osism / issues

This repository is used for bug reports that are cross-project or not bound to a specific repository (or to an unknown repository).
https://www.osism.tech

[bug] Can't create instances with vTPM (2.0) #1156

Closed netzvieh closed 1 week ago

netzvieh commented 1 week ago

OSISM release version

7.0.5

What's the problem?

Customer tries to create instances with vTPM (2.0) with extra specs set as per https://docs.openstack.org/nova/2023.2/admin/emulated-tpm.html. Instances stay in state ERROR with message:

{'code': 500, 'created': '2024-09-16T11:42:17Z', 'message': 'Exceeded maximum
number of retries. Exhausted all hosts available for retrying build failures
for instance b4ccc828-e340-4eb4-b9ee-fef78b749a67.', 'details': 'Traceback
(most recent call last):\n  File
"/var/lib/kolla/venv/lib/python3.10/site-packages/nova/conductor/manager.py",
line 705, in build_instances\n    raise
exception.MaxRetriesExceeded(reason=msg)\nnova.exception.MaxRetriesExceeded:
Exceeded maximum number of retries. Exhausted all hosts available for retrying
build failures for instance b4ccc828-e340-4eb4-b9ee-fef78b749a67.\n'}

Following the trail through the logs and nova-conductor to the compute node and the nova_libvirt container to the logfile "/var/log/swtpm/libvirt/qemu/instance-0000156c-swtpm.log" we find:

Starting vTPM manufacturing as tss:tss @ Mon 16 Sep 2024 11:42:07 AM UTC
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek
...
--dir /var/lib/libvirt/swtpm/b4ccc828-e340-4eb4-b9ee-fef78b749a67/tpm2
--logfile /var/log/swtpm/libvirt/qemu/instance-0000156c-swtpm.log --vmid
instance-0000156c:b4ccc828-e340-4eb4-b9ee-fef78b749a67 --tpm-spec-family 2.0
--tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014
--tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile
/etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Need read/write rights on statedir /var/lib/swtpm-localca for user tss.
swtpm-localca exit with status 1:
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Mon 16 Sep 2024 11:42:07 AM UTC

/var/lib/swtpm-localca has the wrong permissions:

(nova-libvirt)[root@compute03 /]# ls -ld /var/lib/swtpm-localca
drwxr-x--- 2 swtpm root 4096 May  3 10:04 /var/lib/swtpm-localca

(nova-libvirt)[root@compute03 /]# id tss
uid=103(tss) gid=109(tss) groups=109(tss)

Fixing the ownership/permissions helps; on this HV, vTPM instances can be deployed, and per dmesg the vTPM seems to work:

$> chgrp tss /var/lib/swtpm-localca && chmod g+w /var/lib/swtpm-localca

[    0.013428] ACPI: TPM2 0x000000003FFD3815 00004C (v04 BOCHS  BXPC 00000001 BXPC 00000001)
[    0.013445] ACPI: Reserving TPM2 table memory at [mem 0x3ffd3815-0x3ffd3860]

References to existing reports

References to existing bug reports, mailing lists, ...

Severity

low

Urgency

medium
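The failure above comes down to one question: does the account swtpm-localca runs as (`tss`) have read and write access to its statedir, given the directory's mode, owner and group? The following POSIX sh check is an added example, not code from this issue or from the swtpm or libvirt projects; the function names, the default path `/var/lib/swtpm-localca` and the default user `tss` are assumptions taken from the report. It applies the kernel's permission rule (owner bits only if the user owns the directory, otherwise group bits only if the user is in the directory's group, otherwise the other bits) to the values `ls -ld` and `id` show, and the live wrapper prints the same `chgrp`/`chmod` fix the report used when the check fails.

```shell
# Added example (not from the OSISM issue, swtpm or libvirt): reproduce the
# "Need read/write rights on statedir" condition from the fields visible in the
# report (`ls -ld` mode/owner/group and `id` user/groups). Function names and
# default paths are this example's own assumptions.

# swtpm_statedir_ok MODE OWNER GROUP USER "GROUPS..."
#   MODE   octal permission bits of the directory (750 or 0750)
#   OWNER  owning user name;  GROUP  owning group name
#   USER   account swtpm-localca runs as (tss in the report)
#   GROUPS space-separated names of every group USER belongs to (primary too)
# Returns 0 if USER can read and write the directory, 1 if not, 2 on bad input.
# Models the kernel rule: owner bits apply exclusively when USER owns the dir,
# group bits when USER is in GROUP, otherwise the "other" bits. Root's
# CAP_DAC_OVERRIDE bypass is deliberately not modelled (swtpm runs as tss).
swtpm_statedir_ok() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    case $mode in
        [0-7][0-7][0-7]) ;;
        [0-7][0-7][0-7][0-7]) mode=${mode#?} ;;   # drop leading 0 / special-bits digit
        *) echo "bad mode: $mode" >&2; return 2 ;;
    esac
    if [ "$user" = "$owner" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)
    else
        in_group=0
        for g in $groups; do
            if [ "$g" = "$group" ]; then in_group=1; fi
        done
        if [ "$in_group" -eq 1 ]; then
            digit=$(printf '%s' "$mode" | cut -c2)
        else
            digit=$(printf '%s' "$mode" | cut -c3)
        fi
    fi
    # read=4, write=2: both bits must be set in the applicable digit
    [ $(( digit & 6 )) -eq 6 ]
}

# swtpm_statedir_check_live [DIR] [USER]
# Linux-only wrapper (GNU stat, id): read the live values from the filesystem,
# run the check, and print the chgrp/chmod fix from the report on failure.
swtpm_statedir_check_live() {
    dir=${1:-/var/lib/swtpm-localca} user=${2:-tss}
    vals=$(stat -c '%a %U %G' "$dir") || return 2
    set -- $vals
    if swtpm_statedir_ok "$1" "$2" "$3" "$user" "$(id -Gn "$user")"; then
        echo "ok: $user has read/write on $dir ($1 $2:$3)"
    else
        echo "FAIL: $user lacks read/write on $dir ($1 $2:$3)" >&2
        echo "fix:  chgrp $user $dir && chmod g+w $dir" >&2
        return 1
    fi
}
```

Run `swtpm_statedir_check_live` inside the nova_libvirt container (where the report's `ls -ld` and `id` were taken) to get a pass/fail plus the suggested fix; the pure `swtpm_statedir_ok` function can also be fed values copied from a ticket, as in the report's `drwxr-x--- swtpm root` case, which fails for `tss` because it neither owns the directory nor is in group `root`, so only the `---` other bits apply.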

berendt commented 1 week ago

Are you changing this in the container or on the compute node?

berendt commented 1 week ago

> Are you changing this in the container or on the compute node?

In the container...