We had also requested to check if SELinux is enabled and any AVCs reported. Can you please get a response for those queries as well? From comment #2:
* If SELinux is in enforcing mode, check '/var/log/audit.log' for any AVCs when nfs-ganesha is being started:
    # getenforce
    # ausearch -m avc -m user_avc -m selinux_err -i -ts recent
* Check if there are any errors/warnings logged in '/var/log/messages' as well.
Have you checked if rpcbind is listening and allowing connections over IPv6? In comment #6 the output of iptables is shown, but that only applies to IPv4. Use the ip6tables command as well. rpcbind should be listening on port 111, maybe netstat/ss can confirm that too.
With 3.1.3, we have a new ganesha conf file, which would have been saved as rpmsave under /etc/ganesha. If you look into it, the rquota port is assigned port 875, and we recommend setting up ganesha using this port number moving forward. The conf file will look like this:
    NFS_Core_Param {
        #Use supplied name other tha IP In NSM operations
        NSM_Use_Caller_Name = true;
        #Copy lock states into "/var/lib/nfs/ganesha" dir
        Clustered = false;
        #By default port number '2049' is used for NFS service.
        #Configure ports for MNT, NLM, RQuota services.
        #The ports chosen here are from '/etc/sysconfig/nfs'
        MNT_Port = 20048;
        NLM_Port = 32803;
        Rquota_Port = 875;
    }
Can you please try with the same and let us know if you still see the issue? Also, please add the relevant services in firewalld as mentioned in the doc link below, under the 7.2.4 NFS-Ganesha section: http://jenkinscat.gsslab.pnq.redhat.com:8080/view/Gluster/job/doc-Red_Hat_Gluster_Storage-3.1.3-Administration_Guide%20%28html-single%29/lastBuild/artifact/tmp/en-US/html-single/index.html#sect-NFS_Ganesha
I tried reproducing this issue with a port other than 875, and I can see the same issue with AVC denials for unreserved_port in audit.log.
ganesha.conf:
    NFS_Core_Param {
        #Use supplied name other tha IP In NSM operations
        NSM_Use_Caller_Name = true;
        #Copy lock states into "/var/lib/nfs/ganesha" dir
        Clustered = false;
        #By default port number '2049' is used for NFS service.
        #Configure ports for MNT, NLM, RQuota services.
        #The ports chosen here are from '/etc/sysconfig/nfs'
        MNT_Port = 20048;
        NLM_Port = 32803;
        Rquota_Port = 8750;
    }
From ganesha logs:
    18/07/2016 07:43:52 : epoch 1a100000 : dhcp43-208.lab.eng.blr.redhat.com : ganesha.nfsd-30912[main] Bind_sockets_V6 :DISP :WARN :Cannot bind RQUOTA udp6 socket, error 13 (Permission denied)
    18/07/2016 07:43:52 : epoch 1a100000 : dhcp43-208.lab.eng.blr.redhat.com : ganesha.nfsd-30912[main] Bind_sockets :DISP :FATAL :Error binding to V6 interface. Cannot continue.
Following AVCs in audit.log:
    type=AVC msg=audit(1468842120.174:587): avc: denied { name_bind } for pid=30640 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
    type=AVC msg=audit(1468842120.146:611): avc: denied { name_bind } for pid=30335 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
    type=AVC msg=audit(1468842120.138:635): avc: denied { name_bind } for pid=29146 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
    type=AVC msg=audit(1468842120.176:610): avc: denied { name_bind } for pid=29790 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
The bug below has been filed to track it: https://bugzilla.redhat.com/show_bug.cgi?id=1357508
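Added triage example (not part of the bug comments, and not Red Hat or nfs-ganesha code): it parses the four AVC records quoted in the comment above, collapses the repeated name_bind denials into one finding per port and SELinux type pair, and matches the denied port against the port settings from the same ganesha.conf. The function names are hypothetical; the log and port lines are copied from the comment.

```python
import re
from collections import defaultdict

# AVC records and port settings copied from the comment above.
AUDIT_LOG = """\
type=AVC msg=audit(1468842120.174:587): avc: denied { name_bind } for pid=30640 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1468842120.146:611): avc: denied { name_bind } for pid=30335 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1468842120.138:635): avc: denied { name_bind } for pid=29146 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1468842120.176:610): avc: denied { name_bind } for pid=29790 comm="ganesha.nfsd" src=8750 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
"""
GANESHA_CONF = """\
NFS_Core_Param {
    MNT_Port = 20048;
    NLM_Port = 32803;
    Rquota_Port = 8750;
}
"""
AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PORT_RE = re.compile(r"^\s*(\w+_Port)\s*=\s*(\d+)\s*;", re.M)

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m["fields"])}
    rec["perms"] = m["perms"].split()
    return rec

def bind_denials(log_text):
    """Map (comm, port, source type, target type, class) -> PIDs that were denied."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "name_bind" in rec["perms"]:
            stype, ttype = (rec[c].split(":")[2] for c in ("scontext", "tcontext"))
            key = (rec["comm"], int(rec["src"]), stype, ttype, rec["tclass"])
            groups[key].append(int(rec["pid"]))
    return dict(groups)

def denied_settings(log_text, conf_text):
    """Names of the *_Port settings whose value appears in a name_bind denial."""
    denied = {key[1] for key in bind_denials(log_text)}
    return sorted(n for n, p in PORT_RE.findall(conf_text) if int(p) in denied)

if __name__ == "__main__":
    for key, pids in bind_denials(AUDIT_LOG).items():
        print(key, "pids:", sorted(pids))
    print("denied settings:", denied_settings(AUDIT_LOG, GANESHA_CONF))
```

On a live system the same functions can be fed the text produced by the ausearch command quoted earlier in the thread, run without -i so the records stay in raw key=value form.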
Workaround to proceed ahead is as mentioned in comment 9.
As mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1357508#c1, this issue is fixed in 7.3. Since the recommended settings for 3.1.3 are as mentioned in comment 9, which will work fine, do you think we need to have a fix for this in 7.2 as well? Please confirm and, based on that, I will update the corresponding selinux bug.
Hello Shashank, The customer did not try the workaround yet.
Hi, Do we have any updates on this (as mentioned in comment 12)?
Any updates on this? There is a dependent bug on the selinux team (https://bugzilla.redhat.com/show_bug.cgi?id=1357508), which is fixed for 7.3, and they want to close it. So if we want a fix for 7.2.z, we need to update that bug. Can you please confirm the same?
I see that the customer case attached is in CLOSED state. The required fix in selinux-policy is already merged in 7.3. Based on these, proposing this bug to 3.2.0 release. QE can re-verify this bug once RHEL 7.3 GA is available.
Usually we get a fix backported to RHEL Z-stream (7.2 Z-stream in this case) from Lukas (lvrabec). He can tell us which, if any, Z-stream fix is available.
The AVC mentioned is not seen with the latest builds based on RHEL7.3, and nfs-ganesha starts successfully. Marking the BZ verified.
(On RHEL7.3)
    selinux-policy-3.13.1-102.el7_3.4.noarch
    selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
    nfs-ganesha-2.4.1-1.el7rhgs.x86_64
    nfs-ganesha-gluster-2.4.1-1.el7rhgs.x86_64
Hi Soumya, I have edited the doc text further. Let me know if this looks ok.
Hi Bhavana, The changes look good to me.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0493.html