Bug 1027236

Summary: pmcd fails to start, nss/cert problems
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Smetana <tsmetana>
Component: pcpAssignee: Dave Brolley <brolley>
Status: CLOSED CURRENTRELEASE QA Contact: Miloš Prchlík <mprchlik>
Severity: medium Docs Contact:
Priority: urgent    
Version: 7.0CC: fche, mbenitez, mgoodwin, mprchlik, nathans, sct
Target Milestone: betaKeywords: Regression
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pcp-3.8.6-2.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 12:06:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Smetana 2013-11-06 12:11:13 UTC 
Description of problem:
Ater a fresh installation of pcp the pmcd deamon fails to start.

Version-Release number of selected component (if applicable):
pcp-3.8.6-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. systemctl start pmcd.service

Actual results:
The pmcd deamon is not running, unable to connect...

Expected results:
The daemon is up, accepting connections.

Additional info:
cat /var/log/pcp/pmcd/pmcd.log says:

Log for pmcd on el-7-local started Wed Nov  6 06:34:20 2013

[Wed Nov  6 06:34:20] pmcd(12760) Error: Unable to set NSS export policy: Failure to load dynamic library
[Wed Nov  6 06:34:20] pmcd(12760) Error: pmcd not started due to errors!

Log finished Wed Nov  6 06:34:20 2013
Comment 1 Frank Ch. Eigler 2013-11-06 12:29:27 UTC 
This appears to be an NSS certificate-database configuration problem.

It seems unfortunate that pmcd fails entirely upon such a problem.  At
worst we should allow communication without SSL/TLS, e.g. over normal
TCP and definitely over local:.

It is also suspicious that we should be initializing nss to the "Export"
suite of ciphers, which probably unnecessarily weakens it.

nss-3.15.2-7.el7.x86_64
pcp-3.8.6-1.el7.x86_64

reproducible on tofan.yyz's rhel7 vm
Comment 2 Frank Ch. Eigler 2013-11-06 12:32:11 UTC 
See bug #1001841: nss-3.15.2-6 "disable ssl2 and the export cipher suites".
Comment 4 Frank Ch. Eigler 2013-11-06 16:09:31 UTC 
See also bug #1026677.
Open-coding a version of that nss patch within pcp.
Comment 6 Dave Brolley 2013-11-12 16:40:41 UTC 
(In reply to Frank Ch. Eigler from comment #1)
> It seems unfortunate that pmcd fails entirely upon such a problem.  At
> worst we should allow communication without SSL/TLS, e.g. over normal
> TCP and definitely over local:.

Opened upstream bug http://oss.sgi.com/bugzilla/show_bug.cgi?id=1035 to track this.
Comment 8 Ludek Smid 2014-06-13 12:06:54 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.