Hide Forgot
Description of problem: When SSL connections to vdsm are disabled, ovirt-engine produces an invalid VM definition which results in VM creation failure. Instead of 'spiceSecureChannels': '', 'spiceSecureChannels': 'true' appears in the config. This causes the error: libvirtError: internal error unknown spice channel name rue This is because vdsm expects nothing or a comma-separated list, not the value 'true'. Version-Release number of selected component (if applicable): ovirt-engine-3.0.0_0001-1.2.fc16.x86_64 How reproducible: Easy to reproduce Steps to Reproduce: 1. Set up ovirt-engine and vdsm for unsecured connections. 2. In the webadmin UI, create a new VM and boot it. 3. If it starts fine the first time, power it off and back on again. Actual results: Error appears in the webadmin UI: "unknown spice channel name rue" Expected results: The VM starts without errors. Additional info: As a temporary workaround, manually changing the engine DB works around the problem. psql -U postgres engine -c "update vdc_options set option_value='' where option_name = 'SpiceSecureChannels';"
There should not be any relationship between enabling/disabling SSL between Engine and VDSM, and Spice's usage of SSL. If there is one, it's a bug by itself.
I have mixed feelings about this one: per original description 1. if user configures conflict configs - there could be consequences 2. it would be nice if engine wouldn't treat these as conflicting. per kaul comment 3. mostly, no ssl is used with InstallVds=false, which skips boot strapping, which skips certificate generation. we don't support spice encryption without certificates. Adam - were the hosts boot strapped via engine?
No. We installed these hosts ourselves according to the document posted here: http://ovirt.org/wiki/Installing_ovirt-engine_from_rpm. Even in the case of misconfiguration, ovirt-engine should not be sending vdsm a configuration that it cannot properly parse. From my reading of the vdsm code, it is simply not valid for the 'spiceSecureChannels' dictionary element to be set to 'true'. It should either be not present or a comma-separated string. I'd be curious where 'true' is even coming from.
actually, it doesn't seem to based on the code: from: ./backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/CreateVDSCommand.java: if (Config.<Boolean> GetValue(ConfigValues.SSLEnabled)) { mCreateInfo.add(VdsProperties.spiceSslCipherSuite, Config.<String> GetValue(ConfigValues.CipherSuite)); mCreateInfo.add(VdsProperties.SpiceSecureChannels, Config.<String> GetValue(ConfigValues.SpiceSecureChannels)); } so it does try to only send them when SSL is enabled. so a quick way to check would be to add: else xxx = ""; are you sure vdsm is not the one assuming true if this is not sent?
The vdsm log shows the dictionary that is passed to it by engine, and it contains 'spiceSecureChannels': 'true'. Is it possible that engine could be setting some default properties elsewhere?
(In reply to comment #5) > The vdsm log shows the dictionary that is passed to it by engine, and it > contains 'spiceSecureChannels': 'true'. Is it possible that engine could be > setting some default properties elsewhere? setting the value to true is fine, vdsm use this line: for channel in self.conf['spiceSecureChannels'].split(','): and in python when splitting a single string like 'true' to list produce a list: x = 'true'.split(',') print x >>> ['true']
Hi Adam, in your vdc_options table the value of SpiceSecureChannels suppose to be 'smain,sinputs' (version 'general'), is it 'true' in your case? also take a look at the SSLEnabled value, it suppose to be false in your version (3.1?) according to the create VM code the only reference to SpiceSecureChannels is in this snippet: // send cipher suite and spice secure channels parameters only if ssl // enabled. if (Config.<Boolean> GetValue(ConfigValues.SSLEnabled)) { createInfo.add(VdsProperties.spiceSslCipherSuite, Config.<String> GetValue(ConfigValues.CipherSuite)); createInfo.add(VdsProperties.SpiceSecureChannels, Config.<String> GetValue(ConfigValues.SpiceSecureChannels)); } which say if SSLEnable we are adding the CipherSuite and the SpiceSecureChannels. So please check you database and let me know
Here is my DB configuration. Note that I changed SpiceSecureChannels to '' as suggested by a developer on IRC to work around the problem). SSLEnabled: true SpiceSecureChannels: ''
(In reply to comment #8) > Here is my DB configuration. Note that I changed SpiceSecureChannels to '' as > suggested by a developer on IRC to work around the problem). > > SSLEnabled: true > SpiceSecureChannels: '' ok, so this is the problem the ssl is not disabled then ovirt sends the SpiceSecureChannels which is '' (and must be 'smain,sinputs' for libvirt) you can set the SSLEnabled to false or update the SpiceSecureChannels to 'smain,sinputs' (which is a good idea anyway)
Ok. So I guess the final question is how those config variables got to an invalid state. This could be due to the way we disabled SSL but I am not sure. Is there any effort underway to alleviate the need for administrators to reconfigure the engine via DB queries (perhaps an engine-admin helper program or a Firefox style about:config interface)?
(In reply to comment #10) > Ok. So I guess the final question is how those config variables got to an > invalid state. This could be due to the way we disabled SSL but I am not sure. the SpiceSecureChannels was changed by you (as suggested by a developer on IRC), the SSLEnabled is the default installation, so if you didn't change it in the install process this is a valid value. > > Is there any effort underway to alleviate the need for administrators to > reconfigure the engine via DB queries (perhaps an engine-admin helper program > or a Firefox style about:config interface)? there is a tool called: ovirt-config, the tool enable you to query the database for values and update them
Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.