Bug 1474444 - libvirtError: error from service: CheckAuthorization: Did not receive a reply.
Summary: libvirtError: error from service: CheckAuthorization: Did not receive a reply.
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Linux
Target Milestone: beta
: 12.0 (Pike)
Assignee: Ollie Walsh
QA Contact: Archit Modi
Depends On:
TreeView+ depends on / blocked
Reported: 2017-07-24 15:42 UTC by Waldemar Znoinski
Modified: 2019-09-09 13:52 UTC (History)
18 users (show)

Fixed In Version: puppet-tripleo-7.2.1-0.20170807233007.4600842.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-13 21:43:17 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
OpenStack gerrit 479816 0 None MERGED Use normal socket file permissions instead of polkit 2020-11-24 17:30:28 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Description Waldemar Znoinski 2017-07-24 15:42:09 UTC
Description of problem:
When restarting a openstack-nova-compute service on a OSP12 overcloud compute node the service does not come back up.

Version-Release number of selected component (if applicable):
openstack-nova-api.noarch             1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-common.noarch          1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-compute.noarch         1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-conductor.noarch       1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-console.noarch         1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-migration.noarch       1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-novncproxy.noarch      1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-placement-api.noarch   1:16.0.0-0.20170715065420.be20530.el7ost
openstack-nova-scheduler.noarch       1:16.0.0-0.20170715065420.be20530.el7ost

How reproducible:

Steps to Reproduce:
1. run on compute node:
systemctl restart openstack-nova-compute


Actual results:
systemctl status openstack-nova-compute
returns status: "Active: activating "

Expected results:
status: active (running)

Additional info:

[root@compute-1 nova]# systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-07-23 00:46:49 UTC; 1 day 14h ago
     Docs: man:libvirtd(8)
 Main PID: 19015 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           └─19015 /usr/sbin/libvirtd

Jul 24 15:36:53 compute-1.redhat.local libvirtd[19015]: 2017-07-24 15:36:53.303+0000: 19022: error : virDBusCall:1570 : error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application di...
Jul 24 15:36:53 compute-1.redhat.local libvirtd[19015]: 2017-07-24 15:36:53.307+0000: 19015: error : virNetSocketReadWire:1808 : End of file while reading data: Input/output error

audit.log doesn't show any information regarding libvirt(d) allowed nor denied

Comment 4 Ollie Walsh 2017-07-31 11:42:25 UTC
I've reproduced this:

[root@overcloud-novacompute-1 heat-admin]# sudo -u nova virsh -c qemu:///system
error: failed to connect to the hypervisor
error: error from service: CheckAuthorization: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

It seems that the change in https://review.rdoproject.org/r/7580 breaks polkit auth in libvirt until the service is restarted:

[root@overcloud-novacompute-1 heat-admin]# systemctl restart libvirtd
[root@overcloud-novacompute-1 heat-admin]# sudo -u nova virsh -c qemu:///system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # 

This will no longer be an issue when https://review.openstack.org/479816 merges, as polkit auth will no longer be used.

Comment 6 Ollie Walsh 2017-08-03 10:35:18 UTC
https://review.openstack.org/479816 merged upstream

Comment 12 errata-xmlrpc 2017-12-13 21:43:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.