Bug 756136 - ovirtNode: sasl2/libvirt.conf - mech_list
Summary: ovirtNode: sasl2/libvirt.conf - mech_list
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-node
Version: unspecified
Hardware: All
OS: All
medium
medium
Target Milestone: ---
Assignee: Mike Burns
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 752464
Reported: 2011-11-22 19:29 UTC by Douglas Schilling Landgraf
Modified: 2016-04-26 17:04 UTC (History)

Fixed In Version: 2.2.0
Clone Of:
Environment:
Last Closed: 2012-01-05 16:21:46 UTC
oVirt Team: ---
Embargoed:



Description Douglas Schilling Landgraf 2011-11-22 19:29:39 UTC
Description of problem:

Hello Mike,

As we discussed over IRC today, it will be required to verify why oVirt Node sets mech_list only to gssapi. I have created this BZ so that we can track it.

from post scripts/ovirt-functions/recipe/ovirt16-post.ks:
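import os

# with libvirt (0.4.0), make sure we set up gssapi in the mech_list
sasl_conf = "/etc/sasl2/libvirt.conf"
# grep exits non-zero when no active "mech_list: gssapi" line is present
ret = os.system('grep -qE "^mech_list: gssapi" %s' % sasl_conf)
if ret > 0:
  # comment out any existing mech_list line (raw string keeps \1 as a sed backreference)
  os.system(r"sed -i -e 's/^\([[:space:]]*mech_list.*\)/#\1/' %s" % sasl_conf)
  # then append a mech_list that allows gssapi only
  os.system('echo "mech_list: gssapi" >> %s' % sasl_conf)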

===========================
However, if we do not also enable digest-md5 in the mech_list, vdsm throws the exception below during the **approval operation**:

vdsm log:
============================================
MainThread::INFO::2011-11-22 05:16:06,790::vdsm::76::vds::(run) VDSM main thread ended. Waiting for 1 other threads...
MainThread::INFO::2011-11-22 05:16:06,792::vdsm::79::vds::(run) <_MainThread(MainThread, started 140463204898560)>
MainThread::INFO::2011-11-22 05:16:06,793::vdsm::79::vds::(run) <Thread(libvirtEventLoop, started daemon 140462990432000)>
MainThread::INFO::2011-11-22 05:16:06,850::vdsm::71::vds::(run) I am the actual vdsm 4.9-0
MainThread::ERROR::2011-11-22 05:16:06,978::vdsm::74::vds::(run) Traceback (most recent call last):
  File "/usr/share/vdsm/vdsm", line 72, in run
    serve_clients(log)
  File "/usr/share/vdsm/vdsm", line 40, in serve_clients
    cif = clientIF.clientIF(log)
  File "/usr/share/vdsm/clientIF.py", line 113, in __init__
  File "/usr/share/vdsm/libvirtconnection.py", line 111, in get
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
libvirtError: authentication failed: authentication failed

libvirtError: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) 


Currently, I am using:
===========================
# vi /etc/sasl2/libvirt.conf
mech_list: digest-md5 gssapi


Thanks for all your help!

Comment 1 Douglas Schilling Landgraf 2011-11-23 01:00:56 UTC
Hello Mike,

      Just a few more comments:

The SASL mechanism configured by default is DIGEST-MD5, which provides a basic username+password style authentication [1] (which vdsm uses). So if you prefer, we can even not set mech_list. However, we might want to be compatible with the RHEV-H image.

If this helps, from RHEV env:

# cat /etc/redhat-release 
Red Hat Enterprise Virtualization Hypervisor release 6.2 (20111010.2.el6)

# cat /etc/sasl2/libvirt.conf | grep -v '^#\|^$'
mech_list: digest-md5
keytab: /etc/libvirt/krb5.tab
sasldb_path: /etc/libvirt/passwd.db

[1] http://libvirt.org/auth.html 

Thanks!
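
The effect of the quoted post script on a SASL configuration, as an added example that is not part of the original bug report or of the oVirt code: it reproduces the script's grep/sed/echo logic in pure Python and checks whether DIGEST-MD5 (the mechanism vdsm uses, per comment 1) is still permitted afterwards. The function names and sample strings are constructed for illustration, and treating an unset mech_list as unrestricted follows the default described in comment 1.

```python
import re

# Constructed sample inputs, based on the configurations quoted in this bug.
RHEVH_CONF = (
    "mech_list: digest-md5\n"
    "keytab: /etc/libvirt/krb5.tab\n"
    "sasldb_path: /etc/libvirt/passwd.db\n"
)
WORKAROUND_CONF = "mech_list: digest-md5 gssapi\n"


def active_mech_list(conf_text):
    """Return the mechanisms on the first uncommented mech_list line,
    upper-cased, or None when the file sets no mech_list at all.
    Using the first line when several exist is an assumption of this sketch."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*mech_list:(.*)$", line)
        if m:
            return [mech.upper() for mech in m.group(1).split()]
    return None


def force_gssapi(conf_text):
    """Pure-Python equivalent of the quoted post script: unless a line
    starts with 'mech_list: gssapi', comment out every mech_list line
    and append 'mech_list: gssapi'."""
    if re.search(r"^mech_list: gssapi", conf_text, flags=re.M):
        return conf_text
    commented = re.sub(r"^([ \t]*mech_list.*)$", r"#\1", conf_text, flags=re.M)
    return commented + "mech_list: gssapi\n"


def mech_list_permits(conf_text, mech="DIGEST-MD5"):
    """True unless mech_list restricts the server to a list without `mech`."""
    mechs = active_mech_list(conf_text)
    return mechs is None or mech.upper() in mechs


if __name__ == "__main__":
    for name, conf in (("RHEV-H", RHEVH_CONF), ("workaround", WORKAROUND_CONF)):
        after = force_gssapi(conf)
        print(name, "before:", mech_list_permits(conf),
              "after post script:", mech_list_permits(after))
```

Because the script's grep only accepts a line that begins with `mech_list: gssapi`, it also rewrites the `digest-md5 gssapi` workaround, which leaves a password-only client with no mechanism in common with the server.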

Comment 2 Mike Burns 2011-11-23 11:50:09 UTC
Alan,

Do you know why we're updating this to just gssapi?  It's only done for fedora based nodes.

Comment 3 Alan Pevec 2011-11-23 12:09:06 UTC
Leftover from legacy ovirt-server: it used kerberized remote libvirt access.
You can drop that now.

Comment 4 Mike Burns 2011-11-23 12:27:54 UTC
http://gerrit.ovirt.org/#change,358

Comment 5 Mike Burns 2011-12-02 15:34:44 UTC
Patch pushed to master

