Bug 1752113

Summary: Hosted-Engine will not deploy if SSH access is not enabled for the root user.
Product: Red Hat Enterprise Virtualization Manager Reporter: Robert McSwain <rmcswain>
Component: ovirt-hosted-engine-setupAssignee: Yedidyah Bar David <didi>
Status: CLOSED ERRATA QA Contact: Petr Kubica <pkubica>
Severity: high Docs Contact:
Priority: high    
Version: 4.3.5CC: cshao, didi, lsurette, mperina, pelauter, slopezle, stirabos, weiwang
Target Milestone: ovirt-4.4.0Flags: lsvaty: testing_plan_complete-
Target Release: 4.4.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: cockpit-ovirt-0.14.2 ovirt-hosted-engine-setup-2.4.4 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-04 13:27:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert McSwain 2019-09-13 17:33:36 UTC 
Issue:

Hosted-Engine will not deploy if SSH access is not enabled for the root user.

Logs:


Do you want to enable ssh access for the root user (yes, no, without-password) [yes]: no
...
ESC[0;31m[ ERROR ]ESC[0m fatal: [localhost -> D7-Manager]: FAILED! => {"changed": false, "elapsed": 185, "msg": "timed out waiting for ping module test success: Invalid/incorrect password: FIPS mode initialized\r\nWarning: Permanently add
ed 'd7-manager,192.168.222.4' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again."}
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Set destination directory path]
ESC[92m[ INFO  ]ESC[0m ok: [localhost -> localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Create destination directory]
ESC[92m[ INFO  ]ESC[0m changed: [localhost -> localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : include_tasks]
ESC[92m[ INFO  ]ESC[0m ok: [localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Find the local appliance image]
ESC[92m[ INFO  ]ESC[0m ok: [localhost -> localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Set local_vm_disk_path]
ESC[92m[ INFO  ]ESC[0m ok: [localhost -> localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Give the vm time to flush dirty buffers]
ESC[92m[ INFO  ]ESC[0m ok: [localhost -> localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Copy engine logs]
ESC[92m[ INFO  ]ESC[0m changed: [localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Get local VM dir path]
ESC[92m[ INFO  ]ESC[0m ok: [localhost -> D7-Manager]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Remove local vm dir]
ESC[92m[ INFO  ]ESC[0m changed: [localhost -> localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Remove temporary entry in /etc/hosts for the local VM]
ESC[92m[ INFO  ]ESC[0m changed: [localhost -> localhost]
ESC[92m[ INFO  ]ESC[0m TASK [ovirt.hosted_engine_setup : Notify the user about a failure]
ESC[0;31m[ ERROR ]ESC[0m fatal: [localhost -> D7-Manager]: FAILED! => {"changed": false, "msg": "There was a failure deploying the engine on the local engine VM. The system may not be provisioned according to the playbook results: please check the logs for the issue, fix accordingly or re-deploy from scratch.\n"}
ESC[0;31m[ ERROR ]ESC[0m Failed to execute stage 'Closing up': Failed executing ansible-playbook
...
ESC[0;31m[ ERROR ]ESC[0m fatal: [localhost -> D7-Manager]: FAILED! => {"changed": false, "elapsed": 185, "msg": "timed out waiting for ping module test success: Invalid/incorrect password: FIPS mode initialized\r\nWarning: Permanently add
ed 'd7-manager,192.168.222.4' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again."}


Expected Behavior: 
hosted-engine shouldn't offer an option which could fail out due to selecting it / simply changing the behavior to disable root SSH after the hosted engine deployment is successful 

Observed Behavior:
hosted-engine options available in the installer succeed
Comment 1 Martin Perina 2019-09-18 19:39:49 UTC 
This is known requirement since forever, RHV Manager requires root SSH access to hypervisor hosts to be able to perform management tasks of hypervisors. We have an RFE to use privileged non-root user, but this is not planned for RHV 4.4. So suggesting either to close wontfix or mark as duplicate of this RFE.
Comment 2 Simone Tiraboschi 2019-09-19 08:42:36 UTC 
I think that this is specific to the engine VM and not really on host side.

