<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Ok, Just to bring this to a close I have instigated a BOLO for my database as it isn’t anywhere to be found on the publisher.<div class=""><br class=""></div><div class="">Rebuild time…….</div><div class=""><br class=""></div><div class="">Thanks for the responses and suggestions but even the database gods with their vast amounts of “pixie dust” and root access of course couldn’t find it.</div><div class=""><br class=""></div><div class=""><br class=""><div class="">
<div class="">Andy</div><div class=""><a href="mailto:andy.carse@gmail.com" class="">andy.carse@gmail.com</a></div><div class=""><br class=""></div><br class="Apple-interchange-newline">
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On 2 Mar 2016, at 21:52, Ryan Ratliff (rratliff) <<a href="mailto:rratliff@cisco.com" class="">rratliff@cisco.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
You’ll notice the vmtools upgrade will fail if you upgrade ESXi to a version that includes the 10240 build (<a href="https://packages.vmware.com/tools/versions" class="">https://packages.vmware.com/tools/versions</a>).
<div class="">Let it ride on the older vmtools (that won’t kill your system) until a COP file is out to fix the selinux policy.</div>
<div class=""><br class="">
<div class="">-Ryan </div>
<br class="">
<div class="">
<div class="">On Mar 2, 2016, at 2:42 PM, Andy Carse <<a href="mailto:andy.carse@gmail.com" class="">andy.carse@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<div class="">
<div class="">Esxi version is 5.5.0 Build 2068190 so that doesn't match.<br class="">
</div>
I don't remember it upgrading vmtools during the upgrade and the in the events it says upgrade vmtools which I'll refrain from at the moment.<br class="">
</div>
From the cli it only has utils vmtools refresh which is not very helpful if your trying to work out what version is currently running.<br class="">
<br class="">
</div>
<div class="gmail_extra" style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<br class="">
<div class="gmail_quote">On 2 March 2016 at 19:16, Brian V<span class="Apple-converted-space"> </span><span dir="ltr" class=""><<a href="mailto:bvanbens@gmail.com" target="_blank" class="">bvanbens@gmail.com</a>></span><span class="Apple-converted-space"> </span>wrote:<br class="">
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex;">
<div bgcolor="#FFFFFF" text="#000000" class="">Noticing your upgrade version is 10.5.2.13900<br class="">
could it be related to the new bug with vmware tools that fills the disk.<br class="">
<font face="Calibri" size="2" class=""><span class=""><br class="">
new sev2 bug with 9 TAC cases attached to it already <u class=""></u><u class=""></u></span></font><p class="MsoNormal"><font face="Calibri" size="2" class=""><span class=""><u class=""></u> <u class=""></u></span></font><font face="Calibri" size="2" class=""><span class="">VMware Tools 10.0 update fails on CUCM 10.5/11.0 with selinux denials<u class=""></u><u class=""></u></span></font></p><p class="MsoNormal"><font face="Calibri" size="2" class=""><span class="">CSCux90747<u class=""></u><u class=""></u></span></font></p>
<b class=""><font face="Calibri" size="2" class=""><span class="">Symptom:</span></font></b><br class=""><p class="MsoNormal"><font face="Calibri" size="2" class=""><span class="">VMware Tools upgrade fails due to various Selinux denials. VI-Client indicates tools status as Not running, Not Installed.<br class="">
<br class="">
The following selinux denial is seen in System Logs (messages) when VMtools update attempt fails either via VI-client initiated automatic update or Automatic Update that takes place during boot up as long as VM Setting "Check and upgrade VMware Tools before
each power on" is checked.<br class="">
<br class="">
Feb 25 20:20:18 cucm-pub user 3 setroubleshoot: SELinux is preventing /usr/bin/perl from create access on the directory /var/lib/. For complete SELinux messages. run sealert -l 84003ecc-5de4-4e59-9ab8-1e7a28225c18<br class="">
<br class="">
The following selinux denials is seen in System Logs (messages) when Vmtools update to 10.0 version or above is successful after putting System OS Security to Permissive mode followed by Update of Tools and then putting System OS Security back to Enforcing
mode.<br class="">
<br class="">
Feb 22 16:34:23 cucm-pub user 3 setroubleshoot: SELinux is preventing /usr/lib/vmware-caf/pme/bin/ManagementAgentHost from read access on the directory requests. For complete SELinux messages. run sealert -l 76069c58-d7be-482f-8391-4eb94d51ecd9<br class="">
Feb 22 16:34:23 cucm-pub user 3 setroubleshoot: SELinux is preventing /usr/lib/vmware-caf/pme/bin/ManagementAgentHost from read access on the directory requests. For complete SELinux messages. run sealert -l 76069c58-d7be-482f-8391-4eb94d51ecd9<br class="">
Feb 22 16:34:24 cucm-pub user 3 setroubleshoot: SELinux is preventing CThreadUtils::s from write access on the directory output. For complete SELinux messages. run sealert -l 9e71ec6f-cd83-43a5-8564-14f66e77e4ff<br class="">
Feb 22 16:34:24 cucm-pub user 3 setroubleshoot: SELinux is preventing /usr/lib/vmware-caf/pme/bin/ManagementAgentHost from read access on the directory providerReg. For complete SELinux messages. run sealert -l 76069c58-d7be-482f-8391-4eb94d51ecd9<br class="">
Feb 22 16:34:25 cucm-pub user 3 setroubleshoot: SELinux is preventing CThreadUtils::s from write access on the directory output. For complete SELinux messages. run sealert -l 9e71ec6f-cd83-43a5-8564-14f66e77e4ff<br class="">
<br class="">
