
Hi,

While running a test case of adding hosts on oVirt system tests there was a failure while the following command was executed:

    vdsm-tool configure --force

In the libvirtd log I found this error:

    2021-12-17 00:11:41.753+0000: 28031: error : virNetTLSContextNew:732 : Unable to generate diffie-hellman parameters: Error in public key generation.

How would you suggest to debug this failure?
Attaching libvirtd & journalctl logs.

libvirt version: 7.10.0, package: 1.module_el8.6.0+1046+bd8eec5e

Thanks,
Dana

The error from host deploy log:

    "2021-12-17 01":"11":"45 CET - fatal":[ ost-basic-suite-master-host-0 ]:"FAILED! =>"{
      "changed":true,
      "cmd":[ "vdsm-tool", "configure", "--force" ],
      "delta":"0:00:06.908971",
      "end":"2021-12-17 01:11:42.815057",
      "msg":"non-zero return code",
      "rc":1,
      "start":"2021-12-17 01:11:35.906086",
      "stderr":"Error: ServiceOperationError: _systemctlStart failed\nb'Job for libvirtd.service failed because a fatal signal was delivered causing the control process to dump core.\\nSee \"systemctl status libvirtd.service\" and \"journalctl -xe\" for details.\\n' ",
      "stderr_lines":[ "Error: ServiceOperationError: _systemctlStart failed", "b'Job for libvirtd.service failed because a fatal signal was delivered causing the control process to dump core.\\nSee \"systemctl status libvirtd.service\" and \"journalctl -xe\" for details.\\n' " ],
      "stdout":"\nChecking configuration status...\n\nlvm is configured for vdsm\nCurrent revision of multipath.conf detected, preserving\nlibvirt is already configured for vdsm\nSUCCESS: ssl configured to true. No conflicts\nsanlock is configured for vdsm\nManaged volume database is already configured\n\nRunning configure...\nReconfiguration of libvirt is done.\nReconfiguration of passwd is done.",
      "stdout_lines":[ "", "Checking configuration status...", "", "lvm is configured for vdsm", "Current revision of multipath.conf detected, preserving", "libvirt is already configured for vdsm", "SUCCESS: ssl configured to true. No conflicts", "sanlock is configured for vdsm", "Managed volume database is already configured", "", "Running configure...", "Reconfiguration of libvirt is done.", "Reconfiguration of passwd is done." ]
    }

On 12/20/21 11:34, Dana Elfassy wrote:
Hi, While running a test case of adding hosts on oVirt system tests there was a failure while the following command was executed: vdsm-tool configure --force
In the libvirtd log I found this error:
2021-12-17 00:11:41.753+0000: 28031: error : virNetTLSContextNew:732 : Unable to generate diffie-hellman parameters: Error in public key generation.
This is the code on that line:

    err = gnutls_dh_params_init(&ctxt->dhParams);
    if (err < 0) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to initialize diffie-hellman parameters: %s"),
                       gnutls_strerror(err));
        goto error;
    }

    err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
    if (err < 0) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to generate diffie-hellman parameters: %s"),
                       gnutls_strerror(err));
        goto error;
    }

    gnutls_certificate_set_dh_params(ctxt->x509cred, ctxt->dhParams);

More specifically, it's gnutls_dh_params_generate2() that fails. I suspect it's because DH_BITS is defined as follows:

    #define DH_BITS 2048

which might be too short for system policy. If you're able, you can try the following patch:

diff --git i/src/rpc/virnettlscontext.c w/src/rpc/virnettlscontext.c index 1a3dd92676..3ab9f6c4ce 100644 --- i/src/rpc/virnettlscontext.c +++ w/src/rpc/virnettlscontext.c @@ -717,16 +717,20 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert, * once a day, once a week or once a month. Depending on the * security requirements. */ if (isServer) { + unsigned int bits = 0; + + bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH); + err = gnutls_dh_params_init(&ctxt->dhParams); if (err < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("Unable to initialize diffie-hellman parameters: %s"), gnutls_strerror(err)); goto error; } - err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS); + err = gnutls_dh_params_generate2(ctxt->dhParams, bits); if (err < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("Unable to generate diffie-hellman parameters: %s"), gnutls_strerror(err));

If it helps, I can post it for review.

Michal
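Review bot: the two added lines `+ unsigned int bits = 0;` and `+ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH);` can be collapsed into one initialised declaration, and the result needs a check before it reaches gnutls_dh_params_generate2(): gnutls_sec_param_to_pk_bits() returns 0 when it cannot map the level, and as written that 0 is passed straight through rather than producing a clear virReportError() of its own. With DH_BITS no longer referenced in this hunk, the `#define DH_BITS 2048` quoted above should go as well if nothing else uses it. A line in the commit message noting that GNUTLS_SEC_PARAM_HIGH currently maps to 3072-bit DH parameters would help reviewers, since daemon start now pays for a larger generation than before; the comment just above the hunk about regenerating the parameters once a day, week or month still applies.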

Thanks. Is it possible for you to create an rpm with this fix so I can use it on the test runs and try to reproduce?

On Tue, Dec 21, 2021 at 11:02 AM Michal Prívozník <mprivozn@redhat.com> wrote:
On 12/20/21 11:34, Dana Elfassy wrote:
Hi, While running a test case of adding hosts on oVirt system tests there was a failure while the following command was executed: vdsm-tool configure --force
In the libvirtd log I found this error:
2021-12-17 00:11:41.753+0000: 28031: error : virNetTLSContextNew:732 : Unable to generate diffie-hellman parameters: Error in public key generation.
This is the code on that line:
    err = gnutls_dh_params_init(&ctxt->dhParams);
    if (err < 0) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to initialize diffie-hellman parameters: %s"),
                       gnutls_strerror(err));
        goto error;
    }

    err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS);
    if (err < 0) {
        virReportError(VIR_ERR_SYSTEM_ERROR,
                       _("Unable to generate diffie-hellman parameters: %s"),
                       gnutls_strerror(err));
        goto error;
    }

    gnutls_certificate_set_dh_params(ctxt->x509cred, ctxt->dhParams);
More specifically, it's gnutls_dh_params_generate2() that fails. I suspect it's because DH_BITS is defined as follows:

    #define DH_BITS 2048
which might be too short for system policy. If you're able, you can try the following patch:
diff --git i/src/rpc/virnettlscontext.c w/src/rpc/virnettlscontext.c index 1a3dd92676..3ab9f6c4ce 100644 --- i/src/rpc/virnettlscontext.c +++ w/src/rpc/virnettlscontext.c @@ -717,16 +717,20 @@ static virNetTLSContext *virNetTLSContextNew(const char *cacert, * once a day, once a week or once a month. Depending on the * security requirements. */ if (isServer) { + unsigned int bits = 0; + + bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_HIGH); + err = gnutls_dh_params_init(&ctxt->dhParams); if (err < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("Unable to initialize diffie-hellman parameters: %s"), gnutls_strerror(err)); goto error; } - err = gnutls_dh_params_generate2(ctxt->dhParams, DH_BITS); + err = gnutls_dh_params_generate2(ctxt->dhParams, bits); if (err < 0) { virReportError(VIR_ERR_SYSTEM_ERROR, _("Unable to generate diffie-hellman parameters: %s"), gnutls_strerror(err));
If it helps, I can post it for review.
Michal

Sorry, I missed your last reply. I didn't reproduce it yet, but a Fedora rpm would be great, just in case. Thanks

On Thu, Dec 23, 2021 at 7:04 AM Michal Prívozník <mprivozn@redhat.com> wrote:
On 12/22/21 08:44, Dana Elfassy wrote:
Thanks. Is it possible for you to create an rpm with this fix so I can use it on the test runs and try to reproduce?
Oh, sure. Is a Fedora rpm fine?
Michal

On 1/10/22 13:04, Dana Elfassy wrote:
Sorry, I missed your last reply. I didn't reproduce it yet, but a Fedora rpm would be great, just in case. Thanks
Here you go: https://koji.fedoraproject.org/koji/buildinfo?buildID=1867760

Michal

On 1/10/22 15:08, Michal Prívozník wrote:
On 1/10/22 13:04, Dana Elfassy wrote:
Sorry, I missed your last reply. I didn't reproduce it yet, but a Fedora rpm would be great, just in case. Thanks
Here you go:
Ooops, wrong link. This one is correct: https://koji.fedoraproject.org/koji/taskinfo?taskID=81062331

Michal

In the last one I don't see a link to download the RPM, can you check?

On Mon, Jan 10, 2022 at 4:10 PM Michal Prívozník <mprivozn@redhat.com> wrote:
On 1/10/22 15:08, Michal Prívozník wrote:
On 1/10/22 13:04, Dana Elfassy wrote:
Sorry, I missed your last reply. I didn't reproduce it yet, but a Fedora rpm would be great, just in case. Thanks
Here you go:
Ooops, wrong link. This one is correct:
https://koji.fedoraproject.org/koji/taskinfo?taskID=81062331
Michal

On 1/11/22 11:13, Dana Elfassy wrote:
In the last one I don't see a link to download the RPM, can you check?
You have to click on the arch you are interested in, for instance x86_64 is the following link:

https://koji.fedoraproject.org/koji/taskinfo?taskID=81062428

And if you don't want to download all rpms by hand you can use koji:

    koji download-task 81062428

Just replace the task ID with the one you want to download. The example will download rpms for x86_64.

Michal
participants (2)
- Dana Elfassy
- Michal Prívozník