Mailing List Archive

libpam-ldap and HVM domain errors
Hi all,
Yesterday after a server reboot I experienced some strange errors while
trying to recreate my HVM domains:

libxl: error: libxl_dm.c:2339:device_model_spawn_outcome: Domain 4:(null): spawn failed (rc=-3)
libxl: error: libxl_create.c:1501:domcreate_devmodel_started: Domain 4:device model did not start: -3
libxl: error: libxl_domain.c:1003:libxl__destroy_domid: Domain 4:Non-existant domain
libxl: error: libxl_domain.c:962:domain_destroy_callback: Domain 4:Unable to destroy guest
libxl: error: libxl_domain.c:889:domain_destroy_cb: Domain 4:Destruction of domain failed

Debug output from xl create was not showing anything interesting, and much
later I found some errors in the systemd journal:

xl[3163]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
xl[3163]: nss_ldap: failed to bind to LDAP server ldap://auth-01.domain.com: Can't contact LDAP server
xl[3163]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
xl[3163]: nss_ldap: failed to bind to LDAP server ldap://auth-02.domain.com: Can't contact LDAP server
xl[3163]: nss_ldap: could not search LDAP server - Server is unavailable

So I disabled ldap as a user provider in nsswitch.conf
and voila, HVM domains are up and running.

Something about the setup:
I'm using Xen 4.9 from the Ubuntu repos on Ubuntu 18.04.
Three days ago I set up LDAP authentication on the server.
It's not like there must be LDAP auth on the Xen server, but it would be
appreciated.

So why can Xen fail to create a domain because of a broken nsswitch?
What could I do to keep LDAP auth and still be able to manage HVM domains
when it fails?

Thank you,
Regards,
Danila Reznichuk.


_______________________________________________
Xen-users mailing list
Xen-users@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-users
Re: libpam-ldap and HVM domain errors
Hi Danila,

On Fri, Jun 21, 2019 at 01:20:47PM +0300, Danila Reznichuk wrote:
> Hi all,
> Yesterday after server reboot i've experienced some strage error while
> trying to recreate my HVM domains:
>
> libxl: error: libxl_dm.c:2339:device_model_spawn_outcome: Domain
> 4:(null): spawn failed (rc=-3)
> libxl: error: libxl_create.c:1501:domcreate_devmodel_started: Domain
> 4:device model did not start: -3
> libxl: error: libxl_domain.c:1003:libxl__destroy_domid: Domain 4:Non-
> existant domain
> libxl: error: libxl_domain.c:962:domain_destroy_callback: Domain
> 4:Unable to destroy guest
> libxl: error: libxl_domain.c:889:domain_destroy_cb: Domain
> 4:Destruction of domain failed
>
> debug from xl create was not showing any interesting, and much later I
> found some errors in systemd journal:
>
> xl[3163]: nss_ldap: could not connect to any LDAP server as (null) -
> Can't contact LDAP server
> xl[3163]: nss_ldap: failed to bind to LDAP server ldap://auth-
> 01.domain.com: Can't contact LDAP server
> xl[3163]: nss_ldap: could not connect to any LDAP server as (null) -
> Can't contact LDAP server
> xl[3163]: nss_ldap: failed to bind to LDAP server ldap://auth-
> 02.domain.com: Can't contact LDAP server
> xl[3163]: nss_ldap: could not search LDAP server - Server is
> unavailable
>
> so i disabled ldap as user provider in nsswitch.conf
> and voila, HVM domains are up and running.
>
> Something about setup:
> I'm using Xen 4.9 from Ubuntu repos on Ubuntu 18.04
> three days ago I setup ldap authentication on server
> Not like it must be LDAP auth on xen server, but it will be
> appriciated.
>
> So why XEN can fail to create domain because of broken nsswitch?
> What could I do, to keep ldap auth, and be able to manage HVM domains,
> when it fails?
>
> Thank you,
> Regards,
> Danila Reznichuk.

Are you using options to run the qemu process as a de-privileged user?
I encountered some issues previously when having pam/nsswitch with
ldap/winbind, as the return code from the getpwnam_r call was not (in
my opinion) correctly checked:
https://lists.xenproject.org/archives/html/xen-devel/2018-08/msg00160.html

Regards,
James
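
The getpwnam_r return handling mentioned in the reply above, as an added example (not code from the thread, from libxl, or from the linked patch). It separates "user absent" from "lookup failed" so a caller choosing an account for a de-privileged process can fail closed when a name service such as LDAP is unreachable. The names `classify`, `lookup_user` and the account name `no-such-user-constructed` are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

enum lookup { USER_FOUND, USER_ABSENT, LOOKUP_FAILED };

/* Interpret getpwnam_r()'s two outputs: the return value and *result. */
static enum lookup classify(int ret, const struct passwd *result)
{
    if (ret == 0)
        return result ? USER_FOUND : USER_ABSENT;
    /* Linux getpwnam(3): some backends report "not found" with these codes. */
    if (ret == ENOENT || ret == ESRCH || ret == EBADF || ret == EPERM)
        return USER_ABSENT;
    return LOOKUP_FAILED;   /* e.g. EIO, ENOMEM: a source could not answer */
}

/* Look up `name`, growing the buffer on ERANGE. On USER_FOUND, *uid is set. */
static enum lookup lookup_user(const char *name, uid_t *uid)
{
    size_t len = 1024;
    for (;;) {
        struct passwd pw, *result = NULL;
        char *buf = malloc(len);
        if (!buf) return LOOKUP_FAILED;
        int ret = getpwnam_r(name, &pw, buf, len, &result);
        if (ret == ERANGE && len < (1u << 20)) {   /* buffer too small */
            free(buf);
            len *= 2;
            continue;
        }
        enum lookup r = classify(ret, result);
        if (r == USER_FOUND)
            *uid = pw.pw_uid;   /* copy out before the buffer is freed */
        free(buf);
        return r;
    }
}

int main(void)
{
    uid_t uid = 0;
    /* "no-such-user-constructed" is a made-up name for the demo. */
    printf("root: %d, missing: %d\n", lookup_user("root", &uid),
           lookup_user("no-such-user-constructed", &uid));
    return 0;
}
```

The program prints the `enum lookup` value for each name: 0 is found, 1 is absent, 2 is a failed lookup.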

Re: libpam-ldap and HVM domain errors
Hi James,

I'm definitely sure it's running as root;
the machine is started with sudo xl create.

The only change to the xl toolstack is the network-script,
and the VM config is almost minimal:

builder = "hvm"
name = "gw-01.domain.com"
memory = 4096
vcpus = 2
vif = [
'mac=$MAC_ADDR1,bridge=xenbr1',
'mac=$MAC_ADDR2,bridge=xenbr0'
]
disk = [ '/dev/xen-domU/gw-01-xvda,raw,xvda,rw' ]
vnc = 1

The attached link looks like a solution.
I'll try to test it.

Thanks,
Danila Reznichuk

On Tue, 2019-06-25 at 14:30 +0000, James Dingwall wrote:
> Hi Danila,
>
> On Fri, Jun 21, 2019 at 01:20:47PM +0300, Danila Reznichuk wrote:
> > Hi all,
> > Yesterday after server reboot i've experienced some strage error
> > while
> > trying to recreate my HVM domains:
> >
> > libxl: error: libxl_dm.c:2339:device_model_spawn_outcome: Domain
> > 4:(null): spawn failed (rc=-3)
> > libxl: error: libxl_create.c:1501:domcreate_devmodel_started:
> > Domain
> > 4:device model did not start: -3
> > libxl: error: libxl_domain.c:1003:libxl__destroy_domid: Domain
> > 4:Non-
> > existant domain
> > libxl: error: libxl_domain.c:962:domain_destroy_callback: Domain
> > 4:Unable to destroy guest
> > libxl: error: libxl_domain.c:889:domain_destroy_cb: Domain
> > 4:Destruction of domain failed
> >
> > debug from xl create was not showing any interesting, and much
> > later I
> > found some errors in systemd journal:
> >
> > xl[3163]: nss_ldap: could not connect to any LDAP server as (null)
> > -
> > Can't contact LDAP server
> > xl[3163]: nss_ldap: failed to bind to LDAP server ldap://auth-
> > 01.domain.com: Can't contact LDAP server
> > xl[3163]: nss_ldap: could not connect to any LDAP server as (null)
> > -
> > Can't contact LDAP server
> > xl[3163]: nss_ldap: failed to bind to LDAP server ldap://auth-
> > 02.domain.com: Can't contact LDAP server
> > xl[3163]: nss_ldap: could not search LDAP server - Server is
> > unavailable
> >
> > so i disabled ldap as user provider in nsswitch.conf
> > and voila, HVM domains are up and running.
> >
> > Something about setup:
> > I'm using Xen 4.9 from Ubuntu repos on Ubuntu 18.04
> > three days ago I setup ldap authentication on server
> > Not like it must be LDAP auth on xen server, but it will be
> > appriciated.
> >
> > So why XEN can fail to create domain because of broken nsswitch?
> > What could I do, to keep ldap auth, and be able to manage HVM
> > domains,
> > when it fails?
> >
> > Thank you,
> > Regards,
> > Danila Reznichuk.
>
> Are you using options to run the qemu process as a de-privileged
> user?
> I encountered some issues previously when having pam/nsswitch with
> ldap/winbind as the a return code from the getpwnam_r call was not
> (in
> my opinion) correctly checked:
> https://lists.xenproject.org/archives/html/xen-devel/2018-08/msg00160.html
>
> Regards,
> James

