| Summary: | Engine sends invalid VM config to vdsm when SSL is disabled | ||
|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Adam Litke <alitke> |
| Component: | ovirt-engine-core | Assignee: | lpeer <lpeer> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | acathrow, bazulay, iheim, michal.skrivanek, ofrenkel, shavivi, ykaul |
| Target Milestone: | --- | Keywords: | EasyFix |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | infra virt | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-12-13 08:13:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Adam Litke
2012-01-24 16:14:30 UTC
There should not be any relationship between enabling/disabling SSL between Engine and VDSM, and Spice's usage of SSL. If there is one, it's a bug by itself.

I have mixed feelings about this one:
per original description
1. if user configures conflicting configs - there could be consequences
2. it would be nice if engine wouldn't treat these as conflicting.
per kaul comment
3. mostly, no ssl is used with InstallVds=false, which skips bootstrapping, which skips certificate generation. we don't support spice encryption without certificates.
Adam - were the hosts bootstrapped via engine?

No. We installed these hosts ourselves according to the document posted here: http://ovirt.org/wiki/Installing_ovirt-engine_from_rpm.

Even in the case of misconfiguration, ovirt-engine should not be sending vdsm a configuration that it cannot properly parse. From my reading of the vdsm code, it is simply not valid for the 'spiceSecureChannels' dictionary element to be set to 'true'. It should either be not present or a comma-separated string.

I'd be curious where 'true' is even coming from. actually, it doesn't seem to based on the code:
from:
./backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/CreateVDSCommand.java:
    if (Config.<Boolean> GetValue(ConfigValues.SSLEnabled)) {
        mCreateInfo.add(VdsProperties.spiceSslCipherSuite,
                Config.<String> GetValue(ConfigValues.CipherSuite));
        mCreateInfo.add(VdsProperties.SpiceSecureChannels,
                Config.<String> GetValue(ConfigValues.SpiceSecureChannels));
    }
so it does try to only send them when SSL is enabled.
so a quick way to check would be to add:
else
xxx = "";
are you sure vdsm is not the one assuming true if this is not sent?
The vdsm log shows the dictionary that is passed to it by engine, and it contains 'spiceSecureChannels': 'true'. Is it possible that engine could be setting some default properties elsewhere?

(In reply to comment #5)
> The vdsm log shows the dictionary that is passed to it by engine, and it
> contains 'spiceSecureChannels': 'true'. Is it possible that engine could be
> setting some default properties elsewhere?

setting the value to true is fine, vdsm uses this line:
    for channel in self.conf['spiceSecureChannels'].split(','):
and in python, splitting a single string like 'true' to a list produces a list:
    x = 'true'.split(',')
    print x
    >>> ['true']

Hi Adam,
in your vdc_options table the value of SpiceSecureChannels is supposed to be 'smain,sinputs' (version 'general'), is it 'true' in your case?
also take a look at the SSLEnabled value, it is supposed to be false in your version (3.1?)
according to the create VM code the only reference to SpiceSecureChannels is in this snippet:
    // send cipher suite and spice secure channels parameters only if ssl
    // enabled.
    if (Config.<Boolean> GetValue(ConfigValues.SSLEnabled)) {
        createInfo.add(VdsProperties.spiceSslCipherSuite,
                Config.<String> GetValue(ConfigValues.CipherSuite));
        createInfo.add(VdsProperties.SpiceSecureChannels,
                Config.<String> GetValue(ConfigValues.SpiceSecureChannels));
    }
which says that if SSLEnabled, we are adding the CipherSuite and the SpiceSecureChannels.
So please check your database and let me know
Here is my DB configuration. Note that I changed SpiceSecureChannels to '' as suggested by a developer on IRC to work around the problem).
SSLEnabled: true
SpiceSecureChannels: ''

(In reply to comment #8)
> Here is my DB configuration. Note that I changed SpiceSecureChannels to '' as
> suggested by a developer on IRC to work around the problem).
>
> SSLEnabled: true
> SpiceSecureChannels: ''

ok, so this is the problem: the ssl is not disabled, then ovirt sends the SpiceSecureChannels, which is '' (and must be 'smain,sinputs' for libvirt).
you can set the SSLEnabled to false or update the SpiceSecureChannels to 'smain,sinputs' (which is a good idea anyway)

Ok. So I guess the final question is how those config variables got to an invalid state. This could be due to the way we disabled SSL but I am not sure.
Is there any effort underway to alleviate the need for administrators to reconfigure the engine via DB queries (perhaps an engine-admin helper program or a Firefox style about:config interface)?

(In reply to comment #10)
> Ok. So I guess the final question is how those config variables got to an
> invalid state. This could be due to the way we disabled SSL but I am not sure.

the SpiceSecureChannels was changed by you (as suggested by a developer on IRC), the SSLEnabled is the default installation, so if you didn't change it in the install process this is a valid value.

> Is there any effort underway to alleviate the need for administrators to
> reconfigure the engine via DB queries (perhaps an engine-admin helper program
> or a Firefox style about:config interface)?

there is a tool called: ovirt-config, the tool enables you to query the database for values and update them

Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.
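
An added example, not part of the bug thread and not vdsm or ovirt-engine code: a strict parse of the 'spiceSecureChannels' value, showing why the plain split(',') discussed above accepts both 'true' and '' without complaint. The names parse_secure_channels, check and ALLOWED are hypothetical, and the allowed set beyond 'smain' and 'sinputs' (the only channel names given in the thread) is an assumption.

```python
# Added example: validate 'spiceSecureChannels' before it is used.
# ALLOWED is an assumption; the thread itself only names 'smain' and 'sinputs'.
ALLOWED = {"smain", "sinputs", "sdisplay", "scursor", "splayback", "srecord"}


def parse_secure_channels(conf):
    """Return the list of secure channel names, or raise ValueError.

    A missing key means "no secure channels" and returns []. A present key
    must be a comma-separated string of known channel names.
    """
    if "spiceSecureChannels" not in conf:
        return []
    raw = conf["spiceSecureChannels"]
    if not isinstance(raw, str):
        raise ValueError("spiceSecureChannels must be a string, got %r" % (raw,))
    # Plain split(',') never fails: 'true' -> ['true'] and '' -> [''],
    # so every element has to be checked by name.
    channels = [c.strip() for c in raw.split(",")]
    bad = [c for c in channels if c not in ALLOWED]
    if bad:
        raise ValueError("invalid spiceSecureChannels entries: %r" % (bad,))
    return channels


def check(conf):
    """Return (ok, detail) without raising, for use in a pre-flight report."""
    try:
        return True, parse_secure_channels(conf)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample configs mirroring the values quoted in the thread.
    samples = [
        {"spiceSecureChannels": "smain,sinputs"},
        {"spiceSecureChannels": "true"},
        {"spiceSecureChannels": ""},
        {},
    ]
    for conf in samples:
        print(conf, "->", check(conf))
```
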