Bug 1560598
| Summary: | virt-who-0.19-8.el7_4 fails to validate server certificate when running on RHV Host 4.1 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Pablo Hess <phess> |
| Component: | virt-who | Assignee: | Kevin Howell <khowell> |
| Status: | CLOSED ERRATA | QA Contact: | Eko <hsun> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.4 | CC: | frank.toth, khowell, ktordeur, ltsai, paolo.airaldi, wpinheir, wpoteat, yanpliu, yuefliu |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-30 10:47:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Additional info on virt-who confs. The issue was seen with virt-who confs *not* pointing to a host:

===[/etc/virt-who.d/rhvh.example.com.conf]===
[rhvh.example.com]
type=vdsm
hypervisor_id=hostname
===[end]===

Idea: Maybe the lack of a "server=rhvh.example.com" directive in there causes virt-who to automatically use its own IP address instead of hostname when communicating with its local vdsm?

Hi,
It's the new jsonrpc connectivity function which is causing the issue. It uses socket.getaddrinfo, from the STOMP lib, which returns the IP and port of the host.
The /usr/lib/python2.7/site-packages/virtwho/virt/vdsm/stomp.py has its connect function, which calls socket.getaddrinfo and passes the IP and port to socket.connect, which will use the IP for the connectivity instead of the host name. socket.connect resolves hostnames with both IPv4 and IPv6 addresses anyway.
This small change in stomp.py simply replaces the IP address with the original hostname if the IP resolves to the same host name:
175a176,177
> if self.host == socket.gethostbyaddr(addr[0])[0]:
> addr = (self.host, addr[1])
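Review bot: socket.gethostbyaddr(addr[0]) on the first added line is unguarded, and it raises socket.herror when the address has no PTR record, so connect() would fail on a DNS error before any certificate check happens. The comparison also makes the name used for certificate verification depend on reverse DNS, and only the primary name (index [0]) is compared, so an alias or a differently cased PTR answer leaves addr as the IP. Since self.host is already the name the caller asked for, consider setting addr = (self.host, addr[1]) without the lookup, or at least wrapping the lookup in try/except socket.herror.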
It won't break the code if the original call was with an IP, but it won't work without a PTR record.
# rpm -qa virt-who
virt-who-0.19-8.el7_4.noarch
# cat /etc/virt-who.d/test.conf
[test]
type=vdsm
hypervisor_id=hostname
# virt-who -o
2018-04-13 12:49:19,034 INFO: Using configuration "test" ("vdsm" mode)
2018-04-13 12:49:19,034 INFO: Using reporter_id='test.example.com-b47d244a49764f43a32ce8191fa2ce1c'
2018-04-13 12:49:19,182 INFO: Report for config "test" gathered, placing in datastore
2018-04-13 12:49:20,134 INFO: Sending update in guests lists for config "test": 11 guests found
Regards,
Frank
Actually this change in stomp.py is better just to be 100% sure to avoid issues when the original host was an IP address:
175a176,177
> if self.host == socket.gethostbyaddr(addr[0])[0] and self.host != addr[0]:
> addr = (self.host, addr[1])
> Actually this change in stomp.py is better just to be 100% sure to avoid issues when the original host was an IP address
Thanks for digging into this Frank! Actually, I don't think we need to check whether or not the resolved IP matches the hostname or not, since internally M2Crypto is already doing this. We can simply always pass the hostname into self.socket.connect when using M2Crypto. I'll open a PR for this upstream shortly.
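The failure discussed in this thread, as an added example that is not part of the bug report or of virt-who's code: a certificate issued for a hostname is checked once against the resolved IP and once against the configured hostname. It uses the standard-library ssl module rather than M2Crypto, the function names and the sample certificate are constructed for illustration, and name matching is exact (no wildcards).

```python
import ipaddress
import socket
import ssl

# Constructed sample, in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "rhvh.example.com"),),),
    "subjectAltName": (("DNS", "rhvh.example.com"),),
}

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def cert_matches(cert, expected):
    """True if the certificate names `expected` (DNS name or IP literal)."""
    sans = cert.get("subjectAltName", ())
    if is_ip(expected):
        # An IP literal can only match an IP SAN, never a DNS name or the CN.
        want = ipaddress.ip_address(expected)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == want
                   for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:  # legacy fallback to commonName when no DNS SAN is present
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    # Exact, case-insensitive comparison; wildcard handling is left out.
    return any(expected.lower() == n.lower() for n in names)

def compare_checks(cert, configured_host, resolved_ip):
    """(result when checking the resolved IP, result when checking the configured host)."""
    return cert_matches(cert, resolved_ip), cert_matches(cert, configured_host)

def connect_verified(host, port, cafile=None):
    """Let the OS resolve `host`, but verify the certificate against `host` itself."""
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname is on by default
    sock = socket.create_connection((host, port), timeout=10)
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```

`compare_checks(SAMPLE_CERT, "rhvh.example.com", "10.1.2.3")` reproduces the mismatch from the report offline; `connect_verified` needs a reachable TLS endpoint and a CA file that signs its certificate.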
I just upgraded a hypervisor to the latest image and the issue is solved. The image has virt-who-0.21.5-1.el7.noarch so it has been fixed at some point.

Having the same error on virt-who-0.21.7-1.el7_5.noarch
# cat virt-who-config-1.conf
[b06.lab.ltsai.com]
server=b06.lab.ltsai.com
type=vdsm
hypervisor_id=hostname
WrongHost: Peer certificate commonName does not match host, expected 192.168.0.210, got b06.lab.ltsai.com

virt-who-0.22.2-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e4647711f8

virt-who-0.22.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5b67a9c2f

virt-who-0.22.2-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e4647711f8

virt-who-0.22.2-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5b67a9c2f

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3169
Description of problem:
RHV 4.1 node running virt-who locally and reporting to Satellite 6.2. virt-who-0.19-7 works as expected, retrieves host-to-guest mapping and sends it over to Satellite. virt-who-0.19-8, however, cannot retrieve host-to-guest mapping and instead throws:
WrongHost: Peer certificate commonName does not match host, expected 10.1.2.3, got rhvh.example.com

Version-Release number of selected component (if applicable):
RHV Host 4.1
virt-who-0.19-8.el7_4

How reproducible:
Every time

Steps to Reproduce:
1. Deploy virt-who to RHV 4.1 host
2. Run the virt-who service or call 'virt-who -o -d'
3.

Actual results:
(from virt-who output)
2018-03-21 19:26:06,941 [INFO] @main.py:183 - Using configuration "rhvh.example.com" ("vdsm" mode)
2018-03-21 19:26:06,942 [INFO] @main.py:185 - Using reporter_id='rhvh.example.com-a75789f82a744e2e9060a5da1e3850b9'
2018-03-21 19:26:07,033 [ERROR] @virt.py:389 - Thread 'rhvh.example.com' fails with exception: WrongHost: Peer certificate commonName does not match host, expected 10.1.2.3, got rhvh.example.com
2018-03-21 19:26:07,034 [INFO] @virt.py:885 - Report for config "rhvh.example.com" gathered, placing in datastore
2018-03-21 19:26:07,034 [INFO] @virt.py:408 - Waiting 3600 seconds before performing action again 'rhvh.example.com'
2018-03-21 20:26:12,404 [ERROR] @virt.py:389 - Thread 'rhvh.example.com' fails with exception: WrongHost: Peer certificate commonName does not match host, expected 10.1.2.3, got rhvh.example.com
2018-03-21 20:26:12,404 [INFO] @virt.py:885 - Report for config "rhvh.example.com" gathered, placing in datastore
2018-03-21 20:26:12,406 [INFO] @virt.py:408 - Waiting 3600 seconds before performing action again 'rhvh.example.com'

Expected results:
virt-who works and collects guest-to-host mapping info and sends it to Satellite.
Additional info: virt-who-0.19-7.el7_4 works fine with the exact same virt-who config files, so the workaround for the customer was to simply 'yum downgrade virt-who-0.19-7.el7_4' and stick to that version.