[Bugs] [Bug 1312809] New: volume not getting exported after setting the option ganesha.enable
bugzilla at redhat.com
Mon Feb 29 09:48:44 UTC 2016
https://bugzilla.redhat.com/show_bug.cgi?id=1312809
Bug ID: 1312809
Summary: volume not getting exported after setting the option
ganesha.enable
Product: Red Hat Enterprise Linux 7
Version: 7.2
Component: selinux-policy
Severity: urgent
Assignee: mgrepl at redhat.com
Reporter: akhakhar at redhat.com
QA Contact: qe-baseos-security at redhat.com
CC: bugs at gluster.org, jthottan at redhat.com,
kkeithle at redhat.com, lvrabec at redhat.com,
mgrepl at redhat.com, mmalik at redhat.com,
ndevos at redhat.com, plautrba at redhat.com,
pvrabec at redhat.com, skoduri at redhat.com,
ssekidde at redhat.com
Depends On: 1311911
+++ This bug was initially created as a clone of Bug #1311911 +++
Description of problem:
volume not getting exported after setting the option ganesha.enable
Version-Release number of selected component (if applicable):
glusterfs-ganesha-3.7.8-1.el7.x86_64
nfs-ganesha-2.2.0-12.el6rhs.x86_64
glusterfs-3.7.8-1.el7.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Setup nfs-ganesha on 4 nodes
2. Create a 2X2 volume.
3. Start the volume
4. Set the volume option ganesha.enable on. It says success, but the volume is
actually not exported.
Export file is present
[root at dhcp46-59 ~]# cat /etc/ganesha/exports/export.testvol.conf
# WARNING : Using Gluster CLI will overwrite manual
# changes made to this file. To avoid it, edit the
# file and run ganesha-ha.sh --refresh-config.
EXPORT{
Export_Id= 2 ;
Path = "/testvol";
FSAL {
name = GLUSTER;
hostname="localhost";
volume="testvol";
}
Access_type = RW;
Disable_ACL = true;
Squash="No_root_squash";
Pseudo="/testvol";
Protocols = "3", "4" ;
Transports = "UDP","TCP";
SecType = "sys";
}
Also ganesha.conf file has entry of this config file:
[root at dhcp46-59 ~]# cat /etc/ganesha/ganesha.conf
###################################################
#
# EXPORT
#
# To function, all that is required is an EXPORT
#
# Define the absolute minimal export
#
#EXPORT
#{
# Export Id (mandatory, each EXPORT must have a unique Export_Id)
# Export_Id = 77;
# Exported path (mandatory)
# Path = "/testvol";
# Pseudo Path (required for NFS v4)
# Pseudo = "/testvol";
# Required for access (default is None)
# Could use CLIENT blocks instead
# Access_Type = RW;
# Allow root access
# Squash = No_Root_Squash;
# Security flavor supported
# SecType = "sys";
# Exporting FSAL
# FSAL {
# Name = "GLUSTER";
# Hostname = localhost;
# Volume = "testvol";
# }
#}
#######################################################
#Create this export block in a file which has the following parameters
#in the global part. Or create a separate file with the export block
#and include in the following block.
NFS_Core_Param {
#Use supplied name other tha IP In NSM operations
NSM_Use_Caller_Name = true;
#Copy lock states into "/var/lib/nfs/ganesha" dir
Clustered = false;
#Use a non-privileged port for RQuota
Rquota_Port = 4501;
MNT_Port = 20048;
NLM_Port = 32000;
}
%include "/etc/ganesha/exports/export.vol.conf
But showmount does not show that volume is exported
Actual results: showmount does not show that volume is exported
Expected results: on setting ganesha.enable option volume should get exported
Additional info:
--- Additional comment from Apeksha on 2016-02-25 05:23:18 EST ---
After Restarting the nfs-ganesha service on all the nodes, the volume is
getting exported
--- Additional comment from Jiffin on 2016-02-26 14:10:14 EST ---
IMO the issue may be related to selinux policies; in the audit log the
following logs can be found while enabling and disabling the ganesha.enable option
type=USER_AVC msg=audit(1456522097.022:4933): pid=902 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
denied { send_msg } for msgtype=method_call
interface=org.ganesha.nfsd.exportmgr member=AddExport dest=org.ganesha.nfsd
spid=10631 tpid=26644 scontext=system_u:system_r:glusterd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"
sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1456521684.235:4932): pid=902 uid=81 auid=4294967295
ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
denied { send_msg } for msgtype=method_call
interface=org.ganesha.nfsd.exportmgr member=RemoveExport dest=org.ganesha.nfsd
spid=5403 tpid=26644 scontext=system_u:system_r:glusterd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon"
sauid=81 hostname=? addr=? terminal=?
I ran the wrapper script (/usr/libexec/dbus-send.sh) used by cli from the
terminal with necessary parameters, the volume got exported.
for example
/usr/libexec/ganesha/dbus-send.sh /etc/ganesha/ <on/off> <volume name>
--- Additional comment from Apeksha on 2016-02-29 04:45:27 EST ---
**Steps when selinux was in enforcing mode
[root at dhcp46-59 ~]# getenforce
Enforcing
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]# gluster v create rs 10.70.46.59:/root/brick2 force
volume create: rs: success: please start the volume to access data
[root at dhcp46-59 ~]# gluster v start rs
volume start: rs: success
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]# #gluster v set rs ganesha.enable on
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]# gluster v set rs ganesha.enable on
volume set: success
[root at dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
type=USER_AVC msg=audit(1456767046.846:5613): pid=902 uid=81
auid=4294967295 ses=4294967295
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {
send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr
member=AddExport dest=org.ganesha.nfsd spid=1613 tpid=26644
scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[root at dhcp46-59 ~]# cat /var/log/audit/audit.log | audit2allow
#============= glusterd_t ==============
allow glusterd_t initrc_t:dbus send_msg;
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]# showmount -e localhost
Export list for localhost:
/sample (everyone)
[root at dhcp46-59 ~]#
**Steps when selinux is in permissive mode
[root at dhcp46-59 ~]# setenforce 0
[root at dhcp46-59 ~]# gluster v create rs1 10.70.46.59:/root/brick3 force
volume create: rs1: success: please start the volume to access data
[root at dhcp46-59 ~]# gluster v start rs1
volume start: rs1: success
[root at dhcp46-59 ~]# gluster v set rs1 ganesha.enable on
volume set: success
[root at dhcp46-59 ~]# showmount -e localhost
Export list for localhost:
/sample (everyone)
/rs1 (everyone)
[root at dhcp46-59 ~]# grep -i "avc" /var/log/audit/audit.log
type=USER_AVC msg=audit(1456767046.846:5613): pid=902 uid=81
auid=4294967295 ses=4294967295
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {
send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr
member=AddExport dest=org.ganesha.nfsd spid=1613 tpid=26644
scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1456767084.524:5622): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce
notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?
terminal=?'
type=USER_AVC msg=audit(1456767110.891:5623): pid=902 uid=81
auid=4294967295 ses=4294967295
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {
send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr
member=AddExport dest=org.ganesha.nfsd spid=2540 tpid=26644
scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0
tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[root at dhcp46-59 ~]# cat /var/log/audit/audit.log | audit2allow
#============= glusterd_t ==============
allow glusterd_t initrc_t:dbus send_msg;
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]#
[root at dhcp46-59 ~]# rpm -qa | grep selinux-policy
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
[root at dhcp46-59 ~]#
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1311911
[Bug 1311911] volume not getting exported after setting the option
ganesha.enable
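Added example (not part of the bug report or of any Red Hat or Gluster tooling): a Python parser for the dbus-daemon USER_AVC records quoted above. It tracks the "received setenforce notice" record so that denials logged while permissive are told apart from ones that actually blocked the AddExport call. The sample lines are the page's records re-joined onto single lines, and the mode in force before the first notice is an assumption passed in as a parameter.

```python
import re

def _denial(ts, spid):
    # Constructed helper: one denial record from the page, re-joined onto a single line.
    return ("type=USER_AVC msg=audit(%s): pid=902 uid=81 auid=4294967295 ses=4294967295 "
            "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  "
            "{ send_msg } for msgtype=signal interface=org.ganesha.nfsd.exportmgr "
            "member=AddExport dest=org.ganesha.nfsd spid=%d tpid=26644 "
            "scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:system_r:initrc_t:s0 "
            "tclass=dbus exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
            % (ts, spid))

# Constructed sample: the three records of the permissive-mode listing, in log order.
SAMPLE = [
    _denial("1456767046.846:5613", 1613),
    "type=USER_AVC msg=audit(1456767084.524:5622): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce "
    "notice (enforcing=0)  exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    _denial("1456767110.891:5623", 2540),
]

DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
NOTICE = re.compile(r"received setenforce notice \(enforcing=([01])\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_dbus_denials(lines, enforcing=True):
    """Return dbus-class USER_AVC denials; 'blocked' is False for ones logged while permissive.
    Assumption: the mode before the first setenforce notice is given by `enforcing`."""
    found = []
    for line in lines:
        if not line.startswith("type=USER_AVC"):
            continue
        notice = NOTICE.search(line)
        if notice:                      # mode switch recorded in the same log stream
            enforcing = notice.group(1) == "1"
            continue
        denied = DENIED.search(line)
        fields = dict(FIELD.findall(line[denied.end():])) if denied else {}
        if fields.get("tclass") != "dbus" or not {"scontext", "tcontext"} <= fields.keys():
            continue
        found.append({
            "source": fields["scontext"].split(":")[2],   # SELinux type of the sender
            "target": fields["tcontext"].split(":")[2],   # SELinux type of the receiver
            "perms": denied.group(1).split(),
            "call": "%s.%s" % (fields.get("interface", "?"), fields.get("member", "?")),
            "blocked": enforcing,
        })
    return found
```

On the sample, both records resolve to the glusterd_t to initrc_t pair that audit2allow reports in the transcript; only the first is marked as blocked.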