Bug 858311 - Nova compute fails to connect to libvirtd on startup
Status: CLOSED DUPLICATE of bug 829882
Product: Fedora
Classification: Fedora
Component: openstack-nova
Reported: 2012-09-18 11:43 EDT by Derek Higgins
Modified: 2012-09-26 20:18 EDT
Last Closed: 2012-09-26 20:18:55 EDT

Attachments
patch from Federico Simoncelli (2.62 KB, patch)
2012-09-18 19:21 EDT, Alan Pevec

Description Derek Higgins 2012-09-18 11:43:58 EDT
F18 alpha
openstack-nova-compute-2012.2-0.7.f3.fc18.noarch

nova-compute fails to start up, with the following error in the compute.log


Sep 18 13:52:29 f17 nova-compute[7676]: rv = execute(f,*args,**kwargs)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib/python2.7/site-packages/eventlet/tpool.py", line 76, in tworker
Sep 18 13:52:29 f17 nova-compute[7676]: rv = meth(*args,**kwargs)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib/python2.7/site-packages/nova/virt/libvirt/driver.py", line 382,...onnect
Sep 18 13:52:29 f17 nova-compute[7676]: return libvirt.openAuth(uri, auth, 0)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
Sep 18 13:52:29 f17 nova-compute[7676]: if ret is None:raise libvirtError('virConnectOpenAuth() failed')
Sep 18 13:52:29 f17 nova-compute[7676]: libvirtError: authentication failed: Authorization requires authentication but...lable.
Sep 18 13:52:29 f17 nova-compute[7676]: 2012-09-18 13:52:29 CRITICAL nova [-] authentication failed: Authorization req...lable.
Sep 18 13:52:29 f17 nova-compute[7676]: authentication failed: Authorization requires authentication but no agent is available.

Disabling libvirtd authentication allows nova-compute to connect.
Comment 1 Russell Bryant 2012-09-18 11:56:33 EDT
Here is a related recent commit.  The commit message includes information about how to set up libvirt auth with nova.  It may be a matter of updating our instructions with this:


commit 5f9ae51f2f23be8cddcaa21a2798b13530083cde
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Mon Sep 10 14:42:33 2012 +0100

    Fix auth parameter passed to libvirt openAuth() method
    
    The 'auth' parameter for the libvirt 'openAuth' method
    should be a list of 3 values, a list of credential types,
    a function callback and an opaque data value. For unknown
    reasons the libvirt driver is passing the string 'root'
    instead of the function callback.
    
    This causes any attempt to invoke the callback to fail
    with a python exception, which gets swallowed since it
    is called asynchronously from libvirt. The upshot of
    this is that it is not possible to connect Nova to a
    libvirt instance that requires authentication.
    
    Although Nova has no way to provide custom credentials
    to libvirt, it is possible to rely on libvirt's client
    auth file to provide credentials. All that is required
    is for the auth callback to return '0' if no credentials
    were asked for.
    
    Fixing the Nova params for openAuth() thus enables use of
    SASL or Kerberos auth+encryption with Nova, e.g. for SASL
    
     # augtool -s set /files/etc/libvirt/libvirtd.conf/auth_unix_rw sasl
     Saved 1 file(s)
    
     # saslpasswd -a libvirt nova
     Password: XYZ
     Again (for verification): XYZ
    
     # su - nova -s /bin/sh
     $ mkdir -p $HOME/.config/libvirt
     $ cat > $HOME/.config/libvirt/auth.conf <<EOF
     [credentials-nova]
     authname=nova
     password=XYZ
    
     [auth-libvirt-localhost]
     credentials=nova
     EOF
    
    Finally just restart libvirtd and nova compute services
    
    Change-Id: I011b406e54728a01eb90a7851ae2b1f536674197
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Comment 2 Daniel Berrange 2012-09-18 12:19:29 EDT
Actually those instructions are only relevant if using SASL for auth. If using policykit, which is the default for Fedora + libvirt, then it should all "just work" without special setup. Nova provides the following polkit rules

/etc/polkit-1/localauthority/50-local.d/50-nova.pkla
Comment 3 Pádraig Brady 2012-09-18 12:36:37 EDT
Note I didn't notice this error in a Fedora 17 VM last night, but I am seeing it with Fedora 18 bare metal today.
Comment 4 Daniel Berrange 2012-09-18 12:43:41 EDT
Oh yay, Polkit dropped support for the .pkla file format in F18 and requires a new .rules format instead :-(

http://davidz25.blogspot.co.uk/2012/06/authorization-rules-in-polkit.html
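
A rule in the newer .rules (JavaScript) format mentioned in Comment 4, given here as an added example; it is not the attached patch, whose contents this page does not show, and not Nova's packaged file. It assumes libvirt's polkit action `org.libvirt.unix.manage`, a service user named `nova`, and a hypothetical file name `50-nova.rules`; the `polkit` object and the `evaluate` helper are stand-ins so the rule can be exercised under Node.js.

```javascript
// Stand-in for the object polkitd exposes to rules files, so the rule can be
// exercised under Node.js. Constructed for this example; the result strings
// are placeholders, not polkit's internal values.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not-handled" },
  addRule(fn) { rules.push(fn); },
};

// ---- body of an assumed /etc/polkit-1/rules.d/50-nova.rules ----
polkit.addRule(function (action, subject) {
  // Grant only read-write libvirt access, and only to the nova service user.
  if (action.id === "org.libvirt.unix.manage" && subject.user === "nova") {
    return polkit.Result.YES;
  }
  // No return value: the request falls through to later rules and defaults.
});
// ---- end of rules file ----

// Mimics the documented evaluation order: rules run in the order they were
// added and the first one that returns a value decides the outcome.
function evaluate(actionId, user) {
  const action = { id: actionId };
  const subject = { user: user, isInGroup: () => false };
  for (const rule of rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== null) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed requests: the service user, another user, another action.
const checks = [
  ["org.libvirt.unix.manage", "nova"],
  ["org.libvirt.unix.manage", "alice"],
  ["org.libvirt.unix.monitor", "nova"],
];
for (const [id, user] of checks) {
  console.log(`${user} -> ${id}: ${evaluate(id, user)}`);
}
```

Only the first request is granted; the other two fall through to later rules and the action's defaults, which keeps the grant limited to the one user and the one action.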
Comment 5 Mark McLoughlin 2012-09-18 12:45:30 EDT
Right, I just found this:

http://cgit.freedesktop.org/polkit/commit/?id=0f830c76
Comment 6 Alan Pevec 2012-09-18 19:21:08 EDT
Created attachment 614155
patch from Federico Simoncelli
Comment 7 Pádraig Brady 2012-09-25 09:34:24 EDT
Note the attached file works but not immediately.
I need to investigate what triggers the new policy to be loaded
(polkit restart, libvirtd restart, time, ...)
Comment 9 Alan Pevec 2012-09-26 20:18:10 EDT
(In reply to comment #4)
> Oh yay, Polkit dropped support for the .pkla file format in F18 and requires
> a new .rules format instead :-(

To be fair, the Polkit maintainer reported this a few months ago in bug 829882; we just missed it :-(
Comment 10 Alan Pevec 2012-09-26 20:18:55 EDT

*** This bug has been marked as a duplicate of bug 829882 ***
