From reproducer env:
[zuul@node-0000586121 ~]$ ll /etc/pki/libvirt-vnc/
total 16
lrwxrwxrwx. 1 root root 31 Nov 12 09:09 ca-cert.pem -> /etc/pki/CA/certs/vnc-proxy.crt
-rw-r--r--. 1 root root 1911 Nov 12 09:09 client-cert.pem
-rw-r-----. 1 root qemu 1708 Nov 12 09:09 client-key.pem
-rw-r--r--. 1 root root 1911 Nov 12 09:09 server-cert.pem
-rw-r-----. 1 root qemu 1704 Nov 12 09:09 server-key.pem
[zuul@node-0000586121 ~]$ sudo podman exec -it -u root nova_libvirt sh
sh-4.4# ls -la /etc/pki
total 88
drwxr-xr-x. 1 root root 4096 Nov 12 09:21 .
drwxr-xr-x. 1 root root 4096 Nov 12 09:21 ..
drwxr-xr-x. 1 root root 4096 Nov 12 09:21 CA
drwxr-xr-x. 4 root root 4096 Sep 1 19:39 ca-trust
drwxr-xr-x. 2 root root 4096 Aug 17 20:21 consumer
drwxr-xr-x. 2 root root 4096 Aug 17 20:21 entitlement
lrwxrwxrwx. 1 root root 32 Sep 1 19:39 entitlement-host -> /run/secrets/etc-pki-entitlement
drwxr-xr-x. 2 root root 4096 Sep 1 19:39 java
drwxr-xr-x. 3 root root 4096 Nov 12 09:09 libvirt
drwxr-xr-x. 2 root root 4096 Nov 12 09:09 libvirt-nbd
drwxr-xr-x. 2 root root 4096 Nov 12 09:21 libvirt-vnc
drwxr-xr-x. 2 root root 4096 Nov 12 00:49 nssdb
drwxr-xr-x. 2 root root 4096 Nov 12 00:31 product
drwxr-xr-x. 2 root root 4096 Sep 1 19:39 product-default
drwxr-xr-x. 2 root root 4096 Nov 12 09:21 qemu
drwxr-xr-x. 2 root root 4096 Sep 1 19:39 rpm-gpg
drwxr-xr-x. 3 root root 4096 Sep 1 19:39 swid
drwxr-xr-x. 5 root root 4096 Sep 1 19:39 tls
sh-4.4# ls -la /etc/pki/libvirt-vnc/
total 28
drwxr-xr-x. 2 root root 4096 Nov 12 09:21 .
drwxr-xr-x. 1 root root 4096 Nov 12 09:21 ..
-rw-r--r--. 1 root root 1623 Nov 12 09:09 ca-cert.pem
-rw-r--r--. 1 root root 1911 Nov 12 09:09 server-cert.pem
-rw-r-----. 1 root 107 1704 Nov 12 09:09 server-key.pem
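The issue is that the qemu user id inside the container is different from the one on the host. In the container, server-key.pem is mode 0640 and owned by root:107, but the container's qemu account is 42427:42427, so qemu there gets no read access to the key: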
sh-4.4# grep qemu /etc/passwd
qemu:x:42427:42427::/home/qemu:/usr/sbin/nologin
This is different than in previous releases.
From a downstream osp16 (train) release:
[root@compute-0 ~]# podman exec -it -u root nova_libvirt sh
()[root@compute-0 /]$ grep qemu /etc/passwd
qemu:x:107:107::/home/qemu:/usr/sbin/nologin
From reproducer env:
[zuul@node-0000586121 ~]$ ll /etc/pki/libvirt-vnc/
total 16
lrwxrwxrwx. 1 root root 31 Nov 12 09:09 ca-cert.pem -> /etc/pki/CA/certs/vnc-proxy.crt
-rw-r--r--. 1 root root 1911 Nov 12 09:09 client-cert.pem
-rw-r-----. 1 root qemu 1708 Nov 12 09:09 client-key.pem
-rw-r--r--. 1 root root 1911 Nov 12 09:09 server-cert.pem
-rw-r-----. 1 root qemu 1704 Nov 12 09:09 server-key.pem
[zuul@node-0000586121 ~]$ sudo podman exec -it -u root nova_libvirt sh
sh-4.4# ls -la /etc/pki
total 88
drwxr-xr-x. 1 root root 4096 Nov 12 09:21 .
drwxr-xr-x. 1 root root 4096 Nov 12 09:21 ..
drwxr-xr-x. 1 root root 4096 Nov 12 09:21 CA
drwxr-xr-x. 4 root root 4096 Sep 1 19:39 ca-trust
drwxr-xr-x. 2 root root 4096 Aug 17 20:21 consumer
drwxr-xr-x. 2 root root 4096 Aug 17 20:21 entitlement
lrwxrwxrwx. 1 root root 32 Sep 1 19:39 entitlement-host -> /run/secrets/etc-pki-entitlement
drwxr-xr-x. 2 root root 4096 Sep 1 19:39 java
drwxr-xr-x. 3 root root 4096 Nov 12 09:09 libvirt
drwxr-xr-x. 2 root root 4096 Nov 12 09:09 libvirt-nbd
drwxr-xr-x. 2 root root 4096 Nov 12 09:21 libvirt-vnc
drwxr-xr-x. 2 root root 4096 Nov 12 00:49 nssdb
drwxr-xr-x. 2 root root 4096 Nov 12 00:31 product
drwxr-xr-x. 2 root root 4096 Sep 1 19:39 product-default
drwxr-xr-x. 2 root root 4096 Nov 12 09:21 qemu
drwxr-xr-x. 2 root root 4096 Sep 1 19:39 rpm-gpg
drwxr-xr-x. 3 root root 4096 Sep 1 19:39 swid
drwxr-xr-x. 5 root root 4096 Sep 1 19:39 tls
sh-4.4# ls -la /etc/pki/libvirt-vnc/
total 28
drwxr-xr-x. 2 root root 4096 Nov 12 09:21 .
drwxr-xr-x. 1 root root 4096 Nov 12 09:21 ..
-rw-r--r--. 1 root root 1623 Nov 12 09:09 ca-cert.pem
-rw-r--r--. 1 root root 1911 Nov 12 09:09 server-cert.pem
-rw-r-----. 1 root 107 1704 Nov 12 09:09 server-key.pem
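The issue is that the qemu user id inside the container is different from the one on the host. In the container, server-key.pem is mode 0640 and owned by root:107, but the container's qemu account is 42427:42427, so qemu there gets no read access to the key: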
sh-4.4# grep qemu /etc/passwd
qemu:x:42427:42427::/home/qemu:/usr/sbin/nologin
This is different than in previous releases.
From a downstream osp16 (train) release:
[root@compute-0 ~]# podman exec -it -u root nova_libvirt sh
()[root@compute-0 /]$ grep qemu /etc/passwd
qemu:x:107:107::/home/qemu:/usr/sbin/nologin