Problem: A KVM host server is not accessible via the UVMM GUI

Problem:

One KVM host server is no longer accessible via the UVMM GUI.
On the KVM host server you get a traceback in

/var/log/univention/virtual-machine-manager-daemon.log

2019-05-05 06:26:34,098 - uvmmd.node - WARNING - 'qemu://kvm-srv3.schein.ig/system' broken? next check in 0:00:30.000. Unable to read TLS confirmation: Input/output error
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/uvmm/node.py", line 834, in update_autoreconnect
    self.conn = libvirt.open(self.pd.uri)
  File "/usr/lib/python2.7/dist-packages/libvirt.py", line 255, in open
    if ret is None:raise libvirtError('virConnectOpen() failed')
libvirtError: Unable to read TLS confirmation: Input/output error

Investigation:

Step 1:

This traceback points to a problem with the TLS certificates, so compare the certificates on both servers (the CA certificate must be identical on the master and on the host server):

root@kvm-master:~# md5sum /etc/pki/CA/cacert.pem
9bbbaff7ae63154e46e72788d85a698c  /etc/pki/CA/cacert.pem

root@kvm-srv3:~# md5sum ucsCA/CAcert.pem
9bbbaff7ae63154e46e72788d85a698c  ucsCA/CAcert.pem

root@kvm-master:~# md5sum /etc/univention/ssl/ucsCA/CAcert.pem
9bbbaff7ae63154e46e72788d85a698c  /etc/univention/ssl/ucsCA/CAcert.pem

Also check the validity period of the certificates (they must not be expired).

Step 2:

Check the libvirtd log on the host server:

journalctl -u libvirtd.service    (or: less /var/log/libvirt/libvirtd.log)

2019-05-07 09:31:58.280+0000: 209484: error : virNetTLSContextCheckCertDNWhitelist:395 : Client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). Use 'certtool -i --infile clientcert.pem' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option.
2019-05-07 09:31:58.280+0000: 209484: error : virNetTLSContextCheckCertificate:1133 : authentication failed: Failed to verify peer's certificate
2019-05-07 09:36:58.298+0000: 209484: error : virNetTLSContextCheckCertDNWhitelist:395 : Client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list). Use 'certtool -i --infile clientcert.pem' to view the Distinguished Name field in the client certificate, or run this daemon with --verbose option.
2019-05-07 09:36:58.298+0000: 209484: error : virNetTLSContextCheckCertificate:1133 : authentication failed: Failed to verify peer's certificate

The message "Client's Distinguished Name is not on the list of allowed clients (tls_allowed_dn_list)" refers to the option tls_allowed_dn_list in the libvirtd configuration:

root@kvm-srv3:~# grep tls_allowed_dn_list /etc/libvirt/libvirtd.conf
#tls_allowed_dn_list = ["DN1", "DN2"]
tls_allowed_dn_list = ['*,CN=smarta.schein.ig,,*', '*,CN=kvm-srv3.schein.ig,*']

This part of the configuration is generated from the UCR variable uvmm/managers:

ucr get uvmm/managers
smarta.schein.ig, kvm-srv3.schein.ig

If the KVM host server is missing from this list, there are two possible reasons:

  1. The UCR variable was edited manually after libvirtd had been started on the KVM host server.
  2. Something is wrong with the listener. To check this:
     univention-ldapsearch '(|(univentionService=Virtual Machine Manager)(univentionService=KVM Host))' cn associatedDomain
     should find all KVM servers, and
     univention-directory-listener-ctrl status
     should be green, especially for the libvirtd-acl module.
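As an added example (not code from the original post, UCS or libvirt), the following Python check models the whitelist logic described above: it parses the active tls_allowed_dn_list entry from libvirtd.conf, derives the entries that uvmm/managers should produce, and tests a client DN against them the way libvirtd does (libvirt matches each entry as a shell-style wildcard, modelled here with fnmatch). The client DN is a constructed sample; on a real system take it from `certtool -i --infile clientcert.pem` as the log message suggests.

```python
import fnmatch
import re

# Constructed sample: the tls_allowed_dn_list lines quoted in the post,
# as found in /etc/libvirt/libvirtd.conf on kvm-srv3 before the fix.
LIBVIRTD_CONF = """
#tls_allowed_dn_list = ["DN1", "DN2"]
tls_allowed_dn_list = ['*,CN=smarta.schein.ig,,*', '*,CN=kvm-srv3.schein.ig,*']
"""

# Constructed sample client DN (attribute order is an assumption; read the
# real one with certtool -i on the client certificate).
CLIENT_DN = "C=DE,O=schein,CN=kvm-master.schein.ig,EMAIL=ssl@schein.ig"


def parse_dn_list(conf_text):
    """Return the entries of the active (uncommented) tls_allowed_dn_list."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("tls_allowed_dn_list"):
            return re.findall(r"['\"]([^'\"]*)['\"]", line)
    return []


def managers_to_dn_list(managers):
    """Derive the expected whitelist entries from the value of uvmm/managers."""
    hosts = [h.strip() for h in managers.split(",") if h.strip()]
    return ["*,CN=%s,*" % h for h in hosts]


def dn_allowed(dn, patterns):
    """Mimic libvirtd: the client DN must match at least one wildcard entry."""
    return any(fnmatch.fnmatchcase(dn, p) for p in patterns)


def missing_entries(managers, conf_text):
    """Expected entries that are absent from libvirtd.conf (stale or malformed)."""
    present = set(parse_dn_list(conf_text))
    return [p for p in managers_to_dn_list(managers) if p not in present]


if __name__ == "__main__":
    active = parse_dn_list(LIBVIRTD_CONF)
    print("active entries:", active)
    print("kvm-master allowed:", dn_allowed(CLIENT_DN, active))
    print("missing:", missing_entries("smarta.schein.ig, kvm-srv3.schein.ig, "
                                      "kvm-master.schein.ig", LIBVIRTD_CONF))
```

Note that the entry for smarta.schein.ig quoted in the post contains a doubled comma; matched as a wildcard, it would only accept a DN with two commas after the CN, so the check reports that entry as missing as well.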

Solution:

In this case the UCR variable had been set manually, so the missing server was added to the list and libvirtd was restarted:

root@kvm-srv3:~# ucr set uvmm/managers="smarta.schein.ig, kvm-srv3.schein.ig, kvm-master.schein.ig"
root@kvm-srv3:~# grep tls_allowed_dn_list /etc/libvirt/libvirtd.conf
tls_allowed_dn_list = ['*,CN=smarta.schein.ig,,*', '*,CN=kvm-srv3.schein.ig,*', '*,CN=kvm-master.schein.ig,*']
root@kvm-srv3:~# systemctl restart libvirtd.service