[Users] Ovirt Node - tls VM Migration Fails

David Elliott david.elliott at shazamteam.com
Thu Mar 29 16:47:16 UTC 2012


Thanks for the quick reply 

Aside from the manual listen_tls change...
 
- hardcoded root/admin password inside the live-iso image

- set a dynamic uuid to be generated for libvirtd.conf (our hardware reports
the same across boxes using dmidecode otherwise)
This executes just after ovirt-early starts in
/usr/libexec/ovirt-init-functions.sh
grep -w "^host_uuid" /etc/libvirt/libvirtd.conf || echo host_uuid = \"`uuidgen`\" >> /etc/libvirt/libvirtd.conf

- I have been adding these systems using the engine web UI (and entering the node
password), so they don't connect to the server to authenticate the certificate


config details below

# ls -l /etc/pki/CA/

-r--r--r--. 1 vdsm kvm  3412 Mar 29 08:39 cacert.pem
drwxr-xr-x. 2 root root   40 Jan 19 16:37 certs
drwxr-xr-x. 2 root root   40 Jan 19 16:37 crl
drwxr-xr-x. 2 root root   40 Jan 19 16:37 newcerts
drwx------. 2 root root   40 Jan 19 16:37 private

# df |grep /etc/pki/vdsm/certs/cacert.pem
/dev/mapper/HostVG-Config                          7998     1298       6291  18% /etc/pki/vdsm/certs/cacert.pem

# diff /etc/pki/vdsm/certs/cacert.pem /etc/pki/CA/cacert.pem



# grep -v '^#' /etc/vdsm/vdsm.conf|grep "="
ssl=true


# grep -v '^#' /etc/vdsm-reg/vdsm-reg.conf
[vars]
reg_req_interval = 5
vdsm_conf_file=/etc/vdsm/vdsm.conf
pidfile=/var/run/vdsm-reg.pid
logger_conf=/etc/vdsm-reg/logger.conf
vdc_host_name=ovirt-m-1.shazamteam.com
vdc_host_port=8443
vdc_reg_uri=/OvirtEngineWeb/register
upgrade_iso_file=/data/updates/ovirt-node-image.iso
upgrade_mount_point=/var/run/vdsm/image-update
ticket=

# grep -v '^#' /etc/libvirt/libvirtd.conf |grep '='
listen_tls = 1
listen_tcp = 1
listen_addr="0" # by vdsm
unix_sock_group="kvm" # by vdsm
unix_sock_rw_perms="0770" # by vdsm
auth_unix_rw="sasl" # by vdsm
save_image_format="lzop" # by vdsm
log_outputs="1:file:/var/log/libvirtd.log" # by vdsm
ca_file="/etc/pki/vdsm/certs/cacert.pem" # by vdsm
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem" # by vdsm
key_file="/etc/pki/vdsm/keys/vdsmkey.pem" # by vdsm


# grep -v '^#' /etc/libvirt/qemu.conf |grep -v '^#'|grep =
vnc_listen = "0.0.0.0"
dynamic_ownership=0 # by vdsm
spice_tls=1 # by vdsm
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice" # by vdsm


Cheers,
Dave

-----Original Message-----
From: Doron Fediuck [mailto:dfediuck at redhat.com] 
Sent: 29 March 2012 16:51
To: David Elliott
Cc: users at ovirt.org
Subject: Re: [Users] Ovirt Node - tls VM Migration Fails

On 29/03/12 17:23, David Elliott wrote:
> Hi
> 
> I'm running ovirt node using the latest ovirt-node-iso-2.3.0-1.0.fc16.iso, and
> having a problem with live migration
> 
> After fresh install of node 
> /etc/libvirt/libvirtd.conf
> listen_tls = 0
> listen_tcp = 1
> # tcp and tls ports are defaults
> # tls_port = "16514"
> #tcp_port = "16509"
> 
> 
> [root at ovirt-h-6 ~]# netstat -ant |grep -E "16514|16509"
> tcp        0      0 0.0.0.0:16509               0.0.0.0:*                   LISTEN
> 
> iptables is set to accept ALL
> 
> When migration is attempted - it then tries and fails to use tls 
> 
> 2012-03-28 18:33:15.566+0000: 1622: error : doPeer2PeerMigrate:2129 :
> operation failed: Failed to connect to remote libvirt URI
> qemu+tls://192.168.192.230/system
> 
> - manually configuring a registered/running node with listen_tls = 1,
> migration will then succeed
> 
> - editing the live-cd and setting "listen_tls=1", a fresh install then has
> some problems
> libvirtd fails to start on install due to a certificate error (which I am
> guessing is installed as part of the node registration process with the
> engine)
> "Cannot read CA Certifcate /etc/pki/CA/cacert.pem"
> 
> This also causes the setting of hostname/network details to fail during the
> automated installation; so this seems the wrong way to go
> 
> I'm not sure if the problem here is that live migration shouldn't be using tls,
> or that the node registration process should set "listen_tls=1" but isn't
> Any assistance appreciated
> 
> Cheers,
> Dave 
> 

Let's just verify first what libvirt is saying.
Can you please post the output of:
ls -l /etc/pki/CA/

Also, AFAIR, it should be using 
/etc/pki/vdsm/certs/cacert.pem

Can you take a look in the relevant config files (vdsm mostly)
and see how it's defined? Did you happen to manually change it?
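As an added example (not part of this thread, and not vdsm or oVirt Node code), here is a small audit that does by script what Doron is asking Dave to do by hand: parse the vdsm-managed libvirtd.conf, resolve the TLS file settings, fall back to the stock libvirt default paths when a key is absent (which is why a baked-in listen_tls=1 fails with "Cannot read CA Certificate /etc/pki/CA/cacert.pem" before vdsm has written ca_file), and flag a placeholder or duplicated host_uuid. The sample config below is constructed from the values quoted in the thread; the file-existence probe is injectable so the checks run without a real node.

```python
"""Audit a libvirtd.conf for qemu+tls:// migration readiness (added example)."""
import os
import re
from typing import Callable, Dict, List

# Constructed sample, assembled from the libvirtd.conf lines quoted in the thread
SAMPLE_LIBVIRTD_CONF = """\
# vdsm-managed libvirtd.conf (constructed sample)
listen_tls = 1
listen_tcp = 1
listen_addr="0" # by vdsm
unix_sock_group="kvm" # by vdsm
auth_unix_rw="sasl" # by vdsm
log_outputs="1:file:/var/log/libvirtd.log" # by vdsm
ca_file="/etc/pki/vdsm/certs/cacert.pem" # by vdsm
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem" # by vdsm
key_file="/etc/pki/vdsm/keys/vdsmkey.pem" # by vdsm
host_uuid = "3f0c8f1e-0b2b-4c7a-9d0e-1a2b3c4d5e6f"
"""

# key = value; value is double-quoted, single-quoted, or a bare token.
# Anything after the value is ignored, so vdsm's trailing "# by vdsm" is dropped.
_LINE_RE = re.compile(
    r"""^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^#\s]+))""")

# Paths libvirt uses when the key is absent (the commented defaults in the
# stock libvirtd.conf); a node image with listen_tls=1 but no vdsm settings
# yet will look for its CA here.
DEFAULT_TLS_FILES = {
    "ca_file": "/etc/pki/CA/cacert.pem",
    "cert_file": "/etc/pki/libvirt/servercert.pem",
    "key_file": "/etc/pki/libvirt/private/serverkey.pem",
}

_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_libvirtd_conf(text: str) -> Dict[str, str]:
    """Return the scalar key/value settings of a libvirtd.conf-style file."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # list-valued settings are out of scope for this audit
        value = next(g for g in m.groups()[1:] if g is not None)
        settings[m.group(1)] = value
    return settings


def is_usable_host_uuid(uuid: str) -> bool:
    """libvirtd.conf requires a UUID whose digits are not all the same."""
    if not _UUID_RE.match(uuid):
        return False
    return len(set(uuid.replace("-", "").lower())) > 1


def audit_tls_migration(settings: Dict[str, str],
                        exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """List everything that would stop an incoming qemu+tls:// migration."""
    findings: List[str] = []
    # libvirt's own default is listen_tls = 1; the node image in the thread had 0
    if settings.get("listen_tls", "1") != "1":
        findings.append("listen_tls is 0: peer-to-peer migration over "
                        "qemu+tls:// cannot connect to this host")
    for key, default in DEFAULT_TLS_FILES.items():
        path = settings.get(key, default)
        origin = "configured" if key in settings else "libvirt default"
        if not exists(path):
            findings.append(f"{key} ({origin}) points to missing file {path}")
    uuid = settings.get("host_uuid")
    if uuid is not None and not is_usable_host_uuid(uuid):
        findings.append(f"host_uuid {uuid!r} is not a usable unique UUID")
    return findings


def duplicate_host_uuids(hosts: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host_uuid shared by more than one host to the hosts using it.

    Hosts whose firmware reports the same UUID (Dave's dmidecode case) end up
    with the same libvirt host identity, so this is the cross-host check.
    """
    by_uuid: Dict[str, List[str]] = {}
    for name, settings in sorted(hosts.items()):
        uuid = settings.get("host_uuid")
        if uuid:
            by_uuid.setdefault(uuid.lower(), []).append(name)
    return {u: names for u, names in by_uuid.items() if len(names) > 1}


if __name__ == "__main__":
    # Audit the live file on a node; falls back to the constructed sample elsewhere
    path = "/etc/libvirt/libvirtd.conf"
    text = open(path).read() if os.path.exists(path) else SAMPLE_LIBVIRTD_CONF
    for finding in audit_tls_migration(parse_libvirtd_conf(text)) or ["no findings"]:
        print(finding)
```

Run it on each node as root and compare the host_uuid values it prints across the cluster; two nodes sharing one UUID is the condition the uuidgen workaround above is meant to prevent.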


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

