On Fri, Apr 11, 2014 at 2:53 PM, Sandro "red" Mathys <red@xxxxxxxxxxxxxxxxx> wrote: > On Fri, Apr 11, 2014 at 12:43 AM, Mats Wichmann <mats@xxxxxxxxxxx> wrote: >> On 04/10/14 02:09, Juerg Haefliger wrote: >>> In a nutshell, dwarf is OpenStack API on top of local libvirt/KVM. >> >> I suppose it's too late to suggest a name change? dwarf already has >> long-time usage as the debugging format for various compilers, and >> there's a matching libdwarf with an api for examining the format. >> http://dwarfstd.org/ > > FWIW: It's also not very ideal because one of the OpenStack components > (I think it was Trove) used to be called Red Dwarf... > > Anyway, thanks Juerg for packaging this and putting it into a copr > repo as requested. Will give it a try. > > -- Sandro Let me start by saying I did not see any SELinux issues, before I get to the bad (possibly TL;DR) news. So, on the only system I could try this out, a few things are changed from the defaults. I hope that didn't cause any of the issues I've found. I hope I didn't either. ;) If dwarf is started through systemd, it will log "sudo: sorry, you must have a tty to run sudo" whenever it is: 1) trying to chown the console-log - and therefore, 'nova console-log <server>' won't work: 2014-04-11 16:53:23,077 - INFO - dwarf.utils : execute(cmd=['chown', 991, '/var/lib/dwarf/instances/997adba9-ba7c-4f2a-9fff-94e4cfe5d37c/console.log'], check_exit_code=None, shell=False, run_as_root=True) 2014-04-11 16:53:23,106 - WARNING - dwarf.exception : Exception caught: Failed to run command: ['sudo', 'chown', '991', '/var/lib/dwarf/instances/997adba9-ba7c-4f2a-9fff-94e4cfe5d37c/console.log'] exit_code: 1 stdout: stderr: sudo: sorry, you must have a tty to run sudo (500) 2) trying to set up the nat prerouting rule for the ec2 metadata service: 2014-04-11 16:27:22,717 - INFO - dwarf.utils : execute(cmd=['iptables', '-t', 'nat', '-D', 'PREROUTING', '-s', u'', '-d', '169.254.169.254/32', '-p', 'tcp', '-m', 'tcp', '--dport', 80, '-j', 'REDIRECT', '--to-port', 8080], check_exit_code=False, shell=False, run_as_root=True) 2014-04-11 16:27:22,729 - INFO - dwarf.utils : execute(stderr=sudo: sorry, you must have a tty to run sudo ) ...now, working around the issue by starting dwarf by hand instead of through systemd should solve both based on the given sudo errors. But it seems the iptables still isn't put into place (but the log shows no issues). At least iptables -L -t nat shows no rules at all (yes, I cleared them beforehand). Now, I noticed that the above log entry shows "-s u" and wonder if "u" is ever replaced but since it's not logged anymore, I can't tell. Since that would result in an error I figure it would turn up in the log if it was an issue. Anyway, because of this cloud-init obviously can't reach the ec2 metadata. I tried to execute the iptables command myself but didn't figure out what I should replace u by. My guesses were either the instance's IP or virbr0's IP or the network address but all failed like: $ sudo iptables -t nat -D PREROUTING -s 192.168.111.1/24 -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080 iptables: No chain/target/match by that name. (Yes, my libvirt is configured to use non-default IP ranges and yes, I updated dwarf.conf accordingly). That's where my poor network-fu ends. The work around successfully enables the console-log, though. Also, when trying to work around this issue by configuring the ec2 metadata to listen on port 80 directly (and opening that port in the firewall - or just shut it down as I did) and waiting for cloud-init to fall back to the gateway IP instead of using 169.254.169.254, it will be able to connect but get a 404 not found. I'd expect this to work but either you really expect access through the special IP or you don't expect a request for /latest/meta-data/instance-id but only for /2009-04-04/meta-data-instance-id. I removed the workaround to try other things before I came up with this idea and therefore couldn't verify it right now. -- Sandro _______________________________________________ cloud mailing list cloud@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/cloud Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
