On Mon, Oct 15, 2012 at 05:55:03AM -0400, Federico Simoncelli wrote: > ----- Original Message ----- > > From: "Dan Kenigsberg" <dan...@redhat.com> > > To: "Mike Burns" <mbu...@redhat.com> > > Cc: "Federico Simoncelli" <fsimo...@redhat.com>, users@ovirt.org > > Sent: Monday, October 15, 2012 11:02:45 AM > > Subject: Re: [Users] Can't start a VM - sanlock permission denied > > > > On Sun, Oct 14, 2012 at 09:53:51PM -0400, Mike Burns wrote: > > > On Sun, 2012-10-14 at 19:11 -0400, Federico Simoncelli wrote: > > > > ----- Original Message ----- > > > > > From: "Alexandre Santos" <santosa...@gmail.com> > > > > > To: "Dan Kenigsberg" <dan...@redhat.com> > > > > > Cc: "Haim Ateya" <hat...@redhat.com>, users@ovirt.org, > > > > > "Federico Simoncelli" <fsimo...@redhat.com> > > > > > Sent: Sunday, October 14, 2012 7:23:36 PM > > > > > Subject: Re: [Users] Can't start a VM - sanlock permission > > > > > denied > > > > > > > > > > 2012/10/13 Dan Kenigsberg < dan...@redhat.com > > > > > > > > > > > On Sat, Oct 13, 2012 at 11:25:37AM +0100, Alexandre Santos > > > > > wrote: > > > > > > Hi, > > > > > > after getting to the oVirt Node console (F2) I figured out > > > > > > that > > > > > > selinux > > > > > > wasn't allowing the sanlock, so I entered the setsebool > > > > > > virt_use_sanlock 1 > > > > > > and the problem is fixed. > > > > > > > > > > Which version of vdsm is istalled on your node? and which > > > > > selinux-policy? sanlock should work out-of-the-box. > > > > > > > > > > > > > > > vdsm-4.10.0-10.fc17 > > > > > > > > > > on /etc/sysconfig/selinux > > > > > SELINUX=enforcing > > > > > SELINUXTYPE=targeted > > > > > > > > As far as I understand the selinux policies for the ovirt-node > > > > are set > > > > by recipe/common-post.ks (in the ovirt-node repo): > > > > > > > > semanage boolean -m -S targeted -F /dev/stdin << \EOF_semanage > > > > allow_execstack=0 > > > > virt_use_nfs=1 > > > > EOF_semanage > > > > > > > > We should update it with what vdsm is currently setting: > > > > > > > > virt_use_sanlock=1 > > > > sanlock_use_nfs=1 > > > > > > > > > > Shouldn't vdsm be setting these if they're needed? > > > > It should - I'd like to know which vdsm version was it, and why this > > was skipped. > > The version was 4.10.0-10.fc17 and what I thought (but I didn't test yesterday > night) is that the ovirt-node was overriding what we were setting. > Anyway this is not the case. > > > > I can certainly set > > > the values, but IMO, if vdsm needs it, vdsm should set it. > > > > virt_use_nfs=1 made it into the node. Maybe there was a good reason > > for it that applies to virt_use_sanlock as well. (I really hate to > > persist the policy files, and dislike the idea of setting virt_use_sanlock > > every time vdsmd starts - it's slooooow). > > We set them when we install vdsm (not when the service starts) so they should > be good to go in the iso.
oops, I've forgot about "BZ#832199: move selinux from init to spec" in http://gerrit.ovirt.org/5600 . > It might be a glitch during the vdsm package > installation, it could be something like semanage taking the boolean from the > host where the iso is built rather than the root where the package is > installed. > > Do we have the iso build logs? _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users