----- Original Message -----
From: "Sahina Bose" <sabose(a)redhat.com>
To: "Juan Hernández" <jhernand(a)redhat.com>, "Alon Bar-Lev"
<alonbl(a)redhat.com>
Cc: "users" <users(a)ovirt.org>
Sent: Tuesday, August 25, 2015 5:40:07 PM
Subject: Re: [ovirt-users] Stuck at "Enrolling serial console certificate"
On 08/21/2015 11:02 PM, Juan Hernández wrote:
> On 08/21/2015 12:22 PM, Sahina Bose wrote:
>>
>> On 08/21/2015 03:50 PM, Alon Bar-Lev wrote:
>>> Interesting.
>>>
>>> Please execute manually:
>>>
>>> # /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh
>>> --name=rhsdev9.lab.eng.blr.redhat.com-ssh --host
>>> --id=rhsdev9.lab.eng.blr.redhat.com
>>> --principals=rhsdev9.lab.eng.blr.redhat.com --days=1825
>>
>> It returns immediately with:
>> [root@dhcp43-86 ~]#
>> /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh
>> --name=rhsdev9.lab.eng.blr.redhat.com-ssh --host
>> --id=rhsdev9.lab.eng.blr.redhat.com
>> --principals=rhsdev9.lab.eng.blr.redhat.com --days=1825
>> Signed host key
>> /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh-cert.pub:
>> id "rhsdev9.lab.eng.blr.redhat.com" serial 0 for
>> rhsdev9.lab.eng.blr.redhat.com valid from 2015-08-21T02:51:27 to
>> 2020-08-19T03:51:27
>>
>>
> Check your SELinux log file. Most probably SELinux is blocking some
> access to the generated files, and then ssh-keygen is asking
> interactively, and thus blocking for ever.
Thanks, Juan. I do see some AVC denial errors, but am yet to try with
SELinux disabled. Will do so and report back.
/var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:
denied { open } for pid=11827 comm="ssh-keygen"
path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913
scontext=system_u:system_r:ssh_keygen_t:s0
tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Hmmmm.... this is bad.... ssh-keygen should run within the same context as the caller, not
switch into a different type.
Even if switching into a different type, it should permit accessing temp files.
Will try to figure out what the right solution is (if any).
Thanks, Juan!
I opened [1] for followup.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1258154
ovirt 11827 11821 0 Aug21 ? 00:00:00 ssh-keygen -s /tmp/tmp.KlPjsec4X3 -I rhsdev9.lab.eng.blr.redhat.com -h -V -1h:+1825d -n rhsdev9.lab.eng.blr.redhat.com /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh.pub
>
>>> let's see what happens.
>>>
>>> ----- Original Message -----
>>>> From: "Sahina Bose" <sabose(a)redhat.com>
>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> Cc: "users" <users(a)ovirt.org>
>>>> Sent: Friday, August 21, 2015 1:15:03 PM
>>>> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console
>>>> certificate"
>>>>
>>>>
>>>>
>>>> On 08/21/2015 02:58 PM, Alon Bar-Lev wrote:
>>>>> the only thing I can think of is that your engine is out of random, so it
>>>>> waits for more to be able to generate a new key.
>>>>> please while this is happening, execute: "find /" or anything that will
>>>>> create some activity.
>>>>> if that's not helping, please send me "ps -efa" output so at least I see
>>>>> what is running.
>>>>> thanks!
>>>> output of ps -efa
>>>>
>>>> http://fpaste.org/257513/44015204/
>>>>
>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Sahina Bose" <sabose(a)redhat.com>
>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>> Cc: "users" <users(a)ovirt.org>
>>>>>> Sent: Friday, August 21, 2015 12:23:11 PM
>>>>>> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console
>>>>>> certificate"
>>>>>>
>>>>>> Attached engine.log and host-deploy.log
>>>>>>
>>>>>>
>>>>>> On 08/21/2015 02:29 PM, Alon Bar-Lev wrote:
>>>>>>> Log would be nice.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Sahina Bose" <sabose(a)redhat.com>
>>>>>>>> To: "users" <users(a)ovirt.org>
>>>>>>>> Sent: Friday, August 21, 2015 11:27:56 AM
>>>>>>>> Subject: [ovirt-users] Stuck at "Enrolling serial console
>>>>>>>> certificate"
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> While installing a host to ovirt-3.6 engine, the host installation is
>>>>>>>> stuck at "Enrolling serial console certificate"
>>>>>>>>
>>>>>>>> I installed the engine from ovirt-release36, and answered No to setting
>>>>>>>> up WebConsole-proxy as well as VM Console proxy on the engine.
>>>>>>>>
>>>>>>>> Does anyone know how to debug this?
>>>>>>>>
>>>>>>>> thanks
>>>>>>>> sahina
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users(a)ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>>
>
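
Added example, not part of the original thread or of oVirt: a small Python parser for SELinux AVC records such as the ssh-keygen denial quoted above, which extracts the source and target types and counts denials per (command, source type, target type, class, permission). The function names and the second sample line are assumptions made for illustration; the first sample line is the record from the thread joined onto one line.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the denial quoted in the thread (grep prefix
# kept, wrapped lines joined); line 2 is a made-up non-AVC record for contrast.
SAMPLE_LOG = (
    '/var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:  '
    'denied  { open } for  pid=11827 comm="ssh-keygen" '
    'path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 '
    'scontext=system_u:system_r:ssh_keygen_t:s0 '
    'tcontext=system_u:object_r:init_tmp_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1440108177.899:9542): arch=c000003e syscall=2\n'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)  # search, not match: tolerates a grep filename prefix
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    # A context is user:role:type:level; the type is always the third part,
    # even when the level itself contains ':' (MLS ranges/categories).
    for key, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = fields.get(key, "").split(":")
        fields[out] = parts[2] if len(parts) > 2 else None
    return fields

def summarize_denials(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec.get("comm"), rec["source_type"],
                        rec["target_type"], rec.get("tclass"), perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(n, key)
```
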