Bug 858311 - Nova compute fails to connect to libvirtd on startup
Status: CLOSED DUPLICATE of bug 829882
Product: Fedora
Classification: Fedora
Component: openstack-nova
Version: 18
Hardware: Unspecified
OS: Unspecified
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-18 15:43 UTC by Derek Higgins
Modified: 2012-09-27 00:18 UTC (History)
Doc Type: Bug Fix
Last Closed: 2012-09-27 00:18:55 UTC
Type: Bug

Attachments (Terms of Use)
patch from Federico Simoncelli (2.62 KB, patch)
2012-09-18 23:21 UTC, Alan Pevec

Description Derek Higgins 2012-09-18 15:43:58 UTC
F18 alpha
openstack-nova-compute-2012.2-0.7.f3.fc18.noarch

nova-compute fails to start up, with the following error in the compute.log


Sep 18 13:52:29 f17 nova-compute[7676]: rv = execute(f,*args,**kwargs)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib/python2.7/site-packages/eventlet/tpool.py", line 76, in tworker
Sep 18 13:52:29 f17 nova-compute[7676]: rv = meth(*args,**kwargs)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib/python2.7/site-packages/nova/virt/libvirt/driver.py", line 382,...onnect
Sep 18 13:52:29 f17 nova-compute[7676]: return libvirt.openAuth(uri, auth, 0)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
Sep 18 13:52:29 f17 nova-compute[7676]: if ret is None:raise libvirtError('virConnectOpenAuth() failed')
Sep 18 13:52:29 f17 nova-compute[7676]: libvirtError: authentication failed: Authorization requires authentication but...lable.
Sep 18 13:52:29 f17 nova-compute[7676]: 2012-09-18 13:52:29 CRITICAL nova [-] authentication failed: Authorization req...lable.
Sep 18 13:52:29 f17 nova-compute[7676]: authentication failed: Authorization requires authentication but no agent is available.

Disabling libvirtd authentication allows nova-compute to connect.

Comment 1 Russell Bryant 2012-09-18 15:56:33 UTC
Here is a related recent commit.  The commit message includes information about how to set up libvirt auth with nova.  It may be a matter of updating our instructions with this:


commit 5f9ae51f2f23be8cddcaa21a2798b13530083cde
Author: Daniel P. Berrange <berrange>
Date:   Mon Sep 10 14:42:33 2012 +0100

    Fix auth parameter passed to libvirt openAuth() method
    
    The 'auth' parameter for the libvirt 'openAuth' method
    should be a list of 3 values, a list of credential types,
    a function callback and an opaque data value. For unknown
    reasons the libvirt driver is passing the string 'root'
    instead of the function callback.
    
    This causes any attempt to invoke the callback to fail
    with a python exception, which gets swallowed since it
    is called asynchronously from libvirt. The upshot of
    this is that it is not possible to connect Nova to a
    libvirt instance that requires authentication.
    
    Although Nova has no way to provide custom credentials
    to libvirt, it is possible to rely on libvirt's client
    auth file to provide credentials. All that is required
    is for the auth callback to return '0' if no credentials
    were asked for.
    
    Fixing the Nova params for openAuth() thus enables use of
    SASL or Kerberos auth+encryption with Nova eg for SASL
    
     # augtool -s set /files/etc/libvirt/libvirtd.conf/auth_unix_rw sasl
     Saved 1 file(s)
    
     # saslpasswd -a libvirt nova
     Password: XYZ
     Again (for verification): XYZ
    
     # su - nova -s /bin/sh
     $ mkdir -p $HOME/.config/libvirt
     $ cat > $HOME/.config/libvirt/auth.conf <<EOF
     [credentials-nova]
     authname=nova
     password=XYZ
    
     [auth-libvirt-localhost]
     credentials=nova
     EOF
    
    Finally just restart libvirtd and nova compute services
    
    Change-Id: I011b406e54728a01eb90a7851ae2b1f536674197
    Signed-off-by: Daniel P. Berrange <berrange>

Comment 2 Daniel Berrangé 2012-09-18 16:19:29 UTC
Actually those instructions are only relevant if using SASL for auth. If using policykit, which is the default for Fedora + libvirt, then it should all "just work" without special setup. Nova provides the following polkit rules

/etc/polkit-1/localauthority/50-local.d/50-nova.pkla

Comment 3 Pádraig Brady 2012-09-18 16:36:37 UTC
Note I didn't notice this error in a Fedora 17 VM last night, but I am seeing it with Fedora 18 bare metal today.

Comment 4 Daniel Berrangé 2012-09-18 16:43:41 UTC
Oh yay, Polkit dropped support for the .pkla file format in F18 and requires a new .rules format instead :-(

http://davidz25.blogspot.co.uk/2012/06/authorization-rules-in-polkit.html
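Added example, not part of the bug report or the attached patch: a polkit `.rules` equivalent of a `.pkla` grant for Nova, scoped to one action and one account so libvirtd authentication can stay enabled. The `.pkla` contents, the rules file name and the small `polkit` stand-in used to exercise the rule under Node are assumptions; the page names `50-nova.pkla` but does not show it.

```javascript
// Old format, no longer read by polkit in F18 (assumed contents of
// /etc/polkit-1/localauthority/50-local.d/50-nova.pkla):
//   [Allow nova libvirt management permissions]
//   Identity=unix-user:nova
//   Action=org.libvirt.unix.manage
//   ResultAny=yes
//   ResultInactive=yes
//   ResultActive=yes

// Harness only: stand-in for the `polkit` global that polkitd provides to
// .rules files, constructed so the rule below can be run outside polkitd.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// New format: body of a rules file (assumed name
// /etc/polkit-1/rules.d/50-nova.rules). It grants only libvirt's read-write
// management action, and only to the local "nova" service account.
polkit.addRule(function (action, subject) {
  if (action.id === "org.libvirt.unix.manage" && subject.user === "nova") {
    return polkit.Result.YES;
  }
  // No return value: polkit continues to later rules and then to the
  // action's default policy, so nothing else is widened by this file.
});

// Harness only: run the registered rules in order; first decision wins.
function evaluate(actionId, user) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, { user: user });
    if (result !== undefined && result !== null) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed checks: the service account, another local user, another action.
const checks = [
  ["org.libvirt.unix.manage", "nova"],
  ["org.libvirt.unix.manage", "apache"],
  ["org.freedesktop.systemd1.manage-units", "nova"],
];
for (const [actionId, user] of checks) {
  console.log(actionId, user, "->", evaluate(actionId, user));
}
```

Only the `polkit.addRule(...)` call belongs in the rules file; the stand-in object and `evaluate` exist solely to check the rule's scope offline.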

Comment 5 Mark McLoughlin 2012-09-18 16:45:30 UTC
Right, I just found this:

http://cgit.freedesktop.org/polkit/commit/?id=0f830c76

Comment 6 Alan Pevec 2012-09-18 23:21:08 UTC
Created attachment 614155
patch from Federico Simoncelli

Comment 7 Pádraig Brady 2012-09-25 13:34:24 UTC
Note the attached file works but not immediately.
I need to investigate what triggers the new policy to be loaded
(polkit restart, libvirtd restart, time, ...)

Comment 9 Alan Pevec 2012-09-27 00:18:10 UTC
(In reply to comment #4)
> Oh yay, Polkit dropped support for the .pkla file format in F18 and requires
> a new .rules format instead :-(

To be fair, the Polkit maintainer reported this a few months ago in bug 829882, we just missed it :-(

Comment 10 Alan Pevec 2012-09-27 00:18:55 UTC

*** This bug has been marked as a duplicate of bug 829882 ***

