[LU-14581] el8.3/lu2.14 cannot mount mgs with selinux enabled
Created: 04/Apr/21
Updated: 04/Apr/21

Status: Open
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Minor
Reporter: Dominique Martinet
Assignee: WC Triage
Resolution: Unresolved
Votes: 0
Labels: None

Issue Links:
Related
is related to LU-12514 separate out the lustre mount code fo... Open
Severity: 3
Rank (Obsolete): 9223372036854775807

Description

I just tried setting up a test server on el8 and took a bit of time to realize selinux was the problem, even if set to permissive.

Setting selinux to disabled allowed me to mount the server normally.

The problem seems to be that selinux thinks there is no xattr support and throws the baby with the water?

Might be relevant: I've only tested with a loop mount, it might work with real devices.

Here are the traces I have; happy to provide more if required:

# rm -f mgt && truncate -s 50M mgt && mkfs.lustre --mgs mgt
# mount -t lustre -o loop ./mgt /mnt/lustre/mgt/
mount.lustre: mount /dev/loop0 at /mnt/lustre/mgt failed: Operation not supported
# dmesg | tail
[  100.138808] LDISKFS-fs (loop0): mounted filesystem with ordered data mode. Opts: user_xattr,errors=remount-ro,no_mbcache,nodelalloc
[  101.210730] SELinux: (dev lustre, type lustre) has no xattr support
[  101.236892] Lustre: server umount MGS complete
# (nothing obvious in lctl dk as the umount was not initiated from lustre code)
# bpftrace -e 'kprobe:server_put_super { printf("umount: %s\n", kstack); }'
Attaching 1 probe...
umount: 
        server_put_super+1
        generic_shutdown_super+108
        kill_anon_super+20
        deactivate_locked_super+52
        mount_fs+308
        vfs_kern_mount.part.35+84
        do_mount+508
        ksys_mount+182
        __x64_sys_mount+33
        do_syscall_64+91
        entry_SYSCALL_64_after_hwframe+101
# cd /usr/src/debug/kernel-4.18.0-240.15.1.el8_3/linux-4.18.0-240.15.1.el8_3.x86_64/
# vim -t mount_fs
...
struct dentry *
mount_fs(struct file_system_type *type, int flags, const char *name, void *data)
{
...
        error = security_sb_kern_mount(sb, flags, secdata);
        if (error)
                goto out_sb;
...
out_sb:
        dput(root);
        deactivate_locked_super(sb);
...

So the selinux message in dmesg was a real hard error and not a safe-to-ignore warning as I'm used to...

I didn't look further into why selinux thinks there is no xattr support, but quick tracing shows selinux_sb_kern_mount() is called twice - once for osd_mount for the actual ldiskfs device which works, and once more for the actual lustre layer mount call which I guess is probably expected not to have xattrs, so I guess selinux got a bit more strict lately, or a policy change? I'm not sure policies can make the difference between the "lustre" server mount and the "lustre" client mount unfortunately.



Comments
Comment by Dominique Martinet [ 04/Apr/21 ]

I just recalled there's a lustre_tgt mount type now, that works with selinux enabled.

Is that a known issue? Would it be possible for the server code to detect we're mounting a target and adjust the type internally so selinux applies the right things™?

(note my report title says mgs but this applies to all server types)
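
Added example (not part of the original report or comment, and not Lustre project code): a shell filter that scans kernel log lines for the SELinux "has no xattr support" rejection quoted in the dmesg output above and reports whether a Lustre server umount followed it, which is the signature of the failed mount described in this issue. The function name and output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Lustre project code. Function name and output format
# are assumptions made for illustration.

# Read kernel log lines on stdin. For each SELinux "has no xattr support"
# rejection, print the device and filesystem type it names and whether a
# "Lustre: server umount ... complete" line appeared later in the log.
selinux_xattr_rejects() {
    awk '
    # Drop the "[  101.210730] " timestamp that dmesg prepends.
    { sub(/^\[[ 0-9.]*\] */, "") }

    /^SELinux: \(dev [^,]+, type [^)]+\) has no xattr support/ {
        rest = $0
        sub(/^SELinux: \(dev /, "", rest)      # "lustre, type lustre) has ..."
        d = rest; sub(/,.*/, "", d)
        t = rest; sub(/^[^,]*, type /, "", t); sub(/\).*/, "", t)
        n++; dev[n] = d; typ[n] = t; umount[n] = "no"; pending = n
        next
    }

    # The superblock teardown that follows a rejected server mount.
    /^Lustre: server umount .* complete/ {
        if (pending) { umount[pending] = "yes"; pending = 0 }
    }

    END {
        for (i = 1; i <= n; i++)
            printf "dev=%s type=%s server_umount_followed=%s\n",
                   dev[i], typ[i], umount[i]
    }'
}

# Sample input: the three dmesg lines quoted in the report, plus one
# constructed unrelated line.
SAMPLE_LOG='[  100.138808] LDISKFS-fs (loop0): mounted filesystem with ordered data mode. Opts: user_xattr,errors=remount-ro,no_mbcache,nodelalloc
[  101.210730] SELinux: (dev lustre, type lustre) has no xattr support
[  101.236892] Lustre: server umount MGS complete
[  102.000000] constructed: unrelated kernel message'

printf '%s\n' "$SAMPLE_LOG" | selinux_xattr_rejects
```

On a live server, pipe `dmesg` into `selinux_xattr_rejects` after a failed mount instead of using the sample text.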
