Re: [ovirt-users] terminating sessions

2017-05-25 Thread Ravi Nori
We do not display the information on running tasks or command in the UI.

The information is used internally by engine to keep session alive if there
are commands running for a session. The list of sessions and the associated
commands can be retrieved by running the following sql

su - postgres -c 'psql engine -c "select engine_session_id, command_id,
command_type, command_params_class, status from command_entities,
engine_sessions where command_entities.engine_session_seq_id =
engine_sessions.id;"'


On Wed, May 24, 2017 at 6:29 AM, Martin Perina  wrote:

> AFAIK content of Tasks tab in webadmin should be available under
> /ovirt-engine/api/jobs , but sessions are not exposed to API.
>
> On Wed, May 24, 2017 at 11:58 AM, Fabrice Bacchella <
> fabrice.bacche...@orange.fr> wrote:
>
>> And tasks are not available through the REST API, I think.
>>
>> On 24 May 2017 at 11:07, Martin Perina wrote:
>>
>> Hi,
>>
>> there is no direct link between sessions and commands executed by them in
>> UI. You can take a look into Tasks tab in bottom right corner, if there are
>> any long running tasks.
>>
>> Ravi, would it be possible to display sessionId inside Tasks to be able
>> to identify which command belongs to which session?
>>
>>
>> Martin Perina
>>
>>
>> On Wed, May 24, 2017 at 9:21 AM, Fabrice Bacchella <
>> fabrice.bacche...@orange.fr> wrote:
>>
>>> No one has the answer ?
>>>
>>> On 18 May 2017 at 09:58, Sandro Bonazzola wrote:
>>>
>>> Adding some people who may be able to answer
>>>
>>> On Wed, May 17, 2017 at 11:45 AM, Fabrice Bacchella <
>>> fabrice.bacche...@orange.fr> wrote:
>>>
>>>> I'm back with a long list of sessions, many of them started since many
>>>> days. How can I get information about them ?
>>>>
>>>> > On 3 May 2017 at 18:52, Fabrice Bacchella wrote:
>>>> >
>>>> > In the UI, I see 73 open sessions, all open by me.
>>>> >
>>>> > In ovirt logs, I see a lot of :
>>>> > 2017-05-03 18:49:31,483+02 INFO
>>>> > [org.ovirt.engine.core.bll.aaa.SessionDataContainer]
>>>> (DefaultQuartzScheduler3) [dcf02fc4-72c3-4237-8855-d4e474766088] Not
>>>> removing session 'B/GWJOxyLh3pXQPPitfCk29iiJ3XW
>>>> MerYdNmOdZyc9ceqD+oAW/hhhZDXCltK+N4yRo9TgunhGR7w7YEELOI5A==', session
>>>> has running commands for user ''.
>>>> >
>>>> > And indeed I can't close those sessions in the UI.
>>>> >
>>>> >
>>>> > I have two questions:
>>>> >
>>>> > Are those sessions accessible using the API ?
>>>> > How to know what running command is waiting ?
>>>> >

>>>
>>>
>>>
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>


Re: [ovirt-users] ovirtvm-console : Failed to execute login on behalf - for user

2017-03-29 Thread Ravi Nori
> On 29/03/2017 at 17:24, Ravi Nori wrote:
>
>>
>> 
>>   
>>
>
> --
> Nathanaël Blanchet
>
> Supervision réseau
> Pôle Infrastrutures Informatiques
> 227 avenue Professeur-Jean-Louis-Viala
> 34193 MONTPELLIER CEDEX 5
> Tél. 33 (0)4 67 54 84 55
> Fax  33 (0)4 67 54 84 14
> blanc...@abes.fr
>
>


Re: [ovirt-users] ovirtvm-console : Failed to execute login on behalf - for user

2017-03-29 Thread Ravi Nori
Hi,

Can you enable debug logging for sso and give me the debug logs when the
error occurs.

You can enable debug logging for sso by adding the following to
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in, just
below the entry for bll

   

  

Thanks

On Wed, Mar 29, 2017 at 3:21 AM, Francesco Romani 
wrote:

> Hi,
>
> On 03/02/2017 12:21 PM, Eduardo Mayoral wrote:
>
> Hi,
>
> I am getting exactly the same issue here with 4.1 , when trying to log
> in to the serial console over SSH.
>
>
> The user with domain is "emayoral_...@arsyslan.es"
>  (please note mailman may translate the "at"
> character to a textual "_at_"). The First name and last name as read from
> active directory is "Eduardo Mayoral" (with no quotes)
>
> The password is: 08.HJYqoce,nrW (OK, this is not the real password, but it
> has the same special characters and approximate structure and length)
>
> This is the engine.log output.
>
> 2017-03-02 11:13:31,917Z INFO  
> [org.ovirt.engine.core.bll.aaa.LoginOnBehalfCommand]
> (default task-25) [5d9b7d18] Running command: LoginOnBehalfCommand
> internal: true.
> 2017-03-02 11:13:31,938Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils]
> (default task-33) [] OAuthException server_error: java.text.ParseException:
> Invalid character ' ' encountered.
> 2017-03-02 11:13:31,939Z ERROR 
> [org.ovirt.engine.core.bll.aaa.LoginOnBehalfCommand]
> (default task-25) [5d9b7d18] Unable to create engine session:
> EngineException:  user emayoral_...@arsyslan.es in domain
> 'arsyslan.es-authz (Failed with error PRINCIPAL_NOT_FOUND and code 5200)
> 2017-03-02 11:13:31,945Z ERROR [org.ovirt.engine.core.dal.
> dbbroker.auditloghandling.AuditLogDirector] (default task-25) [5d9b7d18]
> EVENT_ID: USER_LOGIN_ON_BEHALF_FAILED(1,402), Correlation ID: 5d9b7d18,
> Call Stack: null, Custom Event ID: -1, Message: Failed to execute login on
> behalf - for user emayoral_...@arsyslan.es.
> 2017-03-02 11:13:31,945Z ERROR 
> [org.ovirt.engine.core.services.VMConsoleProxyServlet]
> (default task-25) [5d9b7d18] Error processing request: :
> java.lang.RuntimeException: Unable to create session using LoginOnBehalf
>
>
> This smells like one engine internal bug. Please make sure to file one
> bugzilla entry.
>
> Bests,
>
> --
> Francesco Romani
> Senior SW Eng., Virtualization R
> Red Hat
> IRC: fromani github: @fromanirh
>
>


Re: [ovirt-users] Python-SDK: ovirtsdk4.Connection object autologout?

2017-03-23 Thread Ravi Nori
Can you give me the exact rpm version of ovirt-engine-backend, I can give
you a replacement jar file to test

On Thu, Mar 23, 2017 at 3:56 AM, <nico...@devels.es> wrote:

> Hi Ravi,
>
> Could you please tell me what's the right way to apply this patch on an
> already working oVirt instance? I already have applied some patches on *.py
> files, but it seems the *.java files are not there.
>
> Thanks!
>
>
> On 2017-03-22 16:06, Ravi Nori wrote:
>
>> Hi Nicolás,
>>
>> There have been some changes to how a session is refreshed after 4.0.
>> So this is a BZ and is being tracked by BZ 1434605.
>>
>> Will post a patch to fix this. Thanks for reporting the issue.
>>
>> Ravi
>>
>> On Wed, Mar 22, 2017 at 9:10 AM, <nico...@devels.es> wrote:
>>
>> Hi Juan,
>>>
>>> I confirm this was working with 4.0.6 (but the same SDK package).
>>> The script is relatively new but I'm 100% sure it has been in
>>> execution for several weeks, in contrast to current version where
>>> after 5-6 iterations the exception starts showing up.
>>>
>>> I've voted for the bug and added myself as CC.
>>>
>>> Thank you.
>>>
>>> Regards,
>>>
>>> Nicolás
>>>
>>> On 2017-03-22 12:58, Juan Hernández wrote:
>>> On 03/22/2017 01:50 PM, Juan Hernández wrote:
>>> On 03/22/2017 01:10 PM, nico...@devels.es wrote:
>>> Hi,
>>>
>>> We've recently upgraded from oVirt 4.0.x to 4.1.0 and it seems that
>>> the
>>> behavior of a script we wrote in Python-SDK has changed slightly.
>>> We
>>> have a script that needs to be executed forever (daemon mode). This
>>> daemon creates an ovirtsdk4.Connection object and uses the same
>>> Connection object all the time.
>>>
>>> conn = sdk.Connection(
>>>   url=URI,
>>>   username=USERNAME,
>>>   password=PASSWORD,
>>>   ca_file=CAFILE
>>> )
>>>
>>> Between iterations we have ~5 minutes delays which we accomplish
>>> with a
>>> time.sleep(...) call.
>>>
>>> After some of these iterations (5 or 6), when trying to perform an
>>> operation on the Connection object (in this case, listing all SDs):
>>>
>>> try:
>>>     sys_serv = conn.system_service()
>>>     sd_serv = sys_serv.storage_domains_service()
>>>     storages = sd_serv.list(search=sd_search_query)
>>> except Error as e:
>>>     log('ERR: Error getting storage domains: %s' % (e))
>>>
>>> We start getting exceptions (i.e., the sd_serv.list() call throwing
>>> an
>>> Error exception) with this message:
>>>
>>> ERR: Error getting storage domains: HTTP response code is
>>> 401.
>>>
>>> I believe this has something to do with the Connection object
>>> expiring
>>> (even if it's not idle more than 5 minutes at any time). Is there a
>>> way
>>> to "refresh" the Connection object so it doesn't auto-logout
>>> (assuming
>>> this is the actual problem)?
>>>
>>> As I said, this started happening as of oVirt 4.1.0.
>>> ovirt-engine-sdk-python version is 4.1.1.
>>>
>>> Any ideas?
>>>
>>> This sounds like this bug, opened yesterday:
>>>
>>>   SSO token used for the API expires when running only queries
>>>   https://bugzilla.redhat.com/1434605 [1]
>>>
>>> But I thought the same happened in 4.0. Can you confirm that you
>>> don't
>>> see this problem in 4.0?
>>>
>>> One possible workaround is to force a refresh of the backend session
>>> sending an external event, like in this example:
>>>
>>> https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/vm_backup.py#L112-L131 [2]
>>>
>>> I also think that we need to modify the SDKs so that they detect
>>> expired
>>> SSO tokens and renew them automatically. I will open another bug
>>> for that.
>>>
>>
>>  Here is the bug for adding automatic SSO token renew to the SDK, in
>> case
>>  you want to follow/vote it:
>>
>>Implement automatic SSO token renew
>>https://bugzilla.redhat.com/1434830 [3]
>>  ___
>>  Users mailing list
>>  Users@ovirt.org
>>  http://lists.ovirt.org/mailman/listinfo/users [4]
>>
>>
>>
>> Links:
>> --
>> [1] https://bugzilla.redhat.com/1434605
>> [2] https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/vm_backup.py#L112-L131
>> [3] https://bugzilla.redhat.com/1434830
>> [4] http://lists.ovirt.org/mailman/listinfo/users
>>
>


Re: [ovirt-users] Python-SDK: ovirtsdk4.Connection object autologout?

2017-03-22 Thread Ravi Nori
Hi Nicolás,

There have been some changes to how a session is refreshed after 4.0. So
this is a BZ and is being tracked by BZ 1434605.

Will post a patch to fix this. Thanks for reporting the issue.

Ravi


On Wed, Mar 22, 2017 at 9:10 AM,  wrote:

> Hi Juan,
>
> I confirm this was working with 4.0.6 (but the same SDK package). The
> script is relatively new but I'm 100% sure it has been in execution for
> several weeks, in contrast to current version where after 5-6 iterations
> the exception starts showing up.
>
> I've voted for the bug and added myself as CC.
>
> Thank you.
>
> Regards,
>
> Nicolás
>
>
> On 2017-03-22 12:58, Juan Hernández wrote:
>
>> On 03/22/2017 01:50 PM, Juan Hernández wrote:
>>
>>> On 03/22/2017 01:10 PM, nico...@devels.es wrote:
>>>
>>>> Hi,
>>>>
>>>> We've recently upgraded from oVirt 4.0.x to 4.1.0 and it seems that the
>>>> behavior of a script we wrote in Python-SDK has changed slightly. We
>>>> have a script that needs to be executed forever (daemon mode). This
>>>> daemon creates an ovirtsdk4.Connection object and uses the same
>>>> Connection object all the time.
>>>>
>>>> conn = sdk.Connection(
>>>>   url=URI,
>>>>   username=USERNAME,
>>>>   password=PASSWORD,
>>>>   ca_file=CAFILE
>>>> )
>>>>
>>>> Between iterations we have ~5 minutes delays which we accomplish with a
>>>> time.sleep(...) call.
>>>>
>>>> After some of these iterations (5 or 6), when trying to perform an
>>>> operation on the Connection object (in this case, listing all SDs):
>>>>
>>>> try:
>>>>     sys_serv = conn.system_service()
>>>>     sd_serv = sys_serv.storage_domains_service()
>>>>     storages = sd_serv.list(search=sd_search_query)
>>>> except Error as e:
>>>>     log('ERR: Error getting storage domains: %s' % (e))
>>>>
>>>> We start getting exceptions (i.e., the sd_serv.list() call throwing an
>>>> Error exception) with this message:
>>>>
>>>> ERR: Error getting storage domains: HTTP response code is 401.
>>>>
>>>> I believe this has something to do with the Connection object expiring
>>>> (even if it's not idle more than 5 minutes at any time). Is there a way
>>>> to "refresh" the Connection object so it doesn't auto-logout (assuming
>>>> this is the actual problem)?
>>>>
>>>> As I said, this started happening as of oVirt 4.1.0.
>>>> ovirt-engine-sdk-python version is 4.1.1.
>>>>
>>>> Any ideas?


>>> This sounds like this bug, opened yesterday:
>>>
>>>   SSO token used for the API expires when running only queries
>>>   https://bugzilla.redhat.com/1434605
>>>
>>> But I thought the same happened in 4.0. Can you confirm that you don't
>>> see this problem in 4.0?
>>>
>>> One possible workaround is to force a refresh of the backend session
>>> sending an external event, like in this example:
>>>
>>> https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/vm_backup.py#L112-L131
>>>
>>> I also think that we need to modify the SDKs so that they detect expired
>>> SSO tokens and renew them automatically. I will open another bug for
>>> that.
>>>
>>>
>> Here is the bug for adding automatic SSO token renew to the SDK, in case
>> you want to follow/vote it:
>>
>>   Implement automatic SSO token renew
>>   https://bugzilla.redhat.com/1434830
>>
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
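
Added example (not part of the original thread and not oVirt SDK code): the two messages above propose that a client detect an expired SSO token and renew it. The code below does this around a connection factory and retries once on a 401. ApiError, FakeConnection and ReconnectingClient are hypothetical names, and the 1500-second token lifetime is a constructed value chosen so the failure appears after five 5-minute iterations, as reported.

```python
import re


class ApiError(Exception):
    """Stand-in for the SDK's Error exception (constructed for this example)."""


class FakeConnection:
    """Constructed stand-in for a connection whose SSO token stops being
    accepted `token_lifetime` seconds after login, even if it is in use."""

    def __init__(self, clock, token_lifetime):
        self._clock = clock
        self._expires_at = clock() + token_lifetime
        self.closed = False

    def list_storage_domains(self):
        if self._clock() >= self._expires_at:
            # Same text as the error reported in the thread.
            raise ApiError("HTTP response code is 401.")
        return ["data", "iso"]

    def close(self):
        self.closed = True


def is_auth_failure(exc):
    """True when the error text reports HTTP 401 (expired or rejected token)."""
    return re.search(r"\bresponse code is 401\b", str(exc)) is not None


class ReconnectingClient:
    """Runs operations on one long-lived connection and, on a 401, replaces
    the connection (a fresh login, hence a fresh token) and retries."""

    def __init__(self, connect, error_type, max_renewals=1):
        self._connect = connect          # zero-argument factory returning a connection
        self._error_type = error_type
        self._max_renewals = max_renewals
        self._conn = None
        self.renewals = 0

    def call(self, operation):
        renewed = 0
        while True:
            if self._conn is None:
                self._conn = self._connect()
            try:
                return operation(self._conn)
            except self._error_type as exc:
                # Anything other than 401 is not a token problem. A 401 that
                # survives a fresh login means bad credentials or a revoked
                # account: stop, so a daemon cannot hammer the login endpoint.
                if not is_auth_failure(exc) or renewed >= self._max_renewals:
                    raise
                renewed += 1
                self.renewals += 1
                self._discard()

    def _discard(self):
        conn, self._conn = self._conn, None
        try:
            conn.close()
        except Exception:
            pass  # the old session is already invalid; nothing to clean up


def simulate_daemon(iterations=12, interval=300, token_lifetime=1500):
    """Replay the thread's daemon loop against a fake clock (no sleeping)."""
    now = [0]
    client = ReconnectingClient(
        lambda: FakeConnection(lambda: now[0], token_lifetime),
        error_type=ApiError,
    )
    completed = 0
    for _ in range(iterations):
        client.call(lambda conn: conn.list_storage_domains())
        completed += 1
        now[0] += interval
    return completed, client.renewals


if __name__ == "__main__":
    print(simulate_daemon())
```

With the real SDK the factory would wrap the sdk.Connection(...) call shown in the thread and error_type would be the SDK's Error class.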


Re: [ovirt-users] 4.0 web UI Session expired please try again

2017-01-09 Thread Ravi Nori
Created a BZ to track the issue

https://bugzilla.redhat.com/show_bug.cgi?id=1411416

On Wed, Jan 4, 2017 at 5:35 PM, Robert Story  wrote:

> On Wed, 4 Jan 2017 16:17:09 -0500 Ravi wrote:
> RN> A redirect to the login page from error page would be a more reasonable
> RN> solution IMO.
>
> That would still mean that I have to type in my login credential twice,
> which is what I'm trying to avoid.
>
>
> Robert
>
> --
> Senior Software Engineer @ Parsons
>


Re: [ovirt-users] 4.0 web UI Session expired please try again

2017-01-04 Thread Ravi Nori
A redirect to the login page from error page would be a more reasonable
solution IMO.

On Wed, Jan 4, 2017 at 3:23 PM, Robert Story  wrote:

> On Wed, 4 Jan 2017 14:40:06 -0500 Ravi wrote:
> RN> With SSO the client sends the client secret to SSO which is stored in
> the
> RN> session. Now when the client's session expires all the information
> including
> RN> the client secret is lost when the session is purged by the application
> RN> server.
>
> Is the session expiration time configurable?
>
> RN> 1. login to webadmin
> RN> 2. Leave the session until session time out on engine and user is
> RN> redirected to login page (the client id and secret are sent)
> RN> 3. If user tries to login now everything will be fine but if user
> leaves
> RN> and the session expires the session is purged, client secret is lost
> RN> 4. User enters user name password on the screen after coming back. The
> RN> login form does not have a session associated with it so the client and
> RN> secret are not found and SSO needs to report that the session has
> expired
> RN> and redirect user to welcome page.
>
> So in step 4, can't it just start a new session instead of going to an
> expiration page? Or show the page for a few seconds and then start a new
> session?
>
> Or in step 2, set a refresh on the login page that still has a session so
> that when the session expires it will redirect to a login screen that will
> start a new session?
>
>
>
> Robert
>
> --
> Senior Software Engineer @ Parsons
>


Re: [ovirt-users] 4.0 web UI Session expired please try again

2017-01-04 Thread Ravi Nori
With SSO the client sends the client secret to SSO which is stored in the
session. Now when the client's session expires all the information including
the client secret is lost when the session is purged by the application
server.

Here is the sequence

1. login to webadmin
2. Leave the session until session time out on engine and user is
redirected to login page (the client id and secret are sent)
3. If user tries to login now everything will be fine but if user leaves
and the session expires the session is purged, client secret is lost
4. User enters user name password on the screen after coming back. The
login form does not have a session associated with it so the client and
secret are not found and SSO needs to report that the session has expired
and redirect user to welcome page.

The client id and secret cannot be stored in login page as they are
supposed to be kept secret.

To revert to old behavior we need a patch that can save client and secret
for the session outside the session object in a global data structure
and create a unique token that can be used to associate the login page with
the client secret stored in the global data structure.
The token can be included in the login page.

Ravi


On Wed, Jan 4, 2017 at 12:59 PM, Robert Story  wrote:

> Since I upgraded to 4.0, I get this annoying message when I try to log in
> again after I've been away for a while. On 3.6 the ui would go to a login
> screen after some period of inactivity, and I could log right back in. With
> 4.0, logging in after inactivity goes to a page with this message, and I
> have to click to get a login page and then log in again. This is very
> annoying. Is there a way to revert to the old behavior?
>
>
> Robert
>
> --
> Senior Software Engineer @ Parsons
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
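
Added example (not part of the original message and not the engine's code): the design described above, where the client id and secret live in a global structure outside the HTTP session and the login page carries only an opaque token. LoginContextStore and the login_context field name are hypothetical; the expiry time and single-use redemption are assumptions added here, and the secret value is constructed.

```python
import hashlib
import secrets
import threading
import time


class LoginContextStore:
    """Server-side map from an opaque login-page token to the SSO client id
    and secret, kept outside the HTTP session so it survives session purge."""

    def __init__(self, ttl_seconds=1800, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        # sha256(token) -> (expires_at, client_id, client_secret); only the
        # digest is kept, so the store never holds a usable token.
        self._entries = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _purge_expired(self):
        now = self._clock()
        for key in [k for k, v in self._entries.items() if v[0] <= now]:
            del self._entries[key]

    def issue(self, client_id, client_secret):
        """Store the pair and return the token to embed in the login form."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        with self._lock:
            self._purge_expired()
            self._entries[self._digest(token)] = (
                self._clock() + self._ttl, client_id, client_secret)
        return token

    def redeem(self, token):
        """Return (client_id, client_secret) once; None if the token is
        unknown, expired or already used."""
        if not isinstance(token, str) or not token:
            return None
        with self._lock:
            self._purge_expired()
            entry = self._entries.pop(self._digest(token), None)
        return None if entry is None else (entry[1], entry[2])

    def __len__(self):
        with self._lock:
            return len(self._entries)


def demo():
    """Walk the sequence from the message with a fake clock."""
    now = [0.0]
    store = LoginContextStore(ttl_seconds=600, clock=lambda: now[0])
    secret = "constructed-client-secret"   # constructed sample value

    # Step 2: the login page is rendered; only the token goes into the form.
    token = store.issue("webadmin", secret)
    form = '<input type="hidden" name="login_context" value="%s">' % token

    # Step 3: the HTTP session is purged; the store is unaffected.
    now[0] += 300

    # Step 4: the user submits the form; the token recovers the client data.
    first = store.redeem(token)
    replay = store.redeem(token)           # a second use is refused

    # A form left open past the store's own lifetime is refused as well.
    stale = store.issue("webadmin", secret)
    now[0] += 601
    expired = store.redeem(stale)

    return {
        "secret_in_form": secret in form,
        "first": first,
        "replay": replay,
        "expired": expired,
        "left": len(store),
    }


if __name__ == "__main__":
    print(demo())
```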


Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-27 Thread Ravi Nori
Since you replace ca.pem you need to replace the private key of ca.pem

Please copy the private key of /etc/pki/ovirt-engine/ca.pem to
/etc/pki/ovirt-engine/private/ca.pem and let me know if everything works

On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w...@qrk.us> wrote:

>
> Thanks Ravi, that's helpful and I appreciate the precision and attention
> to detail. I performed similar steps to install a custom certificate for
> the oVirt Manager GUI. But what about configuring ovirt-engine to trust a
> certificate issued by the same CA and presented by the VDSM host? On the
> hypervisor host, I used the existing private key to generate the CSR,
> issued the server certificate, and installed in three locations before
> bouncing vdsmd.
>
> On the hypervisor Host server (not the Manager/engine server):
> /etc/pki/vdsm/certs/vdsmcert.pem
> /etc/pki/vdsm/libvirt-spice/server-cert.pem
> /etc/pki/libvirt/clientcert.pem
>
> Now, that host is "non responsive" in Manager because ovirt-engine does
> not trust the new certificate even though I already performed all of the
> steps that you describe above except that I installed the issuer's CA
> certificate as the trusted entity. I've documented all of the steps I took in
> this Gist
> <https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea>.
>
>
>
> On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rn...@redhat.com> wrote:
>
>> Here is a complete set of instructions that works for me
>>
>> You can skip the first few steps of generating the certificate.
>>
>> Ravi
>>
>>
>> Generate a self-signed certificate using openssl
>> ================================================
>> openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem
>>
>> Convert a PEM certificate file and a private key to PKCS#12 (.p12)
>> ==================================================================
>> openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem
>>
>> Extract the key from the bundle
>> ===============================
>> openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass
>>
>> Extract the certificate from the bundle
>> =======================================
>> openssl pkcs12 -in certificate.p12 -nokeys > apache.cer
>>
>> Create a new Keystore for testing
>> =================================
>> keytool -keystore clientkeystore -genkey -alias client
>>
>> Convert .pem to .der
>> ====================
>> openssl x509 -outform der -in certificate.pem -out certificate.der
>>
>> Import certificates to keystore
>> ===============================
>> keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der
>>
>> Create Custom conf for ovirt
>> ============================
>> vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>>
>> Set location of truststore and its password
>> ===========================================
>> ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"
>>
>> Copy the custom certificates
>> ============================
>> rm /etc/pki/ovirt-engine/apache-ca.pem
>> cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
>> cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
>> cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
>> cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass
>>
>> Restart engine and httpd
>> ========================
>> service httpd restart
>> service ovirt-engine restart
>>
>> On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nico...@ecarnot.net>
>> wrote:
>>
>> On 27/10/2016 at 00:14, Kenneth Bingham wrote:
>>
>> I did install a server certificate from a private CA on the engine
>> server for the oVirt 4 Manager GUI, but haven't figured out how to
>> configure engine to trust the same CA which also issued the server
>> certificate presented by vdsm. This is important for us because this is
>> the same server certificate presented by the host when using the console
>> (e.g. websocket console falls silently if the user agent doesn't trust
>> the console server's certificate).
>>
>>
>> Hello,
>>
>> Maybe related bug : on an oVirt 4, I followed the same procedure below to
>> install a custom CA, with *SUCCESS*.
>>
>> Today, I had to reinstall one of the hosts, and it is failing with :
>> "CA certificate and CA private key do not match" :
>>
>> http://pastebin.com/9JS0

Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4

2016-10-27 Thread Ravi Nori
Here is a complete set of instructions that works for me

You can skip the first few steps of generating the certificate.

Ravi


Generate a self-signed certificate using openssl
================================================
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem

Convert a PEM certificate file and a private key to PKCS#12 (.p12)
==================================================================
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem

Extract the key from the bundle
===============================
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass

Extract the certificate from the bundle
=======================================
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer

Create a new Keystore for testing
=================================
keytool -keystore clientkeystore -genkey -alias client

Convert .pem to .der
====================
openssl x509 -outform der -in certificate.pem -out certificate.der

Import certificates to keystore
===============================
keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der

Create Custom conf for ovirt
============================
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

Set location of truststore and its password
===========================================
ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"

Copy the custom certificates
============================
rm /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass

Restart engine and httpd
========================
service httpd restart
service ovirt-engine restart

On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot 
wrote:

> On 27/10/2016 at 00:14, Kenneth Bingham wrote:
>
>> I did install a server certificate from a private CA on the engine
>> server for the oVirt 4 Manager GUI, but haven't figured out how to
>> configure engine to trust the same CA which also issued the server
>> certificate presented by vdsm. This is important for us because this is
>> the same server certificate presented by the host when using the console
>> (e.g. websocket console falls silently if the user agent doesn't trust
>> the console server's certificate).
>>
>
> Hello,
>
> Maybe related bug : on an oVirt 4, I followed the same procedure below to
> install a custom CA, with *SUCCESS*.
>
> Today, I had to reinstall one of the hosts, and it is failing with :
> "CA certificate and CA private key do not match" :
>
> http://pastebin.com/9JS05JtJ
>
> Which certificate did we (Kenneth and I) misuse?
> What did we do wrong?
>
> Regards,
>
> Nicolas ECARNOT
>
>
>>
>> On Wed, Oct 26, 2016, 16:58 Beckman, Daniel wrote:
>>
>> We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release.
>> I read the release notes (https://www.ovirt.org/release/4.0.4/) and
>> noted comment #4 under “Install / Upgrade from previous version”:
>>
>> /If you are using HTTPS certificate signed by custom certificate
>> authority, please take a look at https://bugzilla.redhat.com/1336838
>> for steps which need to be done after migration to 4.0. Also please
>> consult https://bugzilla.redhat.com/1313379 how to setup this custom
>> CA for use with virt-viewer clients./
>>
>> So I referred to the first bugzilla
>> (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it
>> states as follows:
>>
>> If customer wants to use custom HTTPS certificate signed by
>> different CA, then he has to perform following steps:
>>
>> 1. Install custom CA (that signed HTTPS certificate) into host wide
>> truststore (more info can be found in update-ca-trust man page)
>>
>> 2. Configure HTTPS certificate in Apache (this step is same as in
>> previous versions)
>>
>> 3. Create new configuration file (for example
>> /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with
>> following content:
>>
>> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
>>
>> 4. Restart ovirt-engine service
>>
>> I find it humorous that step # 1 suggests reading the “man page”
>> which is only slightly better than suggesting to “google” it.
>>
>> Has anyone using a custom CA for their HTTPS certificate
>> successfully upgraded to oVirt 4? If so could you share your
>> detailed steps? Or can anyone point me to an actual example of this
>> 

Re: [ovirt-users] new internal SSO

2016-08-15 Thread Ravi Nori
In addition to the list of urls in the original email

/ovirt-engine/webadmin/sso/logout
/ovirt-engine/userportal/sso/oauth2-callback
/ovirt-engine/userportal/sso/login
/ovirt-engine/userportal/sso/logout
/ovirt-engine/login
/ovirt-engine/logout
/ovirt-engine/switch-user
/ovirt-engine/error.html
/ovirt-engine/index.html
/ovirt-engine/oauth2-callback

/ovirt-engine/sso/interactive-login
/ovirt-engine/sso/interactive-redirect-to-module
/ovirt-engine/sso/interactive-login-basic
/ovirt-engine/sso/interactive-login-basic-enforce
/ovirt-engine/sso/interactive-login-negotiate
/ovirt-engine/sso/interactive-change-passwd
/ovirt-engine/sso/login-unauthorized
/ovirt-engine/sso/interactive-login-next-auth
/ovirt-engine/sso/oauth/authorize
/ovirt-engine/sso/oauth/token
/ovirt-engine/sso/oauth/token-http-auth/*
/ovirt-engine/sso/oauth/token-info
/ovirt-engine/sso/oauth/revoke
/ovirt-engine/sso/login.html
/ovirt-engine/sso/credentials-change.html

and there is also

/ovirt-engine/api and all the resources  hosts, vms etc


On Fri, Aug 12, 2016 at 6:45 AM, Fabrice Bacchella
 wrote:
> I'm currently fighting with the new mandatory SSO system introduced in 4.0.
>
> It's also used internally as ovirt-engine is calling himself, as shown in
> the apache log, to identify himself to himself:
>
> [2016-08-12 11:30:24] 10.83.16.34 "ovirt.prod.exalead.com" "POST
> /ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"
> [2016-08-12 10:55:49] 10.83.16.34 "ovirt.prod.exalead.com" "POST
> /ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"
>
> But the sso will be accessed by human too:
>
> [2016-08-12 11:29:27] 192.168.205.59 "ovirt.prod.exalead.com" "GET
> /ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + -
> "https://ovirt.prod.exalead.com/ovirt-engine/; "Mozilla/5.0 (Macintosh;
> Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
>
>
> I'm using a custom apache configuration, as I need that to better integrate
> ovirt in our running SSO and PKI setup.
>
> So under SSO I wonder which part needs to be protected using our own SSO,
> and what part can be open to any access, and the internal security of ovirt
> will manage it ?
>
> In https://bugzilla.redhat.com/show_bug.cgi?id=1342192, it seems to me that
> ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth) needs
> to be protected. Am I right?
>
> In my log, I've seen access to:
>
> /ovirt-engine/sso/status
> /ovirt-engine/sso/oauth/token-info
> /ovirt-engine/webadmin/sso/oauth2-callback
> /ovirt-engine/webadmin/sso/login
> /ovirt-engine/sso/oauth/token
> /ovirt-engine/sso/oauth/authorize
> /ovirt-engine/sso/interactive-redirect-to-module
> /ovirt-engine/sso/interactive-login-next-auth
> /ovirt-engine/sso/interactive-login-negotiate/ovirt-auth
>
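An added example, not part of the thread and not oVirt code: a short Python audit of access-log lines in the layout shown in the question, reporting for each requested path who called it, which status codes were returned, and whether it falls under the pattern the question quotes from Bugzilla 1342192. The field layout is inferred from the quoted lines, treating a `Java/` user agent as the engine calling itself is an assumption, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# Pattern quoted in the question (taken there from Bugzilla 1342192).
NEGOTIATE = re.compile(r"^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)")

# Layout inferred from the log lines in the question; the meaning of the two
# numeric fields around the status code is not stated there (assumption).
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) "(?P<vhost>[^"]*)" '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<n1>\d+) (?P<status>\d{3}) (?P<conn>\S) (?P<n2>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# First three lines: the question's log lines, unwrapped.
# Last two lines: constructed for this example (one valid, one malformed).
SAMPLE = """\
[2016-08-12 11:30:24] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/status HTTP/1.1" 256 401 + 163 "-" "Java/1.8.0_92"
[2016-08-12 10:55:49] 10.83.16.34 "ovirt.prod.exalead.com" "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 237 401 + 163 "-" "Java/1.8.0_92"
[2016-08-12 11:29:27] 192.168.205.59 "ovirt.prod.exalead.com" "GET /ovirt-engine/sso/interactive-redirect-to-module HTTP/1.1" 5097 302 + - "https://ovirt.prod.exalead.com/ovirt-engine/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
[2016-08-12 11:29:28] 192.168.205.59 "ovirt.prod.exalead.com" "GET /ovirt-engine/sso/interactive-login-negotiate/ovirt-auth HTTP/1.1" 5097 302 + - "-" "Mozilla/5.0"
this line is not in the expected format
"""

def summarize(log_text):
    """Map each requested path to its callers, statuses and pattern match."""
    report = defaultdict(lambda: {"callers": set(), "statuses": set()})
    skipped = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw.strip())
        if not m:
            skipped += 1  # count unparsable lines instead of guessing at them
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string
        entry = report[path]
        entry["callers"].add("engine" if m["agent"].startswith("Java/") else "browser")
        entry["statuses"].add(int(m["status"]))
        entry["negotiate"] = bool(NEGOTIATE.match(path))
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE)
    for path, info in sorted(report.items()):
        print(path, sorted(info["callers"]), sorted(info["statuses"]), info["negotiate"])
    print("unparsed lines:", skipped)
```
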


Re: [ovirt-users] Ovirt 4.0 Login Issue

2016-07-06 Thread Ravi Nori
This happens when you are on the login screen and the server is restarted
or the session times out due to inactivity.

The welcome page maintains a session state which is passed to and back from
SSO module. The error is raised when the state is lost due to session
timeout/engine restart

Ravi

On Wed, Jul 6, 2016 at 11:00 AM, Ralf Schenk wrote:

> Hello,
>
> I've got this, too. But I thought this to be normal since the
> session-timeout was reached.
>
> Bye
>
> On 06.07.2016 at 04:08, Melissa Mesler wrote:
>
> I am running 4.0 on CentOS 7.2. Sometimes when I first log in to the
> admin page, it will give me an error that says "Request state does not
> match session state." Then if I go through the process of logging in
> again, it will go through with no issue. It doesn't do this every time
> but it does do it quite often. Any ideas on why?
>
> - MeLLy
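An added example, not part of the thread and not oVirt code: a toy Python model of a login page that keeps a per-session state value, hands it to an SSO step and checks it on return, to show why a session timeout or a restart produces the quoted error. The class, the in-memory session store and the timeout value are assumptions; only the error text comes from the thread.

```python
import hmac
import secrets
import time

SESSION_TTL = 1800  # seconds; constructed value, not oVirt's setting
MISMATCH = "Request state does not match session state."  # text from the thread

class WelcomePage:
    """Toy model of a page that keeps a per-session state value for SSO."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}  # session id -> (state, expiry time)
        self._clock = clock

    def begin_login(self):
        """Create a session and the state value sent along to the SSO step."""
        sid, state = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._sessions[sid] = (state, self._clock() + SESSION_TTL)
        return sid, state

    def restart(self):
        """A server restart drops every in-memory session."""
        self._sessions.clear()

    def callback(self, sid, returned_state):
        """Accept the SSO response only if its state matches a live session."""
        state, expiry = self._sessions.pop(sid, (None, 0))
        if state is None or self._clock() >= expiry:
            return MISMATCH  # state lost: session expired or server restarted
        if not hmac.compare_digest(state, returned_state):
            return MISMATCH  # response does not belong to this login attempt
        return "ok"

def demo():
    """Run the four cases with a fake clock and return each outcome."""
    now = [0.0]
    page = WelcomePage(clock=lambda: now[0])
    results = {}
    sid, state = page.begin_login()
    results["normal"] = page.callback(sid, state)
    sid, state = page.begin_login()
    now[0] += SESSION_TTL + 1  # login screen left idle past the timeout
    results["timeout"] = page.callback(sid, state)
    sid, state = page.begin_login()
    page.restart()
    results["restart"] = page.callback(sid, state)
    sid, state = page.begin_login()
    results["mismatch"] = page.callback(sid, "value-from-another-request")
    return results
```

In all three failure cases a fresh login succeeds because a new session and state are created.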


Re: [ovirt-users] Log4j hostname

2016-05-10 Thread Ravi Nori
Hi Dominique,

Add

log4j.appender.myappender.header = true

and see if you get the hostname

Ravi


On Mon, May 9, 2016 at 9:37 AM, Dominique Taffin wrote:

> Hello!
>
>
> We are using the log4j extension to send ovirt logs to a logstash server.
>
> As we do have several engine hosts and only one logging backend, we do
> need to filter logs by hostname. So far I am unable to provide a hostname in
> Log4jLogger.properties. All Log4j configurations we have in other
> applications/servers honor the log4j.Application property. I tried
> setting it up by:
>
> ovirt.engine.extension.name = Log4j
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.logger.Logger
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.logger.log4j
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.logger.log4j.Log4jLogger
> log4j.rootLogger=DEBUG, myappender
>
> log4j.appender.myappender = org.apache.log4j.net.SyslogAppender
> log4j.appender.myappender.SyslogHost = logstash-server.something
> log4j.appender.myappender.Port = 5544
> log4j.appender.myappender.ReconnectionDelay = 6
> log4j.appender.myappender.Application = ovirthostname
> log4j.appender.myappender.LocationInfo = true
> log4j.appender.myappender.Threshold = DEBUG
> log4j.appender.myappender.layout = org.apache.log4j.PatternLayout
> log4j.appender.myappender.layout.ConversionPattern=[%c] %m%n
>
> Logs do arrive, but no hostname. Can anyone point me out on how to include
> the hostname in the logs?
>
>
> thank you and best,
>
>  Dominique
>


Re: [ovirt-users] Hiding events

2016-03-13 Thread Ravi Nori


Currently there is no way to hide an event type from showing up in the
events list.

The UI only provides a way to hide a specific event after it occurs;
future occurrences cannot be hidden.


Thanks

Ravi

On 03/10/2016 02:32 PM, nico...@devels.es wrote:

Hi,

Is there currently a way to hide specific events from the event list? 
I mean not showing them up when they occur.


Thanks.


Re: [ovirt-users] FreeIPA

2015-09-22 Thread Ravi Nori
Once you have installed ovirt-engine-extension-aaa-ldap and
ovirt-engine-extension-aaa-ldap-setup, you can run
ovirt-engine-extension-aaa-ldap-setup and follow the steps to set up ldap.

Once that is done you can log in to webadmin and add users/groups from ipa

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote:

Here is what I'm trying to do:

Ovirt engine : engine.domain.tld
Freeipa 4.1.0 : ipa.domain.tld

I have installed on the engine:
ovirt-engine-extension-aaa-ldap
openldap-clients

/etc/ovirt-engine/aaa/profile1.properties:
#
# Select one
#
#include = 
#include = <389ds.properties>
#include = 
include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password =/ipa_admin_password/

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit


On the engine I cannot find any users configured on the ipa server.

Any help?

Thanks

Jose



From: "Alon Bar-Lev"
To: supo...@logicworks.pt
Cc: "users"
Sent: Friday, 18 September 2015 15:48:22
Subject: Re: [ovirt-users] FreeIPA



- Original Message -
> From: supo...@logicworks.pt
> To: "users" 
> Sent: Friday, September 18, 2015 5:45:18 PM
> Subject: [ovirt-users] FreeIPA
>
> Hi,
>
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how
> to configure it?
>

Hi,

Please find documentation at [1][2].

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0






[ovirt-users] OVIRT-3.5-TEST-DAY-3 - Monitoring Dashboard

2014-09-17 Thread Ravi Nori

Hi,

I tested Monitoring (UI Plugin) Dashboard (integrated with Nagios Monitoring)
and ran into several issues. The nagios server installed smoothly and showed
all the bricks and their trends. I had several issues with the plugin and have
opened BZs.

1. BZ 1143018 - Plugins are not refreshed on Webadmin reload

   PluginDataManager seems to be ignoring symbolic links to files and
   directories in /usr/share/ovirt-engine/ui-plugins

   Had to manually copy the files and directories to the ui-plugins directory
   to get the plugin to show.

2. BZ 1143041 - Plugin prompts for authentication

   Once the plugin showed up navigating to the trends tab required me to
   authenticate again

3. BZ 1143044 - Nagios plugin does not show trends

   Once authenticated the trends tab does not show the images. Some issue with
   file not found on the server for a new Cluster C_34 I had created.

Thanks

Ravi



[ovirt-users] Ovirt 3.5 2nd Test Day Report

2014-07-29 Thread Ravi Nori

Hi,

I tested the following on Fedora 20

*Bug 1090530* - OVIRT35 - [RFE] Please add host count and guest count
columns to Clusters tab in webadmin

Everything worked fine

*Bug 1078836* - OVIRT35 - [RFE] add a warning when changing display network

Everything worked fine

Thanks

Ravi




[ovirt-users] Test Day Report

2014-07-02 Thread Ravi Nori

Hi,

I tested the following

*Bug 1090530* - OVIRT35 - [RFE] Please add host count and guest
count columns to Clusters tab in webadmin

Everything worked fine here

*Bug 1078836* - OVIRT35 - [RFE] add a warning when changing
display network


Everything worked fine but I had to go into events tab to see the warning

Thanks

Ravi



Re: [Users] tags?

2014-03-07 Thread Ravi Nori

On 03/07/2014 12:11 PM, Robert Story wrote:

On Fri, 7 Mar 2014 11:47:11 -0500 (EST) Einav wrote:
EC actually, what you are asking for should not be limited only to a
EC sub-set of objects filtered by tag; we should allow batch operations on
EC any sub- set of objects, filtered by tags, object name, object's
EC cluster-description and/or cpu-consumption.

Yes, I agree.

EC one way of resolving what you are asking for is to change the
EC sub-tabs to support displaying data and performing actions in the
EC context of multiple items, rather than a single item.
EC [snip]
EC please feel free to open an RFE on this issue:
EC https://bugzilla.redhat.com/enter_bug.cgi?product=oVirt

See https://bugzilla.redhat.com/show_bug.cgi?id=1074026,  RFE: support bulk
operations in admin portal.

Robert

--
Senior Software Engineer @ Parsons




Just FYI, if you need this functionality ASAP, you can use Java SDK [1]
to get what you need. You will need a little Java program to loop
through the VMs and invoke operations on them.


[1] http://www.ovirt.org/Java-sdk



Re: [Users] big problem with ovirt on Fedora 19

2013-07-17 Thread Ravi Nori

On 07/17/2013 07:35 AM, Hetz Ben Hamo wrote:

Hi Sandro,

I just tried it. I let it create the DB automatically but when it's
installing, it stops in the middle to ask for password, and after I
use any password, it gives an error:


[ ERROR ] Failed to execute stage 'Misc configuration': Command 
'/usr/share/ovirt-engine/dbscripts/create_schema.sh' failed to execute


I'm enclosing the related log file.

btw, I'm on the #ovirt in irc.oftc if you need more testing..

Thanks,
Hetz



Hi Hetz,

Can you try to do an engine-cleanup? Uninstall everything including
postgres, upgrade otopi, and then try to install ovirt. Let us know if
it works.


Thanks

Ravi