Bug 1676704 - Cannot disable VNC Encryption in cluster
Summary: Cannot disable VNC Encryption in cluster
Alias: None
Product: ovirt-host-deploy
Classification: oVirt
Component: Core
Version: 1.8.0
Hardware: Unspecified
OS: Linux
Target Milestone: ovirt-4.3.1
: ---
Assignee: Tomasz Barański
QA Contact: Liran Rotenberg
Depends On:
TreeView+ depends on / blocked
Reported: 2019-02-12 22:05 UTC by Sergey
Modified: 2019-03-01 10:20 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2019-03-01 10:20:17 UTC
oVirt Team: Virt
rbarry: ovirt-4.3?

Attachments (Terms of Use)
qemu.conf (29.99 KB, text/plain)
2019-02-13 16:11 UTC, Sergey
no flags Details

System ID Private Priority Status Summary Last Updated
oVirt gerrit 97728 0 master MERGED ansible: Enabling VNC TLS does not add block markers 2020-06-16 21:01:40 UTC

Description Sergey 2019-02-12 22:05:19 UTC
Description of problem:
After unchecking "Enable VNC Encryption" in cluster console settings oVirt UI 
shows warning on all hosts in cluster:
"Host needs to be reinstalled as important configuration changes were applied on it."
But after reinstalling hosts VNC Encryption is still enabled, ovirt-host-deploy-ansible log:
2019-02-13 00:08:17,728 p=16592 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-13 00:08:17,759 p=16592 u=ovirt |  skipping: [*ovirthost*] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
2019-02-13 00:08:17,885 p=16592 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-13 00:08:18,545 p=16592 u=ovirt |  ok: [*ovirthost*] => {
    "changed": false

cat /etc/libvirt/qemu.conf | grep vnc_tls
#vnc_tls = 1
# If the path is not provided, but vnc_tls = 1, then the
#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
# ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
#vnc_tls_x509_verify = 1

Version-Release number of selected component (if applicable):
ovirt-host-deploy-common.noarch   1.8.0-1.el7
ovirt-host-deploy-java.noarch     1.8.0-1.el7
python2-ovirt-host-deploy.noarch  1.8.0-1.el7

How reproducible:

Steps to Reproduce:
1. create cluster with checked "Enable VNC Encryption" option
2. add and install host
3. uncheck "Enable VNC Encryption" option
4. reinstall host

Actual results:
VNC Encryption enabled
vnc_tls=1 exists in /etc/libvirt/qemu.conf

Expected results:
VNC Encryption disabled
no vnc_tls=1 in /etc/libvirt/qemu.conf

Additional info:

Comment 1 Tomasz Barański 2019-02-13 10:29:08 UTC
Could you attach the /etc/libvirt/qemu.conf file?

Comment 2 Sergey 2019-02-13 16:11:31 UTC
Created attachment 1534445 [details]

Here it is, before I've disabled vnc_tls manually as a workaround.

Comment 3 Tomasz Barański 2019-02-13 18:15:01 UTC
Thanks, Sergey!

The patch is already on gerrit.

Your workaround is good, but remember to put the host in maintenance mode before changing the config file and restart libvirt so it picks up the change.

Comment 4 Sergey 2019-02-13 18:58:14 UTC
Thanks! It was a new host, so I've already rebooted it.
Found this bug while deploying new cluster.

Comment 5 Liran Rotenberg 2019-02-28 08:23:50 UTC
Verified on:

1. Create cluster with checked "Enable VNC Encryption" option.
2. Add and install host.
3. Check host's qemu config file, set with vnc_tls=1
# cat /etc/libvirt/qemu.conf | grep vnc_tls
4. Uncheck "Enable VNC Encryption" option
5. Reinstall host
6. Check host's qemu config file, set without vnc_tls=1
# cat /etc/libvirt/qemu.conf | grep vnc_tls

After step 3, the host was with VNC encryption set.
In step 6 the block in qemu.conf was removed, disabling VNC encryption.

In the host-deploy log:

2019-02-28 10:05:27,579 p=1732 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - enable TLS] ***
2019-02-28 10:05:27,624 p=1732 u=ovirt |  skipping: [virt-nested-vm13.scl.lab.tlv.redhat.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
2019-02-28 10:05:27,696 p=1732 u=ovirt |  TASK [ovirt-host-deploy-vnc-certificates : Modify qemu config file - disable TLS] ***
2019-02-28 10:05:28,744 p=1732 u=ovirt |  changed: [virt-nested-vm13.scl.lab.tlv.redhat.com] => {
    "changed": true


Block removed

Comment 6 Sandro Bonazzola 2019-03-01 10:20:17 UTC
This bugzilla is included in oVirt 4.3.1 release, published on February 28th 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.