Re: [ovirt-users] Upgrade problem

2015-09-11 Thread Yaniv Kaul
On 11/09/15 19:18, Koen Vanoppen wrote:
> Hi everybody,
>
> I'm trying to upgrade ovirt to the ovirt 3.5.4 from my current version
> 3.5.3.
> But when I try to run engine-setup I got this:
>
> [ INFO  ] Checking for product updates...
>   Setup has found updates for some packages, do you wish to
> update them now? (Yes, No) [Yes]:
> [ INFO  ] Checking for an update for Setup...
> 
>   --== ALL IN ONE CONFIGURATION ==--
> 
> 
>   --== NETWORK CONFIGURATION ==--
> 
>   Setup can automatically configure the firewall on this system.
>   Note: automatic configuration of the firewall may overwrite
> current settings.
>   Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ INFO  ] firewalld will be configured as firewall manager.
> 
>   --== DATABASE CONFIGURATION ==--
> 
>   The detected DWH database size is 198 MB.
>   Setup can backup the existing database. The time and space
> required for the database backup depend on its size. This process
> takes time, and in some cases (for instance, when the size is few GBs)
> may take several hours to complete.
>   If you choose to not back up the database, and Setup later
> fails for some reason, it will not be able to restore the database and
> all DWH data will be lost.
>   Would you like to backup the existing database before
> upgrading it? (Yes, No) [Yes]:
> 
>   --== OVIRT ENGINE CONFIGURATION ==--
> 
>   Skipping storing options as database already prepared
> 
>   --== PKI CONFIGURATION ==--
> 
> [ ERROR ] Failed to execute stage 'Environment customization': Command
> '/bin/openssl' failed to execute
> [ INFO  ] Stage: Clean up
>   Log file is located at
> /var/log/ovirt-engine/setup/ovirt-engine-setup-20150911181604-1gft67.log
> [ INFO  ] Generating answer file
> '/var/lib/ovirt-engine/setup/answers/20150911181626-setup.conf'
> [ INFO  ] Stage: Pre-termination
> [ INFO  ] Stage: Termination
> [ ERROR ] Execution of setup failed
>
>
> Any idea?

Looks like https://bugzilla.redhat.com/show_bug.cgi?id=1260752 .
Y.

>
> Kind regards,
>
> Koen
>
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users



[ovirt-users] Error while executing action: - General command validation failure.

2015-09-11 Thread Kyle Bassett
Anyone have any ideas on this exception? As soon as I try to save the interface 
configuration from the web, I get the error:

>> Error while executing action:
>> 
>> General command validation failure.

I see this in the server log on the manager; it doesn’t seem to make it to the 
vdsm log...

> Caused by: java.lang.RuntimeException: could not find matching constructor 
> for Command class class 
> org.ovirt.engine.core.bll.network.host.GetAllChildVlanInterfacesQuery
>   at org.ovirt.engine.core.bll.CommandsFactory.findCommandConstructor(CommandsFactory.java:209) [bll.jar:]
>   at org.ovirt.engine.core.bll.CommandsFactory.createQueryCommand(CommandsFactory.java:129) [bll.jar:]

thanks
Kyle



> On Sep 10, 2015, at 2:51 PM, Kyle Bassett wrote:
> 
> Hi, I was able to bring up the interface manually… It’s green but I keep 
> getting the same exception…
> 
> 2015-09-10 18:47:48,841 ERROR [org.jboss.ejb3.invocation] 
> (ajp--127.0.0.1-8702-6) JBAS014134: EJB Invocation failed on component 
> Backend for method public abstract 
> org.ovirt.engine.core.common.queries.VdcQueryReturnValue 
> org.ovirt.engine.core.bll.interfaces.BackendInternal.runInternalQuery(org.ovirt.engine.core.common.queries.VdcQueryType,org.ovirt.engine.core.common.queries.VdcQueryParametersBase,org.ovirt.engine.core.bll.context.EngineContext):
>  java.lang.RuntimeException: java.lang.RuntimeException: could not find 
> matching constructor for Command class class 
> org.ovirt.engine.core.bll.network.host.GetAllChildVlanInterfacesQuery
>   at org.ovirt.engine.core.bll.CommandsFactory.createQueryCommand(CommandsFactory.java:137) [bll.jar:]
>   at org.ovirt.engine.core.bll.Backend.createQueryCommand(Backend.java:649) [bll.jar:]
>   at org.ovirt.engine.core.bll.Backend.runQueryImpl(Backend.java:495) [bll.jar:]
>   at org.ovirt.engine.core.bll.Backend.runInternalQuery(Backend.java:466) [bll.jar:]
>   at sun.reflect.GeneratedMethodAccessor194.invoke(Unknown Source) [:1.7.0_79]
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79]
>   at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]
>   at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:114) [jboss-as-weld-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:125) [jboss-as-weld-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:135) [jboss-as-weld-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:82) [jboss-as-weld-7.1.1.Final.jar:7.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
>   at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53)

Re: [ovirt-users] Issues while deploying

2015-09-11 Thread Alon Bar-Lev

Indeed.
Fabian, where is the 3.5 node iso located?
Should be at[1], right?

[1] http://resources.ovirt.org/pub/ovirt-3.5/iso/

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Friday, September 11, 2015 12:18:49 PM
> Subject: Re: [ovirt-users] Issues while deploying
> 
> Hi Alon,
> 
> No ISO is available in the mentioned URL.
> 
> Thanks,
> Nagaraju
> 
> 
> On Thu, Sep 10, 2015 at 5:15 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: users@ovirt.org
> > > Sent: Thursday, September 10, 2015 2:41:28 PM
> > > Subject: Re: [ovirt-users] Issues while deploying
> > >
> > > Hi Alon,
> > >
> > > Thanks for your quick response,
> > >
> > > How to resolve this ? in the ovirt portal I have not found the latest one
> > > hypervisor node.
> >
> > Try[1].
> > When it comes up again.
> >
> > [1] http://resources.ovirt.org/pub/ovirt-3.5/iso/
> >
> >
> > >
> > > Thanks
> > > On Sep 10, 2015 5:04 PM, "Alon Bar-Lev"  wrote:
> > >
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: users@ovirt.org
> > > > > Sent: Thursday, September 10, 2015 6:18:36 AM
> > > > > Subject: [ovirt-users] Issues while deploying
> > > > >
> > > > > HI
> > > > >
> > > > > > Installed ovirt3.5 and while adding ovirt-node it's getting stuck at
> > > > > > "non-responsive" state, as shown in the screenshot.
> > > >
> > > > Non operational != non responsive :)
> > > >
> > > > > > Below are the ovirt-Engine logs,
> > > >
> > > > Next time please attach logs.
> > > >
> > > > As far as I can see the following is the actual issue:
> > > >
> > > > 2015-09-10 08:45:42,384 INFO
> > > > [org.ovirt.engine.core.vdsbroker.SetVdsStatusVDSCommand]
> > > > (DefaultQuartzScheduler_Worker-74) [41a02af3] START,
> > > > SetVdsStatusVDSCommand(HostName = test, HostId =
> > > > 400e5335-5e1c-4d7c-8470-d13b5438ad4a, status=NonOperational,
> > > > nonOperationalReason=CLUSTER_VERSION_INCOMPATIBLE_WITH_CLUSTER,
> > > > stopSpmFailureLogged=false), log id: 4d27a1fe
> > > >
> > > > I guess the repository configuration of the host is ovirt-3.4 and not
> > > > ovirt-3.5.
> > > >
> > > > Regards,
> > > > Alon
> > > >
> > >
> >
> 


[ovirt-users] Strange fencing behaviour 3.5.3

2015-09-11 Thread Martin Breault

Hello,

I manage 2 oVirt clusters that are not associated in any way, they each 
have their own management engine running ovirt-engine-3.5.3.1-1.  The 
servers are Dell 6xx series and the power-management is configured using 
idrac5 settings and each cluster is a pair of hypervisors.


The engines are both in a datacenter that had an electrical issue, each 
cluster is at a different unrelated location.  The problem I had was 
caused by a downed switch causing the individual engines to continue to 
function, however no longer have connectivity to their respective 
clusters.  Once the switch was replaced (about 30 minutes of downtime) , 
when connectivity was resumed, both engines chose to fence one of the 
two "unresponsive hypervisors" by sending an iDrac command to power down.


The downed hypervisor Cluster1 for some reason, 8 minutes later, got an 
iDrac command to power-up again.  When I logged into the engine, the 
guests that were running on the powered-down host were in "off" state.  
I simply powered them back on.


The downed hypervisor on Cluster2 stayed off, and was unresponsive 
according to the engine, however the VMs that were running on it were in 
an unknown state.  I had to power on the host and click the "host has 
been rebooted" dialog for the cluster to free these guests to be booted 
again.


My question is, is it normal for the engine to fence one or more hosts 
when it loses connectivity to all the hypervisors in the cluster?  Is 
there a minimum of 3 hosts in a cluster for it to not fall into this 
mode?  I'd like to know what I can troubleshoot or how I can avoid an 
issue like this should the engine be disconnected from the hypervisors 
temporarily and then resume connectivity only to kill the well-running 
guests.


Thanks in advance,

Marty



[ovirt-users] Extension aaa: No search for principal

2015-09-11 Thread Daniel Helgenberger
Hello,

I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for 
ovirt 3.5.4. I am following the [readme.md] and so far it was quite 
straightforward:
> include = 
>
> #
> # Active directory domain name.
> #
> vars.domain = int.corp.de
>
> #
> # Search user and its password.
> #
> vars.user = bind@${global:vars.domain}
> vars.password = [redacted]
>
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> # Uncomment if using custom DNS
> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> #pool.default.ssl.truststore.password = changeit



The config seems to work; at least the domain and binddn part. I can 
browse and add users to ovirt as suggested in step (3). All quotes are 
from engine.log:

> 2015-09-11 11:54:50,261 INFO  
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand] 
> (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command: 
> AddSystemPermissionCommand internal: false. Entities affected :  ID: 
> aaa0----123456789aaa Type: SystemAction group 
> MANIPULATE_PERMISSIONS with role type USER,  ID: 
> aaa0----123456789aaa Type: SystemAction group 
> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
> 2015-09-11 11:54:50,268 INFO  [org.ovirt.engine.core.bll.aaa.AddUserCommand] 
> (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command: 
> AddUserCommand internal: true. Entities affected :  ID: 
> aaa0----123456789aaa Type: SystemAction group 
> MANIPULATE_USERS with role type ADMIN
> 2015-09-11 11:54:50,301 INFO  
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72, Call 
> Stack: null, Custom Event ID: -1, Message: User 'Administrator' was added 
> successfully to the system.
> 2015-09-11 11:54:50,379 INFO  
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9, Call 
> Stack: null, Custom Event ID: -1, Message: User/Group Administrator was 
> granted permission for Role SuperUser on System by admin@internal.

Yet, when logging in as a user administrator I get:

> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class 
> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
>  Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class 
> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No
>  search for principal 'administra...@int.corp.com'}

Followed by a java stack trace.
I did not find any configurable search path.

The config seems to load:
> 2015-09-11 12:01:34,897 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Loading extension 'builtin-authn-internal'
> 2015-09-11 12:01:34,903 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Extension 'builtin-authn-internal' loaded
> 2015-09-11 12:01:34,905 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Loading extension 'internal'
> 2015-09-11 12:01:34,907 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Extension 'internal' loaded
> 2015-09-11 12:01:34,919 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Loading extension 'corp-authn'
> 2015-09-11 12:01:34,967 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Extension 'corp-authn' loaded
> 2015-09-11 12:01:34,971 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Loading extension 'corp-authz'
> 2015-09-11 12:01:34,981 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Extension 'corp-authz' loaded
> 2015-09-11 12:01:34,982 INFO  
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
> 1-2) Initializing extension 'corp-authn'
> 2015-09-11 12:01:34,983 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] 
> (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] 
> Creating LDAP pool 'authz'
> 2015-09-11 12:01:35,120 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] 
> (MSC service thread 1-2) 

[ovirt-users] Upgrade problem

2015-09-11 Thread Koen Vanoppen
Hi everybody,

I'm trying to upgrade ovirt to the ovirt 3.5.4 from my current version
3.5.3.
But when I try to run engine-setup I got this:

[ INFO  ] Checking for product updates...
  Setup has found updates for some packages, do you wish to update
them now? (Yes, No) [Yes]:
[ INFO  ] Checking for an update for Setup...

  --== ALL IN ONE CONFIGURATION ==--


  --== NETWORK CONFIGURATION ==--

  Setup can automatically configure the firewall on this system.
  Note: automatic configuration of the firewall may overwrite
current settings.
  Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO  ] firewalld will be configured as firewall manager.

  --== DATABASE CONFIGURATION ==--

  The detected DWH database size is 198 MB.
  Setup can backup the existing database. The time and space
required for the database backup depend on its size. This process takes
time, and in some cases (for instance, when the size is few GBs) may take
several hours to complete.
  If you choose to not back up the database, and Setup later fails
for some reason, it will not be able to restore the database and all DWH
data will be lost.
  Would you like to backup the existing database before upgrading
it? (Yes, No) [Yes]:

  --== OVIRT ENGINE CONFIGURATION ==--

  Skipping storing options as database already prepared

  --== PKI CONFIGURATION ==--

[ ERROR ] Failed to execute stage 'Environment customization': Command
'/bin/openssl' failed to execute
[ INFO  ] Stage: Clean up
  Log file is located at
/var/log/ovirt-engine/setup/ovirt-engine-setup-20150911181604-1gft67.log
[ INFO  ] Generating answer file
'/var/lib/ovirt-engine/setup/answers/20150911181626-setup.conf'
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
[ ERROR ] Execution of setup failed


Any idea?

Kind regards,

Koen


Re: [ovirt-users] vdsm high mem usage

2015-09-11 Thread Daniel Helgenberger
Hello Michael,

I ran into the issue myself and can confirm restarting vdsm with nfs 
mitigates the issue. I even had a cron job for that.

On 11.09.2015 04:30, Darrell Budic wrote:
> If you’re using nfs mounts (even if they are gluster based), it’s safe to
> restart vdsmd, you’ll see it change status in ovirt, but your VMs will 
> continue
> running. If you’re mounting gluster based storage as glusterfs shares directly
> (not over nfs), there’s another issue that will cause all your VMs to pause 
> and
> the only way to recover is to stop them and restart them, but that’s going to
> happen to them anyway when vdsmd runs out of ram and crashes… Best solution is
> to migrate them yourself in this case, then restart and migrate back.
This is what I have done. The easiest way to do so is to set the host in 
maintenance, wait for the migration to finish and then restart vdsm. You 
should do this only at one host and then wait a while so you do not run 
into OOM on the whole cluster at once.

> Or live
> migrate them to NFS mounted storage so when vdsm crashes they don’t lock up, 
> and
> clean up after you’ve had an opportunity to upgrade or patch.
>
> Upgrade to 3.5.3 or later at your earliest opportunity, the mem leak is 
> resolved
> there. Sounds like you already found the patch you can apply if upgrading 
> isn’t
> an option, but it will still require you to restart your vdsms.

I can confirm 3.5.3 finally solved the issue for us and VDSM keeps below 
100MB RSS.


>
> -Darrell
>
>> On Sep 10, 2015, at 1:45 PM, Michael Kleinpaste wrote:
>>
>> Hi everybody.
>>
>> So I ran into that high mem usage thing. The problem I have with patching is
>> that this is a live system so I can't do it mid day.  Can anybody tell me if
>> it is possible to just restart the vdsm service or does the host have to be 
>> in
>> "maintenance mode" before restarting it?  It is using gluster storage, if 
>> that
>> makes a difference as well.
>>
>> Thanks,
>>
>> --
>> *Michael Kleinpaste*
>> Senior Systems Administrator
>> SharperLending, LLC.
>> www.SharperLending.com
>> michael.kleinpa...@sharperlending.com
>> 
>> (509) 324-1230   Fax: (509) 324-1234
>

-- 
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN


www.m-box.de  www.monkeymen.tv

Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767


Re: [ovirt-users] RESTAPI: 'action type cpu profile empty' if more then one profile defined in the cluster

2015-09-11 Thread Sandro Bonazzola
On Thu, Sep 10, 2015 at 1:19 PM, Daniel Helgenberger <
daniel.helgenber...@m-box.de> wrote:

> Hello,
>
> Sandro set BZ1160846 to resolved for 3.5.4, yet the same issue still
> exists with cpu profiles (I even remember a duplicate pointing to this BZ
> but seem to be unable to find it).
>

Well, according to bugzilla it was verified on oVirt 3.5.1 so it should
have been closed on 3.5.1.
If you still have the issue it should be a regression, please open a new BZ
against 3.5.4.
Please use the new classification for it :-)
https://bugzilla.redhat.com/enter_bug.cgi?classification=oVirt



>
> Steps:
> 1. Set up Foreman provisioning for ovirt
> 2. Add a second cpu profile to cluster
> 3. Provision a VM using foreman
>
> Result:
> Error: action type cpu profile empty
>
> after removing any extra CPU profiles leaving only 'Default', vm
> provisioning works again.
>
> engine.log:
> > 2015-09-10 13:07:20,573 INFO
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-5)
> Running command: LoginUserCommand internal: false.
> > 2015-09-10 13:07:20,790 INFO  [org.ovirt.engine.core.bll.AddVmCommand]
> (ajp--127.0.0.1-8702-5) [3651d332] Lock Acquired to object EngineLock
> [exclusiveLocks= key: test03 value: VM_NAME
> > 2015-09-10 13:07:20,845 WARN  [org.ovirt.engine.core.bll.AddVmCommand]
> (ajp--127.0.0.1-8702-5) [3651d332] CanDoAction of action AddVm failed for
> user admin@internal. Reasons:
> VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_CPU_PROFILE_EMPTY
> > 2015-09-10 13:07:20,846 INFO  [org.ovirt.engine.core.bll.AddVmCommand]
> (ajp--127.0.0.1-8702-5) [3651d332] Lock freed to object EngineLock
> [exclusiveLocks= key: test03 value: VM_NAME
> > 2015-09-10 13:07:20,905 ERROR
> [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
> (ajp--127.0.0.1-8702-5) Operation Failed: [action type cpu profile empty]
>
>
> Versions:
> ovirt-engine-3.5.4.2-1.el7.centos.noarch
> Foreman 1.8.3
>
> If nobody objects I would open a BZ asap.
>
> Thanks,
>
>
>
> On 20.08.2015 14:41, Daniel Helgenberger wrote:
> > Hello,
> >
> > I still seem to have an issue in ovirt with a [BZ1160846].
> > In my case, foreman is unable to add hosts if I have multiple CPU
> > Profiles defined in the cluster:
> >
> > Failed to create a compute oVirt (oVirt) instance $hostname: action type
> > cpu profile empty
> >
> > BZ says this was resolved in RHEV 3.5.1; but running 3.5.3 I still have
> > this issue (if this BZ is even applicable)
> >
> > Thanks!
> >
> > Versions:
> > oVirt 3.5.3 el7
> > Foreman 1.8.2
> >
> > Thanks!
> >
> > [BZ1160846] https://bugzilla.redhat.com/show_bug.cgi?id=1160846
> >
>
> --
> Daniel Helgenberger
> m box bewegtbild GmbH
>
> P: +49/30/2408781-22
> F: +49/30/2408781-10
>
> ACKERSTR. 19
> D-10115 BERLIN
>
>
> www.m-box.de  www.monkeymen.tv
>
> Managing directors: Martin Retschitzegger / Michaela Göllner
> Commercial register: Amtsgericht Charlottenburg / HRB 112767
>



-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com


Re: [ovirt-users] Issues while deploying

2015-09-11 Thread Fabian Deutsch
On Fri, Sep 11, 2015 at 11:33 AM, Alon Bar-Lev  wrote:
>
> Indeed.
> Fabian, where is the 3.5 node iso located?
> Should be at[1], right?

Yes, it should be there, but we are missing some publishers.

In the mean time, please retrieve the Node iso from:
http://jenkins.ovirt.org/job/ovirt-node_ovirt-3.5_create-iso-el7_merged/
or
http://jenkins.ovirt.org/job/ovirt-node_ovirt-3.5_create-iso-el6_merged/

- fabian

> [1] http://resources.ovirt.org/pub/ovirt-3.5/iso/
>
> - Original Message -
>> From: "Budur Nagaraju" 
>> To: "Alon Bar-Lev" 
>> Cc: users@ovirt.org
>> Sent: Friday, September 11, 2015 12:18:49 PM
>> Subject: Re: [ovirt-users] Issues while deploying
>>
>> Hi Alon,
>>
>> No ISO is available in the mentioned URL.
>>
>> Thanks,
>> Nagaraju
>>
>>
>> On Thu, Sep 10, 2015 at 5:15 PM, Alon Bar-Lev  wrote:
>>
>> >
>> >
>> > - Original Message -
>> > > From: "Budur Nagaraju" 
>> > > To: "Alon Bar-Lev" 
>> > > Cc: users@ovirt.org
>> > > Sent: Thursday, September 10, 2015 2:41:28 PM
>> > > Subject: Re: [ovirt-users] Issues while deploying
>> > >
>> > > Hi Alon,
>> > >
>> > > Thanks for your quick response,
>> > >
>> > > How to resolve this ? in the ovirt portal I have not found the latest one
>> > > hypervisor node.
>> >
>> > Try[1].
>> > When it comes up again.
>> >
>> > [1] http://resources.ovirt.org/pub/ovirt-3.5/iso/
>> >
>> >
>> > >
>> > > Thanks
>> > > On Sep 10, 2015 5:04 PM, "Alon Bar-Lev"  wrote:
>> > >
>> > > >
>> > > > - Original Message -
>> > > > > From: "Budur Nagaraju" 
>> > > > > To: users@ovirt.org
>> > > > > Sent: Thursday, September 10, 2015 6:18:36 AM
>> > > > > Subject: [ovirt-users] Issues while deploying
>> > > > >
>> > > > > HI
>> > > > >
>> > > > > Installed ovirt3.5 and while adding ovirt-node it's getting stuck at
>> > > > > "non-responsive" state, as shown in the screenshot.
>> > > >
>> > > > Non operational != non responsive :)
>> > > >
>> > > > > Below are the ovirt-Engine logs,
>> > > >
>> > > > Next time please attach logs.
>> > > >
>> > > > As far as I can see the following is the actual issue:
>> > > >
>> > > > 2015-09-10 08:45:42,384 INFO
>> > > > [org.ovirt.engine.core.vdsbroker.SetVdsStatusVDSCommand]
>> > > > (DefaultQuartzScheduler_Worker-74) [41a02af3] START,
>> > > > SetVdsStatusVDSCommand(HostName = test, HostId =
>> > > > 400e5335-5e1c-4d7c-8470-d13b5438ad4a, status=NonOperational,
>> > > > nonOperationalReason=CLUSTER_VERSION_INCOMPATIBLE_WITH_CLUSTER,
>> > > > stopSpmFailureLogged=false), log id: 4d27a1fe
>> > > >
>> > > > I guess the repository configuration of the host is ovirt-3.4 and not
>> > > > ovirt-3.5.
>> > > >
>> > > > Regards,
>> > > > Alon
>> > > >
>> > >
>> >
>>


Re: [ovirt-users] Extension aaa: No search for principal

2015-09-11 Thread Alon Bar-Lev
Hi!

Thank you for the information, for some reason the administrator user cannot be 
resolved to userPrincipalName during login, is it specific for Administrator or 
any user?

Can you please attach the extension configuration for both authn/authz as well?

I will also need debug log with ALL level, see [1] for instructions.

Thanks!
Alon

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377

- Original Message -
> From: "Daniel Helgenberger" 
> To: Users@ovirt.org
> Sent: Friday, September 11, 2015 1:28:10 PM
> Subject: [ovirt-users] Extension aaa: No search for principal
> 
> Hello,
> 
> I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for
> ovirt 3.5.4. I am following the [readme.md] and so far it was quite
> straightforward:
> > include = 
> >
> > #
> > # Active directory domain name.
> > #
> > vars.domain = int.corp.de
> >
> > #
> > # Search user and its password.
> > #
> > vars.user = bind@${global:vars.domain}
> > vars.password = [redacted]
> >
> > #
> > # Optional DNS servers, if enterprise
> > # DNS server cannot resolve the domain srvrecord.
> > #
> > #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> >
> > pool.default.serverset.type = srvrecord
> > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > # Uncomment if using custom DNS
> > #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> >
> > # Create keystore, import certificate chain and uncomment
> > # if using ssl/tls.
> > #pool.default.ssl.startTLS = true
> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> > #pool.default.ssl.truststore.password = changeit
> 
> 
> 
> The config seems to work; at least the domain and binddn part. I can
> browse and add users to ovirt as suggested in step (3). All quotes are
> from engine.log:
> 
> > 2015-09-11 11:54:50,261 INFO
> > [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> > (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command:
> > AddSystemPermissionCommand internal: false. Entities affected :  ID:
> > aaa0----123456789aaa Type: SystemAction group
> > MANIPULATE_PERMISSIONS with role type USER,  ID:
> > aaa0----123456789aaa Type: SystemAction group
> > ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
> > 2015-09-11 11:54:50,268 INFO
> > [org.ovirt.engine.core.bll.aaa.AddUserCommand]
> > (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command:
> > AddUserCommand internal: true. Entities affected :  ID:
> > aaa0----123456789aaa Type: SystemAction group
> > MANIPULATE_USERS with role type ADMIN
> > 2015-09-11 11:54:50,301 INFO
> > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> > (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72,
> > Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was
> > added successfully to the system.
> > 2015-09-11 11:54:50,379 INFO
> > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> > (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9,
> > Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator
> > was granted permission for Role SuperUser on System by admin@internal.
> 
> Yet, when logging in as a user administrator I get:
> 
> > {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
> > java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
> > Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
> > java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No
> > search for principal 'administra...@int.corp.com'}
> 
> Followed by a java stack trace.
> I did not find any configurable search path.
> 
> The config seems to load:
> > 2015-09-11 12:01:34,897 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Loading extension 'builtin-authn-internal'
> > 2015-09-11 12:01:34,903 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Extension 'builtin-authn-internal' loaded
> > 2015-09-11 12:01:34,905 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Loading extension 'internal'
> > 2015-09-11 12:01:34,907 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Extension 'internal' loaded
> > 2015-09-11 12:01:34,919 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Loading extension 'corp-authn'
> > 2015-09-11 12:01:34,967 INFO
> > 

Re: [ovirt-users] RESTAPI: 'action type cpu profile empty' if more then one profile defined in the cluster

2015-09-11 Thread Daniel Helgenberger
Hello Sandro,

On 11.09.2015 14:02, Sandro Bonazzola wrote:
>
>
> On Thu, Sep 10, 2015 at 1:19 PM, Daniel Helgenberger
> > wrote:
>
>  Hello,
>
>  Sandro set BZ1160846 to resolved for 3.5.4, yet the same issue still
>  exists with cpu profiles (I even remember a duplicate pointing to this BZ
>  but seem to be unable to find it).
>
>
> Well, according to bugzilla it was verified on oVirt 3.5.1 so it should have
> been closed on 3.5.1.
> If you still have the issue it should be a regression, please open a new BZ
> against 3.5.4.
> Please use the new classification for it :-)
> https://bugzilla.redhat.com/enter_bug.cgi?classification=oVirt

I already did so, BZ1262293:
https://bugzilla.redhat.com/show_bug.cgi?id=1262293

Btw, great that ovirt has its own classification now

>
>
>  Steps:
>  1. Set up Foreman provisioning for ovirt
>  2. Add a second cpu profile to cluster
>  3. Provision a VM using foreman
>
>  Result:
>  Error: action type cpu profile empty
>
>  after removing any extra CPU profiles leaving only 'Default', vm
>  provisioning works again.
>
>  engine.log:
>   > 2015-09-10 13:07:20,573 INFO
>  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-5)
>  Running command: LoginUserCommand internal: false.
>   > 2015-09-10 13:07:20,790 INFO  [org.ovirt.engine.core.bll.AddVmCommand]
>  (ajp--127.0.0.1-8702-5) [3651d332] Lock Acquired to object EngineLock
>  [exclusiveLocks= key: test03 value: VM_NAME
>   > 2015-09-10 13:07:20,845 WARN  [org.ovirt.engine.core.bll.AddVmCommand]
>  (ajp--127.0.0.1-8702-5) [3651d332] CanDoAction of action AddVm failed for
>  user admin@internal. Reasons:
>  VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_CPU_PROFILE_EMPTY
>   > 2015-09-10 13:07:20,846 INFO  [org.ovirt.engine.core.bll.AddVmCommand]
>  (ajp--127.0.0.1-8702-5) [3651d332] Lock freed to object EngineLock
>  [exclusiveLocks= key: test03 value: VM_NAME
>   > 2015-09-10 13:07:20,905 ERROR
>  [org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
>  (ajp--127.0.0.1-8702-5) Operation Failed: [action type cpu profile empty]
>
>
>  Versions:
>  ovirt-engine-3.5.4.2-1.el7.centos.noarch
>  Foreman 1.8.3
>
>  If nobody objects I would open a BZ asap.
>
>  Thanks,
>
>
>
>  On 20.08.2015 14:41, Daniel Helgenberger wrote:
>   > Hello,
>   >
>   > I still seem to have an issue in ovirt with a [BZ1160846].
>   > In my case, foreman is unable to add hosts if I have multiple CPU
>   > Profiles defined in the cluster:
>   >
>   > Failed to create a compute oVirt (oVirt) instance $hostname: action type
>   > cpu profile empty
>   >
>   > BZ says this was resolved in RHEV 3.5.1; but running 3.5.3 I still have
>   > this issue (if this BZ is even applicable)
>   >
>   > Thanks!
>   >
>   > Versions:
>   > oVirt 3.5.3 el7
>   > Foreman 1.8.2
>   >
>   > Thanks!
>   >
>   > [BZ1160846] https://bugzilla.redhat.com/show_bug.cgi?id=1160846
>   >
>
>  --
>  Daniel Helgenberger
>  m box bewegtbild GmbH
>
>  P: +49/30/2408781-22
>  F: +49/30/2408781-10
>
>  ACKERSTR. 19
>  D-10115 BERLIN
>
>
>  www.m-box.de  www.monkeymen.tv 
> 
>
>  Geschäftsführer: Martin Retschitzegger / Michaela Göllner
>  Handeslregister: Amtsgericht Charlottenburg / HRB 112767
>
>
>
>
> --
> Sandro Bonazzola
> Better technology. Faster innovation. Powered by community collaboration.
> See how it works at redhat.com 
>

-- 
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN


www.m-box.de  www.monkeymen.tv

Geschäftsführer: Martin Retschitzegger / Michaela Göllner
Handeslregister: Amtsgericht Charlottenburg / HRB 112767
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Extension aaa: No search for principal

2015-09-11 Thread Daniel Helgenberger


On 11.09.2015 12:48, Alon Bar-Lev wrote:
> Hi!
>
> Thank you for the information, for some reason the administrator user cannot 
> be resolved to userPrincipalName during login, is it specific for 
> Administrator or any user?

Thanks for getting back to me Alon.

>
> Can you please attach the extension configuration for both authn/authz as 
> well?

here you go, but I did nothing apart from changing the profile naming. 
Please note I performed anonymization and replaced my domain with 'corp' 
(as you might have guessed). If this had any side effects I can mail you 
the original logs as well.

# cat /etc/ovirt-engine/extensions.d/corp-authn.properties
> ovirt.engine.extension.name = corp-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = corp
> ovirt.engine.aaa.authn.authz.plugin = corp-authz
> config.profile.file.1 = ../aaa/corp.properties

# cat /etc/ovirt-engine/extensions.d/corp-authz.properties
> ovirt.engine.extension.name = corp-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = ../aaa/corp.properties

>
> I will also need debug log with ALL level, see [1] for instructions.
please find engine log with debugging on attached. I did a number of 
logins in the logged timeframe as well as engine restarts; and hope it 
is sufficient.

Thanks!

>
> Thanks!
> Alon
>
> [1] 
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
>
> - Original Message -
>> From: "Daniel Helgenberger" 
>> To: Users@ovirt.org
>> Sent: Friday, September 11, 2015 1:28:10 PM
>> Subject: [ovirt-users] Extension aaa: No search for principal
>>
>> Hello,
>>
>> I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for
>> ovirt 3.5.4. I am following the [readme.md] and so far it was quite
>> straightforward:
>>> include = 
>>>
>>> #
>>> # Active directory domain name.
>>> #
>>> vars.domain = int.corp.de
>>>
>>> #
>>> # Search user and its password.
>>> #
>>> vars.user = bind@${global:vars.domain}
>>> vars.password = [redacted]
>>>
>>> #
>>> # Optional DNS servers, if enterprise
>>> # DNS server cannot resolve the domain srvrecord.
>>> #
>>> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>>>
>>> pool.default.serverset.type = srvrecord
>>> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>>
>>> # Uncomment if using custom DNS
>>> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>>> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>>>
>>> # Create keystore, import certificate chain and uncomment
>>> # if using ssl/tls.
>>> #pool.default.ssl.startTLS = true
>>> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
>>> #pool.default.ssl.truststore.password = changeit
>>
>>
>>
>> The config seems to work; at least the domain and binddn part. I can
>> browse and add users to ovirt as suggested in step (3). All quotes are
>> from engine.log:
>>
>>> 2015-09-11 11:54:50,261 INFO
>>> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>>> (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command:
>>> AddSystemPermissionCommand internal: false. Entities affected :  ID:
>>> aaa0----123456789aaa Type: SystemAction group
>>> MANIPULATE_PERMISSIONS with role type USER,  ID:
>>> aaa0----123456789aaa Type: SystemAction group
>>> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
>>> 2015-09-11 11:54:50,268 INFO
>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command:
>>> AddUserCommand internal: true. Entities affected :  ID:
>>> aaa0----123456789aaa Type: SystemAction group
>>> MANIPULATE_USERS with role type ADMIN
>>> 2015-09-11 11:54:50,301 INFO
>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72,
>>> Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was
>>> added successfully to the system.
>>> 2015-09-11 11:54:50,379 INFO
>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]

Re: [ovirt-users] Extension aaa: No search for principal

2015-09-11 Thread Daniel Helgenberger
sorry, forgot one:

On 11.09.2015 12:48, Alon Bar-Lev wrote:
> Hi!
>
> Thank you for the information, for some reason the administrator user cannot 
> be resolved to userPrincipalName during login, is it specific for 
> Administrator or any user?
This is the default domain administrator account which exists in any 
forest. But just in case I created a new domain user just for the 
purpose; same outcome

>
> Can you please attach the extension configuration for both authn/authz as 
> well?
>
> I will also need debug log with ALL level, see [1] for instructions.
>
> Thanks!
> Alon
>
> [1] 
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
>
> - Original Message -
>> From: "Daniel Helgenberger" 
>> To: Users@ovirt.org
>> Sent: Friday, September 11, 2015 1:28:10 PM
>> Subject: [ovirt-users] Extension aaa: No search for principal
>>
>> Hello,
>>
>> I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for
>> ovirt 3.5.4. I am following the [readme.md] and so far it was quite
>> straightforward:
>>> include = 
>>>
>>> #
>>> # Active directory domain name.
>>> #
>>> vars.domain = int.corp.de
>>>
>>> #
>>> # Search user and its password.
>>> #
>>> vars.user = bind@${global:vars.domain}
>>> vars.password = [redacted]
>>>
>>> #
>>> # Optional DNS servers, if enterprise
>>> # DNS server cannot resolve the domain srvrecord.
>>> #
>>> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>>>
>>> pool.default.serverset.type = srvrecord
>>> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>>
>>> # Uncomment if using custom DNS
>>> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>>> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>>>
>>> # Create keystore, import certificate chain and uncomment
>>> # if using ssl/tls.
>>> #pool.default.ssl.startTLS = true
>>> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
>>> #pool.default.ssl.truststore.password = changeit
>>
>>
>>
>> The config seems to work; at least the domain and binddn part. I can
>> browse and add users to ovirt as suggested in step (3). All quotes are
>> from engine.log:
>>
>>> 2015-09-11 11:54:50,261 INFO
>>> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>>> (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command:
>>> AddSystemPermissionCommand internal: false. Entities affected :  ID:
>>> aaa0----123456789aaa Type: SystemAction group
>>> MANIPULATE_PERMISSIONS with role type USER,  ID:
>>> aaa0----123456789aaa Type: SystemAction group
>>> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
>>> 2015-09-11 11:54:50,268 INFO
>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command:
>>> AddUserCommand internal: true. Entities affected :  ID:
>>> aaa0----123456789aaa Type: SystemAction group
>>> MANIPULATE_USERS with role type ADMIN
>>> 2015-09-11 11:54:50,301 INFO
>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72,
>>> Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was
>>> added successfully to the system.
>>> 2015-09-11 11:54:50,379 INFO
>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9,
>>> Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator
>>> was granted permission for Role SuperUser on System by admin@internal.
>>
>> Yet, when logging in as a user administrator I get:
>>
>>> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
>>> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
>>> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
>>> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No
>>> search for principal 'administra...@int.corp.com'}
>>
>> Followed by a java stack trace.
>> I did not find any configurable search path.
>>
>> The config seems to load:
>>> 2015-09-11 12:01:34,897 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'builtin-authn-internal'
>>> 2015-09-11 12:01:34,903 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'builtin-authn-internal' loaded
>>> 2015-09-11 12:01:34,905 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'internal'
>>> 2015-09-11 12:01:34,907 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> 

Re: [ovirt-users] Extension aaa: No search for principal

2015-09-11 Thread Alon Bar-Lev


- Original Message -
> From: "Daniel Helgenberger" 
> To: "Alon Bar-Lev" 
> Cc: Users@ovirt.org
> Sent: Friday, September 11, 2015 5:33:21 PM
> Subject: Re: [ovirt-users] Extension aaa: No search for principal
> 
> sorry, forgot one:
> 
> On 11.09.2015 12:48, Alon Bar-Lev wrote:
> > Hi!
> >
> > Thank you for the information, for some reason the administrator user
> > cannot be resolved to userPrincipalName during login, is it specific for
> > Administrator or any user?
> This is the default domain administrator account which exists in any
> forest. But just in case I created a new domain user just for the
> purpose; same outcome

I am unsure what actually happens...
Something in global catalog is out of sync.
Usually - you do not add domain administrator to external application... there 
is no need to expose it.
By default Administrator does not have "login from network" and "user principal 
suffix".

Also in my environment I do not get result for administrator, but I do get one 
for regular user that has upn suffix in user record, you can see these fields 
in user and domain manager.

So please use regular unprivileged users which belong to "Domain Users" from 
now on.

To test if user has userPrincipalName use the following command (assuming we 
search for u...@int.corp.de):

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
    -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'b...@int.corp.de' -w PASSWORD \
    -b '' '(userPrincipalName=u...@int.corp.de)' cn userPrincipalName

This should find the user (return one result), if not, please check out the user in 
Users and Domains manager for the domain suffix, maybe it is empty.

To find user without userPrincipalName such as Administrator use the following 
command:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
    -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'b...@int.corp.de' -w PASSWORD \
    -b '' '(sAMAccountName=user)' cn userPrincipalName

For example, the above will work for Administrator, but for kerberos to work 
properly user principal name must be defined, so these users will not work.

You can dump entire GC and send me a user record if no result so I can 
determine what is different from expectations:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
    -H ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'b...@int.corp.de' -w PASSWORD \
    -b '' > /tmp/dump.out

Regards,
Alon
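
Added example, not part of the original thread or of oVirt: it reads an LDIF dump like the /tmp/dump.out produced above and lists the user accounts that a (userPrincipalName=name@domain) search cannot match, either because the attribute is missing or because its suffix differs from the login domain. The function names, the sample accounts and the corp.example suffix are assumptions made for illustration.

```python
import base64

def parse_ldif(text):
    """Parse unwrapped LDIF (ldapsearch -o ldif-wrap=no) into a list of entry dicts."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in cur:                    # skips dn-less blocks such as "search: 2"
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            name, _, rest = line.partition(":")
            b64 = rest.startswith(":")         # "attr:: <base64>" marks non-ASCII or binary
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace") if b64 else rest.strip()
            cur.setdefault(name.lower(), []).append(value)
    return entries

def upn_report(entries, domain):
    """Group user accounts by whether (userPrincipalName=<name>@<domain>) can match."""
    report = {"ok": [], "missing_upn": [], "other_suffix": []}
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "user" in classes and "computer" not in classes:   # skip groups, computers
            name = e.get("samaccountname", ["?"])[0]
            upns = e.get("userprincipalname", [])
            suffix = upns[0].rpartition("@")[2].lower() if upns else None
            key = "missing_upn" if not upns else "ok" if suffix == domain.lower() else "other_suffix"
            report[key].append(name)
    return report

# Constructed sample shaped like /tmp/dump.out; every account and DN is made up.
SAMPLE = """\
dn: CN=Administrator,CN=Users,DC=int,DC=corp,DC=de
objectClass: user
sAMAccountName: Administrator

dn: CN=jdoe,CN=Users,DC=int,DC=corp,DC=de
objectClass: user
cn:: SsO2cmc=
sAMAccountName: jdoe
userPrincipalName: jdoe@int.corp.de

dn: CN=svc,CN=Users,DC=int,DC=corp,DC=de
objectClass: user
sAMAccountName: svc
userPrincipalName: svc@corp.example

dn: CN=HOST1,CN=Computers,DC=int,DC=corp,DC=de
objectClass: user
objectClass: computer
sAMAccountName: HOST1$

search: 2
"""
print(upn_report(parse_ldif(SAMPLE), "int.corp.de"))
```

The dump holds a record for every object in the Global Catalog, so keep the file readable only by its owner and delete it once the check is done.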