Re: 4.11.1 install feedback

[Rohit Yadav]

Rene, for testing purposes I've updated my temporarily files at:

http://lab.yadav.cloud/testing/4.11.1-pre-rc1/ (packages from latest 4.11)

http://lab.yadav.cloud/systemvmtemplates/4.11/


I'll stop using the above, we'll eventually share a different URL/location to 
share test artifacts for testing purposes.


- Rohit



From: Rene Moser <m...@renemoser.net>
Sent: Wednesday, May 23, 2018 1:48:47 PM
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback

Hi again

Regarding router: the router looks more stable (rohit lab version).
However, we still need to manually reboot it after first provisioning,
otherwise the management server does not get access by ssh.

Having a lot of fw rules and many VMs in an advanced network, still
takes a "hell of a time" to get the VR fully configured.

This is on VMware 6.5, I think, there is no automated testing for this
env right?

Regards
René

rohit.ya...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

Re: 4.11.1 install feedback

[Rohit Yadav]

Hi Rene,


About your login issue - if command.properties is not present in CloudStack's 
classpath for example, usually at /etc/cloudstack/management or somewhere in 
/usr/share/cloudstack-management/ path. The CloudStack upgrade logic has been 
simplified wrt dynamic roles and will automatically switch your env to use 
dynamic roles if commands.properties is missing:

https://github.com/apache/cloudstack/blob/4.11/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java#L65


I'm not sure exactly how the upgrade was tested - can you check either at your 
API logs why the login is failing and if the API is allowed for the login 
user/account from cloud.role_permission (select * from role_permissions where 
role_id=1; for admin user account).


You may also want to check for browser cache i.e. attempt using the UI in 
incognito mode. Are you able to reproduce failure by using cloudmonkey with 
login credentials (not apikey/secretkey)?


About the VR issue - a manual reboot should not be necessary after first 
provisioning, I would see that as a bug and perhaps a blocker. What we can do 
is look at your env, see systemd process chains (see what's blocking and 
causing blocking or failures?) and share our findings (or fix/PR) with the 
community.


After the VR is up, from vCenter client can you see where it is stuck and if it 
is able to start ssh. You can check for cloud-postinit service (systemctl 
status cloud-postinit). In the past I found and fixed an issue where it got 
stuck due to dependency issues around apache2 (killing or performing systemctl 
stop apache2 also fixed the issue, in my fix I made it stop+start without 
blocking the cloud-postinit process).


- Rohit

<https://cloudstack.apache.org>




From: Rene Moser <m...@renemoser.net>
Sent: Wednesday, May 23, 2018 1:48:47 PM
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback

Hi again

Regarding router: the router looks more stable (rohit lab version).
However, we still need to manually reboot it after first provisioning,
otherwise the management server does not get access by ssh.

Having a lot of fw rules and many VMs in an advanced network, still
takes a "hell of a time" to get the VR fully configured.

This is on VMware 6.5, I think, there is no automated testing for this
env right?

Regards
René

rohit.ya...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

Re: 4.11.1 install feedback

[Rene Moser]

Hi again

Regarding router: the router looks more stable (rohit lab version).
However, we still need to manually reboot it after first provisioning,
otherwise the management server does not get access by ssh.

Having a lot of fw rules and many VMs in an advanced network, still
takes a "hell of a time" to get the VR fully configured.

This is on VMware 6.5, I think, there is no automated testing for this
env right?

Regards
René

Re: 4.11.1 install feedback

[Dag Sonstebo]

You may want to try a update cloud.configuration set value='true' where 
name='dynamic.apichecker.enabled' and see if that lets you login.

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 22/05/2018, 17:25, "Rene Moser"  wrote:

On 05/22/2018 06:08 PM, Dag Sonstebo wrote:
> Rene – did you set dynamic.apichecker.enabled to true?

I checked, it is false.








dag.sonst...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

Re: 4.11.1 install feedback

[Rene Moser]

On 05/22/2018 06:08 PM, Paul Angus wrote:
> Had you 'upgraded' to dynamic roles in your 4.9 environment Rene?

right, it was for 4.9. Yes, did that.

the "session expired" issue seems only related to UI. api keys still work.

