Bug 1672587

Summary: VNC encryption is true on host after upgrade causing "Unsupported security types: 19"
Product: [oVirt] ovirt-engine
Component: BLL.Virt
Reporter: Liran Rotenberg <lrotenbe>
Assignee: Tomasz Barański <tbaransk>
QA Contact: Liran Rotenberg <lrotenbe>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: urgent
Version: 4.3.0
CC: bugs, gshereme, mavital, ratamir, rbarry, Rhev-m-bugs, tbaransk
Target Milestone: ovirt-4.3.1
Keywords: Regression
Flags: rule-engine: ovirt-4.3+, rule-engine: blocker+, rule-engine: devel_ack+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-engine-4.3.1.1
Last Closed: 2019-03-01 10:20:17 UTC
Type: Bug
oVirt Team: Virt
Attachments: host_deploy_log

Description Liran Rotenberg 2019-02-05 11:34:49 UTC
Description of problem:
On an existing cluster, when upgrading to 4.3, the cluster's VNC encryption is false.
But the hosts are configured with VNC encryption.

In the DB, 
select vnc_encryption_enabled from vds_dynamic where vds_id=<your host id>;

Will result in a false flag on the hosts.

In the host /etc/libvirt/qemu.conf
vnc_tls=1
vnc_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-vnc"

This will cause NoVNC to break - https://bugzilla.redhat.com/show_bug.cgi?id=1659155

The user is not aware of the encryption; remote-viewer needs additional configuration - in this state it will open and immediately close.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.0-0.8.rc2.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Upgrade the host from 4.2 to 4.3.

Actual results:
VNC encryption is set on the host while the cluster has VNC encryption set to False.

Expected results:
VNC encryption to be set as in the cluster.

Additional info:
From the engine, host-deploy, ovirt-host-mgmt-ansible log:
2019-02-05 13:25:28,278 p=60013 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-05 13:25:28,757 p=60013 u=ovirt |  changed: [ocelot06.qa.lab.tlv.redhat.com] => {
    "changed": true
}

MSG:

Block inserted

2019-02-05 13:25:28,800 p=60013 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-05 13:25:28,812 p=60013 u=ovirt |  skipping: [ocelot06.qa.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}

Comment 1 Liran Rotenberg 2019-02-05 11:40:18 UTC
Created attachment 1527121
host_deploy_log

Comment 3 Tomasz Barański 2019-02-05 11:50:22 UTC
There is a workaround until the bug is fixed:

1. Comment out `vnc_tls=1` in /etc/libvirt/qemu.conf (or change it to vnc_tls=0).
2. Restart the host
   (actually, what is strictly necessary is restarting libvirt and all affected VMs. Restarting the host might just be easier).

Comment 7 Ryan Barry 2019-02-07 11:53:47 UTC
Greg was faster, but definitely able to be verified with nightlies

Comment 8 Liran Rotenberg 2019-02-12 08:11:37 UTC
Verified on:
ovirt-engine-4.3.0.5-0.0.master.20190210112640.git53b60e3.el7.noarch

Steps:
1. Create a cluster with an un-upgraded host, VNC encryption disabled.
2. Check the host qemu.conf for vnc_tls.
# less /etc/libvirt/qemu.conf | grep vnc_tls
3. Check for update from the UI.
4. Upgrade the host from UI.
5. Check the host qemu.conf for vnc_tls.
# less /etc/libvirt/qemu.conf | grep vnc_tls
6. Check host-deploy log for TLS conditions.

Results:
In step 2, qemu.conf is without vnc_tls=1; it's commented out, as it should be.
In step 5, the result is the same as step 2, as expected.
From step 6:
2019-02-12 09:35:07,419 p=24786 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-12 09:35:07,434 p=24786 u=ovirt |  skipping: [ocelot03.qa.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}
2019-02-12 09:35:07,476 p=24786 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-12 09:35:07,990 p=24786 u=ovirt |  ok: [ocelot03.qa.lab.tlv.redhat.com] => {
    "changed": false
}
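
The qemu.conf check from the steps above, as an added example that is not part of the bug report or of oVirt's code: it reads the effective vnc_tls value (ignoring commented-out lines and vnc_tls_x509_cert_dir) and compares it with the vnc_encryption_enabled flag the engine holds for the host. The function names are hypothetical, and treating a file with no vnc_tls assignment as "TLS off" is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# effective_vnc_tls FILE -> prints 1, 0 or "conflict" (differing assignments).
# Assumption: a file with no uncommented vnc_tls assignment means TLS is off.
effective_vnc_tls() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*vnc_tls[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]*(#.*)?$/, "", v)
            gsub(/"/, "", v)
            if (seen && v != val) conflict = 1
            val = v; seen = 1
        }
        END {
            if (conflict) print "conflict"
            else print ((val == "1") ? 1 : 0)
        }
    ' "$1"
}

# check_vnc_tls FILE ENGINE_FLAG
# ENGINE_FLAG is vnc_encryption_enabled as read from vds_dynamic (t/true, f/false).
# Returns 0 when host and engine agree, 1 on mismatch, 2 on a bad flag.
check_vnc_tls() {
    host=$(effective_vnc_tls "$1")
    case "$2" in
        t|true)  want=1 ;;
        f|false) want=0 ;;
        *) echo "unknown engine flag: $2" >&2; return 2 ;;
    esac
    if [ "$host" = "$want" ]; then
        echo "OK: host vnc_tls=$host matches engine"
        return 0
    fi
    echo "MISMATCH: host vnc_tls=$host, engine expects $want"
    return 1
}

# With two arguments, check a real file; otherwise run on a constructed
# sample that reproduces the state described in this report.
if [ "$#" -eq 2 ]; then
    check_vnc_tls "$1" "$2"
else
    sample=$(mktemp)
    printf 'vnc_tls=1\nvnc_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-vnc"\n' > "$sample"
    check_vnc_tls "$sample" false || true
    rm -f "$sample"
fi
```
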

Comment 9 Sandro Bonazzola 2019-03-01 10:20:17 UTC
This bugzilla is included in oVirt 4.3.1 release, published on February 28th 2019.

Since the problem described in this bug report should be resolved in oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.