Red Hat Bugzilla – Bug 858311
Nova compute fails to connect to libvirtd on startup
Last modified: 2012-09-26 20:18:55 EDT
nova-compute fails to start up, with the following error in the compute.log:
Sep 18 13:52:29 f17 nova-compute: rv = execute(f,*args,**kwargs)
Sep 18 13:52:29 f17 nova-compute: File "/usr/lib/python2.7/site-packages/eventlet/tpool.py", line 76, in tworker
Sep 18 13:52:29 f17 nova-compute: rv = meth(*args,**kwargs)
Sep 18 13:52:29 f17 nova-compute: File "/usr/lib/python2.7/site-packages/nova/virt/libvirt/driver.py", line 382,...onnect
Sep 18 13:52:29 f17 nova-compute: return libvirt.openAuth(uri, auth, 0)
Sep 18 13:52:29 f17 nova-compute: File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth
Sep 18 13:52:29 f17 nova-compute: if ret is None:raise libvirtError('virConnectOpenAuth() failed')
Sep 18 13:52:29 f17 nova-compute: libvirtError: authentication failed: Authorization requires authentication but...lable.
Sep 18 13:52:29 f17 nova-compute: 2012-09-18 13:52:29 CRITICAL nova [-] authentication failed: Authorization req...lable.
Sep 18 13:52:29 f17 nova-compute: authentication failed: Authorization requires authentication but no agent is available.
Disabling libvirtd authentication allows nova-compute to connect.
Here is a related recent commit. The commit message includes information about how to set up libvirt auth with nova. It may be a matter of updating our instructions with this:
Author: Daniel P. Berrange <firstname.lastname@example.org>
Date: Mon Sep 10 14:42:33 2012 +0100
Fix auth parameter passed to libvirt openAuth() method
The 'auth' parameter for the libvirt 'openAuth' method
should be a list of 3 values, a list of credential types,
a function callback and an opaque data value. For unknown
reasons the libvirt driver is passing the string 'root'
instead of the function callback.
This causes any attempt to invoke the callback to fail
with a python exception, which gets swallowed since it
is called asynchronously from libvirt. The upshot of
this is that it is not possible to connect Nova to a
libvirt instance that requires authentication.
Although Nova has no way to provide custom credentials
to libvirt, it is possible to rely on libvirt's client
auth file to provide credentials. All that is required
is for the auth callback to return '0' if no credentials
were asked for.
Fixing the Nova params for openAuth() thus enables use of
SASL or Kerberos auth+encryption with Nova, e.g. for SASL:
# augtool -s set /files/etc/libvirt/libvirtd.conf/auth_unix_rw sasl
Saved 1 file(s)
# saslpasswd -a libvirt nova
Again (for verification): XYZ
# su - nova -s /bin/sh
$ mkdir -p $HOME/.config/libvirt
$ cat > $HOME/.config/libvirt <<EOF
Finally just restart libvirtd and nova compute services
Signed-off-by: Daniel P. Berrange <email@example.com>
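The auth list described in the commit message above, as an added example that is not part of the original bug comments and is not Nova's or libvirt's own code. It does not import libvirt: `check_auth` and `invoke_like_libvirt` are hypothetical helpers, the latter standing in for libvirt invoking the callback and swallowing any exception it raises.

```python
# Values from libvirt's virConnectCredentialType enum.
VIR_CRED_AUTHNAME = 2
VIR_CRED_PASSPHRASE = 5
VIR_CRED_EXTERNAL = 9


def connect_auth_cb(creds, opaque):
    """Succeed (return 0) only when no credentials were asked for."""
    if len(creds) == 0:
        return 0
    raise RuntimeError("cannot answer %d credential request(s)" % len(creds))


def build_auth(callback):
    """Return [credential types, callback, opaque data] for openAuth()."""
    types = [VIR_CRED_AUTHNAME, VIR_CRED_PASSPHRASE, VIR_CRED_EXTERNAL]
    return [types, callback, None]


def check_auth(auth):
    """Pre-flight check: return an error string, or None if well-formed."""
    if not (isinstance(auth, (list, tuple)) and len(auth) == 3):
        return "auth must be [cred_types, callback, opaque]"
    if not callable(auth[1]):
        return "auth[1] is %r, not a callable" % (auth[1],)
    return None


def invoke_like_libvirt(auth, requested):
    """Hypothetical stand-in for libvirt invoking auth[1].

    Exceptions are swallowed and surface only as a failed authentication,
    the behaviour the commit message describes.
    """
    _types, callback, opaque = auth
    try:
        return "ok" if callback(requested, opaque) == 0 else "auth failed"
    except Exception:
        return "auth failed"


if __name__ == "__main__":
    # "root" is the string the commit message says was passed by mistake.
    for name, cb in (("broken", "root"), ("fixed", connect_auth_cb)):
        auth = build_auth(cb)
        print(name, "| check:", check_auth(auth),
              "| no creds requested:", invoke_like_libvirt(auth, []))
```

Running a check like `check_auth` before the connection attempt turns the silently swallowed exception into an explicit error at the call site.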
Actually those instructions are only relevant if using SASL for auth. If using policykit, which is the default for Fedora + libvirt, then it should all "just work" without special setup. Nova provides the following polkit rules
Note I didn't notice this error in a Fedora 17 VM last night, but I am seeing it with Fedora 18 bare metal today.
Oh yay, Polkit dropped support for the .pkla file format in F18 and requires a new .rules format instead :-(
Right, I just found this:
Created attachment 614155
patch from Federico Simoncelli
Note the attached file works but not immediately.
I need to investigate what triggers the new policy to be loaded
(polkit restart, libvirtd restart, time, ...)
(In reply to comment #4)
> Oh yay, Polkit dropped support for the .pkla file format in F18 and requires
> a new .rules format instead :-(
To be fair, the Polkit maintainer reported this a few months ago in bug 829882; we just missed it :-(
*** This bug has been marked as a duplicate of bug 829882 ***