Bug 1596721

Summary: pcs is unable to setup new qnetd and add it to a cluster
Product: [Fedora] Fedora
Reporter: Tomas Jelinek <tojeline>
Component: pcs
Assignee: Tomas Jelinek <tojeline>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: high
Version: 29
CC: anprice, cfeist, idevat, jpokorny, omular, tojeline
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pcs-0.10.0.alpha.6-1.fc29 pcs-0.10.2-1.fc30 pcs-0.10.2-1.fc29
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-27 00:54:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1596712
Bug Blocks:

Description Tomas Jelinek 2018-06-29 14:28:05 UTC
Due to changes in the nss-tools package, pcs is now unable to set up a new qnetd and add it to a cluster. This is partially caused by issues in corosync-qnetd-certutil, which pcs uses, and partially by pcs itself, as it hard-codes the "cert8.db" filename in a few places.

# rpm -q corosync-qnetd
corosync-qnetd-2.91.0-1.fc29.x86_64
# rpm -q corosync-qdevice
corosync-qdevice-2.91.0-1.fc29.x86_64
# rpm -q nss-tools
nss-tools-3.37.3-3.fc29.x86_64

[root@fed28-node3:~]# pcs qdevice setup model net
Quorum device 'net' initialized

[root@fed28-node1:~]# pcs quorum device add model net host=fed28-node3 algorithm=ffsplit 
Setting up qdevice certificates on nodes...
Error: fed28-node1: Error: Unable to initialize quorum device 'net': password file contains no data
Invalid password.
certutil: Could not set password for the slot: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
chown: cannot access '/etc/corosync/qdevice/net/nssdb/key3.db': No such file or directory
chown: cannot access '/etc/corosync/qdevice/net/nssdb/cert8.db': No such file or directory
chown: cannot access '/etc/corosync/qdevice/net/nssdb/secmod.db': No such file or directory
chmod: cannot access '/etc/corosync/qdevice/net/nssdb/key3.db': No such file or directory
chmod: cannot access '/etc/corosync/qdevice/net/nssdb/cert8.db': No such file or directory
chmod: cannot access '/etc/corosync/qdevice/net/nssdb/secmod.db': No such file or directory
certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Creating new key and cert db
Using existing noise file /etc/corosync/qdevice/net/nssdb/noise.txt
Importing CA, use --skip-offline to override
Error: fed28-node2: Error: Unable to initialize quorum device 'net': password file contains no data
Invalid password.
certutil: Could not set password for the slot: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
chown: cannot access '/etc/corosync/qdevice/net/nssdb/key3.db': No such file or directory
chown: cannot access '/etc/corosync/qdevice/net/nssdb/cert8.db': No such file or directory
chown: cannot access '/etc/corosync/qdevice/net/nssdb/secmod.db': No such file or directory
chmod: cannot access '/etc/corosync/qdevice/net/nssdb/key3.db': No such file or directory
chmod: cannot access '/etc/corosync/qdevice/net/nssdb/cert8.db': No such file or directory
chmod: cannot access '/etc/corosync/qdevice/net/nssdb/secmod.db': No such file or directory
certutil: could not decode certificate: SEC_ERROR_REUSED_ISSUER_AND_SERIAL: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Creating new key and cert db
Using existing noise file /etc/corosync/qdevice/net/nssdb/noise.txt
Importing CA, use --skip-offline to override
Error: Errors have occurred, therefore pcs is unable to continue

[root@fed28-node3:~]# pcs qdevice destroy net
Stopping quorum device...
quorum device stopped
quorum device disabled
Quorum device 'net' configuration files removed
[root@fed28-node3:~]# pcs qdevice setup model net
Error: Quorum device 'net' has been already initialized
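
Added example, not part of the original report and not pcs code: a format-agnostic check of an NSS database directory that does not depend on the hard-coded "cert8.db" name. It assumes the nss-tools change in question is the switch of certutil's default database format from the legacy dbm files (cert8.db, key3.db, secmod.db) to the sql files (cert9.db, key4.db, pkcs11.txt); all function names are hypothetical.

```python
import os

# File sets NSS uses for each database format. The sql names are an
# assumption about the nss-tools change; the report only names the dbm files.
NSS_DB_FILES = {
    "sql": ("cert9.db", "key4.db", "pkcs11.txt"),
    "dbm": ("cert8.db", "key3.db", "secmod.db"),
}


def nss_db_state(db_dir):
    """Describe the NSS database in db_dir without assuming its format.

    Returns {"format": "sql" | "dbm" | None, "complete": bool, "missing": [...]}.
    A partially created database (as left behind by a failed certutil run)
    is reported with complete=False and the files that are absent.
    """
    present = set(os.listdir(db_dir)) if os.path.isdir(db_dir) else set()
    best = {"format": None, "complete": False, "missing": []}
    best_count = 0
    for fmt, names in NSS_DB_FILES.items():
        found = [n for n in names if n in present]
        if len(found) > best_count:  # ties keep the earlier entry (sql)
            best_count = len(found)
            missing = [n for n in names if n not in present]
            best = {"format": fmt, "complete": not missing, "missing": missing}
    return best


def is_initialized(db_dir):
    """True only when one format's full file set is present."""
    return nss_db_state(db_dir)["complete"]


def hardcoded_check(db_dir):
    """Hypothetical check keyed on the legacy name only, for comparison."""
    return os.path.exists(os.path.join(db_dir, "cert8.db"))


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a directory holding an sql-format database.
    with tempfile.TemporaryDirectory() as d:
        for name in NSS_DB_FILES["sql"]:
            open(os.path.join(d, name), "w").close()
        print(nss_db_state(d), "hard-coded check:", hardcoded_check(d))
```
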

Comment 1 Jan Kurik 2018-08-14 09:56:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 3 Fedora Update System 2019-06-17 08:45:46 UTC
FEDORA-2019-6f8b8534a2 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6f8b8534a2

Comment 4 Fedora Update System 2019-06-17 18:17:25 UTC
pcs-0.10.2-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6f8b8534a2

Comment 5 Fedora Update System 2019-06-17 20:12:05 UTC
pcs-0.10.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8864b0c71a

Comment 6 Fedora Update System 2019-06-27 00:54:41 UTC
pcs-0.10.2-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2019-06-28 05:20:45 UTC
pcs-0.10.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.