[ovirt-users] Re: Fwd: Fwd: Issues with Gluster Domain

2020-06-19 Thread C Williams
Hello,

Was wanting to follow up on this issue. Users are impacted.

Thank You

On Fri, Jun 19, 2020 at 9:20 AM C Williams  wrote:

> Hello,
>
> Here are the logs (some IPs are changed )
>
> ov05 is the SPM
>
> Thank You For Your Help !
>
> On Thu, Jun 18, 2020 at 11:31 PM Strahil Nikolov 
> wrote:
>
>> Check on the hosts tab , which is your current SPM (last column in Admin
>> UI).
>> Then open the /var/log/vdsm/vdsm.log  and repeat the operation.
>> Then provide the log from that host and the engine's log (on the
>> HostedEngine VM or on your standalone engine).
>>
>> Best Regards,
>> Strahil Nikolov
>>
>> На 18 юни 2020 г. 23:59:36 GMT+03:00, C Williams 
>> написа:
>> >Resending to eliminate email issues
>> >
>> >-- Forwarded message -
>> >From: C Williams 
>> >Date: Thu, Jun 18, 2020 at 4:01 PM
>> >Subject: Re: [ovirt-users] Fwd: Issues with Gluster Domain
>> >To: Strahil Nikolov 
>> >
>> >
>> >Here is output from mount
>> >
>> >192.168.24.12:/stor/import0 on
>> >/rhev/data-center/mnt/192.168.24.12:_stor_import0
>> >type nfs4
>>
>> >(rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,soft,nosharecache,proto=tcp,timeo=600,retrans=6,sec=sys,clientaddr=192.168.24.18,local_lock=none,addr=192.168.24.12)
>> >192.168.24.13:/stor/import1 on
>> >/rhev/data-center/mnt/192.168.24.13:_stor_import1
>> >type nfs4
>>
>> >(rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,soft,nosharecache,proto=tcp,timeo=600,retrans=6,sec=sys,clientaddr=192.168.24.18,local_lock=none,addr=192.168.24.13)
>> >192.168.24.13:/stor/iso1 on
>> >/rhev/data-center/mnt/192.168.24.13:_stor_iso1
>> >type nfs4
>>
>> >(rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,soft,nosharecache,proto=tcp,timeo=600,retrans=6,sec=sys,clientaddr=192.168.24.18,local_lock=none,addr=192.168.24.13)
>> >192.168.24.13:/stor/export0 on
>> >/rhev/data-center/mnt/192.168.24.13:_stor_export0
>> >type nfs4
>>
>> >(rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,soft,nosharecache,proto=tcp,timeo=600,retrans=6,sec=sys,clientaddr=192.168.24.18,local_lock=none,addr=192.168.24.13)
>> >192.168.24.15:/images on
>> >/rhev/data-center/mnt/glusterSD/192.168.24.15:_images
>> >type fuse.glusterfs
>>
>> >(rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
>> >192.168.24.18:/images3 on
>> >/rhev/data-center/mnt/glusterSD/192.168.24.18:_images3
>> >type fuse.glusterfs
>>
>> >(rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,max_read=131072)
>> >tmpfs on /run/user/0 type tmpfs
>> >(rw,nosuid,nodev,relatime,seclabel,size=13198392k,mode=700)
>> >[root@ov06 glusterfs]#
>> >
>> >Also here is a screenshot of the console
>> >
>> >[image: image.png]
>> >The other domains are up
>> >
>> >Import0 and Import1 are NFS . GLCL0 is gluster. They all are running
>> >VMs
>> >
>> >Thank You For Your Help !
>> >
>> >On Thu, Jun 18, 2020 at 3:51 PM Strahil Nikolov 
>> >wrote:
>> >
>> >> I don't see '/rhev/data-center/mnt/192.168.24.13:_stor_import1'
>> >mounted
>> >> at all  .
>> >> What is the status  of all storage domains ?
>> >>
>> >> Best  Regards,
>> >> Strahil  Nikolov
>> >>
>> >> На 18 юни 2020 г. 21:43:44 GMT+03:00, C Williams
>> >
>> >> написа:
>> >> >  Resending to deal with possible email issues
>> >> >
>> >> >-- Forwarded message -
>> >> >From: C Williams 
>> >> >Date: Thu, Jun 18, 2020 at 2:07 PM
>> >> >Subject: Re: [ovirt-users] Issues with Gluster Domain
>> >> >To: Strahil Nikolov 
>> >> >
>> >> >
>> >> >More
>> >> >
>> >> >[root@ov06 ~]# for i in $(gluster volume list);  do  echo $i;echo;
>> >> >gluster
>> >> >volume info $i; echo;echo;gluster volume status
>> >$i;echo;echo;echo;done
>> >> >images3
>> >> >
>> >> >
>> >> >Volume Name: images3
>> >> >Type: Replicate
>> >> >Volume ID: 0243d439-1b29-47d0-ab39-d61c2f15ae8b
>> >> >Status: Started
>> >> >Snapshot Count: 0
>> >> >Number of Bricks: 1 x 3 = 3
>> >> >Transport-type: tcp
>> >> >Bricks:
>> >> >Brick1: 192.168.24.18:/bricks/brick04/images3
>> >> >Brick2: 192.168.24.19:/bricks/brick05/images3
>> >> >Brick3: 192.168.24.20:/bricks/brick06/images3
>> >> >Options Reconfigured:
>> >> >performance.client-io-threads: on
>> >> >nfs.disable: on
>> >> >transport.address-family: inet
>> >> >user.cifs: off
>> >> >auth.allow: *
>> >> >performance.quick-read: off
>> >> >performance.read-ahead: off
>> >> >performance.io-cache: off
>> >> >performance.low-prio-threads: 32
>> >> >network.remote-dio: off
>> >> >cluster.eager-lock: enable
>> >> >cluster.quorum-type: auto
>> >> >cluster.server-quorum-type: server
>> >> >cluster.data-self-heal-algorithm: full
>> >> >cluster.locking-scheme: granular
>> >> >cluster.shd-max-threads: 8
>> >> >cluster.shd-wait-qlength: 1
>> >> >features.shard: on
>> >> >cluster.choose-local: off
>> >> >client.event-threads: 4
>> >> >server.event-threads: 4
>> >> >storage.owner-uid: 36
>> >> >storage.owner-gid: 36
>> >> >performance.strict-o-direct: on
>> >> >network.ping-timeout: 30
>> >> 

[ovirt-users] Re: status of oVirt 4.4.x and CentOS 8.2

2020-06-19 Thread Dominik Holler
Hello Mark,
can you please share the relevant lines of supervdsm.log from the host?
Helpful to understand the intended change are the lines starting with the
relevant "call setupNetworks",
including the line containing "Desired state"
until some lines below "Unexpected failure of libnm when running the
mainloop"
The most recent line containing "return network_caps with" is helpful to
understand the initial state before the error occurred.
Thanks
Dominik





