[ovirt-users] Upgrade hosts/nodes from engine

2016-08-16 Thread Hanson

Hi Guys,

Quick question, I have my nodes on a bond-bridge-privateVlan setup, and 
my engine on a bond-bridge-publicVlan setup for remote monitoring.


Understandably, the nodes are complaining that they are failing updates. 
(They're on a private vlan, and only configured with IP's in that vlan, 
the public vlan doesn't have IP's set on the hosts so they can pass it 
to VMs).


Is there a way to have the engine do the updates on the node using its 
internet connection, like a proxy?


For security reasons I like to have the nodes not publicly accessible, 
as we see hundreds if not thousands of ssh attempts, and root would 
probably be the most attacked account.


Thanks,

Hanson

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt Reports

2016-08-16 Thread Fernando Fuentes
Yaniv,

Thanks for the reply.

Didi,

Duly noted!

Thank you all for the reply. I got it all fixed.

Regards,

--
Fernando Fuentes
ffuen...@txweather.org
http://www.txweather.org



On Tue, Aug 16, 2016, at 12:56 AM, Yaniv Dary wrote:
> This looks like a DWH, not a reports issue. Are you sure you only
> install reports remotely?
>
> Yaniv Dary Technical Product Manager Red Hat Israel Ltd. 34 Jerusalem
> Road Building A, 4th floor Ra'anana, Israel 4350109  Tel : +972 (9)
> 7692306 8272306 Email: yd...@redhat.com IRC : ydary
>
> On Tue, Aug 16, 2016 at 8:48 AM, Yedidyah Bar David
>  wrote:
>> On Tue, Aug 16, 2016 at 12:09 AM, Fernando Fuentes
>>  wrote:
>>  > David,
>>
>> (Actually it's "Yedidyah" or "Didi", "Bar David" is my surname)
>>
>>
>> >
>>  > After an attempt to run this remote setup something went really
>>  > wrong
>>  > and my dwh went fubar on my ovirt 4.0
>>  >
>>  > I got:
>>  >
>>  > 2016-08-15 16:03:34|ETL Service Started
>>  > ovirtEngineDbDriverClass|org.postgresql.Driver
>>  > ovirtEngineHistoryDbJdbcConnection|jdbc:postgresql://localhost:5432/ovirt_engine_history?sslfactory=org.postgresql.ssl.NonValidatingFactory
>>  > hoursToKeepDaily|43800
>>  > hoursToKeepHourly|1440
>>  > ovirtEngineDbPassword|**
>>  > runDeleteTime|3
>>  > ovirtEngineDbJdbcConnection|jdbc:postgresql://localhost:5432/engine?sslfactory=org.postgresql.ssl.NonValidatingFactory
>>  > runInterleave|20
>>  > limitRows|limit 1000
>>  > ovirtEngineHistoryDbUser|ovirt_engine_history
>>  > ovirtEngineDbUser|engine
>>  > deleteIncrement|10
>>  > timeBetweenErrorEvents|30
>>  > hoursToKeepSamples|24
>>  > deleteMultiplier|1000
>>  > lastErrorSent|2011-07-03 12:46:47.00
>>  > etlVersion|4.0.2
>>  > dwhAggregationDebug|false
>>  > dwhUuid|759f3eb5-5072-4c28-9686-a363eb956077
>>  > ovirtEngineHistoryDbDriverClass|org.postgresql.Driver
>>  > ovirtEngineHistoryDbPassword|**
>>  > Exception in component tJDBCInput_2
>>  > org.postgresql.util.PSQLException: ERROR: relation "history_configuration" does not exist
>>  >   Position: 65
>>  >     at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2157)
>>  >     at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1886)
>>  >     at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:255)
>>  >     at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:555)
>>  >     at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:403)
>>  >     at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:283)
>>  >     at ovirt_engine_dwh.minimalversioncheck_4_0.MinimalVersionCheck.tJDBCInput_2Process(MinimalVersionCheck.java:1574)
>>  >     at ovirt_engine_dwh.minimalversioncheck_4_0.MinimalVersionCheck.tJDBCInput_1Process(MinimalVersionCheck.java:1229)
>>  >     at ovirt_engine_dwh.minimalversioncheck_4_0.MinimalVersionCheck.tJDBCConnection_2Process(MinimalVersionCheck.java:782)
>>  >     at ovirt_engine_dwh.minimalversioncheck_4_0.MinimalVersionCheck.tJDBCConnection_1Process(MinimalVersionCheck.java:657)
>>  >     at ovirt_engine_dwh.minimalversioncheck_4_0.MinimalVersionCheck.runJobInTOS(MinimalVersionCheck.java:3089)
>>  >     at ovirt_engine_dwh.minimalversioncheck_4_0.MinimalVersionCheck.runJob(MinimalVersionCheck.java:2853)
>>  >     at ovirt_engine_dwh.historyetl_4_0.HistoryETL.tRunJob_2Process(HistoryETL.java:8009)
>>  >     at ovirt_engine_dwh.historyetl_4_0.HistoryETL$3.run(HistoryETL.java:11520)
>>  > 2016-08-15 16:03:34|NAl0ai|349e7f|349e7f|OVIRT_ENGINE_DWH|MinimalVersionCheck|Default|6|Java Exception|tJDBCInput_2|org.postgresql.util.PSQLException:ERROR: relation "history_configuration" does not exist
>>  >   Position: 65|1
>>  > Exception in component tRunJob_2
>>  > java.lang.RuntimeException: Child job running failed
>>  >     at ovirt_engine_dwh.historyetl_4_0.HistoryETL.tRunJob_2Process(HistoryETL.java:8032)
>>  >     at ovirt_engine_dwh.historyetl_4_0.HistoryETL$3.run(HistoryETL.java:11520)
>>  > 2016-08-15 16:03:34|349e7f|349e7f|349e7f|OVIRT_ENGINE_DWH|HistoryETL|Default|6|Java Exception|tRunJob_2|java.lang.RuntimeException:Child job running failed|1
>>  > 2016-08-15 16:03:34|ETL Service Stopped

Re: [ovirt-users] ovirt 3.6 python sdk how to find logical network from a host nic?

2016-08-16 Thread Juan Hernández
On 08/16/2016 08:20 PM, Huan He (huhe) wrote:
> Hi Juan,
> 
> Thanks! It works. 
> 
> One more question, do you know how to do "save network configuration" in
> the api? I did the following
> 
> Params.Action(force=1, check_connectivity=1, host_nics=host_nics)
> 
> but the gui says the network configuration is not saved. I can't find any
> relevant params in the Action.
> 
> Thanks,
> Huan
> 

Saving the network configuration is a different action:

  host.commitnetconfig()

> 
> On 8/13/16, 5:09 AM, "Juan Hernández"  wrote:
> 
>> On 08/13/2016 12:17 AM, Huan He (huhe) wrote:
>>> Assuming the logical network ovirtmgmt has been configured in host NIC
>>> enp6s0.
>>>
>>> host = api.hosts.get('host-123')
>>> host_nic = host.nics.get('enp6s0')
>>>
>>> How to get the logical network name ovirtmgmt?
>>>
>>> I basically need to find ovirtmgmt is configured in which NIC.
>>>
>>> Thanks,
>>> Huan
>>>
>>
>> To do this first you need to find the identifier of the "ovirtmgmt"
>> network of the relevant cluster (the same network name can be used in
>> multiple clusters) and then iterate the network attachments to find
>> which network interfaces are connected to that network. Something like
>> this:
>>
>> ---8<---
>> # Find the host:
>> host_name = 'myhost'
>> host = api.hosts.get(name=host_name)
>>
>> # Find the identifier of the cluster that the host belongs to:
>> cluster_id = host.get_cluster().get_id()
>>
>> # Find the networks available in the cluster, and locate the
>> # ones with the name we are looking for:
>> network_name = 'ovirtmgmt'
>> network_ids = []
>> networks = api.clusters.get(id=cluster_id).networks.list()
>> for network in networks:
>>     if network.get_name() == network_name:
>>         network_ids.append(network.get_id())
>>
>> # Find the network interface of the host that has the network attached:
>> nic_ids = []
>> network_attachments = host.networkattachments.list()
>> for network_attachment in network_attachments:
>>     if network_attachment.get_network().get_id() in network_ids:
>>         nic_ids.append(network_attachment.get_host_nic().get_id())
>>
>> # Print the details of the nics:
>> for nic_id in nic_ids:
>>     nic = host.nics.get(id=nic_id)
>>     print(nic.get_name())
>> --->8---
>>
>> -- 
>> Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
>> 3ºD, 28016 Madrid, Spain
>> Registered in the Madrid Mercantile Registry - C.I.F. B82657941 - Red Hat S.L.
> 
> 




Re: [ovirt-users] ovirt 3.6 python sdk how to find logical network from a host nic?

2016-08-16 Thread Huan He (huhe)
Hi Juan,

Thanks! It works. 

One more question, do you know how to do "save network configuration" in
the api? I did the following

Params.Action(force=1, check_connectivity=1, host_nics=host_nics)

but the gui says the network configuration is not saved. I can't find any
relevant params in the Action.

Thanks,
Huan


On 8/13/16, 5:09 AM, "Juan Hernández"  wrote:

>On 08/13/2016 12:17 AM, Huan He (huhe) wrote:
>> Assuming the logical network ovirtmgmt has been configured in host NIC
>> enp6s0.
>> 
>> host = api.hosts.get('host-123')
>> host_nic = host.nics.get('enp6s0')
>> 
>> How to get the logical network name ovirtmgmt?
>> 
>> I basically need to find ovirtmgmt is configured in which NIC.
>> 
>> Thanks,
>> Huan
>> 
>
>To do this first you need to find the identifier of the "ovirtmgmt"
>network of the relevant cluster (the same network name can be used in
>multiple clusters) and then iterate the network attachments to find
>which network interfaces are connected to that network. Something like
>this:
>
>---8<---
># Find the host:
>host_name = 'myhost'
>host = api.hosts.get(name=host_name)
>
># Find the identifier of the cluster that the host belongs to:
>cluster_id = host.get_cluster().get_id()
>
># Find the networks available in the cluster, and locate the
># ones with the name we are looking for:
>network_name = 'ovirtmgmt'
>network_ids = []
>networks = api.clusters.get(id=cluster_id).networks.list()
>for network in networks:
>    if network.get_name() == network_name:
>        network_ids.append(network.get_id())
>
># Find the network interface of the host that has the network attached:
>nic_ids = []
>network_attachments = host.networkattachments.list()
>for network_attachment in network_attachments:
>    if network_attachment.get_network().get_id() in network_ids:
>        nic_ids.append(network_attachment.get_host_nic().get_id())
>
># Print the details of the nics:
>for nic_id in nic_ids:
>    nic = host.nics.get(id=nic_id)
>    print(nic.get_name())
>--->8---
>


Re: [ovirt-users] Gluster replication on 1Gb interfaces

2016-08-16 Thread Edward Clay
We experienced severe performance degradation with a 5TB volume with
500GB of data on it.  So much so that we went ahead and upgraded to
10GbE.  Our setup was a 1GbE interface for all gluster communication and
client access.  We have experienced no performance hits since switching
to 10GbE.


On 08/16/2016 11:25 AM, Fernando Frediani wrote:
> Hi all.
>
> I understand using 10Gb interfaces when using Gluster is advised for
> helping with data replication, especially in situations where a node
> went down for a while and needs to re-sync data.
>
> However can anyone tell if using one 1Gb interface dedicated for it in
> hosts with 1.8 TB of Raw storage would be still Ok or can it cause
> severe impact on performance? What are the chances of a 1Gb NIC
> being saturated during normal operation?
>
> Thanks
> Fernando
>

-- 
Best regards,
Edward Clay
Systems Administrator
UK2 Group - US Operations
Phone: 1-800-222-2165
FAX: 435-755-3449
E-mail: edward.c...@uk2group.com
 
Believe in Better Hosting
http://www.westhost.com



[ovirt-users] Gluster replication on 1Gb interfaces

2016-08-16 Thread Fernando Frediani

Hi all.

I understand using 10Gb interfaces when using Gluster is advised for 
helping with data replication, especially in situations where a node went 
down for a while and needs to re-sync data.


However can anyone tell if using one 1Gb interface dedicated for it in 
hosts with 1.8 TB of Raw storage would be still Ok or can it cause 
severe impact on performance? What are the chances of a 1Gb NIC being 
saturated during normal operation?


Thanks
Fernando



Re: [ovirt-users] edit gluster storage domain

2016-08-16 Thread Edward Clay
Thanks.  That did it.


On 08/16/2016 10:44 AM, Nir Soffer wrote:
> On Tue, Aug 16, 2016 at 7:28 PM, Edward Clay  wrote:
>> So I've run into an issue where I add
>> "-obackup-volfile-servers=10.4.16.19:10.4.16.12"
> -o is added by vdsm on the host, try:
>
> backup-volfile-servers=10.4.16.19:10.4.16.12
>
>> to the storage domain
>> object and click ok.  Then I get an error that says "Failed to connect
>> Host hv5.domain.com to the Storage Domains SANB".  Am I getting the
>> mount option correct?  Any thoughts on what I'm doing wrong here?
>>
>>
>> On 08/11/2016 12:38 PM, Nir Soffer wrote:
>>> On Thu, Aug 11, 2016 at 9:22 PM, Edward Clay  
>>> wrote:
>>>> Hello,  I need to edit a glusterfs storage domain to add the mount
>>>> option " backupvolfile-server=SERVER" So when the primary servers IP is
>>>> not accessible the remaining servers will be used to retrieve data
>>>> stored on the gluster volume.  Right now when I try to edit the storage
>>>> domain the mount options box is grayed out and not editable.  I recently
>>>> had to take all vms down so I put the HV in maintenance mode and the
>>>> edit options wasn't present.
>>>>
>>>>
>>>> I need to understand if this is the correct option to make a glusterfs
>>>> volume fault tolerant?
>>> Yes.
>>>
>>>> Also I need to understand how to make this edit in the ovirt web
>>>> interface or other method.
>>> You need to put the storage domain in maintenance mode, and then
>>> you can edit the gluster mount options.
>>>
>>> This requires either shutting down all the vms using this storage, or
>>> if you cannot afford any downtime, you can live-migrate the disks to
>>> another storage domain, edit gluster options, and live-migrate the disks
>>> back.
>>>
>>> Nir
>> --
>> Best regards,
>> Edward Clay
>> Systems Administrator
>> UK2 Group - US Operations
>> Phone: 1-800-222-2165
>> FAX: 435-755-3449
>> E-mail: edward.c...@uk2group.com
>>
>> Believe in Better Hosting
>> http://www.westhost.com
>>

-- 
Best regards,
Edward Clay
Systems Administrator
UK2 Group - US Operations
Phone: 1-800-222-2165
FAX: 435-755-3449
E-mail: edward.c...@uk2group.com
 
Believe in Better Hosting
http://www.westhost.com



Re: [ovirt-users] edit gluster storage domain

2016-08-16 Thread Nir Soffer
On Tue, Aug 16, 2016 at 7:28 PM, Edward Clay  wrote:
> So I've run into an issue where I add
> "-obackup-volfile-servers=10.4.16.19:10.4.16.12"

-o is added by vdsm on the host, try:

backup-volfile-servers=10.4.16.19:10.4.16.12

> to the storage domain
> object and click ok.  Then I get an error that says "Failed to connect
> Host hv5.domain.com to the Storage Domains SANB".  Am I getting the
> mount option correct?  Any thoughts on what I'm doing wrong here?
>
>
> On 08/11/2016 12:38 PM, Nir Soffer wrote:
>> On Thu, Aug 11, 2016 at 9:22 PM, Edward Clay  
>> wrote:
>>> Hello,  I need to edit a glusterfs storage domain to add the mount
>>> option " backupvolfile-server=SERVER" So when the primary servers IP is
>>> not accessible the remaining servers will be used to retrieve data
>>> stored on the gluster volume.  Right now when I try to edit the storage
>>> domain the mount options box is grayed out and not editable.  I recently
>>> had to take all vms down so I put the HV in maintenance mode and the
>>> edit options wasn't present.
>>>
>>>
>>> I need to understand if this is the correct option to make a glusterfs
>>> volume fault tolerant?
>> Yes.
>>
>>> Also I need to understand how to make this edit in the ovirt web
>>> interface or other method.
>> You need to put the storage domain in maintenance mode, and then
>> you can edit the gluster mount options.
>>
>> This requires either shutting down all the vms using this storage, or
>> if you cannot afford any downtime, you can live-migrate the disks to
>> another storage domain, edit gluster options, and live-migrate the disks
>> back.
>>
>> Nir
>
> --
> Best regards,
> Edward Clay
> Systems Administrator
> UK2 Group - US Operations
> Phone: 1-800-222-2165
> FAX: 435-755-3449
> E-mail: edward.c...@uk2group.com
>
> Believe in Better Hosting
> http://www.westhost.com
>


Re: [ovirt-users] edit gluster storage domain

2016-08-16 Thread Edward Clay
So I've run into an issue where I add
"-obackup-volfile-servers=10.4.16.19:10.4.16.12" to the storage domain
object and click ok.  Then I get an error that says "Failed to connect
Host hv5.domain.com to the Storage Domains SANB".  Am I getting the
mount option correct?  Any thoughts on what I'm doing wrong here?


On 08/11/2016 12:38 PM, Nir Soffer wrote:
> On Thu, Aug 11, 2016 at 9:22 PM, Edward Clay  wrote:
>> Hello,  I need to edit a glusterfs storage domain to add the mount
>> option " backupvolfile-server=SERVER" So when the primary servers IP is
>> not accessible the remaining servers will be used to retrieve data
>> stored on the gluster volume.  Right now when I try to edit the storage
>> domain the mount options box is grayed out and not editable.  I recently
>> had to take all vms down so I put the HV in maintenance mode and the
>> edit options wasn't present.
>>
>>
>> I need to understand if this is the correct option to make a glusterfs
>> volume fault tolerant?
> Yes.
>
>> Also I need to understand how to make this edit in the ovirt web
>> interface or other method.
> You need to put the storage domain in maintenance mode, and then
> you can edit the gluster mount options.
>
> This requires either shutting down all the vms using this storage, or
> if you cannot afford any downtime, you can live-migrate the disks to
> another storage domain, edit gluster options, and live-migrate the disks
> back.
>
> Nir

-- 
Best regards,
Edward Clay
Systems Administrator
UK2 Group - US Operations
Phone: 1-800-222-2165
FAX: 435-755-3449
E-mail: edward.c...@uk2group.com
 
Believe in Better Hosting
http://www.westhost.com



Re: [ovirt-users] oVirt 4 + Foreman

2016-08-16 Thread Juan Hernández
On 08/16/2016 11:58 AM, Arsène Gschwind wrote:
> Hi,
> 
> Has anybody been able to configure Foreman with oVirt 4? When trying to
> add Foreman as an external provider and test the login it always returns
> : Failed to communicate with the external provider, see log for
> additional details.
> 
> On the Foreman side I get an SSO failed in the log, the user and
> password entered are correct.
> 
> Running version:
> 
> oVirt Engine Version: 4.0.2.6-1.el7.centos
> Foreman Version 1.12.1
> 
> Please find the log extract attached.
> Thanks for any help/hint.
> 
> Regards,
> Arsène
> 

There are two important differences in version 4 of oVirt:

1. The URL is now only /ovirt-engine/api (it used to accept /api and
/ovirt-engine/api).

2. There are two versions of the API now, v3, compatible with oVirt 3,
and v4, new and incompatible. Foreman only supports v3.

So, I'd suggest you try to use "https://.../ovirt-engine/api/v3" in the
URL. Does that work? If it doesn't, can you provide more details? Log files?



Re: [ovirt-users] qos problem in ovirt python sdk

2016-08-16 Thread Juan Hernández
On 08/16/2016 03:52 AM, like...@cs2c.com.cn wrote:
> Hello,
> 
> I'm using ovirt3.6.7, and I want to use QoS function by restapi. But I
> found I can't update the qos to unlimited. 
> For example, I assigned a qos named qos1 to a vnic profile named
> vprofile1, then I want to set the qos of vprofile1 to unlimited,
> so I set the qos to None in sdk when update vnic profile, but after
> update the vnic profile still has qos named qos1.
> 
> So, how should I do if I want to set qos of a vnic profile to unlimited?
> 
> Look forward to your help!
> Thanks 
> 

This is a general issue with the way the API works: we don't have
different methods for updating or replacing completely the
representation of an object, we use PUT for everything. This means that
we have to assume that when you send a request without an attribute what
you mean is that you want to preserve it. For example, when you send
something like this:

  PUT /ovirt-engine/api/vnicprofiles/123
  

  

We have to assume that you want to preserve the attributes, as otherwise
we would just remove all of them. A side effect of this is that there is
no way to express that what you want to do is remove the QoS.

The workaround for that is to create an unlimited QoS (manually or via
the API) and then update the VNIC profile to use that instead of the
previous one. For example:

---8<---
# Find the data center:
dc = api.datacenters.get(name='mydc')

# Find the "unlimited" QoS, or create it if it doesn't exist
# yet:
unlimited = dc.qoss.get(name='unlimitednetwork')
if unlimited is None:
    unlimited = dc.qoss.add(
        params.QoS(
            name='unlimitednetwork',
            type_='network',
        )
    )

# Find the VNIC profile:
profile = api.vnicprofiles.get(name='myprofile')

# Change the VNIC profile to use the unlimited QoS:
profile.set_qos(
    params.QoS(id=unlimited.get_id())
)
profile.update()
--->8---



Re: [ovirt-users] iSCSI Multipathing -> host inactive

2016-08-16 Thread Uwe Laverenz

Hi Elad,

On 16.08.2016 at 10:52, Elad Ben Aharon wrote:

> Please be sure that ovirtmgmt is not part of the iSCSI bond.

Yes, I made sure it is not part of the bond.

> It does seem to have a conflict between default and enp9s0f0/ enp9s0f1.
> Try to put the host in maintenance and then delete the iscsi nodes using
> 'iscsiadm -m node -o delete'. Then activate the host.


I tried that, I managed to get the iSCSI interface clean, no "default" 
anymore. But that didn't solve the problem of the host becoming 
"inactive". Not even the NFS domains would come up.


As soon as I remove the iSCSI-bond, the host becomes responsive again 
and I can activate all storage domains. Removing the bond also brings 
the duplicated "Iface Name" back (but this time causes no problems).


...

I wonder if there is a basic misunderstanding on my side: wouldn't it be 
necessary that all targets are reachable from all interfaces that are 
configured into the bond to make it work?


But this would either mean two interfaces in the same network or routing 
between the iSCSI networks.


Thanks,
Uwe


Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread aleksey . maksimov

Oh yeah :)
I mistakenly used a root certificate from a local CA for 
/etc/pki/ovirt-engine/apache-ca.pem.
Now I understood, and it works. 
Thanks again.

16.08.2016, 16:15, "Jiri Belka" :
> IMO you "owe" explanation what was wrong, so other users
> could learn from your mistakes and this mailing-list archive
> would thus be beneficial for them when searching for help ;)
>
> Anyway, that's great news!
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Tuesday, August 16, 2016 2:59:21 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> Thank you, Jiri !
> I did everything step by step and SPICE HTML5 browser client now works.
>
> 16.08.2016, 10:46, "Jiri Belka" :
>>  So,
>>
>>  I used this for my own ca test:
>>
>>  OWN CA AND OWN ENGINE KEY/CRT
>>  =
>>
>>  0> CA
>>
>>  # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
>>  certificate = $dir/my-ca.crt # The CA certificate
>>  crl = $dir/my-ca.crl # The current CRL
>>  private_key = $dir/private/my-ca.key # The private key
>>  countryName_default = CZ
>>  stateOrProvinceName_default = Jihomoravsky kraj
>>  localityName_default = Brno
>>  0.organizationName_default = Shoot them in the head, s. r. o.
>>
>>  touch /etc/pki/CA/index.txt
>>  echo 01 > /etc/pki/CA/serial
>>  cd /etc/pki/CA
>>  (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
>>  openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>>
>>  0> engine cert
>>
>>  openssl genrsa -out my-engine.key 4096
>>  openssl req -new -out my-engine.csr -key my-engine.key
>>  openssl ca -in my-engine.csr -out my-engine.crt
>>  # use 'mypass' for p12 bundle export !!!
>>  openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
>>
>>  0> existing engine keys/certs/p12 replacement
>>
>>  (follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>>
>>  rm -f /etc/pki/ovirt-engine/apache-ca.pem
>>  cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
>>  cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
>>  openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
>>  openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
>>  install -o ovirt -g ovirt -m 600 /dev/null /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>>  # 'changeit' is default java truststore pass on EL
>>  cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
>>  ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
>>  ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
>>  EOF
>>
>>  0> add custom CA into system truststore after backup
>>
>>  cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
>>  update-ca-trust
>>
>>  0> check if system truststore knows about custom CA
>>
>>  openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
>>  # 'changeit' is default java truststore pass on EL
>>  keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
>>  grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" /etc/pki/ca-trust/extracted/
>>
>>  0> engine-setup pki configuration check
>>
>>  engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>>
>>  (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>>
>>  And this for websocket proxy:
>>
>>  # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>  PROXY_PORT=6100
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_ONLY=True
>>
>>  You can start manually websocket proxy:
>>
>>  /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
>>  Usage: ovirt-websocket-proxy.py [options] start
>>
>>  Options:
>>    -h, --help show this help message and exit
>>    -d, --debug debug mode
>>    --pidfile=FILE pid file to use
>>    --background Go into the background
>>    --systemd=SYSTEMD Systemd type simple|notify
>>    --redirect-output Redirect output of daemon
>>
>>  It is also handy to do:
>>
>>  openssl s_client -connect $websocketproxy_host:6100
>>
>>  j.
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "Jiri Belka" 
>>  Cc: "users" 
>>  Sent: 
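
The mistake reported at the top of this message (a local CA's root certificate placed in /etc/pki/ovirt-engine/apache-ca.pem, which the quoted 10-setup.conf uses as SSL_CERTIFICATE next to SSL_KEY) can be caught by comparing public keys. The script below is an added example, not part of the thread or of oVirt; its function names are hypothetical and the fixture it can generate is constructed test material.

```shell
#!/bin/sh
# Added example: verify that SSL_CERTIFICATE and SSL_KEY in an
# ovirt-websocket-proxy configuration file belong to the same key pair.
# Function names are hypothetical; only openssl and POSIX tools are used.

# conf_value FILE NAME: print the last value assigned to NAME, quotes removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Public key carried by a certificate / derived from a private key, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_ws_proxy_pair CONF
# Returns 0 when certificate and key match, 1 on mismatch, and 2 when the
# configuration, the certificate or the key is missing or unreadable.
check_ws_proxy_pair() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    cert=$(conf_value "$conf" SSL_CERTIFICATE)
    key=$(conf_value "$conf" SSL_KEY)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "$conf: SSL_CERTIFICATE or SSL_KEY is not set" >&2
        return 2
    fi
    cert_pub=$(cert_pubkey "$cert") || cert_pub=
    key_pub=$(key_pubkey "$key") || key_pub=
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "cannot parse $cert or $key" >&2
        return 2
    fi
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: $cert matches $key"
        return 0
    fi
    echo "MISMATCH: $cert was not issued for the key in $key" >&2
    echo "  certificate $(openssl x509 -in "$cert" -noout -subject 2>/dev/null)" >&2
    return 1
}

# make_constructed_fixture DIR: create constructed test material in DIR.
#   good.conf  certificate and key from the same throwaway key pair
#   bad.conf   the same key, paired with the certificate of a throwaway CA
make_constructed_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=engine.example.test" \
        -keyout "$dir/engine.key" -out "$dir/engine.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    for name in good bad; do
        if [ "$name" = good ]; then c=$dir/engine.crt; else c=$dir/ca.crt; fi
        printf 'PROXY_PORT=6100\nSSL_CERTIFICATE=%s\nSSL_KEY=%s\nSSL_ONLY=True\n' \
            "$c" "$dir/engine.key" > "$dir/$name.conf"
    done
}

# Check a real file when a path is given on the command line, for example
# /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
if [ "$#" -gt 0 ]; then
    check_ws_proxy_pair "$1"
fi
```

Run it as root with the path to 10-setup.conf, since the key file is not world-readable.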

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread Jiri Belka
IMO you "owe" explanation what was wrong, so other users
could learn from your mistakes and this mailing-list archive
would thus be beneficial for them when searching for help ;)

Anyway, that's great news!

j.

- Original Message -
From: "aleksey maksimov" 
To: "Jiri Belka" 
Cc: "users" 
Sent: Tuesday, August 16, 2016 2:59:21 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/

Thank you, Jiri ! 
I did everything step by step and SPICE HTML5 browser client now works.

16.08.2016, 10:46, "Jiri Belka" :
> So,
>
> I used this for my own ca test:
>
> OWN CA AND OWN ENGINE KEY/CRT
> =
>
> 0> CA
>
> # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
> certificate = $dir/my-ca.crt # The CA certificate
> crl = $dir/my-ca.crl # The current CRL
> private_key = $dir/private/my-ca.key # The private key
> countryName_default = CZ
> stateOrProvinceName_default = Jihomoravsky kraj
> localityName_default = Brno
> 0.organizationName_default = Shoot them in the head, s. r. o.
>
> touch /etc/pki/CA/index.txt
> echo 01 > /etc/pki/CA/serial
> cd /etc/pki/CA
> (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
> openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>
> 0> engine cert
>
> openssl genrsa -out my-engine.key 4096
> openssl req -new -out my-engine.csr -key my-engine.key
> openssl ca -in my-engine.csr -out my-engine.crt
> # use 'mypass' for p12 bundle export !!!
> openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt -chain -CAfile /etc/pki/CA/my-ca.crt
>
> 0> existing engine keys/certs/p12 replacement
>
> (follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>
> rm -f /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
> install -o ovirt -g ovirt -m 600 /dev/null /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
> # 'changeit' is default java truststore pass on EL
> cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
> EOF
>
> 0> add custom CA into system truststore after backup
>
> cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
> update-ca-trust
>
> 0> check if system truststore knows about custom CA
>
> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
> # 'changeit' is default java truststore pass on EL
> keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$( openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout | sed -e '/SHA1/s/.*=//;' )"
> grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" /etc/pki/ca-trust/extracted/
>
> 0> engine-setup pki configuration check
>
> engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>
> (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>
> And this for websocket proxy:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> You can start manually websocket proxy:
>
> /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
> Usage: ovirt-websocket-proxy.py [options] start
>
> Options:
>   -h, --help show this help message and exit
>   -d, --debug debug mode
>   --pidfile=FILE pid file to use
>   --background Go into the background
>   --systemd=SYSTEMD Systemd type simple|notify
>   --redirect-output Redirect output of daemon
>
> It is also handy to do:
>
> openssl s_client -connect $websocketproxy_host:6100
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Tuesday, August 16, 2016 9:33:54 AM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> Jiri, I did not hide information. Tell me what the log file should show and I 
> will show
>
> 16.08.2016, 10:29, "Jiri Belka" :
>>  It does have logs, filenames "hide" real data.
>>
>>  

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread aleksey . maksimov
Thank you, Jiri ! 
I did everything step by step and SPICE HTML5 browser client now works.

16.08.2016, 10:46, "Jiri Belka" :
> So,
>
> I used this for my own ca test:
>
> OWN CA AND OWN ENGINE KEY/CRT
> =
>
> 0> CA
>
> # awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
> certificate = $dir/my-ca.crt # The CA certificate
> crl = $dir/my-ca.crl # The current CRL
> private_key = $dir/private/my-ca.key # The private key
> countryName_default = CZ
> stateOrProvinceName_default = Jihomoravsky kraj
> localityName_default = Brno
> 0.organizationName_default = Shoot them in the head, s. r. o.
>
> touch /etc/pki/CA/index.txt
> echo 01 > /etc/pki/CA/serial
> cd /etc/pki/CA
> (umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
> openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
>
> 0> engine cert
>
> openssl genrsa -out my-engine.key 4096
> openssl req -new -out my-engine.csr -key my-engine.key
> openssl ca -in my-engine.csr -out my-engine.crt
> # use 'mypass' for p12 bundle export !!!
> openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt \
>     -chain -CAfile /etc/pki/CA/my-ca.crt
>
> 0> existing engine keys/certs/p12 replacement
>
> (follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)
>
> rm -f /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
> cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > \
>     /etc/pki/ovirt-engine/keys/apache.key.nopass
> openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > \
>     /etc/pki/ovirt-engine/certs/apache.cer
> install -o ovirt -g ovirt -m 600 /dev/null \
>     /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
> # 'changeit' is default java truststore pass on EL
> cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
> ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
> EOF
>
> 0> add custom CA into system truststore after backup
>
> cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
> update-ca-trust
>
> 0> check if system truststore knows about custom CA
>
> openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
> # 'changeit' is default java truststore pass on EL
> keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$(
>     openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout |
>     sed -e '/SHA1/s/.*=//;' )"
> grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" \
>     /etc/pki/ca-trust/extracted/
>
> 0> engine-setup pki configuration check
>
> engine-setup # see if 'PKI CONFIGURATION' section passed without errors
>
> (doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)
>
> And this for websocket proxy:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> You can start manually websocket proxy:
>
> /usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
> Usage: ovirt-websocket-proxy.py [options] start
>
> Options:
>   -h, --help show this help message and exit
>   -d, --debug debug mode
>   --pidfile=FILE pid file to use
>   --background Go into the background
>   --systemd=SYSTEMD Systemd type simple|notify
>   --redirect-output Redirect output of daemon
>
> It is also handy to do:
>
> openssl s_client -connect $websocketproxy_host:6100
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Tuesday, August 16, 2016 9:33:54 AM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> Jiri, I did not hide information. Tell me what the log file should show and I 
> will show
>
> 16.08.2016, 10:29, "Jiri Belka" :
>>  It does have logs, filenames "hide" real data.
>>
>>  You should reveal logs and what each file is and
>>  which exact commands you were executing.
>>
>>  Vague statements won't help much. It does work for me,
>>  there must be something strange in your setup but we
>>  cannot know what without details.
>>
>>  j.
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "Jiri Belka" 
>>  Cc: "users" 
>>  Sent: Monday, August 15, 2016 6:18:48 PM
>>  Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
>> HTML5 browser client -> 

Re: [ovirt-users] iSCSI Multipathing -> host inactive

2016-08-16 Thread Uwe Laverenz

Hi,

On 16.08.2016 at 09:26, Elad Ben Aharon wrote:

> Currently, your host is connected through a single initiator, the
> 'Default' interface (Iface Name: default), to 2 targets: tgta and tgtb


I see what you mean, but the "Iface Name" is somewhat irritating here, 
it does not mean that the wrong interface (ovirtmgmt) is used.
If you have a look at "Iface IPaddress" for both you can see that the 
correct, dedicated interfaces are used:


Iface IPaddress: 10.0.131.122   (iSCSIA network)
Iface IPaddress: 10.0.132.122   (iSCSIB network)


> (Target: iqn.2005-10.org.freenas.ctl:tgta and Target:
> iqn.2005-10.org.freenas.ctl:tgtb). Hence, each LUN is exposed from the
> storage server via 2 paths.
> Since the connection to the storage is done via the 'Default' interface
> and not via the 2 iSCSI networks you've configured, currently, the iSCSI
> bond is not operational.


Please see above. The storage servers iSCSI-addresses aren't even 
reachable from the ovirtmgmt net, they are in completely isolated networks.



> For the iSCSI bond to be operational, you'll have to do the following:
> - Create 2 networks in RHEVM under the relevant cluster (not sure if
> you've already done it) - iSCSI1 and iSCSI2. Configure both networks to
> be non-required networks for the cluster (should be also non-VM networks).
> - Attach the networks to the host's 2 interfaces using hosts Setup-networks.
> - Create a new iSCSI bond / modify the bond you've created and pick the
> 2 newly created networks along with all storage targets. Make sure that
> the Default network is not part of the bond (usually, the Default
> network is the management one - 'ovirtmgmt').
> - Put the host in maintenance and re-activate it so the iSCSI sessions
> will be refreshed with the new connection specifications.


This is exactly what I did, except that I had to add the iSCSI-storage 
first, otherwise the "iSCSI Multipathing" tab does not appear in the 
data center section.


I configured an iSCSI-Bond and the problem seems to be that it leads to 
conflicting iSCSI-settings on the host. The host uses the very same 
interface twice only with different "IFace Name":


iSCSIA:

Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.1994-05.com.redhat:cda91b279ac5
Iface IPaddress: 10.0.131.122

Iface Name: enp9s0f0
Iface Transport: tcp
Iface Initiatorname: iqn.1994-05.com.redhat:cda91b279ac5
Iface IPaddress: 10.0.131.122


iSCSIB:

Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.1994-05.com.redhat:cda91b279ac5
Iface IPaddress: 10.0.132.122

Iface Name: enp9s0f1
Iface Transport: tcp
Iface Initiatorname: iqn.1994-05.com.redhat:cda91b279ac5
Iface IPaddress: 10.0.132.122

I guess this is the reason why the host has problems to attach the 
storage domain, it toggles all storage domains on and off all the time.


Thank you,
Uwe
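
The condition described in this message (one target reached from the same Iface IPaddress under two different Iface Names) can be picked out of `iscsiadm -m session -P3` output mechanically. This is an added example, not part of the original message; the session text is constructed from the values quoted above, and which target belongs to which interface is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): find iSCSI sessions that reach the same
# target from the same source address under more than one iface name.

# Constructed sample in the shape of `iscsiadm -m session -P3` output, reduced
# to the lines the parser needs. Values are taken from the message above.
sample_sessions() {
    cat <<'EOF'
Target: iqn.2005-10.org.freenas.ctl:tgta (non-flash)
	Current Portal: 10.0.131.121:3260,257
		Iface Name: default
		Iface Transport: tcp
		Iface IPaddress: 10.0.131.122
	Current Portal: 10.0.131.121:3260,257
		Iface Name: enp9s0f0
		Iface Transport: tcp
		Iface IPaddress: 10.0.131.122
Target: iqn.2005-10.org.freenas.ctl:tgtb (non-flash)
	Current Portal: 10.0.132.121:3260,258
		Iface Name: default
		Iface Transport: tcp
		Iface IPaddress: 10.0.132.122
	Current Portal: 10.0.132.121:3260,258
		Iface Name: enp9s0f1
		Iface Transport: tcp
		Iface IPaddress: 10.0.132.122
EOF
}

# Read session text on stdin, print one "target iface_ip iface_name" line per
# session. "Iface Name" precedes "Iface IPaddress" within each session block.
list_iscsi_ifaces() {
    awk '
        $1 == "Target:"                      { target = $2 }
        $1 == "Iface" && $2 == "Name:"       { name = $3 }
        $1 == "Iface" && $2 == "IPaddress:"  { print target, $3, name }
    '
}

# Read session text on stdin, print "target iface_ip name1,name2,..." for every
# target/address pair that is logged in under more than one iface name.
duplicate_iscsi_paths() {
    list_iscsi_ifaces | sort -u | awk '
        {
            k = $1 " " $2
            count[k]++
            names[k] = names[k] (names[k] == "" ? "" : ",") $3
        }
        END { for (k in count) if (count[k] > 1) print k, names[k] }
    ' | sort
}

# Stand-alone run: report the duplicates in the constructed sample.
sample_sessions | duplicate_iscsi_paths
```

On a host, pipe the real command into the same function: `iscsiadm -m session -P3 | duplicate_iscsi_paths`. Empty output means every target/address pair is logged in under a single iface name.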


Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread Jiri Belka
So,

I used this for my own ca test:

OWN CA AND OWN ENGINE KEY/CRT
=============================


0> CA

# awk '/my-/ || $1 ~ /^[^#]*_default/' /etc/pki/tls/openssl.cnf
certificate = $dir/my-ca.crt # The CA certificate
crl = $dir/my-ca.crl # The current CRL
private_key = $dir/private/my-ca.key # The private key
countryName_default = CZ
stateOrProvinceName_default = Jihomoravsky kraj
localityName_default = Brno
0.organizationName_default = Shoot them in the head, s. r. o.

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
cd /etc/pki/CA
(umask 077 ; openssl genrsa -out private/my-ca.key -des3 2048 )
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt


0> engine cert

openssl genrsa -out my-engine.key 4096
openssl req -new -out my-engine.csr -key my-engine.key
openssl ca -in my-engine.csr -out my-engine.crt
# use 'mypass' for p12 bundle export !!!
openssl pkcs12 -export -out my-engine.p12 -inkey my-engine.key -in my-engine.crt \
    -chain -CAfile /etc/pki/CA/my-ca.crt


0> existing engine keys/certs/p12 replacement

(follow $engine_url/ovirt-engine/docs/manual/en_US/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html)

rm -f /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.crt /etc/pki/ovirt-engine/apache-ca.pem
cp my-engine.p12 /etc/pki/ovirt-engine/keys/apache.p12
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > \
    /etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > \
    /etc/pki/ovirt-engine/certs/apache.cer
install -o ovirt -g ovirt -m 600 /dev/null \
    /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
# 'changeit' is default java truststore pass on EL
cat > /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf << EOF
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="changeit"
EOF


0> add custom CA into system truststore after backup

cp /etc/pki/CA/my-ca.crt /etc/pki/ca-trust/source/anchors/CA.crt
update-ca-trust


0> check if system truststore knows about custom CA

openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout
# 'changeit' is default java truststore pass on EL
keytool -list -keystore /etc/pki/java/cacerts -storepass changeit | grep "$(
    openssl x509 -in /etc/pki/ca-trust/source/anchors/CA.crt -fingerprint -sha1 -noout |
    sed -e '/SHA1/s/.*=//;' )"
grep -IR "$(sed -n '2p' /etc/pki/ca-trust/source/anchors/CA.crt)" \
    /etc/pki/ca-trust/extracted/


0> engine-setup pki configuration check

engine-setup # see if 'PKI CONFIGURATION' section passed without errors

(doctext here https://bugzilla.redhat.com/show_bug.cgi?id=1336838)

And this for websocket proxy:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
SSL_ONLY=True

You can start manually websocket proxy:

/usr/share/ovirt-engine/services/ovirt-websocket-proxy/ovirt-websocket-proxy.py --help
Usage: ovirt-websocket-proxy.py [options] start

Options:
  -h, --help         show this help message and exit
  -d, --debug        debug mode
  --pidfile=FILE     pid file to use
  --background       Go into the background
  --systemd=SYSTEMD  Systemd type simple|notify
  --redirect-output  Redirect output of daemon

It is also handy to do:

openssl s_client -connect $websocketproxy_host:6100

j.

- Original Message -
From: "aleksey maksimov" 
To: "Jiri Belka" 
Cc: "users" 
Sent: Tuesday, August 16, 2016 9:33:54 AM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/


Jiri, I did not hide information. Tell me what the log file should show and I 
will show

16.08.2016, 10:29, "Jiri Belka" :
> It does have logs, filenames "hide" real data.
>
> You should reveal logs and what each file is and
> which exact commands you were executing.
>
> Vague statements won't help much. It does work for me,
> there must be something strange in your setup but we
> cannot know what without details.
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Monday, August 15, 2016 6:18:48 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> I tried a version of Nicolás.
> No success :((
>
> 1) I create full bundle cert file:
>
> # cat /etc/pki/ovirt-engine/certs/apache.cer 
> /etc/pki/ovirt-engine/apache-ca.pem > 
> 
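
Whatever files end up in `SSL_CERTIFICATE` and `SSL_KEY`, a TLS listener can only use them if the key is the private key of that certificate, and a browser only accepts the result if the certificate chains to a CA it trusts. The script below is an added example, not part of any message in this thread: it reads those two settings from a KEY=VALUE file of the shape shown above and checks the pairing, the chain and the expiry. The demo CA, certificate, keys and the two config files are constructed in a temporary directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Everything it checks in the demo is
# constructed in a temp directory; nothing under /etc is read or written.

# Print KEY's value from a KEY=VALUE file. Commented-out assignments are
# ignored, the last active one wins, surrounding double quotes are dropped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# check_tls_pair CERT KEY CA
# Returns 0 = usable, 1 = KEY is not the private key of CERT,
#         2 = CERT does not verify against CA, 3 = CERT has expired,
#         4 = CERT or KEY could not be parsed (missing, encrypted, not PEM).
check_tls_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 4
    # Both commands print the public key as the same PEM structure, so a
    # plain string comparison tells whether certificate and key belong together.
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# check_proxy_conf CONF CA: run the checks on the files CONF points at.
check_proxy_conf() {
    cert=$(conf_value "$1" SSL_CERTIFICATE)
    key=$(conf_value "$1" SSL_KEY)
    [ -n "$cert" ] && [ -n "$key" ] || return 4
    check_tls_pair "$cert" "$key" "$2"
}

# Build a throwaway CA, one certificate signed by it, and two constructed
# config files: good.conf pairs the certificate with its own key, bad.conf
# names the CA certificate as SSL_CERTIFICATE next to the same key.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=engine.example.test" \
        -keyout "$d/engine.key" -out "$d/engine.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/engine.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 2 -days 2 -out "$d/engine.crt" 2>/dev/null || return 1
    printf 'PROXY_PORT=6100\n#SSL_CERTIFICATE=%s\nSSL_CERTIFICATE=%s\nSSL_KEY=%s\nSSL_ONLY=True\n' \
        "$d/old.crt" "$d/engine.crt" "$d/engine.key" > "$d/good.conf"
    printf 'PROXY_PORT=6100\nSSL_CERTIFICATE=%s\nSSL_KEY=%s\nSSL_ONLY=True\n' \
        "$d/ca.crt" "$d/engine.key" > "$d/bad.conf"
}

# Stand-alone run: show the exit code for each constructed config.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    for c in good bad; do
        rc=0
        check_proxy_conf "$dir/$c.conf" "$dir/ca.crt" || rc=$?
        echo "$c.conf -> exit code $rc"
    done
    rm -rf "$dir"
}
demo
```

Against a real installation, call `check_proxy_conf` with the proxy's config file and the CA certificate the browsers are expected to trust. Exit code 1 means the configured certificate and key do not belong together.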

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread aleksey . maksimov

Jiri, I did not hide information. Tell me what the log file should show and I 
will show

16.08.2016, 10:29, "Jiri Belka" :
> It does have logs, filenames "hide" real data.
>
> You should reveal logs and what each file is and
> which exact commands you were executing.
>
> Vague statements won't help much. It does work for me,
> there must be something strange in your setup but we
> cannot know what without details.
>
> j.
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Monday, August 15, 2016 6:18:48 PM
> Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/
>
> I tried a version of Nicolás.
> No success :((
>
> 1) I create full bundle cert file:
>
> # cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > \
>     /etc/pki/ovirt-engine/certs/apache-with-ca.cer
> # openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer
>
> /etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK
>
> 2) I changed config file:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> SSL_ONLY=True
> FORCE_DATA_VERIFICATION=False
>
> 3) I restarted the service
>
> # service ovirt-websocket-proxy restart
>
> Problem still exists :(
> Any ideas how to troubleshoot problem?
>
> 14.08.2016, 08:59, "aleksey.maksi...@it-kb.ru" :
>>  Hi Jiri.
>>  But your variant does not work, too
>>
>>  # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
>>  PROXY_PORT=6100
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_ONLY=True
>>
>>  Some error:
>>  WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>>
>>  any ideas how to troubleshoot problem?
>>
>>  14.08.2016, 01:53, "Jiri Belka" :
>>>   I have different files for those variables, maybe this is the case?
>>>
>>>   Review again.
>>>
>>>   j.
>>>
>>>   - Original Message -
>>>   From: "aleksey maksimov" 
>>>   To: "Jiri Belka" 
>>>   Cc: "users" 
>>>   Sent: Saturday, August 13, 2016 4:57:45 PM
>>>   Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
>>> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
>>> wss://ovirt.engine.fqdn:6100/
>>>
>>>   I changed my file 
>>> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>>
>>>   PROXY_PORT=6100
>>>   #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>>   #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>>   #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>>   SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>>   SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>>   CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>>   SSL_ONLY=True
>>>
>>>   ...and restart HostedEngine VM.
>>>   Problem still exists.
>>>
>>>   13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" 
>>> :
    It does not work for me. any ideas?

    02.08.2016, 17:22, "Jiri Belka" :
> This works for me:
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> - Original Message -
> From: "aleksey maksimov" 
> To: "users" 
> Sent: Monday, August 1, 2016 12:13:38 PM
> Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
> HTML5 browser client -> WebSocket error: Can't connect to websocket on 
> URL: wss://ovirt.engine.fqdn:6100/
>
> Hello oVirt guru`s !
>
> I have successfully replaced the oVirt 4 site SSL-certificate 
> according to the instructions from "Replacing oVirt SSL Certificate"
> section in "oVirt Administration Guide"
> http://www.ovirt.org/documentation/admin-guide/administration-guide/
>
> 3 files have been replaced:
>
> /etc/pki/ovirt-engine/certs/apache.cer
> /etc/pki/ovirt-engine/keys/apache.key.nopass
> /etc/pki/ovirt-engine/apache-ca.pem
>
> Now the oVirt site using my certificate and everything works fine, 
> 

Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: wss://ovirt.engine.fqdn:6100/

2016-08-16 Thread Jiri Belka
It does have logs, filenames "hide" real data.

You should reveal logs and what each file is and
which exact commands you were executing.

Vague statements won't help much. It does work for me,
there must be something strange in your setup but we
cannot know what without details.

j.

- Original Message -
From: "aleksey maksimov" 
To: "Jiri Belka" 
Cc: "users" 
Sent: Monday, August 15, 2016 6:18:48 PM
Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE HTML5 
browser client -> WebSocket error: Can't connect to websocket on URL: 
wss://ovirt.engine.fqdn:6100/

I tried a version of Nicolás. 
No success :((

1) I create full bundle cert file:

# cat /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/apache-ca.pem > \
    /etc/pki/ovirt-engine/certs/apache-with-ca.cer
# openssl verify /etc/pki/ovirt-engine/certs/apache-with-ca.cer

/etc/pki/ovirt-engine/certs/apache-with-ca.cer: OK

2) I changed config file:

# cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

PROXY_PORT=6100
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache-with-ca.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
SSL_ONLY=True
FORCE_DATA_VERIFICATION=False

3) I restarted the service

# service ovirt-websocket-proxy restart

Problem still exists :(
Any ideas how to troubleshoot problem?

14.08.2016, 08:59, "aleksey.maksi...@it-kb.ru" :
> Hi Jiri.
> But your variant does not work, too
>
> # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
> PROXY_PORT=6100
> SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
> SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
> CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
> SSL_ONLY=True
>
> Some error:
> WebSocket error: Can't connect to websocket on URL: 
> wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]
>
> any ideas how to troubleshoot problem?
>
> 14.08.2016, 01:53, "Jiri Belka" :
>>  I have different files for those variables, maybe this is the case?
>>
>>  Review again.
>>
>>  j.
>>
>>  - Original Message -
>>  From: "aleksey maksimov" 
>>  To: "Jiri Belka" 
>>  Cc: "users" 
>>  Sent: Saturday, August 13, 2016 4:57:45 PM
>>  Subject: Re: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
>> HTML5 browser client -> WebSocket error: Can't connect to websocket on URL: 
>> wss://ovirt.engine.fqdn:6100/
>>
>>  I changed my file 
>> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf to:
>>
>>  PROXY_PORT=6100
>>  #SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/websocket-proxy.cer
>>  #SSL_KEY=/etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass
>>  #CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
>>  SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
>>  SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>  CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/apache-ca.pem
>>  SSL_ONLY=True
>>
>>  ...and restart HostedEngine VM.
>>  Problem still exists.
>>
>>  13.08.2016, 17:52, "aleksey.maksi...@it-kb.ru" :
>>>   It does not work for me. any ideas?
>>>
>>>   02.08.2016, 17:22, "Jiri Belka" :
    This works for me:

    # cat /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
    PROXY_PORT=6100
    SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
    SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
    CERT_FOR_DATA_VERIFICATION=/etc/pki/ovirt-engine/certs/engine.cer
    SSL_ONLY=True

    - Original Message -
    From: "aleksey maksimov" 
    To: "users" 
    Sent: Monday, August 1, 2016 12:13:38 PM
    Subject: [ovirt-users] oVirt 4 with custom SSL-certificate and SPICE 
 HTML5 browser client -> WebSocket error: Can't connect to websocket on 
 URL: wss://ovirt.engine.fqdn:6100/

    Hello oVirt guru`s !

    I have successfully replaced the oVirt 4 site SSL-certificate according 
 to the instructions from "Replacing oVirt SSL Certificate"
    section in "oVirt Administration Guide"
    http://www.ovirt.org/documentation/admin-guide/administration-guide/

    3 files have been replaced:

    /etc/pki/ovirt-engine/certs/apache.cer
    /etc/pki/ovirt-engine/keys/apache.key.nopass
    /etc/pki/ovirt-engine/apache-ca.pem

    Now the oVirt site using my certificate and everything works fine, but 
 when I try to use SPICE HTML5 browser client in Firefox or Chrome I see a 
 gray screen and message under the button "Toggle messages output":

    WebSocket error: Can't connect to websocket on URL: 
 wss://ovirt.engine.fqdn:6100/eyJ...0=[object Event]

    Before replacing certificates SPICE HTML5 browser client works.
    Native SPICE 

Re: [ovirt-users] iSCSI Multipathing -> host inactive

2016-08-16 Thread Elad Ben Aharon
Currently, your host is connected through a single initiator, the 'Default'
interface (Iface Name: default), to 2 targets: tgta and tgtb (Target:
iqn.2005-10.org.freenas.ctl:tgta and Target: iqn.2005-10.org.freenas.ctl:tgtb).
Hence, each LUN is exposed from the storage server via 2 paths.
Since the connection to the storage is done via the 'Default' interface and
not via the 2 iSCSI networks you've configured, currently, the iSCSI bond
is not operational.

For the iSCSI bond to be operational, you'll have to do the following:
- Create 2 networks in RHEVM under the relevant cluster (not sure if you've
already done it) - iSCSI1 and iSCSI2. Configure both networks to be
non-required networks for the cluster (should be also non-VM networks).
- Attach the networks to the host's 2 interfaces using hosts Setup-networks.
- Create a new iSCSI bond / modify the bond you've created and pick the 2
newly created networks along with all storage targets. Make sure that the
Default network is not part of the bond (usually, the Default network is
the management one - 'ovirtmgmt').
- Put the host in maintenance and re-activate it so the iSCSI sessions will
be refreshed with the new connection specifications.



Please let me know if it works for you.

Elad

On Tue, Aug 16, 2016 at 9:26 AM, Uwe Laverenz  wrote:

> Hi,
>
> On 15.08.2016 at 16:53, Elad Ben Aharon wrote:
>
>> Is the iSCSI domain that is supposed to be connected through the bond the
>> current master domain?
>
> No, it isn't. An NFS share is the master domain.
>
>
>> Also, can you please provide the output of 'iscsiadm -m session -P3' ?
>
> Yes, of course (meanwhile I have switched to 2 targets, 1 per portal).
> This is _without_ iSCSI-Bond:
>
> [root@ovh01 ~]# iscsiadm -m session -P3
> iSCSI Transport Class version 2.0-870
> version 6.2.0.873-33.2
> Target: iqn.2005-10.org.freenas.ctl:tgta (non-flash)
> Current Portal: 10.0.131.121:3260,257
> Persistent Portal: 10.0.131.121:3260,257
> **
> Interface:
> **
> Iface Name: default
> Iface Transport: tcp
> Iface Initiatorname: iqn.1994-05.com.redhat:cda91b279ac5
> Iface IPaddress: 10.0.131.122
> Iface HWaddress: 
> Iface Netdev: 
> SID: 34
> iSCSI Connection State: LOGGED IN
> iSCSI Session State: LOGGED_IN
> Internal iscsid Session State: NO CHANGE
> *
> Timeouts:
> *
> Recovery Timeout: 5
> Target Reset Timeout: 30
> LUN Reset Timeout: 30
> Abort Timeout: 15
> *
> CHAP:
> *
> username: 
> password: 
> username_in: 
> password_in: 
> 
> Negotiated iSCSI params:
> 
> HeaderDigest: None
> DataDigest: None
> MaxRecvDataSegmentLength: 262144
> MaxXmitDataSegmentLength: 131072
> FirstBurstLength: 131072
> MaxBurstLength: 16776192
> ImmediateData: Yes
> InitialR2T: Yes
> MaxOutstandingR2T: 1
> 
> Attached SCSI devices:
> 
> Host Number: 44 State: running
> scsi44 Channel 00 Id 0 Lun: 0
> Attached scsi disk sdf  State: running
> scsi44 Channel 00 Id 0 Lun: 1
> Attached scsi disk sdg  State: running
> scsi44 Channel 00 Id 0 Lun: 2
> Attached scsi disk sdh  State: running
> scsi44 Channel 00 Id 0 Lun: 3
> Attached scsi disk sdi  State: running
> Target: iqn.2005-10.org.freenas.ctl:tgtb (non-flash)
> Current Portal: 10.0.132.121:3260,258
> Persistent Portal: 10.0.132.121:3260,258
> **
> Interface:
> **
> Iface Name: default
> Iface Transport: tcp
> Iface Initiatorname: iqn.1994-05.com.redhat:cda91b279ac5
> Iface IPaddress: 10.0.132.122
> Iface HWaddress: 
> Iface Netdev: 
> SID: 35
> iSCSI Connection State: LOGGED IN
> iSCSI Session State: LOGGED_IN
> Internal iscsid Session State: NO CHANGE
> *
> Timeouts:
> *
> Recovery Timeout: 5
> Target Reset 

Re: [ovirt-users] iSCSI Multipathing -> host inactive

2016-08-16 Thread Uwe Laverenz

Hi,

On 15.08.2016 at 16:53, Elad Ben Aharon wrote:


> Is the iSCSI domain that is supposed to be connected through the bond the
> current master domain?


No, it isn't. An NFS share is the master domain.



> Also, can you please provide the output of 'iscsiadm -m session -P3' ?


Yes, of course (meanwhile I have switched to 2 targets, 1 per portal). 
This is _without_ iSCSI-Bond:


[root@ovh01 ~]# iscsiadm -m session -P3
iSCSI Transport Class version 2.0-870
version 6.2.0.873-33.2
Target: iqn.2005-10.org.freenas.ctl:tgta (non-flash)
Current Portal: 10.0.131.121:3260,257
Persistent Portal: 10.0.131.121:3260,257
**
Interface:
**
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.1994-05.com.redhat:cda91b279ac5
Iface IPaddress: 10.0.131.122
Iface HWaddress: 
Iface Netdev: 
SID: 34
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE
*
Timeouts:
*
Recovery Timeout: 5
Target Reset Timeout: 30
LUN Reset Timeout: 30
Abort Timeout: 15
*
CHAP:
*
username: 
password: 
username_in: 
password_in: 

Negotiated iSCSI params:

HeaderDigest: None
DataDigest: None
MaxRecvDataSegmentLength: 262144
MaxXmitDataSegmentLength: 131072
FirstBurstLength: 131072
MaxBurstLength: 16776192
ImmediateData: Yes
InitialR2T: Yes
MaxOutstandingR2T: 1

Attached SCSI devices:

Host Number: 44 State: running
scsi44 Channel 00 Id 0 Lun: 0
Attached scsi disk sdf  State: running
scsi44 Channel 00 Id 0 Lun: 1
Attached scsi disk sdg  State: running
scsi44 Channel 00 Id 0 Lun: 2
Attached scsi disk sdh  State: running
scsi44 Channel 00 Id 0 Lun: 3
Attached scsi disk sdi  State: running
Target: iqn.2005-10.org.freenas.ctl:tgtb (non-flash)
Current Portal: 10.0.132.121:3260,258
Persistent Portal: 10.0.132.121:3260,258
**
Interface:
**
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.1994-05.com.redhat:cda91b279ac5
Iface IPaddress: 10.0.132.122
Iface HWaddress: 
Iface Netdev: 
SID: 35
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE
*
Timeouts:
*
Recovery Timeout: 5
Target Reset Timeout: 30
LUN Reset Timeout: 30
Abort Timeout: 15
*
CHAP:
*
username: 
password: 
username_in: 
password_in: 

Negotiated iSCSI params:

HeaderDigest: None
DataDigest: None
MaxRecvDataSegmentLength: 262144
MaxXmitDataSegmentLength: 131072
FirstBurstLength: 131072
MaxBurstLength: 16776192
ImmediateData: Yes
InitialR2T: Yes
MaxOutstandingR2T: 1

Attached SCSI devices:

Host Number: 45 State: running
scsi45 Channel 00 Id 0 Lun: 0
Attached scsi disk sdj  State: running
scsi45 Channel 00 Id 0 Lun: 1
Attached scsi disk sdk  State: running
scsi45 Channel 00 Id 0 Lun: 2
Attached scsi disk sdl  State: running
scsi45 Channel 00 Id 0 Lun: 3
Attached scsi disk sdm  State: running

And `multipath -ll`:

[root@ovh01 ~]# multipath -ll
36589cfc00fafcc87da5ddd69c7e2 dm-2 FreeNAS ,iSCSI Disk