Bug 1063576

Summary: hosted-engine-setup not configuring libvirt correctly
Product: Red Hat Enterprise Virtualization Manager
Reporter: thunt
Component: ovirt-hosted-engine-setup
Assignee: Yedidyah Bar David <didi>
Status: CLOSED ERRATA
QA Contact: Jiri Belka <jbelka>
Severity: high
Docs Contact:
Priority: high
Version: 3.3.0
CC: aburden, acathrow, didi, gklein, iheim, jbelka, pstehlik, sbonazzo, thunt
Target Milestone: ---
Keywords: Reopened
Target Release: 3.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: integration
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, certificate authority certificates were not generated for libvirt. This resulted in a failure to connect to the engine virtual machine using virsh or SPICE during the hosted-engine deployment. Now, the necessary certificates are generated before libvirt is configured for VDSM and users can connect to the engine virtual machine using virsh or SPICE.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-09 14:47:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1034634
Bug Blocks: 1078909, 1142926

Description thunt 2014-02-11 04:15:48 UTC
Description of problem:
Spice clients can't connect to hypervisor after hosted-engine install

Version-Release number of selected component (if applicable):
3.3.0 (updated as of 10-feb-2014)

How reproducible:
Very

Steps to Reproduce:
1. Install hosted-engine
2. Create VM in RHEV-M using SPICE display
3. Start VM

Actual results:
VM fails to start with libvirt error

Expected results:
VM should start.

Additional info:

The following is a diff between the libvirt configuration after hosted-engine install, and a working libvirt configuration.
< - Working config
> - Config after hosted-engine install
[root@hypervisor3 ~]# diff -rw /tmp/libvirt/ /etc/libvirt/
Only in /etc/libvirt/: libvirt.conf
diff -rw /tmp/libvirt/libvirtd.conf /etc/libvirt/libvirtd.conf
405,411c405,407
< #auth_tcp="none"
< #listen_tcp=1
< #listen_tls=0
< ca_file="/etc/pki/vdsm/certs/cacert.pem"
< cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
< key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
< 
---
> auth_tcp="none"
> listen_tcp=1
> listen_tls=0
diff -rw /tmp/libvirt/qemu.conf /etc/libvirt/qemu.conf
408d407
< spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"

Comment 1 Sandro Bonazzola 2014-02-11 08:58:03 UTC
Thanks for reporting, it's a known issue, closing as duplicate of bug #1034634

*** This bug has been marked as a duplicate of bug 1034634 ***

Comment 2 thunt 2014-02-13 02:35:22 UTC
The behavior I was seeing does not seem to match BZ #1034634, and if they are the same bug, the priority of that should be very high.

In this case the certs are actually being generated and the RHEV-M install completes.

However, RHEV is useless as no VMs can be started until the config files are manually edited to resolve the problems, and if a second hypervisor is added it will go into an error state.

Comment 3 Sandro Bonazzola 2014-02-13 07:50:50 UTC
(In reply to thunt from comment #2)
> The behavior I was seeing does not seem to match BZ #1034634, and if they
> are the same bug, the priority of that should be very high.
> 
> In this case the certs are actually being generated and the RHEV-M install
> completes.

I'll try to reproduce, thanks for the additional info.

Comment 4 Sandro Bonazzola 2014-03-06 15:29:22 UTC
I think that the last changes introduced by didi should have fixed this too.
didi, can you confirm?

Comment 5 Yedidyah Bar David 2014-03-09 09:37:30 UTC
(In reply to Sandro Bonazzola from comment #4)
> I think that the last changes introduced by didi should have fixed this too.
> didi, can you confirm?

I think so too, but these changes are the fix for BZ #1034634, and comment #2 implies it's a different issue:

(In reply to thunt from comment #2)
> The behavior I was seeing does not seem to match BZ #1034634, and if they
> are the same bug, the priority of that should be very high.
> 
> In this case the certs are actually being generated and the RHEV-M install
> completes.

Which certs? [1] causes generation/copying of certs (and keys) which I do not think are possible without it. Note that this is unrelated to RHEV-M install/setup.

So I currently think it actually is a duplicate of bug #1034634.

[1] http://gerrit.ovirt.org/25142

Comment 6 thunt 2014-03-10 14:54:42 UTC
Unfortunately, I no longer have access to an environment to test this as the problem occurred on a now-finished consulting engagement.

What I do remember is that I never had to create or copy certs, so I have to assume that they were created/copied correctly and the issue was with the config files.

Note that I didn't have any issues until I actually tried to create a VM with Spice in RHEV-M, so you can close out this bug if:-
- On hosted_engine_1, you can do a hosted-engine install on a clean RHEL6 configuration, and then start a VM and attach to the console.
- On hosted_engine_2, you can do a hosted-engine install for instance 2, and then successfully migrate a VM with Spice to it.

Comment 7 Yedidyah Bar David 2014-03-10 15:48:31 UTC
(In reply to thunt from comment #6)
> Unfortunately, I no longer have access to an environment to test this as the
> problem occurred on a now-finished consulting engagement.

Very well. I still think it's a duplicate of bug #1034634, but will let QA verify that anyway.

> 
> What I do remember is that I never had to create or copy certs, so I have to
> assume that they were created/copied correctly and the issue was with the
> config files.

If you refer to the configuration files detailed in the description, then the process is as follows:

If vdsm-tool is asked to configure libvirt before generating key/cert for it, it will not configure it to use ssl. Otherwise it will. Part of the fix for bug #1034634 was to reverse the order of doing these two actions.

> 
> Note that I didn't have any issues until I actually tried to create a VM with
> Spice in RHEV-M, so you can close out this bug if:-
> - On hosted_engine_1, you can do a hosted-engine install on a clean RHEL6
> configuration, and then start a VM and attach to the console.

Not sure if you refer here to the engine's VM, created during deploy, or a "normal" VM created after hosted-engine deploy is finished. I verified the former.

> - On hosted_engine_2, you can do a hosted-engine install for instance 2, and
> then successfully migrate a VM with Spice to it.

I did not verify that one.

Moving to Modified for now and setting 'Depends on: 1034634' - I hope that's enough.
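
An added example (not part of the bug report, and not vdsm or hosted-engine-setup code): a Python check for the deviations shown in the description's diff, which per comment 7 arise when libvirt is configured before its key/cert exist. The names `active_settings` and `audit` and the missing-file check are assumptions; the sample strings are constructed from the diff lines.

```python
import os
import re

# Settings taken from the diff in the bug description.
PKI_KEYS = ("ca_file", "cert_file", "key_file")
LINE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def active_settings(text):
    """Return uncommented key -> value pairs from a libvirt-style config."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)  # lines starting with '#' never match
        if m:
            found[m.group(1)] = m.group(2)
    return found


def audit(libvirtd_conf, qemu_conf, exists=os.path.exists):
    """List deviations from the working configuration shown in the bug."""
    lv, qemu = active_settings(libvirtd_conf), active_settings(qemu_conf)
    findings = []
    for key in PKI_KEYS:
        if key not in lv:
            findings.append(f"libvirtd.conf: {key} not set")
        elif not exists(lv[key]):  # assumption: also flag dangling paths
            findings.append(f"libvirtd.conf: {key} points to missing {lv[key]}")
    if lv.get("listen_tcp") == "1" and lv.get("auth_tcp") == "none":
        findings.append("libvirtd.conf: unauthenticated plain TCP listener")
    if lv.get("listen_tls") == "0":
        findings.append("libvirtd.conf: listen_tls disabled")
    if "spice_tls_x509_cert_dir" not in qemu:
        findings.append("qemu.conf: spice_tls_x509_cert_dir not set")
    return findings

# Constructed samples: the two sides of the diff from the description.
WORKING_LIBVIRTD = '''#auth_tcp="none"
#listen_tcp=1
#listen_tls=0
ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
'''
WORKING_QEMU = 'spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"\n'
AFTER_SETUP_LIBVIRTD = 'auth_tcp="none"\nlisten_tcp=1\nlisten_tls=0\n'
AFTER_SETUP_QEMU = ""

if __name__ == "__main__":
    print("\n".join(audit(AFTER_SETUP_LIBVIRTD, AFTER_SETUP_QEMU)))
```

On a host, pass the contents of /etc/libvirt/libvirtd.conf and /etc/libvirt/qemu.conf to `audit`; an empty list means the settings match the working side of the diff.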

Comment 8 Jiri Belka 2014-04-16 13:05:05 UTC
ok, vdsm-4.14.6-0.1.beta3.el6ev.x86_64 / ovirt-hosted-engine-setup-1.1.2-2.el6ev.noarch

spice works for vm managed by hosted engine.

Comment 10 errata-xmlrpc 2014-06-09 14:47:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0505.html