On Fri, Jun 19, 2020 at 6:16 PM Mark R  wrote:

> The error with a bit more info from the events page, after adding network
> to an interface fails:
>
> VDSM rack4slot11.domain.com command HostSetupNetworksVDS failed: Internal
> JSON-RPC error: {'reason': 'Unexpected failure of libnm when running the
> mainloop: run execution'}
>
> Sorry, should have included that in the other message.
>
> Mark
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3BHB7KKSSTHCN2AN5ZAIY5MZVFI7IG36/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4OBNBGYGMTN4AFUOJVXAJQUALW3GJ7BB/


[ovirt-users] Re: Change Hosted engine VM cluster compatibility version throws error

2020-06-19 Thread Michal Skrivanek
On 19 Jun 2020, at 16:40, Ritesh Chikatwar  wrote:




On Fri, Jun 19, 2020, 7:26 PM Michal Skrivanek 
wrote:

>
>
> On 19 Jun 2020, at 13:41, Ritesh Chikatwar  wrote:
>
>
>
> On Thu, Jun 18, 2020 at 11:59 PM Michal Skrivanek <
> michal.skriva...@redhat.com> wrote:
>
>>
>>
>> On 18 Jun 2020, at 08:59, Ritesh Chikatwar  wrote:
>>
>> Hello Team,
>>
>>
>> When i try to change Cluster compatible version HE it throws error As
>>
>>
>> what exactly are you changing where?
>>
>
> I am trying to change the cluster compatible version for the Hosted engine
> in Ui. The drop down did not set any value and I am trying to set to 4.4.
>
>
> which drop down?
> Why are you changing cluster compatibility level of HE?
>
> maybe that’s the best question for starts - what’s the current situation
> and what are you trying to get to?:)
>

Yeah correct Michal I should have explained that in the beginning of mail
itself. Apologize for that.

I have 4.4 rhhi setup with storage as gluster. But in this setup gluster
service is not enable by default. I can make it enable from the UI by
editing cluster and when try the same I get the error as

 Error while executing action: Update of cluster compatibility version
failed because there are VMs/Templates [HostedEngine]


Ah ok, that explains a lot. The message is misleading, it has nothing to do
with cluster version.
Can you please share your engine.log with that failure to check what
exactly failed there?

Lucia, the message is definitely confusing and your patch should be
finalized and merged:)

Thanks,
michal

with incorrect configuration. To fix the issue, please go to each of them,
edit, change the Custom Compatibility Version of the VM/Template to the
cluster level you want to update the cluster to and press OK. If the save
does not pass, fix the dialog validation. After successful cluster update,
you can revert your Custom Compatibility Version change.

This is the reason I am changing vm's compatibility version.


I also have one doubt here when vm got created , why vm's not settled the
value for cluster compatible version.




> Thanks,
> michal
>
>
>>
>> Error while executing action:
>>
>> HostedEngine:
>>
>>- There was an attempt to change Hosted Engine VM values that are
>>locked.
>>
>> I am trying to change the version to 4.4 it was showing blank.
>>
>> Any suggestions on how I can edit.
>>
>> The VM other than HE is able to editi.
>>
>>
>>
>> *Ritesh*
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3EBGCBFDUBHNI6G5E3NG4DCD7RQJLUNC/
>>
>>
>>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3RBWL4PEJIEKNQ2GMONNJJDK2ZCWS4PO/


[ovirt-users] Re: [ANN] oVirt 4.4.1 Fifth Release Candidate is now available for testing

2020-06-19 Thread Sandro Bonazzola
>
> Notes:
>
> - oVirt Appliance is not yet available due to outage on Fedora
> infrastructure occurred during the build.
>
>
>
The outage has been workarounded and an Appliance has been built and
published.

-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R RHV

Red Hat EMEA 

sbona...@redhat.com


*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/W2ECVFDYEWIH2J6T6Q5NCA7E5V66UVC6/


[ovirt-users] Re: status of oVirt 4.4.x and CentOS 8.2

2020-06-19 Thread Mark R
The error with a bit more info from the events page, after adding network to an 
interface fails:

VDSM rack4slot11.domain.com command HostSetupNetworksVDS failed: Internal 
JSON-RPC error: {'reason': 'Unexpected failure of libnm when running the 
mainloop: run execution'}

Sorry, should have included that in the other message.

Mark
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3BHB7KKSSTHCN2AN5ZAIY5MZVFI7IG36/


[ovirt-users] Re: status of oVirt 4.4.x and CentOS 8.2

2020-06-19 Thread Mark R
Hi Michal,

Might the openvswitch issues you mention be tied to the issue I'm having 
standing up a new 4.4 installation on 8.2, namely that you can create a network 
in the UI, but when you go to apply/attach it to a host (using the 
drag-and-drop wizard to try to add a new network onto the same bond ovirtmgmt 
uses), it fails?  So I can now install a new hosted-engine setup on 8.2 with 
EPYC CPUs, definitely forward progress, but I can't configure any networks 
beyond ovirtmgmt. Dragging a new network onto the bond and clicking "OK" gets 
"Error while executing action HostSetupNetworks: Unexpected exception".

Thanks,
Mark
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XU2TX3OXQ3TVQNAGBOONX73CJMRBGGNY/


[ovirt-users] Re: Change Hosted engine VM cluster compatibility version throws error

2020-06-19 Thread Ritesh Chikatwar
On Fri, Jun 19, 2020, 7:26 PM Michal Skrivanek 
wrote:

>
>
> On 19 Jun 2020, at 13:41, Ritesh Chikatwar  wrote:
>
>
>
> On Thu, Jun 18, 2020 at 11:59 PM Michal Skrivanek <
> michal.skriva...@redhat.com> wrote:
>
>>
>>
>> On 18 Jun 2020, at 08:59, Ritesh Chikatwar  wrote:
>>
>> Hello Team,
>>
>>
>> When i try to change Cluster compatible version HE it throws error As
>>
>>
>> what exactly are you changing where?
>>
>
> I am trying to change the cluster compatible version for the Hosted engine
> in Ui. The drop down did not set any value and I am trying to set to 4.4.
>
>
> which drop down?
> Why are you changing cluster compatibility level of HE?
>
> maybe that’s the best question for starts - what’s the current situation
> and what are you trying to get to?:)
>

Yeah correct Michal I should have explained that in the beginning of mail
itself. Apologize for that.

I have 4.4 rhhi setup with storage as gluster. But in this setup gluster
service is not enable by default. I can make it enable from the UI by
editing cluster and when try the same I get the error as

 Error while executing action: Update of cluster compatibility version
failed because there are VMs/Templates [HostedEngine] with incorrect
configuration. To fix the issue, please go to each of them, edit, change
the Custom Compatibility Version of the VM/Template to the cluster level
you want to update the cluster to and press OK. If the save does not pass,
fix the dialog validation. After successful cluster update, you can revert
your Custom Compatibility Version change.

