[Users] migration & missing cert - 3.2 alpha

Alon Bar-Lev alonbl at redhat.com
Sun Dec 16 14:25:34 UTC 2012



----- Original Message -----
> From: "Alon Bar-Lev" <alonbl at redhat.com>
> To: "Jeff Bailey" <bailey at cs.kent.edu>
> Cc: users at ovirt.org
> Sent: Sunday, December 16, 2012 10:15:17 AM
> Subject: Re: [Users] migration & missing cert - 3.2 alpha
> 
> 
> 
> ----- Original Message -----
> > From: "Jeff Bailey" <bailey at cs.kent.edu>
> > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > Cc: users at ovirt.org
> > Sent: Sunday, December 16, 2012 2:51:21 AM
> > Subject: Re: [Users] migration & missing cert - 3.2 alpha
> > 
> > 
> > On 12/15/2012 5:47 PM, Alon Bar-Lev wrote:
> > >
> > > ----- Original Message -----
> > >> From: "Jeff Bailey" <bailey at cs.kent.edu>
> > >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> > >> Cc: users at ovirt.org
> > >> Sent: Sunday, December 16, 2012 12:39:48 AM
> > >> Subject: Re: [Users] migration & missing cert - 3.2 alpha
> > >>
> > >>
> > >> On 12/15/2012 1:49 PM, Alon Bar-Lev wrote:
> > >>> ----- Original Message -----
> > >>>> From: "Jeff Bailey" <bailey at cs.kent.edu>
> > >>>> To: users at ovirt.org
> > >>>> Sent: Saturday, December 15, 2012 6:28:20 PM
> > >>>> Subject: [Users] migration & missing cert - 3.2 alpha
> > >>>>
> > >>>> Hi,
> > >>>>
> > >>>> I have an F18 Beta + oVirt 3.2 alpha setup with two hosts.  When I
> > >>>> try to migrate from one host to the other I get
> > >>>>
> > >>>> 2012-12-15 15:18:51.381+0000: 1541: error : virNetTLSContextCheckCertFile:113 : Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
> > >>>>
> > >>>> in libvirtd.log on the source host.  Is that actually where the cert
> > >>>> should be and I should try to track down why it's not there or should
> > >>>> it be somewhere else?  If it should be somewhere else where would that
> > >>>> be configured?  The default location for the client certificates seems
> > >>>> to be /etc/pki/libvirt which doesn't exist so even with a cacert it
> > >>>> still probably wouldn't work.  Could this be related to the missing
> > >>>> spice certificates (I manually made the symbolic links for those)?
> > >>>>
> > >>>> Thanks,
> > >>>>      Jeff
> > >>> This is interesting...
> > >>>
> > >>> What do you have in both machines at /etc/libvirt/libvirtd.conf in
> > >>> ca_file, cert_file, key_file?
> > >> In /etc/libvirt/libvirtd.conf on both hosts:
> > >>
> > >> ca_file="/etc/pki/vdsm/certs/cacert.pem"
> > >> cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
> > >> key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
> > >>
> > >> It looks like it pulled libvirt-0.10.2.2-1.fc18.x86_64 from the F18
> > >> updates-testing repository.  Maybe that's the problem.  I'll try to
> > >> install a clean F18 beta with the updates-testing repo disabled.
> > > OK... although it seems like libvirtd somehow ignores its own settings :)
> > 
> > Yes, it seems that way.  I don't know exactly when these certificates
> > are used.  Is it just for libvirt to libvirt communication like when
> > doing a migration?  Does vdsm communicate locally without using TLS?
> > I'm just wondering if it's something special about migration that's not
> > using the right certificate path or is libvirt using the wrong path for
> > everything and the only thing it affects is migration.  Anyway, a clean
> > F18 install with libvirt-0.10.2.1-3.fc18.x86_64 behaves the same way.
> 
> OK, for now you can manually copy the certificates.
> I will check libvirt sources.

It should be fixed in the next nightly.

Apparently, vdsm configures libvirt with the PKI artifact locations when libvirt is used as a server, but not when libvirt is used as a client.

Thank you for the report!
Alon

> 
> > 
> > >>> As far as I have seen, these variables are set to /etc/pki/vdsm/*; I
> > >>> did not duplicate these files to libvirtd.
> > >>>
> > >>> I would like to understand why the default libvirt settings are in
> > >>> effect.
> > >>>
> > >>> Regards,
> > >>> Alon
> > >>
> > 
> > 
> 
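
Added example, not part of the original thread and not vdsm or libvirt code: a check for the mismatch described above, where libvirtd.conf points the TLS server at /etc/pki/vdsm/* while a migration's client side still looks in libvirt's default locations. The client certificate and key file names are the defaults from libvirt's TLS documentation; the `root` parameter is an assumption added so the check can run against a mounted image or a test tree.

```python
import re
from pathlib import Path

# libvirt's documented default client-side PKI locations (system-wide).
# The CA path is the one in the libvirtd.log error quoted in the thread.
CLIENT_DEFAULTS = {
    "ca": "/etc/pki/CA/cacert.pem",
    "cert": "/etc/pki/libvirt/clientcert.pem",
    "key": "/etc/pki/libvirt/private/clientkey.pem",
}
SERVER_KEYS = {"ca_file": "ca", "cert_file": "cert", "key_file": "key"}
LINE = re.compile(r'^\s*(ca_file|cert_file|key_file)\s*=\s*"([^"]*)"')


def server_paths(conf_text):
    """Return the PKI paths libvirtd.conf sets for libvirtd acting as TLS server."""
    found = {}
    for line in conf_text.splitlines():
        m = LINE.match(line)  # commented-out settings start with '#' and do not match
        if m:
            found[SERVER_KEYS[m.group(1)]] = m.group(2)
    return found


def audit(conf_text, root="/"):
    """List missing PKI files for both roles; an empty list means both sides resolve."""
    def exists(path):
        return (Path(root) / path.lstrip("/")).is_file()

    findings = []
    server = server_paths(conf_text)
    for role, path in server.items():
        if not exists(path):
            findings.append(f"server {role}: {path} missing")
    for role, path in CLIENT_DEFAULTS.items():
        if not exists(path):
            hint = f" (server uses {server[role]})" if role in server else ""
            findings.append(f"client {role}: {path} missing{hint}")
    return findings


if __name__ == "__main__":
    conf = Path("/etc/libvirt/libvirtd.conf")
    for finding in audit(conf.read_text() if conf.is_file() else ""):
        print(finding)
```

On a host in the state Jeff describes, the server entries resolve and all three client entries are reported missing, which matches the error seen only at migration time.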


