Bug 2079767
Summary: | tls-everywhere (freeipa) setup libvirt/qemu unable to read the vnc key | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Attila Fazekas <afazekas> |
Component: | puppet-tripleo | Assignee: | Bogdan Dobrelya <bdobreli> |
Status: | CLOSED ERRATA | QA Contact: | James Parker <jparker> |
Severity: | urgent | Docs Contact: | |
Priority: | high | ||
Version: | 16.2 (Train) | CC: | alifshit, bdobreli, bshephar, ggrasza, itbrown, jjoyce, jparker, jschluet, lkuchlan, mburns, mdemaced, skovili, slinaber, spower, tvignaud |
Target Milestone: | z3 | Keywords: | Triaged |
Target Release: | 16.2 (Train on RHEL 8.4) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
URL: | https://trello.com/c/rwXMXKHV/2480-cixbz2079767ops162securitycomputetriploe-heat-templatephase2freeipa-vnc-cert-issue | ||
Whiteboard: | |||
Fixed In Version: | puppet-tripleo-11.7.0-2.20220405015037.el8ost | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2022-06-22 16:06:30 UTC | Type: | Bug |
Description
Attila Fazekas
2022-04-28 08:21:07 UTC
On the testing env that James had prepared yesterday and ran tempest tests there to see how the proposed fix behaves, there were no signs of Cannot load certificate '/etc/pki/libvirt-vnc/server-cert.pem'. But the similar errors for qemu certs now (for both computes):

```
[heat-admin@compute-1 ~]$ sudo grep -rI 'Cannot load certificate' /var/log/containers/
/var/log/containers/libvirt/libvirtd.log.1:2022-05-04 18:08:06.381+0000: 28953: error : virNetClientProgramDispatchError:172 : internal error: unable to execute QEMU command 'object-add': Cannot load certificate '/etc/pki/qemu/server-cert.pem' & key '/etc/pki/qemu/server-key.pem': Error while reading file.
/var/log/containers/libvirt/libvirtd.log.1:2022-05-04 18:08:42.907+0000: 28951: error : virNetClientProgramDispatchError:172 : internal error: unable to execute QEMU command 'object-add': Cannot load certificate '/etc/pki/qemu/server-cert.pem' & key '/etc/pki/qemu/server-key.pem': Error while reading file.
/var/log/containers/stdouts/nova_compute.log.1:2022-05-04T18:08:06.411077834+00:00 stderr F libvirt.libvirtError: internal error: unable to execute QEMU command 'object-add': Cannot load certificate '/etc/pki/qemu/server-cert.pem' & key '/etc/pki/qemu/server-key.pem': Error while reading file.
/var/log/containers/stdouts/nova_compute.log.1:2022-05-04T18:08:42.918997327+00:00 stderr F libvirt.libvirtError: internal error: unable to execute QEMU command 'object-add': Cannot load certificate '/etc/pki/qemu/server-cert.pem' & key '/etc/pki/qemu/server-key.pem': Error while reading file.
[heat-admin@compute-0 ~]$ sudo grep -rI 'Cannot load certificate' /var/log/containers/
/var/log/containers/libvirt/libvirtd.log.1:2022-05-04 18:08:05.947+0000: 29043: error : qemuMonitorJSONCheckErrorFull:418 : internal error: unable to execute QEMU command 'object-add': Cannot load certificate '/etc/pki/qemu/server-cert.pem' & key '/etc/pki/qemu/server-key.pem': Error while reading file.
/var/log/containers/libvirt/libvirtd.log.1:2022-05-04 18:08:42.644+0000: 29043: error : qemuMonitorJSONCheckErrorFull:418 : internal error: unable to execute QEMU command 'object-add': Cannot load certificate '/etc/pki/qemu/server-cert.pem' & key '/etc/pki/qemu/server-key.pem': Error while reading file.
```

So I presume the fix might need to be extended to the qemu case as well. And *maybe* for other services touched by https://review.opendev.org/c/openstack/puppet-tripleo/+/822244 ?

Testing is complete, the fix should work. Let's have it merged upstream first.

If I break permissions for the key file and rerun tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops - it fails as reported. If I manually apply puppet with the fixed manifest, tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops passes. I think we can consider it as PASSing.

*** Bug 2083485 has been marked as a duplicate of this bug. ***

*** Bug 2093108 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.3 (Train)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4793
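An added triage example, not part of the original bug report or of puppet-tripleo: it parses `grep -rI 'Cannot load certificate'` output in the two line formats quoted in this bug and groups the failures by certificate/key pair, so a re-run after applying the fix can be compared against the earlier result. The function name `summarize` and the last sample line are assumptions made for illustration.

```python
import re

# "<log file>:<timestamp> ... Cannot load certificate '<cert>' & key '<key>': <reason>."
# Covers both timestamp styles seen in this bug (libvirtd.log and nova_compute stdout).
PATTERN = re.compile(
    r"^(?P<log>[^:]+):(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}\.\d+)"
    r".*?Cannot load certificate '(?P<cert>[^']+)' & key '(?P<key>[^']+)': "
    r"(?P<reason>.+?)\.?$"
)

ERR = ("internal error: unable to execute QEMU command 'object-add': "
       "Cannot load certificate '/etc/pki/qemu/server-cert.pem' & key "
       "'/etc/pki/qemu/server-key.pem': Error while reading file.")
LIBVIRT = "/var/log/containers/libvirt/libvirtd.log.1:"
NOVA = "/var/log/containers/stdouts/nova_compute.log.1:"

# Four lines taken from the compute-1 excerpt in this bug, plus one
# constructed line that must not match.
SAMPLE = "\n".join([
    LIBVIRT + "2022-05-04 18:08:06.381+0000: 28953: error : virNetClientProgramDispatchError:172 : " + ERR,
    LIBVIRT + "2022-05-04 18:08:42.907+0000: 28951: error : virNetClientProgramDispatchError:172 : " + ERR,
    NOVA + "2022-05-04T18:08:06.411077834+00:00 stderr F libvirt.libvirtError: " + ERR,
    NOVA + "2022-05-04T18:08:42.918997327+00:00 stderr F libvirt.libvirtError: " + ERR,
    LIBVIRT + "2022-05-04 18:09:00.000+0000: 28953: info : constructed unrelated line",
])

def summarize(text):
    """Group certificate load failures by (cert, key) pair."""
    out = {}
    for line in text.splitlines():
        m = PATTERN.search(line.strip())
        if not m:
            continue
        ts = m["ts"].replace("T", " ")  # normalise so both formats sort together
        entry = out.setdefault((m["cert"], m["key"]), {
            "count": 0, "first": ts, "last": ts, "logs": set(), "reason": m["reason"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["logs"].add(m["log"])
    return out

if __name__ == "__main__":
    for (cert, key), e in summarize(SAMPLE).items():
        print(f"{cert} / {key}: {e['count']} failures, {e['first']} .. {e['last']}, "
              f"reason={e['reason']!r}, logs={sorted(e['logs'])}")
```

An empty result from `summarize` over fresh `grep` output after the manifest is reapplied corresponds to the "no signs of Cannot load certificate" outcome described for the VNC certificate.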