This is the reason I am changing vm's compatibility version.


I also have one doubt here when vm got created , why vm's not settled the
value for cluster compatible version.




> Thanks,
> michal
>
>
>>
>> Error while executing action:
>>
>> HostedEngine:
>>
>>- There was an attempt to change Hosted Engine VM values that are
>>locked.
>>
>> I am trying to change the version to 4.4 it was showing blank.
>>
>> Any suggestions on how I can edit.
>>
>> The VM other than HE is able to editi.
>>
>>
>>
>> *Ritesh*
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3EBGCBFDUBHNI6G5E3NG4DCD7RQJLUNC/
>>
>>
>>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XLQUQCZMU3X5HWENI4RYFBHJPYJM2FP4/


[ovirt-users] Re: status of oVirt 4.4.x and CentOS 8.2

2020-06-19 Thread Michal Skrivanek


> On 19 Jun 2020, at 13:16, Gianluca Cecchi  wrote:
> 
> Hello,
> what is the current status both if using plain CentOS based nodes and 
> ovirt-node-ng?
> Do the release of CentOS 8.2 impact new installation for 4.4.0 and/or 4.4.1rc?

Hi,
newer builds (the 4.4.1 build sandro sent just now) use 8.2 and require 8.2.
If you’d upgrade your existing 4.4.0/4.4.1 host to 8.2 it may not necessarily 
work, openvswitch issues might break. We were not testing it, CentOS releases 
are always without any heads up.
I would suggest to do it together with upgrading to 4.4.1 rc5, but certainly 
not on a production setupu just yet

Thanks,
michal

> 
> Thanks,
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: 
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives: 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/5QZZNPOBXC5T5XXJ52ZWWR4PRKMJZIXK/
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EPFMUOGKKP4Z3L6GDKD5ZRIQ6ZC77S4W/


[ovirt-users] Re: Change Hosted engine VM cluster compatibility version throws error

2020-06-19 Thread Michal Skrivanek


> On 19 Jun 2020, at 13:41, Ritesh Chikatwar  wrote:
> 
> 
> 
> On Thu, Jun 18, 2020 at 11:59 PM Michal Skrivanek 
> mailto:michal.skriva...@redhat.com>> wrote:
> 
> 
>> On 18 Jun 2020, at 08:59, Ritesh Chikatwar > > wrote:
>> 
>> Hello Team,
>> 
>> 
>> When i try to change Cluster compatible version HE it throws error As
> 
> what exactly are you changing where?
> 
> I am trying to change the cluster compatible version for the Hosted engine in 
> Ui. The drop down did not set any value and I am trying to set to 4.4.  

which drop down?
Why are you changing cluster compatibility level of HE?

maybe that’s the best question for starts - what’s the current situation and 
what are you trying to get to?:)

Thanks,
michal

> 
>> 
>> Error while executing action:
>> 
>> HostedEngine:
>> There was an attempt to change Hosted Engine VM values that are locked.
>> I am trying to change the version to 4.4 it was showing blank.
>> 
>> Any suggestions on how I can edit.
>> 
>> The VM other than HE is able to editi.
>> 
>> 
>> 
>> Ritesh
>> ___
>> Users mailing list -- users@ovirt.org 
>> To unsubscribe send an email to users-le...@ovirt.org 
>> 
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html 
>> 
>> oVirt Code of Conduct: 
>> https://www.ovirt.org/community/about/community-guidelines/ 
>> 
>> List Archives: 
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3EBGCBFDUBHNI6G5E3NG4DCD7RQJLUNC/
>>  
>> 
> 

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TZZZWD76X2PAFCIMR4GXEZARNWDJBCZ7/


[ovirt-users] [ANN] oVirt 4.4.1 Fifth Release Candidate is now available for testing

2020-06-19 Thread Sandro Bonazzola
oVirt 4.4.1 Fifth Release Candidate is now available for testing

The oVirt Project is pleased to announce the availability of oVirt 4.4.1
Fifth Release Candidate for testing, as of June 19th, 2020.

This update is the first in a series of stabilization updates to the 4.4
series.
Important notes before you try it

Please note this is a pre-release build.

The oVirt Project makes no guarantees as to its suitability or usefulness.

This pre-release must not be used in production.

Important changes from previous versions

   -

   Wildfly has been updated to version 19.1 Final
   -

   oVirt Node has been rebased on top of CentOS 8.2.2004
   -

   oVirt Node UEFI support has been re-introduced
   -

   Advanced Virtualization and openvswitch 2.11 have been updated to latest
   version available for CentOS 8.2.2004

Installation instructions

For the engine: either use appliance or:

- Install CentOS Linux 8.2 minimal from
http://centos.mirror.garr.it/centos/8/isos/x86_64/CentOS-8.2.2004-x86_64-dvd1.iso

- dnf install
https://resources.ovirt.org/pub/yum-repo/ovirt-release44-pre.rpm

- dnf update (reboot if needed)

- dnf module enable -y javapackages-tools pki-deps postgresql:12

- dnf install ovirt-engine

- engine-setup

For the nodes:

Either use oVirt Node ISO or:

- Install CentOS Linux 8 from
http://centos.mirror.garr.it/centos/8/isos/x86_64/CentOS-8.2.2004-x86_64-dvd1.iso
; select minimal installation

- dnf install
https://resources.ovirt.org/pub/yum-repo/ovirt-release44-pre.rpm

- dnf update (reboot if needed)

- Attach the host to engine and let it be deployed.



This release is available now on x86_64 architecture for:

* Red Hat Enterprise Linux 8.2 or newer

* CentOS Linux (or similar) 8.2 or newer

This release supports Hypervisor Hosts on x86_64 and ppc64le architectures
for:

* Red Hat Enterprise Linux 8.2 or newer

* CentOS Linux (or similar) 8.2 or newer

* oVirt Node 4.4.1 based on CentOS Linux 8.2 (available for x86_64 only)

See the release notes [1] for installation instructions and a list of new
features and bugs fixed.

Notes:

- oVirt Appliance is not yet available due to outage on Fedora
infrastructure occurred during the build.

- oVirt Node NG is already available.

Additional Resources:

* Read more about the oVirt 4.4.1 release highlights:
http://www.ovirt.org/release/4.4.1/

* Get more oVirt project updates on Twitter: https://twitter.com/ovirt

* Check out the latest project news on the oVirt blog:
http://www.ovirt.org/blog/


[1] http://www.ovirt.org/release/4.4.1/

[2] http://resources.ovirt.org/pub/ovirt-4.4-pre/iso/


-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R RHV

Red Hat EMEA 

sbona...@redhat.com


*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.
*
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CPFMRFE4J52LUIHAEIQICGTFV6A3ES6R/


[ovirt-users] Re: Change Hosted engine VM cluster compatibility version throws error

2020-06-19 Thread Ritesh Chikatwar
On Thu, Jun 18, 2020 at 11:59 PM Michal Skrivanek <
michal.skriva...@redhat.com> wrote:

>
>
> On 18 Jun 2020, at 08:59, Ritesh Chikatwar  wrote:
>
> Hello Team,
>
>
> When i try to change Cluster compatible version HE it throws error As
>
>
> what exactly are you changing where?
>

I am trying to change the cluster compatible version for the Hosted engine
in Ui. The drop down did not set any value and I am trying to set to 4.4.

