Bug 1027692
Summary: | Unable to start VM - EncryptHostCommunication=false conflicts with secure spice
---|---
Product: | Red Hat Enterprise Virtualization Manager
Reporter: | Jiri Belka <jbelka>
Component: | ovirt-engine
Assignee: | Alon Bar-Lev <alonbl>
Status: | CLOSED WONTFIX
Severity: | urgent
Priority: | unspecified
Version: | 3.3.0
CC: | acathrow, alonbl, bazulay, emesika, iheim, jbelka, lpeer, michal.skrivanek, pstehlik, Rhev-m-bugs, yeylon
Target Milestone: | ---
Keywords: | Triaged
Target Release: | 3.4.0
Hardware: | Unspecified
OS: | Unspecified
Whiteboard: | infra
Doc Type: | Bug Fix
Story Points: | ---
Last Closed: | 2013-12-11 12:16:31 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | Infra
Cloudforms Team: | ---
Description
Jiri Belka
2013-11-07 09:57:35 UTC
I cannot find an easy way for a workaround. Changing values in the conf file is probably not enough, the host stays in Initializing state and I cannot do anything with that...

So after a struggle I have it in Non-Operational but I can't do anything with that.

Itamar / Barak - thoughts on this - did we go too far - should this setting, as RFEd, only be for host communication - hence an Infra bug?

I'm inclined to say that the fix should be infra and to only change the engine->vdsm config.

(In reply to Andrew Cathrow from comment #4)
> I'm inclined to say that the fix should be infra and to only change the
> engine->vdsm config.

This is pure virt, the execution of a VM is entirely virt.

there was a reason this key wasn't public - it was meant to allow developers to work without ssl/certificates before we had the current dev environment.
i.e., this key doesn't disable ssl only, it bypasses the certificate generation/handling, so spice can't use ssl as well.
read: this disables all host encrypted communication including spice, not just engine-host.
so today, it should only be changed to false together with SSLEnabled (which also deserves a much better name...).
to really allow changing just one of them, then yes, infra needs to differentiate between EncryptHostCommunication and certificate generation.
the virt aspect should already be covered by setting SSLEnabled=false.
jiri - did you try SSLEnabled=false?

Created attachment 823364
engine.log, ovirt-20131113120313-10.34.62.205-13148100.log
No I did not try it. How would I know that? I'm doing what a customer would do, one who requested EncryptHostCommunication being configurable via engine-config.
Result when adding host while having both mentioned knobs set to false on RHEVM (installation failed because "FAILED: conflicting vdsm and libvirt-qemu tls configuration.", host-deploy issue...):
-%-
2013-11-13 11:03:13 DEBUG otopi.plugins.otopi.services.rhel plugin.execute:441 execute-output: ('/sbin/service', 'vdsmd', 'start') stdout:
supervdsm start[ OK ]
vdsm: Running run_init_hooks
vdsm: Running gencerts
vdsm: Running reconfigure_sanlock
vdsm: Running reconfigure_libvirt
checking certs..
libvirt is already configured for vdsm
vdsm: Running prepare_transient_repository
vdsm: Running syslog_available
vdsm: Running nwfilter
vdsm: Running dummybr
vdsm: Running load_needed_modules
vdsm: Running tune_system
vdsm: Running mkdirs
vdsm: Running test_space
vdsm: Running test_lo
vdsm: Running test_conflicting_conf
FAILED: conflicting vdsm and libvirt-qemu tls configuration.
vdsm.conf with ssl=False requires the following changed:
libvirtd.conf: listen_tcp=1, auth_tcp="none",
qemu.conf: spice_tls=0.
vdsm: failed to execute test_conflicting_conf, error code 1
vdsm start[FAILED]
2013-11-13 11:03:13 DEBUG otopi.plugins.otopi.services.rhel plugin.execute:446 execute-output: ('/sbin/service', 'vdsmd', 'start') stderr:
initctl: Job is already running: libvirtd
Traceback (most recent call last):
File "/usr/bin/vdsm-tool", line 143, in <module>
sys.exit(main())
File "/usr/bin/vdsm-tool", line 140, in main
return tool_command[cmd]["command"](*args[1:])
File "/usr/lib64/python2.6/site-packages/vdsm/tool/libvirt_configure.py", line 65, in test_conflict_configurations
File "/usr/lib64/python2.6/site-packages/vdsm/tool/libvirt_configure.py", line 46, in exec_libvirt_configure
RuntimeError: Failed to configure libvirt
2013-11-13 11:03:13 DEBUG otopi.context context._executeMethod:137 method exception
Traceback (most recent call last):
File "/tmp/ovirt-jq8UsKR78D/pythonlib/otopi/context.py", line 127, in _executeMethod
method['method']()
File "/tmp/ovirt-jq8UsKR78D/otopi-plugins/ovirt-host-deploy/vdsm/packages.py", line 217, in _start
self.services.state('vdsmd', True)
File "/tmp/ovirt-jq8UsKR78D/otopi-plugins/otopi/services/rhel.py", line 188, in state
'start' if state else 'stop'
File "/tmp/ovirt-jq8UsKR78D/otopi-plugins/otopi/services/rhel.py", line 96, in _executeServiceCommand
raiseOnError=raiseOnError
File "/tmp/ovirt-jq8UsKR78D/pythonlib/otopi/plugin.py", line 451, in execute
command=args[0],
RuntimeError: Command '/sbin/service' failed to execute
2013-11-13 11:03:13 ERROR otopi.context context._executeMethod:146 Failed to execute stage 'Closing up': Command '/sbin/service' failed to execute
-%-
I got it working with following steps:

* install failed
* remove host
* modify below options
* add host

-%-
# egrep "ssl|listen_tcp|auth_tcp|spice_tls[ \t]+" /etc/libvirt/libvirtd.conf /etc/libvirt/qemu.conf /etc/vdsm/vdsm.conf | grep -v :#
/etc/libvirt/libvirtd.conf:listen_tcp = 1
/etc/libvirt/libvirtd.conf:auth_tcp = "none"
/etc/libvirt/qemu.conf:spice_tls = 0
/etc/vdsm/vdsm.conf:ssl = false
-%-

VM has only plain-text spice:

-%-
# lsof -nPc qemu | grep LISTEN
qemu-kvm 15475 qemu 18u IPv4 183586 0t0 TCP *:5900 (LISTEN
-%-

SPICE console was opened to plain-text spice socket:

-%-
# tcpdump -i eth0 -n -s 1023 -A -c 10 host 10.34.62.205
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1023 bytes
12:32:17.745623 IP 10.34.131.48.56301 > 10.34.62.205.vnc-server: Flags [S], seq 1922054203, win 14600, options [mss 1460,sackOK,TS val 239114907 ecr 0,nop,wscale 7], length 0
E..<..@.@... ".0 ">.....r.8;......9............ .@..........
-%-

But to spice client even secure spice port is reported... Why if it does not exist?

-%-
$ grep -i port .spicec/spice-xpi.log
2013-11-13 12:34:33,359 DEBUG nsPluginInstance::SetPort: 5900
2013-11-13 12:34:33,361 DEBUG nsPluginInstance::SetUsbListenPort: 0
2013-11-13 12:34:33,362 DEBUG nsPluginInstance::SetSecurePort: 65535
-%-

See discussion in bug#1026300, the request at bug#1003117 is totally invalid for production, including this one.

Hello,

I want to clean this as WONTFIX, if anyone has something to say, please speak now.

Thanks,
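
The conflict rule printed by `test_conflicting_conf` in the host-deploy log above can be checked offline against copies of the three files. The following is an added example, not part of this bug thread and not vdsm's own code; the function names, the assumed defaults for unset keys, and the mirrored rule for `ssl=true` are assumptions of the example.

```python
import re

# From the vdsm test_conflicting_conf message quoted in this bug:
# vdsm.conf ssl=false requires these values in the other two files.
REQUIRED_WHEN_PLAINTEXT = {
    ("libvirtd.conf", "listen_tcp"): "1",
    ("libvirtd.conf", "auth_tcp"): "none",
    ("qemu.conf", "spice_tls"): "0",
}
# Assumption: value used when a key is absent or commented out.
ASSUMED_DEFAULTS = {("vdsm.conf", "ssl"): "true", ("libvirtd.conf", "listen_tcp"): "0",
                    ("libvirtd.conf", "auth_tcp"): "sasl", ("qemu.conf", "spice_tls"): "0"}
_LINE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#\n]*?)"?\s*(?:#.*)?$')

def parse_settings(text):
    """Return {key: value} for uncommented 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().lower()
    return settings

def check_tls_consistency(vdsm_conf, libvirtd_conf, qemu_conf):
    """Return (plaintext, conflicts) for the text of the three files."""
    parsed = {"vdsm.conf": parse_settings(vdsm_conf),
              "libvirtd.conf": parse_settings(libvirtd_conf),
              "qemu.conf": parse_settings(qemu_conf)}

    def get(fname, key):
        return parsed[fname].get(key, ASSUMED_DEFAULTS[(fname, key)])

    plaintext = get("vdsm.conf", "ssl") != "true"
    conflicts = []
    for (fname, key), plain_value in REQUIRED_WHEN_PLAINTEXT.items():
        actual = get(fname, key)
        # The ssl=false rule is the page's; treating the same values as a
        # conflict when ssl=true is the mirrored rule, assumed here.
        if (actual == plain_value) != plaintext:
            state = "false" if plaintext else "true"
            conflicts.append(f"{fname}: {key}={actual} conflicts with vdsm.conf ssl={state}")
    return plaintext, conflicts

# Constructed samples: the working plaintext set from the comment above, and
# a host whose libvirt/qemu files are still TLS while vdsm.conf has ssl=false.
WORKING = ("[vars]\nssl = false\n", 'listen_tcp = 1\nauth_tcp = "none"\n', "spice_tls = 0\n")
HALF_CONFIGURED = ("[vars]\nssl = false\n", '#listen_tcp = 1\nauth_tcp = "sasl"\n', "spice_tls = 1\n")

if __name__ == "__main__":
    for name, files in (("working", WORKING), ("half-configured", HALF_CONFIGURED)):
        print(name, check_tls_consistency(*files))
```

A `plaintext` result of `True` with no conflicts describes the state shown in the thread, where the VM starts but SPICE listens unencrypted on port 5900, so it is worth reporting on its own in a host audit.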