[Users] Ovirt Node - tls VM Migration Fails

Hi

I'm using ovirt node with the latest ovirt-node-iso-2.3.0-1.0.fc16.iso, and having a problem with live migration.

After fresh install of node

/etc/libvirt/libvirtd.conf

    listen_tls = 0
    listen_tcp = 1
    # tcp and tls ports are defaults
    # tls_port = "16514"
    #tcp_port = "16509"

    [root@ovirt-h-6 ~]# netstat -ant |grep -E "16514|16509"
    tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN

iptables is set to accept ALL

When migration is attempted - it then tries and fails to use tls

    2012-03-28 18:33:15.566+0000: 1622: error : doPeer2PeerMigrate:2129 : operation failed: Failed to connect to remote libvirt URI qemu+tls://192.168.192.230/system

- manually configuring a registered/running node with listen_tls = 1, migration will then succeed
- editing the live-cd and setting "listen_tls=1", a fresh install then has some problems: libvirtd fails to start on install due to a certificate error (which I am guessing is installed as part of the node registration process with the engine)

    "Cannot read CA Certifcate /etc/pki/CA/cacert.pem"

This also causes the setting of hostname/network details to fail during the automated installation; so this seems the wrong way to go

I'm not sure if the problem here is that live migration shouldn't be using tls, or that the node registration process should set "listen_tls=1" but isn't

Any assistance appreciated

Cheers, Dave

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

On 29/03/12 17:23, David Elliott wrote:
> Hi
>
> I'm using ovirt node with the latest ovirt-node-iso-2.3.0-1.0.fc16.iso, and having a problem with live migration.
>
> After fresh install of node
>
> /etc/libvirt/libvirtd.conf
>
>     listen_tls = 0
>     listen_tcp = 1
>     # tcp and tls ports are defaults
>     # tls_port = "16514"
>     #tcp_port = "16509"
>
>     [root@ovirt-h-6 ~]# netstat -ant |grep -E "16514|16509"
>     tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN
>
> iptables is set to accept ALL
>
> When migration is attempted - it then tries and fails to use tls
>
>     2012-03-28 18:33:15.566+0000: 1622: error : doPeer2PeerMigrate:2129 : operation failed: Failed to connect to remote libvirt URI qemu+tls://192.168.192.230/system
>
> - manually configuring a registered/running node with listen_tls = 1, migration will then succeed
> - editing the live-cd and setting "listen_tls=1", a fresh install then has some problems: libvirtd fails to start on install due to a certificate error (which I am guessing is installed as part of the node registration process with the engine)
>
>     "Cannot read CA Certifcate /etc/pki/CA/cacert.pem"
>
> This also causes the setting of hostname/network details to fail during the automated installation; so this seems the wrong way to go
>
> I'm not sure if the problem here is that live migration shouldn't be using tls, or that the node registration process should set "listen_tls=1" but isn't
>
> Any assistance appreciated
>
> Cheers, Dave

Let's just verify first what libvirt is saying.
Can you please post the output of:

    ls -l /etc/pki/CA/

Also, AFAIR, it should be using /etc/pki/vdsm/certs/cacert.pem
Can you take a look in the relevant config files (vdsm mostly) and see how it's defined?
Did you happen to manually change it?

Thanks for the quick reply

Aside from the manual listen_tls change...

- hardcoded root/admin password inside the live-iso image
- set a dynamic uuid to be generated for libvirtd.conf (our hardware reports the same across boxes using dmidecode otherwise). This executes just after ovirt-early starts in /usr/libexec/ovirt-init-functions.sh

    grep -w "^host_uuid" /etc/libvirt/libvirtd.conf || echo host_uuid = \"`uuidgen`\" >> /etc/libvirt/libvirtd.conf

- have been adding these systems using the engine webui / and entering node password - so don't connect to the server to authenticate

certificate config details below

    # ls -l /etc/pki/CA/
    -r--r--r--. 1 vdsm kvm 3412 Mar 29 08:39 cacert.pem
    drwxr-xr-x. 2 root root 40 Jan 19 16:37 certs
    drwxr-xr-x. 2 root root 40 Jan 19 16:37 crl
    drwxr-xr-x. 2 root root 40 Jan 19 16:37 newcerts
    drwx------. 2 root root 40 Jan 19 16:37 private

    # df |grep /etc/pki/vdsm/certs/cacert.pem
    /dev/mapper/HostVG-Config 7998 1298 6291 18% /etc/pki/vdsm/certs/cacert.pem

    # diff /etc/pki/vdsm/certs/cacert.pem /etc/pki/CA/cacert.pem

    # grep -v '^#' /etc/vdsm/vdsm.conf|grep "="
    ssl=true

    # grep -v '^#' /etc/vdsm-reg/vdsm-reg.conf
    [vars]
    reg_req_interval = 5
    vdsm_conf_file=/etc/vdsm/vdsm.conf
    pidfile=/var/run/vdsm-reg.pid
    logger_conf=/etc/vdsm-reg/logger.conf
    vdc_host_name=ovirt-m-1.shazamteam.com
    vdc_host_port=8443
    vdc_reg_uri=/OvirtEngineWeb/register
    upgrade_iso_file=/data/updates/ovirt-node-image.iso
    upgrade_mount_point=/var/run/vdsm/image-update
    ticket=

    # grep -v '^#' /etc/libvirt/libvirtd.conf |grep '='
    listen_tls = 1
    listen_tcp = 1
    listen_addr="0" # by vdsm
    unix_sock_group="kvm" # by vdsm
    unix_sock_rw_perms="0770" # by vdsm
    auth_unix_rw="sasl" # by vdsm
    save_image_format="lzop" # by vdsm
    log_outputs="1:file:/var/log/libvirtd.log" # by vdsm
    ca_file="/etc/pki/vdsm/certs/cacert.pem" # by vdsm
    cert_file="/etc/pki/vdsm/certs/vdsmcert.pem" # by vdsm
    key_file="/etc/pki/vdsm/keys/vdsmkey.pem" # by vdsm

    # grep -v '^#' /etc/libvirt/qemu.conf |grep -v '^#'|grep =
    vnc_listen = "0.0.0.0"
    dynamic_ownership=0 # by vdsm
    spice_tls=1 # by vdsm
    spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice" # by vdsm

Cheers, Dave

-----Original Message-----
From: Doron Fediuck [mailto:dfediuck@redhat.com]
Sent: 29 March 2012 16:51
To: David Elliott
Cc: users@ovirt.org
Subject: Re: [Users] Ovirt Node - tls VM Migration Fails

On 29/03/12 17:23, David Elliott wrote:
> Hi
>
> I'm using ovirt node with the latest ovirt-node-iso-2.3.0-1.0.fc16.iso, and having a problem with live migration.
>
> After fresh install of node
>
> /etc/libvirt/libvirtd.conf
>
>     listen_tls = 0
>     listen_tcp = 1
>     # tcp and tls ports are defaults
>     # tls_port = "16514"
>     #tcp_port = "16509"
>
>     [root@ovirt-h-6 ~]# netstat -ant |grep -E "16514|16509"
>     tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN
>
> iptables is set to accept ALL
>
> When migration is attempted - it then tries and fails to use tls
>
>     2012-03-28 18:33:15.566+0000: 1622: error : doPeer2PeerMigrate:2129 : operation failed: Failed to connect to remote libvirt URI qemu+tls://192.168.192.230/system
>
> - manually configuring a registered/running node with listen_tls = 1, migration will then succeed
> - editing the live-cd and setting "listen_tls=1", a fresh install then has some problems: libvirtd fails to start on install due to a certificate error (which I am guessing is installed as part of the node registration process with the engine)
>
>     "Cannot read CA Certifcate /etc/pki/CA/cacert.pem"
>
> This also causes the setting of hostname/network details to fail during the automated installation; so this seems the wrong way to go
>
> I'm not sure if the problem here is that live migration shouldn't be using tls, or that the node registration process should set "listen_tls=1" but isn't
>
> Any assistance appreciated
>
> Cheers, Dave

Let's just verify first what libvirt is saying.
Can you please post the output of:

    ls -l /etc/pki/CA/

Also, AFAIR, it should be using /etc/pki/vdsm/certs/cacert.pem
Can you take a look in the relevant config files (vdsm mostly) and see how it's defined?
Did you happen to manually change it?
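
The two libvirtd.conf states seen in this thread (fresh install with listen_tls = 0 and plain TCP on, and the vdsm-managed file with listen_tls = 1 and PKI files under /etc/pki/vdsm) can be checked with a short audit script. This is an added example, not code from either poster or from oVirt/vdsm; the function names, finding labels and the optional root-prefix argument are assumptions, and the fallback PKI paths are libvirt's defaults.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit libvirtd.conf listener settings.

# conf_get FILE KEY DEFAULT: value of the last uncommented "KEY = value" line,
# with quotes and trailing "# by vdsm"-style comments stripped.
conf_get() {
    local val
    val=$(sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"#]*[^\"#[:space:]])\"?.*\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# libvirt_tls_audit FILE [ROOT]: print one finding per line. ROOT (assumption:
# a hypothetical prefix, e.g. a mounted image) is prepended to PKI paths.
libvirt_tls_audit() {
    local conf="$1" root="${2:-}" tls tcp name path
    tls=$(conf_get "$conf" listen_tls 1)   # libvirt default: TLS listener on
    tcp=$(conf_get "$conf" listen_tcp 0)   # libvirt default: plain TCP off
    if [ "$tcp" = 1 ]; then
        echo "PLAINTEXT_TCP: unencrypted listener enabled (default port 16509)"
    fi
    if [ "$tls" != 1 ]; then
        echo "TLS_DISABLED: peers using qemu+tls:// cannot connect to this host"
        return 0
    fi
    # With TLS on, every PKI file must be readable; defaults are libvirt's.
    while read -r name path; do
        path=$(conf_get "$conf" "$name" "$path")
        [ -r "$root$path" ] || echo "UNREADABLE: $name=$path"
    done <<'EOF'
ca_file /etc/pki/CA/cacert.pem
cert_file /etc/pki/libvirt/servercert.pem
key_file /etc/pki/libvirt/private/serverkey.pem
EOF
}

# Constructed sample: the fresh-install settings quoted in the first message.
sample_fresh_conf() {
    printf '%s\n' 'listen_tls = 0' 'listen_tcp = 1' \
        '# tls_port = "16514"' '#tcp_port = "16509"'
}

tmp=$(mktemp)
sample_fresh_conf > "$tmp"
libvirt_tls_audit "$tmp"
rm -f "$tmp"
```

Run against the live file with `libvirt_tls_audit /etc/libvirt/libvirtd.conf`; an empty result means TLS is on, plain TCP is off and all three PKI files are readable.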
participants (2)
- David Elliott
- Doron Fediuck