Description of problem: Adding clean host fails, /etc/libvirt/passwd.db is missing thus authentication via socket (auth_unix_rw="sasl") fails. /var/log/libvirt/libvirtd.log ... 2014-07-01 11:43:51.285+0000: 32312: error : remoteDispatchAuthSaslStep:2752 : authentication failed: authentication failed 2014-07-01 11:43:51.285+0000: 32279: error : virNetSocketReadWire:1194 : End of file while reading data: Input/output error 2014-07-01 11:43:51.492+0000: 32311: error : virNetSASLSessionServerStep:614 : authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: no secret in database) 2014-07-01 11:43:51.492+0000: 32311: error : remoteDispatchAuthSaslStep:2752 : authentication failed: authentication failed 2014-07-01 11:43:51.492+0000: 32279: error : virNetSocketReadWire:1194 : End of file while reading data: Input/output error ... # ls -l /etc/libvirt/ total 88 -rw-r--r--. 1 root root 518 May 29 11:21 libvirt.conf -rw-r--r--. 1 root root 13501 Jul 1 13:25 libvirtd.conf -rw-r--r--. 1 root root 12963 Jul 1 11:44 libvirtd.conf.rpmsave -rw-r--r--. 1 root root 1176 May 29 11:21 lxc.conf drwx------. 2 root root 4096 Jul 1 13:24 nwfilter drwx------. 3 root root 4096 May 29 11:21 qemu -rw-r--r--. 1 root root 14929 Jul 1 13:25 qemu.conf -rw-r--r--. 1 root root 14606 Jul 1 11:44 qemu.conf.rpmsave -rw-r--r--. 1 root root 2351 Jul 1 13:25 qemu-sanlock.conf -rw-r--r--. 1 root root 2206 Jul 1 11:44 qemu-sanlock.conf.rpmsave host-deploy*.log ... 2014-07-01 13:24:43 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:88 Yum Script sink: Checking configuration status... Running configure... Reconfiguration of sanlock is done. Done configuring modules to VDSM. Traceback (most recent call last): File "/usr/bin/vdsm-tool", line 154, in main return tool_command[cmd]["command"](*args) File "/usr/lib64/python2.6/site-packages/vdsm/tool/passwd.py", line 50, in set_saslpasswd stderr=subprocess.PIPE, close_fds=True) File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__ errread, errwrite) File "/usr/lib64/python2.6/subprocess.py", line 1234, in _execute_child raise child_exception OSError: [Errno 2] No such file or directory ... Version-Release number of selected component (if applicable): libvirt-0.10.2-29.el6_5.9.x86_64 vdsm-python-4.16.0-3.git601f786.el6.x86_64 vdsm-python-zombiereaper-4.16.0-3.git601f786.el6.noarch vdsm-xmlrpc-4.16.0-3.git601f786.el6.noarch libvirt-lock-sanlock-0.10.2-29.el6_5.9.x86_64 vdsm-yajsonrpc-4.16.0-3.git601f786.el6.noarch vdsm-4.16.0-3.git601f786.el6.x86_64 libvirt-client-0.10.2-29.el6_5.9.x86_64 libvirt-python-0.10.2-29.el6_5.9.x86_64 vdsm-jsonrpc-4.16.0-3.git601f786.el6.noarch vdsm-cli-4.16.0-3.git601f786.el6.noarch How reproducible: 100% Steps to Reproduce: 1. install clean rhel6 with following packages version [root@dell-r210ii-13 yum.repos.d]# cat [orH]* [ovirt-3.5-qa-latest] name=ovirt-engine 3.5.0 QA Latest build baseurl=ftp://ftp.snt.utwente.nl/pub/software/ovirt/ovirt-3.5-pre/rpm/el6/ enabled=1 gpgcheck=0 [rhel65-optional-brq] name=rhel65-optional-brq baseurl=http://download.englab.brq.redhat.com/pub/rhel/released/RHEL-6/6.5/Server/optional/x86_64/os/ enabled=1 gpgcheck=0 [rhel65-optional-bos] name=rhel65-optional-bos baseurl=http://download.eng.bos.redhat.com/pub/released/RHEL-6/6.5/Server/optional/x86_64/os/ enabled=1 gpgcheck=0 skip_if_unavailable=1 [rhel65-brq] name=rhel65-brq baseurl=http://download.englab.brq.redhat.com/pub/rhel/released/RHEL-6/6.5/Server/x86_64/os/ enabled=1 gpgcheck=0 2. add host into ovirt-3.5-pre setup 3. Actual results: fails Expected results: should work Additional info:
Created attachment 913732 [details] sosreport-LogCollector-20140701135906.7z
Created attachment 913734 [details] /tmp/sosreport-LogCollector-20140701135906.7z.002
workaround: # saslpasswd2 -c -a libvirt vdsm@ovirt Password: Again (for verification): # /etc/init.d/vdsmd restart
Alon - any clue?
