[ovirt-users] iSCSI multipath issue

2020-07-27 Thread Nick Kas via Users
Hello everyone,
setup ovirt 4.4.1 on CentOS 8.2 as an experiment, and I am trying to get an 
iSCSI domain working but have issues. The little experimental cluster has 3 
hosts. There is an ovirtmgmt network on the default vlan, and two iSCSI networks 
(172.27.0/1.X) with vlans 20/21. ovirtmgmt has all the functions (Data, 
display, migration etc), and the iSCSI networks nothing yet, and they are not 
set as required.
The SAN device is already serving a few iSCSI volumes to a vmware cluster, so I 
know things are fine on this end. It has two controllers, and four NICs per 
controller so a total of 8 NICs, half of the NICS per controller on 172.27.0.X 
and half on 172.27.1.X.

When I create the iSCSI domain, I login to only one of the targets, and add the 
Volume, all is good and I can use the disc fine. 
However when I login to more than one of the targets, then I start having 
issues with the Volume. Even when I enabled multipath in the cluster, and I 
created a single multipath by selecting both of the 172.27.0/1.X networks, and 
all the targets, the end result was the same. The hosts have difficulty 
accessing the volume, they may even swing between 'non-operational' and 'up' if 
I transfer data to the volume. When I ssh to the hosts and I check things in 
the command line I also get inconsistent results between hosts, and blocks that 
appear with lsblk when I first setup iSCSI have disappeared after I try to 
actively use the volume.

I am new to iSCSI so I am not sure how to debug this. I am not sure if my 
multipath configuration is correct or not. The documentation on this part was 
not very detailed. I also tried to remove the domain, and try to experiment 
with mounting the iSCSI volume from the command line, but I cannot even 
discover the target from the command line, which is very bizarre. The command 
iscsiadm --mode discovery --target sendtargets --portal 172.27.0.55 --discover
returns the message 'iscsiadm: cannot make connection to 172.27.0.55: No route 
to host'. Yet through ovirt, and if I select only one target, everything works 
fine!

Any suggestions on how to start debugging this would really be appreciated.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/N5DNXQ5MAMPXMA3LOHM4RHUZLYKUUMLO/


[ovirt-users] Re: PKI Problem

2020-07-27 Thread Yedidyah Bar David
On Thu, Jul 23, 2020 at 7:47 PM Nir Soffer  wrote:
>
> On Thu, Jul 23, 2020 at 5:14 PM Yedidyah Bar David  wrote:
> >
> > On Sun, Jul 19, 2020 at 5:23 PM  wrote:
> > >
> > > Hi
> > >
> > > I did a fresh installation of version 4.4.0.3. After the engine setup I 
> > > replaced the apache certificate with a custom certificate. I used this 
> > > article to do it: 
> > > https://myhomelab.gr/linux/2020/01/20/replacing_ovirt_ssl.html
> > >
> > > To summarize, I replaced those files with my own authority and the signed 
> > > custom certificate
> > >
> > > /etc/pki/ovirt-engine/keys/apache.key.nopass
> > > /etc/pki/ovirt-engine/certs/apache.cer
> > > /etc/pki/ovirt-engine/apache-ca.pem
> > >
> > > That worked so far, apache uses now my certificate, login is possible. To 
> > > setup a new machine, I need to upload an iso image, which failed. I found 
> > > this error in /var/log/ovirt-imageio/daemon.log
> > >
> > > 2020-07-08 20:43:23,750 INFO(Thread-10) [http] OPEN 
> > > client=192.168.1.228
> > > 2020-07-08 20:43:23,767 INFO(Thread-10) [backends.http] Open backend 
> > > netloc='the_secret_hostname:54322' 
> > > path='/images/ef60404c-dc69-4a3d-bfaa-8571f675f3e1' 
> > > cafile='/etc/pki/ovirt-engine/apache-ca.pem' secure=True
> > > 2020-07-08 20:43:23,770 ERROR   (Thread-10) [http] Server error
> > > Traceback (most recent call last):
> > >   File 
> > > "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/http.py", 
> > > line 699, in __call__
> > > self.dispatch(req, resp)
> > >   File 
> > > "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/http.py", 
> > > line 744, in dispatch
> > > return method(req, resp, *match.groups())
> > >   File 
> > > "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/cors.py", 
> > > line 84, in wrapper
> > > return func(self, req, resp, *args)
> > >   File 
> > > "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/images.py", 
> > > line 66, in put
> > > backends.get(req, ticket, self.config),
> > >   File 
> > > "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/__init__.py",
> > >  line 53, in get
> > > cafile=config.tls.ca_file)
> > >   File 
> > > "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py",
> > >  line 48, in open
> > > secure=options.get("secure", True))
> > >   File 
> > > "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py",
> > >  line 63, in __init__
> > > options = self._options()
> > >   File 
> > > "/usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/http.py",
> > >  line 364, in _options
> > > self._con.request("OPTIONS", self.url.path)
> > >   File "/usr/lib64/python3.6/http/client.py", line 1254, in request
> > > self._send_request(method, url, body, headers, encode_chunked)
> > >   File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
> > > self.endheaders(body, encode_chunked=encode_chunked)
> > >   File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
> > > self._send_output(message_body, encode_chunked=encode_chunked)
> > >   File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
> > > self.send(msg)
> > >   File "/usr/lib64/python3.6/http/client.py", line 974, in send
> > > self.connect()
> > >   File "/usr/lib64/python3.6/http/client.py", line 1422, in connect
> > > server_hostname=server_hostname)
> > >   File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
> > > _context=self, _session=session)
> > >   File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
> > > self.do_handshake()
> > >   File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
> > > self._sslobj.do_handshake()
> > >   File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
> > > self._sslobj.do_handshake()
> > > ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
> > > (_ssl.c:897)
> > > 2020-07-08 20:43:23,770 INFO(Thread-10) [http] CLOSE 
> > > client=192.168.1.228 [connection 1 ops, 0.019775 s] [dispatch 1 ops, 
> > > 0.003114 s]
> > >
> > > I'm a python developer so I had no problem reading the traceback.
> > >
> > > The SSL handshake fails when image-io tries to connect to what I think is 
> > > called an ovn-provider. But it is using my new authority certificate 
> > > cafile='/etc/pki/ovirt-engine/apache-ca.pem' which does not validate the 
> > > certificate generated by the ovirt engine setup, which the ovn-provider 
> > > probably uses.
> > >
> > > I didn't exactly know where the parameter for the validation ca file is. 
> > > Probably it is the ca_file parameter in 
> > > /etc/ovirt-imageio/conf.d/50-engine.conf. But that needs to be set to my 
> > > own authority ca file.
> > >
> > > I modified the python file to set the ca_file parameter to the engine 
> > > setups ca_file directly
> > >
> > > /usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/backends/__init__.py

[ovirt-users] Re: Adding hypervisor fails, yum links deprecated (Centos 7.7/ oVirt 4.3)

2020-07-27 Thread Yedidyah Bar David
On Thu, Jul 23, 2020 at 5:44 PM  wrote:
>
> Greetings. In a multi-hypervisor environment, we are running Centos 7.7.1908, 
> with ovirt-4.3. There are problems adding a new hypervisor, because all the 
> yum resources have switched in favor of newer versions.
>
> Is there a procedure to add a hypervisor under the oVirt Virtualization 
> manager while retaining an older, known working OS version like Centos 
> 7.7.1908 ? Upgrading everything across the board isn't an immediate option. 
> There are many VMs and hypervisors in production, and can't be disturbed.
>
> In sum: is it still possible to install known working 4.30.33-1.el7? All that 
> is presented now is 4.30.46-1.el7
> I ran: yum install vdsm-4.30.33-1.el7.x86_64. This completed. However, when I 
> tried to add the resulting hypervisor using the oVirt web UI, that fails. 
> Logs on that management server showed that the install process insists on 
> using 4.30.46-1.el7. Any way to avoid this?

You can try forcing ovirt-host-deploy to offline mode, see section OFFLINE in:

https://github.com/oVirt/ovirt-host-deploy

Best regards,
-- 
Didi


[ovirt-users] Re: change lun for hosted_engine use?

2020-07-27 Thread Philip Brown
I managed to successfully do the migration of the iscsi storage domain for my 
hosted engine, from one host/target to another.
For posterity, here's how it went for me, skipping a few failed attempts.
Sorry for formatting


Note #1: oVirt 4.3, using the ovirt supplied "node" images for hosts

Note #2: this takes a really.. REALLY.. long time.  over an hour. possibly 
closer to 2 hours.


My Steps:
==

*. make sure that the hosted_engine vm is NOT running on node #1 of my cluster, 
so I have a fallback if I need it

*. do a "engine-backup" from the hosted_engine vm command line, and scp the 
resulting 7mb file out to node #1 of my cluster

*. create a new iscsi LUN for a new hosted_engine storage domain

*. put the cluster in global maint, with
hosted-engine  --set-maintenance --mode=global

*. shut down the hosted engine VM

*. on node #1, do   
ovirt-hosted-engine-cleanup

*. on node #1, 
systemctl enable firewalld; systemctl start firewalld

   and then doublecheck that
firewall-cmd --list-services

   showed all the good things, including ssh and cockpit


*. on node #1, 
   ovirt-hosted-engine-setup 
--restore-from-file=ovirt-engine-backup=ovirt-engine-backup-x


   *** note: NOT engine-backup --mode=restore after the fact.
I'm glad I happened to stumble on this feature. I think.




*. Press return a lot. Occasionally actually putting in specifics of things.

  - Side quest: Since I had no idea how I was supposed to set up the new iSCSI 
storage domain, I chose the option for

  Pause the execution after adding this host to the engine?
  You will be able to iteratively connect to the restored engine.. 
  blahblah

Turns out, this was NOT needed. but I got to learn a few things. such as, 
the install process RENAMES any existing
storage domain called "hosted_storage" to "hosted_storage_old_xx"
 So, this may have a "point of no return" point


*. Wait. 
A LOT
  output said something about wait until VM gets into run state. or maybe 
it was
   TASK [ovirt.engine-setup : Make sure `ovirt-engine` service is running]
This took something like 10 minutes or more, while giving ZERO feedback to 
me.
I wondered if it had locked up or something, and was tempted to kill it, but 
instead, I eventually left for lunch.
Good thing.



*. notice that the process creates a TEMPORARY "external engine" VM.. that is 
maybe stored on host local disks or something? I don't know details. 
but this is what allowed me to connect in via browser and check out how 
things looked, when it prompted me that I could.

*. When I was ready, remove the trigger file /tmp/somethingsomething (via a 
separate window ssh session)


*. Answer a bunch more text prompts about what iSCSI host I want to connect to, 
and then which target to use, and then which lun.
   Finally, it got around to creating the new storage domain for hosted engine, 
on the new LUN.


  *** Fun fact ***. It just gives you lun sizes. It does not give you ACTUAL 
lun numbers for the target you select to use.
Specifically, it showed me my "lun #2" as MENU CHOICE #1.
So make sure you make all your luns slightly different sizes!
  
Also, it has NO AWARENESS of EXISTING STORAGE DOMAINS. In fact, it silently 
overwrote a new storage domain I had called "hosted_storage",
after I noticed that the prior one had been renamed

*. Wait
A long. time.


I am happy to say that eventually, it actually finished up what it was doing.
It then informed me that I had to go to each of the other hosts (through the 
hosted engine GUI) and individually
1. put the host in maintenance mode
2. choose  Installation  -> Reinstall
AND manually reenable the Hosted engine install, for those hosts that I 
want it on again.


I am happy to report that this went smoothly.

Here ends my tale  :)




   


- Original Message -
From: "Philip Brown" 
To: "Alan" 
Cc: "users" 
Sent: Monday, July 27, 2020 11:39:39 AM
Subject: Re: [ovirt-users] change lun for hosted_engine use?

To someone who has never dealt with the backup/restore stuff.. not to mention 
taking over a previously setup cluster.. it is exceedingly onerous :(

Those docs seem geared primarily towards doing backup and restore of a 
hosted_engine where nothing is changing.
it would be really helpful to have docs where the goal is changing the 
environment for the hosted engine.


[ovirt-users] oVirt 4.4 Self-Hosted Installation failed

2020-07-27 Thread enmanuelmoreira
Hi There!

I'm trying to install oVirt self-hosted on Fedora 32 with kvm and the install 
failed. I got the following message on ovirt console:

Host localhost installation failed. Failed to execute Ansible host-deploy role: 
failed. Please check logs for more details: 
/var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20200727183159-localhost-5de7c489.log.

and the log content:

[root@localhost ~]# tail -100 
/var/log/ovirt-engine/host-deploy/ovirt-host-deploy-ansible-20200727183159-localhost-5de7c489.log
  "end" : "2020-07-27 18:35:18.688022",
  "delta" : "0:00:00.190619",
  "changed" : true,
  "invocation" : {
"module_args" : {
  "_raw_params" : 
"'/usr/bin/openssl'\n'req'\n'-new'\n'-newkey'\n'rsa:2048'\n'-nodes'\n'-subj'\n'/'\n'-keyout'\n'/tmp/ansible.oqj_hat2qemu'\n",
  "warn" : true,
  "_uses_shell" : false,
  "stdin_add_newline" : true,
  "strip_empty_ends" : true,
  "argv" : null,
  "chdir" : null,
  "executable" : null,
  "creates" : null,
  "removes" : null,
  "stdin" : null
}
  },
  "stderr_lines" : [ "Generating a RSA private key", 
"+",
 ".+", "writing new private key to 
'/tmp/ansible.oqj_hat2qemu'", "-" ],
  "_ansible_no_log" : false,
  "failed" : false,
  "item" : {
"changed" : true,
"path" : "/tmp/ansible.oqj_hat2qemu",
"uid" : 0,
"gid" : 0,
"owner" : "root",
"group" : "root",
"mode" : "0600",
"state" : "file",
"secontext" : "unconfined_u:object_r:user_tmp_t:s0",
"size" : 0,
"invocation" : {
  "module_args" : {
"state" : "file",
"suffix" : "qemu",
"prefix" : "ansible.",
"path" : null
  }
},
"failed" : false,
"item" : {
  "suffix" : "qemu",
  "pending_file" : "libvirt-migrate/server-key.pending.pem",
  "req_dir" : "requests-qemu"
},
"ansible_loop_var" : "item"
  },
  "ansible_loop_var" : "item",
  "_ansible_item_label" : {
"changed" : true,
"path" : "/tmp/ansible.oqj_hat2qemu",
"uid" : 0,
"gid" : 0,
"owner" : "root",
"group" : "root",
"mode" : "0600",
"state" : "file",
"secontext" : "unconfined_u:object_r:user_tmp_t:s0",
"size" : 0,
"invocation" : {
  "module_args" : {
"state" : "file",
"suffix" : "qemu",
"prefix" : "ansible.",
"path" : null
  }
},
"failed" : false,
"item" : {
  "suffix" : "qemu",
  "pending_file" : "libvirt-migrate/server-key.pending.pem",
  "req_dir" : "requests-qemu"
},
"ansible_loop_var" : "item"
  }
} ],
"changed" : true,
"msg" : "All items completed"
  },
  "start" : "2020-07-27T18:35:18.064749",
  "end" : "2020-07-27T18:35:18.714265",
  "duration" : 0.649516,
  "event_loop" : null,
  "uuid" : "ce9afcb5-6c75-44a8-a640-5152a8605b52"
}
  }
}

2020-07-27 18:35:20 UTC - TASK [ovirt-host-deploy-vdsm-certificates : Copy vdsm 
and QEMU CSRs] ***
2020-07-27 18:35:20 UTC -
2020-07-27 18:35:20 UTC - [WARNING]: The loop variable 'item' is already in 
use. You should set the
`loop_var` value in the `loop_control` option for the task to something else to
avoid variable collisions and unexpected behavior.

[ovirt-users] Re: change lun for hosted_engine use?

2020-07-27 Thread Philip Brown
To someone who has never dealt with the backup/restore stuff.. not to mention 
taking over a previously setup cluster.. it is exceedingly onerous :(

Those docs seem geared primarily towards doing backup and restore of a 
hosted_engine where nothing is changing.
it would be really helpful to have docs where the goal is changing the 
environment for the hosted engine.

At one point I stumbled across a reference to that sort of thing, but 
unfortunately I cannot find it again.




- Original Message -
From: "Alan G" 
To: "Philip Brown" 
Cc: "users" 
Sent: Monday, July 27, 2020 8:26:42 AM
Subject: Re: [ovirt-users] change lun for hosted_engine use?

The "long-winded" way is the only way I know of doing it.



https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/chap-backups_and_migration
 



Providing you plan in advance I don't think it's really that onerous. And it 
means you have a stable system going forward...





 On Mon, 27 Jul 2020 16:07:13 +0100 Philip  Brown  wrote 





I currently have a self-hosted engine, running in a dedicated ISCSI storage 
domain. 
I'd like to change the backend hardware for the storage. 
 
i think there's some longwinded and complicated method of shutting down the 
engine, backup, creating a NEW one, restore, and whoknowswhat. 
 
I was wondering though, if maybe there's a way to just add an iscsi lun to the 
storage domain, and tell ovirt, "Hey, move the stuff over to that other lun" 
? 
 
Ive added the new lun already :) havent found a reference to move the files' 
residence though. 
 
If it helps, my end goal is to remove that lun completely. 
 
 
-- 
Philip Brown| Sr. Linux System Administrator | Medata, Inc. 
5 Peters Canyon Rd Suite 250 
Irvine CA 92606 
Office 714.918.1310| Fax 714.918.1325 
mailto:pbr...@medata.com| www.medata.com


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-27 Thread Nir Soffer
On Sat, Jul 25, 2020 at 5:24 AM Lynn Dixon  wrote:

> All,
> I recently bought a wildcard certificate for my lab domain (shadowman.dev)
> and I replaced all the certs on my RHV4.3 machine per our documentation.
> The WebUI presents the certs successfully and without any issues, and
> everything seemed to be fine, until I tried to upload a disk image (or an
> ISO) to my storage domain.  I get this error in the events tab:
>
> https://share.getcloudapp.com/p9uPvegx
>
> I also see that the disk is showing up in my storage domain, but its
> showing "Paused by System" and I can't do anything with it.  I cant even
> delete it!
>
> I have tried following this document to fix the issue, but it didn't work:
> https://access.redhat.com/solutions/4148361
>
> I am seeing this error pop into my engine.log:
> https://pastebin.com/kDLSEq1A
>
> And I see this error in my image-proxy.log:
> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
> certificate) [request=0.002946/1]
>

This means ssl_* configuration is broken.

We have 2 groups:

Client ssl configuration:

# Key file for SSL connections
ssl_key_file = /etc/pki/ovirt-engine/keys/image-proxy.key.nopass

# Certificate file for SSL connections
ssl_cert_file = /etc/pki/ovirt-engine/certs/image-proxy.cer

And engine SSL configuration:

# Certificate file used when decoding signed token
engine_cert_file = /etc/pki/ovirt-engine/certs/engine.cer

# CA certificate file used to verify signed token
engine_ca_cert_file = /etc/pki/ovirt-engine/ca.pem

engine configuration is used to verify signed ticket used by engine when
adding tickets to the proxy. This is internal flow that clients should not
care about. You should not replace these unless you are using also custom
certificate for engine itself - very unlikely and maybe unsupported.
(Didi please correct me on this).

SSL client configuration is used when communicating with clients, and does
not depend on engine ssl configuration. You can replace these with your
certificates.

Can you share your /etc/ovirt-imageio/ovirt-imageio-proxy.conf?

The main issue with the current configuration is that we don't have
ssl_ca_cert configuration, assuming that ssl_cert_file is a self signed
certificate that includes the CA certificate, since this is what engine
is creating.

In 4.4, we have more flexible configuration that should work for your case:

$ cat /etc/ovirt-imageio/conf.d/50-engine.conf
...
[tls]
enable = true
key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
cert_file = /etc/pki/ovirt-engine/certs/apache.cer
ca_file = /etc/pki/ovirt-engine/apache-ca.pem

Adding ssl_ca_cert to imageio 1.5.3 looks simple enough, so I posted this
completely untested patch:
https://gerrit.ovirt.org/c/110498/

You can try to upgrade your proxy to using this build:
https://jenkins.ovirt.org/job/ovirt-imageio_standard-check-patch/3384/artifact/build-artifacts.el7.x86_64/

Add a yum repo file with this baseurl=.

Again this is untested, but you seem to be in the best place to test it,
since I don't have any real certificates for testing.

It would also be useful if you file a bug for this issue.

Nir

> Now, when I bought my wildcard, I was given a root certificate for the CA,
> as well as a separate intermediate CA certificate from the provider.
> Likewise, they gave me a certificate and a private key of course. The root
> and intermediate CA's certificates have been added
> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>
> I also started experiencing issues with the ovpn network provider at the
> same time I replaced the SSL certs, but I disregarded it at the time, but
> now I am thinking its related.  Any advice on what to look for to fix the
> ovirt-imageio-proxy?
>
> Thanks!
>
>
> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
> *Solutions Architect* | NA Commercial
> Google Voice: 423-618-1414
> Cell/Text: 423-774-3188
> Click here to view my Certification Portfolio 
>
>
>
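The trust question behind both the "Untrusted certificate" error in this thread and the CERTIFICATE_VERIFY_FAILED traceback in the PKI thread, as an added example that is not part of any message here: a certificate issued by an intermediate CA verifies only when the verifier's CA file (or the peer's presented chain) supplies that intermediate, and never against an unrelated CA. The script uses `openssl verify` as a stand-in for the TLS verifier; every name, subject and file in it is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example. All certificates are throwaway and constructed here:
# root CA -> intermediate CA -> wildcard leaf, plus an unrelated
# "internal" CA standing in for a CA that did not issue the leaf.
set -u

write_cnf() {   # $1 = work dir; avoids depending on the system openssl.cnf
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.lab.example\n' > "$1/leaf.ext"
}

new_csr() {     # $1 = dir, $2 = file stem, $3 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

self_sign() {   # $1 = dir, $2 = file stem; self-signed CA certificate
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/$2.pem" 2>/dev/null
}

sign_with() {   # $1 = dir, $2 = subject stem, $3 = issuer stem, $4 = ext file
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 2 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
}

build_pki() {   # $1 = work dir
    local d=$1
    write_cnf "$d" &&
    new_csr "$d" root "Constructed Root CA" && self_sign "$d" root &&
    new_csr "$d" inter "Constructed Intermediate CA" && sign_with "$d" inter root ca.ext &&
    new_csr "$d" leaf "*.lab.example" && sign_with "$d" leaf inter leaf.ext &&
    new_csr "$d" internal "Constructed Internal CA" && self_sign "$d" internal &&
    cat "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"   # intermediate + root bundle
}

# 0 when certificate $2 verifies using only the CA bundle $1.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same, but the peer also presents its intermediates ($3), as a server does
# when its certificate file holds the leaf followed by the intermediate.
trusted_by_presented() {
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# Prints one line summarising which CA bundles accept the leaf.
report() {
    local d b r out=""
    d=$(mktemp -d) || return 1
    build_pki "$d" || { rm -rf "$d"; return 1; }
    for b in root inter chain internal; do
        if trusted_by "$d/$b.pem" "$d/leaf.pem"; then r=ok; else r=FAIL; fi
        out="$out$b=$r "
    done
    if trusted_by_presented "$d/root.pem" "$d/leaf.pem" "$d/inter.pem"; then
        r=ok
    else
        r=FAIL
    fi
    rm -rf "$d"
    printf '%s\n' "${out}root+presented=$r"
}

report
```

The same `trusted_by` check can be pointed at a real CA file and certificate to see whether the pair is consistent before restarting a service.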


[ovirt-users] Re: change lun for hosted_engine use?

2020-07-27 Thread Alan G
The "long-winded" way is the only way I know of doing it.



https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.3/html/administration_guide/chap-backups_and_migration
 



Providing you plan in advance I don't think it's really that onerous. And it 
means you have a stable system going forward...





 On Mon, 27 Jul 2020 16:07:13 +0100 Philip  Brown  wrote 





I currently have a self-hosted engine, running in a dedicated ISCSI storage 
domain. 
I'd like to change the backend hardware for the storage. 
 
i think there's some longwinded and complicated method of shutting down the 
engine, backup, creating a NEW one, restore, and whoknowswhat. 
 
I was wondering though, if maybe there's a way to just add an iscsi lun to the 
storage domain, and tell ovirt, "Hey, move the stuff over to that other lun" 
? 
 
Ive added the new lun already :) havent found a reference to move the files' 
residence though. 
 
If it helps, my end goal is to remove that lun completely. 
 
 
-- 
Philip Brown| Sr. Linux System Administrator | Medata, Inc. 
5 Peters Canyon Rd Suite 250 
Irvine CA 92606 
Office 714.918.1310| Fax 714.918.1325 
mailto:pbr...@medata.com| www.medata.com


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-27 Thread Greg Scott
Imageio 1.5.3 on both RHVM and your hypervisors, right? And the test
returned success - that eliminates what I saw then.


On Mon, Jul 27, 2020 at 9:44 AM Lynn Dixon  wrote:

> I am running 1.5.3 of all of the imageio-* packages.  The test button in
> RHVM for the uploader comes back successfully with no errors.
>
> I am at a loss here.
>
> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
> *Solutions Architect* | NA Commercial
> Google Voice: 423-618-1414
> Cell/Text: 423-774-3188
> Click here to view my Certification Portfolio 
>
>
>
>
> On Sat, Jul 25, 2020 at 12:53 AM Greg Scott  wrote:
>
>> Make sure you have the right imageio versions. We spent around two months
>> troubleshooting a similar problem and eventually found my customer had
>> imageio 1.0.0 when they should have had something like 1.4.4. Do an
>> rpm -qa | grep imageio on both your RHVM and RHV-H systems and see what it
>> looks like.
>>
>> Also try that test button in RHVM and see how it behaves. Does it fail
>> right away or does it take a couple seconds?
>>
>> - Greg
>>
>> On Fri, Jul 24, 2020 at 9:24 PM Lynn Dixon  wrote:
>>
>>> All,
>>> I recently bought a wildcard certificate for my lab domain (
>>> shadowman.dev) and I replaced all the certs on my RHV4.3 machine per
>>> our documentation.  The WebUI presents the certs successfully and without
>>> any issues, and everything seemed to be fine, until I tried to upload a
>>> disk image (or an ISO) to my storage domain.  I get this error in the
>>> events tab:
>>>
>>> https://share.getcloudapp.com/p9uPvegx
>>>
>>> I also see that the disk is showing up in my storage domain, but its
>>> showing "Paused by System" and I can't do anything with it.  I cant even
>>> delete it!
>>>
>>> I have tried following this document to fix the issue, but it didn't
>>> work: https://access.redhat.com/solutions/4148361
>>>
>>> I am seeing this error pop into my engine.log:
>>> https://pastebin.com/kDLSEq1A
>>>
>>> And I see this error in my image-proxy.log:
>>> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
>>> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
>>> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
>>> certificate) [request=0.002946/1]
>>>
>>> Now, when I bought my wildcard, I was given a root certificate for the
>>> CA, as well as a separate intermediate CA certificate from the provider.
>>> Likewise, they gave me a certificate and a private key of course. The root
>>> and intermediate CA's certificates have been added
>>> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>>>
>>> I also started experiencing issues with the ovpn network provider at the
>>> same time I replaced the SSL certs, but I disregarded it at the time, but
>>> now I am thinking its related.  Any advice on what to look for to fix the
>>> ovirt-imageio-proxy?
>>>
>>> Thanks!
>>>
>>>
>>> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
>>> *Solutions Architect* | NA Commercial
>>> Google Voice: 423-618-1414
>>> Cell/Text: 423-774-3188
>>> Click here to view my Certification Portfolio 
>>>
>>>
>>>
>>
>> --
>> Greg Scott
>> Red Hat Senior Technical Account Manager
>> mobile 1-651-260-1051
>>
>

-- 
Greg Scott
Red Hat Senior Technical Account Manager
mobile 1-651-260-1051


[ovirt-users] change lun for hosted_engine use?

2020-07-27 Thread Philip Brown

I currently have a self-hosted engine, running in a dedicated ISCSI storage 
domain.
I'd like to change the backend hardware for the storage.

i think there's some longwinded and complicated method of shutting down the 
engine, backup, creating a NEW one, restore, and whoknowswhat.

I was wondering though, if maybe there's a way to just add an iscsi lun to the 
storage domain, and tell ovirt, "Hey, move the stuff over to that other lun"
?

Ive added the new lun already :) havent found a reference to move the files' 
residence though.

If it helps, my end goal is to remove that lun completely.


--
Philip Brown| Sr. Linux System Administrator | Medata, Inc. 
5 Peters Canyon Rd Suite 250 
Irvine CA 92606 
Office 714.918.1310| Fax 714.918.1325 
pbr...@medata.com| www.medata.com


[ovirt-users] Re: [rhev-tech] ovirt-imageio-proxy not working after updating SSL certificates with a wildcard cert issued by AlphaSSL (intermediate)

2020-07-27 Thread Lynn Dixon
I am running 1.5.3 of all of the imageio-* packages. The test button in
RHVM for the uploader comes back successfully with no errors.

I am at a loss here.

*Lynn Dixon* | Red Hat Certified Architect #100-006-188
*Solutions Architect* | NA Commercial
Google Voice: 423-618-1414
Cell/Text: 423-774-3188




On Sat, Jul 25, 2020 at 12:53 AM Greg Scott  wrote:

> Make sure you have the right imageio versions. We spent around two months
> troubleshooting a similar problem and eventually found my customer had
> imageio 1.0.0 when they should have had something like 1.4.4. Do an
> rpm -qa | grep imageio on both your RHVM and RHV-H systems and see what it
> looks like.
>
> Also try that test button in RHVM and see how it behaves. Does it fail
> right away or does it take a couple seconds?
>
> - Greg
>
> On Fri, Jul 24, 2020 at 9:24 PM Lynn Dixon  wrote:
>
>> All,
>> I recently bought a wildcard certificate for my lab domain (shadowman.dev)
>> and I replaced all the certs on my RHV4.3 machine per our documentation.
>> The WebUI presents the certs successfully and without any issues, and
>> everything seemed to be fine, until I tried to upload a disk image (or an
>> ISO) to my storage domain.  I get this error in the events tab:
>>
>> https://share.getcloudapp.com/p9uPvegx
>>
>> I also see that the disk is showing up in my storage domain, but it's
>> showing "Paused by System" and I can't do anything with it.  I can't even
>> delete it!
>>
>> I have tried following this document to fix the issue, but it didn't
>> work: https://access.redhat.com/solutions/4148361
>>
>> I am seeing this error pop into my engine.log:
>> https://pastebin.com/kDLSEq1A
>>
>> And I see this error in my image-proxy.log:
>> WARNING 2020-07-24 15:26:34,802 web:137:web:(log_error) ERROR
>> [172.17.0.30] PUT /tickets/ [403] Error verifying signed ticket: Invalid
>> ovirt ticket (data='--my_ticket_data-', reason=Untrusted
>> certificate) [request=0.002946/1]
>>
>> Now, when I bought my wildcard, I was given a root certificate for the
>> CA, as well as a separate intermediate CA certificate from the provider.
>> Likewise, they gave me a certificate and a private key of course. The root
>> and intermediate CA's certificates have been added
>> to /etc/pki/ca-trust/source/anchors/ and I did an update-ca-trust.
>>
>> I also started experiencing issues with the ovpn network provider at the
>> same time I replaced the SSL certs, but I disregarded it at the time, but
>> now I am thinking it's related. Any advice on what to look for to fix the
>> ovirt-imageio-proxy?
>>
>> Thanks!
>>
>>
>> *Lynn Dixon* | Red Hat Certified Architect #100-006-188
>> *Solutions Architect* | NA Commercial
>> Google Voice: 423-618-1414
>> Cell/Text: 423-774-3188
>>
>>
>>
>
> --
> Greg Scott
> Red Hat Senior Technical Account Manager
> mobile 1-651-260-1051
>
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LDJXJZWADLMDZNEEUI6XIPE3G4GAJARJ/
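
An added example, not part of the thread above and not oVirt or Red Hat code: one way to see with openssl verify what an "Untrusted certificate" style result looks like when a leaf is issued by an intermediate CA, as in the root plus intermediate setup the original post describes. The three-level lab PKI, the subject names and all file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed lab PKI (all names made up): root CA -> intermediate CA -> wildcard leaf.

# new_csr <subject CN> <basename>: fresh RSA key plus a CSR for it
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# make_chain <dir>: write root.pem, inter.pem and leaf.pem into <dir>
make_chain() (
    cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.lab.example
EOF
    new_csr "Example Root CA" root &&
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null &&
    new_csr "Example Intermediate CA" inter &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ext.cnf -extensions ca -out inter.pem 2>/dev/null &&
    new_csr "*.lab.example" leaf &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -extfile ext.cnf -extensions leaf -out leaf.pem 2>/dev/null
)

# verify_leaf <trusted CA file> <leaf> [intermediates file]
# Succeeds only if a chain from the leaf to the trusted CA can be built.
verify_leaf() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
verify_leaf "$demo_dir/root.pem" "$demo_dir/leaf.pem" \
    && echo "root only: OK" || echo "root only: untrusted (issuer not found)"
verify_leaf "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/inter.pem" \
    && echo "root + intermediate: OK" || echo "root + intermediate: untrusted"
```

The same verify_leaf call can be pointed at whatever CA file a given service is configured to trust and at the certificate it is being asked to accept.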


[ovirt-users] Re: Centos based Ovirt 4.3.10.4-1.el7, VMs cannot communicate over VM networks

2020-07-27 Thread Strahil Nikolov via Users
Have you tried ovn-trace to detect your issues?

I think the following blog is quite good:
https://www.google.com/amp/s/blog.russellbryant.net/2016/11/11/ovn-logical-flows-and-ovn-trace/amp/

Best Regards,
Strahil Nikolov


On 27 July 2020 at 15:43:48 GMT+03:00, Konstantinos B wrote:
>Hi all
>
>Can anyone point into the right direction on how to troubleshoot VM
>connectivity between VM networks?
>
>The nodes have been double-installed from the engine.
>The external ovn-provider is reachable through HTTP.
>
>ovs-vsctl shows the interfaces once a VM is booted.
>
>However, no traffic is passed between VMs.
>
>Any help is greatly appreciated.
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/Q2CHYKQVO6A7LF5UQ5VLW3X3QIJK5L53/


[ovirt-users] Re: New ovirt 4.4.0.3-1.el8 leaves disks in illegal state on all snapshot actions

2020-07-27 Thread h aanst
Hi, 

Removed everything .. reinstall with images

Hitting known bug
[ ERROR ] fatal: [localhost]: FAILED! => {"attempts": 10, "changed": false, 
"msg": "The Python 2 yum module is needed for this module. If you require 
Python 3 support use the `dnf` Ansible module instead."}

https://bugzilla.redhat.com/show_bug.cgi?id=1858234

clean installs with 
ovirt-node-ng-installer-4.4.1-2020071311.el8.iso
ovirt-node-ng-installer-4.4.1-2020070811.el8.iso

4.4.0 install would not upgrade .. how to install now?

any advice?
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JE6BD4EWH2MKNNO2M4NDOZPI47GUTNO5/


[ovirt-users] Centos based Ovirt 4.3.10.4-1.el7, VMs cannot communicate over VM networks

2020-07-27 Thread Konstantinos B
Hi all

Can anyone point into the right direction on how to troubleshoot VM 
connectivity between VM networks?

The nodes have been double-installed from the engine.
The external ovn-provider is reachable through HTTP.

ovs-vsctl shows the interfaces once a VM is booted.

However, no traffic is passed between VMs.

Any help is greatly appreciated.
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/J2RIQUGR6VJRITBXWDFURFHPABUFKCN4/


[ovirt-users] Re: problem with custom bond options

2020-07-27 Thread Jiří Sléžka
On 7/24/20 5:23 PM, Strahil Nikolov wrote:
> Hi Jiri,
> 
> you are the second person who mentions it. Can you open a bug at 
> bugzilla.redhat.com about that?

sure, here it is

https://bugzilla.redhat.com/show_bug.cgi?id=1860843

Best Regards,

Jiri Slezka


> 
> Best Regards,
> Strahil Nikolov
> 
> On 24 July 2020 at 16:30:02 GMT+03:00, "Jiří Sléžka" wrote:
>> On 7/24/20 11:36 AM, Jiří Sléžka wrote:
>>> On 7/24/20 10:56 AM, Ales Musil wrote:

 On Fri, Jul 24, 2020 at 10:40 AM Jiří Sléžka wrote:

 On 7/23/20 2:07 PM, Jiří Sléžka wrote:
 > On 7/23/20 12:35 PM, Ales Musil wrote:
 >>
 >> On Thu, Jul 23, 2020 at 11:50 AM Jiří Sléžka wrote:
 >>
 >>     On 7/23/20 11:03 AM, Ales Musil wrote:
 >>     >
 >>     > On Thu, Jul 23, 2020 at 10:35 AM Jiří Sléžka <jiri.sle...@slu.cz> wrote:
 >>     >
 >>     >     Hi,
 >>     >
 >>     >     On 7/23/20 8:38 AM, Ales Musil wrote:
 >>     >     >
 >>     >     > On Wed, Jul 22, 2020 at 9:41 PM Jiří Sléžka <jiri.sle...@slu.cz> wrote:
 >>     >     >
 >>     >     >     Hello,
 >>     >     >
 >>     >     > Hi,
 >>     >     >
 >>     >     >     CentOS8, oVirt 4.4.1.10-1.el8
 >>     >     >
 >>     >     >     I am trying to setup active-backup (mode=1) bonding mode with custom
 >>     >     >     properties. I have one 10GE switch, the second is just 1G. 10GE link is
 >>     >     >     the primary one.
 >>     >     >
 >>     >     >     cat /etc/sysconfig/network-scripts/ifcfg-bond0
 >>     >     >
 >>     >     > first of all in oVirt 4.4 the network-scripts are not relevant anymore.
 >>     >     > More relevant is output from 'nmstatectl show'.
 >>     >
 >>     >     thanks, I believed that ifcfg files still describes saved interface
 >>     >     configuration (even on nm managed interfaces)...
 >>     >
 >>     > It does but it might not be that detailed as we would have hoped for.
 >>     > Another reason why I said that it is not relevant is of course if
 >>     > someone tries reconfigure the interface through network-scripts.
 >>
 >>     well, honestly I did that (modified ifcfg and then use nmcli con
 >>     reload). So right way is using nmcli con modify command?
 >>
 >> Yes or nmstate. Just be aware that anything that you do to interface
 >> outside of oVirt can have harmful impacts on the host and overall oVirt
 >> state.
 >>
 >>     >     from nmstatectl show I can see that bond0 has specified mac address
 >>     >
 >>     >     https://paste.slu.cz/?d363cf2c029f6b83#Ew2rCiYyNGrdfffy6bvzSjbb8x4jJsaUdhxkjwThMFka
 >>     >
 >>     >     >     BONDING_OPTS="active_slave=ens5 downdelay=0 miimon=100
 >>     >     >     mode=active-backup primary=ens5 updelay=0"
 >>     >     >     TYPE=Bond
 >>     >     >     BONDING_MASTER=yes
 >>     >     >     PROXY_METHOD=none
 >>     >     >     BROWSER_ONLY=no
 >>     >     >     IPV4_FAILURE_FATAL=no
 >>     >     >     IPV6_DISABLED=yes
 >>     >     >     IPV6INIT=no
 >>     >     >     NAME=bond0
 >>     >     >     UUID=c054364e-47cf-47ee-a7fc-70b37c9977e7
 >>     >     >     DEVICE=bond0
 >>     >     >     ONBOOT=yes
 >>     >     >     MTU=9000
 >>     >     >
 >>     >