Bug 856263
| Field | Value |
|---|---|
| Summary | Fix libvirt auth callback to allow for use of libvirt client auth config files |
| Product | Red Hat OpenStack |
| Component | openstack-nova |
| Version | 2.0 (Folsom) |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Daniel Berrangé <berrange> |
| Assignee | Daniel Berrangé <berrange> |
| QA Contact | Jaroslav Henner <jhenner> |
| CC | ndipanov, pbrady |
| Keywords | Triaged |
| Target Milestone | snapshot1 |
| Target Release | 2.1 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | openstack-nova-2012.2.2-8.el6ost |
| Doc Type | Bug Fix |
| Last Closed | 2013-01-30 21:07:09 UTC |
| Type | Bug |

Description
Daniel Berrangé
2012-09-11 15:03:44 UTC
I'm proposing it to Folsom - that by default Nova would speak to libvirt with creds. The reason (which is copied from RHEV/oVirt's VDSM) is that people will not (ab)use virsh and confuse nova by doing manipulations 'beneath it' without its knowledge. Of course, the above request should be filed in a different BZ (for the installer) once this one has been satisfied.

I forgot that GIT master still refers to Folsom, so there's no backport required.

It doesn't seem to be working. I followed the instruction in the commit message, except that I did `saslpasswd2 -a libvirt nova` instead of `saslpasswd -a libvirt nova`, but it fails:

```
[root@node-02 libvirt]# rpm -q openstack-nova-compute
openstack-nova-compute-2012.2.1-2.el6ost.noarch
[root@node-02 libvirt]# grep sasl /etc/libvirt/libvirtd.conf
# - sasl: use SASL infrastructure. The actual auth scheme is then
# controlled from /etc/sasl2/libvirt.conf. For the TCP
auth_unix_rw = "sasl"
# mechanism in /etc/sasl2/libvirt.conf
# mechanism as well, by using 'sasl' for this option
#sasl_allowed_username_list = ["joe", "fred" ]
[root@node-02 libvirt]# cat ~nova/.config/libvirt
[credentials-nova]
authname=nova
password=***
[auth-libvirt-localhost]
credentials=nova
[root@node-02 libvirt]# /etc/init.d/libvirtd restart
Stopping libvirtd daemon: [ OK ]
Starting libvirtd daemon: [ OK ]
[root@node-02 libvirt]# /etc/init.d/openstack-nova-compute restart
Stopping openstack-nova-compute: [FAILED]
Starting openstack-nova-compute: [ OK ]
[root@node-02 libvirt]#
```

```
2012-12-10 14:03:11 10352 INFO nova.compute.manager [-] Loading compute driver 'libvirt.LibvirtDriver'
...
2012-12-10 14:03:11 10352 DEBUG nova.service [-] compute_manager : nova.compute.manager.ComputeManager wait /usr/lib/python2.6/site-packages/nova/service.py:188
2012-12-10 14:03:11 10352 DEBUG nova.service [-] network_topic : network wait /usr/lib/python2.6/site-packages/nova/service.py:188
2012-12-10 14:03:11 10352 AUDIT nova.service [-] Starting compute node (version 2012.2.1-LOCALBRANCH:LOCALREVISION)
2012-12-10 14:03:11 10352 DEBUG nova.virt.libvirt.driver [-] Connecting to libvirt: qemu:///system _get_connection /usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py:342
2012-12-10 14:03:11 10352 WARNING nova.virt.libvirt.driver [-] Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 CRITICAL nova [-] Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 TRACE nova Traceback (most recent call last):
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 389, in _connect_auth_cb
2012-12-10 14:03:11 10352 TRACE nova % len(creds))
2012-12-10 14:03:11 10352 TRACE nova NovaException: Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 TRACE nova
2012-12-10 14:03:11.570+0000: 10263: info : libvirt version: 0.10.2, package: 10.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2012-11-26-12:09:30, x86-022.build.eng.bos.redhat.com)
2012-12-10 14:03:11.570+0000: 10263: error : virNetSocketReadWire:1184 : End of file while reading data: Input/output error
2012-12-10 14:03:11 10352 CRITICAL nova [-] authentication failed: Failed to collect auth credentials
2012-12-10 14:03:11 10352 TRACE nova Traceback (most recent call last):
2012-12-10 14:03:11 10352 TRACE nova File "/usr/bin/nova-compute", line 48, in <module>
2012-12-10 14:03:11 10352 TRACE nova service.wait()
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/nova/service.py", line 659, in wait
2012-12-10 14:03:11 10352 TRACE nova _launcher.wait()
...
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/nova/compute/manager.py", line 266, in init_host
2012-12-10 14:03:11 10352 TRACE nova self.driver.init_host(host=self.host)
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 332, in init_host
2012-12-10 14:03:11 10352 TRACE nova if not self.has_min_version(MIN_LIBVIRT_VERSION):
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 321, in has_min_version
2012-12-10 14:03:11 10352 TRACE nova libvirt_version = self._conn.getLibVersion()
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 349, in _get_connection
2012-12-10 14:03:11 10352 TRACE nova self._connect, self.uri, self.read_only)
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/eventlet/tpool.py", line 147, in proxy_call
2012-12-10 14:03:11 10352 TRACE nova rv = execute(f,*args,**kwargs)
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/eventlet/tpool.py", line 76, in tworker
2012-12-10 14:03:11 10352 TRACE nova rv = meth(*args,**kwargs)
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 403, in _connect
2012-12-10 14:03:11 10352 TRACE nova return libvirt.openAuth(uri, auth, 0)
2012-12-10 14:03:11 10352 TRACE nova File "/usr/lib64/python2.6/site-packages/libvirt.py", line 102, in openAuth
2012-12-10 14:03:11 10352 TRACE nova if ret is None:raise libvirtError('virConnectOpenAuth() failed')
2012-12-10 14:03:11 10352 TRACE nova libvirtError: authentication failed: Failed to collect auth credentials
```

This seems like the bug is still present after the fix mentioned is introduced (in Folsom). I will re-assign to Dan to have a closer look as he was working on this already.

You are testing this on RHEL-6, so the configuration path is different. You must use $HOME/.libvirt/auth.conf

Worked: ...

```
[root@folsom-rhel6 ~]# sasldblistusers2 /etc/libvirt/passwd.db
nova: userPassword
root: userPassword
[root@folsom-rhel6 ~]# cat ~nova/.libvirt/auth.conf
[credentials-nova]
authname=nova
password=verybadpass
[auth-libvirt-localhost]
credentials=nova
[root@folsom-rhel6 ~]# /etc/init.d/openstack-nova-compute restart
Stopping openstack-nova-compute: [ OK ]
Starting openstack-nova-compute: [ OK ]
[root@folsom-rhel6 ~]# virsh list
Please enter your authentication name: root
Please enter your password:
Id Name State
----------------------------------------------------
[root@folsom-rhel6 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0208.html
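
Added example, not part of the bug thread and not code from Nova or libvirt: a pre-flight check for the client auth file discussed above, reporting which candidate path exists, whether the `[auth-libvirt-localhost]` section resolves to a complete `[credentials-...]` section, and whether the file holding the plaintext password is readable by other users. The function names and the `.config/libvirt/auth.conf` candidate path are assumptions; `.libvirt/auth.conf` is the RHEL-6 path given in the thread.

```python
import configparser
import os
import stat
import tempfile

# Paths relative to the service user's home. The second is the RHEL-6 path
# from this report; the first is an assumed XDG-style location.
CANDIDATES = (".config/libvirt/auth.conf", ".libvirt/auth.conf")

def find_auth_conf(home):
    """Return the candidate auth.conf paths that exist under `home`."""
    paths = [os.path.join(home, rel) for rel in CANDIDATES]
    return [p for p in paths if os.path.isfile(p)]

def check_auth_conf(path, service="libvirt", host="localhost"):
    """Return a list of problems found in one client auth file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("mode %04o exposes the stored password" % mode)
    cp = configparser.RawConfigParser()  # raw: '%' in a password is literal
    try:
        cp.read(path)
    except configparser.Error as exc:
        return problems + ["unparseable: %s" % exc]
    auth = "auth-%s-%s" % (service, host)
    if not cp.has_option(auth, "credentials"):
        return problems + ["no credentials= key in [%s]" % auth]
    cred = "credentials-" + cp.get(auth, "credentials").strip()
    if not cp.has_section(cred):
        return problems + ["[%s] refers to missing [%s]" % (auth, cred)]
    for key in ("authname", "password"):
        if not cp.get(cred, key, fallback="").strip():
            problems.append("[%s] has no %s" % (cred, key))
    return problems

def demo(password="", mode=0o644):
    """Check a constructed home directory; returns (files found, problems)."""
    home = tempfile.mkdtemp()
    path = os.path.join(home, ".libvirt", "auth.conf")
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as fh:  # constructed sample file
        fh.write("[credentials-nova]\nauthname=nova\npassword=%s\n"
                 "[auth-libvirt-localhost]\ncredentials=nova\n" % password)
    os.chmod(path, mode)
    return find_auth_conf(home), check_auth_conf(path)

if __name__ == "__main__":
    print(demo())
```

An empty result from `find_auth_conf` for the service user's home matches the failure in the thread, where the file sat at a path the client did not read.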