F18 alpha
openstack-nova-compute-2012.2-0.7.f3.fc18.noarch

nova-compute fails to start up, with the following error in the compute.log:

Sep 18 13:52:29 f17 nova-compute[7676]: rv = execute(f,*args,**kwargs)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib/python2.7/site-packages/eventlet/tpool.py", line 76, in tworker
Sep 18 13:52:29 f17 nova-compute[7676]: rv = meth(*args,**kwargs)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib/python2.7/site-packages/nova/virt/libvirt/driver.py", line 382,...onnect
Sep 18 13:52:29 f17 nova-compute[7676]: return libvirt.openAuth(uri, auth, 0)
Sep 18 13:52:29 f17 nova-compute[7676]: File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
Sep 18 13:52:29 f17 nova-compute[7676]: if ret is None:raise libvirtError('virConnectOpenAuth() failed')
Sep 18 13:52:29 f17 nova-compute[7676]: libvirtError: authentication failed: Authorization requires authentication but...lable.
Sep 18 13:52:29 f17 nova-compute[7676]: 2012-09-18 13:52:29 CRITICAL nova [-] authentication failed: Authorization req...lable.
Sep 18 13:52:29 f17 nova-compute[7676]: authentication failed: Authorization requires authentication but no agent is available.

Disabling libvirtd authentication allows nova-compute to connect.
Here is a related recent commit. The commit message includes information about how to set up libvirt auth with nova. It may be a matter of updating our instructions with this:

commit 5f9ae51f2f23be8cddcaa21a2798b13530083cde
Author: Daniel P. Berrange <berrange>
Date:   Mon Sep 10 14:42:33 2012 +0100

    Fix auth parameter passed to libvirt openAuth() method

    The 'auth' parameter for the libvirt 'openAuth' method should be a list of 3 values, a list of credential types, a function callback and an opaque data value. For unknown reasons the libvirt driver is passing the string 'root' instead of the function callback. This causes any attempt to invoke the callback to fail with a python exception, which gets swallowed since it is called asynchronously from libvirt.

    The upshot of this is that it is not possible to connect Nova to a libvirt instance that requires authentication. Although Nova has no way to provide custom credentials to libvirt, it is possible to rely on libvirt's client auth file to provide credentials. All that is required is for the auth callback to return '0' if no credentials were asked for.

    Fixing the Nova params for openAuth() thus enables use of SASL or Kerberos auth+encryption with Nova

    eg for SASL

      # augtool -s set /files/etc/libvirt/libvirtd.conf/auth_unix_rw sasl
      Saved 1 file(s)

      # saslpasswd -a libvirt nova
      Password: XYZ
      Again (for verification): XYZ

      # su - nova -s /bin/sh
      $ mkdir -p $HOME/.config/libvirt
      $ cat > $HOME/.config/libvirt <<EOF
      [credentials-nova]
      authname=nova
      password=XYZ

      [auth-libvirt-localhost]
      credentials=nova
      EOF

    Finally just restart libvirtd and nova compute services

    Change-Id: I011b406e54728a01eb90a7851ae2b1f536674197
    Signed-off-by: Daniel P. Berrange <berrange>
Actually those instructions are only relevant if using SASL for auth. If using policykit, which is the default for Fedora + libvirt, then it should all "just work" without special setup. Nova provides the following polkit rules:

/etc/polkit-1/localauthority/50-local.d/50-nova.pkla
Note I didn't notice this error in a Fedora 17 VM last night, but I am seeing it with Fedora 18 bare metal today.
Oh yay, Polkit dropped support for the .pkla file format in F18 and requires a new .rules format instead :-( http://davidz25.blogspot.co.uk/2012/06/authorization-rules-in-polkit.html
Right, I just found this: http://cgit.freedesktop.org/polkit/commit/?id=0f830c76
Created attachment 614155: patch from Federico Simoncelli
Note the attached file works but not immediately. I need to investigate what triggers the new policy to be loaded (polkit restart, libvirtd restart, time, ...)
http://pkgs.fedoraproject.org/cgit/openstack-nova.git/commit/?id=6c35007725038049d0331261cee45a02dc68ca2f
(In reply to comment #4)
> Oh yay, Polkit dropped support for the .pkla file format in F18 and requires
> a new .rules format instead :-(

To be fair, the Polkit maintainer reported this a few months ago in bug 829882; we just missed it :-(
*** This bug has been marked as a duplicate of bug 829882 ***
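
Added example (not the attached patch or the file shipped in the Fedora package): one way to express a grant like the old .pkla one in the JavaScript .rules format discussed in the comments above, scoped to a single action and a single user. The `nova` user name, the `org.libvirt.unix.manage` action id and the file name `50-nova.rules` are assumptions, and the `polkit` object here is a stub so the rule can be checked offline under Node.

```javascript
// Added example; not the attachment from this bug or the packaged file.
// Assumed names: service user "nova", libvirt action "org.libvirt.unix.manage".
// Offline stand-in for the object polkitd exposes to rules files.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  addRule: (fn) => rules.push(fn),
};

// ---- contents of /etc/polkit-1/rules.d/50-nova.rules (assumed file name) ----
polkit.addRule(function (action, subject) {
  // Grant only read-write access to the libvirt socket, only to nova.
  // Returning nothing leaves every other request to later rules and defaults.
  if (action.id == "org.libvirt.unix.manage" && subject.user == "nova") {
    return polkit.Result.YES;
  }
});
// ---- end of rules file ----

// Simplified evaluation: the first rule that returns a value decides,
// otherwise the action's implicit default applies.
function evaluate(actionId, user, implicitDefault) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, { user: user });
    if (result !== undefined && result !== null) return result;
  }
  return implicitDefault;
}

// Constructed requests; "auth_admin" stands for a default that needs an
// interactive agent, which a daemon such as nova-compute does not have.
const CASES = [
  ["org.libvirt.unix.manage", "nova"],
  ["org.libvirt.unix.manage", "apache"],
  ["org.freedesktop.systemd1.manage-units", "nova"],
];
for (const [actionId, user] of CASES) {
  console.log(user, actionId, "->", evaluate(actionId, user, polkit.Result.AUTH_ADMIN));
}
```

Only the part between the two marker comments belongs in the rules file; the rest is the offline harness.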