[Users] migration & missing cert - 3.2 alpha

Alon Bar-Lev alonbl at redhat.com
Sun Dec 16 08:15:17 UTC 2012



----- Original Message -----
> From: "Jeff Bailey" <bailey at cs.kent.edu>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: users at ovirt.org
> Sent: Sunday, December 16, 2012 2:51:21 AM
> Subject: Re: [Users] migration & missing cert - 3.2 alpha
> 
> 
> On 12/15/2012 5:47 PM, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "Jeff Bailey" <bailey at cs.kent.edu>
> >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >> Cc: users at ovirt.org
> >> Sent: Sunday, December 16, 2012 12:39:48 AM
> >> Subject: Re: [Users] migration & missing cert - 3.2 alpha
> >>
> >>
> >> On 12/15/2012 1:49 PM, Alon Bar-Lev wrote:
> >>> ----- Original Message -----
> >>>> From: "Jeff Bailey" <bailey at cs.kent.edu>
> >>>> To: users at ovirt.org
> >>>> Sent: Saturday, December 15, 2012 6:28:20 PM
> >>>> Subject: [Users] migration & missing cert - 3.2 alpha
> >>>>
> >>>> Hi,
> >>>>
> >>>> I have an F18 Beta + oVirt 3.2 alpha setup with two hosts.  When I try
> >>>> to migrate from one host to the other I get
> >>>>
> >>>> 2012-12-15 15:18:51.381+0000: 1541: error : virNetTLSContextCheckCertFile:113 : Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
> >>>>
> >>>> in libvirtd.log on the source host.  Is that actually where the cert
> >>>> should be and I should try to track down why it's not there or should it
> >>>> be somewhere else?  If it should be somewhere else where would that be
> >>>> configured?  The default location for the client certificates seems to
> >>>> be /etc/pki/libvirt which doesn't exist so even with a cacert it still
> >>>> probably wouldn't work.  Could this be related to the missing spice
> >>>> certificates (I manually made the symbolic links for those)?
> >>>>
> >>>> Thanks,
> >>>>      Jeff
> >>> This is interesting...
> >>>
> >>> What do you have in both machines at /etc/libvirt/libvirtd.conf in
> >>> ca_file, cert_file, key_file?
> >> In /etc/libvirt/libvirtd.conf on both hosts:
> >>
> >> ca_file="/etc/pki/vdsm/certs/cacert.pem"
> >> cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
> >> key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
> >>
> >> It looks like it pulled libvirt-0.10.2.2-1.fc18.x86_64 from the F18
> >> updates-testing repository.  Maybe that's the problem.  I'll try to
> >> install a clean F18 beta with the updates-testing repo disabled.
> > OK... although it seems like libvirtd somehow ignores its own
> > settings :)
> 
> Yes, it seems that way.  I don't know exactly when these certificates
> are used.  Is it just for libvirt to libvirt communication like when
> doing a migration?  Does vdsm communicate locally without using TLS?
> I'm just wondering if it's something special about migration that's not
> using the right certificate path or is libvirt using the wrong path for
> everything and the only thing it affects is migration.  Anyway, a clean
> F18 install with libvirt-0.10.2.1-3.fc18.x86_64 behaves the same way.

OK, for now you can manually copy the certificates.
I will check libvirt sources.

> 
> >>> As far as I have seen, these variables are set to /etc/pki/vdsm/*; I
> >>> did not duplicate these files to libvirtd.
> >>>
> >>> I would like to understand why the default libvirt settings are in
> >>> effect.
> >>>
> >>> Regards,
> >>> Alon
> >>
> 
> 
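
The check done by hand in this thread, as an added example that is not part of the original messages: a shell script that compares the TLS paths set in libvirtd.conf with the default locations named in the log line and in the question. The function names and the optional root-prefix argument are assumptions for illustration; every path is one quoted in the thread, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are those quoted in the thread.

# conf_value FILE KEY: print the value of an uncommented KEY="..." line.
# Assumes the path contains no spaces or tabs.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '" \t'
}

# check_tls_paths CONF [ROOT]: one status line per configured and default path.
# ROOT is an optional prefix so the check can run against a copied tree.
check_tls_paths() {
    conf=$1
    root=${2:-}
    for key in ca_file cert_file key_file; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "UNSET   libvirtd.conf:$key"
        elif [ -r "$root$path" ]; then
            echo "OK      libvirtd.conf:$key $path"
        else
            echo "MISSING libvirtd.conf:$key $path"
        fi
    done
    # Default locations named in the libvirtd.log error and in the question.
    for path in /etc/pki/CA/cacert.pem /etc/pki/libvirt; do
        if [ -e "$root$path" ]; then
            echo "OK      default $path"
        else
            echo "MISSING default $path"
        fi
    done
}

# Constructed tree mirroring the hosts described in the thread.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/libvirt" "$tmp/etc/pki/vdsm/certs" "$tmp/etc/pki/vdsm/keys"
    touch "$tmp/etc/pki/vdsm/certs/cacert.pem" "$tmp/etc/pki/vdsm/certs/vdsmcert.pem" \
          "$tmp/etc/pki/vdsm/keys/vdsmkey.pem"
    printf '%s\n' 'ca_file="/etc/pki/vdsm/certs/cacert.pem"' \
        'cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"' \
        'key_file="/etc/pki/vdsm/keys/vdsmkey.pem"' > "$tmp/etc/libvirt/libvirtd.conf"
    check_tls_paths "$tmp/etc/libvirt/libvirtd.conf" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a host, `check_tls_paths /etc/libvirt/libvirtd.conf` run on both source and destination shows whether the configured vdsm paths are readable while the default locations are absent, which is the combination reported above.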


