Bug 856263

Summary: Fix libvirt auth callback to allow for use of libvirt client auth config files
Product: Red Hat OpenStack
Reporter: Daniel Berrange <berrange>
Component: openstack-nova
Assignee: Daniel Berrange <berrange>
Status: CLOSED ERRATA
QA Contact: Jaroslav Henner <jhenner>
Severity: unspecified
Priority: unspecified
Version: 2.0 (Folsom)
CC: ndipanov, pbrady
Target Milestone: snapshot1
Keywords: Triaged
Target Release: 2.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-nova-2012.2.2-8.el6ost
Doc Type: Bug Fix
Last Closed: 2013-01-30 16:07:09 EST
Type: Bug

Description Daniel Berrange 2012-09-11 11:03:44 EDT
Description of problem:
Due to bugs in the way Nova provides the libvirt openAuth callback, it is not possible to make use of the libvirt client authentication file. This means it is not possible to connect Nova to a libvirtd instance requiring SASL authentication. The fix is here:

  https://review.openstack.org/#/c/12706/

and can be easily backported to either Essex or Folsom as desired.
Comment 1 Yaniv Kaul 2012-09-11 11:09:47 EDT
I'm proposing it to Folsom - that by default Nova would speak to libvirt with creds.
The reason (which is copied from RHEV/oVirt's VDSM) is that people will not (ab)use virsh and confuse nova by doing manipulations 'beneath it' without its knowledge.

Of course, the above request should be filed in a different BZ (for the installer) once this one has been satisfied.
Comment 2 Daniel Berrange 2012-09-11 12:48:58 EDT
I forgot that GIT master still refers to Folsom, so there's no backport required.
Comment 3 Jaroslav Henner 2012-12-10 09:09:44 EST
It doesn't seem to be working. I followed the instruction in the commit message, except that I did 
saslpasswd2 -a libvirt nova

instead of 
saslpasswd -a libvirt nova

but it fails:
[root@node-02 libvirt]# rpm -q openstack-nova-compute
openstack-nova-compute-2012.2.1-2.el6ost.noarch

[root@node-02 libvirt]# grep sasl /etc/libvirt/libvirtd.conf
#  - sasl: use SASL infrastructure. The actual auth scheme is then
#          controlled from /etc/sasl2/libvirt.conf. For the TCP
auth_unix_rw = "sasl"
# mechanism in /etc/sasl2/libvirt.conf
# mechanism as well, by using 'sasl' for this option
#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]

[root@node-02 libvirt]# cat ~nova/.config/libvirt 
[credentials-nova]
authname=nova
password=***

[auth-libvirt-localhost]
credentials=nova

[root@node-02 libvirt]# /etc/init.d/libvirtd restart
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]
[root@node-02 libvirt]# /etc/init.d/openstack-nova-compute restart
Stopping openstack-nova-compute:                           [FAILED]
Starting openstack-nova-compute:                           [  OK  ]
[root@node-02 libvirt]# 2012-12-10 14:03:11 10352 INFO nova.compute.manager [-] Loading compute driver 'libvirt.LibvirtDriver'
...
2012-12-10 14:03:11 10352 DEBUG nova.service [-] compute_manager : nova.compute.manager.ComputeManager wait /usr/lib/python2.6/site-packages/nova/service.py:188
2012-12-10 14:03:11 10352 DEBUG nova.service [-] network_topic : network wait /usr/lib/python2.6/site-packages/nova/service.py:188
2012-12-10 14:03:11 10352 AUDIT nova.service [-] Starting compute node (version 2012.2.1-LOCALBRANCH:LOCALREVISION)
2012-12-10 14:03:11 10352 DEBUG nova.virt.libvirt.driver [-] Connecting to libvirt: qemu:///system _get_connection /usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py:342
2012-12-10 14:03:11 10352 WARNING nova.virt.libvirt.driver [-] Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 CRITICAL nova [-] Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 TRACE nova Traceback (most recent call last):
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 389, in _connect_auth_cb
2012-12-10 14:03:11 10352 TRACE nova     % len(creds))
2012-12-10 14:03:11 10352 TRACE nova NovaException: Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 TRACE nova 
2012-12-10 14:03:11.570+0000: 10263: info : libvirt version: 0.10.2, package: 10.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2012-11-26-12:09:30, x86-022.build.eng.bos.redhat.com)
2012-12-10 14:03:11.570+0000: 10263: error : virNetSocketReadWire:1184 : End of file while reading data: Input/output error
2012-12-10 14:03:11 10352 CRITICAL nova [-] authentication failed: Failed to collect auth credentials
2012-12-10 14:03:11 10352 TRACE nova Traceback (most recent call last):
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/bin/nova-compute", line 48, in <module>
2012-12-10 14:03:11 10352 TRACE nova     service.wait()
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/service.py", line 659, in wait
2012-12-10 14:03:11 10352 TRACE nova     _launcher.wait()
...
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/compute/manager.py", line 266, in init_host
2012-12-10 14:03:11 10352 TRACE nova     self.driver.init_host(host=self.host)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 332, in init_host
2012-12-10 14:03:11 10352 TRACE nova     if not self.has_min_version(MIN_LIBVIRT_VERSION):
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 321, in has_min_version
2012-12-10 14:03:11 10352 TRACE nova     libvirt_version = self._conn.getLibVersion()
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 349, in _get_connection
2012-12-10 14:03:11 10352 TRACE nova     self._connect, self.uri, self.read_only)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/eventlet/tpool.py", line 147, in proxy_call
2012-12-10 14:03:11 10352 TRACE nova     rv = execute(f,*args,**kwargs)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/eventlet/tpool.py", line 76, in tworker
2012-12-10 14:03:11 10352 TRACE nova     rv = meth(*args,**kwargs)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 403, in _connect
2012-12-10 14:03:11 10352 TRACE nova     return libvirt.openAuth(uri, auth, 0)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib64/python2.6/site-packages/libvirt.py", line 102, in openAuth
2012-12-10 14:03:11 10352 TRACE nova     if ret is None:raise libvirtError('virConnectOpenAuth() failed')
2012-12-10 14:03:11 10352 TRACE nova libvirtError: authentication failed: Failed to collect auth credentials
Comment 4 Nikola Dipanov 2012-12-13 10:48:09 EST
It seems like the bug is still present after the fix mentioned was introduced (in Folsom).

I will re-assign to Dan to have a closer look as he was working on this already.
Comment 5 Daniel Berrange 2013-01-15 05:34:13 EST
You are testing this on RHEL-6, so the configuration path is different. You must use $HOME/.libvirt/auth.conf
Comment 6 Jaroslav Henner 2013-01-23 09:01:00 EST
Worked:

...
[root@folsom-rhel6 ~]# sasldblistusers2 /etc/libvirt/passwd.db 
nova@folsom-rhel6.xxx: userPassword
root@folsom-rhel6.xxx: userPassword
[root@folsom-rhel6 ~]# cat ~nova/.libvirt/auth.conf 
[credentials-nova]
authname=nova
password=verybadpass

[auth-libvirt-localhost]
credentials=nova

[root@folsom-rhel6 ~]# /etc/init.d/openstack-nova-compute restart
Stopping openstack-nova-compute:                           [  OK  ]
Starting openstack-nova-compute:                           [  OK  ]

[root@folsom-rhel6 ~]# virsh list
Please enter your authentication name: root
Please enter your password: 
 Id    Name                           State
----------------------------------------------------

[root@folsom-rhel6 ~]#
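
Added example (not part of the bug report, and not Nova or libvirt code): a small offline check for a libvirt client auth file like the one shown in comment 6. It resolves which [credentials-*] group a given service and host would select, and flags file modes that expose the plaintext password to other local users. The lookup order (host-specific [auth-SERVICE-HOST] first, then [auth-SERVICE]) is an assumption based on libvirt's auth.conf documentation, parsing with Python's configparser is an approximation of libvirt's own parser, and the function names and sample values are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

def resolve_credentials(path, service, hostname):
    """Return (auth section, credentials dict) selected for service/hostname."""
    cfg = configparser.RawConfigParser()
    cfg.optionxform = str  # keep key names exactly as written
    if not cfg.read(path):
        raise FileNotFoundError(path)
    # Assumed lookup order: host-specific section first, then service-wide.
    for section in ("auth-%s-%s" % (service, hostname), "auth-%s" % service):
        if cfg.has_section(section):
            break
    else:
        raise LookupError("no [auth-%s...] section for host %s" % (service, hostname))
    group = "credentials-" + cfg.get(section, "credentials")
    if not cfg.has_section(group):
        raise LookupError("[%s] references missing [%s]" % (section, group))
    return section, dict(cfg.items(group))

def audit_permissions(path):
    """Flag modes that let group/other read the plaintext password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s is mode %04o; expected 0600" % (path, mode)]
    return []

# Constructed sample mirroring the layout in comment 6 (placeholder password).
SAMPLE = """[credentials-nova]
authname=nova
password=PLACEHOLDER

[auth-libvirt-localhost]
credentials=nova
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.conf")
        with open(path, "w") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)            # world-readable: should be flagged
        loose = audit_permissions(path)
        os.chmod(path, 0o600)            # owner-only: should pass
        section, creds = resolve_credentials(path, "libvirt", "localhost")
        return section, creds, loose, audit_permissions(path)

if __name__ == "__main__":
    print(demo())
```

On RHEL-6 the path to check is the one given in comment 5, $HOME/.libvirt/auth.conf for the account that runs nova-compute.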
Comment 8 errata-xmlrpc 2013-01-30 16:07:09 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0208.html