>
>
> Error while executing action:
>
> HostedEngine:
>
>- There was an attempt to change Hosted Engine VM values that are
>locked.
>
> I am trying to change the version to 4.4 it was showing blank.
>
> Any suggestions on how I can edit.
>
> The VM other than HE is able to editi.
>
>
>
> *Ritesh*
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3EBGCBFDUBHNI6G5E3NG4DCD7RQJLUNC/
>
>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/V4TDLJZPIGV2ZBORTOWAW5FJZLM6RCO2/


[ovirt-users] status of oVirt 4.4.x and CentOS 8.2

2020-06-19 Thread Gianluca Cecchi
Hello,
what is the current status both if using plain CentOS based nodes and
ovirt-node-ng?
Do the release of CentOS 8.2 impact new installation for 4.4.0 and/or
4.4.1rc?

Thanks,
Gianluca
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5QZZNPOBXC5T5XXJ52ZWWR4PRKMJZIXK/


[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Anton Louw via Users
Hi Artur,

Please see below:

ovirt-engine.noarch 4.3.10.4-1.el7@ovirt-4.3
ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7   @ovirt-4.3
mod_auth_openidc.x86_64 1.8.8-5.el7   @base

[root@virt ~]# cat /etc/*elease
CentOS Linux release 7.7.1908 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/;
BUG_REPORT_URL="https://bugs.centos.org/;

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.7.1908 (Core)
CentOS Linux release 7.7.1908 (Core)

KeyCloak –

Server Version
10.0.1

Thanks a lot for your help Artur. Please let me know if you need anything else.

From: Artur Socha 
Sent: 19 June 2020 12:39
To: Anton Louw ; users@ovirt.org
Cc: Stephen Hutchinson 
Subject: Re: [ovirt-users] KeyCloak Integration

On Fri, 2020-06-19 at 10:21 +, Anton Louw wrote:

Yes I didn’t get to the OVN part yet, as I first wanted to test the if the 
token can be obtained.

This is the first time we are testing KeyCloak in any environment, so we have 
never been able to obtain a token for API access.

Please post the exact versions of:
- ovirt-engine* :
yum list --installed | grep ovirt-engine
yum list --intalled | grep ovirt-engine-extension-aaa-misc
yum list --installed | grep mod_auth_openidc
- keycloak
- OS
cat /etc/*elease

I'll submit a bug ... which, most likely, I will assign to myself anyway :)

Artur

Thanks

From: Artur Socha mailto:aso...@redhat.com>>
Sent: 19 June 2020 12:16
To: Anton Louw 
mailto:anton.l...@voxtelecom.co.za>>; 
users@ovirt.org
Cc: Stephen Hutchinson 
mailto:stephen.hutchin...@voxtelecom.co.za>>
Subject: Re: [ovirt-users] KeyCloak Integration

On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:

Hi Artur,

Sure, please see below output:

[root@virt ~]# curl -vvv -H "Accept:application/json" 
'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password=myuser=mypass=ovirt-app-api'
* About to connect() to virt.example.co.za port 443 
(#0)
*   Trying 127.0.0.1...
* Connected to virt.example.co.za 
(127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=*.example.co.za,OU=Domain Control Validated
*   start date: Sep 25 07:46:12 2019 GMT
*   expire date: Oct 02 07:39:01 2020 GMT
*   common name: *example.co.za
*   issuer: CN=Starfield Secure Certificate Authority - 
G2,OU=http://certs.starfieldtech.com/repository/,O="Starfield
 Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
> GET 
> /ovirt-engine/sso/oauth/token?grant_type=password=myuser=mypass=ovirt-app-api
>  HTTP/1.1
> User-Agent: curl/7.29.0
> Host: virt.example.co.za
> Accept:application/json
>
< HTTP/1.1 400 Bad Request
< Date: Fri, 19 Jun 2020 09:52:11 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
< Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647; 
Expires=Wed, 07-Jul-2088 13:06:18 GMT
< X-XSS-PROTECTION: 1; MODE=BLOCK
< X-CONTENT-TYPE-OPTIONS: NOSNIFF
< X-FRAME-OPTIONS: SAMEORIGIN
< Content-Type: application/json
< Content-Length: 233
< Connection: close
<
* Closing connection 0
{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: 
ovirt-app-api ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access."}

1) Test connection using python script (from the blog post ) using sdk. I 
suspect it will not work either.
Testing from Python gives me the same error as well.

2) I saw some errors in the log on revoking token. Please go to keycloak admin 
panel, and under users kill all its active sessions. Then, please without 
logging in to engine admin UI, use that curl to obtain token.
Tested this again, but still getting the below:
{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: 
ovirt-app-api ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access."}

Thanks for these test ... unfortunately nothing helped


3) Does it work without OVN integration enabled?
Can you explain a bit more? How can I disable OVN integration to test this?

I had in mind reverting OVN vs Keycloak integration done according to 
"Configuring OVN" chapter in 

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 10:21 +, Anton Louw wrote:
> 
> 
> 
> Yes I didn’t get to the OVN part yet, as I first wanted to test the if the
> token can be obtained.
> 
>  
> 
> This is the first time we are testing KeyCloak in any environment, so we have
> never been able to obtain a token for API access.
> 
>  
Please post the exact versions of:
- ovirt-engine* :   
yum list --installed | grep ovirt-engine 
yum list --intalled | grep ovirt-engine-extension-aaa-misc

yum list --installed | grep mod_auth_openidc
- keycloak
- OS
cat /etc/*elease

I'll submit a bug ... which, most likely, I will assign to myself anyway :)

