Bug 1596712 - corosync-qdevice does not cope with new versions of nss
Summary: corosync-qdevice does not cope with new versions of nss
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: corosync-qdevice
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Jan Friesse
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1596721
Reported: 2018-06-29 14:14 UTC by Tomas Jelinek
Modified: 2018-08-09 14:48 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-08-09 14:48:56 UTC
Type: Bug
Embargoed:



Description Tomas Jelinek 2018-06-29 14:14:07 UTC
Description of problem:
The certutil tool shipped in the Fedora 29 package nss-tools creates a certificate database in different files than before. Qnetd does not expect that, which results in qnetd not being able to start after creating its certificate database. There may be other issues as well in both corosync-qnetd and corosync-qdevice, as "cert8.db" is hard-coded in corosync-qnetd-certutil.

Version-Release number of selected component (if applicable):
[root@fed28-node3:~]# rpm -q corosync-qnetd
corosync-qnetd-2.91.0-1.fc29.x86_64
[root@fed28-node3:~]# rpm -q corosync-qdevice
corosync-qdevice-2.91.0-1.fc29.x86_64
[root@fed28-node3:~]# rpm -q nss-tools
nss-tools-3.37.3-3.fc29.x86_64


How reproducible:
always, easily


Actual results:
> Creating new certificate database reports several errors:
[root@fed28-node3:~]# corosync-qnetd-certutil -i
Creating /etc/corosync/qnetd/nssdb
Creating new key and cert db
password file contains no data
stat: cannot read file system information for '%u:%g': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/key3.db': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/cert8.db': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/secmod.db': No such file or directory
Creating new noise file /etc/corosync/qnetd/nssdb/noise.txt
Creating new CA


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?


Generating key.  This may take a few moments...

Notice: Trust flag u is set automatically if the private key is present.
QNetd CA certificate is exported as /etc/corosync/qnetd/nssdb/qnetd-cacert.crt

> When running the command again it does not detect the database has been already created:
[root@fed28-node3:~]# corosync-qnetd-certutil -i
Creating new key and cert db
password file contains no data
Invalid password.
certutil: Could not set password for the slot: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
stat: cannot read file system information for '%u:%g': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/key3.db': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/cert8.db': No such file or directory
chmod: cannot access '/etc/corosync/qnetd/nssdb/secmod.db': No such file or directory
Using existing noise file /etc/corosync/qnetd/nssdb/noise.txt
Creating new CA


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?


Generating key.  This may take a few moments...

Notice: Trust flag u is set automatically if the private key is present.
QNetd CA certificate is exported as /etc/corosync/qnetd/nssdb/qnetd-cacert.crt

> List of created files:
[root@fed28-node3:~]# ls -1 /etc/corosync/qnetd/nssdb/
cert9.db
key4.db
noise.txt
pkcs11.txt
pwdfile.txt
qnetd-cacert.crt
serial.txt

> qnetd cannot be started:
[root@fed28-node3:~]# systemctl start corosync-qnetd.service
Job for corosync-qnetd.service failed because the control process exited with error code.
See "systemctl status corosync-qnetd.service" and "journalctl -xe" for details.
[root@fed28-node3:~]# systemctl status corosync-qnetd.service
● corosync-qnetd.service - Corosync Qdevice Network daemon
   Loaded: loaded (/usr/lib/systemd/system/corosync-qnetd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-06-29 16:02:56 CEST; 2s ago
     Docs: man:corosync-qnetd
  Process: 28964 ExecStart=/usr/bin/corosync-qnetd -f $COROSYNC_QNETD_OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 28964 (code=exited, status=1/FAILURE)

Jun 29 16:02:56 fed28-node3 systemd[1]: Starting Corosync Qdevice Network daemon...
Jun 29 16:02:56 fed28-node3 corosync-qnetd[28964]: Jun 29 16:02:56 crit    NSS error (-8174): security library: bad database.
Jun 29 16:02:56 fed28-node3 systemd[1]: corosync-qnetd.service: Main process exited, code=exited, status=1/FAILURE
Jun 29 16:02:56 fed28-node3 systemd[1]: corosync-qnetd.service: Failed with result 'exit-code'.
Jun 29 16:02:56 fed28-node3 systemd[1]: Failed to start Corosync Qdevice Network daemon.


Expected results:
corosync-qnetd-certutil should be able to create a certificate database which qnetd can start with.


Additional info:
It works fine with Fedora 27:
[root@fed27-node3:~]# rpm -q corosync-qnetd
corosync-qnetd-2.4.4-1.fc27.x86_64
[root@fed27-node3:~]# rpm -q corosync-qdevice
corosync-qdevice-2.4.4-1.fc27.x86_64
[root@fed27-node3:~]# rpm -q nss-tools
nss-tools-3.36.1-1.0.fc27.x86_64

> No errors when creating new certificate database:
[root@fed27-node3:~]# corosync-qnetd-certutil -i
Creating /etc/corosync/qnetd/nssdb
Creating new key and cert db
password file contains no data
Creating new noise file /etc/corosync/qnetd/nssdb/noise.txt
Creating new CA


Generating key.  This may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?


Generating key.  This may take a few moments...

Notice: Trust flag u is set automatically if the private key is present.
QNetd CA certificate is exported as /etc/corosync/qnetd/nssdb/qnetd-cacert.crt

> Check for an existing database works:
[root@fed27-node3:~]# corosync-qnetd-certutil -i
Certificate database (/etc/corosync/qnetd/nssdb) already exists. Delete it to initialize new db

> These are the files created:
[root@fed27-node3:~]# ls -1 /etc/corosync/qnetd/nssdb/
cert8.db
key3.db
noise.txt
pwdfile.txt
qnetd-cacert.crt
secmod.db
serial.txt

> qnetd starts with no issues:
[root@fed27-node3:~]# systemctl start corosync-qnetd.service
[root@fed27-node3:~]# systemctl status corosync-qnetd.service
● corosync-qnetd.service - Corosync Qdevice Network daemon
   Loaded: loaded (/usr/lib/systemd/system/corosync-qnetd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-06-29 15:57:49 CEST; 4s ago
     Docs: man:corosync-qnetd
 Main PID: 709 (corosync-qnetd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/corosync-qnetd.service
           └─709 /usr/bin/corosync-qnetd -f

Jun 29 15:57:49 fed27-node3 systemd[1]: Started Corosync Qdevice Network daemon.
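The report above shows the mechanism behind the failure: corosync-qnetd-certutil hard-codes the legacy dbm file names (cert8.db, key3.db, secmod.db), while the certutil in nss-tools 3.37 creates the sql-format files (cert9.db, key4.db, pkcs11.txt). That is why the "already exists" check never fires, the chmod step prints "cannot access" for files that were never created, and the daemon then fails with "bad database". As an added example (not corosync-qnetd-certutil's own code, and not the upstream fix), the POSIX shell functions below detect whichever format is present and restrict permissions only on the files that actually exist. The function names and the 0600 default are my choices; the two file-name sets are the standard names certutil uses for the dbm and sql formats.

```shell
#!/bin/sh
# Added example: detect the NSS database format of a directory instead of
# hard-coding the legacy cert8.db name.
#
# Legacy "dbm" format files : cert8.db key3.db secmod.db
# Newer "sql" (sqlite) files: cert9.db key4.db pkcs11.txt
#
# Assumptions: the directory path contains no whitespace (true for
# /etc/corosync/qnetd/nssdb) and the standard certutil file names above.

# Print "dbm", "sql" or "none" for the directory given as $1.
# Returns 0 when a database was found, 1 otherwise.
nssdb_format() {
    dir=$1
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql
        return 0
    fi
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm
        return 0
    fi
    echo none
    return 1
}

# Print the database files that exist for the detected format, one per
# line, so callers chmod/chown exactly those files and nothing else.
# Returns 1 when no database is present.
nssdb_files() {
    dir=$1
    fmt=$(nssdb_format "$dir") || :
    case "$fmt" in
        sql) set -- cert9.db key4.db pkcs11.txt ;;
        dbm) set -- cert8.db key3.db secmod.db ;;
        *)   return 1 ;;
    esac
    for f in "$@"; do
        [ -e "$dir/$f" ] && echo "$dir/$f"
    done
    return 0
}

# Restrict the key/cert files to the owner (mode 0600 unless $2 is given),
# whichever format is present.  Fails loudly when no database exists
# rather than emitting "chmod: cannot access" for names never created.
nssdb_restrict() {
    dir=$1
    mode=${2:-0600}
    files=$(nssdb_files "$dir") || {
        echo "no NSS database found in $dir" >&2
        return 1
    }
    for f in $files; do
        chmod "$mode" "$f" || return 1
    done
    return 0
}

# Usage from a script: nssdb_format /etc/corosync/qnetd/nssdb
#                      nssdb_restrict /etc/corosync/qnetd/nssdb 0600
```

A check like this removes the dependency on which format the installed certutil happens to default to. The other half of a robust fix is to stop relying on the default at all: certutil accepts an explicit `sql:` or `dbm:` prefix on its `-d` directory argument (a standard certutil option, not something the report uses), and the creating tool and the daemon that later opens the database must agree on the format, otherwise the result is exactly the "NSS error (-8174): security library: bad database" seen in the journal above.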

Comment 1 Jan Friesse 2018-07-02 11:36:08 UTC
Thank you for the report, it's something we have to solve sooner than later.

Comment 2 Jan Friesse 2018-08-09 14:48:56 UTC
Solved by corosync-qdevice-2.92.0 (corosync-qdevice-2.92.0-1.fc29 and corosync-qdevice-2.92.0-1.fc28).

Thank you for the report.

