[Users] Ovirt Node - tls VM Migration Fails
David Elliott
david.elliott at shazamteam.com
Thu Mar 29 12:47:16 EDT 2012
Thanks for the quick reply
Aside from the manual listen_tls change...
- hardcoded root/admin password inside the live-iso image
- set a dynamic uuid to be generated for libvirtd.conf (our hardware reports
the same across boxes using dmidecode otherwise)
This executes just after ovirt-early starts in
/usr/libexec/ovirt-init-functions.sh
grep -w "^host_uuid" /etc/libvirt/libvirtd.conf || echo host_uid =
\"`uuidgen`\" >> /etc/libvirt/libvirtd.conf
- have been adding these systems using the engine webui /and entering node
password- so don't connect to the server to authenticate certificate
config details below
# ls -l /etc/pki/CA/
-r--r--r--. 1 vdsm kvm 3412 Mar 29 08:39 cacert.pem
drwxr-xr-x. 2 root root 40 Jan 19 16:37 certs
drwxr-xr-x. 2 root root 40 Jan 19 16:37 crl
drwxr-xr-x. 2 root root 40 Jan 19 16:37 newcerts
drwx------. 2 root root 40 Jan 19 16:37 private
# df |grep /etc/pki/vdsm/certs/cacert.pem
/dev/mapper/HostVG-Config 7998 1298 6291
18% /etc/pki/vdsm/certs/cacert.pem
# diff /etc/pki/vdsm/certs/cacert.pem /etc/pki/CA/cacert.pem
# grep -v '^#' /etc/vdsm/vdsm.conf|grep "="
ssl=true
# grep -v '^#' /etc/vdsm-reg/vdsm-reg.conf
[vars]
reg_req_interval = 5
vdsm_conf_file=/etc/vdsm/vdsm.conf
pidfile=/var/run/vdsm-reg.pid
logger_conf=/etc/vdsm-reg/logger.conf
vdc_host_name=ovirt-m-1.shazamteam.com
vdc_host_port=8443
vdc_reg_uri=/OvirtEngineWeb/register
upgrade_iso_file=/data/updates/ovirt-node-image.iso
upgrade_mount_point=/var/run/vdsm/image-update
ticket=
# grep -v '^#' /etc/libvirt/libvirtd.conf |grep '='
listen_tls = 1
listen_tcp = 1
listen_addr="0" # by vdsm
unix_sock_group="kvm" # by vdsm
unix_sock_rw_perms="0770" # by vdsm
auth_unix_rw="sasl" # by vdsm
save_image_format="lzop" # by vdsm
log_outputs="1:file:/var/log/libvirtd.log" # by vdsm
ca_file="/etc/pki/vdsm/certs/cacert.pem" # by vdsm
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem" # by vdsm
key_file="/etc/pki/vdsm/keys/vdsmkey.pem" # by vdsm
# grep -v '^#' /etc/libvirt/qemu.conf |grep -v '^#'|grep =
vnc_listen = "0.0.0.0"
dynamic_ownership=0 # by vdsm
spice_tls=1 # by vdsm
spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice" # by vdsm
Cheers,
Dave
-----Original Message-----
From: Doron Fediuck [mailto:dfediuck at redhat.com]
Sent: 29 March 2012 16:51
To: David Elliott
Cc: users at ovirt.org
Subject: Re: [Users] Ovirt Node - tls VM Migration Fails
On 29/03/12 17:23, David Elliott wrote:
> Hi
>
> I'm ovirt node using the latest ovirt-node-iso-2.3.0-1.0.fc16.iso, and
> having a problem with live migration
>
> After fresh install of node
> /etc/libvirt/libvirtd.conf
> listen_tls = 0
> listen_tcp = 1
> # tcp and tls ports are defaults
> # tls_port = "16514"
> #tcp_port = "16509"
>
>
> [root at ovirt-h-6 ~]# netstat -ant |grep -E "16514|16509"
> tcp 0 0 0.0.0.0:16509 0.0.0.0:*
> LISTEN
>
> iptables is set to accept ALL
>
> When migration is attempted - it then tries and fails to use tls
>
> 2012-03-28 18:33:15.566+0000: 1622: error : doPeer2PeerMigrate:2129 :
> operation failed: Failed to connect to remote libvirt URI
> qemu+tls://192.168.192.230/system
>
> - manually configuring a registered/running node with listen_tls = 1,
> migration will then succeed
>
> - editing the live-cd and setting "listen_tls=1" , a fresh install then
has
> some problems
> libvirtd fails to start on install due to a certificate error (which am
> guessing is installed as part of the node registration process with the
> engine)
> "Cannot read CA Certifcate /etc/pki/CA/cacert.pem"
>
> This also causes the setting of hostname/network details to fail during
the
> automated installation; so this seems the wrong way to go
>
> I'm not sure if the problem here is live migration shouldn't be using tls;
> or that the node registration process should set "listen_tls=1" l; but
isn't
>
> Any assistance appreciated
>
> Cheers,
> Dave
>
Let's just verify first what libvirt is saying.
Can you please post the output of:
ls -l /etc/pki/CA/
Also, AFAIR, it should be using
/etc/pki/vdsm/certs/cacert.pem
Can you take a look in the relevant config files (vdsm mostly)
and see how it's defined? Did you happen to manually change it?
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
More information about the Users
mailing list