(In reply to Oved Ourfali from comment #4) > Alon - any clue? no.... this should be taken care of by vdsm-tool configure.
Root cause: vdsm assumes that saslpasswd2 is /sbin/saslpasswd2 and on some machines (I guess, RHEL6.5 at least) it is /usr/sbin/saslpasswd2
[root@puma11 ~]# cat /usr/lib64/python2.6/site-packages/vdsm/constants.py | grep saslp EXT_SASLPASSWD2 = '/sbin/saslpasswd2' another workaround: create symlink /sbin/saslpasswd2 pointing to /usr/sbin/saslpasswd2 before you try to install vdsm
IMHO it should use PATH from OS and not to hard-code path to commands.
(In reply to Jiri Belka from comment #8) > IMHO it should use PATH from OS and not to hard-code path to commands. I fully agree! but hard to convince people here that sysadmin knows how to set path better than developers.
Then have a file with ovirt/rhevm related PATH and include it :)
Alon, I remember you were in favor of letting the builder set the path to utilities; not that you'd like to see autoconf and all of its full paths dropped. We started using full path due to security-based concern (who knows who set the path for rpm -e), but I must admit that it was never very strong. I wonder what's the specific reason that made /usr/sbin/saslpasswd2 disappear from the build environment (or to be there previously).
I guess it never has been, and got the default: configure.ac:AC_PATH_PROG([SASLPASSWD2_PATH], [saslpasswd2], [/sbin/saslpasswd2]) Better to set default to /usr/sbin as the chance of it to work is higher. And yes, I am against of using full path in scripts, I am unsure what the security benefit is... as I can always add LD_PRELOAD and modify whatever you may try to override. As Jiri wrote, you can always drop the full path and override the system path if required in single script that is sourced by all, this is what we are doing in engine-setup for example... search the utilities in our own designated path (that can be overridden by sysadmin if he likes so).
Probably you should add: BuildRequires: cyrus-sasl-lib or based on your notation (which I do not like): BuildRequires: /usr/sbin/saslpasswd2
Some discussion about full path[1], I can probably find more, as I always mention this... and remove whenever I can, unless a specific utility should be customized. Using full path is bad for example the move of /sbin/ip into /bin/ip was impossible for these that hardcoded/config detected the location. [1] http://gerrit.ovirt.org/#/c/14826/7/vdsm/init/init_mkdirs.sh,cm
*** Bug 1115283 has been marked as a duplicate of this bug. ***
*** Bug 1121561 has been marked as a duplicate of this bug. ***
Will this get backported to 3.4.3? Quite a show stopper if 3.4.3 is shipping a buggy version.
already replied on that question somewhere. no its not, its relevant only since commit http://gerrit.ovirt.org/27298 (merged since 3.5 only) which changes this (lib/vdsm/tool/passwd.py): 2014-04-30 14:29:36 +0300 38) script = [constants.EXT_SASLPASSWD2, '-p', '-a', 'libvirt', instead of hardcoded path. the constant was wrong long time again, but we didn't use it
I updated a node manually with latest VDSM rpm's from 3.5-pre repo and things are working now. Thanks!
ok, no problem found. a clean host was added into ovirt 3.5-pre setup without problem. # grep -RI saslpasswd2 /usr/lib64/python2.6/site-packages/vdsm /usr/lib64/python2.6/site-packages/vdsm/constants.py:EXT_SASLPASSWD2 = '/usr/sbin/saslpasswd2' # grep -lRI saslpasswd2 /usr/lib64/python2.6/site-packages/vdsm | xargs rpm -qf vdsm-python-4.16.1-0.gita4d9abf.el6.x86_64
oVirt 3.5 has been released and should include the fix for this issue.