search

kimchi-project / kimchi

An HTML5 management interface for KVM guests
https://github.com/kimchi-project/kimchi/releases/latest
Other
3.12k stars 364 forks source link

Kimchi/Wok fails after a reboot #1336

Closed pmulgaonkar closed 4 years ago

pmulgaonkar commented 4 years ago

I had kimchi/wok running smoothly on a CentOS 7 base. Until I rebooted. Now I am getting a nginx 502 Bad Gateway error. The wok-error.log does not show anything obvious other than a unknown device type drm Qemu-kvm is running because I can connect to the kvm from a remote machine.

Push server created on address /run/user/0/woknotifications

*** Kimchi: Running feature tests ***
Service Libvirtd running ...: True
operation failed: no storage pools were found on host '127.0.0.1'
NFS Target Probe support ...: True
Fibre Channel Host support .: True
Kernel VFIO support ........: True
Network Manager running ....: True
Memory Hotplug support .....: False
*** Kimchi: Feature tests completed ***

Unknown device type: drm
Unknown device type: drm
Unknown device type: drm
Unknown device type: drm
Unknown device type: drm
Unknown device type: drm
Unknown device type: drm
Unknown device type: drm
Unknown device type: drm
Unknown device type: drm
[19/Nov/2020:13:43:48] ENGINE Listening for SIGHUP.
[19/Nov/2020:13:43:48] ENGINE Listening for SIGTERM.
[19/Nov/2020:13:43:48] ENGINE Listening for SIGUSR1.
[19/Nov/2020:13:43:48] ENGINE Bus STARTING
[19/Nov/2020:13:43:48] ENGINE Serving on 127.0.0.1:8010

*** Kimchi: Running dependable feature tests ***
QEMU stream support .......: True
Libvirt Stream Protocols ..: ['http', 'https', 'ftp', 'ftps', 'tftp']
*** Kimchi: Dependable feature tests completed ***

[19/Nov/2020:13:43:48] ENGINE Bus STARTED

The config files are as below:

[root@kimchi prasanna]# cat /etc/nginx/conf.d/wok.conf 
#
# This is the default nginx configuration for wokd service.
# If you need to change it for any reason, please, validate /etc/wok/wok.conf
#

client_max_body_size 4194304k;

# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
# when Wok is processing a request.
#
# Session timeout value must be properly set in /etc/wok/wok.conf as well
proxy_connect_timeout       10m;
proxy_send_timeout          10m;
proxy_read_timeout          10m;
send_timeout                10m;

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# To use a different port to websockets connections, change the configuration
# below and DO NOT forget to update /etc/wok/wok.conf accordingly
upstream websocket {
    server 127.0.0.1:64667;
}

server {
    # Default HTTPS port is 8001
    #
    # DO NOT forget to update proxy_port parameter in /etc/wok/wok.conf when
    # changing this value
    listen 0.0.0.0:8001 ssl;

    ssl_certificate /etc/wok/wok-cert.pem;
    ssl_certificate_key /etc/wok/wok-key.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/wok/dhparams.pem;

    # Session timeout value must be properly set in /etc/wok/wok.conf as well
    ssl_session_timeout 10m;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # Update location path for relative path
    # e.g.: localtion /wok
    location / {
        # Default cherrypy port for Wok is 8010
        # DO NOT forget to update cherrypy_port parameter in /etc/wok/wok.conf
        # when changing this value
        proxy_pass http://127.0.0.1:8010;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Update location path for https for relative path
        # e.g.: proxy_redirect http://127.0.0.1:8010/ https://$host:8001/wok/;
        proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
    }

    # Update location path for relative path
    # e.g.: localtion /wok/websockify
    location /websockify {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# Default HTTP port is 8001
#
# Every HTTP request will be forwarded to HTTPS by default
# Remove the block below to disable HTTP connections
server {
    listen 0.0.0.0:8001;
    rewrite ^/(.*)$ https://$host:8001/$1 redirect;
}

and 

[root@kimchi prasanna]# cat /etc/wok/wok.conf
#
# Configuration file for Wok Web Server
#

[server]
# Start an SSL-enabled server on the given port
#proxy_port = 8001

# Cherrypy server port
#cherrypy_port = 8010

# Port for websocket proxy to listen on
#websockets_port = 64667

# Number of minutes that a session can remain idle before the server
# terminates it automatically.
#session_timeout = 10

# Running environment of the server
#environment = production

# Max request body size in KB, default value is 4GB
#max_body_size = 4 * 1024 * 1024

# Wok server root. Set the following variable to configure any relative path to
# the server. For example, to have Wok pointing to https://localhost:8001/wok/
# uncomment the following:
#server_root=/wok

# Federation feature: register Wok server on openSLP and discover peers
# in the same network. Check README-federation for more details.
#federation = off

[logging]
# Log directory

# Be aware that editting logging directory, you must change logrotate
# configuration file to keep logs being compressed.
# Look /etc/logrotate.d/wokd

#log_dir = /var/log/wok

# Logging level: debug, info, warning, error or critical
#log_level = info

[authentication]
# Authentication method, available option: pam, ldap.
# method = pam

# If specified method to ldap, following fields need to be specified.
# ldap server domain name used to authenticate.
# ldap_server = "localhost"

# Search tree base in ldap
# ldap_search_base = "ou=People, dc=wok, dc=org"

# User id filter
# ldap_search_filter = "uid=%(username)s"

# User IDs regarded as Wok admin
# ldap_admin_id = "foo@foo.com, bar@bar.com"

Anything you experts see as missing? --prasanna

pmulgaonkar commented 4 years ago

Solved. SELinux was blocking nginx from talking to upstream. To fix it:

[root@kimchi prasanna]# setsebool httpd_can_network_connect on
[root@kimchi prasanna]# setsebool httpd_can_network_connect on -P