[Users] migration & missing cert - 3.2 alpha

Jeff Bailey bailey at cs.kent.edu
Sun Dec 16 00:51:21 UTC 2012


On 12/15/2012 5:47 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Jeff Bailey" <bailey at cs.kent.edu>
>> To: "Alon Bar-Lev" <alonbl at redhat.com>
>> Cc: users at ovirt.org
>> Sent: Sunday, December 16, 2012 12:39:48 AM
>> Subject: Re: [Users] migration & missing cert - 3.2 alpha
>>
>>
>> On 12/15/2012 1:49 PM, Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Jeff Bailey" <bailey at cs.kent.edu>
>>>> To: users at ovirt.org
>>>> Sent: Saturday, December 15, 2012 6:28:20 PM
>>>> Subject: [Users] migration & missing cert - 3.2 alpha
>>>>
>>>> Hi,
>>>>
>>>> I have an F18 Beta + oVirt 3.2 alpha setup with two hosts.  When I try
>>>> to migrate from one host to the other I get
>>>>
>>>> 2012-12-15 15:18:51.381+0000: 1541: error : virNetTLSContextCheckCertFile:113 : Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
>>>>
>>>> in libvirtd.log on the source host.  Is that actually where the cert
>>>> should be and I should try to track down why it's not there or should it
>>>> be somewhere else?  If it should be somewhere else where would that be
>>>> configured?  The default location for the client certificates seems to
>>>> be /etc/pki/libvirt which doesn't exist so even with a cacert it still
>>>> probably wouldn't work.  Could this be related to the missing spice
>>>> certificates (I manually made the symbolic links for those).
>>>>
>>>> Thanks,
>>>>      Jeff
>>> This is interesting...
>>>
>>> What do you have in both machines at /etc/libvirt/libvirtd.conf in
>>> ca_file, cert_file, key_file?
>> In /etc/libvirt/libvirtd.conf on both hosts:
>>
>> ca_file="/etc/pki/vdsm/certs/cacert.pem"
>> cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
>> key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
>>
>> It looks like it pulled libvirt-0.10.2.2-1.fc18.x86_64 from the F18
>> updates-testing repository.  Maybe that's the problem.  I'll try to
>> install a clean F18 beta with the updates-testing repo disabled.
> OK... although it seems like libvirtd somehow ignores its own settings :)

Yes, it seems that way.  I don't know exactly when these certificates 
are used.  Is it just for libvirt to libvirt communication like when 
doing a migration?  Does vdsm communicate locally without using TLS?  
I'm just wondering if it's something special about migration that's not 
using the right certificate path or is libvirt using the wrong path for 
everything and the only thing it affects is migration.  Anyway, a clean 
F18 install with libvirt-0.10.2.1-3.fc18.x86_64 behaves the same way.

>>> As far as I have seen, these variables are set to /etc/pki/vdsm/*; I did
>>> not duplicate these files to libvirtd.
>>>
>>> I would like to understand why the default libvirt settings are in
>>> effect.
>>>
>>> Regards,
>>> Alon
>>
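
A diagnostic for the situation discussed in this thread, added here as an example and not written by either poster or taken from oVirt or libvirt: it reads ca_file, cert_file and key_file from a libvirtd.conf and reports whether each configured file exists, alongside the two default locations named in the messages above. The function names and the optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). The function names and
# the optional ROOT prefix argument are hypothetical.

# Print "key path" for each TLS setting in a libvirtd.conf-style file.
# Accepts whitespace around '=', quoted or bare values, trailing comments,
# and ignores lines that are commented out.
tls_settings() {
    sed -n -E 's/^[[:space:]]*(ca_file|cert_file|key_file)[[:space:]]*=[[:space:]]*"?([^"#]*[^"#[:space:]])"?.*$/\1 \2/p' "$1"
}

# Report OK/MISSING for every configured file and for the default paths
# mentioned in the thread: the CA file from the libvirtd.log error and the
# client certificate directory. ROOT (optional) is prepended to each path
# so the check can run against a mounted image or a test tree.
# Returns non-zero if any path is missing.
check_tls_files() {
    conf=$1
    root=${2:-}
    missing=0
    while read -r key path; do
        [ -n "$key" ] || continue
        if [ -e "$root$path" ]; then
            state=OK
        else
            state=MISSING
            missing=$((missing + 1))
        fi
        printf '%-18s %-40s %s\n' "$key" "$path" "$state"
    done <<EOF
$(tls_settings "$conf")
default_ca /etc/pki/CA/cacert.pem
default_client_dir /etc/pki/libvirt
EOF
    [ "$missing" -eq 0 ]
}

# Usage on a host: check_tls_files /etc/libvirt/libvirtd.conf
```

Running it on both the source and destination host shows at a glance whether the configured /etc/pki/vdsm files are present while the default paths are not, which is the combination reported in this thread.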



