2:51 p.m.
On the server end if you try to start the server with TLS enabled and you
don't have the certs setup, you get a cryptic:
gnutls_certificate_set_x509_trust_file: Error while reading file.
Rather useless the gnutls error message not telling you what file was
missing.
Similarly with virsh:
# ~/usr/bin/virsh --connect qemu://localhost/system list
libvir: Remote error : Error while reading file.
Since GNU TLS doesn't even tell you the actual problem - was it wrong
permissions, or missing file altogether, I decided its better to do an
explicit 'stat' check ahead of time.
So now it gives:
$ ~/usr/bin/virsh --connect qemu://celery.virt.boston.redhat.com/system start demo
libvir: Remote error : Cannot access CA certificate
'/home/berrange/usr/etc/pki/CA/cacert.pem': No such file or directory (2)
Or
$ ~/usr/bin/virsh --connect qemu://celery.virt.boston.redhat.com/system start demo
libvir: Remote error : Cannot access CA certificate
'/home/berrange/usr/etc/pki/CA/cacert.pem': Permission denied (13)
Or in the daemon
# /usr/sbin/libvirtd --listen
Cannot access CA certificate '/home/berrange/usr/etc/pki/CA/cacert.pem': No such
file or directory (2)
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
3:10 p.m.
On Wed, Jul 11, 2007 at 08:51:26PM +0100, Daniel P. Berrange wrote:
On the server end if you try to start the server with TLS enabled and
you
don't have the certs setup, you get a cryptic:
gnutls_certificate_set_x509_trust_file: Error while reading file.
Rather useless the gnutls error message not telling you what file was
missing.
Similarly with virsh:
# ~/usr/bin/virsh --connect qemu://localhost/system list
libvir: Remote error : Error while reading file.
Since GNU TLS doesn't even tell you the actual problem - was it wrong
permissions, or missing file altogether, I decided its better to do an
explicit 'stat' check ahead of time.
So now it gives:
$ ~/usr/bin/virsh --connect qemu://celery.virt.boston.redhat.com/system start demo
libvir: Remote error : Cannot access CA certificate
'/home/berrange/usr/etc/pki/CA/cacert.pem': No such file or directory (2)
Or
$ ~/usr/bin/virsh --connect qemu://celery.virt.boston.redhat.com/system start demo
libvir: Remote error : Cannot access CA certificate
'/home/berrange/usr/etc/pki/CA/cacert.pem': Permission denied (13)
Or in the daemon
# /usr/sbin/libvirtd --listen
Cannot access CA certificate '/home/berrange/usr/etc/pki/CA/cacert.pem': No such
file or directory (2)
All sounds good,
+#define CHECK_CERT(type, file) \
+ do { if (stat(file, &sb) < 0) { \
+ qemudLog (QEMUD_ERR, "Cannot access " type " '%s': %s
(%d)", \
+ file, strerror(errno), errno); \
+ return -1; \
+ } } while (0)
+
Why not make a function instead of this convoluted construct ?
And same in src/remote_internal.c too.
I started writing a shell script which would allow checking the certificates,
and could be extended to generate some of them if needed. But good run-time
error sounds even better !
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard(a)redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
9:59 a.m.
On Wed, Jul 11, 2007 at 04:10:10PM -0400, Daniel Veillard wrote:
On Wed, Jul 11, 2007 at 08:51:26PM +0100, Daniel P. Berrange wrote:
> On the server end if you try to start the server with TLS enabled and you
> don't have the certs setup, you get a cryptic:
>
> gnutls_certificate_set_x509_trust_file: Error while reading file.
>
> Rather useless the gnutls error message not telling you what file was
> missing.
>
> Similarly with virsh:
>
> # ~/usr/bin/virsh --connect qemu://localhost/system list
> libvir: Remote error : Error while reading file.
>
> Since GNU TLS doesn't even tell you the actual problem - was it wrong
> permissions, or missing file altogether, I decided its better to do an
> explicit 'stat' check ahead of time.
>
> So now it gives:
>
> $ ~/usr/bin/virsh --connect qemu://celery.virt.boston.redhat.com/system start
demo
> libvir: Remote error : Cannot access CA certificate
> '/home/berrange/usr/etc/pki/CA/cacert.pem': No such file or directory (2)
>
> Or
>
> $ ~/usr/bin/virsh --connect qemu://celery.virt.boston.redhat.com/system start
demo
> libvir: Remote error : Cannot access CA certificate
> '/home/berrange/usr/etc/pki/CA/cacert.pem': Permission denied (13)
>
> Or in the daemon
>
> # /usr/sbin/libvirtd --listen
> Cannot access CA certificate '/home/berrange/usr/etc/pki/CA/cacert.pem': No
such file or directory (2)
>
All sounds good,
> +#define CHECK_CERT(type, file) \
> + do { if (stat(file, &sb) < 0) { \
> + qemudLog (QEMUD_ERR, "Cannot access " type "
'%s': %s (%d)", \
> + file, strerror(errno), errno); \
> + return -1; \
> + } } while (0)
> +
Why not make a function instead of this convoluted construct ?
And same in src/remote_internal.c too.
I committed with that suggested change - the compiler will probably
inline the function anyway.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
10:08 a.m.
On Thu, Jul 12, 2007 at 03:59:57PM +0100, Daniel P. Berrange wrote:
On Wed, Jul 11, 2007 at 04:10:10PM -0400, Daniel Veillard wrote:
> > +#define CHECK_CERT(type, file) \
> > + do { if (stat(file, &sb) < 0) {
\
> > + qemudLog (QEMUD_ERR, "Cannot access " type "
'%s': %s (%d)", \
> > + file, strerror(errno), errno); \
> > + return -1; \
> > + } } while (0)
> > +
>
> Why not make a function instead of this convoluted construct ?
> And same in src/remote_internal.c too.
I committed with that suggested change - the compiler will probably
inline the function anyway.
Thanks :-)
Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard(a)redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
3:33 a.m.
Daniel P. Berrange wrote:
On the server end if you try to start the server with TLS enabled and
you
don't have the certs setup, you get a cryptic:
gnutls_certificate_set_x509_trust_file: Error while reading file.
Rather useless the gnutls error message not telling you what file was
missing.
Similarly with virsh:
# ~/usr/bin/virsh --connect qemu://localhost/system list
libvir: Remote error : Error while reading file.
Since GNU TLS doesn't even tell you the actual problem - was it wrong
permissions, or missing file altogether, I decided its better to do an
explicit 'stat' check ahead of time.
+1
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
6324
days inactive
6325
days old
4 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Daniel Veillard -
Richard W.M. Jones