Re: 4.11.1 install feedback

[Dag Sonstebo]

Rene – did you set dynamic.apichecker.enabled to true?

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 22/05/2018, 16:48, "Rene Moser"  wrote:

appending some logs

2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START===
10.184.2.226 -- GET  command=listZones=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END===
10.184.2.226 -- GET  command=listZones=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START===
10.184.2.226 -- GET  command=cloudianIsEnabled=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer]
(qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END===
10.184.2.226 -- GET  command=cloudianIsEnabled=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START===
10.184.2.226 -- GET  command=quotaIsEnabled=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given
command 'quotaIsEnabled' either does not exist, is not available for
user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END===
10.184.2.226 -- GET  command=quotaIsEnabled=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START===
10.184.2.226 -- GET  command=listZones=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer]
(qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired
session, missing signature, or missing apiKey -- ignoring request.
Signature: null, apiKey: null


On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
> 
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue
> where I can still not login with admin after upgrade. I immediately get
> a "session expired" in the UI. I remember an issue related to roles but
> can not find the "workaround" and thought it were fixed for 4.11.1.
> 
> Any help is appreciated.
> 
> René
> 



dag.sonst...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 

RE: 4.11.1 install feedback

[Paul Angus]

Had you 'upgraded' to dynamic roles in your 4.9 environment Rene?

Kind regards,

Paul Angus

paul.an...@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 


-Original Message-
From: Rene Moser <m...@renemoser.net> 
Sent: 22 May 2018 16:48
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback

appending some logs

2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START===
10.184.2.226 -- GET  command=listZones=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from which 
account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END===
10.184.2.226 -- GET  command=listZones=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START===
10.184.2.226 -- GET  command=cloudianIsEnabled=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer] (qtp1386767190-16:ctx-8f4234ef 
ctx-1c7598cc) (logid:53421488) CIDRs from which account 'Acct[2-admin]' is 
allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef 
ctx-1c7598cc) (logid:53421488) ===END===
10.184.2.226 -- GET  command=cloudianIsEnabled=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START===
10.184.2.226 -- GET  command=quotaIsEnabled=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from which 
account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given command 
'quotaIsEnabled' either does not exist, is not available for user, or not 
available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END===
10.184.2.226 -- GET  command=quotaIsEnabled=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START===
10.184.2.226 -- GET  command=listZones=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer]
(qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired session, 
missing signature, or missing apiKey -- ignoring request.
Signature: null, apiKey: null


On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
> 
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the 
> issue where I can still not login with admin after upgrade. I 
> immediately get a "session expired" in the UI. I remember an issue 
> related to roles but can not find the "workaround" and thought it were fixed 
> for 4.11.1.
> 
> Any help is appreciated.
> 
> René
> 

Re: 4.11.1 install feedback

[Rene Moser]

appending some logs

2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START===
10.184.2.226 -- GET  command=listZones=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END===
10.184.2.226 -- GET  command=listZones=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START===
10.184.2.226 -- GET  command=cloudianIsEnabled=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer]
(qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END===
10.184.2.226 -- GET  command=cloudianIsEnabled=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START===
10.184.2.226 -- GET  command=quotaIsEnabled=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from
which account 'Acct[2-admin]' is allowed to perform API calls:
0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given
command 'quotaIsEnabled' either does not exist, is not available for
user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END===
10.184.2.226 -- GET  command=quotaIsEnabled=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet]
(qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START===
10.184.2.226 -- GET  command=listZones=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer]
(qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired
session, missing signature, or missing apiKey -- ignoring request.
Signature: null, apiKey: null


On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
> 
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue
> where I can still not login with admin after upgrade. I immediately get
> a "session expired" in the UI. I remember an issue related to roles but
> can not find the "workaround" and thought it were fixed for 4.11.1.
> 
> Any help is appreciated.
> 
> René
> 

4.11.1 install feedback

[Rene Moser]

Hi

I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue
where I can still not login with admin after upgrade. I immediately get
a "session expired" in the UI. I remember an issue related to roles but
can not find the "workaround" and thought it were fixed for 4.11.1.

Any help is appreciated.

René