Bug 1034634 - missing certificates generation cause virsh and spice connection to fail
Summary: missing certificates generation cause virsh and spice connection to fail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.4.0
Assignee: Yedidyah Bar David
QA Contact: movciari
URL:
Whiteboard: integration
Duplicates: 1034679 1035395 1056649 1058936 1067683
Depends On:
Blocks: 1063576 1073446 rhev3.4beta 1142926
Reported: 2013-11-26 09:06 UTC by Sandro Bonazzola
Modified: 2018-12-04 16:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, certificate authority certificates were not generated for libvirt. This resulted in a failure to connect to the engine virtual machine using virsh or SPICE during the hosted-engine deployment. Now, the necessary certificates are generated before libvirt is configured for VDSM and users can connect to the engine virtual machine using virsh or SPICE.
Clone Of:
: 1073446 (view as bug list)
Environment:
Last Closed: 2014-06-09 14:47:27 UTC
oVirt Team: ---


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2014:0505 | normal | SHIPPED_LIVE | ovirt-hosted-engine-setup bug fix and enhancement update | 2014-06-09 18:45:23 UTC
oVirt gerrit | 25142 | None | None | None | Never
oVirt gerrit | 25472 | None | None | None | Never
oVirt gerrit | 25747 | None | None | None | Never

Description Sandro Bonazzola 2013-11-26 09:06:57 UTC
On a clean system install, trying to use a virsh connection to access the shell for installing the OS inside the Self Hosted Engine VM leads to:
 # virsh -c qemu+tls:///Test/system console HostedEngine
 error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or  directory
 error: failed to connect to the hypervisor

The '/etc/pki/CA/cacert.pem' is created later, when the host is added to the manager by ovirt-host-deploy.

We need to provide /etc/pki/CA/cacert.pem before OS installation to allow virsh to connect to the hypervisor.

Comment 1 Sandro Bonazzola 2013-11-26 09:13:38 UTC
Workaround: http://libvirt.org/remote.html#Remote_TLS_CA

Comment 3 Sandro Bonazzola 2013-12-09 16:19:58 UTC
*** Bug 1034679 has been marked as a duplicate of this bug. ***

Comment 4 Sandro Bonazzola 2013-12-09 16:21:26 UTC
Also, the server and client certificates are missing, causing libvirt not to listen on the qemu+tls port.

Comment 5 Sandro Bonazzola 2013-12-10 14:12:39 UTC
*** Bug 1035395 has been marked as a duplicate of this bug. ***

Comment 6 Sandro Bonazzola 2013-12-10 14:14:16 UTC
Also, the /etc/pki/libvirt-spice certificates are generated by ovirt-host-deploy at a later stage, so when creating cacert.pem, hosted-engine --deploy needs to take care of these too.
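
A pre-flight check for the PKI files named in the description and in comments 4 and 6, added here as an example; it is not part of the original report or of ovirt-hosted-engine-setup. It assumes libvirt's default TLS paths and the file names QEMU looks for in a SPICE x509 directory; `pki_files` and `missing_pki` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the bug report or ovirt-hosted-engine-setup.
# /etc/pki/CA/cacert.pem and /etc/pki/libvirt-spice come from the report; the
# other paths are libvirt's default TLS locations, and the SPICE file names are
# the ones QEMU looks for in an x509 directory (assumed to apply here).

# pki_files: one "purpose:path" pair per line.
pki_files() {
    cat <<'EOF'
virsh-tls:/etc/pki/CA/cacert.pem
virsh-tls:/etc/pki/libvirt/servercert.pem
virsh-tls:/etc/pki/libvirt/private/serverkey.pem
virsh-tls:/etc/pki/libvirt/clientcert.pem
virsh-tls:/etc/pki/libvirt/private/clientkey.pem
spice:/etc/pki/libvirt-spice/ca-cert.pem
spice:/etc/pki/libvirt-spice/server-cert.pem
spice:/etc/pki/libvirt-spice/server-key.pem
EOF
}

# missing_pki ROOT: print "purpose path problem" for each file under ROOT
# (pass "" for the live system) that is missing, empty, or a world-readable
# private key. Returns 1 if anything was reported, 0 otherwise.
missing_pki() {
    root=$1
    rc=0
    while IFS=: read -r purpose path; do
        file=$root$path
        if [ ! -e "$file" ]; then
            echo "$purpose $path missing"; rc=1
        elif [ ! -s "$file" ]; then
            echo "$purpose $path empty"; rc=1
        else
            case $path in
                *key.pem)   # private keys must not be readable by "other"
                    if [ -n "$(find -L "$file" -perm -004)" ]; then
                        echo "$purpose $path world-readable-key"; rc=1
                    fi ;;
            esac
        fi
    done <<EOF
$(pki_files)
EOF
    return "$rc"
}
```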

Comment 10 Sandro Bonazzola 2014-01-27 10:05:28 UTC
*** Bug 1056649 has been marked as a duplicate of this bug. ***

Comment 11 Sandro Bonazzola 2014-01-31 13:08:59 UTC
As a workaround, perform an all-in-one setup, then execute cleanup and deploy hosted-engine, or use a VNC connection.

Comment 12 Sandro Bonazzola 2014-01-31 13:09:39 UTC
*** Bug 1058936 has been marked as a duplicate of this bug. ***

Comment 13 Sandro Bonazzola 2014-02-11 08:58:03 UTC
*** Bug 1063576 has been marked as a duplicate of this bug. ***

Comment 15 Yedidyah Bar David 2014-03-10 06:34:06 UTC
*** Bug 1067683 has been marked as a duplicate of this bug. ***

Comment 17 Yedidyah Bar David 2014-03-12 14:47:40 UTC
Moving back to assigned as /etc/pki/libvirt might not exist.

Comment 19 errata-xmlrpc 2014-06-09 14:47:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0505.html
