Bug 1027236 - pmcd fails to start, nss/cert problems
pmcd fails to start, nss/cert problems
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcp (Show other bugs)
7.0
All Linux
urgent Severity medium
: beta
: ---
Assigned To: Dave Brolley
Miloš Prchlík
: Regression
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-06 07:11 EST by Tomas Smetana
Modified: 2014-06-18 00:15 EDT (History)
6 users (show)

See Also:
Fixed In Version: pcp-3.8.6-2.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 08:06:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Smetana 2013-11-06 07:11:13 EST
Description of problem:
Ater a fresh installation of pcp the pmcd deamon fails to start.

Version-Release number of selected component (if applicable):
pcp-3.8.6-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. systemctl start pmcd.service

Actual results:
The pmcd deamon is not running, unable to connect...

Expected results:
The daemon is up, accepting connections.

Additional info:
cat /var/log/pcp/pmcd/pmcd.log says:

Log for pmcd on el-7-local started Wed Nov  6 06:34:20 2013

[Wed Nov  6 06:34:20] pmcd(12760) Error: Unable to set NSS export policy: Failure to load dynamic library
[Wed Nov  6 06:34:20] pmcd(12760) Error: pmcd not started due to errors!

Log finished Wed Nov  6 06:34:20 2013
Comment 1 Frank Ch. Eigler 2013-11-06 07:29:27 EST
This appears to be an NSS certificate-database configuration problem.

It seems unfortunate that pmcd fails entirely upon such a problem.  At
worst we should allow communication without SSL/TLS, e.g. over normal
TCP and definitely over local:.

It is also suspicious that we should be initializing nss to the "Export"
suite of ciphers, which probably unnecessarily weakens it.

nss-3.15.2-7.el7.x86_64
pcp-3.8.6-1.el7.x86_64

reproducible on tofan.yyz's rhel7 vm
Comment 2 Frank Ch. Eigler 2013-11-06 07:32:11 EST
See bug #1001841: nss-3.15.2-6 "disable ssl2 and the export cipher suites".
Comment 4 Frank Ch. Eigler 2013-11-06 11:09:31 EST
See also bug #1026677.
Open-coding a version of that nss patch within pcp.
Comment 6 Dave Brolley 2013-11-12 11:40:41 EST
(In reply to Frank Ch. Eigler from comment #1)
> It seems unfortunate that pmcd fails entirely upon such a problem.  At
> worst we should allow communication without SSL/TLS, e.g. over normal
> TCP and definitely over local:.

Opened upstream bug http://oss.sgi.com/bugzilla/show_bug.cgi?id=1035 to track this.
Comment 8 Ludek Smid 2014-06-13 08:06:54 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.