Created attachment 829279 [details] logs Description of problem: On clean install of hosted engine after confirmation that engine is installed in VM. [ ERROR ] Cannot automatically add the host to the Default cluster: Cannot add Host. SSH authentication failed, verify authentication parameters are correct (Username/Password, public-key etc.) You may refer to the engine.log file for further details. Version-Release number of selected component (if applicable): Red Hat Enterprise Virtualization Manager Version: 3.3.0-0.36.beta1.el6ev How reproducible: 100% Steps to Reproduce: 1. install hosted engine on fresh host (http://www.ovirt.org/Hosted_Engine_Howto#Fresh_Install) Actual results: [ ERROR ] Cannot automatically add the host to the Default cluster: Cannot add Host. SSH authentication failed, verify authentication parameters are correct (Username/Password, public-key etc.) You may refer to the engine.log file for further details. Expected results: working install Additional info: 2013-11-26 14:49:46 DEBUG otopi.plugins.ovirt_hosted_engine_setup.engine.add_host add_host._closeup:371 Cannot add the host to the Default cluster Traceback (most recent call last): File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/ovirt-hosted-engine-setup/engine/add_host.py", line 365, in _closeup override_iptables=True, File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/brokers.py", line 7752, in add headers={"Expect":expect, "Correlation-Id":correlation_id} File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 82, in add return self.request('POST', url, body, headers) File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 112, in request persistent_auth=self._persistent_auth) File "/usr/lib/python2.6/site-packages/ovirtsdk/infrastructure/proxy.py", line 134, in __doRequest persistent_auth=persistent_auth File "/usr/lib/python2.6/site-packages/ovirtsdk/web/connection.py", line 133, in doRequest raise RequestError, response RequestError: ^M status: 409^M reason: Conflict^M detail: Cannot add Host. SSH authentication failed, verify authentication parameters are correct (Username/Password, public-key etc.) You may refer to the engine.log file for further details. 2013-11-26 14:49:46 ERROR otopi.plugins.ovirt_hosted_engine_setup.engine.add_host add_host._closeup:378 Cannot automatically add the host to the Default cluster:
This seems to be a change in rhel 6.5 behavior. The reason is that sshd is unable to access the root authorized_keys which so far had 0600 permissions. It is missing a read permission for others to make it work: [26/11/2013 15:02:26] <doron> Before" [26/11/2013 15:02:29] <doron> -rw-------. 1 root root 409 Nov 26 14:59 /root/.ssh/authorized_keys [26/11/2013 15:02:31] <doron> After: [26/11/2013 15:02:37] <doron> -rw-r--r--. 1 root root 409 Nov 26 14:59 /root/.ssh/authorized_keys [26/11/2013 15:02:42] <doron> now: [26/11/2013 15:02:59] <doron> root@hosted-doron ~]# ssh -i /etc/pki/ovirt-engine/keys/engine_id_rsa root.com [26/11/2013 15:02:59] <doron> Last login: Tue Nov 26 15:00:40 2013 from hosted-doron.redhat.com [26/11/2013 15:02:59] <doron> [root@sla-xxx ~]
type=AVC msg=audit(1385478716.042:4900): avc: denied { read } for pid=32586 comm="sshd" name="authorized_keys" dev=dm-0 ino=3801109 scontext=unconfined_u:sy stem_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
# restorecon -RFv /root restorecon reset /root/.rnd context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:admin_home_t:s0 restorecon reset /root/.lesshst context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:admin_home_t:s0 restorecon reset /root/.Xauthority context unconfined_u:object_r:xauth_home_t:s0->system_u:object_r:xauth_home_t:s0 restorecon reset /root/.bash_history context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:admin_home_t:s0 restorecon reset /root/answerfile context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:admin_home_t:s0 restorecon reset /root/.ssh context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0 restorecon reset /root/.ssh/authorized_keys context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0 restorecon reset /root/.recently-used.xbel context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:admin_home_t:s0 and it works now.
(In reply to Jiri Belka from comment #3) > # restorecon -RFv /root [cut] > restorecon reset /root/.ssh context > unconfined_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0 > restorecon reset /root/.ssh/authorized_keys context > unconfined_u:object_r:admin_home_t:s0->system_u:object_r:ssh_home_t:s0 thanks! so it's a selinux issue not an access mode issue. We'll need to check also AIO plugin for ensuring it's not affected too.
Patches merged on upstream master and 1.0 branches.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-0083.html