Re: iscsi.service: Unit cannot be reloaded because it is inactive.

Thank you.
The problem was that I must turn on the iSCSI Shared Storage before the other nodes.




On Thursday, April 8, 2021, 12:20:39 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote: 







On Wed, Apr 7, 2021 at 7:38 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
> Sorry, problem not solved.
> When I restarted my servers, that problem appeared again. Thus, is it a bug?
Which problem reappeared? Are there any AVC/USER_AVC denials?

>  
> 
> 
> 
> 
> 
> On Wednesday, April 7, 2021, 09:40:35 PM GMT+4:30, Jason Long <hack3rcon@xxxxxxxxx> wrote: 
> 
> 
> 
> 
> 
> Thanks.
> The problem was that I forgot to open port 3260/tcp on my node1 and node2. I opened that port on my nodes and the result is:
> 
> Full List of Resources:
>     * Resource Group: apache:
>     * httpd_fs    (ocf::heartbeat:Filesystem):     Started
>     * httpd_vip    (ocf::heartbeat:IPaddr2):        Started
>     * httpd_ser    (ocf::heartbeat:apache):        Started
> 
> 
> 
> 
> 
> 
> On Wednesday, April 7, 2021, 08:50:33 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote: 
> 
> 
> 
> 
> 
> 
> 
> On Wed, Apr 7, 2021 at 5:39 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
>> Thank you.
>> I'm using Fedora Server 33 and the output of your command is:
>> 
>> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>> ----
>> type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc:  denied  { name_bind } for  pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0 
> This should be fixed soon:
> https://bugzilla.redhat.com/show_bug.cgi?id=1935101
> 
>>  
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On Tuesday, April 6, 2021, 02:37:59 PM GMT+4:30, Zdenek Pytela <zpytela@xxxxxxxxxx> wrote: 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On Sun, Apr 4, 2021 at 12:56 PM Jason Long <hack3rcon@xxxxxxxxx> wrote:
>>> Hello,
>>> I'm using Fedora Server as an iSCSI Shared Storage. When I rebooted my server, the "iscsi.service" couldn't load:
>>> 
>>> [root@node3 ~]# systemctl status iscsi.service 
>>> ● iscsi.service - Login and scanning of iSCSI devices
>>>      Loaded: loaded (/usr/lib/systemd/system/iscsi.service; enabled; vendor preset: enabled)
>>>      Active: inactive (dead)
>>>   Condition: start condition failed at Sat 2021-04-03 18:49:08 +0430; 2s ago
>>>              └─ ConditionDirectoryNotEmpty=/var/lib/iscsi/nodes was not met
>>>        Docs: man:iscsiadm(8)
>>>              man:iscsid(8)
>>> 
>>> 
>>> 
>>> 
>>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
>>> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
>>> Apr 03 18:49:08 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>>> 
>>> 
>>> SELinux is enabled on my Fedora Server:
>>> 
>>> # sestatus 
>>> SELinux status:                 enabled
>>> SELinuxfs mount:                /sys/fs/selinux
>>> SELinux root directory:         /etc/selinux
>>> Loaded policy name:             targeted
>>> Current mode:                   enforcing
>>> Mode from config file:          enforcing
>>> Policy MLS status:              enabled
>>> Policy deny_unknown status:     allowed
>>> Memory protection checking:     actual (secure)
>>> Max kernel policy version:      33
>>> 
>>> [root@node3 ~]# ps -eZ | grep iscsid_t
>>> [root@node3 ~]# 
>>> 
>>> And when I looked at the log, I saw the errors below:
>>> 
>>> # dmesg -H -l err
>>> [Apr 4 15:05] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
>>> [  +0.000009] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
>>> [  +9.037994] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
>>> [  +0.000014] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
>>> [  +0.000798] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>>> [  +0.000004] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>>> 
>>> How can I configure SELinux for an iSCSI Shared Storage?
>> Hi,
>> 
>> Do you have any indication it was SELinux blocking some access? Can you look for AVCs in the audit log? Which Fedora version is it?
>> 
>>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
>> 
>> 
>>>  
>>> Thank you.
>>> 
>>> _______________________________________________
>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>> 
>> 
>> 
>> -- 
>> 
>> Zdenek Pytela
>> Security SELinux team

> 
>> 
>> 
>> 
>> 
> 
> 
> -- 
> 
> Zdenek Pytela
> Security SELinux team
> 
> 
> 


-- 

Zdenek Pytela
Security SELinux team
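
The triage step the thread keeps returning to (are there AVC denials, and do they belong to the iSCSI daemon?) can be scripted over `ausearch -i` output. This is an added example, not part of the original messages: it parses interpreted AVC records and filters them by source domain, using `iscsid_t` from the `ps -eZ` check above. The second sample record is constructed for illustration and does not come from the thread.

```python
import re

# Constructed input: the first record is the AVC quoted in the thread; the
# second is a made-up iscsid_t denial added only so the filter has a hit.
SAMPLE = """\
----
type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc:  denied  { name_bind } for  pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0
----
type=AVC msg=audit(04/07/2021 20:01:02.101:150) : avc:  denied  { read } for  pid=812 comm=iscsid name=nodes scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    # A context is user:role:type:level; the type field is the domain.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the access was actually blocked, not just logged.
    rec["blocked"] = rec["result"] == "denied" and rec.get("permissive") == "0"
    return rec

def denials_for_domain(text, domain):
    """All denied records whose source domain is `domain`."""
    recs = (parse_avc(line) for line in text.splitlines())
    return [r for r in recs if r and r["result"] == "denied"
            and r["source_type"] == domain]

if __name__ == "__main__":
    for dom in ("iscsid_t", "named_t"):
        for r in denials_for_domain(SAMPLE, dom):
            print(dom, r["comm"], r["perms"], r["target_type"],
                  r["tclass"], "blocked" if r["blocked"] else "logged only")
```

Run against the thread's real record alone, the `iscsid_t` filter returns nothing: the only denial is `unbound-anchor` in `named_t`.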
