----- Original Message -----
From: "Jeff Bailey" <bailey(a)cs.kent.edu>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Sunday, December 16, 2012 2:51:21 AM
Subject: Re: [Users] migration & missing cert - 3.2 alpha
On 12/15/2012 5:47 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jeff Bailey" <bailey(a)cs.kent.edu>
>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Cc: users(a)ovirt.org
>> Sent: Sunday, December 16, 2012 12:39:48 AM
>> Subject: Re: [Users] migration & missing cert - 3.2 alpha
>>
>>
>> On 12/15/2012 1:49 PM, Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Jeff Bailey" <bailey(a)cs.kent.edu>
>>>> To: users(a)ovirt.org
>>>> Sent: Saturday, December 15, 2012 6:28:20 PM
>>>> Subject: [Users] migration & missing cert - 3.2 alpha
>>>>
>>>> Hi,
>>>>
>>>> I have an F18 Beta + oVirt 3.2 alpha setup with two hosts. When I try
>>>> to migrate from one host to the other I get
>>>>
>>>> 2012-12-15 15:18:51.381+0000: 1541: error : virNetTLSContextCheckCertFile:113 : Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
>>>>
>>>> in libvirtd.log on the source host. Is that actually where the cert
>>>> should be and I should try to track down why it's not there or should
>>>> it be somewhere else? If it should be somewhere else where would that
>>>> be configured? The default location for the client certificates seems
>>>> to be /etc/pki/libvirt which doesn't exist so even with a cacert it
>>>> still probably wouldn't work. Could this be related to the missing
>>>> spice certificates (I manually made the symbolic links for those)?
>>>>
>>>> Thanks,
>>>> Jeff
>>> This is interesting...
>>>
>>> What do you have in both machines at /etc/libvirt/libvirtd.conf in
>>> ca_file, cert_file, key_file?
>> In /etc/libvirt/libvirtd.conf on both hosts:
>>
>> ca_file="/etc/pki/vdsm/certs/cacert.pem"
>> cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
>> key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
>>
>> It looks like it pulled libvirt-0.10.2.2-1.fc18.x86_64 from the F18
>> updates-testing repository. Maybe that's the problem. I'll try to
>> install a clean F18 beta with the updates-testing repo disabled.
> OK... although it seems like libvirtd somehow ignores its own
> settings :)
Yes, it seems that way. I don't know exactly when these certificates
are used. Is it just for libvirt to libvirt communication like when
doing a migration? Does vdsm communicate locally without using TLS?
I'm just wondering if it's something special about migration that's not
using the right certificate path or is libvirt using the wrong path for
everything and the only thing it affects is migration. Anyway, a clean
F18 install with libvirt-0.10.2.1-3.fc18.x86_64 behaves the same way.

OK, for now you can copy the certificates manually.
I will check libvirt sources.
>>> As far as I have seen, these variables are set to /etc/pki/vdsm/*; I
>>> did not duplicate these files to libvirtd.
>>>
>>> I would like to understand why the default libvirt settings are in
>>> effect.
>>>
>>> Regards,
>>> Alon
>>
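
A check of the paths discussed in this thread, as an added example that is not part of any poster's message or of the oVirt or libvirt code: it reads ca_file, cert_file and key_file from libvirtd.conf and tests those files together with the two default locations named above. The function names and the ROOT prefix argument are assumptions, and the sample tree is constructed.

```shell
# Added example; function names and the ROOT prefix are assumptions.

# conf_value FILE KEY: print the quoted value of an uncommented KEY="..." line.
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# report LABEL PATH: print OK/MISSING and count missing paths.
report() {
    if [ -e "$2" ]; then
        echo "OK      $1: $2"
    else
        echo "MISSING $1: $2"
        missing=$((missing + 1))
    fi
}

# check_tls_paths ROOT: exit status is the number of missing paths.
check_tls_paths() {
    root=$1
    missing=0
    for key in ca_file cert_file key_file; do
        path=$(conf_value "$root/etc/libvirt/libvirtd.conf" "$key")
        if [ -n "$path" ]; then
            report "libvirtd.conf $key" "$root$path"
        else
            echo "UNSET   libvirtd.conf $key"
        fi
    done
    report "default CA path from the log" "$root/etc/pki/CA/cacert.pem"
    report "default client cert directory" "$root/etc/pki/libvirt"
    return "$missing"
}

# make_sample_tree: constructed tree mirroring the state described in the thread.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/libvirt" "$t/etc/pki/vdsm/certs" "$t/etc/pki/vdsm/keys"
    printf '%s\n' 'ca_file="/etc/pki/vdsm/certs/cacert.pem"' \
        'cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"' \
        'key_file="/etc/pki/vdsm/keys/vdsmkey.pem"' > "$t/etc/libvirt/libvirtd.conf"
    touch "$t/etc/pki/vdsm/certs/cacert.pem" "$t/etc/pki/vdsm/certs/vdsmcert.pem" \
        "$t/etc/pki/vdsm/keys/vdsmkey.pem"
    echo "$t"
}

# Demo on the constructed tree; on a real host run: check_tls_paths ""
demo=$(make_sample_tree); check_tls_paths "$demo" || true; rm -rf "$demo"
```

On the constructed tree the three configured files report OK while both default locations report MISSING, which matches the symptom in the log line quoted above.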