Artur

> Thanks
>  
> 
> 
> From: Artur Socha 
> 
> 
> Sent: 19 June 2020 12:16
> 
> To: Anton Louw ; users@ovirt.org
> 
> Cc: Stephen Hutchinson 
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:
> 
> >  
> > Hi Artur,
> >  
> > Sure, please see below output:
> >  
> > [root@virt ~]# curl -vvv -H "Accept:application/json" '
> > https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password=myuser=mypass=ovirt-app-api'
> > * About to connect() to 
> > virt.example.co.za port 443 (#0)
> > *   Trying 
> > 127.0.0.1...
> > * Connected to 
> > virt.example.co.za (127.0.0.1) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> > * Server certificate:
> > *   subject: CN=*.example.co.za,OU=Domain Control Validated
> > *   start date: Sep 25 07:46:12 2019 GMT
> > *   expire date: Oct 02 07:39:01 2020 GMT
> > *   common name: *example.co.za
> > *   issuer: CN=Starfield Secure Certificate Authority - G2,OU=
> > http://certs.starfieldtech.com/repository/,O="Starfield Technologies,
> >  Inc.",L=Scottsdale,ST=Arizona,C=US
> > > GET /ovirt-
> > engine/sso/oauth/token?grant_type=password=myuser=mypass
> > cope=ovirt-app-api HTTP/1.1
> > > User-Agent: curl/7.29.0
> > > Host: 
> > virt.example.co.za
> > > Accept:application/json
> > > 
> > < HTTP/1.1 400 Bad Request
> > < Date: Fri, 19 Jun 2020 09:52:11 GMT
> > < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
> > < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647;
> > Expires=Wed, 07-Jul-2088 13:06:18 GMT
> > < X-XSS-PROTECTION: 1; MODE=BLOCK
> > < X-CONTENT-TYPE-OPTIONS: NOSNIFF
> > < X-FRAME-OPTIONS: SAMEORIGIN
> > < Content-Type: application/json
> > < Content-Length: 233
> > < Connection: close
> > < 
> > * Closing connection 0
> > {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> > info:public-authz-search ovirt-ext=token-info:validate ovirt-
> > ext=token:password-access."}
> >  
> > 1) Test connection using python script (from the blog post ) using sdk. I
> > suspect it will not work either.
> > Testing from Python gives me the same error as well.
> >  
> > 2) I saw some errors in the log on revoking token. Please go to keycloak
> > admin panel, and under users kill all its active sessions. Then, please
> > without logging in to engine admin UI, use that curl
> >  to obtain token.
> > Tested this again, but still getting the below:
> > {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> > info:public-authz-search ovirt-ext=token-info:validate
> >  ovirt-ext=token:password-access."}
> >  
> 
> Thanks for these test ... unfortunately nothing helped
> 
> 
>  
> 
> 
>  
> 
> > 3) Does it work without OVN integration enabled?
> > Can you explain a bit more? How can I disable OVN integration to test this?
> 
>  
> 
> 
> I had in mind reverting OVN vs Keycloak integration done according to
> "Configuring OVN" chapter in
> 
> https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> 
> 
> 
> Unless, of course, you skipped it.
> 
> 
> 
>  
> 
> 
> Most likely you found a bug. Have you ever been able to obtain token for api
> access with keycloak integration (even with you previous environments)? 
> 
> 
> I am now trying to understand what happened and how to reproduce it before
> submitting the bug into
> 
> http://bugzilla.redhat.com
> 
> 
>  
> 
> 
>   
>   
>   
> Anton Louw
>  
>   
> Cloud Engineer: Storage and Virtualization at Vox
> 
>   
>   
> 
>   
>   
> T:  087 805  | D: 087 805 1572
> M: N/A
> 
> E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> 
> www.vox.co.za
>   
> 
> 
> 
> 
> 
>   
>   
>   
>   
>   
> 
> 
> 
>   
> 
> 
> 
> 
> 
> 
> 
> 
> >  
> > Thanks
> >  
> >  
> > 
> > 
> > 
> > 
> > Anton Louw
> > 
> > 
> > 
> > 
> > Cloud Engineer: Storage 

[ovirt-users] Re: oVirt 4.4.0 Release is now generally available

2020-06-19 Thread olaf . buitelaar
Dear oVirt users,

I was wondering with the release of 4.4, but having a quite difficult upgrade 
path; reinstalling the engine, and moving all machines to rhel/centos 8.
Are there any plans to update the gluster dependencies to version 7 in the the 
ovirt-4.3-dependencies.repo? Or will oVirt 4.3 always be stuck at gluster 
version 6?

Thanks Olaf
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PBCMNR7RDGGANVAJM3KF7V6Y3G4NV27L/


[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
> 
>  
> 
> Sure, please see below output:
> 
>  
> 
> [root@virt ~]# curl -vvv -H "Accept:application/json" '
> https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password=myuser=mypass=ovirt-app-api'
> 
> * About to connect() to virt.example.co.za port 443 (#0)
> 
> *   Trying 127.0.0.1...
> 
> * Connected to virt.example.co.za (127.0.0.1) port 443 (#0)
> 
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> 
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> 
>   CApath: none
> 
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> 
> * Server certificate:
> 
> *   subject: CN=*.example.co.za,OU=Domain Control Validated
> 
> *   start date: Sep 25 07:46:12 2019 GMT
> 
> *   expire date: Oct 02 07:39:01 2020 GMT
> 
> *   common name: *.example.co.za
> 
> *   issuer: CN=Starfield Secure Certificate Authority - G2,OU=
> http://certs.starfieldtech.com/repository/,O="Starfield Technologies,
> Inc.",L=Scottsdale,ST=Arizona,C=US
> 
> > GET /ovirt-
> engine/sso/oauth/token?grant_type=password=myuser=mypass
> pe=ovirt-app-api HTTP/1.1
> 
> > User-Agent: curl/7.29.0
> 
> > Host: virt.example.co.za
> 
> > Accept:application/json
> 
> > 
> 
> < HTTP/1.1 400 Bad Request
> 
> < Date: Fri, 19 Jun 2020 09:52:11 GMT
> 
> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
> 
> < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647;
> Expires=Wed, 07-Jul-2088 13:06:18 GMT
> 
> < X-XSS-PROTECTION: 1; MODE=BLOCK
> 
> < X-CONTENT-TYPE-OPTIONS: NOSNIFF
> 
> < X-FRAME-OPTIONS: SAMEORIGIN
> 
> < Content-Type: application/json
> 
> < Content-Length: 233
> 
> < Connection: close
> 
> < 
> 
> * Closing connection 0
> 
> {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> info:public-authz-search ovirt-ext=token-info:validate ovirt-
> ext=token:password-access."}
> 
>  
> 
> 1) Test connection using python script (from the blog post ) using sdk. I
> suspect it will not work either.
> 
> Testing from Python gives me the same error as well.
> 
>  
> 
> 2) I saw some errors in the log on revoking token. Please go to keycloak admin
> panel, and under users kill all its active sessions. Then, please without
> logging in to engine admin UI, use that curl
>  to obtain token.
> 
> Tested this again, but still getting the below:
> 
> {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> info:public-authz-search ovirt-ext=token-info:validate
>  ovirt-ext=token:password-access."}
> 
>  
Thanks for these test ... unfortunately nothing helped

> 3) Does it work without OVN integration enabled?
> 
> Can you explain a bit more? How can I disable OVN integration to test this?

