[ovirt-users] Stuck at "Enrolling serial console certificate"

Alon Bar-Lev alonbl at redhat.com
Sat Aug 29 17:44:41 UTC 2015



----- Original Message -----
> From: "Sahina Bose" <sabose at redhat.com>
> To: "Juan Hernández" <jhernand at redhat.com>, "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "users" <users at ovirt.org>
> Sent: Tuesday, August 25, 2015 5:40:07 PM
> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console certificate"
> 
> 
> 
> On 08/21/2015 11:02 PM, Juan Hernández wrote:
> > On 08/21/2015 12:22 PM, Sahina Bose wrote:
> >>
> >> On 08/21/2015 03:50 PM, Alon Bar-Lev wrote:
> >>> Interesting.
> >>>
> >>> Please execute manually:
> >>>
> >>> # /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh
> >>> --name=rhsdev9.lab.eng.blr.redhat.com-ssh --host
> >>> --id=rhsdev9.lab.eng.blr.redhat.com
> >>> --principals=rhsdev9.lab.eng.blr.redhat.com --days=1825
> >>
> >> It returns immediately with:
> >> [root at dhcp43-86 ~]#
> >> /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh
> >> --name=rhsdev9.lab.eng.blr.redhat.com-ssh --host
> >> --id=rhsdev9.lab.eng.blr.redhat.com
> >> --principals=rhsdev9.lab.eng.blr.redhat.com --days=1825
> >> Signed host key
> >> /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh-cert.pub:
> >> id "rhsdev9.lab.eng.blr.redhat.com" serial 0 for
> >> rhsdev9.lab.eng.blr.redhat.com valid from 2015-08-21T02:51:27 to
> >> 2020-08-19T03:51:27
> >>
> >>
> > Check your SELinux log file. Most probably SELinux is blocking some
> > access to the generated files, and then ssh-keygen is asking
> > interactively, and thus blocking for ever.
> 
> 
> Thanks, Juan. I do see some AVC denial errors, but am yet to try with
> SELinux disabled. Will do so and report back.
> 
> /var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:
> denied  { open } for  pid=11827 comm="ssh-keygen"
> path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913
> scontext=system_u:system_r:ssh_keygen_t:s0
> tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
> 

Hmmmm... this is bad... ssh-keygen should run within the same context as the caller, not switch into a different type.
Even if switching into a different type, it should permit accessing temp files.
Will try to figure out what the right solution is (if any).
Thanks, Juan!

I opened [1] for followup.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1258154

> 
> ovirt    11827 11821  0 Aug21 ?        00:00:00 ssh-keygen -s
> /tmp/tmp.KlPjsec4X3 -I rhsdev9.lab.eng.blr.redhat.com -h -V -1h:+1825d
> -n rhsdev9.lab.eng.blr.redhat.com
> /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh.pub
> 
> 
> 
> >
> >>> let's see what happens.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Sahina Bose" <sabose at redhat.com>
> >>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>> Cc: "users" <users at ovirt.org>
> >>>> Sent: Friday, August 21, 2015 1:15:03 PM
> >>>> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console
> >>>> certificate"
> >>>>
> >>>>
> >>>>
> >>>> On 08/21/2015 02:58 PM, Alon Bar-Lev wrote:
> >>>>> the only thing I can think of is that your engine is out of random, so
> >>>>> it
> >>>>> waits for more to be able to generate a new key.
> >>>>> please while this is happening, execute: "find /" or anything that will
> >>>>> create some activity.
> >>>>> if that's not helping, please send me "ps -efa" output so at least I
> >>>>> see
> >>>>> what is running.
> >>>>> thanks!
> >>>> output of ps -efa
> >>>>
> >>>> http://fpaste.org/257513/44015204/
> >>>>
> >>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Sahina Bose" <sabose at redhat.com>
> >>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>>> Cc: "users" <users at ovirt.org>
> >>>>>> Sent: Friday, August 21, 2015 12:23:11 PM
> >>>>>> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console
> >>>>>> certificate"
> >>>>>>
> >>>>>> Attached engine.log and host-deploy.log
> >>>>>>
> >>>>>>
> >>>>>> On 08/21/2015 02:29 PM, Alon Bar-Lev wrote:
> >>>>>>> Log would be nice.
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Sahina Bose" <sabose at redhat.com>
> >>>>>>>> To: "users" <users at ovirt.org>
> >>>>>>>> Sent: Friday, August 21, 2015 11:27:56 AM
> >>>>>>>> Subject: [ovirt-users] Stuck at "Enrolling serial console
> >>>>>>>> certificate"
> >>>>>>>>
> >>>>>>>> Hi all,
> >>>>>>>>
> >>>>>>>> While installing a host to ovirt-3.6 engine, the host installation
> >>>>>>>> is
> >>>>>>>> stuck at "Enrolling serial console certificate"
> >>>>>>>>
> >>>>>>>> I installed the engine from ovirt-release36, and answered No to
> >>>>>>>> setting
> >>>>>>>> up WebConsole-proxy as well as VM Console proxy on the engine.
> >>>>>>>>
> >>>>>>>> Does anyone know how to debug this?
> >>>>>>>>
> >>>>>>>> thanks
> >>>>>>>> sahina
> >>>>>>>> _______________________________________________
> >>>>>>>> Users mailing list
> >>>>>>>> Users at ovirt.org
> >>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>>>
> >>
> >
> 
> 
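Added example, not part of the original thread: a small parser that pulls the SELinux types out of AVC denial records for a given command, so the `ssh_keygen_t` to `init_tmp_t` mismatch discussed above is visible at a glance. The sample input is constructed (the first record is the denial quoted in the thread, re-joined onto one line; the second is made up), and the function names are hypothetical.

```python
import re

# Constructed sample: record 1 is the denial quoted in the thread, re-joined
# onto one line with grep's "file:" prefix kept; record 2 is a made-up,
# unrelated denial that the command filter must skip.
SAMPLE = '''\
/var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc: denied  { open } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1440108200.100:9550): avc:  denied  { read } for  pid=2000 comm="httpd" name="x" dev="dm-0" ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record; return None for any other line."""
    m = AVC_RE.search(line)  # search(): tolerate grep's "filename:" prefix
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if "scontext" not in f or "tcontext" not in f:
        return None
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": f.get("comm"),
        "path": f.get("path") or f.get("name"),
        # A context is user:role:type:level; the type is what policy checks.
        "source_type": f["scontext"].split(":")[2],
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f.get("tclass"),
    }


def denials_for(text, comm="ssh-keygen"):
    """Return parsed denials whose comm field equals `comm`."""
    recs = (parse_avc(line) for line in text.splitlines())
    return [r for r in recs if r and r["comm"] == comm]


if __name__ == "__main__":
    for r in denials_for(SAMPLE):
        print(f'{r["comm"]}: {r["source_type"]} denied {r["perms"]} on '
              f'{r["target_type"]}:{r["tclass"]} ({r["path"]})')
```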


