yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1918250] [NEW] live migration is failing with libvirt >= 6.8.0

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Martin Schuppert <1918250@xxxxxxxxxxxxxxxxxx>
Date: Tue, 09 Mar 2021 07:21:43 -0000
Reply-to: Bug 1918250 <1918250@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Public bug reported:

With libvirt 6.8.0 introduced virt-ssh-helper:

+  * remote: ``virt-ssh-helper`` replaces ``nc`` for SSH tunnelling
+
+    Libvirt now provides a ``virt-ssh-helper`` binary on the server
+    side. The libvirt remote client will use this binary for setting
+    up an SSH tunnelled connection to hosts. If not present, it will
+    transparently fallback to the traditional ``nc`` tunnel. The new
+    binary makes it possible for libvirt to transparently connect
+    across hosts even if libvirt is built with a different installation
+    prefix on the client vs server. It also enables remote access to
+    the unprivileged per-user libvirt daemons(eg using a URI such as
+    ``qemu+ssh://hostname/session``. The only requirement is that
+    ``virt-ssh-helper`` is present in $PATH of the remote host.

Libvirt first checks for the `virt-ssh-helper` binary, if it's not present,
then it falls back to `nc`.

The code where the 'nova-migration-wrapper' script looks for the 
"nc" binary is here[1]

libvirt used to first check for `nc` (netcat).  But these two libvirt 
commits[2][3] -- which are present in the libvirt build used in this
bug -- have now changed it to first look for `virt-ssh-helper`, if it
not available, then fall back to `nc`  (see David's comment#18 for the
debug logging).

So this trips up the 'nova-migration-wrapper'

Mar 08 16:52:39 overcloud-novacompute-1 nova_migration_wrapper[240622]:
Denying connection='192.168.24.18 54668 192.168.24.9 2022'
command=['sh', '-c', "'which", 'virt-ssh-helper', '1>/dev/null',
'2>&1;', 'if', 'test', '$?', '=', '0;', 'then', '', '', '', '', 'virt-
ssh-helper', "'qemu:///system';", 'else', '', '', '', 'if', "'nc'",
'-q', '2>&1', '|', 'grep', '"requires', 'an', 'argument"', '>/dev/null',
'2>&1;', 'then', 'ARG=-q0;else', "ARG=;fi;'nc'", '$ARG', '-U',
'/var/run/libvirt/libvirt-sock;', "fi'"]


A possible workaround is to force-use "netcat" (`nc`) by appending to the
migration URI: "&proxy=netcat", so the `diff` of the URL:

  - qemu+ssh://nova_migration@compute-0.ctlplane.redhat.local:2022/system?keyfile=/etc/nova/migration/identity
  + qemu+ssh://nova_migration@compute-0.ctlplane.redhat.local:2022/system?keyfile=/etc/nova/migration/identity&proxy=netcat

But longer term we want to allow the virt-ssh-helper, because that's needed
to work properly with the split daemons as the socket path has changed

[1] https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-
migration-wrapper#L32

[2] https://libvirt.org/git/?p=libvirt.git;a=commit;h=f8ec7c842d (rpc: 
    use new virt-ssh-helper binary for remote tunnelling, 2020-07-08)

[3] https://libvirt.org/git/?p=libvirt.git;a=commit;h=7d959c302d (rpc: 
    Fix virt-ssh-helper detection, 2020-10-27)

** Affects: nova
     Importance: Undecided
         Status: New

** Affects: tripleo
     Importance: Undecided
     Assignee: Martin Schuppert (mschuppert)
         Status: In Progress

** Also affects: nova
   Importance: Undecided
       Status: New

** Changed in: tripleo
     Assignee: (unassigned) => Martin Schuppert (mschuppert)

** Changed in: tripleo
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1918250

Title:
  live migration is failing with libvirt >= 6.8.0

Status in OpenStack Compute (nova):
  New
Status in tripleo:
  In Progress

Bug description:
  With libvirt 6.8.0 introduced virt-ssh-helper:

  +  * remote: ``virt-ssh-helper`` replaces ``nc`` for SSH tunnelling
  +
  +    Libvirt now provides a ``virt-ssh-helper`` binary on the server
  +    side. The libvirt remote client will use this binary for setting
  +    up an SSH tunnelled connection to hosts. If not present, it will
  +    transparently fallback to the traditional ``nc`` tunnel. The new
  +    binary makes it possible for libvirt to transparently connect
  +    across hosts even if libvirt is built with a different installation
  +    prefix on the client vs server. It also enables remote access to
  +    the unprivileged per-user libvirt daemons(eg using a URI such as
  +    ``qemu+ssh://hostname/session``. The only requirement is that
  +    ``virt-ssh-helper`` is present in $PATH of the remote host.

  Libvirt first checks for the `virt-ssh-helper` binary, if it's not present,
  then it falls back to `nc`.

  The code where the 'nova-migration-wrapper' script looks for the 
  "nc" binary is here[1]

  libvirt used to first check for `nc` (netcat).  But these two libvirt 
  commits[2][3] -- which are present in the libvirt build used in this
  bug -- have now changed it to first look for `virt-ssh-helper`, if it
  not available, then fall back to `nc`  (see David's comment#18 for the
  debug logging).

  So this trips up the 'nova-migration-wrapper'

  Mar 08 16:52:39 overcloud-novacompute-1
  nova_migration_wrapper[240622]: Denying connection='192.168.24.18
  54668 192.168.24.9 2022' command=['sh', '-c', "'which", 'virt-ssh-
  helper', '1>/dev/null', '2>&1;', 'if', 'test', '$?', '=', '0;',
  'then', '', '', '', '', 'virt-ssh-helper', "'qemu:///system';",
  'else', '', '', '', 'if', "'nc'", '-q', '2>&1', '|', 'grep',
  '"requires', 'an', 'argument"', '>/dev/null', '2>&1;', 'then',
  'ARG=-q0;else', "ARG=;fi;'nc'", '$ARG', '-U', '/var/run/libvirt
  /libvirt-sock;', "fi'"]

  
  A possible workaround is to force-use "netcat" (`nc`) by appending to the
  migration URI: "&proxy=netcat", so the `diff` of the URL:

    - qemu+ssh://nova_migration@compute-0.ctlplane.redhat.local:2022/system?keyfile=/etc/nova/migration/identity
    + qemu+ssh://nova_migration@compute-0.ctlplane.redhat.local:2022/system?keyfile=/etc/nova/migration/identity&proxy=netcat

  But longer term we want to allow the virt-ssh-helper, because that's needed
  to work properly with the split daemons as the socket path has changed

  [1] https://github.com/rdo-packages/nova-distgit/blob/rpm-master/nova-
  migration-wrapper#L32

  [2] https://libvirt.org/git/?p=libvirt.git;a=commit;h=f8ec7c842d (rpc: 
      use new virt-ssh-helper binary for remote tunnelling, 2020-07-08)

  [3] https://libvirt.org/git/?p=libvirt.git;a=commit;h=7d959c302d (rpc: 
      Fix virt-ssh-helper detection, 2020-10-27)

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1918250/+subscriptions
Follow ups

[Bug 1918250] Re: live migration is failing with libvirt >= 6.8.0
From: Martin Schuppert, 2021-08-12
[Bug 1918250] Re: live migration is failing with libvirt >= 6.8.0
From: Balazs Gibizer, 2021-03-17