I had in mind reverting OVN vs Keycloak integration done according to
"Configuring OVN" chapter in 
https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
   Unless, of course, you skipped it. 
Most likely you found a bug.  Have you ever been able to obtain token for api
access with keycloak integration (even with you previous environments)? I am now
trying to understand what happened and how to reproduce it before submitting the
bug into http://bugzilla.redhat.com id="-x-evo-selection-start-marker">
>  
> Thanks
>  
> 
> 
>   
>   
>   
> Anton Louw
>  
>   
> Cloud Engineer: Storage and Virtualization at Vox
> 
>   
>   
> 
>   
>   
> T:  087 805  | D: 087 805 1572
> M: N/A
> 
> E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> 
> www.vox.co.za
>   
> 
> 
> 
> 
> 
>   
>   
>   
>   
>   
> 
> 
> 
>   
> 
> 
> 
> 
> 
> 
> 
> 
> 
> From: Artur Socha 
> 
> 
> Sent: 19 June 2020 11:40
> 
> To: Anton Louw ; users@ovirt.org
> 
> Cc: Stephen Hutchinson 
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> On Fri, 2020-06-19 at 08:34 +, Anton Louw wrote:
> 
> >  
> > Hi Artur,
> >  
> > Thank you for the quick response. 
> >  
> > I have actually tried creating another user, but I still get the same error.
> > I have attached the output of curl -vvv as well as the logs the engine and
> > keycloak logs.
> 
>  
> 
> 
> This `curl -vvv ...` is actually is incorrect because it is missing -H before
> 'Accept' header. However, previous attempts that led to this error seemed to
> be fine. Could you just re-send output of
>  the correct curl? 
> 
> 
>  
> 
> 
> There are few things we can test to try to narrow down the root cause:
> 
> 
>  
> 
> 
> 1) Test connection using python script (from the blog post ) using sdk. I
> suspect it will not work either.
> 
> 
>  
> 
> 
> 2) I saw some errors in the log on revoking token. Please go to keycloak admin
> 

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Anton Louw via Users
Yes I didn’t get to the OVN part yet, as I first wanted to test the if the 
token can be obtained.

This is the first time we are testing KeyCloak in any environment, so we have 
never been able to obtain a token for API access.

Thanks

From: Artur Socha 
Sent: 19 June 2020 12:16
To: Anton Louw ; users@ovirt.org
Cc: Stephen Hutchinson 
Subject: Re: [ovirt-users] KeyCloak Integration

On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:

Hi Artur,

Sure, please see below output:

[root@virt ~]# curl -vvv -H "Accept:application/json" 
'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password=myuser=mypass=ovirt-app-api'
* About to connect() to virt.example.co.za port 443 
(#0)
*   Trying 127.0.0.1...
* Connected to virt.example.co.za 
(127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=*.example.co.za,OU=Domain Control Validated
*   start date: Sep 25 07:46:12 2019 GMT
*   expire date: Oct 02 07:39:01 2020 GMT
*   common name: *example.co.za
*   issuer: CN=Starfield Secure Certificate Authority - 
G2,OU=http://certs.starfieldtech.com/repository/,O="Starfield
 Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
> GET 
> /ovirt-engine/sso/oauth/token?grant_type=password=myuser=mypass=ovirt-app-api
>  HTTP/1.1
> User-Agent: curl/7.29.0
> Host: virt.example.co.za
> Accept:application/json
>
< HTTP/1.1 400 Bad Request
< Date: Fri, 19 Jun 2020 09:52:11 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
< Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647; 
Expires=Wed, 07-Jul-2088 13:06:18 GMT
< X-XSS-PROTECTION: 1; MODE=BLOCK
< X-CONTENT-TYPE-OPTIONS: NOSNIFF
< X-FRAME-OPTIONS: SAMEORIGIN
< Content-Type: application/json
< Content-Length: 233
< Connection: close
<
* Closing connection 0
{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: 
ovirt-app-api ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access."}

1) Test connection using python script (from the blog post ) using sdk. I 
suspect it will not work either.
Testing from Python gives me the same error as well.

2) I saw some errors in the log on revoking token. Please go to keycloak admin 
panel, and under users kill all its active sessions. Then, please without 
logging in to engine admin UI, use that curl to obtain token.
Tested this again, but still getting the below:
{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: 
ovirt-app-api ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access."}

Thanks for these test ... unfortunately nothing helped


3) Does it work without OVN integration enabled?
Can you explain a bit more? How can I disable OVN integration to test this?

I had in mind reverting OVN vs Keycloak integration done according to 
"Configuring OVN" chapter in 
https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
Unless, of course, you skipped it.

Most likely you found a bug. Have you ever been able to obtain token for api 
access with keycloak integration (even with you previous environments)?
I am now trying to understand what happened and how to reproduce it before 
submitting the bug into http://bugzilla.redhat.com


Thanks


Anton Louw
Cloud Engineer: Storage and Virtualization at Vox

T:  087 805  | D: 087 805 1572
M: N/A
E: anton.l...@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za

[F]

[T]

[I]

[L]

[Y]


Anton Louw
Cloud Engineer: Storage and Virtualization
__
D: 087 805 1572 | M: N/A
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
anton.l...@voxtelecom.co.za

www.vox.co.za



From: Artur Socha mailto:aso...@redhat.com>>
Sent: 19 June 2020 11:40
To: Anton Louw 
mailto:anton.l...@voxtelecom.co.za>>; 
users@ovirt.org
Cc: Stephen Hutchinson 
mailto:stephen.hutchin...@voxtelecom.co.za>>
Subject: Re: 

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Anton Louw via Users
Hi Artur,

Sure, please see below output:

[root@virt ~]# curl -vvv -H "Accept:application/json" 
'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password=myuser=mypass=ovirt-app-api'
* About to connect() to virt.example.co.za port 443 (#0)
*   Trying 127.0.0.1...
* Connected to virt.example.co.za (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=*.example.co.za,OU=Domain Control Validated
*   start date: Sep 25 07:46:12 2019 GMT
*   expire date: Oct 02 07:39:01 2020 GMT
*   common name: *.example.co.za
*   issuer: CN=Starfield Secure Certificate Authority - 
G2,OU=http://certs.starfieldtech.com/repository/,O="Starfield Technologies, 
Inc.",L=Scottsdale,ST=Arizona,C=US
> GET 
> /ovirt-engine/sso/oauth/token?grant_type=password=myuser=mypass=ovirt-app-api
>  HTTP/1.1
> User-Agent: curl/7.29.0
> Host: virt.example.co.za
> Accept:application/json
>
< HTTP/1.1 400 Bad Request
< Date: Fri, 19 Jun 2020 09:52:11 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
< Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647; 
Expires=Wed, 07-Jul-2088 13:06:18 GMT
< X-XSS-PROTECTION: 1; MODE=BLOCK
< X-CONTENT-TYPE-OPTIONS: NOSNIFF
< X-FRAME-OPTIONS: SAMEORIGIN
< Content-Type: application/json
< Content-Length: 233
< Connection: close
<
* Closing connection 0
{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: 
ovirt-app-api ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access."}

1) Test connection using python script (from the blog post ) using sdk. I 
suspect it will not work either.
Testing from Python gives me the same error as well.

