Bug 1291161

| Field | Value |
|---|---|
| Summary | Engine grants invalid certificate if host clock is restarted prior installation |
| Product | [oVirt] ovirt-node |
| Component | legacy-ovirt-node-plugin-vdsm |
| Reporter | Artyom <alukiano> |
| Assignee | Fabian Deutsch <fdeutsch> |
| QA Contact | Ying Cui <ycui> |
| Status | CLOSED WONTFIX |
| Severity | high |
| Priority | unspecified |
| Version | --- |
| CC | alonbl, alukiano, bugs, cshao, dguo, fdeutsch, gklein, huzhao, mburman, oourfali, ycui |
| Target Milestone | --- |
| Target Release | --- |
| Flags | oourfali: ovirt-3.6.z? rule-engine: planning_ack? rule-engine: devel_ack? rule-engine: testing_ack? |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | node |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-12-22 11:46:43 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | Node |
| Cloudforms Team | --- |

Description
Artyom
2015-12-14 07:55:33 UTC
This appears on Node, but doesn't seem to be a Node-specific problem, as this can also happen on RHEL hosts.

We cannot wait for NTP to sync the host time.

Prior to ovirt-host-deploy we attempted copying time from Engine to the host.

Also, we made our certificate valid a few hours into the past, so reasonably out-of-sync hosts can be added.

Would reintroducing one of these hacks make sense?

(In reply to Dan Kenigsberg from comment #2)
> We cannot wait for NTP to sync the host time.
>
> Prior to ovirt-host-deploy we attempted copying time from Engine to the
> host.
>
> Also, we made our certificate valid a few hours into the past, so
> reasonably out-of-sync hosts can be added.
>
> Would reintroducing one of these hacks make sense?

Engine grants a valid certificate based on engine clock minus one day. Host-deploy still syncs the clock if it is out of sync. This one-time sync is useless, as after reboot you will probably be out of sync once again... but still we do this.

Instead of attaching irrelevant sos reports, please attach host-deploy log, so we can probably see the above.

I opened the bug on RHEV-H, and the problem I have is that the libvirtd service failed to start before I added the host to any engine, so there is no host-deploy.log.

There is no sense in starting libvirt pre-deploy, nor am I sure how /etc/pki/vdsm/certs/vdsmcert.pem was created. Back to ovirt-node, I suggest closing it as NOTABUG.

libvirtd is started by default on Node, which can cause this problem. Because it is an issue, but one that does not appear too often, I'm closing this bug. Please reopen if you encounter this problem often.

For me it happens pretty often; for example, out of five RHEV-H installations it can happen twice. It can also create an additional problem if you want to run automation on RHEV-H. Can we just add some additional hook on network setup that will regenerate the libvirt certificate?

Can we consider setting the certificate validity to 1 day before the current date? This can easily work around this kind of problem.

Artyom, have you got an idea why the host is initially so out of sync? Does the DHCP server also provide NTP servers?

I do not really know; maybe RHEV-H uses some default time zone? Yes, the DHCP server also provides NTP.
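The thread above turns on whether a certificate's validity window covers the host's own clock. As an added example (not code from this bug or from oVirt), the following check parses the text printed by `openssl x509 -noout -dates` and classifies the certificate as seen from a given host time; the dates, the engine time and the function names are constructed for illustration, with the one-day backdating taken from the thread.

```python
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl x509 -noout -dates`
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample: engine clock is 2015-12-14 07:55:33 UTC and the
# certificate start is backdated by one day, as described in the thread.
ENGINE_NOW = datetime(2015, 12, 14, 7, 55, 33, tzinfo=timezone.utc)
SAMPLE_DATES = """notBefore=Dec 13 07:55:33 2015 GMT
notAfter=Dec 12 07:55:33 2020 GMT
"""


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with an extra space; collapse it
            value = " ".join(value.split())
            parsed = datetime.strptime(value, OPENSSL_FMT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def check_window(not_before, not_after, host_now):
    """Classify the certificate as the host's own clock sees it.

    Returns (state, gap): gap is how far host_now lies outside the window.
    """
    if host_now < not_before:
        return "not-yet-valid", not_before - host_now
    if host_now > not_after:
        return "expired", host_now - not_after
    return "valid", timedelta(0)


def describe(text, host_now):
    state, gap = check_window(*parse_dates(text), host_now)
    return f"{state} (gap {gap}) at host time {host_now:%Y-%m-%d %H:%M:%S} UTC"


if __name__ == "__main__":
    # A host 2 hours behind the engine is covered by the one-day backdating;
    # a host 3 days behind still sees a certificate from the future.
    for behind in (timedelta(hours=2), timedelta(days=3)):
        print(describe(SAMPLE_DATES, ENGINE_NOW - behind))
```

On a real host the input text would come from running `openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates`, with `host_now` set to `datetime.now(timezone.utc)`.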