6:27 a.m.
Hello
I have a question about live migration when libvirt requires sasl
authentication. I have managed to configure remote access for user nova
with sasl enabled (credentials stored in auth.conf -
https://review.openstack.org/#/c/12706/). It looks like live migration do
not use these credentials at all. What is more it thinks that sasl is not
not configured:
2013-07-01 09:49:09.317+0000: 17997: error :
virNetSASLSessionClientStart:484 : authentication failed: Failed to start
SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs
found)
2013-07-01 09:49:09.317+0000: 17997: error : doPeer2PeerMigrate:2527 :
operation failed: Failed to connect to remote libvirt URI
qemu+tcp://n12c1/system
I execute migration like this:
nova live-migration c923af69-4cb3-46dd-8bd2-871812d7d223 n12c1
Nova.conf:
live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE
Could you please let me know whether nova/libvirt support p2p live
migration with sasl and if so point out what might be misconfigured?
Disabling sasl solves all my problems but I have to configure some
authentication.
I would really appreciate your help.
regards
--
Maciej Gałkiewicz
Shelly Cloud Sp. z o. o., Sysadmin
http://shellycloud.com/, macias(a)shellycloud.com
KRS: 0000440358 REGON: 101504426
2:58 a.m.
On 07/01/2013 01:27 PM, Maciej Gałkiewicz wrote:
Hello
I have a question about live migration when libvirt requires sasl
authentication. I have managed to configure remote access for user nova
with sasl enabled (credentials stored in auth.conf -
https://review.openstack.org/#/c/12706/). It looks like live migration do
not use these credentials at all. What is more it thinks that sasl is not
not configured:
I'd say this is a problem with sasl, nothing else. "No mechanism found"
may mean that libraries for configured mechanism aren't found or unknown
mechanism is being requested. I doubt that access to those libraries
would be a permisison problem, but you might be missing some
cyrus-sasl-* package. What distro are you running on and what
sasl-related packages do you have installed?
2013-07-01 09:49:09.317+0000: 17997: error :
virNetSASLSessionClientStart:484 : authentication failed: Failed to start
SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs
found)
2013-07-01 09:49:09.317+0000: 17997: error : doPeer2PeerMigrate:2527 :
operation failed: Failed to connect to remote libvirt URI
qemu+tcp://n12c1/system
I execute migration like this:
nova live-migration c923af69-4cb3-46dd-8bd2-871812d7d223 n12c1
Nova.conf:
live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE
Could you please let me know whether nova/libvirt support p2p live
migration with sasl and if so point out what might be misconfigured?
Disabling sasl solves all my problems but I have to configure some
authentication.
I would really appreciate your help.
regards
_______________________________________________
libvirt-users mailing list
libvirt-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
3:13 a.m.
On 2 July 2013 09:58, Martin Kletzander <mkletzan(a)redhat.com> wrote:
I'd say this is a problem with sasl, nothing else. "No
mechanism found"
may mean that libraries for configured mechanism aren't found or unknown
mechanism is being requested. I doubt that access to those libraries
would be a permisison problem, but you might be missing some
cyrus-sasl-* package. What distro are you running on and what
sasl-related packages do you have installed?
If there is a problem with sasl why I am able to successfully use it for
example through:
virsh -c qemu+tcp://my_remote_server/system list
I am running debian 7.1 (wheezy). Sasl libs:
# dpkg -l | grep sasl
ii libsasl2-2:amd64 2.1.25.dfsg1-6+deb7u1 amd64
Cyrus SASL - authentication abstraction library
ii libsasl2-modules:amd64 2.1.25.dfsg1-6+deb7u1 amd64
Cyrus SASL - pluggable authentication modules
ii sasl2-bin 2.1.25.dfsg1-6+deb7u1 amd64
Cyrus SASL - administration programs for SASL users database
regards
--
Maciej Gałkiewicz
Shelly Cloud Sp. z o. o., Sysadmin
http://shellycloud.com/, macias(a)shellycloud.com
KRS: 0000440358 REGON: 101504426
3:36 a.m.
On 07/02/2013 10:13 AM, Maciej Gałkiewicz wrote:
On 2 July 2013 09:58, Martin Kletzander <mkletzan(a)redhat.com>
wrote:
> I'd say this is a problem with sasl, nothing else. "No mechanism
found"
> may mean that libraries for configured mechanism aren't found or unknown
> mechanism is being requested. I doubt that access to those libraries
> would be a permisison problem, but you might be missing some
> cyrus-sasl-* package. What distro are you running on and what
> sasl-related packages do you have installed?
