Bug 1057761 - Can't discover iSCSI target
Summary: Can't discover iSCSI target
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
Whiteboard: storage
Duplicates: 1070430
Depends On: 1025401
Blocks: 1024889
Reported: 2014-01-24 18:34 UTC by Vitor de Lima
Modified: 2020-05-20 23:13 UTC

Fixed In Version: selinux-policy-3.12.1-74.19.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-03-15 15:22:20 UTC
Type: Bug

Attachments
audit.log (5.46 MB, text/plain)
2014-02-11 11:00 UTC, Vitor de Lima
audit2allow output (19.22 KB, text/plain)
2014-02-11 11:01 UTC, Vitor de Lima

Description Vitor de Lima 2014-01-24 18:34:14 UTC
Description of problem:
An iSCSI target is not discovered due to a permission error in VDSM.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Properly configure a Data Center, Cluster, Host and Storage
2. Create a new VM
3. Try to add an External Direct Lun of the iSCSI type into the VM as a virtual disk
4. Put the address of the iscsi target, the port, the username and the password of where the target is.
5. Click "Discover"

Actual results:
Nothing appears.

Expected results:
The target gets listed in the window.

Additional info:
The VDSM log shows this:
Thread-220::INFO::2014-01-24 16:26:10,761::logUtils::44::dispatcher::(wrapper) Run and protect: discoverSendTargets(con={'connection': '', 'password': '******', 'port': '3260', 'user': 'iscsi'}, options=None)
Thread-220::DEBUG::2014-01-24 16:26:10,762::iscsiadm::92::Storage.Misc.excCmd::(_runCmd) '/usr/bin/sudo -n /usr/sbin/iscsiadm -m discoverydb -t sendtargets -I default -p --op=new' (cwd None)
Thread-220::DEBUG::2014-01-24 16:26:10,791::iscsiadm::92::Storage.Misc.excCmd::(_runCmd) FAILED: <err> = 'iscsiadm: Could not make dir /var/lib/iscsi/send_targets/,3260 err 13\n\niscsiadm: Could not open /var/lib/iscsi/send_targets/,3260: Permission denied\n\niscsiadm: Could not add new discovery record.\n'; <rc> = 6
Thread-220::DEBUG::2014-01-24 16:26:10,792::iscsiadm::92::Storage.Misc.excCmd::(_runCmd) '/usr/bin/sudo -n /usr/sbin/iscsiadm -m iface' (cwd None)
Thread-220::DEBUG::2014-01-24 16:26:10,821::iscsiadm::92::Storage.Misc.excCmd::(_runCmd) SUCCESS: <err> = ''; <rc> = 0
Thread-220::ERROR::2014-01-24 16:26:10,821::hsm::2934::Storage.HSM::(discoverSendTargets) Discovery failed
Traceback (most recent call last):
  File "/usr/share/vdsm/storage/hsm.py", line 2932, in discoverSendTargets
    targets = iscsi.discoverSendTargets(iface, portal, cred)
  File "/usr/share/vdsm/storage/iscsi.py", line 212, in discoverSendTargets
    addIscsiPortal(iface, portal, credentials)
  File "/usr/share/vdsm/storage/iscsi.py", line 183, in addIscsiPortal
    iscsiadm.discoverydb_new(discoverType, iface.name, portalStr)
  File "/usr/share/vdsm/storage/iscsiadm.py", line 177, in discoverydb_new
    raise IscsiDiscoverdbError(rc, out, err)
IscsiDiscoverdbError: (6, [], ['iscsiadm: Could not make dir /var/lib/iscsi/send_targets/,3260 err 13', '', 'iscsiadm: Could not open /var/lib/iscsi/send_targets/,3260: Permission denied', '', 'iscsiadm: Could not add new discovery record.'])
Thread-220::ERROR::2014-01-24 16:26:10,830::dispatcher::67::Storage.Dispatcher.Protect::(run) {'status': {'message': 'Failed discovery of iSCSI targets: "portal=IscsiPortal(hostname=\'\', port=3260), err=(6, [], [\'iscsiadm: Could not make dir /var/lib/iscsi/send_targets/,3260 err 13\', \'\', \'iscsiadm: Could not open /var/lib/iscsi/send_targets/,3260: Permission denied\', \'\', \'iscsiadm: Could not add new discovery record.\'])"', 'code': 475}}

Comment 1 Itamar Heim 2014-01-26 08:11:15 UTC
Setting target release to current version for consideration and review. Please
do not push non-RFE bugs to an undefined target release to make sure bugs are
reviewed for relevancy, fix, closure, etc.

Comment 3 Nir Soffer 2014-01-29 08:25:24 UTC
This looks like an selinux issue - iscsiadm running as root cannot create a directory at /var/lib.

Please try to run the discovery command manually - does it fail with the same error?

    /usr/sbin/iscsiadm -m discoverydb -t sendtargets \
        -I default -p --op=new

Then try to run selinux in permissive mode - does it fix the issue? If fixed, please check /var/log/messages for selinux warnings.

See https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html

Which system is this? Are you using the latest selinux packages? Please provide the output of "rpm -qa | grep selinux"

Comment 4 Vitor de Lima 2014-02-05 16:01:40 UTC
The output of "rpm -qa | grep selinux":


Running the command manually works ok.

Setting selinux to permissive fixes this.

Comment 5 Nir Soffer 2014-02-05 20:14:47 UTC
Yaniv, can you check this issue?

Comment 6 Yaniv Bronhaim 2014-02-06 08:08:40 UTC
Check bug 694256, it seems quite the same to me. Check what policies are required and open bug for selinux-policy if that's the case.

Comment 7 Nir Soffer 2014-02-08 22:59:16 UTC
Dan, do you know this issue with selinux policy? Do you know how to work around it other than using permissive mode?

Comment 8 Antoni Segura Puimedon 2014-02-10 14:57:19 UTC

Could you please do:
grep iscsiadm /var/log/audit/audit.log | audit2allow -M iscsiadm.pol
semodule -i iscsiadm.pp

Then setenforce 1. Then try again. If that works, we should move the bug to
selinux-policy and having an attachment of /var/log/audit/audit.log would be
very helpful for that.

Comment 9 Vitor de Lima 2014-02-11 11:00:32 UTC
Created attachment 861768

Comment 10 Vitor de Lima 2014-02-11 11:01:08 UTC
Created attachment 861769
audit2allow output

Comment 11 Vitor de Lima 2014-02-11 11:32:23 UTC

The audit2allow command failed, I've attached the output in a file. The audit.log was attached too.

Comment 12 Dan Kenigsberg 2014-02-11 11:58:32 UTC

type=AVC msg=audit(1391611792.808:5745): avc:  denied  { create } for  pid=10045 comm="iscsiadm" name="st_config" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=file

libsepol.context_from_record: user system_u is not defined
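
How the AVC record quoted in comment 12 maps to a policy rule, as an added example that is not part of the bug thread and is not audit2allow's code. The function names are hypothetical and every log line other than the one from comment 12 is constructed; the output is a candidate rule for a policy maintainer to review, not something to load unread.

```python
import re
from collections import defaultdict

# The AVC record quoted in comment 12 of this bug.
PAGE_RECORD = ('type=AVC msg=audit(1391611792.808:5745): avc:  denied  { create } for  '
               'pid=10045 comm="iscsiadm" name="st_config" '
               'scontext=system_u:system_r:iscsid_t:s0 '
               'tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=file')
# Constructed lines (not from the attached audit.log) to exercise merging and filtering.
CONSTRUCTED = [
    PAGE_RECORD.replace("{ create }", "{ write open }").replace(":5745", ":5746"),
    'type=AVC msg=audit(1391611800.100:5750): avc:  denied  { read } for  pid=1 '
    'comm="other" scontext=system_u:system_r:init_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1391611792.808:5745): syscall=2 success=no exit=-13',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def se_type(context):
    """Return the type field of user:role:type[:level]; the level may itself contain ':'."""
    return context.split(":")[2]

def parse_denials(lines, comm=None):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m or (comm is not None and m.group("comm") != comm):
            continue  # not an AVC denial, or a different command
        key = (se_type(m.group("src")), se_type(m.group("tgt")), m.group("cls"))
        denials[key].update(m.group("perms").split())
    return dict(denials)

def allow_rules(denials):
    """Render each group as the allow rule that would permit it, for human review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_denials([PAGE_RECORD] + CONSTRUCTED, comm="iscsiadm")):
        print(rule)
```
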

Comment 13 Miroslav Grepl 2014-02-11 16:09:02 UTC
commit 7bb6be6b0944bec39badd804a9e329d08bca14f1
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Feb 11 17:08:23 2014 +0100

    Allow iscsid to manage iscsi lib files

Comment 14 Ayal Baron 2014-02-12 06:29:16 UTC
(In reply to Miroslav Grepl from comment #13)
> commit 7bb6be6b0944bec39badd804a9e329d08bca14f1
> Author: Miroslav Grepl <mgrepl@redhat.com>
> Date:   Tue Feb 11 17:08:23 2014 +0100
>     Allow iscsid to manage iscsi lib files

where is this patch? is there a bug to track it?

Comment 15 Ayal Baron 2014-02-12 06:30:10 UTC
(In reply to Ayal Baron from comment #14)
> (In reply to Miroslav Grepl from comment #13)
> > commit 7bb6be6b0944bec39badd804a9e329d08bca14f1
> > Author: Miroslav Grepl <mgrepl@redhat.com>
> > Date:   Tue Feb 11 17:08:23 2014 +0100
> > 
> >     Allow iscsid to manage iscsi lib files
> where is this patch? is there a bug to track it?

Miroslav, if *this* is the bug then assign to yourself?


Comment 16 Jonas Israelsson 2014-02-14 09:18:46 UTC
BZ 1011193

Comment 17 Sandro Bonazzola 2014-02-24 08:21:13 UTC
This bug is blocking oVirt 3.4.0 final release. ETA for fixing it?

Comment 18 Miroslav Grepl 2014-02-24 08:57:08 UTC
Changes have been back ported to F19.

Could you do a new F19 build with these changes?

Comment 19 Nir Soffer 2014-02-24 09:00:55 UTC
(In reply to Sandro Bonazzola from comment #17)
> This bug is blocking oVirt 3.4.0 final release. ETA for fixing it?

This is an selinux bug; we can do nothing about it until an selinux fix is available.

Comment 20 Lukas Vrabec 2014-02-24 12:12:21 UTC
yes, I'll do it today

Comment 21 Fedora Update System 2014-02-24 13:16:50 UTC
selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19.

Comment 22 Nir Soffer 2014-02-24 15:06:48 UTC
Can you verify that the submitted package (see comment 21) solves your issue?

Comment 23 Douglas Schilling Landgraf 2014-02-25 01:31:30 UTC
(In reply to Nir Soffer from comment #22)
> Can you verify that the submitted package (see comment 21) solves your issue?

I have tested here and can confirm with selinux-policy/selinux target 3.12.1-74.19 the error is gone. The funny thing is that the error only shows using ovirt-engine via VDSM, if I try to execute the same command via shell it works (as already reported in the comment #4). Anyway, the error is gone. Added karma to package.

Comment 24 Fedora Update System 2014-02-25 07:45:28 UTC
Package selinux-policy-3.12.1-74.19.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 25 Amador Pahim 2014-03-06 10:40:10 UTC
*** Bug 1070430 has been marked as a duplicate of this bug. ***

Comment 26 Fedora Update System 2014-03-15 15:22:20 UTC
selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
