After the previous two days of debugging, Simo Sorce suggested that I need to tell the OS to show all AVCs; some are hidden by default.
Author Archives: Adam Young
SE Linux for CentOS Continued
Trying to troubleshoot the issues from yesterday’s SELinux errors.
SELinux for Kubevirt on Centos
Without disabling SELinux enforcement, an attempt to deploy a VM generates the following audit message:
type=AVC msg=audit(1504194626.938:877): avc: denied { transition } for pid=9574 comm="libvirtd" path="/usr/local/bin/qemu-system-x86_64" dev="dm-19" ino=31526884 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:svirt_tcg_t:s0:c408,c741 tclass=process
Running this through audit2allow provides a little more visibility into the problem:
#============= spc_t ==============
#!!!! The file '/usr/local/bin/qemu-system-x86_64' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /usr/local/bin/qemu-system-x86_64
allow spc_t svirt_tcg_t:process transition;
This is probably due to running much of the virtualization machinery in containers. /usr/local/bin/qemu-system-x86_64 comes from inside the libvirt container. It does not exist on the base OS filesystem. Thus, just running restorecon won’t do much.
Deploying Kubevirt on Origin Master
Now that I have a functional OpenShift Origin built from source, I need to deploy KubeVirt on top of it.
Here are my notes. This is rough, and not production quality yet, but should get you started.
Running OpenShift Origin built from source
Kubernetes is moving from Third Party Resources to the Aggregated API Server. In order to work with this and continue to deploy on OpenShift Origin, we need to move from working with the shipped and stable version that is in Fedora 26 to the development version in git. Here are my notes to get it up and running.
Customizing the KubeVirt Manifests
My cloud may not look like your cloud. The contract between the application deployment and the Kubernetes installation is a set of manifest files that guide Kubernetes in selecting, naming, and exposing resources. In order to make the generation of the Manifests sane in KubeVirt, we’ve provided a little bit of build system support.
Docker without sudo on Centos 7
I have been getting prepped to build the OpenShift Origin codebase on Centos 7. I started from a fairly minimal VM which did not have docker or Development Tools installed. Once I thought I had all the prerequisites, I kicked off the build and got
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
This seems to be due to the fact that the ayoung user does not have permissions to read/write on the domain socket, /var/run/docker.sock.
Bonding two Ethernet devices
In my continued investigations of networking stuff, I came across the question “How do you bond two ethernet devices together?”  While I did this years ago on RHEL3, I have pretty much forgotten how, so I decided to research and relearn this.
Enabling an Ethernet connection on Centos7
I recently created a new Centos VM. When it booted, I noticed it did not have a working ethernet connection. So, I started playing with things, and got it working. Here are my notes:
What is minishift ssh anyway?
The documentation says that to access a minishift-deployed VM you can use `minishift ssh` to log in, but what if you want to use other tooling (like Ansible) to get in there? How can you use standard ssh commands to connect?