>
If there is a problem with sasl why I am able to successfully use it for
example through:
virsh -c qemu+tcp://my_remote_server/system list
I couldn't know you were able to do that. Since I presume you are using
the same server and client to check that, I must fallback to default
questions like "SELinux?". Or some OpenStack config which I
(unfortunately) know almost nothing about. Last thing that occurs on my
mind is whether you are able to reproduce that purely with python
bindings (in case there's a problem).
I am running debian 7.1 (wheezy). Sasl libs:
# dpkg -l | grep sasl
ii libsasl2-2:amd64 2.1.25.dfsg1-6+deb7u1 amd64
Cyrus SASL - authentication abstraction library
ii libsasl2-modules:amd64 2.1.25.dfsg1-6+deb7u1 amd64
Cyrus SASL - pluggable authentication modules
ii sasl2-bin 2.1.25.dfsg1-6+deb7u1 amd64
Cyrus SASL - administration programs for SASL users database
Unfortunately I can't see what mechanisms are available from this list,
but if virsh works the problem is somewhere else.
Martin
3:43 a.m.
On 2 July 2013 10:36, Martin Kletzander <mkletzan(a)redhat.com> wrote:
I couldn't know you were able to do that. Since I presume you
are using
the same server and client to check that, I must fallback to default
questions like "SELinux?". Or some OpenStack config which I
(unfortunately) know almost nothing about. Last thing that occurs on my
mind is whether you are able to reproduce that purely with python
bindings (in case there's a problem).
By same server and client you mean same machine? If so it is not true. I am
using two machines for tests. There is no SELinux or other security
mechanism which may interrupt. I could try to reproduce it with python but
some example would be nice.
regards
--
Maciej Gałkiewicz
Shelly Cloud Sp. z o. o., Sysadmin
http://shellycloud.com/, macias(a)shellycloud.com
KRS: 0000440358 REGON: 101504426
4:22 a.m.
On 07/02/2013 10:43 AM, Maciej Gałkiewicz wrote:
On 2 July 2013 10:36, Martin Kletzander <mkletzan(a)redhat.com>
wrote:
> I couldn't know you were able to do that. Since I presume you are using
> the same server and client to check that, I must fallback to default
> questions like "SELinux?". Or some OpenStack config which I
> (unfortunately) know almost nothing about. Last thing that occurs on my
> mind is whether you are able to reproduce that purely with python
> bindings (in case there's a problem).
By same server and client you mean same machine? If so it is not true. I am
using two machines for tests. There is no SELinux or other security
mechanism which may interrupt. I could try to reproduce it with python but
some example would be nice.
I meant that when using virsh, the server you were connecting to (the
machine) was the same one *to* which you have problem connecting with
nova and, respectively, that the machine you were running virsh on is
the same one you have problems *from* using nova.
Martin
4:40 a.m.
On Mon, Jul 01, 2013 at 01:27:24PM +0200, Maciej Gałkiewicz wrote:
Hello
I have a question about live migration when libvirt requires sasl
authentication. I have managed to configure remote access for user nova
with sasl enabled (credentials stored in auth.conf -
https://review.openstack.org/#/c/12706/). It looks like live migration do
not use these credentials at all. What is more it thinks that sasl is not
not configured:
2013-07-01 09:49:09.317+0000: 17997: error :
virNetSASLSessionClientStart:484 : authentication failed: Failed to start
SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs
found)
2013-07-01 09:49:09.317+0000: 17997: error : doPeer2PeerMigrate:2527 :
operation failed: Failed to connect to remote libvirt URI
qemu+tcp://n12c1/system
I execute migration like this:
nova live-migration c923af69-4cb3-46dd-8bd2-871812d7d223 n12c1
Nova.conf:
live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE,VIR_MIGRATE_PEER2PEER,VIR_MIGRATE_LIVE
Could you please let me know whether nova/libvirt support p2p live
migration with sasl and if so point out what might be misconfigured?
Disabling sasl solves all my problems but I have to configure some
authentication.
Hmm, so Nova uses migrateToURI, which means that the source
libvirtd connects directly to the destination libvirtd. Looking
at the code though, it seems to be using virConnectOpen(), which
means that all the authentication callbacks are disabled. Since
no auth callback is present, SASL doesn't find any mechanisms,
and thus auth fails.
So I think this is a flaw in the QEMU migration code, which
should instead use virConnectOpenAuth().
The only workaround you have in the shorterm is to configure
libvirtd to use TLS + x509 certificates for security and then
setup a whitelist of TLS cert distinguished names in libvirtd.conf
to control which servers can connect to each other
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4161
days inactive
4162
days old
6 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Maciej Gałkiewicz -
Martin Kletzander