StepBee opened a new issue, #11144: URL: https://github.com/apache/cloudstack/issues/11144
### problem

Dear CloudStack community,

we discovered a bug which prevents VM start on (at least) newer Ubuntu versions or newer Libvirt versions after provisioning host security keys. Looks like @rohityadavcloud stumbled across the same bug in [https://github.com/apache/cloudstack/issues/9984](https://github.com/apache/cloudstack/issues/9984) but did not follow up on the root cause.

The issue is in [https://github.com/apache/cloudstack/blob/3e3a0c06781953371691dc395f71a37bb5483969/scripts/util/keystore-cert-import#L125](https://github.com/apache/cloudstack/blob/3e3a0c06781953371691dc395f71a37bb5483969/scripts/util/keystore-cert-import#L125)

In newer versions of Libvirt, the default user and group changed from user: root and group: root to user: libvirt-qemu and group: kvm.

The mentioned line in the script is checking the config file /etc/libvirt/qemu.conf for the pattern "group=" and will change the owner group of the new host security key certificate files to the group name found in the config file. If "group=" is not set, the chgrp command is not executed and the certificate files will stay with owner root:root.

Since the new default user and group of libvirt is libvirt-qemu:kvm, the libvirt process will not be able to access the certificate files in standard configuration ("user=" and "group=" are not specifically set and are commented in qemu.conf) and will raise the error

Cannot load CA certificate '/etc/pki/libvirt-vnc/ca-cert.pem': Error while reading file.

The second issue is the pattern the script is using to search for the group. The search does not include spaces like "group = kvm", only "group=kvm" will work - but spaces are the default in the commented lines in qemu.conf.

### versions

Ubuntu 24.04.2 LTS
libvirt version: 10.0.0
Apache Cloudstack 20.1.0

### The steps to reproduce the bug

1. Install CloudStack on one of the newer Ubuntu Releases
2. Execute "Provision Host Security Keys"
3. Try to start a VM on the host

### What to do about it?

To fix the issue, two steps are required from my perspective:

1. Replacing the matching pattern in the script [https://github.com/apache/cloudstack/blob/3e3a0c06781953371691dc395f71a37bb5483969/scripts/util/keystore-cert-import#L125](https://github.com/apache/cloudstack/blob/3e3a0c06781953371691dc395f71a37bb5483969/scripts/util/keystore-cert-import#L125) with an expression allowing spaces as well, like for example `$(sed -n 's/^group\s*=//p' /etc/libvirt/qemu.conf | awk -F'"' '{print $2}' | tail -n1)`
2. Adjust the installation documentation for (at least) Ubuntu, adding the requirement to specifically define "group = kvm" in /etc/libvirt/qemu.conf

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
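The pattern problem described in the issue, as an added example that is not part of the original post or of the CloudStack script: it runs a strict `group=` match and a whitespace-tolerant match over three constructed qemu.conf variants and shows when the chgrp step would be skipped. The function names, the strict pattern (an assumed stand-in for the behaviour the issue describes) and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.

# Strict match: only 'group="name"' with nothing around '=' is recognised
# (assumed stand-in for the matching behaviour the issue describes).
group_strict() {
    sed -n 's/^group=//p' "$1" | awk -F'"' '{print $2}' | tail -n1
}

# Tolerant match: optional whitespace before the key and around '='.
# Commented lines ('#group = ...') still do not match because of the ^ anchor.
# [[:space:]] is used instead of \s so the pattern also works outside GNU sed.
group_tolerant() {
    sed -n 's/^[[:space:]]*group[[:space:]]*=//p' "$1" | awk -F'"' '{print $2}' | tail -n1
}

# What a caller would do with the result: an empty group means no chgrp,
# so the certificate files keep their root:root ownership.
chgrp_plan() {
    grp=$(group_tolerant "$1")
    if [ -n "$grp" ]; then
        echo "chgrp $grp"
    else
        echo "skip chgrp (files stay root:root)"
    fi
}

# Constructed qemu.conf variants.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#user = "libvirt-qemu"\n#group = "kvm"\n' > "$demo_dir/commented.conf"
printf 'user = "libvirt-qemu"\ngroup = "kvm"\n'   > "$demo_dir/spaced.conf"
printf 'user="libvirt-qemu"\ngroup="kvm"\n'       > "$demo_dir/compact.conf"

for name in commented spaced compact; do
    f="$demo_dir/$name.conf"
    printf '%-10s strict=[%s] tolerant=[%s] -> %s\n' "$name" \
        "$(group_strict "$f")" "$(group_tolerant "$f")" "$(chgrp_plan "$f")"
done
```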