Bug 1034634 - missing certificates generation cause virsh and spice connection to fail
Summary: missing certificates generation cause virsh and spice connection to fail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.4.0
Assignee: Yedidyah Bar David
QA Contact: movciari
URL:
Whiteboard: integration
: 1034679 1035395 1056649 1058936 1067683 (view as bug list)
Depends On:
Blocks: 1063576 1073446 rhev3.4beta 1142926
TreeView+ depends on / blocked
 
Reported: 2013-11-26 09:06 UTC by Sandro Bonazzola
Modified: 2018-12-04 16:32 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, certificate authority certificates were not generated for libvirt. This resulted in a failure to connect to the engine virtual machine using virsh or SPICE during the hosted-engine deployment. Now, the necessary certificates are generated before libvirt is configured for VDSM and users can connect to the engine virtual machine using virsh or SPICE.
Clone Of:
: 1073446 (view as bug list)
Environment:
Last Closed: 2014-06-09 14:47:27 UTC
oVirt Team: ---
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:0505 normal SHIPPED_LIVE ovirt-hosted-engine-setup bug fix and enhancement update 2014-06-09 18:45:23 UTC
oVirt gerrit 25142 None MERGED packaging: setup: libvirt and system PKI 2020-06-03 10:16:16 UTC
oVirt gerrit 25472 None MERGED packaging: setup: libvirt and system PKI 2020-06-03 10:16:16 UTC
oVirt gerrit 25747 None MERGED packaging: setup: Create /etc/pki/libvirt if not exists 2020-06-03 10:16:16 UTC

Description Sandro Bonazzola 2013-11-26 09:06:57 UTC
On a clean system install, trying to use virsh connection for accessing the shell for installing the OS inside the Self Hosted Engine VM leads to 
 # virsh -c qemu+tls:///Test/system console HostedEngine
 error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or  directory
 error: failed to connect to the hypervisor

the '/etc/pki/CA/cacert.pem' is created later when the host is added to the manager by ovirt-host-deploy.

We need to provide /etc/pki/CA/cacert.pem before OS installation for allowing virsh to connect to the hypervisor.

Comment 1 Sandro Bonazzola 2013-11-26 09:13:38 UTC
Workaround: http://libvirt.org/remote.html#Remote_TLS_CA

Comment 3 Sandro Bonazzola 2013-12-09 16:19:58 UTC
*** Bug 1034679 has been marked as a duplicate of this bug. ***

Comment 4 Sandro Bonazzola 2013-12-09 16:21:26 UTC
also server and client certificates are missing, causing libvirt not listening on qemu+tls port.

Comment 5 Sandro Bonazzola 2013-12-10 14:12:39 UTC
*** Bug 1035395 has been marked as a duplicate of this bug. ***

Comment 6 Sandro Bonazzola 2013-12-10 14:14:16 UTC
Also  /etc/pki/libvirt-spice cretificates are generated by ovirt-host-deploy at later stage, so when creating cacert.pem hosted-engine --deploy need to take care of these too.

Comment 10 Sandro Bonazzola 2014-01-27 10:05:28 UTC
*** Bug 1056649 has been marked as a duplicate of this bug. ***

Comment 11 Sandro Bonazzola 2014-01-31 13:08:59 UTC
As workaround, perform an all-in-one setup, then execute cleanup and deploy hosted-engine or use VNC connection.

Comment 12 Sandro Bonazzola 2014-01-31 13:09:39 UTC
*** Bug 1058936 has been marked as a duplicate of this bug. ***

Comment 13 Sandro Bonazzola 2014-02-11 08:58:03 UTC
*** Bug 1063576 has been marked as a duplicate of this bug. ***

Comment 15 Yedidyah Bar David 2014-03-10 06:34:06 UTC
*** Bug 1067683 has been marked as a duplicate of this bug. ***

Comment 17 Yedidyah Bar David 2014-03-12 14:47:40 UTC
Moving back to assigned as /etc/pki/libvirt might not exist.

Comment 19 errata-xmlrpc 2014-06-09 14:47:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0505.html


Note You need to log in before you can comment on or make changes to this bug.