Bug 1596712

Summary: corosync-qdevice does not cope with new versions of nss
Product: Fedora
Reporter: Tomas Jelinek <tojeline>
Component: corosync-qdevice
Assignee: Jan Friesse <jfriesse>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: jfriesse
Type: Bug
Last Closed: 2018-08-09 14:48:56 UTC
Bug Blocks: 1596721

Description Tomas Jelinek 2018-06-29 14:14:07 UTC
Description of problem:
The certutil tool shipped in Fedora 29 package nss-tools creates a certificate database in different files than before. Qnetd does not expect that, which results in qnetd not being able to start after creating its certificate database. There may be other issues as well in both corosync-qnetd and corosync-qdevice, as "cert8.db" is hard-coded in corosync-qnetd-certutil.

Version-Release number of selected component (if applicable):
[root@fed28-node3:~]# rpm -q corosync-qnetd
corosync-qnetd-2.91.0-1.fc29.x86_64
[root@fed28-node3:~]# rpm -q corosync-qdevice
corosync-qdevice-2.91.0-1.fc29.x86_64
[root@fed28-node3:~]# rpm -q nss-tools
nss-tools-3.37.3-3.fc29.x86_64


How reproducible:
always, easily


Actual results:
> Creating new certificate database reports several errors:
[root@fed28-node3:~]# corosync-qnetd-certutil -i
Creating /etc/corosync/qnetd/nssdb
Creating new key and cert db
password file contains no data
stat: cannot read file system information for '%u:%g': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/key3.db': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/cert8.db': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/secmod.db': No such file or directory
Creating new noise file /etc/corosync/qnetd/nssdb/noise.txt
Creating new CA


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?


Generating key.  This may take a few moments...

Notice: Trust flag u is set automatically if the private key is present.
QNetd CA certificate is exported as /etc/corosync/qnetd/nssdb/qnetd-cacert.crt

> When running the command again it does not detect the database has been already created:
[root@fed28-node3:~]# corosync-qnetd-certutil -i
Creating new key and cert db
password file contains no data
Invalid password.
certutil: Could not set password for the slot: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
stat: cannot read file system information for '%u:%g': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/key3.db': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/cert8.db': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/secmod.db': No such file or directory
Using existing noise file /etc/corosync/qnetd/nssdb/noise.txt
Creating new CA


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?


Generating key.  This may take a few moments...

Notice: Trust flag u is set automatically if the private key is present.
QNetd CA certificate is exported as /etc/corosync/qnetd/nssdb/qnetd-cacert.crt

> List of created files:
[root@fed28-node3:~]# ls -1 /etc/corosync/qnetd/nssdb/
cert9.db
key4.db
noise.txt
pkcs11.txt
pwdfile.txt
qnetd-cacert.crt
serial.txt

> qnetd cannot be started:
[root@fed28-node3:~]# systemctl start corosync-qnetd.service
Job for corosync-qnetd.service failed because the control process exited with error code.
See "systemctl status corosync-qnetd.service" and "journalctl -xe" for details.
[root@fed28-node3:~]# systemctl status corosync-qnetd.service
● corosync-qnetd.service - Corosync Qdevice Network daemon
   Loaded: loaded (/usr/lib/systemd/system/corosync-qnetd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-06-29 16:02:56 CEST; 2s ago
     Docs: man:corosync-qnetd
  Process: 28964 ExecStart=/usr/bin/corosync-qnetd -f $COROSYNC_QNETD_OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 28964 (code=exited, status=1/FAILURE)

Jun 29 16:02:56 fed28-node3 systemd[1]: Starting Corosync Qdevice Network daemon...
Jun 29 16:02:56 fed28-node3 corosync-qnetd[28964]: Jun 29 16:02:56 crit    NSS error (-8174): security library: bad database.
Jun 29 16:02:56 fed28-node3 systemd[1]: corosync-qnetd.service: Main process exited, code=exited, status=1/FAILURE
Jun 29 16:02:56 fed28-node3 systemd[1]: corosync-qnetd.service: Failed with result 'exit-code'.
Jun 29 16:02:56 fed28-node3 systemd[1]: Failed to start Corosync Qdevice Network daemon.


Expected results:
corosync-qnetd-certutil should be able to create a certificate database which qnetd can start with.


Additional info:
It works fine with Fedora 27:
[root@fed27-node3:~]# rpm -q corosync-qnetd
corosync-qnetd-2.4.4-1.fc27.x86_64
[root@fed27-node3:~]# rpm -q corosync-qdevice
corosync-qdevice-2.4.4-1.fc27.x86_64
[root@fed27-node3:~]# rpm -q nss-tools
nss-tools-3.36.1-1.0.fc27.x86_64

> No errors when creating new certificate database:
[root@fed27-node3:~]# corosync-qnetd-certutil -i
Creating /etc/corosync/qnetd/nssdb
Creating new key and cert db
password file contains no data
Creating new noise file /etc/corosync/qnetd/nssdb/noise.txt
Creating new CA


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?


Generating key.  This may take a few moments...

Notice: Trust flag u is set automatically if the private key is present.
QNetd CA certificate is exported as /etc/corosync/qnetd/nssdb/qnetd-cacert.crt

> Check for an existing database works:
[root@fed27-node3:~]# corosync-qnetd-certutil -i
Certificate database (/etc/corosync/qnetd/nssdb) already exists. Delete it to initialize new db

> These are the files created
[root@fed27-node3:~]# ls -1 /etc/corosync/qnetd/nssdb/
cert8.db
key3.db
noise.txt
pwdfile.txt
qnetd-cacert.crt
secmod.db
serial.txt

> qnetd starts with no issues
[root@fed27-node3:~]# systemctl start corosync-qnetd.service
[root@fed27-node3:~]# systemctl status corosync-qnetd.service
● corosync-qnetd.service - Corosync Qdevice Network daemon
   Loaded: loaded (/usr/lib/systemd/system/corosync-qnetd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-06-29 15:57:49 CEST; 4s ago
     Docs: man:corosync-qnetd
 Main PID: 709 (corosync-qnetd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/corosync-qnetd.service
           └─709 /usr/bin/corosync-qnetd -f

Jun 29 15:57:49 fed27-node3 systemd[1]: Started Corosync Qdevice Network daemon.
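The root cause above is that the helper script hard-codes the legacy dbm file names (cert8.db/key3.db/secmod.db), so both its "database already exists" check and its chmod step miss the sqlite-format files (cert9.db/key4.db/pkcs11.txt) that newer NSS certutil produces. The following is an added example, not code from corosync-qnetd-certutil, showing how such a script can detect whichever format is present and restrict permissions only on the files that actually exist; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not corosync's own code): detect an NSS database directory in
# either the legacy dbm format (cert8.db/key3.db/secmod.db) or the newer sqlite
# format (cert9.db/key4.db/pkcs11.txt) instead of hard-coding cert8.db.

# Print "dbm", "sql" or "none" for the database format found in directory $1.
nssdb_format() {
    dir=$1
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Return 0 if a database of either format already exists in $1, else 1.
# A script using this check would refuse to re-initialise an existing db.
nssdb_exists() {
    [ "$(nssdb_format "$1")" != none ]
}

# Restrict the key/cert database files present in $1 to the owner only,
# whichever format certutil produced. Prints the files changed, space
# separated, on one line; fails if no database is found.
nssdb_restrict_perms() {
    dir=$1
    case "$(nssdb_format "$dir")" in
        sql) files="cert9.db key4.db pkcs11.txt" ;;
        dbm) files="cert8.db key3.db secmod.db" ;;
        *)   echo "no NSS database found in $dir" >&2; return 1 ;;
    esac
    changed=""
    for f in $files; do
        # pkcs11.txt or secmod.db may legitimately be absent; skip quietly.
        if [ -f "$dir/$f" ]; then
            chmod 600 "$dir/$f" && changed="$changed $f"
        fi
    done
    echo "${changed# }"
    return 0
}
```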

Comment 1 Jan Friesse 2018-07-02 11:36:08 UTC
Thank you for the report; it's something we have to solve sooner than later.

Comment 2 Jan Friesse 2018-08-09 14:48:56 UTC
Solved by corosync-qdevice-2.92.0 (corosync-qdevice-2.92.0-1.fc29 and corosync-qdevice-2.92.0-1.fc28).

Thank you for the report.