Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Jorick Astrego
I will check, but I now also have the problem in reverse. The compute
resource in foreman 1.6 will only work with admin@internal. Gave the
external user the superuser role to test but still permission denied.

I also cannot login to the api with this user manually, do I have to
configure external authentication for api access somewhere else?

Thanks for all the help!

Jorick

On 01/22/2015 01:58 PM, Oved Ourfali wrote:
 Have a look at the prerequisites section in 
 http://www.ovirt.org/Features/ForemanIntegration#Bare-Metal_Provisioning
 It specifies what you must be able to do in Foreman for the integration to 
 work.
 (currently we require proper permissions to view relevant bare-metal hosts, 
 host groups, compute resources and execute provision request - which is a 
 request to add a host).

 It is not the complete set of specific roles in Foreman, but it can help do 
 the mapping.

 CC-ing also Ohad from the Foreman team, which can help if the information in 
 the wiki isn't enough.

 Thanks,
 Oved

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:48:34 PM
 Subject: [ovirt-users] roles for foreman integration user

 Hi,

 Quick question, which foreman roles does the foreman integration user
 require in the foreman.

 I've tried a couple of permission settings but can only get the test to
 work when the user has role admin.





 Met vriendelijke groet, With kind regards,

 Jorick Astrego

 Netbulae Virtualization Experts

 Tel: 053 20 30 270  i...@netbulae.eu  Staalsteden 4-3A  KvK 08198180
 Fax: 053 20 30 271  www.netbulae.eu  7547 TA Enschede  BTW NL821234584B01



 ___
 Users mailing list
 Users@ovirt.org
 http://lists.ovirt.org/mailman/listinfo/users







Re: [ovirt-users] [ANN] oVirt 3.5.1 Final Release is now available

2015-01-22 Thread Yedidyah Bar David
- Original Message -
 From: Sandro Bonazzola sbona...@redhat.com
 To: annou...@ovirt.org, Users@ovirt.org, de...@ovirt.org
 Sent: Wednesday, January 21, 2015 6:09:45 PM
 Subject: [ovirt-users] [ANN] oVirt 3.5.1 Final Release is now available
 
 
 The oVirt team is pleased to announce that the oVirt 3.5.1 Final Release is
 now available as of Jan 21st 2015.
 
 The release candidate is available now for Fedora 20, Red Hat Enterprise
 Linux 6.6, CentOS 6.6, (or similar) and Red Hat Enterprise Linux 7, CentOS
 7 (or similar).
 
 This release of oVirt includes numerous bug fixes. See the release notes [1]
 for a list of the new features and bugs fixed.
 
 Please refer to release notes [1] for Installation / Upgrade instructions.
 
 A new oVirt Live and oVirt Node ISO will be available soon as well[2].
 
 Please note that mirrors[3] may need usually one day before being
 synchronized.
 
 Please refer to the release notes for known issues in this release.
 
 [1] http://www.ovirt.org/OVirt_3.5.1_Release_Notes
 [2] http://resources.ovirt.org/pub/ovirt-3.5/iso/

ovirt-live-el6-3.5.1.iso is now there.
-- 
Didi


Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Oved Ourfali
You need to share the logs on both ends (ovirt+foreman) for us to understand it.

Thanks,
Oved

- Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: Oved Ourfali ov...@redhat.com
 Cc: users@ovirt.org
 Sent: Thursday, January 22, 2015 3:25:51 PM
 Subject: Re: [ovirt-users] roles for foreman integration user
 
 I will check, but I now also have the problem in reverse. The compute
 resource in foreman 1.6 will only work with admin@internal. Gave the
 external user the superuser role to test but still permission denied.
 
 I also cannot login to the api with this user manually, do I have to
 configure external authentication for api access somewhere else?
 
 Thanks for all the help!
 
 Jorick
 
 On 01/22/2015 01:58 PM, Oved Ourfali wrote:
  Have a look at the prerequisites section in
  http://www.ovirt.org/Features/ForemanIntegration#Bare-Metal_Provisioning
  It specifies what you must be able to do in Foreman for the integration to
  work.
  (currently we require proper permissions to view relevant bare-metal hosts,
  host groups, compute resources and execute provision request - which is a
  request to add a host).
  
  It is not the complete set of specific roles in Foreman, but it can help do
  the mapping.
  
  CC-ing also Ohad from the Foreman team, which can help if the information
  in the wiki isn't enough.
  
  Thanks,
  Oved
  
  - Original Message -
  From: Jorick Astrego j.astrego@ netbulae.eu 
  To: users@ ovirt.org
  Sent: Thursday, January 22, 2015 2:48:34 PM
  Subject: [ovirt-users] roles for foreman integration user
  
  Hi,
  
  Quick question, which foreman roles does the foreman integration user
  require in the foreman.
  
  I've tried a couple of permission settings but can only get the test to
  work when the user has role admin.
  
  
  
  
  


Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Alon Bar-Lev


- Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:09:18 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
 
 
 On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
  
  - Original Message -
  From: Jorick Astrego j.astrego@ netbulae.eu 
  To: users@ ovirt.org
  Sent: Thursday, January 22, 2015 1:41:40 PM
  Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
  
  
  On 10/31/2014 02:47 PM, Marcelo Donato wrote:
  
  
  
  
  Below the solution. Resolved By Alon Bar-Lev  alonbl@ redhat.com 
  
  
  1. install ovirt-engine-extension-aaa-ldap, it is available in
  ovirt-3.5-snapshots repository.
  
  2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
  
  ovirt.engine.extension.name = din-intranet-authz
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
  ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
  config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
  
  3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
  
  ovirt.engine.extension.name = din-intranet-authn
  ovirt.engine.extension.bindings.method = jbossmodule
  ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
  ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
  ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
  ovirt.engine.aaa.authn.profile.name = din.intranet
  ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
  config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
  
  4. create /etc/ovirt-engine/aaa/din.intranet.properties
  
  include = ipa.properties
  
  vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
  vars.password = 123456
  vars.server = ipa1.din.intranet
  
  pool.default.serverset.single.server = ${global:vars.server}
  pool.default.auth.simple.bindDN = ${global:vars.user}
  pool.default.auth.simple.password = ${global:vars.password}
  
  5. restart engine.
  
  
  Thanks a lot Alon.
  
  
  
  Thanks for this, saved me some time!
  
  Just a couple of additions, please hash the password with SSHA (I really
  hate plain text admin passwords...)
  I tried putting an {SSHA} encoded password in vars.password = , but it
  fails to authenticate while plain text works fine.
  I am unsure I understand.
  using hash to store password hint at server side makes sense.
  but using hash to store password at client side does not make sense, this
  means that if I get the server database I can authenticate to any user
  without knowing his password.
  
  Also, please note that the user you specify within configuration should not
  have any special privilege but to query public objects within ldap.
 I don't like storing plain text in textfiles, so I try to avoid it. Even
 if it is a read only user there are no public objects that I like to
 expose to anyone. I can query groups, group members, e-mail addresses,
 krbPasswordExpiration, krbLastPwdChange etc. with this user.
 
 So that's why I try to have the bind user password hashed in the
 properties file.

as I wrote above, storing hash instead of password does not enhance security.
it is the same as if you just set the user's password to the hash.

  For people with multiple ipa replicas I guess you need to use:
  
  Round robin configuration:
  
  vars.server1 = ipa1.din.intranet
  vars.server2 = ipa2.din.intranet
  
  pool.default.serverset.type = round-robin
  pool.default.serverset.round-robin.1.server = ${global:vars.server1}
  pool.default.serverset.round-robin.2.server = ${global:vars.server2}
  
  instead of
  
  vars.server = ipa1.din.intranet
  pool.default.serverset.single.server = ${global:vars.server}
  
  But I still have to test that as our second replica is down at the moment.
  Correct, there are multiple policies for you to choose from.
  
  Also can we get rid of the internal admin or better just disable internal
  authentication without problems? As we have ipa we don't want local login
  enabled, but in emergency situations we might need to turn it on quickly.
  Yes, you can disable the internal by creating
  /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
  ---
  ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
  ---
  
  Hmmm we have a bug in this case... will fix, so let's just disable the
  authz for now.
  ---
  ENGINE_EXTENSION_ENABLED_internal = false
  ---
  
  Regards,
  Alon
 thanks! that will work.
 
 
 
 
 

Re: [ovirt-users] Power Management config on Ovirt

2015-01-22 Thread Martin Perina


- Original Message -
 From: Renchu Mathew ren...@cracknell.com
 To: Martin Perina mper...@redhat.com
 Cc: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:39:43 PM
 Subject: RE: [ovirt-users] Power Management config on Ovirt
 
 Hi Martin,
 
 
 
 Yes. The vdsm host.log is from node-02.

That's strange, I cannot find any call to fenceNode which should appear, if
PM status is gathered.

Eli, any idea?

 I have checked the link and it says
 we need to install the server view management agent  net-snmp on the hosts.
 Do we need to try this? How to install this on node? I used the below irmc
 admin user.

No, AFAIK this is needed only from Clustersuite, but not for oVirt.

But could you please execute this command on node-20 just to confirm that
Fujitsu Primergy is communicating through IPMI:

  fence_ipmilan -a IP -l USER -p PASS -o status -v -P

where IP is IPMI address (from the log it should be 192.168.1.114)
USER and PASS please set according to your setup.

Thanks

Martin

 
 
 
 
 
 
 Regards
 
 
 
 Renchu Mathew  |  Sr. IT Administrator
 
 
 
 
 
 
 
 CRACKNELL  DUBAI   |  P.O. Box 66231  |   United Arab Emirates  |  T +971 4
 3445417  |  F +971 4 3493675 |  M +971 50 7386484
 
 ABU DHABI | DUBAI | LONDON | MUSCAT | DOHA | JEDDAH
 
 EMAIL ren...@cracknell.com | WEB www.cracknell.com
 
 
 
 This email, its content and any files transmitted with it are intended solely
 for the addressee(s) and may be legally privileged and/or confidential. If
 you are not the intended recipient please let us know by email reply and
 delete it from the system. Please note that any views or opinions presented
 in this email do not necessarily represent those of the company. Email
 transmissions cannot be guaranteed to be secure or error-free as information
 could be intercepted, corrupted, lost, destroyed, arrive late or incomplete,
 or contain viruses. The company therefore does not accept liability for any
 errors or omissions in the contents of this message which arise as a result
 of email transmission.
 
 
 
 
 
 -Original Message-
 From: Martin Perina [mailto:mper...@redhat.com]
 Sent: Thursday, January 22, 2015 4:49 PM
 To: Renchu Mathew
 Cc: users@ovirt.org
 Subject: Re: [ovirt-users] Power Management config on Ovirt
 
 
 
 Hi,
 
 
 
 according to [1] Fujitsu iRMC should be accessible using IPMI.
 
 Now, I looked at logs, but I cannot see any fenceNode execution in vdsm.log.
 According to engine.log, host Node-02.cracknell.com was used as fence proxy.
 Are you sure that vdsm.log is from this host?
 
 
 
 Thanks
 
 
 
 Martin
 
 
 
 [1] https://www.redhat.com/archives/linux-cluster/2010-January/msg00056.html
 
 
 
 
 
 - Original Message -
  From: Renchu Mathew ren...@cracknell.com
  To: Martin Perina mper...@redhat.com
  Cc: users@ovirt.org
  Sent: Thursday, January 22, 2015 12:37:51 PM
  Subject: RE: [ovirt-users] Power Management config on Ovirt

  Hi Martin,

  Please find attached log files from engine and proxy host. Not sure
  whether IPMI or which one can be used. It is Fujitsu iRMC port. I also
  tried the rsb but same error.

  Can we configure Power management using Fujitsu iRMC?

  Thanks  Regards

  Renchu Mathew

  -Original Message-
  From: Martin Perina [mailto:mper...@redhat.com]
  Sent: Thursday, January 22, 2015 1:58 PM
  To: Renchu Mathew
  Cc: users@ovirt.org
  Subject: Re: [ovirt-users] Power Management config on Ovirt

  Hi,

  first of all are you sure that Fujitsu PRIMERGY is accessible using
  IPMI protocol? If so, could you provide engine.log and also vdsm.log
  from host that was used as fencing proxy? You can find out which host
  is used as a proxy either in Events tab after you execute the test or in
  engine.log.

  Thanks

  Martin Perina

  - Original Message -
   From: Renchu Mathew ren...@cracknell.com
   To: users@ovirt.org
   Sent: Thursday, January 22, 2015 7:41:43 AM
   Subject: [ovirt-users] Power Management config on Ovirt

   Dear all,

   I am trying to configure power management on ovirt v3.5
   (ovirt-node-iso-3.5.0.ovirt35.20140912.el6) and using two Fujitsu
   PRIMERGY RX2540 M1 as node hypervisor. I used Fujitsu iRMC port on power
   management configuration. The test gives a message “Test failed,
   argument of type ‘NoneType’ is not iterable” as below. Also tried
   rsb type as per redhat document.

   Fence-agents-3.1.5-35.el6_5.4.x86_64 is there on both nodes. Do we
   need to specify anything in Options?

   Please help me.

   Best Regards

   Renchu Mathew
 
  
 
  
 
  
 
  
 
  
 
 
   

[ovirt-users] Testing 2560x1200 from tablet and Opaque

2015-01-22 Thread Gianluca Cecchi
Hello,
I have a CentOS 7 VM on oVirt 3.5 configured as desktop.
What is the maximum display size it can get by default without particular
customizations?
In my case I'm testing from a 12.1 android tablet connected over
wifi+openvpn and Opaque app.

In Opaque I have a setting called

Sync remote to display resolution

My tablet resolution is 2560x1600 (btw I don't know if I can change it in
Android scaling to any other resolution)
If I mark the setting above it seems it crashes
If I deactivate it, I get a small window in upper left corner. I can change
VM resolution up to 1920 and I get a bigger window, but I cannot go full
screen for example...

Any advice at oVirt side to configure a bigger display size available?

My VM has both oVirt Guest agent and spice vdagent installed and active.

Thanks in advance,
Gianluca


Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Jorick Astrego

On 01/22/2015 01:47 PM, Alon Bar-Lev wrote:

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:30:30 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa

 Just a couple of additions, please hash the password with SSHA (I really
 hate plain text admin passwords...)
 I tried putting an {SSHA} encoded password in vars.password = , but it
 fails to authenticate while plain text works fine.
 I am unsure I understand.
 using hash to store password hint at server side makes sense.
 but using hash to store password at client side does not make sense, this
 means that if I get the server database I can authenticate to any user
 without knowing his password.

 Also, please note that the user you specify within configuration should
 not
 have any special privilege but to query public objects within ldap.
 I don't like storing plain text in textfiles, so I try to avoid it. Even
 if it is a read only user there are no public objects that I like to
 expose to anyone. I can query groups, group members, e-mail addresses,
 krbPasswordExpiration, krbLastPwdChange etc. with this user.

 So that's why I try to have the bind user password hashed in the
 properties file.
 as I wrote above, storing hash instead of password does not enhance
 security.
 it is the same as if you just set the user's password to the hash.
 Ah yes, silly me. You are absolutely right. It has been such a long
 habit... But it does help when people intercept the traffic.
 No it is not... exactly the opposite... if the hash is sent it is actually 
 weaker than password, as it has lower diversity.
 If you wish you can enable digest-MD5 and use SASL, but still you must store 
 the plain password at client side.

 Does the
 ldap plugin send it hashed to the ldap server?

 I think FreeIPA supports salted sha512 but I'm not entirely sure.

 You'll probably say that I need to enable TLS, but there have been many
 weaknesses in ssl and MITM issues. So more is always better in a
 security perspective.

 Using plain protocol will always be weaker than using TLS, even if you use 
 digest-MD5, kerberos or any other challenge-response mechanism.
 As the password must be kept at client side no matter what protocol you use, 
 using TLS and simple bind is the minimum you can have.
 I believe that TLS + simple bind is sufficient for most usages for a user 
 that has no special access to information.
 From my experience enabling SASL does have its issues, but you may want to 
 check it out if you do not trust TLS, but even if you use SASL, better to use 
 it over TLS.

 Alon
Thanks for clarifying! So I was taught wrong all these years ago ;-)









Re: [ovirt-users] Power Management config on Ovirt

2015-01-22 Thread Renchu Mathew
Hi Martin,



Yes. The vdsm host.log is from node-02. I have checked the link and it says we 
need to install the server view management agent  net-snmp on the hosts. Do we 
need to try this? How to install this on node? I used the below irmc admin user.






Regards



Renchu Mathew  |  Sr. IT Administrator












-Original Message-
From: Martin Perina [mailto:mper...@redhat.com]
Sent: Thursday, January 22, 2015 4:49 PM
To: Renchu Mathew
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Power Management config on Ovirt



Hi,



according to [1] Fujitsu iRMC should be accessible using IPMI.

Now, I looked at logs, but I cannot see any fenceNode execution in vdsm.log. 
According to engine.log, host Node-02.cracknell.com was used as fence proxy. 
Are you sure that vdsm.log is from this host?



Thanks



Martin



[1] https://www.redhat.com/archives/linux-cluster/2010-January/msg00056.html





- Original Message -
 From: Renchu Mathew ren...@cracknell.com
 To: Martin Perina mper...@redhat.com
 Cc: users@ovirt.org
 Sent: Thursday, January 22, 2015 12:37:51 PM
 Subject: RE: [ovirt-users] Power Management config on Ovirt

 Hi Martin,

 Please find attached log files from engine and proxy host. Not sure
 whether IPMI or which one can be used. It is Fujitsu iRMC port. I also
 tried the rsb but same error.

 Can we configure Power management using Fujitsu iRMC?

 Thanks  Regards

 Renchu Mathew

 -Original Message-
 From: Martin Perina [mailto:mper...@redhat.com]
 Sent: Thursday, January 22, 2015 1:58 PM
 To: Renchu Mathew
 Cc: users@ovirt.org
 Subject: Re: [ovirt-users] Power Management config on Ovirt

 Hi,

 first of all are you sure that Fujitsu PRIMERGY is accessible using
 IPMI protocol? If so, could you provide engine.log and also vdsm.log
 from host that was used as fencing proxy? You can find out which host
 is used as a proxy either in Events tab after you execute the test or in
 engine.log.

 Thanks

 Martin Perina

 - Original Message -
  From: Renchu Mathew ren...@cracknell.com
  To: users@ovirt.org
  Sent: Thursday, January 22, 2015 7:41:43 AM
  Subject: [ovirt-users] Power Management config on Ovirt

  Dear all,

  I am trying to configure power management on ovirt v3.5
  (ovirt-node-iso-3.5.0.ovirt35.20140912.el6) and using two Fujitsu
  PRIMERGY RX2540 M1 as node hypervisor. I used Fujitsu iRMC port on power
  management configuration. The test gives a message “Test failed,
  argument of type ‘NoneType’ is not iterable” as below. Also tried
  rsb type as per redhat document.

  Fence-agents-3.1.5-35.el6_5.4.x86_64 is there on both nodes. Do we
  need to specify anything in Options?

  Please help me.

  Best Regards

  Renchu Mathew

 

 

 

 

 



Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Jorick Astrego

On 10/31/2014 02:47 PM, Marcelo Donato wrote:

 Below the solution. Resolved By Alon Bar-Lev alo...@redhat.com


 1. install ovirt-engine-extension-aaa-ldap, it is available in
 ovirt-3.5-snapshots repository.

 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

 ovirt.engine.extension.name = din-intranet-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

 ovirt.engine.extension.name = din-intranet-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = din.intranet
 ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 4. create /etc/ovirt-engine/aaa/din.intranet.properties

 include = ipa.properties

 vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
 vars.password = 123456
 vars.server = ipa1.din.intranet

 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}

 5. restart engine.


 Thanks a lot Alon.



Thanks for this, saved me some time!

Just a couple of additions, please hash the password with SSHA (I really
hate plain text admin passwords...)
I tried putting an {SSHA} encoded password in vars.password =, but it
fails to authenticate while plain text works fine.

For people with multiple ipa replicas I guess you need to use:

Round robin configuration:

vars.server1 = ipa1.din.intranet
vars.server2 = ipa2.din.intranet

pool.default.serverset.type = round-robin
pool.default.serverset.round-robin.1.server = ${global:vars.server1}
pool.default.serverset.round-robin.2.server = ${global:vars.server2}


instead of

vars.server = ipa1.din.intranet
pool.default.serverset.single.server = ${global:vars.server}

But I still have to test that as our second replica is down at the moment.

Also can we get rid of the internal admin or better just disable
internal authentication without problems? As we have ipa we don't want
local login enabled, but in emergency situations we might need to turn
it on quickly.




Kind regards,





Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Alon Bar-Lev


- Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:30:30 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
 
  
  Just a couple of additions, please hash the password with SSHA (I really
  hate plain text admin passwords...)
  I tried putting an {SSHA} encoded password in vars.password = , but it
  fails to authenticate while plain text works fine.
  I am unsure I understand.
  using hash to store password hint at server side makes sense.
  but using hash to store password at client side does not make sense, this
  means that if I get the server database I can authenticate to any user
  without knowing his password.
  
  Also, please note that the user you specify within configuration should
  not
  have any special privilege but to query public objects within ldap.
  I don't like storing plain text in textfiles, so I try to avoid it. Even
  if it is a read only user there are no public objects that I like to
  expose to anyone. I can query groups, group members, e-mail addresses,
  krbPasswordExpiration, krbLastPwdChange etc. with this user.
  
  So that's why I try to have the bind user password hashed in the
  properties file.
  as I wrote above, storing hash instead of password does not enhance
  security.
  it is the same as if you just set the user's password to the hash.
 
 Ah yes, silly me. You are absolutely right. It has been such a long
 habit... But it does help when people intercept the traffic.

No it is not... exactly the opposite... if the hash is sent it is actually 
weaker than password, as it has lower diversity.
If you wish you can enable digest-MD5 and use SASL, but still you must store 
the plain password at client side.

 Does the
 ldap plugin send it hashed to the ldap server?
 
 I think FreeIPA supports salted sha512 but I'm not entirely sure.
 
 You'll probably say that I need to enable TLS, but there have been many
 weaknesses in ssl and MITM issues. So more is always better in a
 security perspective.
 

Using plain protocol will always be weaker than using TLS, even if you use 
digest-MD5, kerberos or any other challenge-response mechanism.
As the password must be kept at client side no matter what protocol you use, 
using TLS and simple bind is the minimum you can have.
I believe that TLS + simple bind is sufficient for most usages for a user that 
has no special access to information.
From my experience enabling SASL does have its issues, but you may want to 
check it out if you do not trust TLS, but even if you use SASL, better to use 
it over TLS.

Alon
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
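
The point argued in the message above, as an added example that is not part of the original thread: a toy directory server (standard-library Python, not oVirt or FreeIPA code) that stores an {SSHA} value and checks simple binds, showing why a hash placed in vars.password fails to authenticate and why a server that did accept the hash would turn the hash itself into the password. The DN, password, salt and all class and function names are constructed for the illustration.

```python
"""Added illustration: {SSHA} in a client-side bind password.
All names and values are constructed; this is not oVirt or FreeIPA code."""
import base64
import hashlib
import hmac
import os


def ssha_hash(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, presented: str) -> bool:
    """Server-side check: re-hash what the client sent, using the stored salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(presented.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)


class ToyDirectory:
    """Stand-in for the LDAP server: it only ever stores the salted hash."""

    def __init__(self):
        self._hashes = {}  # bind DN -> {SSHA} string

    def set_password(self, dn, password, salt=None):
        self._hashes[dn] = ssha_hash(password, salt or os.urandom(8))

    def stored_hash(self, dn):
        return self._hashes[dn]

    def simple_bind(self, dn, presented):
        """Simple bind: the client sends a secret, the server hashes and compares."""
        stored = self._hashes.get(dn)
        return stored is not None and ssha_verify(stored, presented)

    def hash_accepting_bind(self, dn, presented):
        """Hypothetical server that takes the stored hash itself as the credential."""
        stored = self._hashes.get(dn)
        return stored is not None and hmac.compare_digest(stored, presented)


def run_demo():
    dn = "uid=binduser,cn=users,cn=accounts,dc=example,dc=test"  # constructed
    password = "constructed-bind-password"                       # constructed
    directory = ToyDirectory()
    directory.set_password(dn, password, salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")
    from_file = directory.stored_hash(dn)  # what a "hashed" vars.password would hold
    return {
        # Plain password in the properties file: the bind works.
        "plain_in_config": directory.simple_bind(dn, password),
        # Hash in the properties file: the server hashes the hash, no match.
        "hash_in_config": directory.simple_bind(dn, from_file),
        # If the server accepted the hash, anyone holding it could bind.
        "hash_is_password": directory.hash_accepting_bind(dn, from_file),
        # ...and the real password would no longer be needed or accepted.
        "plain_on_hash_server": directory.hash_accepting_bind(dn, password),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:22s} bind {'succeeds' if ok else 'fails'}")
```

Either way the value in the properties file is what authenticates the bind user, so hashing it there changes nothing about what a reader of that file can do.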


Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Jorick Astrego
Ah sorry, could have checked myself. Trying to get 3.5.1 running for DEV
in a hurry ;-)

Processing by ComputeResourcesController#test_connection as */*
  Parameters: {utf8=✓,
authenticity_token=D/PZVxVpow1glpUBkxcD90WsMJjAxilbdWgXClgf7C8=, 
compute_resource={name=engineen,
provider=Ovirt, description=,
url=https://ovirt-engine.netbulae.test/api;,
user=test-ad...@netbulae.test, password=[FILTERED],
location_ids=[, 2], organization_ids=[, 1]},
cr_id=null}
CR_ID IS null
String does not start with the prefix 'encrypted-', so
Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so
Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so
Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so
Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so
Foreman::Model::Ovirt engineen was not decrypted
String does not start with the prefix 'encrypted-', so
Foreman::Model::Ovirt engineen was not decrypted

And the other side:

2015-01-22 13:59:20,034 INFO 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-8-thread-8) [1414b745] Correlation ID:
1414b745, Call Stack: null, Custom Event ID: -1, Message: User/Group
test- was granted permission for Role DataCenterAdmin on System by
2015-01-22 14:00:21,674 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-1) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:00:21,763 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-6) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:00:21,849 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-5) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:09:39,982 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-1) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:09:40,071 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-8) User test-adminauthentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:09:40,203 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-2) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED


Cheers, Jorick


On 01/22/2015 02:29 PM, Oved Ourfali wrote:
 You need to share the logs on both ends (ovirt+foreman) for us to understand 
 it.

 Thanks,
 Oved

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: Oved Ourfali ov...@redhat.com
 Cc: users@ovirt.org
 Sent: Thursday, January 22, 2015 3:25:51 PM
 Subject: Re: [ovirt-users] roles for foreman integration user

 I will check, but I now also have the problem in reverse. The compute
 resource in foreman 1.6 will only work with admin@internal. Gave the
 external user the superuser role to test but still permission denied.

 I also cannot login to the api with this user manually, do I have to
 configure external authentication for api access somewhere else?

 Thanks for all the help!

 Jorick

 On 01/22/2015 01:58 PM, Oved Ourfali wrote:
 Have a look at the prerequisites section in
 http://www.ovirt.org/Features/ForemanIntegration#Bare-Metal_Provisioning
 It specifies what you must be able to do in Foreman for the integration to
 work.
 (currently we require proper permissions to view relevant bare-metal hosts,
 host groups, compute resources and execute provision request - which is a
 request to add a host).

 It is not the complete set of specific roles in Foreman, but it can help do
 the mapping.

 CC-ing also Ohad from the Foreman team, which can help if the information
 in the wiki isn't enough.

 Thanks,
 Oved

 - Original Message -
 From: Jorick Astrego j.astrego@ netbulae.eu 
 To: users@ ovirt.org
 Sent: Thursday, January 22, 2015 2:48:34 PM
 Subject: [ovirt-users] roles for foreman integration user

 Hi,

 Quick question, which foreman roles does the foreman integration user
 require in the foreman.

 I've tried a couple of permission settings but can only get the test to
 work when the user has role admin.





 Met 
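
Added example, not part of the thread: a Python triage of engine.log output like the excerpt in the message above, which rejoins mail-wrapped records and groups `BasicAuthenticationFilter` failures by user, profile and Authn result code. The sample log is constructed in the format shown in the message; the function names and the one-second burst window are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the engine.log excerpt above, including
# the mail client's line wrapping inside each record.
SAMPLE_ENGINE_LOG = """\
2015-01-22 13:59:20,034 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-8-thread-8) [1414b745] Correlation ID:
1414b745, Call Stack: null, Custom Event ID: -1, Message: User/Group
test- was granted permission for Role DataCenterAdmin on System by
2015-01-22 14:00:21,674 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-1) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:00:21,763 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-6) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:00:21,849 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-5) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:09:39,982 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-1) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
2015-01-22 14:09:40,203 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-2) User test-admin authentication failed.
profile is netbulae.mgmt. Invocation Result code is 0. Authn result
code is CREDENTIALS_EXPIRED
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
AUTH_FAILURE = re.compile(
    r"User (?P<user>\S+) authentication failed\. profile is (?P<profile>\S+)\. "
    r"Invocation Result code is (?P<invocation>\d+)\. "
    r"Authn result code is (?P<code>[A-Z_]+)")


def unwrap(text):
    """Rejoin records that were wrapped over several lines; one string each."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def auth_failures(text):
    """Return one dict per BasicAuthenticationFilter failure record."""
    failures = []
    for record in unwrap(text):
        m = RECORD.match(record)
        if not m or not m["logger"].endswith("BasicAuthenticationFilter"):
            continue
        f = AUTH_FAILURE.search(m["msg"])
        if f:
            when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            failures.append({"time": when, **f.groupdict()})
    return failures


def summarize(failures, window=timedelta(seconds=1)):
    """Group by (user, profile, code); gaps longer than `window` start a new burst."""
    groups = defaultdict(list)
    for f in failures:
        groups[(f["user"], f["profile"], f["code"])].append(f["time"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        bursts = 1 + sum(1 for a, b in zip(times, times[1:]) if b - a > window)
        summary[key] = {"count": len(times), "bursts": bursts,
                        "first": times[0], "last": times[-1]}
    return summary


if __name__ == "__main__":
    for (user, profile, code), s in summarize(auth_failures(SAMPLE_ENGINE_LOG)).items():
        print(f"{user} / {profile}: {s['count']} failures in {s['bursts']} bursts, "
              f"result {code}, {s['first']} .. {s['last']}")
```

Grouping this way separates what the result code reports (here CREDENTIALS_EXPIRED for every failure) from how often the client retried.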

Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Jorick Astrego

On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 1:41:40 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa


 On 10/31/2014 02:47 PM, Marcelo Donato wrote:




 Below the solution. Resolved By Alon Bar-Lev  alo...@redhat.com 


 1. install ovirt-engine-extension-aaa-ldap, it is available in
 ovirt-3.5-snapshots repository.

 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

 ovirt.engine.extension.name = din-intranet-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

 ovirt.engine.extension.name = din-intranet-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = din.intranet
 ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 4. create /etc/ovirt-engine/aaa/din.intranet.properties

 include = ipa.properties

 vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
 vars.password = 123456
 vars.server = ipa1.din.intranet

 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}

 5. restart engine.


 Thanks a lot Alon.



 Thanks for this, saved me some time!

 Just a couple of additions, please hash the password with SSHA (I really hate
 plain text admin passwords...)
 I tried putting an {SSHA} encoded password in  vars.password = , but it
 fails to authenticate while plain text works fine.

 I am unsure I understand.
 using hash to store password hint at server side makes sense.
 but using hash to store password at client side does not make sense, this 
 means that if I get the server database I can authenticate to any user 
 without knowing his password.

 Also, please note that the user you specify within configuration should not 
 have any special privilege but to query public objects within ldap.

I don't like storing plain text in textfiles, so I try to avoid it. Even
if it is a read only user there are no public objects that I like to
expose to anyone. I can query groups, group members, e-mail addresses,
krbPasswordExpiration, krbLastPwdChange etc. with this user.

So that's why I try to have the bind user password hashed in the
properties file.

 For people with multiple ipa replicas I guess you need to use:

 Round robin configuration:

 vars.server1 = ipa1.din.intranet
 vars.server2 = ipa2.din.intranet
 pool.default.serverset.type = round-robin
 pool.default.serverset.round-robin.1.server = ${global:vars.server1}
 pool.default.serverset.round-robin.2.server = ${global:vars.server2}

 instead of

 vars.server = ipa1.din.intranet
 pool.default.serverset.single.server = ${global:vars.server}

 But I still have to test that as our second replica is down at the moment.

 Correct, there are multiple policies for you to choose from.

 Also can we get rid of the internal admin or better just disable internal
 authentication without problems? As we have ipa we don't want local login
 enabled, but in emergency situations we might need to turn it on quickly.
 Yes, you can disable the internal by creating 
 /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
 ---
 ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
 ---

 Hmmm we have a bug in this case... will fix, so let's just disable the 
 authz for now.
 ---
 ENGINE_EXTENSION_ENABLED_internal = false
 ---

 Regards,
 Alon
thanks! that will work.





Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts 





Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Jorick Astrego

On 01/22/2015 01:13 PM, Alon Bar-Lev wrote:

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 2:09:18 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa


 On 01/22/2015 12:59 PM, Alon Bar-Lev wrote:
 - Original Message -
 From: Jorick Astrego j.astrego@ netbulae.eu 
 To: users@ ovirt.org
 Sent: Thursday, January 22, 2015 1:41:40 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa


 On 10/31/2014 02:47 PM, Marcelo Donato wrote:




 Below the solution. Resolved By Alon Bar-Lev  alonbl@ redhat.com 


 1. install ovirt-engine-extension-aaa-ldap, it is available in
 ovirt-3.5-snapshots repository.

 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties

 ovirt.engine.extension.name = din-intranet-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties

 ovirt.engine.extension.name = din-intranet-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = din.intranet
 ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties

 4. create /etc/ovirt-engine/aaa/din.intranet.properties

 include = ipa.properties

 vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
 vars.password = 123456
 vars.server = ipa1.din.intranet

 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}

 5. restart engine.


 Thanks a lot Alon.



 Thanks for this, saved me some time!

 Just a couple of additions, please hash the password with SSHA (I really
 hate plain text admin passwords...)
 I tried putting an {SSHA} encoded password in  vars.password = , but it
 fails to authenticate while plain text works fine.
 I am unsure I understand.
 using hash to store password hint at server side makes sense.
 but using hash to store password at client side does not make sense, this
 means that if I get the server database I can authenticate to any user
 without knowing his password.

 Also, please note that the user you specify within configuration should not
 have any special privilege but to query public objects within ldap.
 I don't like storing plain text in textfiles, so I try to avoid it. Even
 if it is a read only user there are no public objects that I like to
 expose to anyone. I can query groups, group members, e-mail addresses,
 krbPasswordExpiration, krbLastPwdChange etc. with this user.

 So that's why I try to have the bind user password hashed in the
 properties file.
 as I wrote above, storing hash instead of password does not enhance security.
 it is the same as if you just set the user's password to the hash.

Ah yes, silly me. You are absolutely right. It has been such a long
habit... But it does help when people intercept the traffic. Does the
ldap plugin send it hashed to the ldap server?

I think FreeIPA supports salted sha512 but I'm not entirely sure.

You'll probably say that I need to enable TLS, but there have been many
weaknesses in ssl and MITM issues. So more is always better in a
security perspective.






Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts 





[ovirt-users] Upgrade to 3.5.1

2015-01-22 Thread Demeter Tibor
Hello, 

I have an ovirt 3.5.0 cluster with three nodes and we are using glusterfs for 
serving backend storage for VMs. Glusterfs is on the same servers as ovirt. 
We have Gluster 3.5.1 on all of the nodes. 

How can I upgrade to ovirt 3.5.1 with the new glusterfs? I don't want data 
inconsistency/data loss/split brains. 

Do I need to update the gluster version to the latest? 
How do I need to upgrade the nodes? Is there any whitepaper about this? 

Thanks in advance, 

Tibor 


Re: [ovirt-users] Power Management config on Ovirt

2015-01-22 Thread Martin Perina
Hi,

according to [1] Fujitsu iRMC should be accessible using IPMI.
Now, I looked at logs, but I cannot see any fenceNode execution
in vdsm.log. According to engine.log, host Node-02.cracknell.com
was used as fence proxy. Are you sure that vdsm.log is from this
host?

Thanks

Martin

[1] https://www.redhat.com/archives/linux-cluster/2010-January/msg00056.html


- Original Message -
 From: Renchu Mathew ren...@cracknell.com
 To: Martin Perina mper...@redhat.com
 Cc: users@ovirt.org
 Sent: Thursday, January 22, 2015 12:37:51 PM
 Subject: RE: [ovirt-users] Power Management config on Ovirt
 
 Hi Martin,
 
 Please find attached log files from engine and proxy host. Not sure whether
 IPMI or which one can be used. It is Fujitsu iRMC port. I also tried the rsb
 but same error.
 
 Can we configure Power management using Fujitsu iRMC?
 
 Thanks & Regards
 
 Renchu Mathew
 
 -Original Message-
 From: Martin Perina [mailto:mper...@redhat.com]
 Sent: Thursday, January 22, 2015 1:58 PM
 To: Renchu Mathew
 Cc: users@ovirt.org
 Subject: Re: [ovirt-users] Power Management config on Ovirt
 
 Hi,
 
 first of all are you sure that Fujitsu PRIMERGY is accessible using IPMI
 protocol? If so, could you provide engine.log and also vdsm.log from host
 that was used as fencing proxy? You can find out which host is used as a
 proxy either in Events tab after you execute the test or in engine.log.
 
 Thanks
 
 Martin Perina
 
 - Original Message -
  From: Renchu Mathew ren...@cracknell.com
  To: users@ovirt.org
  Sent: Thursday, January 22, 2015 7:41:43 AM
  Subject: [ovirt-users] Power Management config on Ovirt
  
  
  
  Dear all,
  
  
  
  I am trying to configure power management on ovirt v3.5
  (ovirt-node-iso-3.5.0.ovirt35.20140912.el6) and using two Fujitsu
  PRIMERGY
  RX2540 M1 as node hypervisor. I used Fujitsu iRMC port on power
  management configuration. The test gives a message “Test failed,
  argument of type ‘NoneType’ is not iterable” as below . Also tried rsb
  type as per redhat document.
  
  
  
  Fence-agents-3.1.5-35.el6_5.4.x86_64 is there on both nodes. Do we
  need to specify anything in Options?
  
  
  
  Please help me.
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  Best Regards
  
  
  
  
  
  Renchu Mathew
  
  
  
  
  


[ovirt-users] roles for foreman integration user

2015-01-22 Thread Jorick Astrego
Hi,

Quick question, which foreman roles does the foreman integration user
require in the foreman.

I've tried a couple of permission settings but can only get the test to
work when the user has role admin.





Met vriendelijke groet, With kind regards,

Jorick Astrego

Netbulae Virtualization Experts 





Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Oved Ourfali
are you able to login with these credentials to oVirt directly?

- Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: Oved Ourfali ov...@redhat.com
 Cc: Ohad Levy ohadl...@redhat.com, users@ovirt.org
 Sent: Thursday, January 22, 2015 3:48:45 PM
 Subject: Re: [ovirt-users] roles for foreman integration user
 
 Ah sorry, could have checked myself. Trying to get 3.5.1 running for DEV in a
 hurry ;-)
 
 
 
 Processing by ComputeResourcesController#test_connection as */*
 Parameters: {utf8=✓,
 authenticity_token=D/PZVxVpow1glpUBkxcD90WsMJjAxilbdWgXClgf7C8=,
 compute_resource={name=engineen, provider=Ovirt,
 description=, url= https://ovirt-engine.netbulae.test/api; ,
 user= test-ad...@netbulae.test , password=[FILTERED],
 location_ids=[, 2], organization_ids=[, 1]}, cr_id=null}
 CR_ID IS null
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 
 And the other side:
 
 
 
 2015-01-22 13:59:20,034 INFO
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (org.ovirt.thread.pool-8-thread-8) [1414b745] Correlation ID: 1414b745, Call
 Stack: null, Custom Event ID: -1, Message: User/Group test- was granted
 permission for Role DataCenterAdmin on System by
 2015-01-22 14:00:21,674 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-1) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:00:21,763 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-6) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:00:21,849 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-5) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:09:39,982 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-1) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:09:40,071 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-8) User test-adminauthentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:09:40,203 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-2) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 Cheers, Jorick
 
 
 On 01/22/2015 02:29 PM, Oved Ourfali wrote:
 
 
 
 You need to share the logs on both ends (ovirt+foreman) for us to understand
 it.
 
 Thanks,
 Oved
 
 - Original Message -
 
 
 
 From: Jorick Astrego j.astr...@netbulae.eu
 To: Oved Ourfali ov...@redhat.com
 Cc: users@ovirt.org
 Sent: Thursday, January 22, 2015 3:25:51 PM
 Subject: Re: [ovirt-users] roles for foreman integration user
 
 I will check, but I now also have the problem in reverse. The compute
 resource in foreman 1.6 will only work with admin@internal. Gave the
 external user the superuser role to test but still permission denied.
 
 I also cannot login to the api with this user manually, do I have to
 configure external authentication for api access somewhere else?
 
 Thanks for all the help!
 
 Jorick
 
 On 01/22/2015 01:58 PM, Oved Ourfali wrote:
 
 
 
 Have a look at the prerequisites section in
 http://www.ovirt.org/Features/ForemanIntegration#Bare-Metal_Provisioning It
 specifies what you must be able to do in Foreman for the integration to
 work.
 (currently we require proper permissions to view relevant bare-metal hosts,
 host groups, compute resources and execute provision request - which is a
 request to add a host).
 
 It is not the complete set of specific roles in Foreman, but it can help do
 the mapping.
 
 CC-ing also Ohad from the Foreman team, which can help if the information
 in the wiki isn't enough.
 
 Thanks,
 Oved
 
 - Original Message -
 
 
 
 From: Jorick Astrego j.astrego@ netbulae.eu 
 To: users@ ovirt.org
 Sent: Thursday, January 22, 2015 2:48:34 PM
 Subject: [ovirt-users] roles for foreman integration user
 
 Hi,
 
 

Re: [ovirt-users] Power Management config on Ovirt

2015-01-22 Thread Martin Perina
Hi,

first of all are you sure that Fujitsu PRIMERGY is accessible using
IPMI protocol? If so, could you provide engine.log and also vdsm.log
from host that was used as fencing proxy? You can find out which host
is used as a proxy either in Events tab after you execute the test
or in engine.log.

Thanks

Martin Perina

- Original Message -
 From: Renchu Mathew ren...@cracknell.com
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 7:41:43 AM
 Subject: [ovirt-users] Power Management config on Ovirt
 
 
 
 Dear all,
 
 
 
 I am trying to configure power management on ovirt v3.5
 (ovirt-node-iso-3.5.0.ovirt35.20140912.el6) and using two Fujitsu PRIMERGY
 RX2540 M1 as node hypervisor. I used Fujitsu iRMC port on power management
 configuration. The test gives a message “Test failed, argument of type
 ‘NoneType’ is not iterable” as below . Also tried rsb type as per redhat
 document.
 
 
 
 Fence-agents-3.1.5-35.el6_5.4.x86_64 is there on both nodes. Do we need to
 specify anything in Options?
 
 
 
 Please help me.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 Best Regards
 
 
 
 
 
 Renchu Mathew
 
 
 
 
 


Re: [ovirt-users] Power Management config on Ovirt

2015-01-22 Thread Николаев Алексей
CCing Eli Mesika. May be can help you.

22.01.2015, 09:43, "Renchu Mathew" ren...@cracknell.com:
 Dear all,

 I am trying to configure power management on ovirt v3.5
 (ovirt-node-iso-3.5.0.ovirt35.20140912.el6) and using two Fujitsu PRIMERGY
 RX2540 M1 as node hypervisor. I used Fujitsu iRMC port on power management
 configuration. The test gives a message “Test failed, argument of type
 ‘NoneType’ is not iterable” as below. Also tried rsb type as per redhat
 document.

 Fence-agents-3.1.5-35.el6_5.4.x86_64 is there on both nodes. Do we need to
 specify anything in Options?

 Please help me.

 Best Regards

 Renchu Mathew


Re: [ovirt-users] Details of the host

2015-01-22 Thread Donny Davis
When you add a host you will be able to see the details, and then you can place 
the host in maintenance mode to ensure no VM’s are brought up on it.

 

But if you just need the mac address, why not ssh into it and get it from ip 
addr

 

 

Donny D

 

From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of 
ChandraShekar Shastri
Sent: Wednesday, January 21, 2015 6:28 AM
To: users@ovirt.org
Subject: [ovirt-users] Details of the host

 

Hi All,

 

I want to get the details of the Host without activating is there a way to do 
it. 

I want to query the RHEV-Manager and would like to get the details of MAC 
address without activating it. 

 

Do you have the script to do this.

 

Thanks,

Chandrashekar 

 



Re: [ovirt-users] oVirt 3.5 and FreeIpa

2015-01-22 Thread Alon Bar-Lev


- Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: users@ovirt.org
 Sent: Thursday, January 22, 2015 1:41:40 PM
 Subject: Re: [ovirt-users] oVirt 3.5 and FreeIpa
 
 
 On 10/31/2014 02:47 PM, Marcelo Donato wrote:
 
 
 
 
 Below the solution. Resolved By Alon Bar-Lev  alo...@redhat.com 
 
 
 1. install ovirt-engine-extension-aaa-ldap, it is available in
 ovirt-3.5-snapshots repository.
 
 2. create /etc/ovirt-engine/extensions.d/din.intranet-authz.properties
 
 ovirt.engine.extension.name = din-intranet-authz
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
 
 3. create /etc/ovirt-engine/extensions.d/din.intranet-authn.properties
 
 ovirt.engine.extension.name = din-intranet-authn
 ovirt.engine.extension.bindings.method = jbossmodule
 ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
 ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
 ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
 ovirt.engine.aaa.authn.profile.name = din.intranet
 ovirt.engine.aaa.authn.authz.plugin = din-intranet-authz
 config.profile.file.1 = /etc/ovirt-engine/aaa/din.intranet.properties
 
 4. create /etc/ovirt-engine/aaa/din.intranet.properties
 
 include = ipa.properties
 
 vars.user = uid=admin,cn=users,cn=accounts,dc=din,dc=intranet
 vars.password = 123456
 vars.server = ipa1.din.intranet
 
 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.auth.simple.bindDN = ${global:vars.user}
 pool.default.auth.simple.password = ${global:vars.password}
 
 5. restart engine.
 
 
 Thanks a lot Alon.
 
 
 
 Thanks for this, saved me some time!
 
 Just a couple of additions, please hash the password with SSHA (I really hate
 plain text admin passwords...)
 I tried putting an {SSHA} encoded password in  vars.password = , but it
 fails to authenticate while plain text works fine.

I am unsure I understand.
using hash to store password hint at server side makes sense.
but using hash to store password at client side does not make sense, this means 
that if I get the server database I can authenticate to any user without 
knowing his password.

Also, please note that the user you specify within configuration should not 
have any special privilege but to query public objects within ldap.

 For people with multiple ipa replicas I guess you need to use:
 
 Round robin configuration:
 
 vars.server1 = ipa1.din.intranet
 vars.server2 = ipa2.din.intranet
 pool.default.serverset.type = round-robin
 pool.default.serverset.round-robin.1.server = ${global:vars.server1}
 pool.default.serverset.round-robin.2.server = ${global:vars.server2}
 
 instead of
 
 vars.server = ipa1.din.intranet
 pool.default.serverset.single.server = ${global:vars.server}
 
 But I still have to test that as our second replica is down at the moment.

Correct, there are multiple policies for you to choose from.

 Also can we get rid of the internal admin or better just disable internal
 authentication without problems? As we have ipa we don't want local login
 enabled, but in emergency situations we might need to turn it on quickly.

Yes, you can disable the internal by creating 
/etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
---
ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
---

Hmmm we have a bug in this case... will fix, so let's just disable the 
authz for now.
---
ENGINE_EXTENSION_ENABLED_internal = false
---

Regards,
Alon


Re: [ovirt-users] Testing 2560x1200 from tablet and Opaque

2015-01-22 Thread Gianluca Cecchi
On Thu, Jan 22, 2015 at 3:12 PM, Gianluca Cecchi gianluca.cec...@gmail.com
wrote:

 Hello,
 I have a CentOS 7 VM on oVirt 3.5 configured as desktop.
 What is the maximum display size it can get by default without particular
 customizations?
 In my case I'm testing from a 12.1 android tablet connected over
 wifi+openvpn and Opaque app.

 In Opaque I have a setting called

 Sync remote to display resolution

 My tablet resolution is 2560x1600 (btw I don't know if I can change it in
 Android scaling to any other resolution)
 If I mark the setting above it seems it crashes
 If I deactivate it, I get a small window in upper left corner. I can
 change VM resolution up to 1920 and I get a bigger window, but I cannot go
 full screen for example...



Can it depend on this bug?
https://bugzilla.redhat.com/show_bug.cgi?id=1075139

Currently my host is CentOS 6.5 with
qemu-kvm-rhev-0.12.1.2-2.415.el6_5.14.x86_64
provided by
Is there a qemu-kvm-rhev with patch as in described in
https://bugzilla.redhat.com/show_bug.cgi?id=1075139#c14
based on qemu-kvm-0.12.1.2-2.429.el6 ?

Will 3.5.1 provide also an update for qemu-kvm-rhev?

Or perhaps the bugzilla entry is only related with multi-monitor and not
generic single-display resolution to put it at 2560x1200?

The functionality to change screen resolutions on the fly from inside the
virtual desktop works ok.

Gianluca


Re: [ovirt-users] REST exception building from master

2015-01-22 Thread Lior Vernia
Solved. I exchanged the existing jboss-as on my development machine (old
download from jboss website) for the one used in 3.5.1 RC:

http://resources.ovirt.org/pub/ovirt-3.5-pre/src/ovirt-engine-jboss-as/jboss-as-7.1.1.Final.zip

Yours, Lior.

On 21/01/15 15:46, Ori Liel wrote:
 I think Muli had a similar problem recently, and the cause was the Jboss 
 version (Juan worked out the problem). 
 
 Juan/Muli?
 
 - Original Message -
 From: Lior Vernia lver...@redhat.com
 To: Users@ovirt.org List Users@ovirt.org
 Sent: Wednesday, January 21, 2015 3:43:50 PM
 Subject: [ovirt-users] REST exception building from master
 
 Hello,
 
 Building from master (i.e. towards 3.6), trying to use REST produces
 some exceptions - anyone has any clue as to why? Attaching the response
 (stack trace); this is to a GET operation on /api.
 
 Yours, Lior.
 
 
 
 JBoss Web/7.0.0.SNAPSHOT - Error report

 HTTP Status 500 -

 type: Exception report
 message:
 description: The server encountered an internal error () that prevented it
 from fulfilling this request.
 exception:
 javax.servlet.ServletException: Servlet.init() for servlet
 org.ovirt.engine.api.restapi.BackendApplication threw exception
   
 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489)
   
 org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
   
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
   
 org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
   
 org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
   
 org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
   org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
   java.lang.Thread.run(Thread.java:724)
 /pre/ppbroot cause/b prejava.lang.RuntimeException:
 java.lang.RuntimeException: Unable to instantiate MessageBodyReader
   
 org.jboss.resteasy.plugins.providers.RegisterBuiltin.register(RegisterBuiltin.java:35)
   
 org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:211)
   
 org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:67)
   
 org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
   
 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489)
   
 org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
   
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
   
 org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
   
 org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
   
 org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671)
   org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
   java.lang.Thread.run(Thread.java:724)
 /pre/ppbroot cause/b prejava.lang.RuntimeException: Unable
 to instantiate MessageBodyReader
   
 org.jboss.resteasy.spi.ResteasyProviderFactory.registerProvider(ResteasyProviderFactory.java:761)
   
 org.jboss.resteasy.plugins.providers.RegisterBuiltin.registerProviders(RegisterBuiltin.java:70)
   
 org.jboss.resteasy.plugins.providers.RegisterBuiltin.register(RegisterBuiltin.java:31)
   
 org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:211)
   
 org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:67)
   
 org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
   
 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489)
   
 org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
   
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   

Re: [ovirt-users] roles for foreman integration user

2015-01-22 Thread Jorick Astrego
Nope, I just reset the password twice in FreeIPA. Once with a random
password and next with a very simple password


2015-01-22 15:31:09,344 INFO 
[org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-5) Cant login user test-admin with
authentication profile netbulae.test because the authentication
failed.
2015-01-22 15:31:09,366 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-5) Correlation ID: null, Call Stack: null,
Custom Event ID: -1, Message: User test-ad...@netbulae.test failed
to log in.
2015-01-22 15:31:09,367 WARN 
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-5) CanDoAction of action LoginAdminUser failed
for user  test-ad...@netbulae.test. Reasons: USER_PASSWORD_EXPIRED

On the ipa side, I don't see any authentication attempts in the logs.
ldapsearch with the same account and password on the ipa works fine.


On 01/22/2015 02:55 PM, Oved Ourfali wrote:
 are you able to login with these credentials to oVirt directly?

 - Original Message -
 From: Jorick Astrego j.astr...@netbulae.eu
 To: Oved Ourfali ov...@redhat.com
 Cc: Ohad Levy ohadl...@redhat.com, users@ovirt.org
 Sent: Thursday, January 22, 2015 3:48:45 PM
 Subject: Re: [ovirt-users] roles for foreman integration user

 Ah sorry, could have checked myself. Trying to get 3.5.1 running for DEV in a
 hurry ;-)



 Processing by ComputeResourcesController#test_connection as */*
 Parameters: {utf8=✓,
 authenticity_token=D/PZVxVpow1glpUBkxcD90WsMJjAxilbdWgXClgf7C8=,
 compute_resource={name=engineen, provider=Ovirt,
 description=, url= https://ovirt-engine.netbulae.test/api; ,
 user= test-ad...@netbulae.test , password=[FILTERED],
 location_ids=[, 2], organization_ids=[, 1]}, cr_id=null}
 CR_ID IS null
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted
 String does not start with the prefix 'encrypted-', so Foreman::Model::Ovirt
 engineen was not decrypted

 And the other side:



 2015-01-22 13:59:20,034 INFO
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (org.ovirt.thread.pool-8-thread-8) [1414b745] Correlation ID: 1414b745, Call
 Stack: null, Custom Event ID: -1, Message: User/Group test- was granted
 permission for Role DataCenterAdmin on System by
 2015-01-22 14:00:21,674 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-1) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:00:21,763 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-6) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:00:21,849 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-5) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:09:39,982 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-1) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:09:40,071 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-8) User test-adminauthentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 2015-01-22 14:09:40,203 ERROR
 [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
 (ajp--127.0.0.1-8702-2) User test-admin authentication failed. profile is
 netbulae.mgmt. Invocation Result code is 0. Authn result code is
 CREDENTIALS_EXPIRED
 Cheers, Jorick


 On 01/22/2015 02:29 PM, Oved Ourfali wrote:



 You need to share the logs on both ends (ovirt+foreman) for us to understand
 it.

 Thanks,
 Oved

 - Original Message -



 From: Jorick Astrego j.astr...@netbulae.eu
 To: Oved Ourfali ov...@redhat.com
 Cc: users@ovirt.org
 Sent: Thursday, January 22, 2015 3:25:51 PM
 Subject: Re: [ovirt-users] roles for foreman integration user

 I will check, but I now also have the problem in reverse. The compute
 resource in foreman 1.6 will only work with admin@internal. Gave the
 external user the superuser role to test but still permission denied.

 I also cannot login to the 
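
The engine log entries quoted in the message above record the reason for each failed login in the "Authn result code" field. The following Python is an added example, not part of the original message and not oVirt or Foreman code: it re-joins records that a mail client wrapped across lines and counts failures per user, profile and result code. The function names are assumptions of this example, and the sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample modelled on the engine log lines quoted in this thread,
# keeping the mail-client line wrapping and one entry with a missing space.
SAMPLE_LOG = """\
2015-01-22 13:59:20,034 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-8-thread-8) Message: User/Group test- was granted
permission for Role DataCenterAdmin on System by
2015-01-22 14:00:21,674 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-1) User test-admin authentication failed. profile is
netbulae.mgmt. Invocation Result code is 0. Authn result code is
CREDENTIALS_EXPIRED
2015-01-22 14:09:40,071 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-8) User test-adminauthentication failed. profile is
netbulae.mgmt. Invocation Result code is 0. Authn result code is
CREDENTIALS_EXPIRED
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\b")
FAILURE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?User (?P<user>\S+?)\s*authentication failed\. "
    r"profile is (?P<profile>\S+)\. Invocation Result code is (?P<inv>\d+)\. "
    r"Authn result code is (?P<authn>\w+)"
)


def join_records(text):
    """Re-join wrapped lines: a record starts at each timestamped line."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def auth_failures(text):
    """Return one dict per 'authentication failed' record."""
    return [m.groupdict() for m in map(FAILURE.match, join_records(text)) if m]


def summarize(text):
    """Count failures per (user, profile, Authn result code)."""
    return Counter((f["user"], f["profile"], f["authn"])
                   for f in auth_failures(text))
```

Grouping on the result code separates expired-credential failures from other failure reasons before anyone starts changing role assignments.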

Re: [ovirt-users] Details of the host

2015-01-22 Thread ChandraShekar Shastri
Hi Donny,

We don't have the libraries like expect or pexpect or sshpass or any other
supported, to automate the process of logging into the machine and get the
details of it.

So, I just thought of connecting RHEV-Manager using the REST API and get
the details of it.

Any suggestions would be really helpful.

Thanks,
Chandrashekar

On Fri, Jan 23, 2015 at 12:01 AM, Donny Davis do...@cloudspin.me wrote:

 When you add a host you will be able to see the details, and then you can
 place the host in maintenance mode to ensure no VM’s are brought up on it.



 But if you just need the mac address, why not ssh into it and get it from
 ip addr





 Donny D



 *From:* users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] *On
 Behalf Of *ChandraShekar Shastri
 *Sent:* Wednesday, January 21, 2015 6:28 AM
 *To:* users@ovirt.org
 *Subject:* [ovirt-users] Details of the host



 Hi All,



 I want to get the details of the Host without activating it. Is there a way to
 do it?

 I want to query the RHEV-Manager and would like to get the details of MAC
 address without activating it.



 Do you have the script to do this?



 Thanks,

 Chandrashekar





[ovirt-users] oVirt 3.5.1; hosted-engine --deploy, VM OS install, VNC dies after VM os install started formatting drive

2015-01-22 Thread Mikola Rose
Hi there list users,

I have run into a problem where I get through the point of installing the OS in 
the hosted engine VM but as soon as I reach the process where it's formatting the 
vm drive vnc connection closes and the following error is displayed.

{remote-viewer:21676: Gdk-CRITICAL **: IA__gdk_drawtable_get_size: assertion 
'GDK_IS_DRAWABLE (drawable)' failed

and I can not connect to the VM again


Any ideas out there?

Mik


Re: [ovirt-users] oVirt 3.5.1; hosted-engine --deploy, VM OS install, VNC dies after VM os install started formatting drive

2015-01-22 Thread Mikola Rose
Disregard...  the issue disappeared,  not sure how but I was able to get the vm 
os installed...






 On Jan 22, 2015, at 2:50 PM, Mikola Rose mr...@power-soft.com wrote:
 
 Hi there list users,
 
 I have run into a problem where I get through the point of installing the OS 
 in the hosted engine VM but as soon as I reach the process where it's 
 formatting the vm drive vnc connection closes and the following error is 
 displayed.
 
 {remote-viewer:21676: Gdk-CRITICAL **: IA__gdk_drawtable_get_size: assertion 
 'GDK_IS_DRAWABLE (drawable)' failed
 
 and I can not connect to the VM again
 
 
 Any ideas out there?
 
 Mik


[ovirt-users] oVirt 3.5.1 ; No Network Access on hosted engine vm

2015-01-22 Thread Mikola Rose
Hi again


I think I may have selected the wrong interface during the hosted-engine deploy 
routine.  My VM does not have network access.  The interface is connected and 
setup within the VM  just no network access.

Is there a way I can change the bridge interface?


Mik


[ovirt-users] Details of the host

2015-01-22 Thread ChandraShekar Shastri
Hi All,

I want to get the details of the Host without activating it. Is there a way to
do it?
I want to query the RHEV-Manager and would like to get the details of MAC
address without activating it.

Do you have the script to do this?

Thanks,
Chandrashekar


Re: [ovirt-users] Upgrade to 3.5.1

2015-01-22 Thread Sahina Bose


On 01/22/2015 08:03 PM, Demeter Tibor wrote:

Hello,

I have an ovirt 3.5.0 cluster with three nodes and we are using glusterfs 
for serving backend storage for VMs. Glusterfs is on the same servers 
as ovirt.

We have Gluster 3.5.1 on all of the nodes.

How can I upgrade to ovirt 3.5.1 with new glusterfs? I don't want data 
inconsistency/data loss/split brains.


Do you have a replica 3 volume setup across these 3 nodes?

Glusterfs supports rolling upgrade for replica volumes.
But there are some issues to upgrade from 3.5 to 3.6 versions (depending 
on version used)

Adding gluster-users & Pranith for recommended procedures.


thanks
sahina



Need I update the gluster version to the latest?
How do I need to upgrade the nodes? Is there any whitepaper about this?


Thanks in advance,


Tibor





Re: [ovirt-users] Upgrade to 3.5.1

2015-01-22 Thread Sahina Bose

Sorry, wrong ML earlier

On 01/23/2015 12:33 PM, Sahina Bose wrote:


On 01/22/2015 08:03 PM, Demeter Tibor wrote:

Hello,

I have an ovirt 3.5.0 cluster with three nodes and we are using glusterfs 
for serving backend storage for VMs. Glusterfs is on the same servers 
as ovirt.

We have Gluster 3.5.1 on all of the nodes.

How can I upgrade to ovirt 3.5.1 with new glusterfs? I don't want 
data inconsistency/data loss/split brains.


Do you have a replica 3 volume setup across these 3 nodes?

Glusterfs supports rolling upgrade for replica volumes.
But there are some issues to upgrade from 3.5 to 3.6 versions 
(depending on version used)

Adding gluster-users & Pranith for recommended procedures.


thanks
sahina



Need I update the gluster version to the latest?
How do I need to upgrade the nodes? Is there any whitepaper about this?


Thanks in advance,


Tibor


