[Users] Ovirt Node - tls VM Migration Fails

[Doron Fediuck]

On 29/03/12 17:23, David Elliott wrote:
> Hi
> 
> I'm ovirt node using the latest ovirt-node-iso-2.3.0-1.0.fc16.iso, and
> having a problem with live migration
> 
> After fresh install of node 
> /etc/libvirt/libvirtd.conf
> listen_tls = 0
> listen_tcp = 1
> # tcp and tls ports are defaults
> # tls_port = "16514"
> #tcp_port = "16509"
> 
> 
> [root at ovirt-h-6 ~]# netstat -ant |grep -E "16514|16509"
> tcp        0      0 0.0.0.0:16509               0.0.0.0:*
> LISTEN
> 
> iptables is set to accept ALL
> 
> When migration is attempted - it then tries and fails to use tls 
> 
> 2012-03-28 18:33:15.566+0000: 1622: error : doPeer2PeerMigrate:2129 :
> operation failed: Failed to connect to remote libvirt URI
> qemu+tls://192.168.192.230/system
> 
> - manually configuring a registered/running node with listen_tls = 1,
> migration will then succeed
> 
> - editing the live-cd and setting "listen_tls=1" , a fresh install then has
> some problems
> libvirtd fails  to start on install due to a certificate error (which am
> guessing is installed as part of the node registration process with the
> engine)
> "Cannot read CA Certifcate /etc/pki/CA/cacert.pem"
> 
> This also causes the setting of hostname/network details to fail during the
> automated installation; so this seems the wrong way to go
> 
> I'm not sure if the problem here is live migration shouldn't be using tls;
> or that the node registration process should set "listen_tls=1" l; but isn't
> 
> Any assistance appreciated
> 
> Cheers,
> Dave 
> 

Let's just verify first what libvirt is saying.
Can you please post the output of:
ls -l /etc/pki/CA/

Also, AFAIR, it should be using 
/etc/pki/vdsm/certs/cacert.pem

Can you take a look in the relevant config files (vdsm mostly)
and see how it's defined? Did you happen to manually change it?