Bug 1034634

Summary: missing certificates generation cause virsh and spice connection to fail
Product: Red Hat Enterprise Virtualization Manager
Reporter: Sandro Bonazzola <sbonazzo>
Component: ovirt-hosted-engine-setup
Assignee: Yedidyah Bar David <didi>
Status: CLOSED ERRATA
QA Contact: movciari
Severity: high
Docs Contact:
Priority: high
Version: 3.3.0
CC: adingman, dfediuck, didi, dkline, iheim, jbelka, josh, michele, mkalinin, oschreib, pablo.iranzo, pstehlik, rhodain, sbonazzo, scohen, thunt, tpoitras, vfarias
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: 3.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: integration
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, certificate authority certificates were not generated for libvirt. This resulted in a failure to connect to the engine virtual machine using virsh or SPICE during the hosted-engine deployment. Now, the necessary certificates are generated before libvirt is configured for VDSM and users can connect to the engine virtual machine using virsh or SPICE.
Story Points: ---
Clone Of:
: 1073446
Environment:
Last Closed: 2014-06-09 14:47:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1063576, 1073446, 1078909, 1142926

Description Sandro Bonazzola 2013-11-26 09:06:57 UTC
On a clean system install, trying to use a virsh connection to access the shell for installing the OS inside the Self Hosted Engine VM leads to:
 # virsh -c qemu+tls:///Test/system console HostedEngine
 error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or  directory
 error: failed to connect to the hypervisor

The '/etc/pki/CA/cacert.pem' file is created later, when the host is added to the manager by ovirt-host-deploy.

We need to provide /etc/pki/CA/cacert.pem before OS installation for allowing virsh to connect to the hypervisor.

Comment 1 Sandro Bonazzola 2013-11-26 09:13:38 UTC
Workaround: http://libvirt.org/remote.html#Remote_TLS_CA

Comment 3 Sandro Bonazzola 2013-12-09 16:19:58 UTC
*** Bug 1034679 has been marked as a duplicate of this bug. ***

Comment 4 Sandro Bonazzola 2013-12-09 16:21:26 UTC
Also, server and client certificates are missing, causing libvirt not to listen on the qemu+tls port.

Comment 5 Sandro Bonazzola 2013-12-10 14:12:39 UTC
*** Bug 1035395 has been marked as a duplicate of this bug. ***

Comment 6 Sandro Bonazzola 2013-12-10 14:14:16 UTC
Also, /etc/pki/libvirt-spice certificates are generated by ovirt-host-deploy at a later stage, so when creating cacert.pem, hosted-engine --deploy needs to take care of these too.
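
The files named in the description and in comments 4 and 6 can be checked in one pass before attempting a qemu+tls or SPICE connection. This is an added example, not code from ovirt-hosted-engine-setup or from the reporter; the file names are the libvirt and QEMU default locations, and `check_tls_files` with its root-prefix argument is a hypothetical helper used for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the TLS material that libvirt (qemu+tls)
# and SPICE expect. Paths are the libvirt/QEMU defaults, relative to a root
# prefix so the check can also be run against a staging tree (assumption).

LIBVIRT_TLS_FILES="etc/pki/CA/cacert.pem
etc/pki/libvirt/servercert.pem
etc/pki/libvirt/private/serverkey.pem
etc/pki/libvirt/clientcert.pem
etc/pki/libvirt/private/clientkey.pem"

SPICE_TLS_FILES="etc/pki/libvirt-spice/ca-cert.pem
etc/pki/libvirt-spice/server-cert.pem
etc/pki/libvirt-spice/server-key.pem"

# check_tls_files [ROOT]
# Prints one line per problem and returns 0 only when every file is present,
# non-empty, and no private key is world-readable.
check_tls_files() {
    root="${1:-/}"
    problems=0
    for rel in $LIBVIRT_TLS_FILES $SPICE_TLS_FILES; do
        path="${root%/}/$rel"
        if [ ! -e "$path" ]; then
            # Also covers a missing parent directory such as /etc/pki/libvirt.
            echo "MISSING $path"
            problems=$((problems + 1))
        elif [ ! -s "$path" ]; then
            echo "EMPTY $path"
            problems=$((problems + 1))
        else
            case "$rel" in
                *key.pem)
                    # A private key readable by "other" defeats the point of TLS.
                    if [ -n "$(find "$path" -perm -004)" ]; then
                        echo "KEY-WORLD-READABLE $path"
                        problems=$((problems + 1))
                    fi
                    ;;
            esac
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage on a host: check_tls_files / || echo "TLS material incomplete"
```
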

Comment 10 Sandro Bonazzola 2014-01-27 10:05:28 UTC
*** Bug 1056649 has been marked as a duplicate of this bug. ***

Comment 11 Sandro Bonazzola 2014-01-31 13:08:59 UTC
As a workaround, perform an all-in-one setup, then execute cleanup and deploy hosted-engine, or use a VNC connection.

Comment 12 Sandro Bonazzola 2014-01-31 13:09:39 UTC
*** Bug 1058936 has been marked as a duplicate of this bug. ***

Comment 13 Sandro Bonazzola 2014-02-11 08:58:03 UTC
*** Bug 1063576 has been marked as a duplicate of this bug. ***

Comment 15 Yedidyah Bar David 2014-03-10 06:34:06 UTC
*** Bug 1067683 has been marked as a duplicate of this bug. ***

Comment 17 Yedidyah Bar David 2014-03-12 14:47:40 UTC
Moving back to assigned as /etc/pki/libvirt might not exist.

Comment 19 errata-xmlrpc 2014-06-09 14:47:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.