Fixed
Created: Dec 16, 2013
Updated: Mar 11, 2016
Resolved Date: Jan 7, 2014
Found In Version: 5.0.1.10
Fix Version: 5.0.1.11,6.0
Severity: Standard
Applicable for: Wind River Linux 5
Component/s: Userspace
The ovirt-engine recipe uses an /etc/default/volatiles file to set
ownership and permissions on files that aren't volatile:
{noformat}
/etc/default/volatiles/99_ovirt_engine
d ovirt ovirt 0755 /var/log/ovirt-engine/ none
d ovirt ovirt 0755 /var/run/ovirt-engine//notifier none
d ovirt ovirt 0755 /var/lock/ovirt-engine/ none
d ovirt ovirt 0755 /var/lock/ovirt-engine/ none
d ovirt ovirt 0755 /var/log/ovirt-engine//notifier none
d ovirt ovirt 0755 /var/log/ovirt-engine//engine-manage-domains none
d ovirt ovirt 0755 /var/log/ovirt-engine//host-deploy none
d ovirt ovirt 0755 /etc/ovirt-engine none
d ovirt ovirt 0755 /etc/pki/ovirt-engine none
d ovirt ovirt 0755 /etc/pki/ovirt-engine/certs none
d ovirt ovirt 0755 /etc/pki/ovirt-engine/keys none
d ovirt ovirt 0755 /etc/pki/ovirt-engine/requests none
d ovirt ovirt 0755 /etc/pki/ovirt-engine/private none
d ovirt ovirt 0755 /var/lib/ovirt-engine/ none
d ovirt ovirt 0755 /var/lib/ovirt-engine//deployments none
d ovirt ovirt 0755 /var/lib/ovirt-engine//content none
f ovirt ovirt 0640 /etc/ovirt-engine/engine.conf none
{noformat}
The populate-volatile.sh script skips files and directories that already
exist, so the ownership and permissions never get set. Here is output
from populate-volatile.sh with VERBOSE=yes:
{noformat}
Checking for -/var/log/ovirt-engine/-.
Creating directory -/var/log/ovirt-engine/-.
Checking for -/var/run/ovirt-engine//notifier-.
Creating directory -/var/run/ovirt-engine//notifier-.
Checking for -/var/lock/ovirt-engine/-.
Creating directory -/var/lock/ovirt-engine/-.
Checking for -/var/lock/ovirt-engine/-.
Creating directory -/var/lock/ovirt-engine/-.
Target already exists. Skipping.
Checking for -/var/log/ovirt-engine//notifier-.
Creating directory -/var/log/ovirt-engine//notifier-.
Checking for -/var/log/ovirt-engine//engine-manage-domains-.
Creating directory -/var/log/ovirt-engine//engine-manage-domains-.
Checking for -/var/log/ovirt-engine//host-deploy-.
Creating directory -/var/log/ovirt-engine//host-deploy-.
Checking for -/etc/ovirt-engine-.
Creating directory -/etc/ovirt-engine-.
Target already exists. Skipping.
Checking for -/etc/pki/ovirt-engine-.
Creating directory -/etc/pki/ovirt-engine-.
Target already exists. Skipping.
Checking for -/etc/pki/ovirt-engine/certs-.
Creating directory -/etc/pki/ovirt-engine/certs-.
Target already exists. Skipping.
Checking for -/etc/pki/ovirt-engine/keys-.
Creating directory -/etc/pki/ovirt-engine/keys-.
Target already exists. Skipping.
Checking for -/etc/pki/ovirt-engine/requests-.
Creating directory -/etc/pki/ovirt-engine/requests-.
Target already exists. Skipping.
Checking for -/etc/pki/ovirt-engine/private-.
Creating directory -/etc/pki/ovirt-engine/private-.
Target already exists. Skipping.
Checking for -/var/lib/ovirt-engine/-.
Creating directory -/var/lib/ovirt-engine/-.
Target already exists. Skipping.
Checking for -/var/lib/ovirt-engine//deployments-.
Creating directory -/var/lib/ovirt-engine//deployments-.
Checking for -/var/lib/ovirt-engine//content-.
Creating directory -/var/lib/ovirt-engine//content-.
Checking for -/etc/ovirt-engine/engine.conf-.
Creating file -/etc/ovirt-engine/engine.conf-.
Target already exists. Skipping.
{noformat}
You can see that the permissions are wrong just by running 'ls':
{noformat}
# ls -l /etc/pki/ovirt-engine
total 60
-rwxr-xr-x. 1 root root 1134 Dec 10 20:03 CreateCA.sh
-rwxr-xr-x. 1 root root 2537 Dec 10 20:03 SignReq.sh
lrwxrwxrwx. 1 root root 6 Dec 16 15:56 apache-ca.pem -> ca.pem
-rw-r-----. 1 ovirt ovirt 4793 Dec 16 15:56 ca.pem
-rw-r--r--. 1 root root 561 Dec 16 15:56 cacert.conf
-rw-r--r--. 1 root root 503 Dec 16 15:56 cacert.template
-rw-r--r--. 1 root root 555 Dec 16 15:56 cert.conf
-rw-r--r--. 1 root root 555 Dec 16 15:56 cert.template
drwxr-xr-x. 1 root root 160 Dec 16 15:56 certs
-rw-r--r--. 1 root root 225 Dec 16 15:56 database.txt
-rw-r--r--. 1 root root 20 Dec 16 15:56 database.txt.attr
-rw-r--r--. 1 root root 20 Dec 16 15:56 database.txt.attr.old
-rw-r--r--. 1 root root 153 Dec 16 15:56 database.txt.old
-rwxr-xr-x. 1 root root 2159 Dec 10 20:03 installCA.sh
-rwxr-xr-x. 1 root root 2745 Dec 10 20:03 installCA_dev.sh
drwxr-xr-x. 1 root root 120 Dec 16 15:56 keys
-rw-r--r--. 1 root root 637 Dec 10 20:03 openssl.conf
drwxr-x---. 1 ovirt ovirt 60 Dec 16 15:56 private
drwxr-xr-x. 1 root root 100 Dec 16 15:56 requests
-rw-r--r--. 1 root root 3 Dec 16 15:56 serial.txt
-rw-r--r--. 1 root root 3 Dec 16 15:56 serial.txt.old
#
{noformat}
This produces fatal errors during node-initiated registration:
{noformat}
/var/log/ovirt-engine/engine.log
2013-12-13 03:38:53,494 ERROR [org.ovirt.engine.core.utils.hostinstall.OpenSslCAWrapper] (VdsDeploy) Sign Certificate request failed with exit code 1
2013-12-13 03:38:53,495 ERROR [org.ovirt.engine.core.utils.hostinstall.OpenSslCAWrapper] (VdsDeploy) Sign Certificate request script errors:
null/etc/pki/ovirt-engine/SignReq.sh: line 33: grep: command not found
unable to write certificate
139823733995176:error:09072007:PEM routines:PEM_write_bio:BUF lib:pem_lib.c:644:
Using configuration from openssl.conf
I am unable to access the certs directory
certs: Permission denied
unable to write 'random state'
2013-12-13 03:38:53,496 ERROR [org.ovirt.engine.core.bll.VdsDeploy] (VdsDeploy) Error during deploy dialog: java.lang.RuntimeException: Certificate enrollment failed
at org.ovirt.engine.core.utils.hostinstall.OpenSslCAWrapper.SignCertificateRequest(OpenSslCAWrapper.java:97) [utils.jar:]
at org.ovirt.engine.core.bll.VdsDeploy._threadMain(VdsDeploy.java:741) [bll.jar:]
at org.ovirt.engine.core.bll.VdsDeploy.access$1400(VdsDeploy.java:71) [bll.jar:]
at org.ovirt.engine.core.bll.VdsDeploy$32.run(VdsDeploy.java:779) [bll.jar:]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_03-icedtea]
[...]
2013-12-13 03:40:09,073 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand] (pool-3-thread-10) [2f42fc9e] XML RPC error in command GetCapabilitiesVDS ( HostName = donn-gandy.wrs.com ), the error was: java.util.concurrent.ExecutionException: java.lang.reflect.InvocationTargetException, unable to find valid certification path to requested target
{noformat}
Fix the permissions by hand after booting but before node registration.
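To find which entries need that by-hand fix, the check below compares each existing target against the owner, group and mode its volatiles entry declares. It is an added example, not part of populate-volatile.sh or the ovirt-engine recipe; the names `audit_volatiles` and `demo`, the optional root prefix and the sample data are assumptions, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example: audit a volatiles file against the live filesystem.
# audit_volatiles FILE [ROOT]
#   For every d/f entry whose target already exists (the case that
#   populate-volatile.sh skips), compare the live owner, group and mode
#   with the declared values. Prints one DRIFT line per mismatch and
#   returns 1 if any entry drifted, 0 otherwise.
#   ROOT is an optional prefix, e.g. an unpacked rootfs (assumption).
audit_volatiles() {
    vfile=$1
    root=${2:-}
    drift=0
    while read -r ttype user group mode path rest; do
        case $ttype in
            d|f) ;;          # only directory and file entries are checked
            *) continue ;;   # blank lines, comments, other entry types
        esac
        target=$root$path
        # Missing targets are created with the declared attributes,
        # so only targets that already exist can drift.
        if [ ! -e "$target" ]; then continue; fi
        have=$(stat -c '%U %G %a' "$target")
        want="$user $group $(printf '%o' "$((0$mode))")"  # 0755 -> 755
        if [ "$have" != "$want" ]; then
            echo "DRIFT $path: have $have, want $want"
            drift=1
        fi
    done < "$vfile"
    return "$drift"
}

# Constructed sample: a pre-existing certs directory and two entries in
# the format shown above. The "ovirt" account does not need to exist,
# because owner and group names are compared as strings.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/pki/ovirt-engine/certs"
    chmod 0755 "$tmp/etc/pki/ovirt-engine/certs"
    cat > "$tmp/volatiles" <<'EOF'
d ovirt ovirt 0755 /etc/pki/ovirt-engine/certs none
d ovirt ovirt 0755 /var/log/ovirt-engine/ none
EOF
    audit_volatiles "$tmp/volatiles" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
demo || true
```

On a booted engine image, run it as `audit_volatiles /etc/default/volatiles/99_ovirt_engine` with no root prefix.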
Steps to reproduce:
{noformat}
.../configure --enable-board=intel-xeon-core --enable-kernel=preempt-rt --enable-rootfs=ovp-ovirt-engine+gdb+nfsd --enable-addons=wr-ovp ...
make all
make usb-image
[boot the engine image]
[create a node image that sets vdc_host_name in vdsm-reg.conf to the engine]
[boot the node image]
[watch the node fail to register]
{noformat}