[solved] Authentication issue with MySQL/Galera backend on CentOS 7

Hi All,

I’m having a bizarre authentication issue on a new OpenNebula installation. I’ve set up a new MySQL cluster using Galera. As best as I can tell, all the MySQL backend components are properly set up. I can connect to mysql without any problems. The onedb tool also seems to be connecting properly (although OpenNebula hasn’t bootstrapped yet). Here’s what I can do:

[oneadmin@nebula-1 ~]$ mysql -u oneadmin --password=onepass -h localhost
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 835
Server version: 10.0.17-MariaDB-wsrep MariaDB Server, wsrep_25.10.r4144

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show grants;
+-----------------------------------------------------------------------------------------------------------------+
| Grants for oneadmin@localhost                                                                                   |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'oneadmin'@'localhost' IDENTIFIED BY PASSWORD '*B9D675ADDE4D3F7E65CBE4FCD51687EA46413DF0' |
| GRANT ALL PRIVILEGES ON `opennebula`.* TO 'oneadmin'@'localhost'                                                |
+-----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]>

Of course, the opennebula database is currently empty, because it hasn’t bootstrapped yet:

MariaDB [(none)]> use opennebula;
Database changed
MariaDB [opennebula]> show tables;
Empty set (0.00 sec)

Similarly, it appears that the onedb tool is connecting to the database and successfully searching for the user_pool table:

[oneadmin@nebula-1 ~]$ onedb fsck -v -S localhost -u oneadmin -p onepass -d opennebula
Database schema does not look to be created by OpenNebula: table user_pool is missing or empty.

Here’s the relevant section from my oned.conf file:

[oneadmin@nebula-1 ~]$ grep "^DB" -A8 /etc/one/oned.conf 
DB = [
    backend = "mysql",
    server = "localhost",
    port = 0,
    user = "oneadmin",
    password = "onepass",
    db_name = "opennebula"
]

However, oned fails to start:

[oneadmin@nebula-1 ~]$ one start
Could not open connect to database server.
oned failed to start
/bin/one: line 117: 231915 Terminated              $ONE_SCHEDULER

I can’t find anything suspicious in the logfile, either (snipped):

Thu Mar 19 22:59:01 2015 [Z0][ONE][I]: Starting OpenNebula 4.12.0
----------------------------------------
     OpenNebula Configuration File      
----------------------------------------
AUTH_MAD=AUTHN=ssh,x509,ldap,server_cipher,server_x509,EXECUTABLE=one_auth_mad
DATASTORE_BASE_PATH=/var/lib/one//datastores
DATASTORE_CAPACITY_CHECK=yes
DATASTORE_LOCATION=/var/lib/one//datastores
DATASTORE_MAD=ARGUMENTS=-t 15 -d dummy,fs,vmfs,lvm,ceph,dev,EXECUTABLE=one_datastore
DB=BACKEND=mysql,DB_NAME=opennebula,PASSWORD=onepass,PORT=0,SERVER=localhost,USER=oneadmin
...
----------------------------------------
Thu Mar 19 22:59:01 2015 [Z0][ONE][I]: Log level:3 [0=ERROR,1=WARNING,2=INFO,3=DEBUG]
Thu Mar 19 22:59:01 2015 [Z0][ONE][I]: Support for xmlrpc-c > 1.31: yes

I’ve put an strace on the oned process. I can see that it is accessing the MySQL socket. So, I tried setting the hostname to a network address (to force a TCP connection to MySQL instead of a socket connection). I also GRANTed the appropriate privileges in MySQL. No luck. I was able to start up successfully by switching back to sqlite, but that’s no good for our HA setup.

I was trying this with OpenNebula version 4.10 all week. Today I upgraded to 4.12, but no change.

What could I possibly be doing wrong? What should I try next?

Thanks!

It seems we are facing the same problem, but I’m not sure.

We’ve just tried to set up OpenNebula 4.12, but with a MariaDB Galera on a different host, to build a good HA on this part. But OpenNebula can only create the tables, and fails to populate them, with some strange error saying it can’t connect (then where do the tables come from?).

The workaround was to install mariadb-server (not the Galera part) on the same host as oned, change the mysql host in oned.conf and start the service again. Then stop it, dump the database, inject it into the MariaDB Galera host, change the mysql host in oned.conf back and start the service again. Now everything is fine.

At first we thought that it was because the MySQL was on a different host, a scenario that may not have been tested by the OpenNebula project. But it seems it’s more related to Galera…

OpenNebula shouldn’t have a problem connecting to a mysql/mariadb server on another machine. But we have not tested it with Galera at all.

How are you guys using galera? Is it for backups, or for active-active HA configuration? Because OpenNebula is not designed to work as active-active, that is going to fail quite badly.

Here (I’m not the OP) we need galera just for backup.

We are not attempting active-active OpenNebula either. Galera is being used for the database synchronization.

It’s quite easy (with Pacemaker and Corosync) to set up an active-active-active Galera cluster. We then intended to use Pacemaker to keep one copy of oned running.

If Galera has never been tested, then I suppose I’d better try turning it all off and connecting directly to a standalone MariaDB instance.

oned itself has been deployed with HA suite, http://docs.opennebula.org/4.12/advanced_administration/high_availability/oneha.html.

Also, it can interface with a HA MySQL, we have not tested galera itself but the Red Hat Cluster Suite. It seems that the deployment should be quite similar…

Well now I’m really stumped. I’ve created the oneadmin user on one of our production MySQL database servers. This is a simple, standalone MySQL server. No replication or HA.

[root@head ~]# mysql --version
mysql  Ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1

Here’s the user table:

mysql> select user,host from mysql.user;
+----------+-------------+
| user     | host        |
+----------+-------------+
| root     | 127.0.0.1   |
| oneadmin | 172.30.0.11 |
+----------+-------------+
6 rows in set (0.00 sec)

As in my posts above, I’m able to connect manually:

[oneadmin@nebula-1 ~]$ mysql -u oneadmin -ponepass -h 172.30.0.5 opennebula
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1432
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [opennebula]> show grants;
+-------------------------------------------------------------------------------------------------------------------+
| Grants for oneadmin@172.30.0.11                                                                                   |
+-------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'oneadmin'@'172.30.0.11' IDENTIFIED BY PASSWORD '*B9D675ADDE4D3F7E65CBE4FCD51687EA46413DF0' |
| GRANT ALL PRIVILEGES ON `opennebula`.* TO 'oneadmin'@'172.30.0.11'                                                |
+-------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

The onedb tool seems to be connecting properly (although the DB isn’t bootstrapped yet):

[oneadmin@nebula-1 ~]$ onedb fsck -v -S 172.30.0.5 -u oneadmin -p onepass -d opennebula
Database schema does not look to be created by OpenNebula: table user_pool is missing or empty.

And still, oned refuses to start:

[oneadmin@nebula-1 ~]$ one start
Could not open connect to database server.
oned failed to start
/bin/one: line 117: 39433 Terminated              $ONE_SCHEDULER

I know that this should work. My question to you experts is: what else can I do to enable higher levels of debugging to dig into this problem further? Is there any way to make oned more verbose when attempting the database connection? Am I going to have to trace the TCP packets with Wireshark? I guess that’s my next task :(

Hi there,

what does the MariaDB logfile say? I would look into it. There are a couple of logs available and you might want to change / activate their different logging states: https://mariadb.com/kb/en/mariadb/log-files/

Also, what kind of replication do you have activated? Master-Master, Master-Slave? (Or did I overlook that in previous posts?) Maybe your write call gets rerouted to another host and you have some connectivity or access-rights issue on that end.

Also, what is the default character set configured on your MariaDB instance? I have heard of connection issues where a wrong default charset was responsible.

Thanks, Christian! Right now, I’m running without any replication enabled. Just a standalone MariaDB daemon.

I haven’t changed the default character set. I think MariaDB sets it to latin1 by default? And I see that opennebula is UTF-8.

I’ve enabled the general log, which shows this for the connection made by running one start:

150321 12:09:50     8 Connect   oneadmin@localhost as anonymous on
                    8 Connect   Access denied for user 'oneadmin'@'localhost' (using password: YES)

Given that, it’s clear that this is a privileges issue. I restarted MariaDB with skip-grant-tables in the my.cnf file:

[mysqld]
skip-grant-tables

That stops the DB from checking passwords. And with that, OpenNebula is able to start!

Of course, once I re-enable privilege checking, startup is broken again. I’m still able to connect manually as oneadmin. The onedb tool is able to run fsck successfully. But one start is still failing.

I’ve triple-checked the credentials in oned.conf and the DB user table. Still can’t find any issues there.

At least I know what to chase…

Maybe you want to download MySQLWorkbench: http://dev.mysql.com/downloads/workbench/
It works with MariaDB as well (since it’s basically MySQL) and you can visually check your access rights there, if you’re not too familiar with MySQL / MariaDB access rights management on the command line.

$#!%

OpenNebula with Galera works just fine. My MariaDB permissions were actually set correctly.

However, my DB credentials in oned.conf used the wrong key/value pairs… :(

I was using:

DB = [
    backend = "mysql",
    server = "localhost",
    port = 0,
    user = "oneadmin",
    password = "onepass",
    db_name = "opennebula"
]

Should have been:

DB = [
    backend = "mysql",
    server = "localhost",
    port = 0,
    user = "oneadmin",
    passwd = "onepass",
    db_name = "opennebula"
]

I am ashamed… marking as resolved.

Thanks for the help, everyone!
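
The root cause above was a misspelled key (password instead of passwd) in the DB block of oned.conf. The following is an added example, not part of the original thread and not OpenNebula code: a small linter that parses the DB block and flags keys outside an allowlist. The allowlist is an assumption taken from the working block in the final post, and the names parse_db_block and lint_db_block are hypothetical.

```python
import difflib
import re

# Keys copied from the working DB block in the final post of this thread.
# Assumption: this allowlist is complete for your oned.conf; extend it if not.
KNOWN_DB_KEYS = ("backend", "server", "port", "user", "passwd", "db_name")

# One 'key = "value"' or 'key = value' pair, with an optional trailing comma.
PAIR = re.compile(r'\s*(\w+)\s*=\s*(?:"([^"]*)"|([^,\s\]]+))\s*,?')

def parse_db_block(conf_text):
    """Return {key: value} from the first 'DB = [ ... ]' block."""
    # Drop comment lines first so a commented-out DB block is not parsed.
    body = "\n".join(ln for ln in conf_text.splitlines()
                     if not ln.lstrip().startswith("#"))
    start = re.search(r"^\s*DB\s*=\s*\[", body, re.M)
    pairs = {}
    pos = start.end() if start else len(body)
    while (m := PAIR.match(body, pos)):
        quoted, bare = m.group(2), m.group(3)
        pairs[m.group(1).lower()] = quoted if quoted is not None else bare
        pos = m.end()
    return pairs

def lint_db_block(conf_text):
    """Flag keys outside the allowlist (with nearest match) and absent keys."""
    pairs = parse_db_block(conf_text)
    unknown = []
    for key in pairs:
        if key not in KNOWN_DB_KEYS:
            near = difflib.get_close_matches(key, KNOWN_DB_KEYS, n=1, cutoff=0.6)
            unknown.append((key, near[0] if near else None))
    missing = [k for k in KNOWN_DB_KEYS if k not in pairs]
    return {"unknown": unknown, "missing": missing}

# Constructed samples: the two DB blocks quoted in the thread.
BROKEN = '''DB = [
    backend = "mysql", server = "localhost", port = 0,
    user = "oneadmin", password = "onepass", db_name = "opennebula"
]'''
FIXED = BROKEN.replace("password =", "passwd =")

if __name__ == "__main__":
    print("broken:", lint_db_block(BROKEN))
    print("fixed: ", lint_db_block(FIXED))
```

The linter returns key names only, never values, so its output can be logged without exposing the database password.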