2) I saw some errors in the log on revoking token. Please go to keycloak admin 
panel, and under users kill all its active sessions. Then, please without 
logging in to engine admin UI, use that curl to obtain token.
Tested this again, but still getting the below:
{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: 
ovirt-app-api ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access."}

3) Does it work without OVN integration enabled?
Can you explain a bit more? How can I disable OVN integration to test this?

Thanks


Anton Louw
Cloud Engineer: Storage and Virtualization
__
D: 087 805 1572 | M: N/A
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
anton.l...@voxtelecom.co.za

www.vox.co.za



From: Artur Socha 
Sent: 19 June 2020 11:40
To: Anton Louw ; users@ovirt.org
Cc: Stephen Hutchinson 
Subject: Re: [ovirt-users] KeyCloak Integration

On Fri, 2020-06-19 at 08:34 +, Anton Louw wrote:

Hi Artur,

Thank you for the quick response.

I have actually tried creating another user, but I still get the same error. I 
have attached the output of curl -vvv as well as the logs the engine and 
keycloak logs.

This `curl -vvv ...` is actually is incorrect because it is missing -H before 
'Accept' header. However, previous attempts that led to this error seemed to be 
fine. Could you just re-send output of the correct curl?

There are few things we can test to try to narrow down the root cause:

1) Test connection using python script (from the blog post ) using sdk. I 
suspect it will not work either.

2) I saw some errors in the log on revoking token. Please go to keycloak admin 
panel, and under users kill all its active sessions. Then, please without 
logging in to engine admin UI, use that curl to obtain token.

3) Does it work without OVN integration enabled?

Artur



Thank you


Anton Louw
Cloud Engineer: Storage and Virtualization at Vox

T:  087 805  | D: 087 805 1572
M: N/A
E: anton.l...@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za

[F]

[T]

[I]

[L]

[Y]


From: Artur Socha mailto:aso...@redhat.com>>
Sent: 19 June 2020 10:23
To: Anton Louw 
mailto:anton.l...@voxtelecom.co.za>>; 
users@ovirt.org
Subject: Re: [ovirt-users] KeyCloak Integration

O
n Fri, 2020-06-19 at 07:35 +, Anton Louw via Users wrote:

Hi Everybody,

Hi Anton,

So I have implemented KeyCloak into our oVirt environment, which works, up 
until a point. So WebUI access works, but when calling the API, using:
curl -k -H "Accept: application/json" 

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 08:34 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
> 
>  
> 
> Thank you for the quick response. 
> 
>  
> 
> I have actually tried creating another user, but I still get the same error. I
> have attached the output of curl -vvv as well as the logs the engine and
> keycloak logs.

This `curl -vvv ...`  is actually is incorrect because it is missing -H before
'Accept' header.   However, previous attempts that led to this error seemed to
be fine. Could you just re-send output of the correct curl? 
There are few things we can test to try to narrow down the root cause:
1) Test connection using python script  (from the blog post ) using sdk. I
suspect it will not work either.
2) I saw some errors  in the log on revoking token. Please go to keycloak admin
panel, and under users kill all its active sessions. Then, please without
logging in to engine admin UI, use that curl to obtain token.
3) Does it work without OVN integration enabled?
Artur

>  
> Thank you
>  
> 
> 
>   
>   
>   
> Anton Louw
>  
>   
> Cloud Engineer: Storage and Virtualization at Vox
> 
>   
>   
> 
>   
>   
> T:  087 805  | D: 087 805 1572
> M: N/A
> 
> E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> 
> www.vox.co.za
>   
> 
> 
> 
> 
> 
>   
>   
>   
>   
>   
> 
> 
> 
>   
> 
> 
> 
> 
> 
> 
> 
> 
> 
> From: Artur Socha 
> 
> 
> Sent: 19 June 2020 10:23
> 
> To: Anton Louw ; users@ovirt.org
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> O
> 
> 
> n Fri, 2020-06-19 at 07:35 +, Anton Louw via Users wrote:
> 
> >  
> > Hi Everybody,
> 
>  
> 
> 
> Hi Anton,
> 
> >  
> > So I have implemented KeyCloak into our oVirt environment, which works, up
> > until a point. So WebUI access works, but when calling the API, using:
> > 
> > curl -k -H "Accept: application/json" '
> > https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password=admin@openidchttp=mypass=ovirt-app-api'
> >  
> > I get the below error:
> >  
> > {"error_description":"Cannot authenticate user Invalid scopes: 
> > ovirt-app-api 
> > ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-
> > ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-
> > ext=token:password-access.","error":"access_denied"}
> >  
> > If my configs are removed, and I use “admin@internal” for my username, then
> > it works.
> >  
> > I followed the below article step by step, and I double checked that all the
> > scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)
> > 
> >  
> > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> >  
> > Anybody have any ideas?
> 
>  
> 
> 
> It is my blind shot but could create & check another user?
> 
> 
>  
> 
> 
> One more thing to check please use curl -vvv to check if there are any
> redirects along the way.
> 
> 
> 
> I will check keycloak settings on my setup - perhaps there is something non-
> obvious that could have been missed.
> 
> 
>  
> 
> 
> Any chance to get a bit more logs from engine.log and even from keycloak?
> Perhaps there is something there that could help.
> 
> 
>  
> 
> 
> Artur
> 
> 
>  
> 
> >  
> > Thank you
> >  
> > 
> > 
> > 
> > 
> > Anton Louw
> > 
> > 
> > 
> > 
> > Cloud Engineer: Storage and Virtualization
> >  at Vox
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > T:
> >  087 805  |
> > D: 087 805 1572
> > 
> > M: N/A
> > 
> > E:
> > anton.l...@voxtelecom.co.za
> > 
> > A: Rutherford Estate,
> >  1 Scott Street, Waverley, Johannesburg
> > 
> > www.vox.co.za
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > Disclaimer
> > The contents of this email are confidential to the sender and the intended
> > recipient. Unless the contents are clearly and entirely of a personal
> > nature, they are subject to copyright
> >  in favour of the holding company of the Vox group of companies. Any
> > recipient who receives this email in error should immediately report the
> > error to the sender and permanently delete this email from all storage
> > devices.
> > 
> > 
> > 
> > This email has been scanned for viruses and malware, and may have been
> > automatically archived by
> > Mimecast Ltd, an innovator in Software as a Service (SaaS) for business.
> > Providing a
> > safer and more useful place for your human generated data. Specializing in;
> > Security, archiving and compliance. To find out more
> > 
> > Click Here.
> >  
> > 

[ovirt-users] Recall: KeyCloak Integration

2020-06-19 Thread Anton Louw via Users
Anton Louw would like to recall the message, "[ovirt-users] KeyCloak 
Integration".


Anton Louw
Cloud Engineer: Storage and Virtualization
__
D: 087 805 1572 | M: N/A
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
anton.l...@voxtelecom.co.za

www.vox.co.za






___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/I7CVJEG66PDRTXBP3Y2PNVTVKM52RQNC/


[ovirt-users] Re: Upgrade ovirt from 3.4 to 4.3

2020-06-19 Thread lu . alfonsi
Anyone else can confirm this?

