Bug 1672587 - VNC encryption is true on host after upgrade causing "Unsupported security types: 19"
Summary: VNC encryption is true on host after upgrade causing "Unsupported security ty...
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.3.1
: ---
Assignee: Tomasz Barański
QA Contact: Liran Rotenberg
Depends On:
TreeView+ depends on / blocked
Reported: 2019-02-05 11:34 UTC by Liran Rotenberg
Modified: 2019-03-01 10:20 UTC (History)
7 users (show)

Fixed In Version: ovirt-engine-
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-03-01 10:20:17 UTC
oVirt Team: Virt
rule-engine: ovirt-4.3+
rule-engine: blocker+
rule-engine: devel_ack+

Attachments (Terms of Use)
host_deploy_log (137.58 KB, text/plain)
2019-02-05 11:40 UTC, Liran Rotenberg
no flags Details

System ID Private Priority Status Summary Last Updated
oVirt gerrit 97582 0 'None' MERGED core: VNC encryption is always turned ON at upgrade 2021-01-08 05:38:37 UTC

Internal Links: 1826431

Description Liran Rotenberg 2019-02-05 11:34:49 UTC
Description of problem:
On existing cluster, when upgrading to 4.3, the cluster's VNC encryption is false.
But, on hosts, they configured with VNC encryption.

In the DB, 
select vnc_encryption_enabled from vds_dynamic where vds_id=<your host id>;

Will result with false flag on the hosts.

In the host /etc/libvirt/qemu.conf

This will result NoVNC to break - https://bugzilla.redhat.com/show_bug.cgi?id=1659155

The user is not aware to the encryption, remote-viewer needs additional configuration - in this state it will open and immediate close.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Upgrade the host from 4.2 to 4.3.

Actual results:
VNC encryption is set on the host while the cluster set False to VNC encryption.

Expected results:
VNC encryption to be set as the cluster.

Additional info:
From the engine, host-deploy, ovirt-host-mgmt-ansible log:
2019-02-05 13:25:28,278 p=60013 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-05 13:25:28,757 p=60013 u=ovirt |  changed: [ocelot06.qa.lab.tlv.redhat.com] => {
    "changed": true


Block inserted

2019-02-05 13:25:28,800 p=60013 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-05 13:25:28,812 p=60013 u=ovirt |  skipping: [ocelot06.qa.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"

Comment 1 Liran Rotenberg 2019-02-05 11:40:18 UTC
Created attachment 1527121 [details]

Comment 3 Tomasz Barański 2019-02-05 11:50:22 UTC
There is a workaround until the bug is fixed:

1. Comment out `vnc_tls=1` in /etc/libvirt/qemu.conf (or change it to vnc_tls=0).
2. Restart the host
   (actually, what is strictly necessary is restarting libvirt and all affected VMs. Restarting the host might just be easier).

Comment 7 Ryan Barry 2019-02-07 11:53:47 UTC
Greg was faster, but definitely able to be verified with nightlies

Comment 8 Liran Rotenberg 2019-02-12 08:11:37 UTC
Verified on:

1. Create a cluster with un-upgraded host, VNC encryption disabled.
2. Check the host qemu.conf for vnc_tls
# less /etc/libvirt/qemu.conf | grep vnc_tls
3. Check for update from the UI.
4. Upgrade the host from UI.
5. Check the host qemu.conf for vnc_tls
# less /etc/libvirt/qemu.conf | grep vnc_tls
6. Check host-deploy log for TLS conditions.

In step 2, qemu.conf is without vnc_tls=1, it's commented as it should be.
In step 5, the result is the same as step 2, as expected.
From step 6:
2019-02-12 09:35:07,419 p=24786 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-12 09:35:07,434 p=24786 u=ovirt |  skipping: [ocelot03.qa.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
2019-02-12 09:35:07,476 p=24786 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-12 09:35:07,990 p=24786 u=ovirt |  ok: [ocelot03.qa.lab.tlv.redhat.com] => {
    "changed": false

Comment 9 Sandro Bonazzola 2019-03-01 10:20:17 UTC
This bugzilla is included in oVirt 4.3.1 release, published on February 28th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.