Re: CentOS 8 Ussuri can't launch instance /usr/libexec/qemu-kvm: Permission denied
First of all thanks a lot for the quick reply.

I just checked and it seems that the package is really not available for centos8 from the upstream repo:

https://centos.pkgs.org/8/centos-appstream-x86_64/podman-1.6.4-15.module_el8...

When you say it should be available via rdo, does this mean I have to add or use a different repo when deploying undercloud / overcloud? I have followed the tripleo guide to deploy it:

https://docs.openstack.org/tripleo-docs/latest/

And is there a way to disable selinux on all overcloud nodes by default? I guess it is the default to disable it?

Cheers, Oliver

On 19 October 2020 at 15:29, Alex Schultz <aschultz@redhat.com> wrote:

On Mon, Oct 19, 2020 at 7:09 AM Oliver Weinmann <oliver.weinmann@me.com> wrote:

Hi all,

I have successfully deployed the overcloud many many times, but this time I have a strange behaviour. Whenever I try to launch an instance it fails. I checked the logs on the compute node and saw this error:

Failed to build and run instance: libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied

Googling led me to the solution to disable selinux:

    setenforce 0

I have not made this change persistent yet, as I would like to know why I'm facing this issue right now. What is actually the default for the overcloud nodes SELinux? Enforcing, permissive or disabled? I build the ipa and overcloud image myself as I had to include drivers. Is this maybe the reason why SELinux is now enabled, but is actually disabled when using the default ipa images?

From a TripleO perspective, we do not officially support selinux enabled when running with CentOS. In theory it should work, however it is very dependent on versions. I think you're likely running into an issue with the correct version of podman which is likely causing this. We've had some issues as of late which require a very specific version of podman in order to work correctly with nova compute when running with selinux enabled. You need 1.6.4-15 or higher which I don't think is available with centos8. It should be available via RDO.

Related: https://review.opendev.org/#/c/736173/

Thanks and Best Regards,
Oliver
On Mon, Oct 19, 2020 at 7:59 AM Oliver Weinmann <oliver.weinmann@me.com> wrote:
First of all thanks a lot for the quick reply.
I just checked and it seems that the package is really not available for centos8 from the upstream repo:
https://centos.pkgs.org/8/centos-appstream-x86_64/podman-1.6.4-15.module_el8...
When you say it should be available via rdo, does this mean I have to add or use a different repo when deploying undercloud / overcloud? I have followed the tripleo guide to deploy it:
I thought we shipped it, maybe we don't because we run with selinux disabled so it doesn't show up in CI.
https://docs.openstack.org/tripleo-docs/latest/
And is there a way to disable selinux on all overcloud nodes by default? I guess it is the default to disable it?
Set the following in an environment file as part of the deployment:

    parameter_defaults:
      SELinuxMode: permissive
Cheers, Oliver
On 19 October 2020 at 15:29, Alex Schultz <aschultz@redhat.com> wrote:
On Mon, Oct 19, 2020 at 7:09 AM Oliver Weinmann <oliver.weinmann@me.com> wrote:
Hi all,
I have successfully deployed the overcloud many many times, but this time I have a strange behaviour. Whenever I try to launch an instance it fails. I checked the logs on the compute node and saw this error:
Failed to build and run instance: libvirt.libvirtError: internal error: process exited while connecting to monitor: libvirt: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied
Googling led me to the solution to disable selinux:
setenforce 0
I have not made this change persistent yet, as I would like to know why I'm facing this issue right now. What is actually the default for the overcloud nodes SELinux? Enforcing, permissive or disabled? I build the ipa and overcloud image myself as I had to include drivers. Is this maybe the reason why SELinux is now enabled, but is actually disabled when using the default ipa images?
From a TripleO perspective, we do not officially support selinux enabled when running with CentOS. In theory it should work, however it is very dependent on versions. I think you're likely running into an issue with the correct version of podman which is likely causing this. We've had some issues as of late which require a very specific version of podman in order to work correctly with nova compute when running with selinux enabled. You need 1.6.4-15 or higher which I don't think is available with centos8. It should be available via RDO.
Related: https://review.opendev.org/#/c/736173/
Thanks and Best Regards,
Oliver
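
A triage helper for the situation discussed in this thread, added here as an example and not code from either poster or from TripleO: it reports whether a compute node is in the combination Alex describes (SELinux enforcing with podman older than 1.6.4-15). The function names and the sample version string in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
MIN_PODMAN="1.6.4-15"   # minimum podman version-release named in the thread

# Reduce an RPM version-release to its numeric prefix, e.g. the constructed
# value "1.6.4-10.module_el8.constructed" becomes "1.6.4-10".
podman_vr() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*-[0-9]+).*/\1/'
}

# Succeed when version-release $1 >= $2, comparing fields numerically.
vr_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# classify_node MODE PODMAN_VERSION_RELEASE -> prints one verdict word.
classify_node() {
    vr=$(podman_vr "$2")
    case "$1" in
        Enforcing) ;;
        Permissive|Disabled) echo "not-enforcing"; return 0 ;;
        *) echo "unknown-mode"; return 0 ;;
    esac
    case "$vr" in
        [0-9]*-[0-9]*) ;;
        *) echo "unknown-podman"; return 0 ;;   # e.g. package not installed
    esac
    if vr_at_least "$vr" "$MIN_PODMAN"; then
        echo "enforcing-podman-ok"
    else
        echo "enforcing-podman-too-old"   # the combination suspected in the thread
    fi
}

# Live check on a compute node: run this script with --live.
check_this_node() {
    classify_node "$(getenforce)" \
        "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' podman 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then check_this_node; fi
```

A verdict of `enforcing-podman-too-old` points at the package version rather than at the SELinux policy itself, which is the distinction to settle before leaving a node in permissive mode.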