I see that the attempt disabling tls-proxy failed with:
2019-03-13 01:47:24.187 | + lib/tls:deploy_int_CA:356 : local ca_target_file=/etc/pki/nova-novnc/ca-cert.pem
2019-03-13 01:47:24.189 | + lib/tls:deploy_int_CA:358 : sudo cp /opt/stack/data/CA/int-ca/ca-chain.pem /etc/pki/nova-novnc/ca-cert.pem
2019-03-13 01:47:24.195 | cp: cannot stat '/opt/stack/data/CA/int-ca/ca-chain.pem': No such file or directory
2019-03-13 01:47:24.197 | + lib/tls:deploy_int_CA:1 : exit_trap
which makes sense, because that's the reason we needed to include tls-proxy in the first place. So, I don't think the presence of tls-proxy is the problem.
From the original failure with tls-proxy included, I see that the relevant error in screen-n-cpu.txt is actually this:
Feb 25 15:08:10.760376 ubuntu-bionic-rax-iad-0002993189 nova-compute[31732]: 2019-02-25T15:08:10.650607Z qemu-system-x86_64: -vnc 127.0.0.1:0,tls,x509verify=/etc/pki/libvirt-vnc: Failed to start VNC server: Cannot load certificate '/etc/pki/libvirt-vnc/server-cert.pem' & key '/etc/pki/libvirt-vnc/server-key.pem': Error while reading file.
This is the root cause of the problem.
I'm wondering if it's because there's been a change in the user:group we need for the certs directory. Currently, we're using libvirt-qemu:libvirt-qemu:
https://github.com/openstack-dev/devstack/blob/94ca9f6756e7b677b1ee3fd2e32b555447e950dd/lib/nova_plugins/functions-libvirt#L158