Bug 698133 - valid host subject is not passed to the spice-client during migration
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.1
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Michal Privoznik
QA Contact: Virtualization Bugs
Duplicates: 700530 703048
Reported: 2011-04-20 09:34 UTC by Lubos Kocman
Modified: 2011-12-06 11:05 UTC

Fixed In Version: libvirt-0.9.2-1.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 11:05:40 UTC


Attachments
vdsm.log (570.42 KB, text/plain), 2011-05-05 14:41 UTC, Lubos Kocman
libvirt log from the target (2.87 KB, text/plain), 2011-05-05 14:42 UTC, Lubos Kocman
libvirt log from the source (3.79 KB, text/plain), 2011-05-05 14:42 UTC, Lubos Kocman
libvirtd_source.log (3.77 MB, text/plain), 2011-05-17 11:55 UTC, Lubos Kocman
libvirtd_target.log (176.94 KB, text/plain), 2011-05-17 11:57 UTC, Lubos Kocman
attach detail setup and migrate command here (2.79 KB, text/plain), 2011-07-20 05:19 UTC, Vivian Bian


Links
System: Red Hat Product Errata; ID: RHBA-2011:1513; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: libvirt bug fix and enhancement update; Last Updated: 2011-12-06 01:23:30 UTC

Description Lubos Kocman 2011-04-20 09:34:24 UTC
Description of problem:

If you migrate a guest in ic114, then spice-client exits while switching hosts with the following error message:

1303126299 ERROR [3406:3407] RedPeer::verify_subject: host-subject mismatch

This indicates that an invalid or no host-subject is passed to the controller.

Manual connection to the migrated guest works fine (destination node) => No host-subject issue has been raised.

It is caused by not passing a valid host-subject. This can be caused either by vdsm or rhevm itself.


Version-Release number of selected component (if applicable):

spice-client-0.8.0-2.el6.x86_64
vdsm-4.9-61.el6.x86_64
spice-server-0.8.0-1.el6.x86_64
qemu-kvm-0.12.1.2-2.158.el6.x86_64
libvirt-0.8.7-17.el6.x86_64
ic114



How reproducible:

reproducible always


Steps to Reproduce:
1. connect with spice to the 
2.
3.
  
Actual results:

client disconnects with 
1303126299 ERROR [3406:3407] RedPeer::verify_subject: host-subject mismatch

Expected results:

valid host subject will be passed so the session will not be interrupted

Additional info:

The following output seems to be produced by connecting to the guest from rhevm after migration. Manual connection still works.

1303291829 INFO [5194:5194] ForeignMenu::ForeignMenu: Creating a foreign menu connection /tmp/SpiceForeignMenu-5194.uds
1303291829 INFO [5194:5194] Controller::Controller: Creating a controller connection /home/lkocman.el6/.spicec/spice-xpi-qQqqHT
1303291829 INFO [5194:5195] RedPeer::connect_unsecure: Trying 10.34.58.5 5901
1303291829 INFO [5194:5195] RedPeer::connect_unsecure: Connect failed: Connection refused (111)
1303291829 WARN [5194:5195] RedChannel::run: failed to connect: Connection refused (111)
1303291829 INFO [5194:5194] main: Spice client terminated (exitcode = 3)

Comment 3 Dan Kenigsberg 2011-04-20 10:57:35 UTC
Please verify that spice migration works on the libvirt level. vdsm never communicates with the spice client, and as far as I recall, neither does rhev-m (after invoking spicec).

If that's a regression indeed, could you tell when it was introduced?

Comment 4 Yaniv Kaul 2011-04-28 18:53:37 UTC
*** Bug 700530 has been marked as a duplicate of this bug. ***

Comment 5 Yaniv Kaul 2011-04-28 18:55:04 UTC
(In reply to comment #3)

> If that's a regression indeed, could you tell when it was introduced?

Between RHEV 2.2 and IC114 - it worked in 2.2.
The question is, does it work when the VMs are migrating between RHEL 5.x hosts. I think that'll narrow down the issue a bit.

Comment 6 Dan Kenigsberg 2011-04-28 21:32:46 UTC
(In reply to comment #5)
> (In reply to comment #3)
> 
> > If that's a regression indeed, could you tell when it was introduced?
> 
> Between RHEV 2.2 and IC114 - it worked in 2.2.

I'm pretty sure that spice migration was tested with RHEL6 hosts as well. Hasn't it, Ofer?

Comment 10 Uri Lublin 2011-05-03 13:45:32 UTC
I tested, manually, migration of a VM with a spice client connected (on a single
host).
Works for me.

("manually" means running qemu-kvm command line from shell, and providing
"__com.redhat_spice_migrate_info" and "migrate" monitor commands directly to qemu-kvm)

spice-server-0.8.0-1.el6.x86_64
spice-client-0.8.0-2.el6.x86_64
qemu-kvm-0.12.1.2-2.160.el6.x86_64

Comment 11 Daniel Berrangé 2011-05-03 14:37:46 UTC
Please provide the /var/log/libvirt/libvirtd.log file for the source and destination hosts covering the time migration was active.

Also please provide the output of

  # certtool -i --infile /etc/pki/libvirt/server-cert.pem

Comment 14 Lubos Kocman 2011-05-05 14:41:14 UTC
Created attachment 497115
vdsm.log

Comment 15 Lubos Kocman 2011-05-05 14:42:04 UTC
Created attachment 497117
libvirt log from the target

Comment 16 Lubos Kocman 2011-05-05 14:42:28 UTC
Created attachment 497118
libvirt log from the source

Comment 17 Daniel Berrangé 2011-05-05 16:36:01 UTC
Those aren't the right logfiles. I want the *libvirtd* logfile from both hosts, not the QEMU logfiles. A RHEVH node normally has these as /var/log/libvirt/libvirtd.log or /var/log/libvirtd.log

Comment 18 Yaniv Kaul 2011-05-09 06:54:23 UTC
*** Bug 703048 has been marked as a duplicate of this bug. ***

Comment 19 Lubos Kocman 2011-05-17 11:55:58 UTC
Created attachment 499321
libvirtd_source.log

requested /var/log/libvirt/libvirtd.log from the source host during migration migrated guest = WIN7x32-lk

Comment 20 Lubos Kocman 2011-05-17 11:57:55 UTC
Created attachment 499323
libvirtd_target.log

requested /var/log/libvirt/libvirtd.log from the target host during migration migrated guest = WIN7x32-lk

Comment 21 Daniel Berrangé 2011-05-17 14:47:04 UTC
While testing the same code in upstream libvirt I found a bug in the XPath expression used to extract the TLS subject from XML


+    grap->tlsSubject = virXPathString("string(./graphics/cert[ info='subject']/@value)", ctxt);

should be

+    grap->tlsSubject = virXPathString("string(./graphics/cert[@info='subject']/@value)", ctxt);
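
Review bot: nothing in the corrected line shows what happens when the expression matches no node, which is how the `info` versus `@info` typo went unnoticed until the client reported a host-subject mismatch. Consider a parser test that feeds a cookie containing a cert element with info='subject' and asserts that grap->tlsSubject comes back non-empty, and log a warning when a TLS port is present but no subject was extracted.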

Note '@info' instead of 'info'.  This is almost certainly what's causing this bug, because if we don't match the subject when parsing XML, then the SPICE client won't receive any data via the monitor.
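
The difference between the two expressions in comment 21, as an added example that is not libvirt code: it uses Python's xml.etree.ElementTree instead of libxml2, and the XML samples, root element name and helper names are constructed for illustration. It shows that the mistyped predicate silently selects nothing on attribute-form XML, and adds a fail-closed check for a TLS port without a subject.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped to fit the XPath in comment 21; the root element
# name, ports and the CHILD_FORM variant are assumptions for illustration.
COOKIE = """<qemu-migration>
  <graphics type='spice' port='5900' tlsPort='5901'>
    <cert info='subject' value='C=IL,L=Raanana,O=Red Hat,CN=my server'/>
  </graphics>
</qemu-migration>"""

# The only shape the mistyped predicate matches: 'info' as a child element.
CHILD_FORM = """<qemu-migration>
  <graphics type='spice' port='5900' tlsPort='5901'>
    <cert value='CN=child form'><info>subject</info></cert>
  </graphics>
</qemu-migration>"""

BUGGY = "./graphics/cert[info='subject']"   # tests a child element <info>
FIXED = "./graphics/cert[@info='subject']"  # tests the attribute info=


def tls_subject(xml_text, path):
    """Return the 'value' attribute of the cert node selected by path."""
    node = ET.fromstring(xml_text).find(path)
    return node.get("value") if node is not None else None


def require_subject(xml_text, path=FIXED):
    """Fail closed: a TLS port with no parsed subject is an error."""
    root = ET.fromstring(xml_text)
    graphics = root.find("./graphics")
    subject = tls_subject(xml_text, path)
    if graphics is not None and graphics.get("tlsPort") and not subject:
        raise ValueError("tlsPort present but no TLS subject parsed")
    return subject


if __name__ == "__main__":
    for name, path in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name, "->", tls_subject(COOKIE, path))
    try:
        require_subject(COOKIE, BUGGY)
    except ValueError as exc:
        print("rejected:", exc)
```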

Comment 22 Michal Privoznik 2011-05-18 13:06:52 UTC
Pushed upstream:

commit 45b28f7c4f1876c341c97d24c368427c0f26f344
Author: Michal Privoznik <mprivozn>
Date:   Wed May 18 11:57:07 2011 +0200

    qemu: fix typo in spice migration code
    
    This typo caused XPath returning improper value and thus not
    working spice after migration.

v0.9.1-195-g45b28f7

Comment 26 Daniel Veillard 2011-06-23 03:10:24 UTC
This should be fixed by the libvirt-0.9.2-1.el6 rebase

Comment 29 weizhang 2011-07-05 09:06:16 UTC
For code inspection verification it passes on libvirt-0.9.2-1.el6

Comment 31 Vivian Bian 2011-07-12 11:42:08 UTC
Checked this bug 

==== Steps ====

1. install a new guest and configure it with spice graphic framebuffer
2. open the spice client console to access the graphic interface on the source machine 
3. try to migrate the guest to the remote destination machine

==== tested with ====
libvirt-0.9.3-1.el6.x86_64
kernel-2.6.32-164.el6.x86_64
qemu-kvm-0.12.1.2-2.169.el6.x86_64
spice-server-0.8.0-1.el6.x86_64
spice-client-0.8.0-2.el6.x86_64

==== result ====
at step 3, we get the guest migrated to the remote machine, BUT the spice client window gets closed. And also we get the following error record in libvirtd.log

19:22:24.992: 15397: info : libvirt version: 0.9.3, package: 1.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2011-07-04-23:20:52, x86-002.build.bos.redhat.com)
19:22:24.992: 15397: error : qemuDomainExtractTLSSubject:151 : internal error cannot initialize cert object: ASN1 parser: Element was not found.
19:22:24.992: 15397: warning : qemuMigrationPrepareDirect:1386 : Unable to encode migration cookie


==== tested with ====
libvirt-0.8.7-18.el6.x86_64.rpm
kernel-2.6.32-164.el6.x86_64
qemu-kvm-0.12.1.2-2.169.el6.x86_64
spice-server-0.8.0-1.el6.x86_64
spice-client-0.8.0-2.el6.x86_64

==== result ====
at step 3, we can get the spice seamless migration successfully. Spice client window kept open all the time. And there is no error record in libvirtd.log

So there might be a regression when trying to fix the tls problem for this bug

Comment 32 Dave Allan 2011-07-13 00:33:20 UTC
Vivian, why are you asking Dan Berrange for information?  This BZ is assigned to Michal, he should be your source of information.

Comment 34 Michal Privoznik 2011-07-14 11:56:11 UTC
Yes. It was a regression but it should be fixed in 0.9.3-2

https://www.redhat.com/archives/libvir-list/2011-July/msg00413.html

Please try again with the recent build.

Comment 35 Vivian Bian 2011-07-18 11:55:08 UTC
Hi Michal,
Today, we tried bug https://bugzilla.redhat.com/show_bug.cgi?id=698133
And as we mentioned before, on our side, we haven't got this bug reproduced even with the old buggy version of libvirt.


But now, with this bug moved to ON_QA, we get the following result, please confirm if it is the regression caused by incomplete patch, or it is another new regression bug. Btw, please confirm if there is something missed in the steps we tried to reproduce this bug with libvirt only.

[steps]
1. install a new guest and configure it with spice graphic framebuffer
2. open the spice client console to access the graphic interface on the source
machine
3. try to migrate the guest to the remote destination machine

[results]
libvirt-0.9.3-3.el6.x86_64

at step 3, we get the guest migrated to the remote machine, BUT the spice
client window gets closed. And also we get the following error record in
libvirtd.log

16:22:24.992: 15397: info : libvirt version: 0.9.3, package: 3.el6 (Red Hat,
Inc. <http://bugzilla.redhat.com/bugzilla>, 2011-07-13-23:20:52,
x86-002.build.bos.redhat.com)
16:22:24.992: 15397: error : qemuDomainExtractTLSSubject:151 : internal error
cannot initialize cert object: ASN1 parser: Element was not found.
16:22:24.992: 15397: warning : qemuMigrationPrepareDirect:1386 : Unable to
encode migration cookie

# spicec -h 10.66.4.220 -p 5900 -s 5901 --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my server" --ca-file /etc/pki/libvirt-spice/ca-cert.pem --secure-channels main --enable-channels all -w redhat
Warning: no factory for 8
ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect: Connection refused


libvirt-devel-0.9.3-1.el6.x86_64.rpm

The same with libvirt-0.9.3-3.el6.x86_64.rpm


libvirt-0.8.7-18.el6.x86_64.rpm
15:14:32.757: 7695: warning : qemudStartVMDaemon:3336 : Executing /usr/libexec/qemu-kvm
15:14:32.764: 7695: warning : qemudStartVMDaemon:3346 : Executing done /usr/libexec/qemu-kvm

And the spicec monitor didn't get disconnected.
# spicec -h 10.66.4.220 -p 5900 -s 5901 --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my server" --ca-file /etc/pki/libvirt-spice/ca-cert.pem --secure-channels main --enable-channels all -w redhat
Warning: no factory for 8
Warning: no factory for 8


Thanks
Vivian

Comment 36 Vivian Bian 2011-07-20 05:19:25 UTC
Created attachment 513916
attach detail setup and migrate command here

Comment 37 Vivian Bian 2011-07-20 12:35:57 UTC
tested with libvirt-0.9.3-6.el6.x86_64

With the same steps as comment 36, with ssl spice client connection didn't get cut. And there is no error msg in libvirtd.log and messages log.

Comment 38 Lubos Kocman 2011-07-20 13:00:45 UTC
Can't help you with verification:

got following problem:

1311166702 INFO [26756:26756] Application::switch_host: host=hyper03.spice.lab.eng.brq.redhat.com port=5906 sport=5907
1311166703 INFO [26756:26757] RedPeer::connect_unsecure: Trying 10.34.58.4 5907
1311166703 INFO [26756:26757] RedPeer::connect_unsecure: Connect failed: Connection refused (111)
1311166703 WARN [26756:26757] RedChannel::run: failed to connect: Connection refused (111)
1311166703 INFO [26756:26756] main: Spice client terminated (exitcode = 3)

seems like spice gets an order to migrate to a new host, but vm was not migrated at all.

Haven't you changed anything that could change behaviour to this?

libvirt-0.9.3-3.el6.x86_64
qemu-kvm-0.12.1.2-2.169.el6.x86_64

Comment 39 Michal Privoznik 2011-07-20 13:08:15 UTC
Lubos, please try again but with -6 build. It fixes some serious TLS issues.

Comment 42 Vivian Bian 2011-07-25 03:02:52 UTC
tested with libvirt-0.9.3-7.el6.x86_64

guest with spice graphical framebuffer could be migrated successfully. And there is no host subject error record in the libvirtd.log and messages. Spice client can keep connecting, we got the seamless migration.

So set bug status to VERIFIED

Comment 45 errata-xmlrpc 2011-12-06 11:05:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1513.html