Now engine-setup is executed on the engine VM via ovirt-ansible-engine-setup ansible role and so we definitively need ssh access to the engine VM at least in the boot stage.

The real issue is that on the setup text UI we still have this question:
Do you want to enable ssh access for the root user (yes, no, without-password) [yes]:

and if the user chooses no the setup is definitively going to fail to to the lack of ssh needed for ansible (in the past engine-setup was executed via cloud-init and so ssh wasn't really needed).

We have two options:
1. keep the question, always enable ssh on the engine VM and eventually de-configure it at the end of the setup if not needed anymore
2. drop the question and let the user manually disable ssh as a day-1 operation if not needed anymore
Comment 3 Robert McSwain 2019-09-24 17:05:46 UTC 
I would say the following option is a better user experience:

1. keep the question, always enable ssh on the engine VM and eventually de-configure it at the end of the setup if not needed anymore

Asking a question that will ultimately lead to failure if the user chooses 'No' is a problematic setup design, so changing the wording from 

"Do you want to enable ssh access for the root user (yes, no, without-password) [yes]: "

to 

"Do you want to disable ssh access for the root user after RHV-M installation completes (yes, no, without-password) [no]: "

which would function the same way as it does currently, but would allow the user to not have the setup fail but still allow for the functionality of disabling root ssh access.

Additionally, the error message shown on failure is a confusing and technically incorrect given access is blocked but not because of any incorrect password user input :

ERROR ][0m fatal: [localhost -> D7-Manager]: FAILED! => {"changed": false, "elapsed": 185, "msg": "timed out waiting for ping module test success: Invalid/incorrect password: FIPS mode initialized\r\nWarning: Permanently added 'rhvmanager,192.168.1.4' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again."}
Comment 4 Sandro Bonazzola 2019-09-25 07:25:13 UTC 
comment #3 looks good to me. I would add a warning that after root access will be disabled for ssh in order to login as root you'll need to use serial console instead.
Comment 5 Yedidyah Bar David 2020-01-02 11:23:06 UTC 
Seems like Simone already merged a patch for this bug. Need to check if this is enough.
Comment 6 Simone Tiraboschi 2020-01-02 11:56:48 UTC 
We still have to merge https://gerrit.ovirt.org/103702 and https://gerrit.ovirt.org/103721 in order to consume it.
Comment 7 Yedidyah Bar David 2020-01-05 10:40:15 UTC 
(In reply to Simone Tiraboschi from comment #6)
> We still have to merge https://gerrit.ovirt.org/103702 and
> https://gerrit.ovirt.org/103721 in order to consume it.

OK, thanks. I guess I need 3 bugs (ovirt-hosted-engine-setup (current), ovirt-ansible-hosted-engine-setup, cockpit-ovirt).
Comment 8 Yedidyah Bar David 2020-02-05 09:28:46 UTC 
All patches merged, moving to modified.

ovirt-ansible-hosted-engine-setup: Main patch. With it, deploy should succeed.

The other two patches are not needed to make deploy succeed, but without them, root ssh access will not be blocked eventually. One is for ovirt-hosted-engine-setup, affects only CLI, other is for cockpit-ovirt, affects only cockpit web UI.

QE: Please verify both cockpit and cli.

I verified (before merging) only "no root access", didn't try "without-password". Perhaps try both.

If you choose "no", you can still login from the console. 'hosted-engine --console' didn't work for (worth another bug, I guess, didn't open one yet). '--add-console-password --password=XXX' and then vncviewer (via an ssh tunnel, in my case) worked.
Comment 10 Petr Kubica 2020-04-27 07:58:24 UTC 
Verified in ovirt-hosted-engine-setup-2.4.4-1.el8ev.noarch

SSH is available but cannot login as root (which is correct)
Comment 14 errata-xmlrpc 2020-08-04 13:27:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV RHEL Host (ovirt-host) 4.4), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3246
Comment 15 Sandra 2020-11-23 23:26:08 UTC 
Inside the host, if you avoid the Strict Host Key validation this way:

 cat .ssh/config 
Host hosted engine FQDN
    StrictHostKeyChecking no

The execution is completed successfully, and you can proceed to the next step.