Bug 1070430 - Cannot connect host to iSCSI storage domain. Access denied by selinux.
Summary: Cannot connect host to iSCSI storage domain. Access denied by selinux.
Keywords:
Status: CLOSED DUPLICATE of bug 1057761
Alias: None
Product: oVirt
Classification: Retired
Component: vdsm
Version: 3.4
Hardware: All
OS: Linux
urgent
medium
Target Milestone: ---
: 3.4.0
Assignee: Dan Kenigsberg
QA Contact: Gil Klein
URL:
Whiteboard: storage
Depends On:
Blocks: 1024889
TreeView+ depends on / blocked
 
Reported: 2014-02-26 20:05 UTC by Amador Pahim
Modified: 2016-02-10 19:01 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-06 10:40:10 UTC
oVirt Team: Storage
Embargoed:

Attachments (Terms of Use)

Description Amador Pahim 2014-02-26 20:05:42 UTC 
Description of problem:

Adding a new host, it cannot be connected to iSCSI storage domain. "Events" message:

 The error message for connection 192.168.25.118 iqn.2012-07.com.lenovoemc:storage.ix2-73.rhev (LUN 35005907fb354dc85) returned by VDSM was: Failed to setup iSCSI subsystem

vdsm.log:

Thread-44::DEBUG::2014-02-26 16:57:57,704::BindingXMLRPC::233::vds::(wrapper) client [192.168.25.120] flowID [2a7db17d]
Thread-44::INFO::2014-02-26 16:57:57,704::logUtils::44::dispatcher::(wrapper) Run and protect: connectStorageServer(domType=3, spUUID='00000002-0002-0002-0002-000000000002', conList=[{'connection': '192.168.25.118', 'iqn': 'iqn.2012-07.com.lenovoemc:storage.ix2-73.rhev', 
'portal': '1', 'user': '', 'password': '******', 'id': '63f33299-ba0c-4b4e-8926-dad37d0ee520', 'port': '3260'}], options=None)
Thread-44::DEBUG::2014-02-26 16:57:57,705::iscsiadm::92::Storage.Misc.excCmd::(_runCmd) '/usr/bin/sudo -n /sbin/iscsiadm -m node -T iqn.2012-07.com.lenovoemc:storage.ix2-73.rhev -I default -p 192.168.25.118:3260 --op=new' (cwd None)
Thread-44::DEBUG::2014-02-26 16:57:57,718::iscsiadm::92::Storage.Misc.excCmd::(_runCmd) FAILED: <err> = 'iscsiadm: Could not make /var/lib/iscsi/nodes/iqn.2012-07.com.lenovoemc:storage.ix2-73.rhev: Permission denied\n\niscsiadm: Error while adding record: encountered iSCS
I database failure\n'; <rc> = 6
Thread-44::DEBUG::2014-02-26 16:57:57,719::iscsiadm::92::Storage.Misc.excCmd::(_runCmd) '/usr/bin/sudo -n /sbin/iscsiadm -m iface' (cwd None)
Thread-44::DEBUG::2014-02-26 16:57:57,732::iscsiadm::92::Storage.Misc.excCmd::(_runCmd) SUCCESS: <err> = ''; <rc> = 0
Thread-44::ERROR::2014-02-26 16:57:57,732::hsm::2363::Storage.HSM::(connectStorageServer) Could not connect to storageServer
Traceback (most recent call last):
  File "/usr/share/vdsm/storage/hsm.py", line 2360, in connectStorageServer
    conObj.connect()
  File "/usr/share/vdsm/storage/storageServer.py", line 359, in connect
    iscsi.addIscsiNode(self._iface, self._target, self._cred)
  File "/usr/share/vdsm/storage/iscsi.py", line 149, in addIscsiNode
    iscsiadm.node_new(iface.name, portalStr, targetName)
  File "/usr/share/vdsm/storage/iscsiadm.py", line 240, in node_new
    raise IscsiNodeError(rc, out, err)
IscsiNodeError: (6, [], ['iscsiadm: Could not make /var/lib/iscsi/nodes/iqn.2012-07.com.lenovoemc:storage.ix2-73.rhev: Permission denied', '', 'iscsiadm: Error while adding record: encountered iSCSI database failure'])
Thread-44::DEBUG::2014-02-26 16:57:57,732::hsm::2382::Storage.HSM::(connectStorageServer) knownSDs: {f8cb1f28-028a-4f82-a82d-815e99a74ec0: storage.nfsSD.findDomain}
Thread-44::INFO::2014-02-26 16:57:57,733::logUtils::47::dispatcher::(wrapper) Run and protect: connectStorageServer, Return response: {'statuslist': [{'status': 465, 'id': '63f33299-ba0c-4b4e-8926-dad37d0ee520'}]}


Version-Release number of selected component (if applicable):

 ovirt-engine-3.4.0-0.7.beta2.fc19.noarch
 vdsm-4.14.1-103.git167536b.fc19.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install ovirt from scratch
2. Add first host
3. Add an iSCSI storage domain

Additional info:

Workaround:

# setenforce 0
Comment 1 Sandro Bonazzola 2014-03-04 09:28:29 UTC 
This is an automated message.
Re-targeting all non-blocker bugs still open on 3.4.0 to 3.4.1.
Comment 2 Amador Pahim 2014-03-05 16:23:30 UTC 
Prerelease also affected: vdsm-4.14.3-0.fc19.x86_64
Comment 3 Amador Pahim 2014-03-05 16:32:21 UTC 
(In reply to Sandro Bonazzola from comment #1)
> This is an automated message.
> Re-targeting all non-blocker bugs still open on 3.4.0 to 3.4.1.

Hi Sandro. This one seems like a blocker. Can we keep the target to 3.4.0? I just updated 3.4.0 tracker (BZ#1024889), including this one in "Depends On" field.
Comment 4 Dan Kenigsberg 2014-03-05 21:42:19 UTC 
Amador, which version of selinux-policy do you have installed? This bug seems like a dup or a twin of bug 1057761 solved by selinux-policy-3.12.1-74.19.fc19. Isn't it so, Lukas?
Comment 5 Lukas Vrabec 2014-03-05 22:53:15 UTC 
Dan, I agree.

Amador could you tell us your version of selinux-policy?
Comment 6 Sandro Bonazzola 2014-03-06 06:56:56 UTC 
(In reply to Amador Pahim from comment #3)
> (In reply to Sandro Bonazzola from comment #1)
> > This is an automated message.
> > Re-targeting all non-blocker bugs still open on 3.4.0 to 3.4.1.
> 
> Hi Sandro. This one seems like a blocker. Can we keep the target to 3.4.0? I
> just updated 3.4.0 tracker (BZ#1024889), including this one in "Depends On"
> field.

re-targeting to 3.4.0, please answer to needinfo request as soon as possible, since this bug seems a duplicate of a fixed bug.
Comment 7 Amador Pahim 2014-03-06 10:40:10 UTC 
(In reply to Dan Kenigsberg from comment #4)
> Amador, which version of selinux-policy do you have installed? This bug
> seems like a dup or a twin of bug 1057761 solved by
> selinux-policy-3.12.1-74.19.fc19. Isn't it so, Lukas?

Affected version:
# rpm -qa selinux-policy
selinux-policy-3.12.1-74.18.fc19.noarch

Indeed selinux-policy-3.12.1-74.19.fc19.noarch.rpm fixed the issue. Closing as duplicate.

*** This bug has been marked as a duplicate of bug 1057761 ***
Note You need to log in before you can comment on or make changes to this bug.