Bug 1063576 - hosted-engine-setup not configuring libvirt correctly
Summary: hosted-engine-setup not configuring libvirt correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.4.0
Assignee: Yedidyah Bar David
QA Contact: Jiri Belka
URL:
Whiteboard: integration
Depends On: 1034634
Blocks: rhev3.4beta 1142926
TreeView+ depends on / blocked
 
Reported: 2014-02-11 04:15 UTC by thunt
Modified: 2014-09-18 12:24 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, certificate authority certificates were not generated for libvirt. This resulted in a failure to connect to the engine virtual machine using virsh or SPICE during the hosted-engine deployment. Now, the necessary certificates are generated before libvirt is configured for VDSM and users can connect to the engine virtual machine using virsh or SPICE.
Clone Of:
Environment:
Last Closed: 2014-06-09 14:47:52 UTC
oVirt Team: ---
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:0505 normal SHIPPED_LIVE ovirt-hosted-engine-setup bug fix and enhancement update 2014-06-09 18:45:23 UTC

Description thunt 2014-02-11 04:15:48 UTC
Description of problem:
Spiceients can't connect to hypervisor after hosted-engine install

Version-Release number of selected component (if applicable):
3.3.0 (updated as of 10-feb-2014)

How reproducible:
Very

Steps to Reproduce:
1. Install hosted-engine
2. Create VM in RHEV-M using SPICE display
3. Start VM

Actual results:
VM fails to start with libvirt error

Expected results:
VM should start.

Additional info:

The following is a diff between the libvirt configuration after hosted-engine install, and a working libvirt configuration.
< - Working config
> - Config after hosted-engine install
[root@hypervisor3 ~]# diff -rw /tmp/libvirt/ /etc/libvirt/
Only in /etc/libvirt/: libvirt.conf
diff -rw /tmp/libvirt/libvirtd.conf /etc/libvirt/libvirtd.conf
405,411c405,407
< #auth_tcp="none"
< #listen_tcp=1
< #listen_tls=0
< ca_file="/etc/pki/vdsm/certs/cacert.pem"
< cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
< key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
< 
---
> auth_tcp="none"
> listen_tcp=1
> listen_tls=0
diff -rw /tmp/libvirt/qemu.conf /etc/libvirt/qemu.conf
408d407
< spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"

Comment 1 Sandro Bonazzola 2014-02-11 08:58:03 UTC
Thanks for reporting, it's a known issue, closing as duplicate of bug #1034634

*** This bug has been marked as a duplicate of bug 1034634 ***

Comment 2 thunt 2014-02-13 02:35:22 UTC
The behavior I was seeing does not seem to match BZ #1034634, and if they are the same bug, the priority of that should be very high.

In this case the certs are actually being generated and the RHEV-M install completes.

However, RHEV is useless as no VM's can be started until the config files are manually edited to resolve the problems, and if a second hypervisor is added it will go into an error state.

Comment 3 Sandro Bonazzola 2014-02-13 07:50:50 UTC
(In reply to thunt from comment #2)
> The behavior I was seeing does not seem to match BZ #1034634, and if they
> are the same bug, the priority of that should be very high.
> 
> In this case the certs are actually being generated and the RHEV-M install
> completes.

I'll try to reproduce, thanks for the additional info.

Comment 4 Sandro Bonazzola 2014-03-06 15:29:22 UTC
I think that last changes introduced by didi should have fixed this too.
didi, can you confirm?

Comment 5 Yedidyah Bar David 2014-03-09 09:37:30 UTC
(In reply to Sandro Bonazzola from comment #4)
> I think that last changes introduced by didi should have fixed this too.
> didi, can you confirm?

I think so too, but these changes are the fix for BZ #1034634 , and comment #2 implies it's a different issue:

(In reply to thunt from comment #2)
> The behavior I was seeing does not seem to match BZ #1034634, and if they
> are the same bug, the priority of that should be very high.
> 
> In this case the certs are actually being generated and the RHEV-M install
> completes.

Which certs? [1] causes generation/copying of certs (and keys) which I do not think are possible without it. Note that this is unrelated to RHEV-M install/setup.

So I currently think it actually is a duplicate of bug #1034634 .

[1] http://gerrit.ovirt.org/25142

Comment 6 thunt 2014-03-10 14:54:42 UTC
Unfortunately, I no longer have access to an environment to test this as the problem occurred on a now-finished consulting engagement.

What I do remember is that I never had to create or copy certs, so I have to assume that they were created/copied correctly and the issue was with the config files.

Note that I didn't any issues until I actually tried to create a VM with Spice in RHEV-M, so you can close out this bug if:-
- On hosted_engine_1, you can do a hosted-engine install on a clean RHEL6 configuration, and then start a VM and attach to the console.
- On hosted_engine_2, you can do a hosted-engine install for instance 2, and then successfully migrate a VM with Spice to it.

Comment 7 Yedidyah Bar David 2014-03-10 15:48:31 UTC
(In reply to thunt from comment #6)
> Unfortunately, I no longer have access to an environment to test this as the
> problem occurred on a now-finished consulting engagement.

Very well. I still think it's a duplicate of bug #1034634, but will let QA verify that anyway.

> 
> What I do remember is that I never had to create or copy certs, so I have to
> assume that they were created/copied correctly and the issue was with the
> config files.

If you refer to the configuration files detailed in the description, then the process is as follows:

If vdsm-tool is asked to configure libvirt before generating key/cert for it, it will not configure it to use ssl. Otherwise it will. Part of the fix for bug #1034634 was to reverse the order of doing these two actions.

> 
> Note that I didn't any issues until I actually tried to create a VM with
> Spice in RHEV-M, so you can close out this bug if:-
> - On hosted_engine_1, you can do a hosted-engine install on a clean RHEL6
> configuration, and then start a VM and attach to the console.

Not sure if you refer here to the engine's VM, created during deploy, or a "normal" VM created after hosted-engine deploy is finished. I verified the former.

> - On hosted_engine_2, you can do a hosted-engine install for instance 2, and
> then successfully migrate a VM with Spice to it.

I did not verify that one.

Moving to Modified for now and settings 'Depends on: 1034634' - I hope that's enough.

Comment 8 Jiri Belka 2014-04-16 13:05:05 UTC
ok, vdsm-4.14.6-0.1.beta3.el6ev.x86_64 / ovirt-hosted-engine-setup-1.1.2-2.el6ev.noarch

spice works for vm managed by hosted engine.

Comment 10 errata-xmlrpc 2014-06-09 14:47:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0505.html


Note You need to log in before you can comment on or make changes to this bug.