Description of problem:

When we install engine on a fc28 machine and we try to install a websocket proxy on a separate machine, the process fails with a:

    M2Crypto.X509.X509Error: no start line

After a little testing, found that when we try to install websocket proxy we execute the following command on the engine machine:

    /usr/share/ovirt-engine/bin/pki-enroll-request.sh \
        --name=websocket-proxy-vm-17-42.eng.lab.tlv.redhat.com \
        --subject="$(openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -subject | sed 's;subject= \(/C=[^/]*/O=[^/]*\)/.*;\1;')/CN=vm-17-42.eng.lab.tlv.redhat.com"

Apparently the output of

    openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -subject

has changed in fc28, and it is:

    subject=C = US, O = eng.lab.tlv.redhat.com, CN = vm-17-35.eng.lab.tlv.redhat.com.19970

instead of:

    subject= /C=US/O=eng.lab.tlv.redhat.com/CN=didi-centos7.eng.lab.tlv.redhat.com.16482

Therefore the sed parsing doesn't work.

We need to change pki-enroll-request.sh so that if a subject is not provided it takes it from:

    openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -text

which is the same

How reproducible:

Steps to Reproduce:
1. Install engine on fc28 machine with no websocket proxy.
2. Follow https://www.ovirt.org/documentation/install-guide/appe-Installing_the_Websocket_Proxy_on_a_different_host/
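Added example (not part of the bug report and not oVirt's code): a shell sketch that derives the "/C=.../O=..." prefix from either subject layout quoted above and refuses to build a subject when neither matches, instead of passing the unparsed line through as the original sed expression does. The function names and the example.test values are hypothetical, and it assumes the C and O values contain no "/" or ",".

```shell
#!/bin/sh
# Added example, not oVirt code. subject_prefix and build_subject are
# hypothetical helpers; sample subject lines are constructed.

# Reduce one "openssl x509 -noout -subject" line to "/C=<c>/O=<o>".
# Prints nothing when the line matches neither known layout.
subject_prefix() {
    dn=${1#subject=}   # drop the label
    dn=${dn# }         # the older layout has a space after "subject="
    case $dn in
        /*) # older layout: /C=US/O=example/CN=host
            printf '%s\n' "$dn" |
                sed -n 's;^\(/C=[^/]*/O=[^/]*\)/.*$;\1;p'
            ;;
        *)  # newer layout: C = US, O = example, CN = host
            printf '%s\n' "$dn" |
                sed -n 's;^C = \([^,]*\), O = \([^,]*\), .*$;/C=\1/O=\2;p'
            ;;
    esac
}

# Build the subject for a new certificate: CA prefix plus /CN=<host>.
# Fails closed: an unrecognised CA subject line is an error, so a
# malformed --subject never reaches the enrollment script.
build_subject() {
    prefix=$(subject_prefix "$1")
    if [ -z "$prefix" ]; then
        echo "unrecognised subject layout: $1" >&2
        return 1
    fi
    printf '%s/CN=%s\n' "$prefix" "$2"
}

# Constructed sample input, one line per layout.
build_subject 'subject= /C=US/O=example.test/CN=engine.example.test.12345' \
    proxy.example.test
build_subject 'subject=C = US, O = example.test, CN = engine.example.test.12345' \
    proxy.example.test
```

Both calls print /C=US/O=example.test/CN=proxy.example.test. The -n ... p form of sed is what makes a non-matching line produce empty output rather than the unchanged input.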
Re-targeting to 4.3.1 since this BZ has not been proposed as blocker for 4.3.0. If you think this bug should block 4.3.0 please re-target and set blocker flag.
Asaf, can you check if this is still an issue on 4.4 / fc30?
Sure, I'll check it.
I got the following errors when trying to install ovirt-engine on fc30:

Error:
 Problem: conflicting requests
  - nothing provides ovirt-iso-uploader >= 4.1.0 needed by ovirt-engine-4.4.0-0.0.master.20191126091403.gitd7c8019fefd.fc30.noarch
  - nothing provides ovirt-engine-api-explorer needed by ovirt-engine-4.4.0-0.0.master.20191126091403.gitd7c8019fefd.fc30.noarch
  - nothing provides python2-dnf-plugins-extras-versionlock needed by ovirt-engine-4.4.0-0.0.master.20191126091403.gitd7c8019fefd.fc30.noarch
  - nothing provides ovirt-iso-uploader >= 4.1.0 needed by ovirt-engine-4.4.0-0.0.master.20191211094249.gitfe6ccc6fdc6.fc30.noarch
  - nothing provides ovirt-engine-api-explorer needed by ovirt-engine-4.4.0-0.0.master.20191211094249.gitfe6ccc6fdc6.fc30.noarch
  - nothing provides python2-dnf-plugins-extras-versionlock needed by ovirt-engine-4.4.0-0.0.master.20191211094249.gitfe6ccc6fdc6.fc30.noarch
  - nothing provides ovirt-iso-uploader >= 4.1.0 needed by ovirt-engine-4.4.0-0.0.master.20191217230828.git692dadf69fb.fc30.noarch
  - nothing provides ovirt-engine-api-explorer needed by ovirt-engine-4.4.0-0.0.master.20191217230828.git692dadf69fb.fc30.noarch
  - nothing provides python2-dnf-plugins-extras-versionlock needed by ovirt-engine-4.4.0-0.0.master.20191217230828.git692dadf69fb.fc30.noarch
  - nothing provides ovirt-iso-uploader >= 4.1.0 needed by ovirt-engine-4.4.0-0.0.master.20191219095956.gitf56695ee98e.fc30.noarch
  - nothing provides ovirt-engine-api-explorer needed by ovirt-engine-4.4.0-0.0.master.20191219095956.gitf56695ee98e.fc30.noarch
  - nothing provides python2-dnf-plugins-extras-versionlock needed by ovirt-engine-4.4.0-0.0.master.20191219095956.gitf56695ee98e.fc30.noarch
  - nothing provides ovirt-iso-uploader >= 4.1.0 needed by ovirt-engine-4.4.0-0.0.master.20191219143016.git65c2ffb07fe.fc30.noarch
  - nothing provides ovirt-engine-api-explorer needed by ovirt-engine-4.4.0-0.0.master.20191219143016.git65c2ffb07fe.fc30.noarch
  - nothing provides python2-dnf-plugins-extras-versionlock needed by ovirt-engine-4.4.0-0.0.master.20191219143016.git65c2ffb07fe.fc30.noarch
  - nothing provides ovirt-iso-uploader >= 4.1.0 needed by ovirt-engine-4.4.0-0.0.master.20191225102030.git2685a042144.fc30.noarch
  - nothing provides ovirt-engine-api-explorer needed by ovirt-engine-4.4.0-0.0.master.20191225102030.git2685a042144.fc30.noarch
(try to add '--skip-broken' to skip uninstallable packages)

I'm not able to verify it until these errors are resolved.
Checked on CentOS8, WebSocket Proxy deployment fails on:

[ INFO ] Signing the WebSocket Proxy certificate on the engine server
[ ERROR ] Failed to sign WebSocket Proxy certificate on engine server
Trying again...
[ ERROR ] Failed to sign WebSocket Proxy certificate on engine server
Trying again...
[ ERROR ] Failed to sign WebSocket Proxy certificate on engine server
Trying again...
:
[ ERROR ] Failed to sign WebSocket Proxy certificate on engine server
[ ERROR ] Failed to execute stage 'Environment customization': HTTP Error 500: Internal Server Error
[ INFO ] Stage: Clean up

With the same issue as described:

2020-05-10 03:59:58,532-0400 DEBUG otopi.plugins.ovirt_engine_common.base.remote_engine.remote_engine_root_ssh remote_engine_root_ssh.execute_on_engine:187 Executing on remote engine engine8.asrachmani.com:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh \
    --name=websocket-proxy-websoket.asrachmani.com \
    --subject="$(openssl x509 -in /etc/pki/ovirt-engine/ca.pem -noout -subject | sed 's;subject= \(/C=[^/]*/O=[^/]*\)/.*;\1;')/CN=websoket.asrachmani.com"
2020-05-10 03:59:59,545-0400 DEBUG otopi.plugins.ovirt_engine_common.base.remote_engine.remote_engine_root_ssh remote_engine_root_ssh.copy_from_engine:231 Copying data from remote engine engine8.asrachmani.com:/etc/pki/ovirt-engine/certs/websocket-proxy-websoket.asrachmani.com.cer
2020-05-10 03:59:59,577-0400 ERROR otopi.plugins.ovirt_engine_common.base.remote_engine.remote_engine remote_engine._enroll_cert_auto_ssh:263 Error while trying to sign WebSocket Proxy certificate
2020-05-10 03:59:59,578-0400 DEBUG otopi.plugins.ovirt_engine_common.base.remote_engine.remote_engine remote_engine._enroll_cert_auto_ssh:266 Error signing cert
Traceback (most recent call last):
  File "/usr/share/ovirt-engine/setup/ovirt_engine_setup/remote_engine.py", line 243, in _enroll_cert_auto_ssh
    remote_name=self._remote_name,
  File "/usr/share/ovirt-engine/setup/ovirt_engine_setup/remote_engine.py", line 72, in copy_from_engine
    file_name=file_name,
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-common/base/remote_engine/remote_engine_root_ssh.py", line 238, in copy_from_engine
    f = sf.open(file_name, 'r')
  File "/usr/lib/python3.6/site-packages/paramiko/sftp_client.py", line 372, in open
    t, msg = self._request(CMD_OPEN, filename, imode, attrblock)
  File "/usr/lib/python3.6/site-packages/paramiko/sftp_client.py", line 813, in _request
    return self._read_response(num)
  File "/usr/lib/python3.6/site-packages/paramiko/sftp_client.py", line 865, in _read_response
    self._convert_status(msg)
  File "/usr/lib/python3.6/site-packages/paramiko/sftp_client.py", line 894, in _convert_status
    raise IOError(errno.ENOENT, text)
FileNotFoundError: [Errno 2] No such file
2020-05-10 03:59:59,579-0400 INFO otopi.plugins.ovirt_engine_common.base.remote_engine.remote_engine remote_engine._enroll_cert_auto_ssh:276 WebSocket Proxy certificate signed successfully
QE: Reproduction/Verification steps:

1. Setup engine (only) on machine A
2. Setup websocket-proxy (and soon, can try also with grafana) on machine B
3. When asked about how to do stuff on the engine machine A, please try both 'ssh' and 'manual files'.

Make sure everything works well - that setup succeeds, websocket-proxy is up and usable, etc.
Moving back to MODIFIED since no released build contains this fix.
*** Bug 1626064 has been marked as a duplicate of this bug. ***
Verified on:
ovirt-engine-4.4.1.7-0.3.el8ev.noarch
ovirt-engine-websocket-proxy-4.4.1.7-0.3.el8ev.noarch

Steps:
1. Installed engine without websocket on engine A
2. Installed websocket on engine B using ssh interface
3. Trusted the engine A certificate in the browser
4. Accessed a noVNC console in engine A

Results:
No errors on installation, websocket noVNC console working as expected

Additional Info:
"manual_files" mode of access fails, but the issue is being addressed here already: https://bugzilla.redhat.com/show_bug.cgi?id=1855221
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1855249
This bugzilla is included in oVirt 4.4.1 release, published on July 8th 2020. Since the problem described in this bug report should be resolved in oVirt 4.4.1 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.