Bug 1474444 - libvirtError: error from service: CheckAuthorization: Did not receive a reply.
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 12.0 (Pike)
Hardware: Unspecified, OS: Linux
Priority: high, Severity: high
Target Milestone: beta
Target Release: 12.0 (Pike)
Assigned To: Ollie Walsh
QA Contact: Archit Modi
Keywords: AutomationBlocker, TestBlocker, Triaged
Reported: 2017-07-24 11:42 EDT by Waldemar Znoinski
Modified: 2018-02-05 14:10 EST
Fixed In Version: puppet-tripleo-7.2.1-0.20170807233007.4600842.el7ost
Last Closed: 2017-12-13 16:43:17 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 479816 None None None 2017-07-31 07:42 EDT

Description Waldemar Znoinski 2017-07-24 11:42:09 EDT
Description of problem:
When restarting an openstack-nova-compute service on an OSP12 overcloud compute node, the service does not come back up.


Version-Release number of selected component (if applicable):
openstack-nova-api.noarch             1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-common.noarch          1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-compute.noarch         1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-conductor.noarch       1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-console.noarch         1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-migration.noarch       1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-novncproxy.noarch      1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-placement-api.noarch   1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-scheduler.noarch       1:16.0.0-0.20170715065420.be20530.el7ost



How reproducible:
always

Steps to Reproduce:
1. run on compute node:
systemctl restart openstack-nova-compute


Actual results:
systemctl status openstack-nova-compute
returns status: "Active: activating "




Expected results:
status: active (running)


Additional info:

[root@compute-1 nova]# systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-07-23 00:46:49 UTC; 1 day 14h ago
     Docs: man:libvirtd(8)
           http://libvirt.org
 Main PID: 19015 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           └─19015 /usr/sbin/libvirtd

Jul 24 15:36:53 compute-1.redhat.local libvirtd[19015]: 2017-07-24 15:36:53.303+0000: 19022: error : virDBusCall:1570 : error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application di...
Jul 24 15:36:53 compute-1.redhat.local libvirtd[19015]: 2017-07-24 15:36:53.307+0000: 19015: error : virNetSocketReadWire:1808 : End of file while reading data: Input/output error


audit.log doesn't show any information regarding libvirt(d), either allowed or denied.
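
An added triage example for the libvirtd journal lines in this report (not part of the original report and not libvirt's own code): it parses the log-line layout as it appears above, separates a polkit CheckAuthorization call that got no D-Bus reply from other errors, and checks whether a client socket EOF followed shortly after. The function names, the one-second correlation window and the third sample line are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two journal lines from the report (the first truncated
# exactly as the journal printed it) plus one constructed, unrelated EOF line.
SAMPLE = """\
Jul 24 15:36:53 compute-1.redhat.local libvirtd[19015]: 2017-07-24 15:36:53.303+0000: 19022: error : virDBusCall:1570 : error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application di...
Jul 24 15:36:53 compute-1.redhat.local libvirtd[19015]: 2017-07-24 15:36:53.307+0000: 19015: error : virNetSocketReadWire:1808 : End of file while reading data: Input/output error
Jul 24 15:40:02 compute-1.redhat.local libvirtd[19015]: 2017-07-24 15:40:02.120+0000: 19015: error : virNetSocketReadWire:1808 : End of file while reading data: Input/output error
"""

# journal prefix, then libvirtd's own "timestamp: thread: level : func:line : message"
LINE = re.compile(
    r"libvirtd\[(?P<pid>\d+)\]: (?P<ts>\S+ \S+): (?P<tid>\d+): (?P<level>\w+) : "
    r"(?P<func>\w+):(?P<lineno>\d+) : (?P<msg>.*)")

def classify(func, msg):
    if "CheckAuthorization" in msg:
        # A missing D-Bus reply is a timeout, not a polkit allow/deny decision.
        return "polkit-no-reply" if "Did not receive a reply" in msg else "polkit-error"
    if func == "virNetSocketReadWire" and "End of file" in msg:
        return "client-eof"
    return "other"

def parse(text):
    events = []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a libvirtd line in the expected layout
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
        events.append({"when": when, "tid": int(m["tid"]), "func": m["func"],
                       "kind": classify(m["func"], m["msg"])})
    return events

def triage(text, window=timedelta(seconds=1)):
    """Report each polkit no-reply and whether a client EOF followed within `window`."""
    events = parse(text)
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "polkit-no-reply":
            continue
        dropped = any(e["kind"] == "client-eof"
                      and timedelta(0) <= e["when"] - ev["when"] <= window
                      for e in events[i + 1:])
        findings.append({"when": ev["when"].isoformat(), "tid": ev["tid"],
                         "client_dropped": dropped})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
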
Comment 4 Ollie Walsh 2017-07-31 07:42:25 EDT
I've reproduced this:

[root@overcloud-novacompute-1 heat-admin]# sudo -u nova virsh -c qemu:///system
error: failed to connect to the hypervisor
error: error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.


It seems that the change in https://review.rdoproject.org/r/7580 breaks polkit auth in libvirt until the service is restarted:

[root@overcloud-novacompute-1 heat-admin]# systemctl restart libvirtd
[root@overcloud-novacompute-1 heat-admin]# sudo -u nova virsh -c qemu:///system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # 


This will no longer be an issue when https://review.openstack.org/479816 merges, as polkit auth will no longer be used.
Comment 6 Ollie Walsh 2017-08-03 06:35:18 EDT
https://review.openstack.org/479816 merged upstream
Comment 12 errata-xmlrpc 2017-12-13 16:43:17 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
