On 12/15/2012 5:47 PM, Alon Bar-Lev wrote:
----- Original Message -----
> From: "Jeff Bailey" <bailey(a)cs.kent.edu>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org
> Sent: Sunday, December 16, 2012 12:39:48 AM
> Subject: Re: [Users] migration & missing cert - 3.2 alpha
>
>
> On 12/15/2012 1:49 PM, Alon Bar-Lev wrote:
>> ----- Original Message -----
>>> From: "Jeff Bailey" <bailey(a)cs.kent.edu>
>>> To: users(a)ovirt.org
>>> Sent: Saturday, December 15, 2012 6:28:20 PM
>>> Subject: [Users] migration & missing cert - 3.2 alpha
>>>
>>> Hi,
>>>
>>> I have an F18 Beta + oVirt 3.2 alpha setup with two hosts. When I try
>>> to migrate from one host to the other I get
>>>
>>> 2012-12-15 15:18:51.381+0000: 1541: error : virNetTLSContextCheckCertFile:113 : Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
>>>
>>> in libvirtd.log on the source host. Is that actually where the cert
>>> should be and I should try to track down why it's not there or should it
>>> be somewhere else? If it should be somewhere else where would that be
>>> configured? The default location for the client certificates seems to
>>> be /etc/pki/libvirt which doesn't exist so even with a cacert it still
>>> probably wouldn't work. Could this be related to the missing spice
>>> certificates (I manually made the symbolic links for those)?
>>>
>>> Thanks,
>>> Jeff
>> This is interesting...
>>
>> What do you have in both machines at /etc/libvirt/libvirtd.conf in
>> ca_file, cert_file, key_file?
> In /etc/libvirt/libvirtd.conf on both hosts:
>
> ca_file="/etc/pki/vdsm/certs/cacert.pem"
> cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
> key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
>
> It looks like it pulled libvirt-0.10.2.2-1.fc18.x86_64 from the F18
> updates-testing repository. Maybe that's the problem. I'll try to
> install a clean F18 beta with the updates-testing repo disabled.
OK... although it seems like libvirtd somehow ignores its own settings :)

Yes, it seems that way. I don't know exactly when these certificates
are used. Is it just for libvirt to libvirt communication like when
doing a migration? Does vdsm communicate locally without using TLS?
I'm just wondering if it's something special about migration that's not
using the right certificate path or is libvirt using the wrong path for
everything and the only thing it affects is migration. Anyway, a clean
F18 install with libvirt-0.10.2.1-3.fc18.x86_64 behaves the same way.
>> As far as I have seen these variables set to /etc/pki/vdsm/*, I did
>> not duplicate these files to libvirtd.
>>
>> I would like to understand why the default libvirt settings are in
>> effect.
>>
>> Regards,
>> Alon
>
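
Added example, not part of the original thread: a shell check for the question asked above, namely what ca_file, cert_file and key_file are set to in libvirtd.conf, whether those files exist, and whether the path in a "Cannot read CA certificate" log line is the configured one. The function names and the optional root prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the value of KEY from a libvirtd.conf-style file (KEY = "value").
# Commented-out lines are ignored; if KEY is set twice, the last one is printed.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# For ca_file, cert_file and key_file print "<key> <path> <status>",
# where status is present or missing, or "<key> - unset" if not configured.
# $1: config file (default /etc/libvirt/libvirtd.conf)
# $2: optional root prefix, so the check can run against a copied tree
check_libvirt_tls() {
    conf=${1:-/etc/libvirt/libvirtd.conf}
    root=${2:-}
    for key in ca_file cert_file key_file; do
        path=$(conf_value "$key" "$conf")
        if [ -z "$path" ]; then
            echo "$key - unset"
        elif [ -r "$root$path" ]; then
            echo "$key $path present"
        else
            echo "$key $path missing"
        fi
    done
}

# Read a libvirtd log on stdin and print the path from the most recent
# "Cannot read CA certificate '<path>'" error.
logged_ca_path() {
    sed -n "s/.*Cannot read CA certificate '\([^']*\)'.*/\1/p" | tail -n 1
}

# Succeeds only if the CA path libvirtd complained about in log $1
# is the ca_file configured in $2.
ca_path_matches_conf() {
    [ "$(logged_ca_path < "$1")" = "$(conf_value ca_file "$2")" ]
}
```

Run `check_libvirt_tls` on each host, then `ca_path_matches_conf /path/to/libvirtd.log /etc/libvirt/libvirtd.conf`; a non-zero exit means the error names a path other than the configured ca_file.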