Wind River Support Network

Fixed

OVP-1451 : ovirt-engine fails to set permissions on its /etc files

Created: Dec 16, 2013    Updated: Mar 11, 2016
Resolved Date: Jan 7, 2014
Found In Version: 5.0.1.10
Fix Version: 5.0.1.11, 6.0
Severity: Standard
Applicable for: Wind River Linux 5
Component/s: Userspace

Description

The ovirt-engine recipe uses an /etc/default/volatiles file to set
ownership and permissions on files that aren't volatile:
{noformat}

  /etc/default/volatiles/99_ovirt_engine

  d ovirt ovirt 0755 /var/log/ovirt-engine/ none
  d ovirt ovirt 0755 /var/run/ovirt-engine//notifier none
  d ovirt ovirt 0755 /var/lock/ovirt-engine/ none
  d ovirt ovirt 0755 /var/lock/ovirt-engine/ none
  d ovirt ovirt 0755 /var/log/ovirt-engine//notifier none
  d ovirt ovirt 0755 /var/log/ovirt-engine//engine-manage-domains none
  d ovirt ovirt 0755 /var/log/ovirt-engine//host-deploy none
  d ovirt ovirt 0755 /etc/ovirt-engine none
  d ovirt ovirt 0755 /etc/pki/ovirt-engine none
  d ovirt ovirt 0755 /etc/pki/ovirt-engine/certs none
  d ovirt ovirt 0755 /etc/pki/ovirt-engine/keys none
  d ovirt ovirt 0755 /etc/pki/ovirt-engine/requests none
  d ovirt ovirt 0755 /etc/pki/ovirt-engine/private none
  d ovirt ovirt 0755 /var/lib/ovirt-engine/ none
  d ovirt ovirt 0755 /var/lib/ovirt-engine//deployments none
  d ovirt ovirt 0755 /var/lib/ovirt-engine//content none
  f ovirt ovirt 0640 /etc/ovirt-engine/engine.conf none
{noformat}
The populate-volatile.sh script skips files and directories that already
exist, so the ownership and permissions never get set.  Here is output
from populate-volatile.sh with VERBOSE=yes:
{noformat}

  Checking for -/var/log/ovirt-engine/-.
  Creating directory -/var/log/ovirt-engine/-.
  Checking for -/var/run/ovirt-engine//notifier-.
  Creating directory -/var/run/ovirt-engine//notifier-.
  Checking for -/var/lock/ovirt-engine/-.
  Creating directory -/var/lock/ovirt-engine/-.
  Checking for -/var/lock/ovirt-engine/-.
  Creating directory -/var/lock/ovirt-engine/-.
  Target already exists. Skipping.
  Checking for -/var/log/ovirt-engine//notifier-.
  Creating directory -/var/log/ovirt-engine//notifier-.
  Checking for -/var/log/ovirt-engine//engine-manage-domains-.
  Creating directory -/var/log/ovirt-engine//engine-manage-domains-.
  Checking for -/var/log/ovirt-engine//host-deploy-.
  Creating directory -/var/log/ovirt-engine//host-deploy-.
  Checking for -/etc/ovirt-engine-.
  Creating directory -/etc/ovirt-engine-.
  Target already exists. Skipping.
  Checking for -/etc/pki/ovirt-engine-.
  Creating directory -/etc/pki/ovirt-engine-.
  Target already exists. Skipping.
  Checking for -/etc/pki/ovirt-engine/certs-.
  Creating directory -/etc/pki/ovirt-engine/certs-.
  Target already exists. Skipping.
  Checking for -/etc/pki/ovirt-engine/keys-.
  Creating directory -/etc/pki/ovirt-engine/keys-.
  Target already exists. Skipping.
  Checking for -/etc/pki/ovirt-engine/requests-.
  Creating directory -/etc/pki/ovirt-engine/requests-.
  Target already exists. Skipping.
  Checking for -/etc/pki/ovirt-engine/private-.
  Creating directory -/etc/pki/ovirt-engine/private-.
  Target already exists. Skipping.
  Checking for -/var/lib/ovirt-engine/-.
  Creating directory -/var/lib/ovirt-engine/-.
  Target already exists. Skipping.
  Checking for -/var/lib/ovirt-engine//deployments-.
  Creating directory -/var/lib/ovirt-engine//deployments-.
  Checking for -/var/lib/ovirt-engine//content-.
  Creating directory -/var/lib/ovirt-engine//content-.
  Checking for -/etc/ovirt-engine/engine.conf-.
  Creating file -/etc/ovirt-engine/engine.conf-.
  Target already exists. Skipping.
{noformat}
You can see that the permissions are wrong just by running 'ls':
{noformat}

  # ls -l /etc/pki/ovirt-engine
  total 60
  -rwxr-xr-x. 1 root  root  1134 Dec 10 20:03 CreateCA.sh
  -rwxr-xr-x. 1 root  root  2537 Dec 10 20:03 SignReq.sh
  lrwxrwxrwx. 1 root  root     6 Dec 16 15:56 apache-ca.pem -> ca.pem
  -rw-r-----. 1 ovirt ovirt 4793 Dec 16 15:56 ca.pem
  -rw-r--r--. 1 root  root   561 Dec 16 15:56 cacert.conf
  -rw-r--r--. 1 root  root   503 Dec 16 15:56 cacert.template
  -rw-r--r--. 1 root  root   555 Dec 16 15:56 cert.conf
  -rw-r--r--. 1 root  root   555 Dec 16 15:56 cert.template
  drwxr-xr-x. 1 root  root   160 Dec 16 15:56 certs
  -rw-r--r--. 1 root  root   225 Dec 16 15:56 database.txt
  -rw-r--r--. 1 root  root    20 Dec 16 15:56 database.txt.attr
  -rw-r--r--. 1 root  root    20 Dec 16 15:56 database.txt.attr.old
  -rw-r--r--. 1 root  root   153 Dec 16 15:56 database.txt.old
  -rwxr-xr-x. 1 root  root  2159 Dec 10 20:03 installCA.sh
  -rwxr-xr-x. 1 root  root  2745 Dec 10 20:03 installCA_dev.sh
  drwxr-xr-x. 1 root  root   120 Dec 16 15:56 keys
  -rw-r--r--. 1 root  root   637 Dec 10 20:03 openssl.conf
  drwxr-x---. 1 ovirt ovirt   60 Dec 16 15:56 private
  drwxr-xr-x. 1 root  root   100 Dec 16 15:56 requests
  -rw-r--r--. 1 root  root     3 Dec 16 15:56 serial.txt
  -rw-r--r--. 1 root  root     3 Dec 16 15:56 serial.txt.old
  # 
{noformat}
This produces fatal errors during node-initiated registration:
{noformat}

  /var/log/ovirt-engine/engine.log

  2013-12-13 03:38:53,494 ERROR [org.ovirt.engine.core.utils.hostinstall.OpenSslCAWrapper] (VdsDeploy) Sign Certificate request failed with exit code 1
  2013-12-13 03:38:53,495 ERROR [org.ovirt.engine.core.utils.hostinstall.OpenSslCAWrapper] (VdsDeploy) Sign Certificate request script errors:
  null/etc/pki/ovirt-engine/SignReq.sh: line 33: grep: command not found
  unable to write certificate
  139823733995176:error:09072007:PEM routines:PEM_write_bio:BUF lib:pem_lib.c:644:
  Using configuration from openssl.conf
  I am unable to access the certs directory
  certs: Permission denied
  unable to write 'random state'

  2013-12-13 03:38:53,496 ERROR [org.ovirt.engine.core.bll.VdsDeploy] (VdsDeploy) Error during deploy dialog: java.lang.RuntimeException: Certificate enrollment failed
          at org.ovirt.engine.core.utils.hostinstall.OpenSslCAWrapper.SignCertificateRequest(OpenSslCAWrapper.java:97) [utils.jar:]
          at org.ovirt.engine.core.bll.VdsDeploy._threadMain(VdsDeploy.java:741) [bll.jar:]
          at org.ovirt.engine.core.bll.VdsDeploy.access$1400(VdsDeploy.java:71) [bll.jar:]
          at org.ovirt.engine.core.bll.VdsDeploy$32.run(VdsDeploy.java:779) [bll.jar:]
          at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_03-icedtea]

  [...]
  2013-12-13 03:40:09,073 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand] (pool-3-thread-10) [2f42fc9e] XML RPC error in command GetCapabilitiesVDS ( HostName = donn-gandy.wrs.com ), the error was: java.util.concurrent.ExecutionException: java.lang.reflect.InvocationTargetException, unable to find valid certification path to requested target 
{noformat}

Workaround

Fix the permissions by hand after booting but before node registration.
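The skip-existing behaviour described above, and the by-hand permission fix given as the workaround, as an added example that is not part of the defect report or the ovirt-engine recipe: the function reads a volatiles file in the format quoted above, reports every already-existing target whose owner, group or mode differs from the declared one, and with a second argument of `fix` applies the declared values. It assumes GNU coreutils (`stat -c`).

```shell
# Audit an /etc/default/volatiles file against what is actually on disk.
# populate-volatile.sh creates missing targets with the declared owner,
# group and mode but skips targets that already exist, so declared values
# for pre-existing paths are never applied. This reports each such
# mismatch and, with "fix" as the second argument, applies the declared
# owner/group/mode (the manual workaround, scripted). Assumes GNU stat.
# Returns the number of mismatches found (0 means everything matched).
check_volatiles() {
    volatiles_file=$1
    action=${2:-report}
    mismatches=0
    # One entry per line: type(d|f|l) owner group mode path link-source
    while read -r type owner group mode path linksrc; do
        case "$type" in ''|\#*) continue ;; esac   # blank lines and comments
        [ -e "$path" ] || continue    # missing targets get created correctly
        want_mode=$(printf '%o' "0$mode")          # normalise "0755" -> "755"
        actual=$(stat -c '%U %G %a' "$path") || continue
        set -- $actual                             # $1=owner $2=group $3=mode
        if [ "$1" = "$owner" ] && [ "$2" = "$group" ] && [ "$3" = "$want_mode" ]; then
            continue
        fi
        printf 'MISMATCH %s: declared %s:%s %s, actual %s:%s %s\n' \
            "$path" "$owner" "$group" "$want_mode" "$1" "$2" "$3"
        mismatches=$((mismatches + 1))
        if [ "$action" = fix ]; then
            chown "$owner:$group" "$path"
            chmod "$want_mode" "$path"
        fi
    done < "$volatiles_file"
    return "$mismatches"
}
```

Run it as `check_volatiles /etc/default/volatiles/99_ovirt_engine` after boot to confirm the /etc/pki/ovirt-engine entries took effect, or with `fix` (as root) to apply them before node registration.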

Steps to Reproduce

.../configure --enable-board=intel-xeon-core --enable-kernel=preempt-rt --enable-rootfs=ovp-ovirt-engine+gdb+nfsd --enable-addons=wr-ovp ...
make all
make usb-image
[boot the engine image]
[create a node image that sets vdc_host_name in vdsm-reg.conf to the engine]
[boot the node image]
[watch the node fail to register]
