[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-14 Thread Konstantin Shalygin
Sandro, the main thing is: "admin enrolls a new cert, but the engine spams the log that the cert will expire"

Checked the host cert via Martin's snippet: the cert was deployed on Jan 10 2022

[root@control1 ovirt-engine]# openssl s_client -showcerts -connect 192.168.101.16:54321 | openssl x509 -text -noout | grep -A2 Validity
Can't use SSL_get_servername
depth=1 C = US, O = opentech.local, CN = control1.opentech.local.54279
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = opentech.local, CN = control1.opentech.local.54279
verify return:1
depth=0 O = opentech.local, CN = 192.168.101.16
verify return:1
140358921414464:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:ssl/record/rec_layer_s3.c:1543:SSL alert number 116
Validity
Not Before: Jan 10 16:57:10 2022 GMT
Not After : Feb 13 16:57:10 2023 GMT


But the engine "doesn't see these changes" on 12 Jan, 13 Jan

[root@control1 ovirt-engine]# gunzip -c *\.gz | ack 'certification is about to expire' | grep ovirt-host6 | awk '{print $1 " " $2 " "  $10}'
2022-01-11 20:57:33,890+07 ovirt-host6.opentech.local
2022-01-12 20:57:33,925+07 ovirt-host6.opentech.local
2022-01-13 20:57:33,958+07 ovirt-host6.opentech.local


Yesterday I restarted ovirt-engine, and now these alerts are gone.
The certificate enrolling routine should be documented.

Thanks,
k

> On 14 Jan 2022, at 11:48, Sandro Bonazzola  wrote:
> 
> Martin, is this something which can fit in oVirt administration documentation?
> Konstantin, what's the purpose of getting the certificate's dates?

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TWKYIZK3VHKHZKAVG4PL7KVGHNV47AHN/


[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-14 Thread Konstantin Shalygin
Thanks Martin!!!

> On 14 Jan 2022, at 11:45, Martin Perina  wrote:
> 
> Hi,
> 
> host certificates are not saved anywhere in the engine database, you need to 
> go to the host itself to find out the expiration date. There are 2 options: 
> 
> 1. Directly on the host after connecting via SSH you can run below
> # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
> 
> 2. Remotely using openssl you can run below
> # openssl s_client -showcerts -connect :54321 | openssl x509 -text -noout | grep -A2 Validity
> 
> 
> ovirt-engine performs certificate checks every day (can be configured using 
> engine-config option CertificationValidityCheckTimeInHours) and it checks not 
> only hosts certificates, but also the engine certificate and the engine CA 
> certificate. This check produces following records in ovirt-engine audit log:
> 
> 1. If the certificate has already expired then below audit log ALERT is 
> created depending on the type of certificate
> - Host ${VdsName} certification has expired at ${ExpirationDate}. Please 
> renew the host's certification.
> - Engine's certification has expired at ${ExpirationDate}. Please renew 
> the engine's certification.
> - Engine's CA certification has expired at ${ExpirationDate}.
> 
> 2. If the certificate is going to expire in less than 7 days, then below 
> audit log ALERT is created depending on the type of certificate
> - Host ${VdsName} certification is about to expire at ${ExpirationDate}. 
> Please renew the host's certification.
> - Engine's certification is about to expire at ${ExpirationDate}. Please 
> renew the engine's certification.
> - Engine's CA certification is about to expire at ${ExpirationDate}.
> 
> 3. If the certificate is going to expire in less than 30 days, then below 
> audit log WARNING is created depending on the type of certificate
> - Host ${VdsName} certification is about to expire at ${ExpirationDate}. 
> Please renew the host's certification.
> - Engine's certification is about to expire at ${ExpirationDate}. Please 
> renew the engine's certification.
> - Engine's CA certification is about to expire at ${ExpirationDate}.
> 




[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-14 Thread Sandro Bonazzola
On Fri, 14 Jan 2022 at 09:45, Martin Perina wrote:

>
>
> On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola 
> wrote:
>
>>
>>
>> On Thu, 13 Jan 2022 at 15:34, Konstantin Shalygin <k0...@k0ste.ru> wrote:
>>
>>> > It's possible to get, may be from Postgres, the host certificate date?
>>> > Engine run this check sometimes, but trigger this check seems impossible
>>>
>>> Anybody?
>>> @Sandro please help
>>>
>>> engine make check once per day and print to logs
>>> How can we run a manual check or see info in PostgreSQL database? This
>>> is required because the days until the end of the certificate's life
>>> expire, waiting for the next day in order to understand the result of
>>> deploying a new certificate is a strange situation
>>>
>>
>> Maybe @Martin Perina can assist?
>>
>
> Hi,
>
> host certificates are not saved anywhere in the engine database, you need
> to go to the host itself to find out the expiration date. There are 2
> options:
>
> 1. Directly on the host after connecting via SSH you can run below
> # openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
>
> 2. Remotely using openssl you can run below
> # openssl s_client -showcerts -connect :54321 | openssl x509 -text -noout | grep -A2 Validity
>
>
> ovirt-engine performs certificate checks every day (can be configured
> using engine-config option CertificationValidityCheckTimeInHours) and it
> checks not only hosts certificates, but also the engine certificate and the
> engine CA certificate. This check produces following records in
> ovirt-engine audit log:
>
> 1. If the certificate has already expired then below audit log ALERT is
> created depending on the type of certificate
> - *Host ${VdsName} certification has expired at ${ExpirationDate}.
> Please renew the host's certification.*
> - *Engine's certification has expired at ${ExpirationDate}. Please
> renew the engine's certification.*
> - *Engine's CA certification has expired at ${ExpirationDate}.*
>
> 2. If the certificate is going to expire in less than 7 days, then below
> audit log ALERT is created depending on the type of certificate
> - *Host ${VdsName} certification is about to expire at
> ${ExpirationDate}. Please renew the host's certification.*
> - *Engine's certification is about to expire at ${ExpirationDate}.
> Please renew the engine's certification.*
> - *Engine's CA certification is about to expire at ${ExpirationDate}.*
>
> 3. If the certificate is going to expire in less than 30 days, then below
> audit log WARNING is created depending on the type of certificate
> - *Host ${VdsName} certification is about to expire at
> ${ExpirationDate}. Please renew the host's certification.*
> - *Engine's certification is about to expire at ${ExpirationDate}.
> Please renew the engine's certification.*
> - *Engine's CA certification is about to expire at ${ExpirationDate}.*
>
> Regards,
> Martin
>

Martin, is this something which can fit in oVirt administration
documentation?
Konstantin, what's the purpose of getting the certificate's dates?




-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV

Red Hat EMEA 

sbona...@redhat.com


*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*


[ovirt-users] Re: How-to get oVirt host certificated date

2022-01-14 Thread Martin Perina
On Thu, Jan 13, 2022 at 4:53 PM Sandro Bonazzola 
wrote:

>
>
> On Thu, 13 Jan 2022 at 15:34, Konstantin Shalygin <k0...@k0ste.ru> wrote:
>
>> > It's possible to get, may be from Postgres, the host certificate date?
>> > Engine run this check sometimes, but trigger this check seems impossible
>>
>> Anybody?
>> @Sandro please help
>>
>> engine make check once per day and print to logs
>> How can we run a manual check or see info in PostgreSQL database? This is
>> required because the days until the end of the certificate's life expire,
>> waiting for the next day in order to understand the result of deploying a
>> new certificate is a strange situation
>>
>
> Maybe @Martin Perina can assist?
>

Hi,

host certificates are not saved anywhere in the engine database, you need
to go to the host itself to find out the expiration date. There are 2
options:

1. Directly on the host after connecting via SSH you can run below
# openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity

2. Remotely using openssl you can run below
# openssl s_client -showcerts -connect :54321 | openssl x509 -text -noout | grep -A2 Validity


ovirt-engine performs certificate checks every day (can be configured using
engine-config option CertificationValidityCheckTimeInHours) and it checks
not only hosts certificates, but also the engine certificate and the engine
CA certificate. This check produces following records in ovirt-engine audit
log:

1. If the certificate has already expired then below audit log ALERT is
created depending on the type of certificate
- *Host ${VdsName} certification has expired at ${ExpirationDate}.
Please renew the host's certification.*
- *Engine's certification has expired at ${ExpirationDate}. Please
renew the engine's certification.*
- *Engine's CA certification has expired at ${ExpirationDate}.*

2. If the certificate is going to expire in less than 7 days, then below
audit log ALERT is created depending on the type of certificate
- *Host ${VdsName} certification is about to expire at
${ExpirationDate}. Please renew the host's certification.*
- *Engine's certification is about to expire at ${ExpirationDate}.
Please renew the engine's certification.*
- *Engine's CA certification is about to expire at ${ExpirationDate}.*

3. If the certificate is going to expire in less than 30 days, then below
audit log WARNING is created depending on the type of certificate
- *Host ${VdsName} certification is about to expire at
${ExpirationDate}. Please renew the host's certification.*
- *Engine's certification is about to expire at ${ExpirationDate}.
Please renew the engine's certification.*
- *Engine's CA certification is about to expire at ${ExpirationDate}.*

Regards,
Martin



-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
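
The two lookups and the three thresholds from this message, combined into one script as an added example (not code from the thread or from oVirt). The function names are hypothetical, `date -d` assumes GNU coreutils, and the exact boundary handling (for example at precisely 7 days) is an assumption.

```shell
#!/usr/bin/env bash
# Added example: report how close a certificate is to the expiry thresholds
# described in the message above. Function names are hypothetical.
DAY=86400

# classify_expiry NOT_AFTER_EPOCH NOW_EPOCH
# expired or < 7 days -> ALERT, < 30 days -> WARNING (boundaries assumed).
classify_expiry() {
    local secs=$(( $1 - $2 ))
    local days=$(( $secs / $DAY ))
    if [ "$secs" -le 0 ]; then
        echo "ALERT expired"
    elif [ "$secs" -lt $(( 7 * $DAY )) ]; then
        echo "ALERT ${days}d left"
    elif [ "$secs" -lt $(( 30 * $DAY )) ]; then
        echo "WARNING ${days}d left"
    else
        echo "OK ${days}d left"
    fi
}

# Read a PEM certificate on stdin, print its notAfter as a Unix timestamp.
# openssl prints e.g. "notAfter=Feb 13 16:57:10 2023 GMT"; GNU date parses it.
not_after_epoch() {
    local end
    end=$(openssl x509 -noout -enddate) || return 1
    date -u -d "${end#notAfter=}" +%s
}

# Option 1: on the host itself, reading the VDSM certificate file.
check_local() {
    local pem="${1:-/etc/pki/vdsm/certs/vdsmcert.pem}" na
    na=$(not_after_epoch < "$pem") || return 1
    classify_expiry "$na" "$(date +%s)"
}

# Option 2: remotely, from the certificate VDSM presents on port 54321.
# stdin is closed so s_client exits after the handshake; the server certificate
# still arrives even when VDSM then answers "certificate required".
check_remote() {
    local na
    na=$(openssl s_client -connect "$1:54321" </dev/null 2>/dev/null |
         not_after_epoch) || return 1
    classify_expiry "$na" "$(date +%s)"
}

# Usage: ./certcheck.sh HOST   (without an argument only the functions are defined)
if [ $# -gt 0 ]; then check_remote "$1"; fi
```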


[ovirt-users] Re: give cloud-init the VM name

2022-01-14 Thread Luca Contessa
Hi,
sorry for the late response, can you expand a bit more on what you said?
in particular, if I understood correctly, you are suggesting I should launch a 
script to modify the name using oVirt's 'before_vm_start' hook? And also in 
which way can I get the VM name using this method?
Thanks a lot in advance,
Best Regards,
LC


[ovirt-users] External engine CentOS 8.4 and 4.4.8 to Rocky Linux 8.5 and 4.4.9

2022-01-14 Thread Gianluca Cecchi
Just wanted to share what is in the subject; feedback/comments welcome.
Starting env is an external engine on CentOS 8.4, updated up to late
September, with 4.4.8 async 2 (ovirt-engine-4.4.8.6-1.el8.noarch.rpm) and
kernel 4.18.0-305.19.1.el8_4

[g.cecchi@ovmgr1 ~]$ cat /etc/centos-release
CentOS Linux release 8.4.2105

I migrated to Rocky Linux 8.5 and then ran engine-setup to take it to
current 4.4.9 level.
The system is a VM on a vSphere environment.
Currently there are 3 hosts with CentOS 8.4, that I'm going then to migrate
to Rocky Linux too.

Downloaded the current migration script from

https://raw.githubusercontent.com/rocky-linux/rocky-tools/main/migrate2rocky/migrate2rocky.sh
chmod +x migrate2rocky.sh

My engine needs a proxy to exit on the internet and the script doesn't
check my /etc/yum.conf configuration

so I set
export https_proxy=http://my_proxy:my_proxy_port
export http_proxy=http://my_proxy:my_proxy_port (not sure if this is necessary...)

otherwise when you run the script you get
curl: (7) Failed to connect to dl.rockylinux.org port 443: Connection timed out
Error downloading the Rocky Linux signing key.

then as root

./migrate2rocky.sh -r

notable things observed:

. some packages from ovirt repos are gathered too... I don't know if
correct in this stage...

Running dnf update before we attempt the migration.
Last metadata expiration check: 0:00:47 ago on Thu Jan 13 11:56:21 2022.
Dependencies resolved.

. . .
 otopi-common                                        noarch  1.9.6-1.el8     ovirt-4.4                          94 k
 ovirt-ansible-collection                            noarch  1.6.5-1.el8     ovirt-4.4                         289 k
 ovirt-engine-dwh-grafana-integration-setup          noarch  4.4.9.1-1.el8   ovirt-4.4                          88 k
 ovirt-engine-dwh-setup                              noarch  4.4.9.1-1.el8   ovirt-4.4                          95 k
 ovirt-engine-extension-aaa-ldap                     noarch  1.4.5-1.el8     ovirt-4.4                         130 k
 ovirt-engine-metrics                                noarch  1.4.4-1.el8     ovirt-4.4                          92 k
 ovirt-engine-setup                                  noarch  4.4.9.5-1.el8   ovirt-4.4                          18 k
 ovirt-engine-setup-base                             noarch  4.4.9.5-1.el8   ovirt-4.4                         116 k
 ovirt-engine-setup-plugin-cinderlib                 noarch  4.4.9.5-1.el8   ovirt-4.4                          39 k
 ovirt-engine-setup-plugin-imageio                   noarch  4.4.9.5-1.el8   ovirt-4.4                          27 k
 ovirt-engine-setup-plugin-ovirt-engine              noarch  4.4.9.5-1.el8   ovirt-4.4                         203 k
 ovirt-engine-setup-plugin-ovirt-engine-common       noarch  4.4.9.5-1.el8   ovirt-4.4                         122 k
 ovirt-engine-setup-plugin-vmconsole-proxy-helper    noarch  4.4.9.5-1.el8   ovirt-4.4                          38 k
 ovirt-engine-setup-plugin-websocket-proxy           noarch  4.4.9.5-1.el8   ovirt-4.4                          39 k
 ovirt-engine-vmconsole-proxy-helper                 noarch  4.4.9.5-1.el8   ovirt-4.4                          26 k
 ovirt-engine-websocket-proxy                        noarch  4.4.9.5-1.el8   ovirt-4.4                          33 k
 ovirt-imageio-client                                x86_64  2.3.0-1.el8     ovirt-4.4                          21 k
 ovirt-imageio-common                                x86_64  2.3.0-1.el8     ovirt-4.4                         158 k
 ovirt-imageio-daemon                                x86_64  2.3.0-1.el8     ovirt-4.4                          15 k
 ovirt-release44                                     noarch  4.4.9.3-1.el8   ovirt-4.4                          20 k
 ovirt-web-ui                                        noarch  1.7.2-1.el8     ovirt-4.4                          11 M
. . .
 qemu-img                                            x86_64  15:6.0.0-33.el8 ovirt-4.4-advanced-virtualization 1.9 M
. . .
Transaction Summary
=

Install    5 Packages
Upgrade  393 Packages
Remove     3 Packages

Total download size: 689 M
. . .
Generating grub configuration file ...
File descriptor 3 (/dev/pts/1) leaked on vgs invocation. Parent PID 4056644: /usr/sbin/grub2-probe
File descriptor 4 (/dev/pts/1) leaked on vgs