Bug 856263 - Fix libvirt auth callback to allow for use of libvirt client auth config files
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 2.0 (Folsom)
Hardware: Unspecified
OS: Unspecified
Target Milestone: snapshot1
: 2.1
Assignee: Daniel Berrangé
QA Contact: Jaroslav Henner
Reported: 2012-09-11 15:03 UTC by Daniel Berrangé
Modified: 2022-07-09 07:12 UTC (History)

Fixed In Version: openstack-nova-2012.2.2-8.el6ost
Doc Type: Bug Fix
Last Closed: 2013-01-30 21:07:09 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-16544 0 None None None 2022-07-09 07:12:39 UTC
Red Hat Product Errata RHSA-2013:0208 0 normal SHIPPED_LIVE Important: openstack-nova security and bug fix update 2013-01-31 02:04:52 UTC

Description Daniel Berrangé 2012-09-11 15:03:44 UTC
Description of problem:
Due to bugs in the way Nova provides the libvirt openAuth callback, it is not possible to make use of the libvirt client authentication file. This means it is not possible to connect Nova to a libvirtd instance requiring SASL authentication. The fix is here:

  https://review.openstack.org/#/c/12706/

and can be easily backported to either Essex or Folsom as desired.

Comment 1 Yaniv Kaul 2012-09-11 15:09:47 UTC
I'm proposing it to Folsom - that by default Nova would speak to libvirt with creds.
The reason (which is copied from RHEV/oVirt's VDSM) is that people will not (ab)use virsh and confuse nova by doing manipulations 'beneath it' without its knowledge.

Of course, the above request should be filed in a different BZ (for the installer) once this one has been satisfied.

Comment 2 Daniel Berrangé 2012-09-11 16:48:58 UTC
I forgot that GIT master still refers to Folsom, so there's no backport required.

Comment 3 Jaroslav Henner 2012-12-10 14:09:44 UTC
It doesn't seem to be working. I followed the instruction in the commit message, except that I did 
saslpasswd2 -a libvirt nova

instead of 
saslpasswd -a libvirt nova

but it fails:
[root@node-02 libvirt]# rpm -q openstack-nova-compute
openstack-nova-compute-2012.2.1-2.el6ost.noarch

[root@node-02 libvirt]# grep sasl /etc/libvirt/libvirtd.conf
#  - sasl: use SASL infrastructure. The actual auth scheme is then
#          controlled from /etc/sasl2/libvirt.conf. For the TCP
auth_unix_rw = "sasl"
# mechanism in /etc/sasl2/libvirt.conf
# mechanism as well, by using 'sasl' for this option
#sasl_allowed_username_list = ["joe", "fred" ]

[root@node-02 libvirt]# cat ~nova/.config/libvirt 
[credentials-nova]
authname=nova
password=***

[auth-libvirt-localhost]
credentials=nova

[root@node-02 libvirt]# /etc/init.d/libvirtd restart
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]
[root@node-02 libvirt]# /etc/init.d/openstack-nova-compute restart
Stopping openstack-nova-compute:                           [FAILED]
Starting openstack-nova-compute:                           [  OK  ]
[root@node-02 libvirt]# 2012-12-10 14:03:11 10352 INFO nova.compute.manager [-] Loading compute driver 'libvirt.LibvirtDriver'
...
2012-12-10 14:03:11 10352 DEBUG nova.service [-] compute_manager : nova.compute.manager.ComputeManager wait /usr/lib/python2.6/site-packages/nova/service.py:188
2012-12-10 14:03:11 10352 DEBUG nova.service [-] network_topic : network wait /usr/lib/python2.6/site-packages/nova/service.py:188
2012-12-10 14:03:11 10352 AUDIT nova.service [-] Starting compute node (version 2012.2.1-LOCALBRANCH:LOCALREVISION)
2012-12-10 14:03:11 10352 DEBUG nova.virt.libvirt.driver [-] Connecting to libvirt: qemu:///system _get_connection /usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py:342
2012-12-10 14:03:11 10352 WARNING nova.virt.libvirt.driver [-] Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 CRITICAL nova [-] Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 TRACE nova Traceback (most recent call last):
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 389, in _connect_auth_cb
2012-12-10 14:03:11 10352 TRACE nova     % len(creds))
2012-12-10 14:03:11 10352 TRACE nova NovaException: Can not handle authentication request for 2 credentials
2012-12-10 14:03:11 10352 TRACE nova 
2012-12-10 14:03:11.570+0000: 10263: info : libvirt version: 0.10.2, package: 10.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2012-11-26-12:09:30, x86-022.build.eng.bos.redhat.com)
2012-12-10 14:03:11.570+0000: 10263: error : virNetSocketReadWire:1184 : End of file while reading data: Input/output error
2012-12-10 14:03:11 10352 CRITICAL nova [-] authentication failed: Failed to collect auth credentials
2012-12-10 14:03:11 10352 TRACE nova Traceback (most recent call last):
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/bin/nova-compute", line 48, in <module>
2012-12-10 14:03:11 10352 TRACE nova     service.wait()
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/service.py", line 659, in wait
2012-12-10 14:03:11 10352 TRACE nova     _launcher.wait()
...
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/compute/manager.py", line 266, in init_host
2012-12-10 14:03:11 10352 TRACE nova     self.driver.init_host(host=self.host)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 332, in init_host
2012-12-10 14:03:11 10352 TRACE nova     if not self.has_min_version(MIN_LIBVIRT_VERSION):
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 321, in has_min_version
2012-12-10 14:03:11 10352 TRACE nova     libvirt_version = self._conn.getLibVersion()
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 349, in _get_connection
2012-12-10 14:03:11 10352 TRACE nova     self._connect, self.uri, self.read_only)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/eventlet/tpool.py", line 147, in proxy_call
2012-12-10 14:03:11 10352 TRACE nova     rv = execute(f,*args,**kwargs)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/eventlet/tpool.py", line 76, in tworker
2012-12-10 14:03:11 10352 TRACE nova     rv = meth(*args,**kwargs)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib/python2.6/site-packages/nova/virt/libvirt/driver.py", line 403, in _connect
2012-12-10 14:03:11 10352 TRACE nova     return libvirt.openAuth(uri, auth, 0)
2012-12-10 14:03:11 10352 TRACE nova   File "/usr/lib64/python2.6/site-packages/libvirt.py", line 102, in openAuth
2012-12-10 14:03:11 10352 TRACE nova     if ret is None:raise libvirtError('virConnectOpenAuth() failed')
2012-12-10 14:03:11 10352 TRACE nova libvirtError: authentication failed: Failed to collect auth credentials

Comment 4 Nikola Dipanov 2012-12-13 15:48:09 UTC
This seems like the bug is still present after the fix mentioned is introduced (in Folsom).

I will re-assign to Dan to have a closer look as he was working on this already.

Comment 5 Daniel Berrangé 2013-01-15 10:34:13 UTC
You are testing this on RHEL-6, so the configuration path is different. You must use $HOME/.libvirt/auth.conf

Comment 6 Jaroslav Henner 2013-01-23 14:01:00 UTC
Worked:

...
[root@folsom-rhel6 ~]# sasldblistusers2 /etc/libvirt/passwd.db 
nova: userPassword
root: userPassword
[root@folsom-rhel6 ~]# cat ~nova/.libvirt/auth.conf 
[credentials-nova]
authname=nova
password=verybadpass

[auth-libvirt-localhost]
credentials=nova

[root@folsom-rhel6 ~]# /etc/init.d/openstack-nova-compute restart
Stopping openstack-nova-compute:                           [  OK  ]
Starting openstack-nova-compute:                           [  OK  ]

[root@folsom-rhel6 ~]# virsh list
Please enter your authentication name: root
Please enter your password: 
 Id    Name                           State
----------------------------------------------------

[root@folsom-rhel6 ~]#
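
An added diagnostic example (not part of the original bug report, nor code from Nova or libvirt): it parses an auth.conf in the format shown in comments 3 and 6, resolves which credentials apply to a given service and host, and flags a file whose plaintext password is readable beyond its owner. The `.config/libvirt/auth.conf` path, the host-then-service lookup order and the helper names are assumptions based on libvirt's client authentication documentation; `$HOME/.libvirt/auth.conf` is the RHEL-6 path given in comment 5.

```python
import configparser
import os
import stat

# Constructed sample in the format shown in the comments above (placeholder password).
SAMPLE_AUTH_CONF = """\
[credentials-nova]
authname=nova
password=placeholder-not-a-real-secret

[auth-libvirt-localhost]
credentials=nova
"""

def resolve_credentials(conf_text, service, hostname):
    """Return the credentials dict selected for service/hostname, or None."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    # Assumed lookup order: host-specific section, then service-wide fallback.
    section = "auth-%s-%s" % (service, hostname)
    if not cp.has_section(section):
        section = "auth-%s" % service
    if not cp.has_section(section) or not cp.has_option(section, "credentials"):
        return None
    cred_section = "credentials-" + cp.get(section, "credentials")
    return dict(cp.items(cred_section)) if cp.has_section(cred_section) else None

def candidate_paths(home):
    """Per-user auth.conf locations (hypothetical helper; paths are assumptions)."""
    return [os.path.join(home, ".config", "libvirt", "auth.conf"),
            os.path.join(home, ".libvirt", "auth.conf")]

def audit(home, service="libvirt", hostname="localhost"):
    """Return (path, finding) tuples: presence, file mode, credential resolution."""
    findings = []
    for path in candidate_paths(home):
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append((path, "plaintext password readable beyond owner (mode %o)" % mode))
        with open(path) as fh:
            creds = resolve_credentials(fh.read(), service, hostname)
        if creds is None:
            findings.append((path, "no credentials for %s on %s" % (service, hostname)))
        else:
            findings.append((path, "resolves authname=%s" % creds.get("authname")))
    return findings
```

Calling `audit(os.path.expanduser("~nova"))` as root on a compute node reports which of the two locations holds a usable file; a file saved under any other name, as in comment 3, shows up as "missing" at both.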

Comment 8 errata-xmlrpc 2013-01-30 21:07:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0208.html

