|Summary:||missing certificates generation cause virsh and spice connection to fail|
|Product:||Red Hat Enterprise Virtualization Manager||Reporter:||Sandro Bonazzola <sbonazzo>|
|Component:||ovirt-hosted-engine-setup||Assignee:||Yedidyah Bar David <didi>|
|Status:||CLOSED ERRATA||QA Contact:||movciari|
|Version:||3.3.0||CC:||adingman, dfediuck, didi, dkline, iheim, jbelka, josh, michele, mkalinin, oschreib, pablo.iranzo, pstehlik, rhodain, sbonazzo, scohen, thunt, tpoitras, vfarias|
|Target Milestone:||---||Keywords:||Triaged, ZStream|
|Fixed In Version:||Doc Type:||Bug Fix|
Previously, certificate authority certificates were not generated for libvirt. This resulted in a failure to connect to the engine virtual machine using virsh or SPICE during the hosted-engine deployment. Now, the necessary certificates are generated before libvirt is configured for VDSM and users can connect to the engine virtual machine using virsh or SPICE.
|:||1073446 (view as bug list)||Environment:|
|Last Closed:||2014-06-09 14:47:27 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
|Bug Blocks:||1063576, 1073446, 1078909, 1142926|
Description Sandro Bonazzola 2013-11-26 09:06:57 UTC
On a clean system install, trying to use virsh connection for accessing the shell for installing the OS inside the Self Hosted Engine VM leads to:

# virsh -c qemu+tls:///Test/system console HostedEngine
error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
error: failed to connect to the hypervisor

The '/etc/pki/CA/cacert.pem' is created later when the host is added to the manager by ovirt-host-deploy. We need to provide /etc/pki/CA/cacert.pem before OS installation for allowing virsh to connect to the hypervisor.
Comment 1 Sandro Bonazzola 2013-11-26 09:13:38 UTC
Comment 3 Sandro Bonazzola 2013-12-09 16:19:58 UTC
*** Bug 1034679 has been marked as a duplicate of this bug. ***
Comment 4 Sandro Bonazzola 2013-12-09 16:21:26 UTC
Also, server and client certificates are missing, causing libvirt not to listen on the qemu+tls port.
Comment 5 Sandro Bonazzola 2013-12-10 14:12:39 UTC
*** Bug 1035395 has been marked as a duplicate of this bug. ***
Comment 6 Sandro Bonazzola 2013-12-10 14:14:16 UTC
Also, /etc/pki/libvirt-spice certificates are generated by ovirt-host-deploy at a later stage, so when creating cacert.pem, hosted-engine --deploy needs to take care of these too.
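A pre-flight check for the PKI material named in the description and in comments 4 and 6, as an added example that is not part of the original bug report or of ovirt-hosted-engine-setup. The file names inside each directory are libvirt and QEMU defaults rather than values from the report, and the ROOT prefix argument is a hypothetical convenience for checking a staged tree.

```shell
#!/bin/sh
# Added example: pre-flight check for the PKI files named in this bug.
# File names under each directory are libvirt/QEMU defaults (assumption:
# the host does not override them in libvirtd.conf or qemu.conf).

# check_libvirt_pki [ROOT]
# ROOT is a hypothetical prefix so the check can run against a staged tree;
# leave it empty to inspect the live host. Prints one line per problem and
# returns 0 only if nothing is missing and no private key is world-readable.
check_libvirt_pki() {
    root="${1:-}"
    rc=0

    # Directories first: comment 17 notes /etc/pki/libvirt might not exist.
    for d in /etc/pki/CA /etc/pki/libvirt /etc/pki/libvirt/private \
             /etc/pki/libvirt-spice; do
        if [ ! -d "$root$d" ]; then
            echo "MISSING-DIR $d"
            rc=1
        fi
    done

    # CA, server and client material for qemu+tls, then the SPICE set.
    for f in /etc/pki/CA/cacert.pem \
             /etc/pki/libvirt/servercert.pem \
             /etc/pki/libvirt/clientcert.pem \
             /etc/pki/libvirt/private/serverkey.pem \
             /etc/pki/libvirt/private/clientkey.pem \
             /etc/pki/libvirt-spice/ca-cert.pem \
             /etc/pki/libvirt-spice/server-cert.pem \
             /etc/pki/libvirt-spice/server-key.pem; do
        if [ ! -s "$root$f" ]; then
            echo "MISSING-FILE $f"
            rc=1
            continue
        fi
        # Private keys must not be readable by "other".
        case "$f" in
            *key.pem)
                if [ -n "$(find "$root$f" -perm -004)" ]; then
                    echo "WORLD-READABLE-KEY $f"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}
```

Calling check_libvirt_pki with no argument inspects the live host; a non-zero return before the virsh or SPICE connection attempt points at the condition this bug describes.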
Comment 10 Sandro Bonazzola 2014-01-27 10:05:28 UTC
*** Bug 1056649 has been marked as a duplicate of this bug. ***
Comment 11 Sandro Bonazzola 2014-01-31 13:08:59 UTC
As a workaround, perform an all-in-one setup, then execute cleanup and deploy hosted-engine, or use a VNC connection.
Comment 12 Sandro Bonazzola 2014-01-31 13:09:39 UTC
*** Bug 1058936 has been marked as a duplicate of this bug. ***
Comment 13 Sandro Bonazzola 2014-02-11 08:58:03 UTC
*** Bug 1063576 has been marked as a duplicate of this bug. ***
Comment 15 Yedidyah Bar David 2014-03-10 06:34:06 UTC
*** Bug 1067683 has been marked as a duplicate of this bug. ***
Comment 17 Yedidyah Bar David 2014-03-12 14:47:40 UTC
Moving back to assigned as /etc/pki/libvirt might not exist.
Comment 19 errata-xmlrpc 2014-06-09 14:47:27 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-0505.html