Bug 1672587 - VNC encryption is true on host after upgrade causing "Unsupported security types: 19"
Status: VERIFIED
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt   
Version: 4.3.0
Hardware: Unspecified Unspecified
urgent
high vote
Target Milestone: ovirt-4.3.1
Assignee: Tomasz Barański
QA Contact: Liran Rotenberg
Keywords: Regression
Reported: 2019-02-05 11:34 UTC by Liran Rotenberg
Modified: 2019-02-20 10:59 UTC (History)

Fixed In Version: ovirt-engine-4.3.1.1
Type: Bug
oVirt Team: Virt
rule-engine: ovirt-4.3+
rule-engine: blocker+
rule-engine: devel_ack+


Attachments
host_deploy_log (137.58 KB, text/plain)
2019-02-05 11:40 UTC, Liran Rotenberg


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 97582 master MERGED core: VNC encryption is always turned ON at upgrade 2019-02-06 13:21 UTC

Description Liran Rotenberg 2019-02-05 11:34:49 UTC
Description of problem:
On an existing cluster, when upgrading to 4.3, the cluster's VNC encryption is false.
But the hosts are configured with VNC encryption.

In the DB, 
select vnc_encryption_enabled from vds_dynamic where vds_id=<your host id>;

This will result in a false flag on the hosts.

In the host's /etc/libvirt/qemu.conf:
vnc_tls=1
vnc_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-vnc"

This will cause NoVNC to break - https://bugzilla.redhat.com/show_bug.cgi?id=1659155

The user is not aware of the encryption; remote-viewer needs additional configuration - in this state it will open and immediately close.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.0-0.8.rc2.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Upgrade the host from 4.2 to 4.3.

Actual results:
VNC encryption is set on the host while the cluster has VNC encryption set to False.

Expected results:
VNC encryption to be set as in the cluster.

Additional info:
From the engine, host-deploy, ovirt-host-mgmt-ansible log:
2019-02-05 13:25:28,278 p=60013 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-05 13:25:28,757 p=60013 u=ovirt |  changed: [ocelot06.qa.lab.tlv.redhat.com] => {
    "changed": true
}

MSG:

Block inserted

2019-02-05 13:25:28,800 p=60013 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-05 13:25:28,812 p=60013 u=ovirt |  skipping: [ocelot06.qa.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}

Comment 1 Liran Rotenberg 2019-02-05 11:40 UTC
Created attachment 1527121
host_deploy_log

Comment 3 Tomasz Barański 2019-02-05 11:50:22 UTC
There is a workaround until the bug is fixed:

1. Comment out `vnc_tls=1` in /etc/libvirt/qemu.conf (or change it to vnc_tls=0).
2. Restart the host
   (actually, what is strictly necessary is restarting libvirt and all affected VMs. Restarting the host might just be easier).

Comment 7 Ryan Barry 2019-02-07 11:53:47 UTC
Greg was faster, but definitely able to be verified with nightlies

Comment 8 Liran Rotenberg 2019-02-12 08:11:37 UTC
Verified on:
ovirt-engine-4.3.0.5-0.0.master.20190210112640.git53b60e3.el7.noarch

Steps:
1. Create a cluster with an un-upgraded host, VNC encryption disabled.
2. Check the host qemu.conf for vnc_tls
# less /etc/libvirt/qemu.conf | grep vnc_tls
3. Check for update from the UI.
4. Upgrade the host from UI.
5. Check the host qemu.conf for vnc_tls
# less /etc/libvirt/qemu.conf | grep vnc_tls
6. Check host-deploy log for TLS conditions.

Results:
In step 2, qemu.conf is without vnc_tls=1; it's commented out, as it should be.
In step 5, the result is the same as step 2, as expected.
From step 6:
2019-02-12 09:35:07,419 p=24786 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-12 09:35:07,434 p=24786 u=ovirt |  skipping: [ocelot03.qa.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}
2019-02-12 09:35:07,476 p=24786 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-12 09:35:07,990 p=24786 u=ovirt |  ok: [ocelot03.qa.lab.tlv.redhat.com] => {
    "changed": false
}
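
The mismatch reported in this bug can be checked mechanically. The following is an added example, not code from oVirt or from any commenter: it reads the effective vnc_tls value from qemu.conf text, compares it with the cluster's VNC encryption flag, and extracts the outcome of the two TLS tasks from a host-deploy log. The function names, the sample inputs and the last-assignment-wins rule for a repeated key are assumptions.

```python
import re

# Uncommented "vnc_tls = 0|1" assignment in qemu.conf (vnc_tls_x509_* keys do not match).
_VNC_TLS = re.compile(r"^\s*vnc_tls\s*=\s*([01])\s*(?:#.*)?$")
# The two TLS tasks and the per-host result lines of the host-deploy log.
_TASK = re.compile(r"TASK \[ovirt-host-deploy-vnc-certificates : "
                   r"Modify qemu config file - (enable|disable) TLS\]")
_RESULT = re.compile(r"\|\s+(changed|ok|skipping): \[([^\]]+)\]")

# Constructed sample inputs modelled on the snippets in this report.
SAMPLE_CONF = '#vnc_tls = 0\nvnc_tls=1\nvnc_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-vnc"\n'
SAMPLE_LOG = """\
2019-02-05 13:25:28,278 p=1 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-05 13:25:28,757 p=1 u=ovirt |  changed: [host1.example.test] => {
2019-02-05 13:25:28,800 p=1 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-05 13:25:28,812 p=1 u=ovirt |  skipping: [host1.example.test] => {
"""

def host_vnc_tls(conf_text):
    """Return True if qemu.conf enables VNC TLS; commented out or missing means off.
    Assumption: if the key is repeated, the last uncommented assignment wins."""
    enabled = False
    for line in conf_text.splitlines():
        m = _VNC_TLS.match(line)
        if m:
            enabled = m.group(1) == "1"
    return enabled

def deploy_tls_tasks(log_text):
    """Map (host, 'enable'|'disable') to the Ansible result of that TLS task."""
    results, current = {}, None
    for line in log_text.splitlines():
        t = _TASK.search(line)
        if t:
            current = t.group(1)
            continue
        r = _RESULT.search(line)
        if r and current:
            results[(r.group(2), current)] = r.group(1)
            current = None
    return results

def drift(cluster_vnc_encryption, conf_text):
    """Describe a cluster/host mismatch, or return None when they agree."""
    host = host_vnc_tls(conf_text)
    if host == cluster_vnc_encryption:
        return None
    return f"cluster vnc_encryption={cluster_vnc_encryption} but host vnc_tls={int(host)}"
```

With the cluster flag set to false, `drift(False, SAMPLE_CONF)` reports the state described in this bug, and `deploy_tls_tasks(SAMPLE_LOG)` shows the "enable TLS" task as changed.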

