Bug 1273252 - iscsi not working on 4.2.3, Unable to mount iscsi volumes.
iscsi not working on 4.2.3, Unable to mount iscsi volumes.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
22
x86_64 Linux
unspecified Severity urgent
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
: 1277262 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-20 00:14 EDT by Daniel Rowe
Modified: 2015-11-26 22:53 EST (History)
19 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-128.21.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-26 22:53:41 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Rowe 2015-10-20 00:14:57 EDT
Description of problem:

After updating to 4.2.3-200 from the 4.1.* kernel my iscsi vouumes will not mount.

Take ages to boot no mounts mounted and running systemctl iscsi restart just hangs.

Booting to 4.1.10-200 and all is well.

Version-Release number of selected component (if applicable):

4.2.3-200

I seem to have a lot of issue with iscsi on Fedora and updates breaking things.

How reproducible:

Everytime.

Steps to Reproduce:
1. Boot into 4.2.3-200
2. Not iscsi volumes mounted.
3. Boot into 4.1.10-200
4. All is well

Actual results:

Cant mount iscsi volumes/filesystems.

Expected results:

Works as it does in 4.1.10-200
Comment 1 Josh Boyer 2015-10-20 09:08:51 EDT
This might be a duplicate of bug 1271812.  We have a patch in Fedora git for that, but it has not made it into a build yet.
Comment 2 Mebus 2015-11-01 12:20:05 EST
I can confirm this. This is what happened to me on the 4.2.3-200 Kernel:

8 root@fbox # iscsiadm -m discovery -t sendtargets -p 192.168.1.10
iscsiadm: got read error (-1/104), daemon died?
iscsiadm: got read error (-1/104), daemon died?
iscsiadm: Cannot perform discovery. Initiatorname required.
iscsiadm: Could not perform SendTargets discovery: could not communicate to iscsid
18 root@fbox # 

It works with the 4.1.10-200 kernel.

Mebus
Comment 3 Josh Boyer 2015-11-02 09:06:28 EST
Please try the 4.2.5 update in updates-testing.
Comment 4 Josh Boyer 2015-11-02 15:36:49 EST
*** Bug 1277262 has been marked as a duplicate of this bug. ***
Comment 5 Chris Egolf 2015-11-04 00:44:07 EST
The 4.2.5 kernel in updates-testing didn't fix this problem for me, but upgrading to Fedora 23 resolved the issue on several machines.
Comment 6 Josh Boyer 2015-11-04 10:20:37 EST

*** This bug has been marked as a duplicate of bug 1271812 ***
Comment 7 Justin M. Forbes 2015-11-04 14:36:18 EST
There is no difference in the F23 and F22 kernels for iscsi. I am guessing this is something that was addressed in the iscsi-initiator-utils update for F23, and simply needs to be brought back to F22? Reopening and reassigning.
Comment 8 Chris Leech 2015-11-04 20:07:11 EST
There's something happening with the selinux-policy from 3.13.1-122 to 3.13.1-128.18, I haven't narrowed it down to an exact build but there's not much change specific to iSCSI.

> audit2why -b

type=AVC msg=audit(1446685101.879:315): avc:  denied  { create } for  pid=1004 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1446685101.884:317): avc:  denied  { create } for  pid=1008 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1446685101.889:319): avc:  denied  { create } for  pid=1012 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1446685101.894:321): avc:  denied  { create } for  pid=1016 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1446685101.898:323): avc:  denied  { create } for  pid=1020 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
Comment 9 Daniel Rowe 2015-11-05 06:25:19 EST
Sorry took time to test but the later kernel has not fixed it. Booting into 4.2.5 and iscsi is not working.
Comment 10 John Florian 2015-11-06 17:46:45 EST
I can also confirm this with:
iscsi-initiator-utils-6.2.0.873-25.gitc9d830b.fc22.x86_64
kernel-4.2.5-201.fc22.x86_64.

# iscsiadm --mode discovery --type sendtargets --portal 172.16.7.3
iscsiadm: got read error (-1/104), daemon died?
iscsiadm: Could not scan /sys/class/iscsi_transport.
iscsiadm: got read error (-1/104), daemon died?
iscsiadm: Cannot perform discovery. Initiatorname required.
iscsiadm: Could not perform SendTargets discovery: could not communicate to iscsid

Meanwhile, the journal captured:

... systemd[1]: Listening on Open-iSCSI iscsid Socket.
... systemd[1]: Starting Open-iSCSI iscsid Socket.
... systemd[1]: Listening on Open-iSCSI iscsiuio Socket.
... polkitd[1059]: Unregistered Authentication Agent for unix-process:1515:17960 (system bus name :1.14, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
... systemd[1]: Starting Open-iSCSI...
... iscsid[1520]: iSCSI logger with pid=1521 started!
... audit[1522]: <audit-1400> avc:  denied  { create } for  pid=1522 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=0
... iscsid[1521]: iSCSI daemon with pid=1522 started!
... iscsid[1521]: can not create NETLINK_ISCSI socket
... systemd[1]: Failed to read PID from file /var/run/iscsid.pid: Invalid argument
... systemd[1]: Failed to start Open-iSCSI.
... systemd[1]: Unit iscsid.service entered failed state.
... systemd[1]: iscsid.service failed.
... audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=iscsid comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Comment 11 Torbjorn Jansson 2015-11-08 04:06:36 EST
not sure if it is relevant to this bug or not but kernel 4.2.5-201.fc22.x86_64 works with the ms iscsi initiator.
but initially during my testing it didn't work very well because for some reason targetcli didn't load the config at boot, so i was doing the testing against a blank unconfigured targetcli

that made me think it was still broken when it really wasn't.
Comment 13 Fedora Update System 2015-11-20 08:12:10 EST
selinux-policy-3.13.1-128.21.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
Comment 14 Daniel Rowe 2015-11-20 20:25:11 EST
I have install the above test packages from koji and it has fixed the issue. I am now running the 4.2.6-200 with iscsi volumes mounted on F22.

Thanks.
Comment 15 Fedora Update System 2015-11-21 12:51:15 EST
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
Comment 16 Fedora Update System 2015-11-26 22:52:11 EST
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.