Bug 756136

Summary: ovirtNode: sasl2/libvirt.conf - mech_list
Product: [Retired] oVirt
Reporter: Douglas Schilling Landgraf <dougsland>
Component: ovirt-node
Assignee: Mike Burns <mburns>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: acathrow, apevec, jboggs, mburns, ovirt-bugs, ovirt-maint
Hardware: All
OS: All
Fixed In Version: 2.2.0
Doc Type: Bug Fix
Last Closed: 2012-01-05 16:21:46 UTC
Bug Blocks: 752464

Description Douglas Schilling Landgraf 2011-11-22 19:29:39 UTC
Description of problem:

Hello Mike,

     As we talked over IRC today, it will be required to verify why oVirt Node sets mech_list only to gssapi. I have created this BZ so that we can track it.

from post scripts/ovirt-functions/recipe/ovirt16-post.ks:
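import os  # needed to run this excerpt stand-alone

# with libvirt (0.4.0), make sure we set up gssapi in the mech_list
sasl_conf = "/etc/sasl2/libvirt.conf"
# grep exits non-zero when there is no active "mech_list: gssapi" line
ret = os.system('grep -qE "^mech_list: gssapi" %s' % sasl_conf)
if ret > 0:
  # comment out any existing mech_list line, then append the gssapi-only one
  os.system(r"sed -i -e 's/^\([[:space:]]*mech_list.*\)/#\1/' %s" % sasl_conf)
  os.system('echo "mech_list: gssapi" >> %s' % sasl_conf)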

===========================
However, if we do not also enable digest-md5 in the mech_list, vdsm throws the exception below during the **approval operational**:

vdsm log:
============================================
MainThread::INFO::2011-11-22 05:16:06,790::vdsm::76::vds::(run) VDSM main thread ended. Waiting for 1 other threads...
MainThread::INFO::2011-11-22 05:16:06,792::vdsm::79::vds::(run) <_MainThread(MainThread, started 140463204898560)>
MainThread::INFO::2011-11-22 05:16:06,793::vdsm::79::vds::(run) <Thread(libvirtEventLoop, started daemon 140462990432000)>
MainThread::INFO::2011-11-22 05:16:06,850::vdsm::71::vds::(run) I am the actual vdsm 4.9-0
MainThread::ERROR::2011-11-22 05:16:06,978::vdsm::74::vds::(run) Traceback (most recent call last):
  File "/usr/share/vdsm/vdsm", line 72, in run
    serve_clients(log)
  File "/usr/share/vdsm/vdsm", line 40, in serve_clients
    cif = clientIF.clientIF(log)
  File "/usr/share/vdsm/clientIF.py", line 113, in __init__
  File "/usr/share/vdsm/libvirtconnection.py", line 111, in get
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
libvirtError: authentication failed: authentication failed

libvirtError: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) 


Currently, I am using:
===========================
# vi /etc/sasl2/libvirt.conf
mech_list: digest-md5 gssapi


Thanks for all your help!

Comment 1 Douglas Schilling Landgraf 2011-11-23 01:00:56 UTC
Hello Mike,

      Just a few more comments:

The SASL mechanism configured by default is DIGEST-MD5, which provides a basic username+password style authentication [1] (which vdsm uses). So if you prefer, we can even not set mech_list. However, we might want to be compatible with the RHEV-H image.

If this helps, from RHEV env:

# cat /etc/redhat-release 
Red Hat Enterprise Virtualization Hypervisor release 6.2 (20111010.2.el6)

# cat /etc/sasl2/libvirt.conf | grep -v '^#\|^$'
mech_list: digest-md5
keytab: /etc/libvirt/krb5.tab
sasldb_path: /etc/libvirt/passwd.db

[1] http://libvirt.org/auth.html 

Thanks!
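
Added example, not part of the original bug thread or of the oVirt code: a Python check that reads the text of /etc/sasl2/libvirt.conf and reports whether the mechanism the client needs (digest-md5 for vdsm, per the comment above) is offered by the active mech_list line, which is the mismatch behind "No worthy mechs found". The sample configs are constructed from the snippets quoted in this bug; the function name, the status strings, and treating an unset mech_list as "no restriction from this file" are assumptions of the example.

```python
import re

# Active (uncommented) "mech_list: ..." line; "# mech_list: ..." does not match.
MECH_RE = re.compile(r"^\s*mech_list\s*:(.*)$")

# Constructed samples modelled on the two configurations quoted in this bug.
NODE_CONF = """\
# mech_list: digest-md5
mech_list: gssapi
"""
RHEVH_CONF = """\
mech_list: digest-md5
keytab: /etc/libvirt/krb5.tab
sasldb_path: /etc/libvirt/passwd.db
"""


def check_mech_list(conf_text, needed="digest-md5"):
    """Classify a sasl2 config against the mechanism the client needs.

    Returns one of (status strings are this example's own convention):
      "unset"     - no active mech_list line (assumed: no restriction here)
      "duplicate" - more than one active line; which one wins is not assumed
      "ok"        - the needed mechanism is listed
      "missing"   - mech_list is set but does not offer the needed mechanism
    """
    active = []
    for line in conf_text.splitlines():
        m = MECH_RE.match(line)
        if m:
            # Mechanism names are whitespace separated; compare case-insensitively.
            active.append(m.group(1).lower().split())
    if not active:
        return "unset"
    if len(active) > 1:
        return "duplicate"
    return "ok" if needed.lower() in active[0] else "missing"


if __name__ == "__main__":
    for name, text in (("node", NODE_CONF), ("rhev-h", RHEVH_CONF)):
        print(name, check_mech_list(text))
```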

Comment 2 Mike Burns 2011-11-23 11:50:09 UTC
Alan,

Do you know why we're updating this to just gssapi?  It's only done for fedora based nodes.

Comment 3 Alan Pevec 2011-11-23 12:09:06 UTC
Leftover from legacy ovirt-server: it used kerberized remote libvirt access.
You can drop that now.

Comment 4 Mike Burns 2011-11-23 12:27:54 UTC
http://gerrit.ovirt.org/#change,358

Comment 5 Mike Burns 2011-12-02 15:34:44 UTC
Patch pushed to master