Bug 1672587 - VNC encryption is true on host after upgrade causing "Unsupported security types: 19"
Summary: VNC encryption is true on host after upgrade causing "Unsupported security ty...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
urgent
high vote
Target Milestone: ovirt-4.3.1
: ---
Assignee: Tomasz Barański
QA Contact: Liran Rotenberg
URL:
Whiteboard:
Keywords: Regression
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-05 11:34 UTC by Liran Rotenberg
Modified: 2019-03-01 10:20 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-03-01 10:20:17 UTC
rule-engine: ovirt-4.3+
rule-engine: blocker+
rule-engine: devel_ack+


Attachments (Terms of Use)
host_deploy_log (137.58 KB, text/plain)
2019-02-05 11:40 UTC, Liran Rotenberg
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 97582 master MERGED core: VNC encryption is always turned ON at upgrade 2019-02-06 13:21 UTC

Description Liran Rotenberg 2019-02-05 11:34:49 UTC
Description of problem:
On existing cluster, when upgrading to 4.3, the cluster's VNC encryption is false.
But, on hosts, they configured with VNC encryption.

In the DB, 
select vnc_encryption_enabled from vds_dynamic where vds_id=<your host id>;

Will result with false flag on the hosts.

In the host /etc/libvirt/qemu.conf
vnc_tls=1
vnc_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-vnc"

This will result NoVNC to break - https://bugzilla.redhat.com/show_bug.cgi?id=1659155

The user is not aware to the encryption, remote-viewer needs additional configuration - in this state it will open and immediate close.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.0-0.8.rc2.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Upgrade the host from 4.2 to 4.3.

Actual results:
VNC encryption is set on the host while the cluster set False to VNC encryption.

Expected results:
VNC encryption to be set as the cluster.

Additional info:
From the engine, host-deploy, ovirt-host-mgmt-ansible log:
2019-02-05 13:25:28,278 p=60013 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-05 13:25:28,757 p=60013 u=ovirt |  changed: [ocelot06.qa.lab.tlv.redhat.com] => {
    "changed": true
}

MSG:

Block inserted

2019-02-05 13:25:28,800 p=60013 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-05 13:25:28,812 p=60013 u=ovirt |  skipping: [ocelot06.qa.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}

Comment 1 Liran Rotenberg 2019-02-05 11:40 UTC
Created attachment 1527121 [details]
host_deploy_log

Comment 3 Tomasz Barański 2019-02-05 11:50:22 UTC
There is a workaround until the bug is fixed:

1. Comment out `vnc_tls=1` in /etc/libvirt/qemu.conf (or change it to vnc_tls=0).
2. Restart the host
   (actually, what is strictly necessary is restarting libvirt and all affected VMs. Restarting the host might just be easier).

Comment 7 Ryan Barry 2019-02-07 11:53:47 UTC
Greg was faster, but definitely able to be verified with nightlies

Comment 8 Liran Rotenberg 2019-02-12 08:11:37 UTC
Verified on:
ovirt-engine-4.3.0.5-0.0.master.20190210112640.git53b60e3.el7.noarch

Steps:
1. Create a cluster with un-upgraded host, VNC encryption disabled.
2. Check the host qemu.conf for vnc_tls
# less /etc/libvirt/qemu.conf | grep vnc_tls
3. Check for update from the UI.
4. Upgrade the host from UI.
5. Check the host qemu.conf for vnc_tls
# less /etc/libvirt/qemu.conf | grep vnc_tls
6. Check host-deploy log for TLS conditions.

Results:
In step 2, qemu.conf is without vnc_tls=1, it's commented as it should be.
In step 5, the result is the same as step 2, as expected.
From step 6:
2019-02-12 09:35:07,419 p=24786 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-12 09:35:07,434 p=24786 u=ovirt |  skipping: [ocelot03.qa.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}
2019-02-12 09:35:07,476 p=24786 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-12 09:35:07,990 p=24786 u=ovirt |  ok: [ocelot03.qa.lab.tlv.redhat.com] => {
    "changed": false
}

Comment 9 Sandro Bonazzola 2019-03-01 10:20:17 UTC
This bugzilla is included in oVirt 4.3.1 release, published on February 28th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.