Bug 773371 - vdsm: when installing vdsm manually in the host and then installing host with web-admin /etc/libvirt/qemu.conf is using spice_tls=1 which causes vm's to fail to run with cert error
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: vdsm
Version: unspecified
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: 3.1
Assignee: Federico Simoncelli
Reported: 2012-01-11 16:56 UTC by Dafna Ron
Modified: 2012-08-09 08:05 UTC (History)

Fixed In Version: v4.9.3.3
Doc Type: Bug Fix
Doc Text:
If vdsm is started before it has its keys configured, it configures itself to avoid ssl keys, even if vdsm is later installed properly with its keys and certificates. To reconfigure vdsm, run /lib/systemd/systemd-vdsmd reconfigure
Last Closed: 2012-08-09 08:05:25 UTC
oVirt Team: ---


Attachments
log and config file (665.54 KB, application/x-gzip)
2012-01-11 16:56 UTC, Dafna Ron

Description Dafna Ron 2012-01-11 16:56:26 UTC
Created attachment 552170
log and config file

Description of problem:

When installing vdsm on a server manually and then adding the server as a host with web-admin, the VMs with a spice console fail to run with the error:
libvirtError: internal error process exited while connecting to monitor: do_spice_init: starting 0.10.0
reds_init_ssl: Could not load certificates from /etc/pki/libvirt-spice/server-cert.pem


Moran checked and during install, we skip the configuration since we assume it's already configured.
The conf file /etc/libvirt/qemu.conf will show spice_tls=1 # by vdsm
instead of spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice"

As a result, we will try to run the VM with the cert location:
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

which is the wrong location, and the VM will fail to run.

The workaround is to reconfigure vdsm:
/lib/systemd/systemd-vdsmd reconfigure


Version-Release number of selected component (if applicable):

vdsm-4.9.2-0.65.gitf945dc2.fc16.x86_64
libvirt-0.9.6-4.fc16.x86_64

How reproducible:

100%

Steps to Reproduce:
1. Install Fedora on the server and manually install the vdsm and libvirt RPMs
2. Create a new host in web-admin
3. Create and run a VM with a spice console
  
Actual results:

vm will fail to run

Expected results:

we should be using the correct cert location

Additional info: full vdsm log

Thread-56096::ERROR::2012-01-11 11:40:22,659::vm::550::vm.Vm::(_startUnderlyingVm) vmId=`64240c1f-5b16-4a70-8976-e4dfe9ac9a4c`::The vm start process failed
Traceback (most recent call last):
  File "/usr/share/vdsm/vm.py", line 516, in _startUnderlyingVm
    self._run()
  File "/usr/share/vdsm/libvirtvm.py", line 1158, in _run
    self._connection.createXML(domxml, flags),
  File "/usr/share/vdsm/libvirtconnection.py", line 79, in wrapper
    ret = f(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 2100, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirtError: internal error process exited while connecting to monitor: do_spice_init: starting 0.10.0
reds_init_ssl: Could not load certificates from /etc/pki/libvirt-spice/server-cert.pem

Thread-56096::DEBUG::2012-01-11 11:40:22,667::vm::880::vm.Vm::(setDownStatus) vmId=`64240c1f-5b16-4a70-8976-e4dfe9ac9a4c`::Changed state to Down: internal error process exited while connecting to monitor: do_spice_init: starting 0.10.0
reds_init_ssl: Could not load certificates from /etc/pki/libvirt-spice/server-cert.pem

Dummy-2581::DEBUG::2012-01-11 11:40:22,698::storage_mailbox::637::Storage.Misc.excCmd::(_checkForMail) 'dd if=/rhev/data-center/cf37f4dd-3c33-4594-a561-9824cfc7bc11/mastersd/dom_md/inbox iflag=direct,fullblock count=1 bs=1024000' (cwd None)
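
Added example, not part of the original report or of vdsm's code: a Python check for the condition described above, where qemu.conf enables spice_tls but the certificate directory in effect does not hold the files libvirt will load. The function names and sample configs are constructed for illustration; the default directory is the one in the error message, and the three file names are assumed from libvirt's qemu.conf documentation.

```python
import os
import re

# Directory libvirt uses when spice_tls_x509_cert_dir is unset (path from the error above).
DEFAULT_SPICE_CERT_DIR = "/etc/pki/libvirt-spice"
# server-cert.pem appears in the error; the other names follow libvirt's qemu.conf docs.
REQUIRED_FILES = ("ca-cert.pem", "server-cert.pem", "server-key.pem")

# key = "quoted value" or key = bare_value, with an optional trailing "# comment".
_SETTING = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|([^#\s]+))')

# Constructed samples: the state reported in this bug, and the state the report expects.
BROKEN_CONF = 'spice_tls=1 # by vdsm\n'
FIXED_CONF = ('spice_tls=1 # by vdsm\n'
              'spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice" # by vdsm\n')


def parse_qemu_conf(text):
    """Return active settings; commented-out lines are ignored, later lines win."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings


def check_spice_tls(conf_text, exists=os.path.isfile):
    """List the problems that would make a SPICE VM fail at certificate load."""
    conf = parse_qemu_conf(conf_text)
    if conf.get("spice_tls", "0") != "1":
        return []  # TLS is off, so no certificates are loaded
    problems = []
    if "spice_tls_x509_cert_dir" not in conf:
        problems.append("spice_tls=1 but spice_tls_x509_cert_dir is unset, "
                        "default " + DEFAULT_SPICE_CERT_DIR + " applies")
    cert_dir = conf.get("spice_tls_x509_cert_dir", DEFAULT_SPICE_CERT_DIR)
    for name in REQUIRED_FILES:
        path = os.path.join(cert_dir, name)
        if not exists(path):
            problems.append("missing " + path)
    return problems


if __name__ == "__main__":
    with open("/etc/libvirt/qemu.conf") as conf_file:
        for problem in check_spice_tls(conf_file.read()):
            print(problem)
```

An empty result means either TLS is disabled or every required file is present in the directory libvirt will actually use.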

Comment 1 Moran Goldboim 2012-01-12 10:59:38 UTC
Since there is a workaround for this particular scenario, lowering severity to high. Danken, do you think of any other scenarios where this issue may pop up?

Comment 2 Federico Simoncelli 2012-01-30 15:11:22 UTC
BZ#773371 Generate the VDSM certificates

VDSM is installed with ssl enabled by default, such configuration
requires the certificates to be generated when they're missing.

Change-Id: I68225e8cd58f6aecc487f570627d76bfe7060b22

http://gerrit.ovirt.org/#change,1012

Comment 3 Dan Kenigsberg 2012-01-30 15:42:47 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
if vdsm is started before it has its keys configured, it configures itself to avoid ssl keys - even if vdsm is later installed properly with its keys and certificates.

To reconfigure vdsm run
/lib/systemd/systemd-vdsmd reconfigure

Comment 4 Federico Simoncelli 2012-06-22 10:59:32 UTC
In the ovirt-3.1 branch as: b94937438f4c3a531e4f50e7209e69c5fba6f182

Comment 5 Itamar Heim 2012-08-09 08:05:25 UTC
closing ON_QA bugs as oVirt 3.1 was released:
http://www.ovirt.org/get-ovirt/