Thanks
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3SSOZGHIIADTO7S77JAEBWXWXHSZA4OB/


[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 07:35 +, Anton Louw via Users wrote:
> 
> 
> 
> Hi Everybody,

Hi Anton,
>  
> 
> So I have implemented KeyCloak into our oVirt environment, which works, up
> until a point. So WebUI access works, but when calling the API, using:
> 
> 
> curl -k -H "Accept: application/json" '
> https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password=admin@openidchttp=mypass=ovirt-app-api'
> 
>  
> 
> I get the below error:
> 
>  
> 
> {"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api
> ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-
> info:public-authz-search ovirt-ext=token-info:validate ovirt-
> ext=token:password-access.","error":"access_denied"}
> 
>  
> 
> If my configs are removed, and I use “admin@internal” for my username, then it
> works.
> 
>  
> 
> I followed the below article step by step, and I double checked that all the
> scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)
> 
> 
>  
> 
> https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> 
>  
> 
> Anybody have any ideas?

It is my blind shot but could create & check  another user?
One more thing to check please use curl -vvv to check if there are any redirects
along the way.  I will check keycloak settings on my setup - perhaps there is
something non-obvious that could have been missed.
Any chance to get a bit more logs from engine.log and even from keycloak?
Perhaps there is something there that could help.
Artur
>  
> Thank you
> 
> 
> 
> 
>   
>   
>   
> Anton Louw
>  
>   
> Cloud Engineer: Storage and Virtualization at Vox
> 
>   
>   
> 
>   
>   
> T:  087 805  | D: 087 805 1572
> M: N/A
>  
> E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> 
> www.vox.co.za
>   
> 
> 
> 
> 
> 
>   
>   
>   
>   
>   
> 
> 
> 
>   
> 
> 
> 
> 
> 
> 
> Disclaimer
> The contents of this email are confidential to the sender and the intended
> recipient. Unless the contents are clearly and entirely of a personal nature,
> they are subject to copyright in favour of the holding company of the Vox
> group of companies. Any recipient who receives this email in error should
> immediately report the error to the sender and permanently delete this email
> from all storage devices.
> 
> This email has been scanned for viruses and malware, and may have been
> automatically archived by Mimecast Ltd, an innovator in Software as a Service
> (SaaS) for business.  Providing a safer and more useful place for your human
> generated data.  Specializing in; Security, archiving and compliance. To find
> out more Click Here.
> 
> 
> 
> 
> 
> 
> 
>   
> 
> ___Users mailing list -- 
> users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: 
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives: 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CC54IPZLYJYE2B3NP4LT4TN4CJX4C7BU/


signature.asc
Description: This is a digitally signed message part
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CXYLGC5W5EYD3LO54FPWYOWX6ZCMLYMB/


[ovirt-users] Re: How to config ovirt-engine to Https ?

2020-06-19 Thread Martin Perina
Hi,

have you used the default certificate created by engine-setup? Or have you
provided your custom HTTPS certificate as described below?

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

Anyway in both cases please make sure you are accessing oVirt engine using
the same FQDN which you have provided in engine-setup

Regards,
Martin


On Fri, Jun 19, 2020 at 6:06 AM zhou...@vip.friendtimes.net <
zhou...@vip.friendtimes.net> wrote:

> The https web access is ok,but I cant login the ovirt-engine,how
> to config a https web?
>
>
> --
> zhou...@vip.friendtimes.net
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/43UGIBIJ23HSADJ5XYPRH57MCYPOIFS4/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/N3KFCJ3423KK3SZUV5BZIHO5XJ4GDZ3C/


[ovirt-users] KeyCloak Integration

2020-06-19 Thread Anton Louw via Users
Hi Everybody,

So I have implemented KeyCloak into our oVirt environment, which works, up 
until a point. So WebUI access works, but when calling the API, using:
curl -k -H "Accept: application/json" 
'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password=admin@openidchttp=mypass=ovirt-app-api'

I get the below error:

{"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api 
ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access.","error":"access_denied"}

If my configs are removed, and I use "admin@internal" for my username, then it 
works.

I followed the below article step by step, and I double checked that all the 
scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)

https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/

Anybody have any ideas?

Thank you


Anton Louw
Cloud Engineer: Storage and Virtualization
__
D: 087 805 1572 | M: N/A
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
anton.l...@voxtelecom.co.za

www.vox.co.za






___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CC54IPZLYJYE2B3NP4LT4TN4CJX4C7BU/


[ovirt-users] Re: EXTERNAL - Re: Update to Ovirt 4.3.10-4-1 causes XFS issue

2020-06-19 Thread Chaz Vidal
Yeah, running 

yum update 

from the affected host shows no packages marked for update:

# yum update
Loaded plugins: enabled_repos_upload, fastestmirror, imgbased-persist, 
package_upload, product-id, search-disabled-repos, subscription-manager, 
vdsmupgrade,
  : versionlock

This system is not registered with an entitlement server. You can use 
subscription-manager to register.

Loading mirror speeds from cached hostfile
 * ovirt-4.3-epel: fedora.melbourneitmirror.net
No packages marked for update
Uploading Enabled Repositories Report
Cannot upload enabled repos report, is this client registered?

From the host the kernel version is 
# uname -r
3.10.0-1127.8.2.el7.x86_64


However, I updated the ovirt manager prior and that seems to have gotten the 
updated kernel:

# uname -r
3.10.0-1127.10.1.el7.x86_64


Somehow I cannot get the host to update it's kernel without maybe manually 
downloading the RPM but I don't know if that will break the Ovirt setttings.


Appreciate any advice!


Thanks
Chaz



Chaz Vidal | ICT Infrastructure | Tel: +61-8-8128-4397 | Mob: +61-492-874-982 | 
chaz.vi...@sahmri.com

-Original Message-
From: Derek Atkins  
Sent: Wednesday, 17 June 2020 11:32 PM
To: Chaz Vidal 
Cc: users@ovirt.org
Subject: Re: EXTERNAL - [ovirt-users] Re: Update to Ovirt 4.3.10-4-1 causes XFS 
issue

Hi,

Chaz Vidal  writes:

> Thank you for the response!
>
> I tried to do another upgrade again on the ovirt manager and can 
> confirm that it is now in the supposedly fixed version of the kernel.
>
> However, when I try to update the hosts using the prescribed gui style 
> method they do report back as no updates available.
>
> Should I force an update on the kernel on the hosts or is this not advised?

There shouldn't be a need.  Are you sure the hosts are running the old kernel?  
The hosts should just update via "yum update", although I admit I don't know 
what the "update" function from the UI does under the covers.  I have a 
single-host hyperconverged system so I have to update manually..

You can check if there is anything to do by logging into the host and
running: "yum check-update"; it shouldn't list anything.

> Thanks
> Chaz

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/W2THHWTAMKALTAALSWVX7QVOWVOUMR4Y/