Re: [Users] Certificates and PKI seem to be broken after yum update
As I recommended before, please open a new thread with 'how to rescue storage domain', I hope someone who is familiar with storage domain structure will be able to assist. Your installation seems to be corrupted more than just permissions, certificates, stores.

- Original Message -
> From: "Chris Smith"
> To: "Alon Bar-Lev" , Users@ovirt.org
> Sent: Friday, April 19, 2013 3:40:55 AM
> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>
> Since I'm not able to reinstall the host from the ovirt-engine web
> interface, as another thought I wanted to see if I could bring up a
> third host and add it to the cluster.
> I have a host Fedora 17 box ready to go but I can't add it to the
> cluster. It states that there are no available server in the cluster
> to probe the new host.
>
> What about approaching it from the other direction. Would I be able
> to stand up an ovirt-h node on the same hardware and then add it to
> ovirt from the host itself, using the setup menu?
>
> Could it then obtain spm status and bring the storage domain online?
>
> On Thu, Apr 18, 2013 at 7:20 PM, Chris Smith wrote:
> > engine.log attached
> >
> > On Thu, Apr 18, 2013 at 7:11 PM, Alon Bar-Lev wrote:
> >> Need to know precise error, please attach engine.log.
> >>
> >>
> >> - Original Message -
> >>> From: "Chris Smith"
> >>> To: "Alon Bar-Lev"
> >>> Cc: Users@ovirt.org
> >>> Sent: Friday, April 19, 2013 2:03:59 AM
> >>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
> >>> update
> >>>
> >>> So as of now, I can put the host into maintenance mode using the
> >>> ovirt-engine web interface. I can also try and activate it. It
> >>> states that the host was activated. The host never actually comes up
> >>> or contends for SPM status, and the data center never actually comes
> >>> online.
> >>>
> >>> If I put the host into maintenance mode and try to reinstall it, it
> >>> throws an error and size must be between 0 and 50.
> >>>
> >>> On Thu, Apr 18, 2013 at 6:51 PM, Alon Bar-Lev wrote:
> >>> > I am not sure I understand the status.
> >>> >
> >>> > Everything is working or not.
> >>> > If not, what exactly fails?
> >>> > Why do you run it 'again'?
> >>> >
> >>> > What happens if you reinstall host? Go to maintenance and select
> >>> > reinstall?
> >>> >
> >>> > I cannot understand how all this results from upgrade, something had
> >>> > changed, the CA certificate installed on the host is probably not the
> >>> > CA
> >>> > certificate of the engine.
> >>> >
> >>> > - Original Message -
> >>> >> From: "Chris Smith"
> >>> >> To: "Alon Bar-Lev" , Users@ovirt.org
> >>> >> Sent: Friday, April 19, 2013 1:45:23 AM
> >>> >> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
> >>> >> update
> >>> >>
> >>> >> On Thu, Apr 18, 2013 at 6:44 PM, Chris Smith
> >>> >> wrote:
> >>> >> > I made a backup of the .truststore, and then followed the steps and
> >>> >> > then rebooted both the ovirt-engine and one of the hosts, and
> >>> >> > everything worked properly.
> >>> >> >
> >>> >> > If I run it again, or enter the wrong password it throws an error
> >>> >> > about the key store already existing, or that the password was wrong
> >>> >> > so I'm pretty sure it's good.
> >>> >> >
> >>> >> > vdsm.log on the host still shows:
> >>> >> >
> >>> >> > Traceback (most recent call last):
> >>> >> > File "/usr/lib64/python2.7/SocketServer.py", line 582, in
> >>> >> > process_request_thread
> >>> >> > self.finish_request(request, client_address)
> >>> >> > File
> >>> >> > "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
> >>> >> > line 66, in finish_request
> >>> >> > request.do_handshake()
> >>> >> > File "/usr/lib64/python2.7/ssl.
Re: [Users] Certificates and PKI seem to be broken after yum update
Since I'm not able to reinstall the host from the ovirt-engine web interface, as another thought I wanted to see if I could bring up a third host and add it to the cluster.
I have a host Fedora 17 box ready to go but I can't add it to the cluster. It states that there are no available server in the cluster to probe the new host.

What about approaching it from the other direction. Would I be able to stand up an ovirt-h node on the same hardware and then add it to ovirt from the host itself, using the setup menu?

Could it then obtain spm status and bring the storage domain online?

On Thu, Apr 18, 2013 at 7:20 PM, Chris Smith wrote:
> engine.log attached
>
> On Thu, Apr 18, 2013 at 7:11 PM, Alon Bar-Lev wrote:
>> Need to know precise error, please attach engine.log.
>>
>>
>> - Original Message -
>>> From: "Chris Smith"
>>> To: "Alon Bar-Lev"
>>> Cc: Users@ovirt.org
>>> Sent: Friday, April 19, 2013 2:03:59 AM
>>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>>>
>>> So as of now, I can put the host into maintenance mode using the
>>> ovirt-engine web interface. I can also try and activate it. It
>>> states that the host was activated. The host never actually comes up
>>> or contends for SPM status, and the data center never actually comes
>>> online.
>>>
>>> If I put the host into maintenance mode and try to reinstall it, it
>>> throws an error and size must be between 0 and 50.
>>>
>>> On Thu, Apr 18, 2013 at 6:51 PM, Alon Bar-Lev wrote:
>>> > I am not sure I understand the status.
>>> >
>>> > Everything is working or not.
>>> > If not, what exactly fails?
>>> > Why do you run it 'again'?
>>> >
>>> > What happens if you reinstall host? Go to maintenance and select
>>> > reinstall?
>>> >
>>> > I cannot understand how all this results from upgrade, something had
>>> > changed, the CA certificate installed on the host is probably not the CA
>>> > certificate of the engine.
>>> >
>>> > - Original Message -
>>> >> From: "Chris Smith"
>>> >> To: "Alon Bar-Lev" , Users@ovirt.org
>>> >> Sent: Friday, April 19, 2013 1:45:23 AM
>>> >> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
>>> >> update
>>> >>
>>> >> On Thu, Apr 18, 2013 at 6:44 PM, Chris Smith
>>> >> wrote:
>>> >> > I made a backup of the .truststore, and then followed the steps and
>>> >> > then rebooted both the ovirt-engine and one of the hosts, and
>>> >> > everything worked properly.
>>> >> >
>>> >> > If I run it again, or enter the wrong password it throws an error
>>> >> > about the key store already existing, or that the password was wrong
>>> >> > so I'm pretty sure it's good.
>>> >> >
>>> >> > vdsm.log on the host still shows:
>>> >> >
>>> >> > Traceback (most recent call last):
>>> >> > File "/usr/lib64/python2.7/SocketServer.py", line 582, in
>>> >> > process_request_thread
>>> >> > self.finish_request(request, client_address)
>>> >> > File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
>>> >> > line 66, in finish_request
>>> >> > request.do_handshake()
>>> >> > File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>>> >> > self._sslobj.do_handshake()
>>> >> > SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> >> > routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> >> >
>>> >> > engine.log on the host shows:
>>> >> >
>>> >> > 2013-04-18 18:42:43,632 ERROR
>>> >> > [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >> > (QuartzScheduler_Worker-68) Failed to decryptData must start with zero
>>> >> > 2013-04-18 18:42:43,642 ERROR
>>> >> > [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> >> > (QuartzScheduler_Worker-68) XML RPC error in command
>>> >> > GetCapabilitiesVDS ( Vds: transporter ), the error was:
>>> >> > java.util.concurrent.ExecutionException:
>&g
Re: [Users] Certificates and PKI seem to be broken after yum update
Need to know precise error, please attach engine.log.

- Original Message -
> From: "Chris Smith"
> To: "Alon Bar-Lev"
> Cc: Users@ovirt.org
> Sent: Friday, April 19, 2013 2:03:59 AM
> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>
> So as of now, I can put the host into maintenance mode using the
> ovirt-engine web interface. I can also try and activate it. It
> states that the host was activated. The host never actually comes up
> or contends for SPM status, and the data center never actually comes
> online.
>
> If I put the host into maintenance mode and try to reinstall it, it
> throws an error and size must be between 0 and 50.
>
> On Thu, Apr 18, 2013 at 6:51 PM, Alon Bar-Lev wrote:
> > I am not sure I understand the status.
> >
> > Everything is working or not.
> > If not, what exactly fails?
> > Why do you run it 'again'?
> >
> > What happens if you reinstall host? Go to maintenance and select reinstall?
> >
> > I cannot understand how all this results from upgrade, something had
> > changed, the CA certificate installed on the host is probably not the CA
> > certificate of the engine.
> >
> > - Original Message -----
> >> From: "Chris Smith"
> >> To: "Alon Bar-Lev" , Users@ovirt.org
> >> Sent: Friday, April 19, 2013 1:45:23 AM
> >> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
> >> update
> >>
> >> On Thu, Apr 18, 2013 at 6:44 PM, Chris Smith
> >> wrote:
> >> > I made a backup of the .truststore, and then followed the steps and
> >> > then rebooted both the ovirt-engine and one of the hosts, and
> >> > everything worked properly.
> >> >
> >> > If I run it again, or enter the wrong password it throws an error
> >> > about the key store already existing, or that the password was wrong
> >> > so I'm pretty sure it's good.
> >> >
> >> > vdsm.log on the host still shows:
> >> >
> >> > Traceback (most recent call last):
> >> > File "/usr/lib64/python2.7/SocketServer.py", line 582, in
> >> > process_request_thread
> >> > self.finish_request(request, client_address)
> >> > File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
> >> > line 66, in finish_request
> >> > request.do_handshake()
> >> > File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
> >> > self._sslobj.do_handshake()
> >> > SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
> >> > routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> >> >
> >> > engine.log on the host shows:
> >> >
> >> > 2013-04-18 18:42:43,632 ERROR
> >> > [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> >> > (QuartzScheduler_Worker-68) Failed to decryptData must start with zero
> >> > 2013-04-18 18:42:43,642 ERROR
> >> > [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
> >> > (QuartzScheduler_Worker-68) XML RPC error in command
> >> > GetCapabilitiesVDS ( Vds: transporter ), the error was:
> >> > java.util.concurrent.ExecutionException:
> >> > java.lang.reflect.InvocationTargetException,
> >> > SunCertPathBuilderException: unable to find valid certification path
> >> > to requested target
> >> >
> >> >
> >> > On Thu, Apr 18, 2013 at 4:06 AM, Alon Bar-Lev wrote:
> >> >>
> >> >> You should ask these question in separate thread so people may pick
> >> >> them
> >> >> up.
> >> >>
> >> >> For the .truststore, try to remove it and then execute:
> >> >>
> >> >> # rm -f /etc/pki/ovirt-engine/.truststore
> >> >> # keytool -import -noprompt -trustcacerts -alias cacert -keypass mypass
> >> >> -file /etc/pki/ovirt-engine/certs/ca.der -keystore
> >> >> /etc/pki/ovirt-engine/.truststore -storepass mypass
> >> >> # chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore
> >> >>
> >> >> It should recreate the truststore with the ca certificate you have.
> >> >>
> >> >> - Original Message -
> >> >>> From: "Chris Smith"
> >> >>> To: "Alon Bar-Lev"
> >> >>> Cc: Users@ovirt.org
>
Re: [Users] Certificates and PKI seem to be broken after yum update
So as of now, I can put the host into maintenance mode using the ovirt-engine web interface. I can also try and activate it. It states that the host was activated. The host never actually comes up or contends for SPM status, and the data center never actually comes online.

If I put the host into maintenance mode and try to reinstall it, it throws an error and size must be between 0 and 50.

On Thu, Apr 18, 2013 at 6:51 PM, Alon Bar-Lev wrote:
> I am not sure I understand the status.
>
> Everything is working or not.
> If not, what exactly fails?
> Why do you run it 'again'?
>
> What happens if you reinstall host? Go to maintenance and select reinstall?
>
> I cannot understand how all this results from upgrade, something had changed,
> the CA certificate installed on the host is probably not the CA certificate
> of the engine.
>
> - Original Message -
>> From: "Chris Smith"
>> To: "Alon Bar-Lev" , Users@ovirt.org
>> Sent: Friday, April 19, 2013 1:45:23 AM
>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>>
>> On Thu, Apr 18, 2013 at 6:44 PM, Chris Smith wrote:
>> > I made a backup of the .truststore, and then followed the steps and
>> > then rebooted both the ovirt-engine and one of the hosts, and
>> > everything worked properly.
>> >
>> > If I run it again, or enter the wrong password it throws an error
>> > about the key store already existing, or that the password was wrong
>> > so I'm pretty sure it's good.
>> >
>> > vdsm.log on the host still shows:
>> >
>> > Traceback (most recent call last):
>> > File "/usr/lib64/python2.7/SocketServer.py", line 582, in
>> > process_request_thread
>> > self.finish_request(request, client_address)
>> > File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
>> > line 66, in finish_request
>> > request.do_handshake()
>> > File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>> > self._sslobj.do_handshake()
>> > SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>> > routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> >
>> > engine.log on the host shows:
>> >
>> > 2013-04-18 18:42:43,632 ERROR
>> > [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>> > (QuartzScheduler_Worker-68) Failed to decryptData must start with zero
>> > 2013-04-18 18:42:43,642 ERROR
>> > [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>> > (QuartzScheduler_Worker-68) XML RPC error in command
>> > GetCapabilitiesVDS ( Vds: transporter ), the error was:
>> > java.util.concurrent.ExecutionException:
>> > java.lang.reflect.InvocationTargetException,
>> > SunCertPathBuilderException: unable to find valid certification path
>> > to requested target
>> >
>> >
>> > On Thu, Apr 18, 2013 at 4:06 AM, Alon Bar-Lev wrote:
>> >>
>> >> You should ask these question in separate thread so people may pick them
>> >> up.
>> >>
>> >> For the .truststore, try to remove it and then execute:
>> >>
>> >> # rm -f /etc/pki/ovirt-engine/.truststore
>> >> # keytool -import -noprompt -trustcacerts -alias cacert -keypass mypass
>> >> -file /etc/pki/ovirt-engine/certs/ca.der -keystore
>> >> /etc/pki/ovirt-engine/.truststore -storepass mypass
>> >> # chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore
>> >>
>> >> It should recreate the truststore with the ca certificate you have.
>> >>
>> >> - Original Message -
>> >>> From: "Chris Smith"
>> >>> To: "Alon Bar-Lev"
>> >>> Cc: Users@ovirt.org
>> >>> Sent: Thursday, April 18, 2013 7:18:27 AM
>> >>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
>> >>> update
>> >>>
>> >>> If it would be easier than re-setting up the certificates, I'm also
>> >>> willing to just start over and rebuild, but I would like to export the
>> >>> VM's I have first.
>> >>> One of them is a spacewalk server, another runs DNS, and DHCP for my
>> >>> test network, and I have an asterisk server. I would like to avoid
>> >>> having to re-create all of them.
>> >>>
>> >>> The VM's are up and running now, so I could export all of the
>> >>&
Re: [Users] Certificates and PKI seem to be broken after yum update
I am not sure I understand the status.

Everything is working or not.
If not, what exactly fails?
Why do you run it 'again'?

What happens if you reinstall host? Go to maintenance and select reinstall?

I cannot understand how all this results from upgrade, something had changed, the CA certificate installed on the host is probably not the CA certificate of the engine.

- Original Message -
> From: "Chris Smith"
> To: "Alon Bar-Lev" , Users@ovirt.org
> Sent: Friday, April 19, 2013 1:45:23 AM
> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>
> On Thu, Apr 18, 2013 at 6:44 PM, Chris Smith wrote:
> > I made a backup of the .truststore, and then followed the steps and
> > then rebooted both the ovirt-engine and one of the hosts, and
> > everything worked properly.
> >
> > If I run it again, or enter the wrong password it throws an error
> > about the key store already existing, or that the password was wrong
> > so I'm pretty sure it's good.
> >
> > vdsm.log on the host still shows:
> >
> > Traceback (most recent call last):
> > File "/usr/lib64/python2.7/SocketServer.py", line 582, in
> > process_request_thread
> > self.finish_request(request, client_address)
> > File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
> > line 66, in finish_request
> > request.do_handshake()
> > File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
> > self._sslobj.do_handshake()
> > SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> >
> > engine.log on the host shows:
> >
> > 2013-04-18 18:42:43,632 ERROR
> > [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> > (QuartzScheduler_Worker-68) Failed to decryptData must start with zero
> > 2013-04-18 18:42:43,642 ERROR
> > [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
> > (QuartzScheduler_Worker-68) XML RPC error in command
> > GetCapabilitiesVDS ( Vds: transporter ), the error was:
> > java.util.concurrent.ExecutionException:
> > java.lang.reflect.InvocationTargetException,
> > SunCertPathBuilderException: unable to find valid certification path
> > to requested target
> >
> >
> > On Thu, Apr 18, 2013 at 4:06 AM, Alon Bar-Lev wrote:
> >>
> >> You should ask these question in separate thread so people may pick them
> >> up.
> >>
> >> For the .truststore, try to remove it and then execute:
> >>
> >> # rm -f /etc/pki/ovirt-engine/.truststore
> >> # keytool -import -noprompt -trustcacerts -alias cacert -keypass mypass
> >> -file /etc/pki/ovirt-engine/certs/ca.der -keystore
> >> /etc/pki/ovirt-engine/.truststore -storepass mypass
> >> # chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore
> >>
> >> It should recreate the truststore with the ca certificate you have.
> >>
> >> - Original Message -
> >>> From: "Chris Smith"
> >>> To: "Alon Bar-Lev"
> >>> Cc: Users@ovirt.org
> >>> Sent: Thursday, April 18, 2013 7:18:27 AM
> >>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
> >>> update
> >>>
> >>> If it would be easier than re-setting up the certificates, I'm also
> >>> willing to just start over and rebuild, but I would like to export the
> >>> VM's I have first.
> >>> One of them is a spacewalk server, another runs DNS, and DHCP for my
> >>> test network, and I have an asterisk server. I would like to avoid
> >>> having to re-create all of them.
> >>>
> >>> The VM's are up and running now, so I could export all of the
> >>> configurations / backup the file systems, etc.
> >>>
> >>> Preferably I could export the VM's to an NFS export domain, or a
> >>> mounted NFS share so that I can import them to the new storage domain,
> >>> after I run engine-cleanup and get everything set back up. Is there
> >>> an easy way to do this? Is it possible to create and attach an NFS
> >>> export domain directly from the CLI without access to the ovirt
> >>> manager without communication between the manager and hosts due to the
> >>> pki issue? Can I export the VM's directly from the hosts to a
> >>> standard NFS share?
> >>>
> >>> Is there an equivalent xml and image file for the VM?
> >&
Re: [Users] Certificates and PKI seem to be broken after yum update
On Thu, Apr 18, 2013 at 6:44 PM, Chris Smith wrote:
> I made a backup of the .truststore, and then followed the steps and
> then rebooted both the ovirt-engine and one of the hosts, and
> everything worked properly.
>
> If I run it again, or enter the wrong password it throws an error
> about the key store already existing, or that the password was wrong
> so I'm pretty sure it's good.
>
> vdsm.log on the host still shows:
>
> Traceback (most recent call last):
> File "/usr/lib64/python2.7/SocketServer.py", line 582, in
> process_request_thread
> self.finish_request(request, client_address)
> File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
> line 66, in finish_request
> request.do_handshake()
> File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
> self._sslobj.do_handshake()
> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
> engine.log on the host shows:
>
> 2013-04-18 18:42:43,632 ERROR
> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> (QuartzScheduler_Worker-68) Failed to decryptData must start with zero
> 2013-04-18 18:42:43,642 ERROR
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
> (QuartzScheduler_Worker-68) XML RPC error in command
> GetCapabilitiesVDS ( Vds: transporter ), the error was:
> java.util.concurrent.ExecutionException:
> java.lang.reflect.InvocationTargetException,
> SunCertPathBuilderException: unable to find valid certification path
> to requested target
>
>
> On Thu, Apr 18, 2013 at 4:06 AM, Alon Bar-Lev wrote:
>>
>> You should ask these question in separate thread so people may pick them up.
>>
>> For the .truststore, try to remove it and then execute:
>>
>> # rm -f /etc/pki/ovirt-engine/.truststore
>> # keytool -import -noprompt -trustcacerts -alias cacert -keypass mypass
>> -file /etc/pki/ovirt-engine/certs/ca.der -keystore
>> /etc/pki/ovirt-engine/.truststore -storepass mypass
>> # chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore
>>
>> It should recreate the truststore with the ca certificate you have.
>>
>> - Original Message -
>>> From: "Chris Smith"
>>> To: "Alon Bar-Lev"
>>> Cc: Users@ovirt.org
>>> Sent: Thursday, April 18, 2013 7:18:27 AM
>>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>>>
>>> If it would be easier than re-setting up the certificates, I'm also
>>> willing to just start over and rebuild, but I would like to export the
>>> VM's I have first.
>>> One of them is a spacewalk server, another runs DNS, and DHCP for my
>>> test network, and I have an asterisk server. I would like to avoid
>>> having to re-create all of them.
>>>
>>> The VM's are up and running now, so I could export all of the
>>> configurations / backup the file systems, etc.
>>>
>>> Preferably I could export the VM's to an NFS export domain, or a
>>> mounted NFS share so that I can import them to the new storage domain,
>>> after I run engine-cleanup and get everything set back up. Is there
>>> an easy way to do this? Is it possible to create and attach an NFS
>>> export domain directly from the CLI without access to the ovirt
>>> manager without communication between the manager and hosts due to the
>>> pki issue? Can I export the VM's directly from the hosts to a
>>> standard NFS share?
>>>
>>> Is there an equivalent xml and image file for the VM?
>>>
>>> My storage domain is iscsi and is served out from another server over
>>> 4 bonded 1 Gbps copper links.
>>>
>>>
>>>
>>> On Wed, Apr 17, 2013 at 11:46 PM, Chris Smith wrote:
>>> > I checked the .truststore on the ovirt engine, and it seems fine.
>>> >
>>> > [root@reliant ovirt-engine]# ls -l .truststore
>>> > -rwxr-x---. 1 ovirt ovirt 918 Apr 6 21:56 .truststore
>>> >
>>> > It's not zero bytes anyway.
>>> >
>>> > It's also the same size as the .truststore in the ovirt engine backups.
>>> >
>>> > [root@reliant ovirt-engine-backups]# find ./ -name .truststore -exec ls -l
>>> > {} \;
>>> > -rwxr-x---. 1 ovirt ovirt 918 Aug 26 2012
>>> > ./ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
>>> > -rwxr-x---. 1 root root 918 Mar 24 12:42
>>> > ./ovirt-engine-2013_03_24_11_15_19/ovirt-engine-20
Re: [Users] Certificates and PKI seem to be broken after yum update
You should ask these question in separate thread so people may pick them up.

For the .truststore, try to remove it and then execute:

# rm -f /etc/pki/ovirt-engine/.truststore
# keytool -import -noprompt -trustcacerts -alias cacert -keypass mypass -file /etc/pki/ovirt-engine/certs/ca.der -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass
# chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore

It should recreate the truststore with the ca certificate you have.

- Original Message -
> From: "Chris Smith"
> To: "Alon Bar-Lev"
> Cc: Users@ovirt.org
> Sent: Thursday, April 18, 2013 7:18:27 AM
> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>
> If it would be easier than re-setting up the certificates, I'm also
> willing to just start over and rebuild, but I would like to export the
> VM's I have first.
> One of them is a spacewalk server, another runs DNS, and DHCP for my
> test network, and I have an asterisk server. I would like to avoid
> having to re-create all of them.
>
> The VM's are up and running now, so I could export all of the
> configurations / backup the file systems, etc.
>
> Preferably I could export the VM's to an NFS export domain, or a
> mounted NFS share so that I can import them to the new storage domain,
> after I run engine-cleanup and get everything set back up. Is there
> an easy way to do this? Is it possible to create and attach an NFS
> export domain directly from the CLI without access to the ovirt
> manager without communication between the manager and hosts due to the
> pki issue? Can I export the VM's directly from the hosts to a
> standard NFS share?
>
> Is there an equivalent xml and image file for the VM?
>
> My storage domain is iscsi and is served out from another server over
> 4 bonded 1 Gbps copper links.
>
>
>
> On Wed, Apr 17, 2013 at 11:46 PM, Chris Smith wrote:
> > I checked the .truststore on the ovirt engine, and it seems fine.
> >
> > [root@reliant ovirt-engine]# ls -l .truststore
> > -rwxr-x---. 1 ovirt ovirt 918 Apr 6 21:56 .truststore
> >
> > It's not zero bytes anyway.
> >
> > It's also the same size as the .truststore in the ovirt engine backups.
> >
> > [root@reliant ovirt-engine-backups]# find ./ -name .truststore -exec ls -l
> > {} \;
> > -rwxr-x---. 1 ovirt ovirt 918 Aug 26 2012
> > ./ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
> > -rwxr-x---. 1 root root 918 Mar 24 12:42
> > ./ovirt-engine-2013_03_24_11_15_19/ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
> >
> > I haven't looked at the installCA.sh script yet.
> >
> > On Mon, Apr 8, 2013 at 2:58 AM, Alon Bar-Lev wrote:
> >> This error means that the /etc/pki/ovirt-engine/.truststore is unreadable
> >> or does not contain the /etc/pki/ovirt-engine/ca.pem certificate.
> >>
> >> Unfortunately, the pki administration is weak in current implementation,
> >> you can trace the installation script and checkout the calls to
> >> installCA.sh to how to reproduce, please note that password are encrypted
> >> in database using the private key locate in .keystore so if you are to
> >> re-generate anything remember to keep the engine private key.
> >>
> >> However, if you succeed in login, the remaining problem you have is the
> >> .truststore permissions and/or content.
> >>
> >> Regards,
> >> Alon Bar-Lev.
> >>
> >> - Original Message -
> >>> From: "Chris Smith"
> >>> To: "Alon Bar-Lev"
> >>> Cc: Users@ovirt.org
> >>> Sent: Monday, April 8, 2013 9:46:46 AM
> >>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
> >>> update
> >>>
> >>> After setting the .keystore owner and group owner to ovirt, and
> >>> rebooting, I now have a new error in engine.log
> >>>
> >>> 2013-04-08 02:39:16,787 ERROR
> >>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> >>> (QuartzScheduler_Worker-95) Failed to decryptData must start with zero
> >>> 2013-04-08 02:39:16,845 ERROR
> >>> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
> >>> (QuartzScheduler_Worker-95) XML RPC error in command
> >>> GetCapabilitiesVDS ( Vds: transporter ), the error was:
> >>> java.util.concurrent.ExecutionException:
> >>> java.lang.reflect.InvocationTargetException,
> >>> SunCertPathBuilderException: unable to find valid certification path
>
Re: [Users] Certificates and PKI seem to be broken after yum update
If it would be easier than re-setting up the certificates, I'm also willing to just start over and rebuild, but I would like to export the VM's I have first.
One of them is a spacewalk server, another runs DNS, and DHCP for my test network, and I have an asterisk server. I would like to avoid having to re-create all of them.

The VM's are up and running now, so I could export all of the configurations / backup the file systems, etc.

Preferably I could export the VM's to an NFS export domain, or a mounted NFS share so that I can import them to the new storage domain, after I run engine-cleanup and get everything set back up. Is there an easy way to do this? Is it possible to create and attach an NFS export domain directly from the CLI without access to the ovirt manager without communication between the manager and hosts due to the pki issue? Can I export the VM's directly from the hosts to a standard NFS share?

Is there an equivalent xml and image file for the VM?

My storage domain is iscsi and is served out from another server over 4 bonded 1 Gbps copper links.

On Wed, Apr 17, 2013 at 11:46 PM, Chris Smith wrote:
> I checked the .truststore on the ovirt engine, and it seems fine.
>
> [root@reliant ovirt-engine]# ls -l .truststore
> -rwxr-x---. 1 ovirt ovirt 918 Apr 6 21:56 .truststore
>
> It's not zero bytes anyway.
>
> It's also the same size as the .truststore in the ovirt engine backups.
>
> [root@reliant ovirt-engine-backups]# find ./ -name .truststore -exec ls -l {}
> \;
> -rwxr-x---. 1 ovirt ovirt 918 Aug 26 2012
> ./ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
> -rwxr-x---. 1 root root 918 Mar 24 12:42
> ./ovirt-engine-2013_03_24_11_15_19/ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
>
> I haven't looked at the installCA.sh script yet.
>
> On Mon, Apr 8, 2013 at 2:58 AM, Alon Bar-Lev wrote:
>> This error means that the /etc/pki/ovirt-engine/.truststore is unreadable or
>> does not contain the /etc/pki/ovirt-engine/ca.pem certificate.
>>
>> Unfortunately, the pki administration is weak in current implementation, you
>> can trace the installation script and checkout the calls to installCA.sh to
>> how to reproduce, please note that password are encrypted in database using
>> the private key locate in .keystore so if you are to re-generate anything
>> remember to keep the engine private key.
>>
>> However, if you succeed in login, the remaining problem you have is the
>> .truststore permissions and/or content.
>>
>> Regards,
>> Alon Bar-Lev.
>>
>> ----- Original Message -----
>>> From: "Chris Smith"
>>> To: "Alon Bar-Lev"
>>> Cc: Users@ovirt.org
>>> Sent: Monday, April 8, 2013 9:46:46 AM
>>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>>>
>>> After setting the .keystore owner and group owner to ovirt, and
>>> rebooting, I now have a new error in engine.log
>>>
>>> 2013-04-08 02:39:16,787 ERROR
>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> (QuartzScheduler_Worker-95) Failed to decryptData must start with zero
>>> 2013-04-08 02:39:16,845 ERROR
>>> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> (QuartzScheduler_Worker-95) XML RPC error in command
>>> GetCapabilitiesVDS ( Vds: transporter ), the error was:
>>> java.util.concurrent.ExecutionException:
>>> java.lang.reflect.InvocationTargetException,
>>> SunCertPathBuilderException: unable to find valid certification path
>>> to requested target
>>>
>>> Are there other files that may have been affected that I can also
>>> correct ownership or permissions on?
>>>
>>> On the host side, I get certificate unknown in vdsm.log
>>>
>>> File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>>> self._sslobj.do_handshake()
>>> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> Thread-757809::ERROR::2013-04-08
>>> 02:44:05,424::SecureXMLRPCServer::73::root::(handle_error) client
>>> ('172.16.23.8', 54489)
>>> Traceback (most recent call last):
>>> File "/usr/lib64/python2.7/SocketServer.py", line 582, in
>>> process_request_thread
>>> self.finish_request(request, client_address)
>>> File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
>>> line 66, in finish_request
>>> request.do_handshake()
>>> File "/usr/lib64/python2.7/ssl.py
Re: [Users] Certificates and PKI seem to be broken after yum update
I checked the .truststore on the ovirt engine, and it seems fine.

[root@reliant ovirt-engine]# ls -l .truststore
-rwxr-x---. 1 ovirt ovirt 918 Apr 6 21:56 .truststore

It's not zero bytes anyway.

It's also the same size as the .truststore in the ovirt engine backups.

[root@reliant ovirt-engine-backups]# find ./ -name .truststore -exec ls -l {} \;
-rwxr-x---. 1 ovirt ovirt 918 Aug 26 2012 ./ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
-rwxr-x---. 1 root root 918 Mar 24 12:42 ./ovirt-engine-2013_03_24_11_15_19/ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore

I haven't looked at the installCA.sh script yet.

On Mon, Apr 8, 2013 at 2:58 AM, Alon Bar-Lev wrote:
> This error means that the /etc/pki/ovirt-engine/.truststore is unreadable or
> does not contain the /etc/pki/ovirt-engine/ca.pem certificate.
>
> Unfortunately, the pki administration is weak in current implementation, you
> can trace the installation script and checkout the calls to installCA.sh to
> how to reproduce, please note that password are encrypted in database using
> the private key locate in .keystore so if you are to re-generate anything
> remember to keep the engine private key.
>
> However, if you succeed in login, the remaining problem you have is the
> .truststore permissions and/or content.
>
> Regards,
> Alon Bar-Lev.
Re: [Users] Certificates and PKI seem to be broken after yum update
This error means that the /etc/pki/ovirt-engine/.truststore is unreadable or
does not contain the /etc/pki/ovirt-engine/ca.pem certificate.

Unfortunately, the pki administration is weak in current implementation, you
can trace the installation script and checkout the calls to installCA.sh to
how to reproduce, please note that passwords are encrypted in database using
the private key located in .keystore so if you are to re-generate anything
remember to keep the engine private key.

However, if you succeed in login, the remaining problem you have is the
.truststore permissions and/or content.

Regards,
Alon Bar-Lev.

----- Original Message -----
> From: "Chris Smith"
> To: "Alon Bar-Lev"
> Cc: Users@ovirt.org
> Sent: Monday, April 8, 2013 9:46:46 AM
> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>
> After setting the .keystore owner and group owner to ovirt, and
> rebooting, I now have a new error in engine.log
>
> 2013-04-08 02:39:16,787 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-95) Failed to decryptData must start with zero
> 2013-04-08 02:39:16,845 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand] (QuartzScheduler_Worker-95) XML RPC error in command GetCapabilitiesVDS ( Vds: transporter ), the error was: java.util.concurrent.ExecutionException: java.lang.reflect.InvocationTargetException, SunCertPathBuilderException: unable to find valid certification path to requested target
>
> Are there other files that may have been affected that I can also
> correct ownership or permissions on?
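Added example, not part of the thread and not oVirt code: a check of the two causes named in the message above, that the .truststore is unreadable by the engine's account or does not contain the ca.pem certificate. It assumes the .truststore is a Java JKS keystore; the function names and the sample bytes built by build_constructed_jks are constructed for illustration.

```python
# Added example; assumes the truststore is a JKS keystore (not stated in the thread).
import base64
import hashlib
import os
import stat
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    body, inside = [], False
    for line in (raw.strip() for raw in pem_text.splitlines()):
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----" and inside:
            return base64.b64decode("".join(body))
        elif inside:
            body.append(line)
    raise ValueError("no complete CERTIFICATE block found")


def jks_trusted_certs(blob, password=None):
    """Parse a JKS blob; return {alias: DER} for its trusted-certificate entries."""
    end, pos = len(blob) - 20, 0  # the last 20 bytes are a SHA-1 integrity digest
    def take(n):
        nonlocal pos
        if pos + n > end:
            raise ValueError("truncated keystore")
        pos += n
        return blob[pos - n:pos]
    def u32():
        return struct.unpack(">I", take(4))[0]
    def utf():  # 2-byte length, then the (modified) UTF-8 bytes
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8", "replace")

    if end < 12 or u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    version = u32()
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    def cert():
        if version == 2:
            utf()  # certificate type, normally "X.509"
        return take(u32())

    trusted = {}
    for _ in range(u32()):
        tag, alias = u32(), utf()
        take(8)  # creation time in milliseconds
        if tag == 1:  # private-key entry: protected key, then its chain
            take(u32())
            for _ in range(u32()):
                cert()
        elif tag == 2:  # trusted-certificate entry
            trusted[alias] = cert()
        else:
            raise ValueError("unknown entry tag %d" % tag)
    if password is not None:  # optional integrity check over everything before the digest
        digest = hashlib.sha1(password.encode("utf-16-be") + WHITENER + blob[:end])
        if digest.digest() != blob[end:]:
            raise ValueError("integrity digest mismatch")
    return trusted


def readable_by(st, uid, gids):
    """POSIX read check for a non-root uid; ACLs and SELinux are not evaluated."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_truststore(truststore_path, ca_pem_path, uid, gids):
    """Return findings for the two failure causes; an empty list means neither applies."""
    findings = []
    if not readable_by(os.stat(truststore_path), uid, gids):
        findings.append("truststore is not readable by uid %d" % uid)
    with open(ca_pem_path) as fh:
        ca_der = pem_to_der(fh.read())
    with open(truststore_path, "rb") as fh:
        trusted = jks_trusted_certs(fh.read())
    if ca_der not in trusted.values():
        findings.append("no truststore entry equals the CA certificate")
    return findings


def build_constructed_jks(entries, password="constructed"):
    """Build a version-2 JKS blob from {alias: DER}; constructed sample input only."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries.items():
        name = alias.encode("utf-8")
        out += struct.pack(">IH", 2, len(name)) + name + struct.pack(">Q", 0)
        out += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return out + hashlib.sha1(password.encode("utf-16-be") + WHITENER + out).digest()
```

On a real engine the call would be check_truststore with the two /etc/pki/ovirt-engine paths named above and the uid and group ids of the ovirt account. Comparing the stored certificate bytes with ca.pem catches a truststore that has the expected size but holds a different certificate.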
Re: [Users] Certificates and PKI seem to be broken after yum update
After setting the .keystore owner and group owner to ovirt, and
rebooting, I now have a new error in engine.log

2013-04-08 02:39:16,787 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-95) Failed to decryptData must start with zero
2013-04-08 02:39:16,845 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand] (QuartzScheduler_Worker-95) XML RPC error in command GetCapabilitiesVDS ( Vds: transporter ), the error was: java.util.concurrent.ExecutionException: java.lang.reflect.InvocationTargetException, SunCertPathBuilderException: unable to find valid certification path to requested target

Are there other files that may have been affected that I can also
correct ownership or permissions on?

On the host side, I get certificate unknown in vdsm.log

  File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Thread-757809::ERROR::2013-04-08 02:44:05,424::SecureXMLRPCServer::73::root::(handle_error) client ('172.16.23.8', 54489)
Traceback (most recent call last):
  File "/usr/lib64/python2.7/SocketServer.py", line 582, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py", line 66, in finish_request
    request.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

Is there a procedure for just re-establishing PKI and certs for the
engine and hosts?

On Sun, Apr 7, 2013 at 4:58 AM, Alon Bar-Lev wrote:
>
> OK... you are running a very old version of engine (3.1).
>
> The upgrade did not upgraded into 3.2, so nothing as far as I know should
> have been changed.
Re: [Users] Certificates and PKI seem to be broken after yum update
OK... you are running a very old version of engine (3.1).

The upgrade did not upgrade into 3.2, so nothing as far as I know should
have been changed.

But the .keystore permissions is owned by root now, so some other package
(maybe selinux-policy) changed permissions...

The simplest way to test is to:
# cp -a /etc/pki/ovirt-engine /etc/pki/ovirt-engine.backup1
# chown -R ovirt:ovirt /etc/pki/ovirt-engine

But if that file permissions was changed, I can only assume other files
were also changed...

Regards,
Alon

----- Original Message -----
> From: "Chris Smith"
> To: "Alon Bar-Lev"
> Cc: Users@ovirt.org
> Sent: Sunday, April 7, 2013 11:51:17 AM
> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>
> I did a yum update and rebooted.
>
> engine-upgrade was run on 24-March
>
> When run now, it states that there are no updates available.
>
> [root@reliant ~]# engine-upgrade
> Loaded plugins: versionlock
> Checking for updates... (This may take several minutes)
> No updates available
>
>
> [root@reliant ovirt-engine]# cat ovirt-engine-upgrade_2013_03_24_12_04_06.log
> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing pgpass file, fetching DB host value
> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing pgpass file, fetching DB port value
> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing pgpass file, fetching DB admin value
> 2013-03-24 12:04:07::DEBUG::engine-upgrade::302::root:: Yum list updates started
> 2013-03-24 12:04:07::DEBUG::engine-upgrade::273::root:: Yum unlock started
> 2013-03-24 12:04:07::DEBUG::engine-upgrade::285::root:: Yum unlock completed successfully
> 2013-03-24 12:04:07::DEBUG::engine-upgrade::308::root:: Getting list of packages to upgrade
> 2013-03-24 12:04:27::DEBUG::engine-upgrade::260::root:: Yum lock started
> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine'
> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-3.1.0-4.fc17.noarch
>
> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-backend'
> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-backend-3.1.0-4.fc17.noarch
>
> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-config'
> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-config-3.1.0-4.fc17.noarch
>
> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-genericapi'
> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-genericapi-3.1.0-4.fc17.noarch
>
> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-notification-service'
> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-notification-service-3.1.0-4.fc17.noarch
>
> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-restapi'
> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-restapi-3.1.0-4.fc17.noarch
>
> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-tools-common'
> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-tools-common-3.1.0-4.fc17.noarch
>
> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing command --> '/bin/rpm -q ovirt-engine-userportal'
> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output = ovirt-engine-use
Re: [Users] Certificates and PKI seem to be broken after yum update
grade::320::root:: No packages marked for update
2013-03-24 12:04:28::DEBUG::engine-upgrade::324::root:: Installed packages:
2013-03-24 12:04:28::DEBUG::engine-upgrade::325::root:: ['ovirt-engine-3.1.0-4.fc17.noarch', 'ovirt-engine-backend-3.1.0-4.fc17.noarch', 'ovirt-engine-config-3.1.0-4.fc17.noarch', 'ovirt-engine-dbscripts-3.1.0-4.fc17.noarch', 'ovirt-engine-genericapi-3.1.0-4.fc17.noarch', 'ovirt-engine-notification-service-3.1.0-4.fc17.noarch', 'ovirt-engine-restapi-3.1.0-4.fc17.noarch', 'ovirt-engine-setup-3.1.0-4.fc17.noarch', 'ovirt-engine-tools-common-3.1.0-4.fc17.noarch', 'ovirt-engine-userportal-3.1.0-4.fc17.noarch', 'ovirt-engine-webadmin-portal-3.1.0-4.fc17.noarch', 'ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch', 'ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch', 'ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch', 'vdsm-bootstrap-4.10.0-13.fc17.noarch']
2013-03-24 12:04:28::DEBUG::engine-upgrade::327::root:: Yum list updated completed successfully
2013-03-24 12:04:28::DEBUG::engine-upgrade::609::root:: No updates available

Here's what's installed.

[root@reliant yum.repos.d]# yum list installed | grep ovirt
ovirt-engine.noarch                       3.1.0-4.fc17            @ovirt-stable
ovirt-engine-backend.noarch               3.1.0-4.fc17            @ovirt-stable
ovirt-engine-cli.noarch                   3.2.0.5-1.fc17          @updates
ovirt-engine-config.noarch                3.1.0-4.fc17            @ovirt-stable
ovirt-engine-dbscripts.noarch             3.1.0-4.fc17            @ovirt-stable
ovirt-engine-genericapi.noarch            3.1.0-4.fc17            @ovirt-stable
ovirt-engine-notification-service.noarch  3.1.0-4.fc17            @ovirt-stable
ovirt-engine-restapi.noarch               3.1.0-4.fc17            @ovirt-stable
ovirt-engine-sdk.noarch                   3.2.0.2-1.fc17          @updates
ovirt-engine-setup.noarch                 3.1.0-4.fc17            @ovirt-stable
ovirt-engine-tools-common.noarch          3.1.0-4.fc17            @ovirt-stable
ovirt-engine-userportal.noarch            3.1.0-4.fc17            @ovirt-stable
ovirt-engine-webadmin-portal.noarch       3.1.0-4.fc17            @ovirt-stable
ovirt-image-uploader.noarch               3.1.0-0.git9c42c8.fc17  @ovirt-stable
ovirt-iso-uploader.noarch                 3.1.0-0.git1841d9.fc17  @ovirt-stable
ovirt-log-collector.noarch                3.1.0-0.git10d719.fc17  @ovirt-stable
ovirt-release-fedora.noarch               4-2                     @/ovirt-release-fedora.noarch

On Sun, Apr 7, 2013 at 2:16 AM, Alon Bar-Lev wrote:
> How exactly did you upgrade?
>
> Usually yum upgrade will not touch ovirt-engine packages as it is in yum
> version lock.
> From which version to which version have you upgraded?
> Have you run engine-upgrade utility?
> If you did not, please run it.
> If you did, please attach logs from
> /var/log/ovirt-engine/ovirt-engine-upgrade*
>
> Thanks!
>
> ----- Original Message -----
>> From: "Chris Smith"
>> To: Users@ovirt.org
>> Sent: Sunday, April 7, 2013 5:09:46 AM
>> Subject: [Users] Certificates and PKI seem to be broken after yum update
>>
>> I have lost the ability to manage the hosts or VM's using ovirt
>> engine web interface after performing yum update on the ovirt-engine
>> host, and on one Fedora 17 host. The data center is offline, and I
>> can't place the hosts into maintenance mode. I don't think that there
>> are any actions I can perform in the web interface at all.
Re: [Users] Certificates and PKI seem to be broken after yum update
How exactly did you upgrade?

Usually yum upgrade will not touch ovirt-engine packages as it is in yum
version lock.
From which version to which version have you upgraded?
Have you run engine-upgrade utility?
If you did not, please run it.
If you did, please attach logs from
/var/log/ovirt-engine/ovirt-engine-upgrade*

Thanks!

----- Original Message -----
> From: "Chris Smith"
> To: Users@ovirt.org
> Sent: Sunday, April 7, 2013 5:09:46 AM
> Subject: [Users] Certificates and PKI seem to be broken after yum update
>
> I have lost the ability to manage the hosts or VM's using ovirt
> engine web interface after performing yum update on the ovirt-engine
> host, and on one Fedora 17 host. The data center is offline, and I
> can't place the hosts into maintenance mode. I don't think that there
> are any actions I can perform in the web interface at all.
>
> From the logs it seems that PKI is broken between the engine and the hosts.
>
> I am wondering how I can restore or re-generate all of the
> certificates and get the hosts communicating with the ovirt-engine
> again so that I can bring the data center back online.
>
> I found this page which deals with changing the engine hostname, and
> thus re-creating the certificates and keystore on the ovirt-engine
> node, and was wondering if this could help. Could I follow this
> process but keep the same hostname for the ovirt-engine node?
>
> http://wiki.ovirt.org/How_to_change_engine_host_name
>
> Currently I have 3 VM's running on two hosts. The VM's are up, but I
> can't do anything with them in ovirt-engine.
[Users] Certificates and PKI seem to be broken after yum update
I have lost the ability to manage the hosts or VM's using ovirt
engine web interface after performing yum update on the ovirt-engine
host, and on one Fedora 17 host. The data center is offline, and I
can't place the hosts into maintenance mode. I don't think that there
are any actions I can perform in the web interface at all.

From the logs it seems that PKI is broken between the engine and the hosts.

I am wondering how I can restore or re-generate all of the
certificates and get the hosts communicating with the ovirt-engine
again so that I can bring the data center back online.

I found this page which deals with changing the engine hostname, and
thus re-creating the certificates and keystore on the ovirt-engine
node, and was wondering if this could help. Could I follow this
process but keep the same hostname for the ovirt-engine node?

http://wiki.ovirt.org/How_to_change_engine_host_name

Currently I have 3 VM's running on two hosts. The VM's are up, but I
can't do anything with them in ovirt-engine.

Here's the latest activity from engine.log from the ovirt-engine node:

2013-04-06 21:58:47,472 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-61) Failed to decryptjava.io.FileNotFoundException: /etc/pki/ovirt-engine/.keystore (Permission denied)
2013-04-06 21:58:47,478 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-62) Can't load keystore from file "/etc/pki/ovirt-engine/.keystore".: java.io.FileNotFoundException: /etc/pki/ovirt-engine/.keystore (Permission denied)
    at java.io.FileInputStream.open(Native Method) [rt.jar:1.7.0_09-icedtea]
    at java.io.FileInputStream.<init>(FileInputStream.java:138) [rt.jar:1.7.0_09-icedtea]
    at org.ovirt.engine.core.engineencryptutils.EncryptionUtils.getKeyStore(EncryptionUtils.java:214) [engine-encryptutils.jar:]
    at org.ovirt.engine.core.engineencryptutils.EncryptionUtils.decrypt(EncryptionUtils.java:139) [engine-encryptutils.jar:]
    at org.ovirt.engine.core.dao.VdsStaticDAODbFacadeImpl.decryptPassword(VdsStaticDAODbFacadeImpl.java:139) [engine-dal.jar:]
    at org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(VdsDAODbFacadeImpl.java:253) [engine-dal.jar:]
    at org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(VdsDAODbFacadeImpl.java:169) [engine-dal.jar:]
    at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:92) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:653) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:591) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:641) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:670) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:702) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.executeCallInternal(PostgresDbEngineDialect.java:155) [engine-dal.jar:]
    at org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.doExecute(PostgresDbEngineDialect.java:121) [engine-dal.jar:]
    at org.springframework.jdbc.core.simple.SimpleJdbcCall.execute(SimpleJdbcCall.java:164) [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
    at org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeImpl(SimpleJdbcCallsHandler.java:124) [engine-dal.jar:]
    at org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadAndReturnMap(SimpleJdbcCallsHandler.java:75) [engine-dal.jar:]
    at org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadList(SimpleJdbcCallsHandler.java:66) [engine-dal.jar:]
    at org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeRead(SimpleJdbcCallsHandler.java:58) [engine-dal.jar:]
    at org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(VdsDAODbFacadeImpl.java:36) [engine-dal.jar:]
    at org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(VdsDAODbFacadeImpl.java:31) [engine-dal.jar:]
    at org.ovirt.engine.core.vdsbroker.VdsManager$1.runInTransaction(VdsManager.java:219) [engine-vdsbroker.jar:]
    at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInSuppressed(TransactionSupport.java:168) [engine-utils.jar:]
    at org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(TransactionSupport.java:107) [engine-utils.jar:]
    at org.ovirt.engine.core.vdsbroker.VdsManager.OnTimer(VdsManager.java:215) [engine-vdsbroker.jar:]
    at sun.reflect.GeneratedMethodAccessor13.invoke(Unknown Source)