Under these conditions where VMtools 10.0 is running with CUCM 10.X or 11.X, Putting OS Security mode back to enforcing will inevitably lead to:<br class="">
<br class="">
1. All available virtual memory is consumed by settroubleshootd because of continuous selinux denials<br class="">
2. vmware-caf logs consume 100% of the active partition due to selinux denying log rotation (logs are in /usr/lib/vmware-caf/pme/bin).<br class="">
<br class="">
<b class=""><span style="font-weight: bold;" class="">Conditions:</span></b><br class="">
Problem is seen after Upgrading to latest builds of ESXi 5.5 or 6.0 builds greater than 3248547 which bundles 10240 (10.0.0) version of VMware Tools and brings in a new vmware-caf functionality.<br class="">
<br class="">
<b class=""><span style="font-weight: bold;" class="">Workaround:</span></b><br class="">
DO NOT UPDATE Vmware tools to version 10240 (10.0.0) or above if you are running CUCM 10.x or 11.X<br class="">
<br class="">
If you have already attempted an earlier acceptable workaround to Update VMware tools to version 10.0 or above and restored OS Security mode to enforcing, you may observe a flooding of selinux denials in System messages logs.<br class="">
<br class="">
Under these condition the System will run out memory due to excessive setroubleshootd logging and eventually the run out of Active Root Partition which may prevent further access to Platform CLI and/or ability to create Remote support account to recover from
this condition.<br class="">
<br class="">
!!! This is extremely important !!! If you must keep selinux in enforcing mode all the time due to security concerns, do NOT upgrade to ESXi 6.0 and/or attempt to update vmtools install<br class="">
<br class="">
If you have already attempted an earlier workaround to Update VMware tools to version 10.0 or above Revert OS Security mode to permissive via (utils os secure permissive) immediately and contact TAC for recovery options.<br class="">
<br class="">
<b class=""><span style="font-weight: bold;" class="">Further Problem Description:</span></b><br class="">
Put OS Security back to enforcing mode only if you are absolutely sure that you are Updating VMware Tools to a version below 10.0. For reference look at this VMware tools version mapping doc to correlate your ESXi Host builds to bundled vmtools versions.</span></font></p>
<div class="">
<div class="h5"><br class="">
<br class="">
<div class="">On 3/2/2016 11:12 AM, Andy Carse wrote:<br class="">
</div>
</div>
</div>
<blockquote type="cite" class="">
<div class="">
<div class="h5">
<div dir="ltr" class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">I thought I was home and dry with this upgrade, but it would seem that the gods have deserted me.<br class="">
<br class="">
</div>
I upgraded to 10.5.2.13900-12 after some issue with GBNP, everything seemed ok.<br class="">
</div>
This morning I've come in to find that the database on the publisher won't start.<br class="">
</div>
So I've tried<span class="Apple-converted-space"> </span><br class="">
1. reboot of the cluster (its not gone live yet) no change.<br class="">
</div>
<div class="">2. Utils service start A Cisco DB<br class="">
</div>
2. tried dbreplication stop on the subs, then the publisher.<br class="">
</div>
dbreplication dropddmindb on the subs<br class="">
</div>
dbreplication dropadmindb on the pub<br class="">
</div>
<div class="">The pub comes back with "DropAdminDB cannot be executed on standalone or Cores cluster"<br class="">
</div>
<span class="Apple-converted-space"> </span><br class="">
</div>
I can't even web to ccmadmin on the pub and I forgot to carry out the "Golden Rule" of taking a backup soon after the upgrade.<br class="">
</div>
If I try to RTM that also fails......<br class="">
<br class="">
</div>
Is it time for a start from scratch moment?<br class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class=""><br class="">
<div class=""><br clear="all" class="">
<div class="">
<div class="">
<div class="">
<div class=""><br class="">
--<span class="Apple-converted-space"> </span><br class="">
<div class="">Rgds Andy<br class="">
<br class="">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br class="">
<fieldset class=""></fieldset><br class="">
</div>
</div>
<span class="">
<pre class="">_______________________________________________
cisco-voip mailing list
<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank" class="">https://puck.nether.net/mailman/listinfo/cisco-voip</a>
</pre>
</span></blockquote>
<br class="">
</div>
</blockquote>
</div>
<br class="">
<br clear="all" class="">
<br class="">
--<span class="Apple-converted-space"> </span><br class="">
<div class="gmail_signature">Rgds Andy<br class="">
<br class="">
</div>
</div>
<span style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">_______________________________________________</span><br style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<span style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; float: none; display: inline !important;" class="">cisco-voip
mailing list</span><br style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<a href="mailto:cisco-voip@puck.nether.net" style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">cisco-voip@puck.nether.net</a><br style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" style="font-family: LucidaGrande; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">https://puck.nether.net/mailman/listinfo/cisco-voip</a></div>
</div>
<br class="">
</div>
</div>
</div></blockquote></div><br class=""></div></body></html>