Re: 4.11.1 install feedback
Rene, for testing purposes I've updated my temporary files at:

http://lab.yadav.cloud/testing/4.11.1-pre-rc1/ (packages from latest 4.11)
http://lab.yadav.cloud/systemvmtemplates/4.11/

I'll stop using the above, we'll eventually share a different URL/location to share test artifacts for testing purposes.

- Rohit

From: Rene Moser
Sent: Wednesday, May 23, 2018 1:48:47 PM
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback

Hi again

Regarding router: the router looks more stable (rohit lab version). However, we still need to manually reboot it after first provisioning, otherwise the management server does not get access by ssh.

Having a lot of fw rules and many VMs in an advanced network, still takes a "hell of a time" to get the VR fully configured. This is on VMware 6.5, I think, there is no automated testing for this env right?

Regards
René

rohit.ya...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue
Re: 4.11.1 install feedback
Hi Rene,

About your login issue - if commands.properties is not present in CloudStack's classpath for example, usually at /etc/cloudstack/management or somewhere in /usr/share/cloudstack-management/ path. The CloudStack upgrade logic has been simplified wrt dynamic roles and will automatically switch your env to use dynamic roles if commands.properties is missing:

https://github.com/apache/cloudstack/blob/4.11/engine/schema/src/com/cloud/upgrade/dao/Upgrade41000to41100.java#L65

I'm not sure exactly how the upgrade was tested - can you check either at your API logs why the login is failing and if the API is allowed for the login user/account from cloud.role_permission (select * from role_permissions where role_id=1; for admin user account). You may also want to check for browser cache i.e. attempt using the UI in incognito mode. Are you able to reproduce failure by using cloudmonkey with login credentials (not apikey/secretkey)?

About the VR issue - a manual reboot should not be necessary after first provisioning, I would see that as a bug and perhaps a blocker. What we can do is look at your env, see systemd process chains (see what's blocking and causing blocking or failures?) and share our findings (or fix/PR) with the community. After the VR is up, from vCenter client can you see where it is stuck and if it is able to start ssh. You can check for cloud-postinit service (systemctl status cloud-postinit). In the past I found and fixed an issue where it got stuck due to dependency issues around apache2 (killing or performing systemctl stop apache2 also fixed the issue, in my fix I made it stop+start without blocking the cloud-postinit process).

- Rohit

From: Rene Moser
Sent: Wednesday, May 23, 2018 1:48:47 PM
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback

Hi again

Regarding router: the router looks more stable (rohit lab version). However, we still need to manually reboot it after first provisioning, otherwise the management server does not get access by ssh.

Having a lot of fw rules and many VMs in an advanced network, still takes a "hell of a time" to get the VR fully configured. This is on VMware 6.5, I think, there is no automated testing for this env right?

Regards
René
Re: 4.11.1 install feedback
Hi again

Regarding router: the router looks more stable (rohit lab version). However, we still need to manually reboot it after first provisioning, otherwise the management server does not get access by ssh.

Having a lot of fw rules and many VMs in an advanced network, still takes a "hell of a time" to get the VR fully configured. This is on VMware 6.5, I think, there is no automated testing for this env right?

Regards
René
Re: 4.11.1 install feedback
You may want to try a

update cloud.configuration set value='true' where name='dynamic.apichecker.enabled'

and see if that lets you login.

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 22/05/2018, 17:25, "Rene Moser" wrote:

On 05/22/2018 06:08 PM, Dag Sonstebo wrote:
> Rene – did you set dynamic.apichecker.enabled to true?

I checked, it is false.
Re: 4.11.1 install feedback
On 05/22/2018 06:08 PM, Paul Angus wrote:
> Had you 'upgraded' to dynamic roles in your 4.9 environment Rene?

right, it was for 4.9. Yes, did that.

the "session expired" issue seems only related to UI. api keys still work.
RE: 4.11.1 install feedback
Had you 'upgraded' to dynamic roles in your 4.9 environment Rene?

Kind regards,
Paul Angus

-Original Message-
From: Rene Moser
Sent: 22 May 2018 16:48
To: dev@cloudstack.apache.org
Subject: Re: 4.11.1 install feedback

appending some logs

2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet] (qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer] (qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet] (qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START=== 10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END=== 10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet] (qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START=== 10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given command 'quotaIsEnabled' either does not exist, is not available for user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END=== 10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet] (qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer] (qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null

On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
>
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue where I can still not login with admin after upgrade. I immediately get a "session expired" in the UI. I remember an issue related to roles but can not find the "workaround" and thought it were fixed for 4.11.1.
>
> Any help is appreciated.
>
> René
>
Re: 4.11.1 install feedback
Rene – did you set dynamic.apichecker.enabled to true?

Regards,
Dag Sonstebo
Cloud Architect
ShapeBlue

On 22/05/2018, 16:48, "Rene Moser" wrote:

appending some logs

2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet] (qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer] (qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet] (qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START=== 10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END=== 10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet] (qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START=== 10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given command 'quotaIsEnabled' either does not exist, is not available for user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END=== 10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet] (qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer] (qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null

On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
>
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue where I can still not login with admin after upgrade. I immediately get a "session expired" in the UI. I remember an issue related to roles but can not find the "workaround" and thought it were fixed for 4.11.1.
>
> Any help is appreciated.
>
> René
>
Re: 4.11.1 install feedback
appending some logs

2018-05-22 17:45:49,929 DEBUG [c.c.a.ApiServlet] (qtp1386767190-11:ctx-0a395356) (logid:33635259) ===START=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:49,932 DEBUG [c.c.a.ApiServer] (qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:49,937 DEBUG [c.c.a.ApiServlet] (qtp1386767190-11:ctx-0a395356 ctx-7a746d15) (logid:33635259) ===END=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003949904
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START=== 10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END=== 10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet] (qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START=== 10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given command 'quotaIsEnabled' either does not exist, is not available for user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END=== 10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet] (qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer] (qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null

On 05/22/2018 05:39 PM, Rene Moser wrote:
> Hi
>
> I ran the update from 4.9.3 to 4.11.1 (rohit lab) and got into the issue where I can still not login with admin after upgrade. I immediately get a "session expired" in the UI. I remember an issue related to roles but can not find the "workaround" and thought it were fixed for 4.11.1.
>
> Any help is appreciated.
>
> René
>
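
Added example (not part of any message in this thread and not CloudStack code): a small Python triage script for the API log excerpt posted above, grouping entries by logid and labelling each request. The log entries are copied from the thread; the function name and the outcome labels (no_error_logged, rejected, no_session) are illustrative assumptions.

```python
import re

# Entries copied from the log excerpt in this thread (one entry per line).
SAMPLE = """\
2018-05-22 17:45:50,025 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef) (logid:53421488) ===START=== 10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,028 DEBUG [c.c.a.ApiServer] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:50,032 DEBUG [c.c.a.ApiServlet] (qtp1386767190-16:ctx-8f4234ef ctx-1c7598cc) (logid:53421488) ===END=== 10.184.2.226 -- GET command=cloudianIsEnabled&response=json&_=1527003949976
2018-05-22 17:45:50,093 DEBUG [c.c.a.ApiServlet] (qtp1386767190-17:ctx-16bff054) (logid:1abefa91) ===START=== 10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,097 DEBUG [c.c.a.ApiServer] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) CIDRs from which account 'Acct[2-admin]' is allowed to perform API calls: 0.0.0.0/0,::/0
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServer] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) The given command 'quotaIsEnabled' either does not exist, is not available for user, or not available from ip address '/10.184.2.226'.
2018-05-22 17:45:50,098 DEBUG [c.c.a.ApiServlet] (qtp1386767190-17:ctx-16bff054 ctx-b0e8c230) (logid:1abefa91) ===END=== 10.184.2.226 -- GET command=quotaIsEnabled&response=json&_=1527003950074
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServlet] (qtp1386767190-20:ctx-5a7f0d91) (logid:9a3f5b56) ===START=== 10.184.2.226 -- GET command=listZones&response=json&_=1527003950156
2018-05-22 17:45:50,232 DEBUG [c.c.a.ApiServer] (qtp1386767190-20:ctx-5a7f0d91 ctx-382a670b) (logid:9a3f5b56) Expired session, missing signature, or missing apiKey -- ignoring request. Signature: null, apiKey: null
"""

ENTRY = re.compile(r"^\S+ \S+ DEBUG \[[^\]]+\] \([^)]*\) \(logid:(?P<logid>\w+)\) (?P<msg>.*)$")
START = re.compile(r"===START===\s+(?P<ip>\S+) -- \w+\s+command=(?P<cmd>\w+)")
ACCOUNT = re.compile(r"account '(?P<acct>[^']+)' is allowed")
REJECTED = "either does not exist, is not available for user"
NO_SESSION = "Expired session, missing signature, or missing apiKey"

def classify(log_text):
    """Group entries by logid; return {logid: request summary} in log order."""
    requests = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not an API debug entry in the layout shown in the thread
        req = requests.setdefault(m["logid"], {
            "command": None, "ip": None, "account": None,
            "outcome": "no_error_logged"})
        msg = m["msg"]
        if s := START.search(msg):
            req["command"], req["ip"] = s["cmd"], s["ip"]
        elif a := ACCOUNT.search(msg):
            req["account"] = a["acct"]     # request was tied to an account
        elif REJECTED in msg:
            req["outcome"] = "rejected"    # command check failed for the caller
        elif NO_SESSION in msg:
            req["outcome"] = "no_session"  # no session, signature or apiKey seen
    return requests

if __name__ == "__main__":
    for logid, req in classify(SAMPLE).items():
        print(logid, req["command"], req["account"], req["outcome"])
```

On these entries the quotaIsEnabled request is rejected while still attributed to Acct[2-admin], and the listZones request that follows is logged with no account, signature or apiKey.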