Bug 1148712
| Field | Value |
|---|---|
| Summary | avc denials accessing sanlock socket while deploying hosted engine |
| Product | Red Hat Enterprise Virtualization Manager |
| Reporter | Nikolai Sednev <nsednev> |
| Component | vdsm |
| Assignee | Nobody <nobody> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Nikolai Sednev <nsednev> |
| Severity | urgent |
| Docs Contact | |
| Priority | unspecified |
| Version | 3.5.0 |
| CC | bazulay, danken, ebenahar, ecohen, gklein, iheim, lpeer, lsurette, michal.skrivanek, nsednev, nsoffer, sbonazzo, stirabos, yeylon |
| Target Milestone | --- |
| Keywords | Triaged |
| Target Release | 3.5.0 |
| Flags | stirabos: needinfo- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | virt |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-11-05 07:36:19 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1067162, 1149634 |
| Attachments | |
Description
Nikolai Sednev
2014-10-02 08:02:05 UTC
Can you please attach relevant logs? (vdsm, libvirt, hosted-engine setup)

(In reply to Sandro Bonazzola from comment #1)
> Can you please attach relevant logs? (vdsm, libvirt, hosted-engine setup)

Hi,
Can you run the deployment on RHEL6.6 and see the result? Components were not installed, it seems, as deployment failed. Please try to run on your environment.

```
Oct 13 14:18:09 blue-vdsc yum[7567]: Installed: libvirt-client-0.10.2-46.el6.x86_64
Oct 13 14:18:10 blue-vdsc yum[7567]: Installed: libvirt-python-0.10.2-46.el6.x86_64
Oct 13 14:18:12 blue-vdsc yum[7567]: Installed: libvirt-0.10.2-46.el6.x86_64
Oct 13 14:18:14 blue-vdsc yum[7567]: Installed: libvirt-lock-sanlock-0.10.2-46.el6.x86_64
Oct 13 14:31:12 blue-vdsc kernel: type=1400 audit(1413199872.822:9): avc: denied { connectto } for pid=10791 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c19,c423 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Oct 13 14:31:12 blue-vdsc kernel: type=1400 audit(1413199872.822:10): avc: denied { connectto } for pid=10791 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c19,c423 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Oct 13 14:31:12 blue-vdsc kernel: libvirtd[10791]: segfault at fffffffffffffffc ip 00007f6ab56e353c sp 00007f6aaed27938 error 4 in libc-2.12.so[7f6ab5668000+18a000]
Oct 13 14:31:13 blue-vdsc vdsm vm.Vm ERROR vmId=`6b4f2645-b464-4ce2-8c48-bbe220221380`::The vm start process failed#012Traceback (most recent call last):#012 File "/usr/share/vdsm/virt/vm.py", line 2266, in _startUnderlyingVm#012 self._run()#012 File "/usr/share/vdsm/virt/vm.py", line 3368, in _run#012 self._connection.createXML(domxml, flags),#012 File "/usr/lib64/python2.6/site-packages/vdsm/libvirtconnection.py", line 111, in wrapper#012 ret = f(*args, **kwargs)#012 File "/usr/lib64/python2.6/site-packages/libvirt.py", line 2709, in createXML#012 if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)#012libvirtError: Child quit during startup handshake: Input/output error
```

Created attachment 946357 [details]
logs

Reran and sending some logs. Components were used:

```
qemu-kvm-rhev-0.12.1.2-2.448.el6.x86_64
ovirt-hosted-engine-setup-1.2.1-1.el6ev.noarch
libvirt-0.10.2-46.el6.x86_64
ovirt-hosted-engine-ha-1.2.2-2.el6ev.noarch
sanlock-2.8-1.el6.x86_64
vdsm-4.16.6-1.el6ev.x86_64
```

Moving to vdsm component. AVC denial on accessing sanlock socket. Not sure if it's a virt or storage issue, starting with virt.

Nikolai, could you provide a core dump of the segfaulting libvirt (in another bug)?

```
Oct 13 14:31:12 blue-vdsc kernel: libvirtd[10791]: segfault at fffffffffffffffc ip 00007f6ab56e353c sp 00007f6aaed27938 error 4 in libc-2.12.so[7f6ab5668000+18a000]
```

may be nastier than a missing policy rule.

(In reply to Sandro Bonazzola from comment #6)
> Moving to vdsm component. AVC denial on accessing sanlock socket. Not sure
> if it's a virt or storage issue, starting with virt.

This does not look like a vdsm issue at all. libvirtd cannot access the sanlock socket; that looks like a selinux-policy issue.

Nikolai, please open a selinux-policy bug, and include there the relevant /var/log/audit.log. Note that audit.log is rotated quickly. To find the relevant log, use:

```
xzgrep 'comm="libvirtd" path="/var/run/sanlock/sanlock.sock"' /var/log/audit/audit.log*
```

If this fails, reproduce again and take the current file /var/log/audit/audit.log

*** Bug 1150427 has been marked as a duplicate of this bug. ***

Please cross-check with https://bugzilla.redhat.com/show_bug.cgi?id=1146529 where it seems that some rules were added for Sanlock on selinux-policy-3.13.1-3.el7

I tried to set up hosted-engine on RHEL7 with selinux-policy-3.13.1-4 but it's still blocked by selinux.

```
time->Wed Oct 15 10:02:37 2014
type=SYSCALL msg=audit(1413360157.163:3312): arch=c000003e syscall=2 success=no exit=-13 a0=7f2a48966410 a1=105002 a2=0 a3=1 items=0 ppid=1 pid=5195 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179 egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1413360157.163:3312): avc: denied { read write } for pid=5195 comm="sanlock" name="dm-9" dev="devtmpfs" ino=611495 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0 tclass=blk_file
```

I'm not really sure it's a selinux-policy issue or a labeling problem from vdsm.

```
[root@r70st1 ~]# ls -lZ /dev/dm-9
brw-rw----. vdsm qemu system_u:object_r:svirt_image_t:s0 /dev/dm-9
```

(In reply to Simone Tiraboschi from comment #11)
> I tried to set up hosted-engine on RHEL7 with selinux-policy-3.13.1-4 but
> it's still blocked by selinux.
>
> time->Wed Oct 15 10:02:37 2014
> type=SYSCALL msg=audit(1413360157.163:3312): arch=c000003e syscall=2
> success=no exit=-13 a0=7f2a48966410 a1=105002 a2=0 a3=1 items=0 ppid=1
> pid=5195 auid=4294967295 uid=179 gid=179 euid=179 suid=179 fsuid=179
> egid=179 sgid=179 fsgid=179 tty=(none) ses=4294967295 comm="sanlock"
> exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023
> key=(null)
> type=AVC msg=audit(1413360157.163:3312): avc: denied { read write } for
> pid=5195 comm="sanlock" name="dm-9" dev="devtmpfs" ino=611495
> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:svirt_image_t:s0 tclass=blk_file

This seems to be an error when sanlock tries to read from /dev/dm-9, and it does not seem to be related to the libvirtd denial.

>
> I'm not really sure it's a selinux-policy issue or a labeling problem from
> vdsm.
> [root@r70st1 ~]# ls -lZ /dev/dm-9
> brw-rw----. vdsm qemu system_u:object_r:svirt_image_t:s0 /dev/dm-9

This label works on RHEL 7.0 - not sure if with the selinux policy you tested. If this label does not work, the vm will pause. This cannot cause the libvirtd denial.

To ensure that this is the case, can you try to apply this patch and test again?
http://gerrit.ovirt.org/#/c/33931

I ran it again updating to vdsm-4.16.7-1.el7 from a yesterday build and now vdsm is able to start the VM over iscsi with sanlock.

(In reply to Simone Tiraboschi from comment #13)
> I ran it again updating to vdsm-4.16.7-1.el7 from a yesterday build and
> now vdsm is able to start the VM over iscsi with sanlock.

So this seems like a duplicate of bug 1127460, or it should depend on it.

(In reply to Nir Soffer from comment #14)
> (In reply to Simone Tiraboschi from comment #13)
> > I ran it again updating to vdsm-4.16.7-1.el7 from a yesterday build and
> > now vdsm is able to start the VM over iscsi with sanlock.
>
> So this seems like a duplicate of bug 1127460, or it should depend on it.

Yes, it's not strictly a duplicate but they could be solved as one.

(In reply to Simone Tiraboschi from comment #15)
> (In reply to Nir Soffer from comment #14)
> > (In reply to Simone Tiraboschi from comment #13)
> > > I ran it again updating to vdsm-4.16.7-1.el7 from a yesterday build and
> > > now vdsm is able to start the VM over iscsi with sanlock.
> >
> > So this seems like a duplicate of bug 1127460, or it should depend on it.
>
> Yes, it's not strictly a duplicate but they could be solved as one.

Why was an update needed to get the latest vdsm - hosted engine setup does not require this version? Maybe the spec should be updated?

That hosted-engine simply requires vdsm >= 4.16.6 while this has been addressed by vdsm-4.16.7-1.el7 which isn't officially released yet, so it's just a matter of time.

Hi,
Please provide the Fixed In Version field contents. As for current system behaviour, I was able to deploy HE with 3.5 while selinux was set to 0 ("setenforce 0") on a host running RHEL6.6.

Proper selinux packages have been released on 6.6.z
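A small triage helper, added here as an example and not part of this bug, of vdsm or of any of the commenters' work: it parses the two AVC record shapes quoted in the thread (the syslog-prefixed `kernel: type=1400 audit(...)` form and the ausearch `type=AVC msg=audit(...)` form) and groups denials by source domain, permission, target type and object class, so that the libvirtd-to-sanlock socket denial and the sanlock-to-/dev/dm-9 denial, which the thread treats as separate problems, come out as distinct findings. The sample lines are constructed from the records quoted above; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Matches both shapes quoted in this bug: syslog "kernel: type=1400 audit(...): avc: ..."
# and ausearch "type=AVC msg=audit(...): avc: ...".
AVC_RE = re.compile(
    r'audit\(\d+\.\d+:(?P<serial>\d+)\):\s*avc:\s*denied\s*'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': f.get('comm'),
        'source': selinux_type(f['scontext']),
        'target': selinux_type(f['tcontext']),
        'tclass': f.get('tclass'),
        # a unix socket denial carries path=..., a file/device denial name=...
        'object': f.get('path') or f.get('name'),
    }

def summarize(lines):
    """Count distinct (comm, source type, perms, target type, class) tuples so
    repeated denials collapse into one finding per missing rule or mislabel."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d:
            counts[(d['comm'], d['source'], ' '.join(d['perms']),
                    d['target'], d['tclass'])] += 1
    return counts

# Constructed sample lines modelled on the records quoted in this bug.
SAMPLE = [
    'Oct 13 14:31:12 blue-vdsc kernel: type=1400 audit(1413199872.822:9): avc: denied { connectto } for pid=10791 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c19,c423 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'Oct 13 14:31:12 blue-vdsc kernel: type=1400 audit(1413199872.822:10): avc: denied { connectto } for pid=10791 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c19,c423 tcontext=unconfined_u:system_r:sanlock_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1413360157.163:3312): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=5195 comm="sanlock" exe="/usr/sbin/sanlock" subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1413360157.163:3312): avc: denied { read write } for pid=5195 comm="sanlock" name="dm-9" dev="devtmpfs" ino=611495 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0 tclass=blk_file',
]
```

Running `summarize(SAMPLE)` yields two findings: the repeated `svirt_t -> sanlock_t connectto unix_stream_socket` denial (a policy-rule candidate) and a single `sanlock_t -> svirt_image_t read write blk_file` denial (a labeling question on the device node), which is the distinction the thread draws.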