<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Noticing your upgrade version is 10.5.2.13900<br>
could it be related to the new bug with vmware tools that fills the
disk.<br>
<font color="black" size="2" face="Calibri"><span
style="font-size:10.5pt;font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times
New Roman";color:black"><br>
new sev2 bug with 9 TAC cases attached to it
already <o:p></o:p></span></font>
<p class="MsoNormal"><font color="black" size="2" face="Calibri"><span
style="font-size:10.5pt;font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times
New Roman";color:black"><o:p> </o:p></span></font><font
color="black" size="2" face="Calibri"><span
style="font-size:10.5pt;font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times
New Roman";color:black">VMware Tools 10.0 update fails on
CUCM 10.5/11.0
with selinux denials<o:p></o:p></span></font>
</p>
<p class="MsoNormal"><font color="black" size="2" face="Calibri"><span
style="font-size:10.5pt;font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times
New Roman";color:black">CSCux90747<o:p></o:p></span></font></p>
<b><font color="black" size="2" face="Calibri"><span
style="font-size:10.5pt;font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times
New Roman";color:black;font-weight:bold">Symptom:</span></font></b><br>
<p class="MsoNormal"><font color="black" size="2" face="Calibri"><span
style="font-size:10.5pt;font-family:"Calibri",sans-serif;
mso-fareast-font-family:"Times
New Roman";color:black">
VMware Tools upgrade fails due to various Selinux denials.
VI-Client indicates
tools status as Not running, Not Installed.<br>
<br>
The following selinux denial is seen in System Logs (messages)
when VMtools
update attempt fails either via VI-client initiated automatic
update or
Automatic Update that takes place during boot up as long as VM
Setting
"Check and upgrade VMware Tools before each power on" is
checked.<br>
<br>
Feb 25 20:20:18 cucm-pub user 3 setroubleshoot: SELinux is
preventing
/usr/bin/perl from create access on the directory /var/lib/.
For complete
SELinux messages. run sealert -l
84003ecc-5de4-4e59-9ab8-1e7a28225c18<br>
<br>
The following selinux denials is seen in System Logs
(messages) when Vmtools
update to 10.0 version or above is successful after putting
System OS Security
to Permissive mode followed by Update of Tools and then
putting System OS
Security back to Enforcing mode.<br>
<br>
Feb 22 16:34:23 cucm-pub user 3 setroubleshoot: SELinux is
preventing
/usr/lib/vmware-caf/pme/bin/ManagementAgentHost from read
access on the
directory requests. For complete SELinux messages. run sealert
-l
76069c58-d7be-482f-8391-4eb94d51ecd9<br>
Feb 22 16:34:23 cucm-pub user 3 setroubleshoot: SELinux is
preventing
/usr/lib/vmware-caf/pme/bin/ManagementAgentHost from read
access on the
directory requests. For complete SELinux messages. run sealert
-l
76069c58-d7be-482f-8391-4eb94d51ecd9<br>
Feb 22 16:34:24 cucm-pub user 3 setroubleshoot: SELinux is
preventing
CThreadUtils::s from write access on the directory output. For
complete SELinux
messages. run sealert -l 9e71ec6f-cd83-43a5-8564-14f66e77e4ff<br>
Feb 22 16:34:24 cucm-pub user 3 setroubleshoot: SELinux is
preventing
/usr/lib/vmware-caf/pme/bin/ManagementAgentHost from read
access on the
directory providerReg. For complete SELinux messages. run
sealert -l
76069c58-d7be-482f-8391-4eb94d51ecd9<br>
Feb 22 16:34:25 cucm-pub user 3 setroubleshoot: SELinux is
preventing CThreadUtils::s
from write access on the directory output. For complete
SELinux messages. run
sealert -l 9e71ec6f-cd83-43a5-8564-14f66e77e4ff<br>
<br>
Under these conditions where VMtools 10.0 is running with CUCM
10.X or 11.X,
Putting OS Security mode back to enforcing will inevitably
lead to:<br>
<br>
1. All available virtual memory is consumed by
settroubleshootd because of
continuous selinux denials<br>
2. vmware-caf logs consume 100% of the active partition due to
selinux denying
log rotation (logs are in /usr/lib/vmware-caf/pme/bin).<br>
<br>
<b><span style="font-weight:bold">Conditions:</span></b><br>
Problem is seen after Upgrading to latest builds of ESXi 5.5
or 6.0 builds
greater than 3248547 which bundles 10240 (10.0.0) version of
VMware Tools and
brings in a new vmware-caf functionality.<br>
<br>
<b><span style="font-weight:bold">Workaround:</span></b><br>
DO NOT UPDATE Vmware tools to version 10240 (10.0.0) or above
if you are
running CUCM 10.x or 11.X<br>
<br>
If you have already attempted an earlier acceptable workaround
to Update VMware
tools to version 10.0 or above and restored OS Security mode
to enforcing, you
may observe a flooding of selinux denials in System messages
logs.<br>
<br>
Under these condition the System will run out memory due to
excessive
setroubleshootd logging and eventually the run out of Active
Root Partition
which may prevent further access to Platform CLI and/or
ability to create
Remote support account to recover from this condition.<br>
<br>
!!! This is extremely important !!! If you must keep selinux
in enforcing mode
all the time due to security concerns, do NOT upgrade to ESXi
6.0 and/or
attempt to update vmtools install<br>
<br>
If you have already attempted an earlier workaround to Update
VMware tools to
version 10.0 or above Revert OS Security mode to permissive
via (utils os
secure permissive) immediately and contact TAC for recovery
options.<br>
<br>
<b><span style="font-weight:bold">Further Problem Description:</span></b><br>
Put OS Security back to enforcing mode only if you are
absolutely sure that you
are Updating VMware Tools to a version below 10.0. For
reference look at this
VMware tools version mapping doc to correlate your ESXi Host
builds to bundled
vmtools versions.</span></font></p>
<br>
<br>
<div class="moz-cite-prefix">On 3/2/2016 11:12 AM, Andy Carse wrote:<br>
</div>
<blockquote
cite="mid:CAJS_s=-ZskQ-=Ek9uy3ZdeQrBZ6QFxZ+R=2x-eGqvhk9Euar4Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>I thought I was home and dry with this
upgrade, but it would seem that the gods
have deserted me.<br>
<br>
</div>
I upgraded to 10.5.2.13900-12 after some issue
with GBNP, everything seemed ok.<br>
</div>
This morning I've come in to find that the
database on the publisher won't start.<br>
</div>
So I've tried <br>
1. reboot of the cluster (its not gone live yet)
no change.<br>
</div>
<div>2. Utils service start A Cisco DB<br>
</div>
2. tried dbreplication stop on the subs, then the
publisher.<br>
</div>
dbreplication dropddmindb on the subs<br>
</div>
dbreplication dropadmindb on the pub<br>
</div>
<div>The pub comes back with "DropAdminDB cannot be
executed on standalone or Cores cluster"<br>
</div>
<br>
</div>
I can't even web to ccmadmin on the pub and I forgot to
carry out the "Golden Rule" of taking a backup soon after
the upgrade.<br>
</div>
If I try to RTM that also fails......<br>
<br>
</div>
Is it time for a start from scratch moment?<br>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div><br>
<div><br clear="all">
<div>
<div>
<div>
<div><br>
-- <br>
<div class="gmail_signature">Rgds Andy<br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cisco-voip mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a>
</pre>
</blockquote>
<br>
</body>
</html>