[libvirt-users] nova-compute, libvirt and authentication

Hello

I have a question about live migration when libvirt requires sasl authentication. I have managed to configure remote access for user nova with sasl enabled (credentials stored in auth.conf - https://review.openstack.org/#/c/12706/). It looks like live migration does not use these credentials at all. What is more, it thinks that sasl is not configured:

2013-07-01 09:49:09.317+0000: 17997: error : virNetSASLSessionClientStart:484 : authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found)
2013-07-01 09:49:09.317+0000: 17997: error : doPeer2PeerMigrate:2527 : operation failed: Failed to connect to remote libvirt URI qemu+tcp://n12c1/system

I execute migration like this:
nova live-migration c923af69-4cb3-46dd-8bd2-871812d7d223 n12c1

Nova.conf:
live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE

Could you please let me know whether nova/libvirt support p2p live migration with sasl and, if so, point out what might be misconfigured? Disabling sasl solves all my problems but I have to configure some authentication.

I would really appreciate your help.

regards
--
Maciej Gałkiewicz
Shelly Cloud Sp. z o. o., Sysadmin
http://shellycloud.com/, macias@shellycloud.com
KRS: 0000440358 REGON: 101504426

On 07/01/2013 01:27 PM, Maciej Gałkiewicz wrote:
Hello
I have a question about live migration when libvirt requires sasl authentication. I have managed to configure remote access for user nova with sasl enabled (credentials stored in auth.conf - https://review.openstack.org/#/c/12706/). It looks like live migration does not use these credentials at all. What is more, it thinks that sasl is not configured:
I'd say this is a problem with sasl, nothing else. "No mechanism found" may mean that libraries for the configured mechanism aren't found or an unknown mechanism is being requested. I doubt that access to those libraries would be a permission problem, but you might be missing some cyrus-sasl-* package. What distro are you running on and what sasl-related packages do you have installed?
2013-07-01 09:49:09.317+0000: 17997: error : virNetSASLSessionClientStart:484 : authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found)
2013-07-01 09:49:09.317+0000: 17997: error : doPeer2PeerMigrate:2527 : operation failed: Failed to connect to remote libvirt URI qemu+tcp://n12c1/system
I execute migration like this: nova live-migration c923af69-4cb3-46dd-8bd2-871812d7d223 n12c1
Nova.conf: live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE
Could you please let me know whether nova/libvirt support p2p live migration with sasl and, if so, point out what might be misconfigured? Disabling sasl solves all my problems but I have to configure some authentication.
I would really appreciate your help.
regards
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users

On 2 July 2013 09:58, Martin Kletzander <mkletzan@redhat.com> wrote:
I'd say this is a problem with sasl, nothing else. "No mechanism found" may mean that libraries for the configured mechanism aren't found or an unknown mechanism is being requested. I doubt that access to those libraries would be a permission problem, but you might be missing some cyrus-sasl-* package. What distro are you running on and what sasl-related packages do you have installed?
If there is a problem with sasl, why am I able to successfully use it, for example through:
virsh -c qemu+tcp://my_remote_server/system list

I am running debian 7.1 (wheezy). Sasl libs:
# dpkg -l | grep sasl
ii libsasl2-2:amd64 2.1.25.dfsg1-6+deb7u1 amd64 Cyrus SASL - authentication abstraction library
ii libsasl2-modules:amd64 2.1.25.dfsg1-6+deb7u1 amd64 Cyrus SASL - pluggable authentication modules
ii sasl2-bin 2.1.25.dfsg1-6+deb7u1 amd64 Cyrus SASL - administration programs for SASL users database

regards
--
Maciej Gałkiewicz

On 07/02/2013 10:13 AM, Maciej Gałkiewicz wrote:
On 2 July 2013 09:58, Martin Kletzander <mkletzan@redhat.com> wrote:
I'd say this is a problem with sasl, nothing else. "No mechanism found" may mean that libraries for the configured mechanism aren't found or an unknown mechanism is being requested. I doubt that access to those libraries would be a permission problem, but you might be missing some cyrus-sasl-* package. What distro are you running on and what sasl-related packages do you have installed?
If there is a problem with sasl, why am I able to successfully use it, for example through:
virsh -c qemu+tcp://my_remote_server/system list
I couldn't know you were able to do that. Since I presume you are using the same server and client to check that, I must fall back to default questions like "SELinux?". Or some OpenStack config which I (unfortunately) know almost nothing about. The last thing that occurs to me is whether you are able to reproduce that purely with the python bindings (in case there's a problem).
I am running debian 7.1 (wheezy). Sasl libs:
# dpkg -l | grep sasl
ii libsasl2-2:amd64 2.1.25.dfsg1-6+deb7u1 amd64 Cyrus SASL - authentication abstraction library
ii libsasl2-modules:amd64 2.1.25.dfsg1-6+deb7u1 amd64 Cyrus SASL - pluggable authentication modules
ii sasl2-bin 2.1.25.dfsg1-6+deb7u1 amd64 Cyrus SASL - administration programs for SASL users database
Unfortunately I can't see what mechanisms are available from this list, but if virsh works the problem is somewhere else.

Martin

On 2 July 2013 10:36, Martin Kletzander <mkletzan@redhat.com> wrote:
I couldn't know you were able to do that. Since I presume you are using the same server and client to check that, I must fall back to default questions like "SELinux?". Or some OpenStack config which I (unfortunately) know almost nothing about. The last thing that occurs to me is whether you are able to reproduce that purely with the python bindings (in case there's a problem).
By the same server and client, do you mean the same machine? If so, it is not true. I am using two machines for tests. There is no SELinux or other security mechanism which may interfere. I could try to reproduce it with python but some example would be nice.

regards
--
Maciej Gałkiewicz

On 07/02/2013 10:43 AM, Maciej Gałkiewicz wrote:
On 2 July 2013 10:36, Martin Kletzander <mkletzan@redhat.com> wrote:
I couldn't know you were able to do that. Since I presume you are using the same server and client to check that, I must fall back to default questions like "SELinux?". Or some OpenStack config which I (unfortunately) know almost nothing about. The last thing that occurs to me is whether you are able to reproduce that purely with the python bindings (in case there's a problem).
By the same server and client, do you mean the same machine? If so, it is not true. I am using two machines for tests. There is no SELinux or other security mechanism which may interfere. I could try to reproduce it with python but some example would be nice.
I meant that when using virsh, the server you were connecting to (the machine) was the same one *to* which you have problems connecting with nova and, respectively, that the machine you were running virsh on is the same one you have problems *from* using nova.

Martin

On Mon, Jul 01, 2013 at 01:27:24PM +0200, Maciej Gałkiewicz wrote:
Hello
I have a question about live migration when libvirt requires sasl authentication. I have managed to configure remote access for user nova with sasl enabled (credentials stored in auth.conf - https://review.openstack.org/#/c/12706/). It looks like live migration does not use these credentials at all. What is more, it thinks that sasl is not configured:
2013-07-01 09:49:09.317+0000: 17997: error : virNetSASLSessionClientStart:484 : authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found)
2013-07-01 09:49:09.317+0000: 17997: error : doPeer2PeerMigrate:2527 : operation failed: Failed to connect to remote libvirt URI qemu+tcp://n12c1/system
I execute migration like this: nova live-migration c923af69-4cb3-46dd-8bd2-871812d7d223 n12c1
Nova.conf: live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE
Could you please let me know whether nova/libvirt support p2p live migration with sasl and, if so, point out what might be misconfigured? Disabling sasl solves all my problems but I have to configure some authentication.
Hmm, so Nova uses migrateToURI, which means that the source libvirtd connects directly to the destination libvirtd. Looking at the code though, it seems to be using virConnectOpen(), which means that all the authentication callbacks are disabled. Since no auth callback is present, SASL doesn't find any mechanisms, and thus auth fails.

So I think this is a flaw in the QEMU migration code, which should instead use virConnectOpenAuth().

The only workaround you have in the short term is to configure libvirtd to use TLS + x509 certificates for security and then set up a whitelist of TLS cert distinguished names in libvirtd.conf to control which servers can connect to each other.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
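Martin asked earlier whether the failure reproduces with the python bindings alone, Maciej asked for an example, and Daniel's reply explains the mechanism: with VIR_MIGRATE_PEER2PEER the source libvirtd opens the destination itself, without any credential callback. The script below is an added example written for this page; it is not code from the thread, from nova or from libvirt. It resolves credentials from an auth.conf in libvirt's client credential format, builds the callback that libvirt.openAuth() consults, and then drives the same migrateToURI() call nova makes, next to the non-peer-to-peer migrate() call in which the client opens both connections. The host names n12c0/n12c1, the domain name and the auth.conf contents are constructed; the enum values are copied from libvirt's VIR_CRED_* and VIR_MIGRATE_* constants so the offline helpers do not need the libvirt module.

```python
"""Added example: reproduce the thread's SASL migration failure with the
libvirt Python bindings, outside nova.  Host names, domain name and the
auth.conf text are constructed for illustration."""
import configparser

# Values of libvirt's virConnectCredentialType and virDomainMigrateFlags
# enums, mirrored so the helpers below run without the libvirt module.
VIR_CRED_AUTHNAME = 2
VIR_CRED_PASSPHRASE = 5
VIR_MIGRATE_LIVE = 1
VIR_MIGRATE_PEER2PEER = 2
VIR_MIGRATE_UNDEFINE_SOURCE = 16

# The flag set from the poster's nova.conf live_migration_flag line.
NOVA_MIGRATE_FLAGS = VIR_MIGRATE_UNDEFINE_SOURCE | VIR_MIGRATE_PEER2PEER | VIR_MIGRATE_LIVE

# Constructed auth.conf in libvirt's client credential format: an
# [auth-SERVICE-HOST] section names the [credentials-NAME] block to use.
SAMPLE_AUTH_CONF = """
[credentials-nova]
authname=nova
password=example-secret

[auth-libvirt-n12c0]
credentials=nova

[auth-libvirt-n12c1]
credentials=nova
"""


def load_credentials(auth_conf_text, hostname, service="libvirt"):
    """Return the {'authname', 'password'} mapped to hostname, or None."""
    cfg = configparser.ConfigParser()
    cfg.read_string(auth_conf_text)
    section = f"auth-{service}-{hostname}"
    if not cfg.has_section(section):
        return None
    cred_section = "credentials-" + cfg.get(section, "credentials")
    return {
        "authname": cfg.get(cred_section, "authname"),
        "password": cfg.get(cred_section, "password"),
    }


def make_auth_callback(creds):
    """Build the callback libvirt.openAuth() invokes for each SASL prompt.

    libvirt hands over a list of [type, prompt, challenge, default, result]
    entries; the callback fills result (index 4) and returns 0, or -1 for a
    credential type it cannot answer.
    """
    def callback(credentials, _user_data):
        for cred in credentials:
            if cred[0] == VIR_CRED_AUTHNAME:
                cred[4] = creds["authname"]
            elif cred[0] == VIR_CRED_PASSPHRASE:
                cred[4] = creds["password"]
            else:
                return -1
        return 0
    return callback


def open_with_sasl(uri, hostname, auth_conf_text):
    """Client-side connection with credentials, the path virsh also takes."""
    import libvirt  # lazy import keeps the helpers above importable offline
    creds = load_credentials(auth_conf_text, hostname)
    if creds is None:
        raise RuntimeError(f"no credentials for {hostname} in auth.conf")
    auth = [[VIR_CRED_AUTHNAME, VIR_CRED_PASSPHRASE], make_auth_callback(creds), None]
    return libvirt.openAuth(uri, auth, 0)


def p2p_migrate(domain_name, src_host, dst_host, auth_conf_text):
    """The call nova makes.  With VIR_MIGRATE_PEER2PEER the *source libvirtd*
    opens the destination URI itself; our callback only served the
    client->source hop, so a SASL-only destination fails with the thread's
    'No worthy mechs found' error."""
    conn = open_with_sasl(f"qemu+tcp://{src_host}/system", src_host, auth_conf_text)
    dom = conn.lookupByName(domain_name)
    dom.migrateToURI(f"qemu+tcp://{dst_host}/system", NOVA_MIGRATE_FLAGS, None, 0)


def client_driven_migrate(domain_name, src_host, dst_host, auth_conf_text):
    """Contrast from the libvirt API: without PEER2PEER the client opens both
    connections, so the credential callback is consulted for the destination
    as well.  Nova's code in the thread does not take this path."""
    src = open_with_sasl(f"qemu+tcp://{src_host}/system", src_host, auth_conf_text)
    dst = open_with_sasl(f"qemu+tcp://{dst_host}/system", dst_host, auth_conf_text)
    flags = NOVA_MIGRATE_FLAGS & ~VIR_MIGRATE_PEER2PEER
    return src.lookupByName(domain_name).migrate(dst, flags, None, None, 0)


if __name__ == "__main__":
    # Reproduction run: needs two reachable libvirtd hosts with SASL enabled.
    p2p_migrate("instance-00000001", "n12c0", "n12c1", SAMPLE_AUTH_CONF)
```

Running p2p_migrate() against two SASL-only hosts reproduces the doPeer2PeerMigrate failure from the original post even though open_with_sasl() succeeded, which is the behaviour Daniel attributes to virConnectOpen() being used for the source-to-destination hop. For the TLS workaround he describes, the relevant libvirtd.conf settings on the destination are listen_tls and tls_allowed_dn_list, the latter holding the certificate distinguished names of the libvirtd hosts allowed to connect.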
participants (3)
- Daniel P. Berrange
- Maciej Gałkiewicz
- Martin Kletzander