                                      | 2 ++
>  tools/hotplug/Linux/init.d/xencommons.in                          | 6 --
>  tools/hotplug/Linux/systemd/var-lib-xenstored.mount.in            | 4 +---
>  tools/hotplug/Linux/systemd/xen-qemu-dom0-disk-backend.service.in | 1 -
>  tools/hotplug/Linux/systemd/xenconsoled.service.in                | 6 +++---
>  tools/hotplug/Linux/systemd/xendomains.service.in                 | 2 ++
>  tools/hotplug/Linux/systemd/xenstored.service.in                  | 6 ++
>  tools/hotplug/Linux/xenstored.sh.in                               | 6 ++
>  11 files changed, 24 insertions(+), 14 deletions(-)
>  create mode 100644 tools/hotplug/Linux/xenstored.sh.in
>
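The ExecStart options listed above, and Olaf's later proposal to replace the XENSTORED_TRACE boolean with a XENSTORED_ARGS variable, both come down to how the wrapper turns the sysconfig variables into a xenstored command line. The POSIX sh function below is an added example, not code from the series or from Xen: it builds that command line from the same variables, appending the trace option to XENSTORED_ARGS rather than overwriting it, refusing to run with an unset XENSTORED, and passing systemd's arguments through unsplit. The binary path, trace flag and option values it is called with are constructed.

```shell
#!/bin/sh
# Added example, not part of the Xen series: build the xenstored command
# line from xencommons-style variables.
# Arguments: 1=XENSTORED (binary path), 2=XENSTORED_TRACE (boolean, empty
# means off), 3=XENSTORED_ARGS (admin-supplied extra options); everything
# after that is what systemd would pass to the wrapper (e.g. --no-fork).
xenstored_cmdline() {
    daemon=$1
    trace=$2
    args=$3
    shift 3

    # An empty XENSTORED would make "exec $XENSTORED ..." exec the first
    # positional argument as the program, so refuse to continue.
    if [ -z "$daemon" ]; then
        echo "XENSTORED is not set" >&2
        return 1
    fi

    # Honour the XENSTORED_TRACE boolean by appending -T rather than
    # replacing XENSTORED_ARGS, and do not add a second -T when the
    # admin already put one into XENSTORED_ARGS.
    if [ -n "$trace" ]; then
        case " $args " in
            *" -T "*) ;;
            *) args="${args:+$args }-T /var/log/xen/xenstored-trace.log" ;;
        esac
    fi

    # Print the command line the wrapper would exec, in the same order as
    # "exec $XENSTORED $@ $XENSTORED_ARGS": binary, systemd's arguments
    # (expanded word by word via "$@" so they survive intact), then the
    # admin-supplied options.
    printf '%s' "$daemon"
    for word in "$@"; do
        printf ' %s' "$word"
    done
    if [ -n "$args" ]; then
        printf ' %s' "$args"
    fi
    printf '\n'
}

# Constructed usage: trace enabled, admin set --verbose, systemd passed
# --no-fork. Prints one line and does not start any daemon.
xenstored_cmdline /usr/sbin/xenstored 1 "--verbose" --no-fork
```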