Re: [ovirt-users] Ovirtmgmt, webinterfaces and VLANs
Using self-hosted engine. I thought about using several interfaces on the engine VM. The reason why I want to do that : I would like the users accessing the web interface not to be on the same network that ovirt is using to communicate between hosts and engine. But it would mean that 2 different FQDN are necessary, right ? I heard HA requires to access to the engine FQDN... Do you have any idea how to solve this situation ?

Alexis

On 24 August 2017 at 15:39, Alexis HAUSER wrote:
> In the way Ovirt is currently designed, is there a way to separate the
> following elements in different VLANs :
>
> 1) Communication between nodes (hypervisors) and engine (manager)
> 2) Access to webadmin interface
> 3) access to user web interface
>
> It seems that the following elements all rely on ovirtmgmt, right ?

Only #1. #2 and #3 could be changed AFAIK, depending on where and how you run the engine (For e.g. if you run it on a separate host, you could attach other interfaces with other VLANs to it).

--
Barak Korren
RHV DevOps team , RHCE, RHCi
Red Hat EMEA
redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Ovirtmgmt, webinterfaces and VLANs
Hi,

In the way Ovirt is currently designed, is there a way to separate the following elements in different VLANs :

1) Communication between nodes (hypervisors) and engine (manager)
2) Access to webadmin interface
3) access to user web interface

It seems that the following elements all rely on ovirtmgmt, right ?

Regards,
Alexis
[ovirt-users] 4.0 : hosts connecting/non responsive and data domains inactive
After rebooting the manager VM, hosts are connecting/non responsive and data domains inactive. Here are the engine and vdsmd logs. Any ideas ?

Engine logs :

2017-05-11 17:28:09,302 WARN [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler5) [55f1aab5] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: Failed to verify Power Management configuration for Host rhvserv-05.
2017-05-11 17:28:09,346 INFO [org.ovirt.engine.core.bll.HandleVdsVersionCommand] (DefaultQuartzScheduler5) [48bc69cd] Running command: HandleVdsVersionCommand internal: true. Entities affected : ID: 04565f10-9abf-4709-9445-9dc6ed97e136 Type: VDS
2017-05-11 17:28:09,349 WARN [org.ovirt.engine.core.vdsbroker.VdsManager] (org.ovirt.thread.pool-6-thread-27) [639977e4] Host 'rhvserv-05' is not responding.
2017-05-11 17:28:09,364 WARN [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-27) [639977e4] Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: Host rhvserv-05 is not responding. Host cannot be fenced automatically because power management for the host is disabled.
2017-05-11 17:28:11,299 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesVDSCommand] (DefaultQuartzScheduler3) [c0e6a2e] Command 'GetCapabilitiesVDSCommand(HostName = rhvserv-03, VdsIdAndVdsVDSCommandParametersBase:{runAsync='true', hostId='4036f027-8e90-49c0-8ca5-3ddb8d586916', vds='Host[rhvserv-03,4036f027-8e90-49c0-8ca5-3ddb8d586916]'})' execution failed: org.ovirt.vdsm.jsonrpc.client.ClientConnectionException: Connection failed
2017-05-11 17:28:11,299 ERROR [org.ovirt.engine.core.vdsbroker.monitoring.HostMonitoring] (DefaultQuartzScheduler3) [c0e6a2e] Failure to refresh host 'rhvserv-03' runtime info: org.ovirt.vdsm.jsonrpc.client.ClientConnectionException: Connection failed
2017-05-11 17:28:11,327 INFO [org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor) [] Connecting to rhvserv-04.mydomain.com/192.168.93.214
2017-05-11 17:28:12,484 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHardwareInfoVDSCommand] (DefaultQuartzScheduler3) [c0e6a2e] START, GetHardwareInfoVDSCommand(HostName = rhvserv-05, VdsIdAndVdsVDSCommandParametersBase:{runAsync='true', hostId='04565f10-9abf-4709-9445-9dc6ed97e136', vds='Host[rhvserv-05,04565f10-9abf-4709-9445-9dc6ed97e136]'}), log id: f807ece
2017-05-11 17:28:12,487 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.GetHardwareInfoVDSCommand] (DefaultQuartzScheduler3) [c0e6a2e] FINISH, GetHardwareInfoVDSCommand, log id: f807ece
2017-05-11 17:28:12,532 INFO [org.ovirt.engine.core.bll.HandleVdsCpuFlagsOrClusterChangedCommand] (DefaultQuartzScheduler3) [4e882ea0] Running command: HandleVdsCpuFlagsOrClusterChangedCommand internal: true. Entities affected : ID: 04565f10-9abf-4709-9445-9dc6ed97e136 Type: VDS
2017-05-11 17:28:12,539 INFO [org.ovirt.engine.core.bll.InitVdsOnUpCommand] (DefaultQuartzScheduler3) [75f25b35] Running command: InitVdsOnUpCommand internal: true. Entities affected : ID: 58f8df36-019f-02bc-00e7-0023 Type: StoragePool
2017-05-11 17:28:12,545 INFO [org.ovirt.engine.core.bll.storage.pool.ConnectHostToStoragePoolServersCommand] (DefaultQuartzScheduler3) [46cc3f58] Running command: ConnectHostToStoragePoolServersCommand internal: true. Entities affected : ID: 58f8df36-019f-02bc-00e7-0023 Type: StoragePool
2017-05-11 17:28:12,556 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.ConnectStorageServerVDSCommand] (DefaultQuartzScheduler3) [46cc3f58] START, ConnectStorageServerVDSCommand(HostName = rhvserv-05, StorageServerConnectionManagementVDSParameters:{runAsync='true', hostId='04565f10-9abf-4709-9445-9dc6ed97e136', storagePoolId='58f8df36-019f-02bc-00e7-0023', storageType='ISCSI', connectionList='[StorageServerConnections:{id='10c0528b-f08d-4d1d-8c63-8a05fd9d58b9', connection='10.35.21.1', iqn='iqn.1984-05.com.dell:powervault.md3200i.6782bcb00073e3324edde164', vfsType='null', mountOptions='null', nfsVersion='null', nfsRetrans='null', nfsTimeo='null', iface='null', netIfaceName='null'}]'}), log id: 1beb27b6
2017-05-11 17:28:13,031 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.ConnectStorageServerVDSCommand] (DefaultQuartzScheduler3) [46cc3f58] FINISH, ConnectStorageServerVDSCommand, return: {10c0528b-f08d-4d1d-8c63-8a05fd9d58b9=0}, log id: 1beb27b6
2017-05-11 17:28:13,032 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.ConnectStorageServerVDSCommand] (DefaultQuartzScheduler3) [46cc3f58] START, ConnectStorageServerVDSCommand(HostName = rhvserv-05, StorageServerConnectionManagementVDSParameters:{runAsync='true', hostId='04565f10-9abf-4709-9445-9dc6ed97e136', storagePoolId='58f8df36-019f-02bc-00e7-0023', storageType='NFS', connectionList='[StorageServerConnections:{id='e604d0d2-0810-4c25-b9ed-610f9923cb1a', connection='nfsserv-01:/nfs/export', iqn
[ovirt-users] Bonding type
Hi,

I would like to bond 2 NICs from RHV side. These 2 links would go on 2 separate switches. Which kind of bond would you advise me to use (between the 4 proposed modes or the custom mode) ?

Regards
[ovirt-users] Extending data domain size
Hi, Is it possible in ovirt-4.0 to extend the size of a data domain ? In theory it should be possible with LVM to do it, but does ovirt provide this functionality ? Regards
[ovirt-users] Networking setup
Hi,

I have an Ovirt installation with 3 nodes (5 soon), containing 6 network cards (8 soon), a multipath iSCSI array and I would like to know how you would advise me to choose which link to bond or not. I thought about :

1+2 : ovirtmgmt (bond)
3+4 : iSCSI (multipath)
5 : VM and Display
6 : Migration

What do you think about this configuration ? Is it a bad idea to set VM and display on the same network interface ? Does ovirtmgmt need high bandwidth ? In terms of bandwidth, is it a bad idea to have one single NIC for Migration ?

Thanks in advance for your suggestions
[ovirt-users] Separating NFS network flow
Hi, Is there a way to separate the network flow from NFS ? I know it is possible to do it with VM, display, ovirtmgmt, iSCSI, but what about NFS ? Does it use ovirtmgmt ? Thanks in advance
[ovirt-users] VM Permissions (3.6)
hi,

I'm trying to figure out how to manage VM permissions with ovirt. From what I've understood, if you add a user to user role in the system preferences, this user can access every VM and resources on the cluster, with the associated permissions; right ?

Now, if I want to control who has access to each VM : I mustn't add this user to user role from the system tab; but instead add it on each resources (like on each VM) it should access ? Is there another way to manage permissions ? How you guys do personally manage this ? Do you automate it with scripts ?

Thanks for your ideas and suggestions (using 3.6)
Re: [ovirt-users] 3.6 : Hosted engine High Availability
Ok, now after removing it, it auto-adds itself to the web interface. It tries to "install" and fails just after the step "installating host stage: termination" with "host is not rechable". I can ping it and its FQDN from the engine and other host. Any ideas ?
Re: [ovirt-users] 3.6 : Hosted engine High Availability
>No, in both the case it's referring to the host you are going to add to
>your engine (the host where you are running hosted-engine --deploy): the
>first one is a label to easily identify your host, the second one the
>address to reach it.

Thanks, then it means only the default label is wrong, right ? It should be [host_2] (referring to the host itself) instead of [hosted_engine_2] (referring to the engine itself), no ?
Re: [ovirt-users] 3.6 : Hosted engine High Availability
Thank you for your explanations, this is very clear now :)

Actually I was confused because "this host" is used in several different contexts, if I am right :

1 - For the engine (which is not a host, but a guest) : "Enter the name which will be used to identify this host inside the Administrator Portal [hosted_engine_2]"
2 - For the Host : It asks the same things for the FQDN, but not for the engine this time, for the real "host"

Please confirm me this, so I will know if I have to open a bug for this.

Now my error is the following : "[ ERROR ] Failed to execute stage 'Closing up': Specified cluster does not exist: Default"

I think it assumes I didn't change the name of the default cluster after deploying the first host. I will try to workaround with this by renaming the datacenter. I will check if a bug is open on the bugzilla about this and if not I'll open one.

----- Original message -----
From: "Simone Tiraboschi"
To: "Alexis HAUSER"
Cc: "users"
Sent: Thursday 25 August 2016 16:56:17
Subject: Re: [ovirt-users] 3.6 : Hosted engine High Availability

On Thu, Aug 25, 2016 at 4:26 PM, Alexis HAUSER wrote:
>
>> Can you please share your hosted-engine-setup logs?
>
> Yes of course, here they are :)

OK, the issue is here:

2016-08-25 12:49:04 DEBUG otopi.plugins.otopi.dialog.human human.queryString:156 query OVESETUP_NETWORK_FQDN_HOST_HOSTNAME
2016-08-25 12:49:04 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:219 DIALOG:SEND Please provide the address of this host.
2016-08-25 12:49:04 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:219 DIALOG:SEND Note: The engine VM and all the other hosts should be able to correctly resolve it.
2016-08-25 12:49:04 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:219 DIALOG:SEND Host address: [localhost.localdomain]:
2016-08-25 12:49:37 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:219 DIALOG:RECEIVEvm-rhemgr.mydomain.com
2016-08-25 12:49:37 DEBUG otopi.plugins.ovirt_hosted_engine_setup.network.bridge hostname.test_hostname:411 test_hostname exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ovirt_setup_lib/hostname.py", line 407, in test_hostname
    not_local_text,
  File "/usr/lib/python2.7/site-packages/ovirt_setup_lib/hostname.py", line 252, in _validateFQDNresolvability
    fqdn=fqdn,
RuntimeError: vm-rhemgr.mydomain.com did not resolve into an IP address
2016-08-25 12:49:37 ERROR otopi.plugins.ovirt_hosted_engine_setup.network.bridge dialog.queryEnvKey:115 Host name is not valid: vm-rhemgr.mydomain.com did not resolve into an IP address

'Please provide the address of THIS host.' means that you have to enter/validate the address of the host you are going to add (the host where you are running hosted-engine --deploy command).

Let's try to recap: the fqdn of your engine VM is 'vm-rhemgr.mydomain.com', the fqdn of your host is currently 'localhost.localdomain' but it's not acceptable (try to run 'ssh localhost.localdomain' on the engine VM and see where are you getting...)

So you have just to configure a valid fqdn on your additional host (something like 'my2ndhost.mydomain.com') and confirm it when asked by that question.

Normally we suggest to rely on a properly configured DNS; you can just work entering values under '/etc/hosts' but it's up to you to properly maintain it:
- the engine VM should be able to resolve the address of all the hosts to contact them: this is not true in your env, with 'localhost.localdomain' your engine VM will not reach your host...
- each host should be able to resolve the address of all the other hosts and also the address of the engine VM: this is not true in your env as I read 'RuntimeError: vm-rhemgr.mydomain.com did not resolve into an IP address'
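The two resolution requirements listed at the end of the message above can be checked before running the deploy. The following is an added example, not part of the thread and not oVirt code: it models each machine's name resolution as its /etc/hosts content, and the host name my1sthost.mydomain.com and all IP addresses are constructed for illustration.

```python
import ipaddress

# Names that only ever point back at the machine doing the lookup.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Parse /etc/hosts-style text into {name: ip}; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def check_resolution(views, engine_fqdn, host_fqdns):
    """Return a list of (resolver, target, problem) tuples.

    views maps each machine's FQDN to the hosts-file text that machine uses.
    Every machine (engine VM and hosts) must resolve every other machine to a
    non-loopback address, and no host may be registered under a loopback name.
    """
    problems = []
    for fqdn in host_fqdns:
        if fqdn.lower() in LOOPBACK_NAMES:
            problems.append((fqdn, fqdn, "loopback name used as host address"))
    tables = {machine: parse_hosts(text) for machine, text in views.items()}
    machines = [engine_fqdn] + list(host_fqdns)
    for resolver in machines:
        table = tables.get(resolver, {})
        for target in machines:
            if target == resolver:
                continue
            ip = table.get(target.lower())
            if ip is None:
                problems.append((resolver, target, "does not resolve"))
            elif ipaddress.ip_address(ip).is_loopback:
                problems.append((resolver, target, "resolves to loopback"))
    return problems


# Constructed sample data (192.0.2.0/24 is a documentation range).
ENGINE = "vm-rhemgr.mydomain.com"
LOCAL = "127.0.0.1 localhost localhost.localdomain\n"

# State described in the thread: the additional host is still named
# localhost.localdomain and cannot resolve the engine VM.
BROKEN_HOSTS = ["my1sthost.mydomain.com", "localhost.localdomain"]
BROKEN_VIEWS = {
    ENGINE: LOCAL + "192.0.2.11 my1sthost.mydomain.com\n",
    "my1sthost.mydomain.com": LOCAL + "192.0.2.10 vm-rhemgr.mydomain.com\n",
    "localhost.localdomain": LOCAL + "192.0.2.11 my1sthost.mydomain.com\n",
}

# Corrected state: the additional host has a real FQDN and every machine
# carries the same complete set of entries.
FIXED_HOSTS = ["my1sthost.mydomain.com", "my2ndhost.mydomain.com"]
SHARED = LOCAL + (
    "192.0.2.10 vm-rhemgr.mydomain.com\n"
    "192.0.2.11 my1sthost.mydomain.com\n"
    "192.0.2.12 my2ndhost.mydomain.com\n"
)
FIXED_VIEWS = {name: SHARED for name in [ENGINE] + FIXED_HOSTS}

if __name__ == "__main__":
    for resolver, target, problem in check_resolution(BROKEN_VIEWS, ENGINE, BROKEN_HOSTS):
        print(f"{resolver} -> {target}: {problem}")
```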
Re: [ovirt-users] 3.6 : Hosted engine High Availability
> This is that part that confused me a bit : I need to set up a new FQDN for
> the engine, but a different one right ? So each engine on each node needs a
> different FQDN ?

> No, you have just to use a sensate globally resolvable FQDN for your
> additional host: 'localhost.localdomain' is not.

Well actually when I use the FQDN of my current hosted engine, it doesn't seem to resolve...

Host address: [localhost.localdomain]: engine.mydomain.com
[ ERROR ] Host name is not valid: vm-rhemgr.rennes.enst-bretagne.fr did not resolve into an IP address
Please provide the address of this host.
Note: The engine VM and all the other hosts should be able to correctly resolve it.
Re: [ovirt-users] 3.6 : Hosted engine High Availability
>This instead is an issue of your env:
>your additional host is still named 'localhost.localdomain': of course
>the engine VM will be able to resolve it but it will not reach your
>host; in that case the engine will just try to add the engine VM
>itself as an host creating a mess.
>Since we saw this issue many times in the past from user logs, we are
>now explicitly rejecting 'localhost.localdomain' as an host address.

This is that part that confused me a bit : I need to set up a new FQDN for the engine, but a different one right ? So each engine on each node needs a different FQDN ?
Re: [ovirt-users] 3.6 : Hosted engine High Availability
>No, it's not: you have to point to the same storage server you used
>for the first host, hosted-engine-setup will detect the existing
>installation and it will ask if you are going to add an additional
>host.
>At that point it will consume the answer file saved on the shared storage.

This is exactly what I've done but it still asks me those questions about FQDN, hostname and password, and as we can see it seems to find the answer file :

hosted-engine --deploy
[ INFO ] Stage: Initializing
[ INFO ] Generating a temporary VNC password.
[ INFO ] Stage: Environment setup
Continuing will configure this host for serving as hypervisor and create a VM where you have to install the engine afterwards.
Are you sure you want to continue? (Yes, No)[Yes]:
Configuration files: []
Log file: /var/log/ovirt-hosted-engine-setup/ovirt-hosted-engine-setup-20160825082809-4evynk.log
Version: otopi-1.4.2 (otopi-1.4.2-1.el7ev)
It has been detected that this program is executed through an SSH connection without using screen.
Continuing with the installation may lead to broken installation if the network connection fails.
It is highly recommended to abort the installation and run it inside a screen session using command "screen".
Do you want to continue anyway? (Yes, No)[No]: yes
[ INFO ] Hardware supports virtualization
[ INFO ] Bridge ovirtmgmt already created
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment setup
[ INFO ] Stage: Environment customization

--== STORAGE CONFIGURATION ==--

During customization use CTRL-D to abort.
Please specify the storage you would like to use (glusterfs, iscsi, fc, nfs3, nfs4)[nfs3]: iscsi
Please specify the iSCSI portal IP address: x.x.x.x
Please specify the iSCSI portal port [3260]:
Please specify the iSCSI portal user:
Please specify the target name (iqn.1984-05.com.dell:powervault., iqn.1984-05.com.dell:powervault., iqn.1984-05.com.dell:powervault., iqn.1984-05.com.dell:powervault.) [iqn.1984-05.com.dell:powervault.]:
The following luns have been found on the requested target:
[1] 36002219000897d5e25bd5754b30f 836GiB DELL MD3000i status: used, paths: 1 active
[2] 36002219000897d5e2ea457a406f7 100GiB DELL MD3000i status: used, paths: 1 active
[3] 36002219000897d5e2e5357980305 150GiB DELL MD3000i status: free, paths: 1 active
[4] 36002219000897d5e2fa357ad109e 500GiB DELL MD3000i status: free, paths: 1 active
[5] 36002219000897d5e2fa857ad11c2 80GiB DELL MD3000i status: free, paths: 1 active
[6] 36002219000897d5e2f1657a920a2 587GiB DELL MD3000i status: used, paths: 1 active
Please select the destination LUN (1, 2, 3, 4, 5, 6) [1]: 2
The specified storage location already contains a data domain. Is this an additional host setup (Yes, No)[Yes]?
[ INFO ] Installing on additional host
Please specify the Host ID [Must be integer, default: 2]:

--== SYSTEM CONFIGURATION ==--

[WARNING] A configuration file must be supplied to deploy Hosted Engine on an additional host.
[ INFO ] Answer file successfully loaded

--== NETWORK CONFIGURATION ==--

[ INFO ] Additional host deployment, firewall manager is 'iptables'
The following CPU types are supported by this host:
- model_Haswell-noTSX: Intel Haswell-noTSX Family
- model_SandyBridge: Intel SandyBridge Family
- model_Westmere: Intel Westmere Family
- model_Nehalem: Intel Nehalem Family
- model_Penryn: Intel Penryn Family
- model_Conroe: Intel Conroe Family

--== HOSTED ENGINE CONFIGURATION ==--

Enter the name which will be used to identify this host inside the Administrator Portal [hosted_engine_2]:
Enter 'admin@internal' user password that will be used for accessing the Administrator Portal:
Confirm 'admin@internal' user password:
[ INFO ] Stage: Setup validation
[WARNING] Cannot validate host name settings, reason: resolved host does not match any of the local addresses
Please provide the address of this host.
Note: The engine VM a
[ovirt-users] 3.6 : Hosted engine High Availability
Hi,

I'm trying to "deploy" the hosted engine (3.6) on a second node for HA. I used hosted-engine --deploy, answering the script questions it's a new host setup. However it is requesting me for a FQDN, an engine name and a password for admin@internal. Is this a normal behavior ? It seems very strange to me that the configuration isn't taken from the hosted engine storage, do you think I forgot a step ?

Thanks in advance
[ovirt-users] 3.6 : VLAN / non VLAN
hi,

I'd like to know what happens when you create a new network, tagged with VLAN for example 25 and using em2 :

- the packets outgoing from em2.25 are tagged, right ?
- the packets outgoing from em2 are tagged or not ?
- the result is packets inside ovirt are tagged, but when you go out of it and reach something from em2, are the packets still tagged ?
Re: [ovirt-users] 3.6 : iSCSI LUN not detected
> Yes, you cannot remove the master storage domain, so you need to create
> another domain and make it the master. Then you will be able to detach the
> original storage domain properly.
> Nir

I would love to do that...But it's not possible as long as the master data domain is in maintenance mode. And it doesn't activate... I'm now stuck with second data domain with unknown status, same for hosted_storage and master data domain still in maintenance mode. I can't activate any of the storage and can't reinitialize data center...
Re: [ovirt-users] 3.6 : iSCSI LUN not detected
> Hi Alexis
> Were you able to resolve your storage LUN issue?
> Regards,
> Kevin

I am trying the suggested solution on this post by Nir Soffer : reconnect the storage to the older hypervisor and detach it correctly...But it doesn't work :

From the DC :

1. I set the storage (which is master data domain) to maintenance mode
2. I try to detach it. I get this error message : "Error while executing action: Cannot remove the master Storage Domain from the Data Center without another active Storage Domain to take its place. -Either activate another Storage Domain in the Data Center, or remove the Data Center.
3. If I go in the storage domain menu, I get only the "destroy option", not "remove", which is maybe not what I want. I'd like to be able to keep the data on it.
4. If I try to remove the datacenter as suggested in the error message I get this error (as the hosted-engine storage is still up) : "Error while executing action: Cannot remove Data Center which contains active/locked Storage Domains. -Please deactivate all domains and wait for tasks to finish before removing the Data Center."
5. I can't set the hosted engine storage to maintenance

What should I do ?
Re: [ovirt-users] 3.6 : iSCSI LUN not detected
> Did you deploy the engine from scratch or did you restore a backup there?

From scratch

> In 3.5 we were registering an hosted-engine iSCSI storage domain as a
> (fake) direct LUN into the engine to prevent any misuse.

I have this problem for a data domain but not for the hosted_storage :)

----- Original message -----
From: "Simone Tiraboschi"
To: "Alexis HAUSER"
Cc: "users"
Sent: Wednesday 10 August 2016 11:37:15
Subject: Re: [ovirt-users] 3.6 : iSCSI LUN not detected

On Wed, Aug 10, 2016 at 10:38 AM, Alexis HAUSER wrote:
> Hi,
>
> I am reinstalling a new Node with a new hosted-engine and I would like to
> import an iSCSI storage from a previous ovirt installation.
> However, I can see all LUN present on that iSCSI but the one I want... I
> checked from the iSCSI array and this disk still exists, it's just not
> detected from Ovirt (3.6)...
> I tried to make a new data domain and chose that same iSCSI and it's also
> not detected.
>
> Any ideas ?

Did you deploy the engine from scratch or did you restore a backup there? In 3.5 we were registering an hosted-engine iSCSI storage domain as a (fake) direct LUN into the engine to prevent any misuse.

> I didn't remove the storage from the Engine interface on the previous
> installation, just turned off all VMs accessing the iSCSI and unplugged
> the cable. Is it possible there is still a lock file or something from the
> previous hypervisor ?
[ovirt-users] 3.6 : iSCSI LUN not detected
Hi,

I am reinstalling a new Node with a new hosted-engine and I would like to import an iSCSI storage from a previous ovirt installation. However, I can see all LUN present on that iSCSI but the one I want... I checked from the iSCSI array and this disk still exists, it's just not detected from Ovirt (3.6)... I tried to make a new data domain and chose that same iSCSI and it's also not detected.

Any ideas ?

I didn't remove the storage from the Engine interface on the previous installation, just turned off all VMs accessing the iSCSI and unplugged the cable. Is it possible there is still a lock file or something from the previous hypervisor ?
Re: [ovirt-users] 3.6 : Hosted_Storage unattached
Actually, I solved my problem by solving a bug I was affected by (SELinux preventing to add storage domain), removing the unattached hosted_storage and restarting ovirt-engine. It added it automatically with the VM as usual :)

----- Original message -----
From: "Alexis HAUSER"
To: "users"
Sent: Tuesday 9 August 2016 11:50:48
Subject: [ovirt-users] 3.6 : Hosted_Storage unattached

Hi,

I installed a new node with a new hosted engine, version 3.6, added a data domain, but I can't see the hosted_storage. I tried to use the "import storage" on it but it keeps having unattached status, and in the logs I can see :

"2016-08-09 05:39:32,821 WARN [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) [] Correlation ID: 1d9c8f67, Job ID: 6e75d61e-3140-4f1c-a301-e683ddc28b1f, Call Stack: null, Custom Event ID: -1, Message: This Data center compatibility version does not support importing a data domain with its entities (VMs and Templates). The imported domain will be imported without them."

Any ideas ?
[ovirt-users] 3.6 : Hosted_Storage unattached
Hi, I installed a new node with a new hosted engine, version 3.6, added a data domain, but I can't see the hosted_storage. I tried to use the "import storage" on it but it keeps having unattached status, and in the logs I can see : "2016-08-09 05:39:32,821 WARN [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) [] Correlation ID: 1d9c8f67, Job ID: 6e75d61e-3140-4f1c-a301-e683ddc28b1f, Call Stack: null, Custom Event ID: -1, Message: This Data center compatibility version does not support importing a data domain with its entities (VMs and Templates). The imported domain will be imported without them." Any ideas ?
Re: [ovirt-users] 3.6 : Moving the hosted-engine to another storage
>Unfortunately we know that migrating from HE to HE is not as simple as
>from physical to HE:
>https://bugzilla.redhat.com/show_bug.cgi?id=1240466#c21
>In general the issue is that the DB backup from the old hosted-engine
>VM contains a lot of references to the previous hosted-engine env and
>you cannot simply remove/edit them from the engine since they are lock
>so you have to manually remove them from the DB which is quite
>risky/error prone.

This is a bit scaring. In case of issue with engine and trying to recover, it could also happen. What other way would you suggest for backing the engine VM and being sure to be able to restore it as it was without errors ? Have you ever tried to backup/restore from rsync ? If there are data in the DB written when you're performing it, do you think it can cause issues ? If ovirt-engine service is stopped, is that problem avoided ?

>In the mean time I'd suggest, if feasible, to redeploy a new
>hosted-engine env and reattach there your storage domains and your
>hosts.
>This will imply a downtime.

Ok, I think I'll do that. A downtime isn't a problem right now, as I'm still at a pre-production step. (preparing it for production soon)
[ovirt-users] 3.6 : Moving the hosted-engine to another storage
Hi, I'm currently using an NFS storage for my hosted-engine. However, this NFS server will be removed soon. I'd like to move the hosted-engine to an iSCSI storage. How can I proceed ? The options for moving/copying VM disk don't seem to be available for the hosted engine in the web interface.
Re: [ovirt-users] Network settings for multiple hosts
Ok I start to understand where was the problem :
[ovirt-users] Network settings for multiple hosts
Hi,

Since I use several hosts with ovirt, I get very unstable reactions every time I change anything about networks... What are the requirements for networks when using multiple hosts?

If I add a logical network to a NIC on my first host, the second host becomes non-operational... Do I really need to have the exact same logical network on both hosts? If I add the same network on my second host with no IP address, it still becomes non-operational... Also there are unrelated errors with the iSCSI disk when I do that, VDSM etc... But my main interface on that second host is still up and working with ovirtmgmt on it... And the new interface I try to add is checked as "non required".

Another weird thing is that ifconfig doesn't show my new logical network on my first host, even if it has a new logical network shown as up and working in the web interface (this one has correct IP addressing). Restarting vdsmd on that host doesn't change anything.

Any idea of what is going on, and how I should proceed?
Re: [ovirt-users] ovirt-3.6 : Hosted-engine crashed and can't restart
> The issue seems here: please ensure that you can correctly connect
> your storage server.
> Can you please attach vdsm logs?

Yes, actually I figured out it was a DNS problem: as mentioned in the messages from the log I provided, it wasn't able to reach the NFS where the engine was (as it uses FQDN not IP with NFS it seems, I will fix that so as not to depend on DNS).

This is actually my setup: only Em1 is plugged, it has ovirtmgmt + one other logical VLAN network. This VLAN network was in DHCP and never had an IP, everything was working fine. Since I added an IP address to that interface, the manager crashed. Actually it is trying to use that VLAN interface as the default route, I have no idea why, and causes DNS issues (one of the DNS was on another network, the second was on the same network... it should actually have worked anyway...).

The only way I found to resolve this was ifdown of that interface, and route add default gw ovirtmgmt

After that, I had errors like "unknown stale data" and "failed to reinitilize lockspace"; removing the lockfile with hosted-engine command, and removing manually __DIRECT_IO__ file on the engine storage didn't fix it.

I actually found out what was happening: ovirt-ha-agent had errors in its status (with systemctl), ovirt-ha-broker had errors related to ha-agent and vdsmd had errors related to those 2 previous services.

I resolved my issue by restarting the services in the right order:

# systemctl restart ovirt-ha-agent.service
# systemctl restart ovirt-ha-broker.service
# systemctl restart vdsmd

Anyway thanks for your answer, I hope this topic will help people with similar issues
[ovirt-users] ovirt-3.6 : Hosted-engine crashed and can't restart
After assigning an IP address to a VLAN network (it was using DHCP by default) that was on the same NIC as ovirtmgmt, my hosted-engine crashed and can't start again... I have no idea how to fix this. I had a similar issue some months ago but with a different error.

I tried to restart the ha agent that seems to be linked with this error, also restarted the host. I also tried to remove the _DIRECT_IO_ lockfile on the engine storage as it fixed my problem last time but it didn't help...

Any ideas? Do you think manually editing the logical networks on the host and reverting them to what they were before the crash can help?

hosted-engine --vm-status
Traceback (most recent call last):
  File "/usr/lib64/python2.7/runpy.py", line 162, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_setup/vm_status.py", line 117, in
    if not status_checker.print_status():
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_setup/vm_status.py", line 60, in print_status
    all_host_stats = ha_cli.get_all_host_stats()
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/client/client.py", line 160, in get_all_host_stats
    return self.get_all_stats(self.StatModes.HOST)
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/client/client.py", line 103, in get_all_stats
    self._configure_broker_conn(broker)
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/client/client.py", line 180, in _configure_broker_conn
    dom_type=dom_type)
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/lib/brokerlink.py", line 176, in set_storage_domain
    .format(sd_type, options, e))
ovirt_hosted_engine_ha.lib.exceptions.RequestError: Failed to set storage domain FilesystemBackend, options {'dom_type': 'nfs3', 'sd_uuid': 'e41807e5-ee68-40a2-a642-cc226ba0e82d'}: Request failed:

vdsClient -s 0 list
16450089-911e-4bad-a8b7-98e84a79ef3a
    Status = Down
    nicModel = rtl8139,pv
    statusTime = 4295559350
    exitMessage = Unable to get volume size for domain e41807e5-ee68-40a2-a642-cc226ba0e82d volume 053df3a6-db18-445a-8f75-61c630ab0003
    emulatedMachine = rhel6.5.0
    pid = 0
    vmName = HostedEngine
    devices = [{'index': '0', 'iface': 'virtio', 'format': 'raw', 'bootOrder': '1', 'address': {'slot': '0x06', 'bus': '0x00', 'domain': '0x', 'type': 'pci', 'function': '0x0'}, 'volumeID': '053df3a6-db18-445a-8f75-61c630ab0003', 'imageID': 'b6daa50d-adad-46a5-8f5f-accfb155a1e1', 'readonly': 'false', 'domainID': 'e41807e5-ee68-40a2-a642-cc226ba0e82d', 'deviceId': 'b6daa50d-adad-46a5-8f5f-accfb155a1e1', 'poolID': '----', 'device': 'disk', 'shared': 'exclusive', 'propagateErrors': 'off', 'type': 'disk'}, {'nicModel': 'pv', 'macAddr': '00:16:3e:1c:4b:81', 'linkActive': 'true', 'network': 'ovirtmgmt', 'deviceId': '0aeaea2f-a419-43cc-92d7-8422f6aa9223', 'address': 'None', 'device': 'bridge', 'type': 'interface'}, {'index': '2', 'iface': 'ide', 'readonly': 'true', 'deviceId': '8c3179ac-b322-4f5c-9449-c52e3665e0ae', 'address': {'bus': '1', 'controller': '0', 'type': 'drive', 'target': '0', 'unit': '0'}, 'device': 'cdrom', 'shared': 'false', 'path': '', 'type': 'disk'}, {'device': 'scsi', 'model': 'virtio-scsi', 'type': 'controller', 'deviceId': '21db0c6e-071c-48ff-b905-95478b37c384', 'address': {'slot': '0x04', 'bus': '0x00', 'domain': '0x', 'type': 'pci', 'function': '0x0'}}, {'device': 'usb', 'type': 'controller', 'deviceId': 'c0384f68-d0c9-4ebb-a779-8dc9911ce2f8', 'address': {'slot': '0x01', 'bus': '0x00', 'domain': '0x', 'type': 'pci', 'function': '0x2'}}, {'device': 'ide', 'type': 'controller', 'deviceId': 'd5a2dd13-138a-482b-9bc3-994b10ec4100', 'address': {'slot': '0x01', 'bus': '0x00', 'domain': '0x', 'type': 'pci', 'function': '0x1'}}, {'device': 'virtio-serial', 'type': 'controller', 'deviceId': '9e695172-c9b0-47df-bc76-8170219dec28', 'address': {'slot': '0x05', 'bus': '0x00', 'domain': '0x', 'type': 'pci', 'function': '0x0'}}]
    guestDiskMapping = {}
    vmType = kvm
    displaySecurePort = -1
    exitReason = 1
    memSize = 6000
    displayPort = -1
    clientIp =
    spiceSecureChannels = smain,sdisplay,sinputs,scursor,splayback,srecord,ssmartcard,susbredir
    smp = 4
    displayIp = 0
    display = vnc
    exitCode = 1

systemctl status ovirt-ha-agent.service -l
● ovirt-ha-agent.service - oVirt Hosted Engine High Availability Monitoring Agent
   Loaded: loaded (/usr/lib/systemd/system/ovirt-ha-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-07-20 14:56:22 UTC; 2min 29s ago
 Main PID: 20236 (ovirt-ha-agent)
   CGroup: /system.slice/ovirt-ha-agent.service
           └─20236 /usr/bin/python /u
Re: [ovirt-users] Migration Failure Due to network
> Use "Clusters" -> "Logical Networks" -> "Manage Networks" for assigning
> network for migrations. It's ovirtmgmt by default. Note that migration
> network has to have IPs on hosts.

Nice, do you think I should dedicate a link only for migration, for safety?

> Hosts have VDSM configuration option - [vars]/migration_max_bandwidth
> in /etc/vdsm/vdsm.conf. It's 52MB/s by default. So it looks like your
> network is already highly used.

It's not highly used, it's still on a 10/100 Mb switch... But it's just temporary. Anyway it's interesting because it simulates a highly used network, which can happen.

> Your VM migration fails because migration is so slow so it just can't
> migrate without downtime. You can adjust "Use custom migration
> downtime" VM option to make any VM migrated over any network. Please
> note it's a maximal value. Actually it starts with a value 10 times
> lower and increases it automatically. 5000 is good value to start in
> your case.

Thanks, but it doesn't seem to change anything: I added

max_outgoing_migrations = 1
migration_max_bandwidth = 5

in /etc/vdsm/vdsm.conf on my concerned host, but it still goes to 98% use of network and migration fails... I restarted vdsmd.service but it doesn't seem to change anything. Any idea?
[ovirt-users] Migration Failure Due to network
Here are the two Events I can see:

Host Hypervisor has network interface which exceeded the defined threshold [95%] (em1: transmit rate[98%], receive rate [4%])
Migration failed (VM: Clone-ubuntu, Source: Hypervisor, Destination: hypervisor22).

Any ideas? It is not the first time I have this kind of network saturation issue...

My current temporary setup is this: 2 hosts with only one physical network interface used and assigned to ovirtmgmt, used by all VMs.

Does migration of a running VM from one host to the other use the network assigned to that VM for migration? Or does it use ovirtmgmt in all cases?

What minimum network architecture setup would you advise to avoid this kind of issue?
Re: [ovirt-users] Host non operationnal due to an iSCSI problem
>Normally you should not have to do that. It could be that it was not >allowed access, and you'd have to leave it a while for the host to retry. It looped on retrying to make it work for 24 hours...It was authorized. But actually when I first add the host, it didn't have authorization. I added authorization, then it looped on retrying without success...Until I did what I told you. >At least you have it working now! Yes thank you, but I'm a bit disappointed by this instability and I'd really like to understand what happened...In case it reproduce again. > > > >> If you only have one physical interface on each host, there's not much >> point doing multipath, as you don't stand to gain any performance or >> resilience. > I didn't choose if it was multipath or not, someone only gave me access to > this storage, but I understand what you mean. However, I'll certainly add > bonding later. > > > Do you have any idea what setting maintenance mode and reactivating does on a > host ? Does it restart some services ? I don't really understand what just > happened actually... > All I know is that it is used for backup, reinstall and update. Maintenance mode will migrate any running VMs off that host and enable you to do some tasks (including the ones you mention) that you can't do when it's running VMs. I believe it stops certain services as well, not sure which ones. It's perfectly safe and routine thing to do in RHEV/oVirt. Thanks, that's certainly what solved the issue then...Or the Dell Bay doing weird random stuff who knows ^^ I've often heard people telling others setting up a host or engine to maintenance mode then reactivate in case of a lot of various issues, it seems to be a method to keep in mind. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Host non operationnal due to an iSCSI problem
> I'm still finding this hard to understand. If you are using iSCSI, you
> /are/ using a server (called the "Target" in SCSI speak). Is the iSCSI
> storage actually on the first host?

It's a Dell bay (or "storage array", I think that's the correct name in English...)

> How did you actually do the
> discovery and assign the LUNs? In the storage domain properties you
> should be able to see the IP and port of the Targets, something like
> "iqn.2012-02:foo-target1,192.168.10.10,3260", and you need to ensure the
> second host can reach that IP and port to be able to see the storage.

Actually I just made a test: authorize access only to the second host (on the Dell bay), it works but only after setting it to maintenance mode and reactivating it. Then authorizing both of the hosts (as initially) makes them both work now... It doesn't really make sense... It is a very strange behavior. Maybe the second host needed to be set in maintenance mode then reactivated?

> If you only have one physical interface on each host, there's not much
> point doing multipath, as you don't stand to gain any performance or
> resilience.

I didn't choose if it was multipath or not, someone only gave me access to this storage, but I understand what you mean. However, I'll certainly add bonding later.

Do you have any idea what setting maintenance mode and reactivating does on a host? Does it restart some services? I don't really understand what just happened actually... All I know is that it is used for backup, reinstall and update.
Re: [ovirt-users] Host non operationnal due to an iSCSI problem
> I don't understand. iSCSI is a network storage protocol. What do you
> mean by "I access it directly"? When you set up the first host with an
> iSCSI storage domain, you would have had to point it to an IP address,
> "discover" the LUNs and then attach to them. This sets up the domain.

As I explained, I don't use an iSCSI server, that's what I call accessing it "directly". Yes, my iSCSI storage is working on my first host, it has been discovered successfully, some VMs are working on it etc... The second host can discover it so I don't think it's a network issue.

From the vdsm logs from second host ("the non working one") it looks like it can even see the LVM on it, right?

Thread-32::DEBUG::2016-07-19 08:41:37,935::lvm::290::Storage.Misc.excCmd::(cmd) FAILED: = ' Volume group "091e0526-1ff3-4ca3-863c-b911cf69277b" not found\n Cannot process volume group 091e0526-1ff3-4ca3-863c-b911cf69277b\n'; = 5

> On the second host, to access iSCSI storage you will have to have an
> interface (defined in "Networks" in oVirt) that can connect to the same
> IP and port the first host used.

Yes I have a network interface working on the second host, which is ovirtmgmt. I can access all other storage correctly from that host without errors. I can discover the iSCSI. As it is a multipath iSCSI, does it need to access one different path for each host? I didn't set anything about iSCSI bonding, I use only one single interface on each host.
Re: [ovirt-users] Host non operationnal due to an iSCSI problem
>Sounds like a possible networking problem. Have you assigned IP >addresses to the storage interfaces on this new host? hum, What do you mean by storage interfaces ? The other host on the same network can access it. > If you're using > VLANs, are they set up correctly on your switch ports for the SAN network? Yes I don't use a server to share the iSCSI storage to the hosts, (I access it directly). Do I need it ? I saw that in the RHEV doc, on first part of the iSCSI section... ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Host non operationnal due to an iSCSI problem
Hi,

I just added a second host but it can't become operational, because it can't access the iSCSI storage domain.

My first question: is it normal or not, is RHEV really able to manage the fact an iSCSI LUN can be accessed from multiple hosts?

I don't find anything in the logs, except vdsm logs that seem to give some clue: https://bpaste.net/show/e06a11d79040

It seems there are LVM related errors, so does it mean it can access the iSCSI...? By the way it's a multipath iSCSI.

Any ideas?
[ovirt-users] Importing QCOW2 into ovirt-3.6
Hi, I downloaded a linux appliance "for KVM" in .QCOW2 extension. How can I import it ? I tried adding it manually to a NFS share but it doesn't seem detected by ovirt 3.6 Any ideas ? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Kernel related errors with Fedora 24 Guest
This doesn't looks really good, right ? Should I report that somewhere ? I actually had this bug when using RHEL7 profile for a Fedora 24 (to provide enough vram, because the default with other profiles is really lower). [Wed Jul 13 11:00:12 2016] [ cut here ] [Wed Jul 13 11:00:12 2016] WARNING: CPU: 2 PID: 1750 at drivers/gpu/drm/drm_irq.c:689 drm_calc_timestamping_constants+0x15b/0x160 [drm]() [Wed Jul 13 11:00:12 2016] Modules linked in: uinput fuse nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp llc ebtable_nat ip6table_security ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_raw ip6table_mangle iptable_security iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_raw iptable_mangle ebtable_filter ebtables ip6table_filter ip6_tables crct10dif_pclmul crc32_pclmul ghash_clmulni_intel ppdev joydev i2c_piix4 virtio_balloon parport_pc parport acpi_cpufreq tpm_tis tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc virtio_console virtio_scsi virtio_blk virtio_net qxl drm_kms_helper ttm crc32c_intel drm serio_raw virtio_pci virtio_ring virtio ata_generic pata_acpi [Wed Jul 13 11:00:12 2016] CPU: 2 PID: 1750 Comm: Xorg Tainted: GW 4.5.5-300.fc24.x86_64 #1 [Wed Jul 13 11:00:12 2016] Hardware name: Red Hat RHEV Hypervisor, BIOS seabios-1.7.5-11.el7 04/01/2014 [Wed Jul 13 11:00:12 2016] 0286 9e0fbed4 880074e93978 813d35af [Wed Jul 13 11:00:12 2016] a009b9dc 880074e939b0 810a5f12 [Wed Jul 13 11:00:12 2016] 8800360b7800 880036b92800 880036b92b78 0001 [Wed Jul 13 11:00:12 2016] Call Trace: [Wed Jul 13 11:00:12 2016] [] dump_stack+0x63/0x84 [Wed Jul 13 11:00:12 2016] [] warn_slowpath_common+0x82/0xc0 [Wed Jul 13 11:00:12 2016] [] warn_slowpath_null+0x1a/0x20 [Wed Jul 13 11:00:12 2016] [] drm_calc_timestamping_constants+0x15b/0x160 [drm] [Wed Jul 13 11:00:12 2016] [] drm_crtc_helper_set_mode+0x42f/0x510 [drm_kms_helper] [Wed Jul 13 
11:00:12 2016] [] drm_crtc_helper_set_config+0xa43/0xb90 [drm_kms_helper] [Wed Jul 13 11:00:12 2016] [] drm_mode_set_config_internal+0x62/0x100 [drm] [Wed Jul 13 11:00:12 2016] [] drm_mode_setcrtc+0x2ef/0x520 [drm] [Wed Jul 13 11:00:12 2016] [] drm_ioctl+0x152/0x540 [drm] [Wed Jul 13 11:00:12 2016] [] ? drm_mode_setplane+0x1b0/0x1b0 [drm] [Wed Jul 13 11:00:12 2016] [] do_vfs_ioctl+0xa3/0x5d0 [Wed Jul 13 11:00:12 2016] [] SyS_ioctl+0x79/0x90 [Wed Jul 13 11:00:12 2016] [] entry_SYSCALL_64_fastpath+0x12/0x6d [Wed Jul 13 11:00:12 2016] ---[ end trace d65ce2e725b31419 ]--- [Wed Jul 13 11:00:12 2016] input: spice vdagent tablet as /devices/virtual/input/input12 [Wed Jul 13 11:00:18 2016] input: spice vdagent tablet as /devices/virtual/input/input13 [Wed Jul 13 11:00:20 2016] input: spice vdagent tablet as /devices/virtual/input/input14 [Wed Jul 13 11:00:38 2016] input: spice vdagent tablet as /devices/virtual/input/input15 ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Changing video memory size
> That's right. You can add similar lines for other OSes as needed.

Is there a way to change it for all OSes in a row? Something like "os.all.devices.display.vramMultiplier.value = 2"

How is that memory used on the hypervisor? Will this use the physical vram for the same amount or will it use the physical RAM? i.e. if I set all VMs to 32, can I reach the limit of the resources of my hypervisor quickly?

So basically, I must create a 01-defaults.properties file? Will it overwrite only the parameters I change in that file, or will it totally replace the whole configuration with my new file?
Re: [ovirt-users] Changing video memory size
> Look for vramMultiplier in osinfo-defaults.properties file.
> The following formula applies: vram_size = vramMultiplier * vgamem
> You must restart Engine to apply the new setting.

The only thing I found about it in that file is:

os.rhel_7x64.devices.display.vramMultiplier.value = 2

I am not sure this file is what I want: from what it seems, it only affects some parameters at the creation of the OS. i.e. if I take an ubuntu but I set it up as RHEL7, it won't have more vram. With centOS7 however (that I have set as RHEL7 at its creation), it has more vram, but not 2*, really more: centOS has "vram_size=33554432" from what qemu says and all other VMs have 8 instead of...33
[ovirt-users] Changing video memory size
Hi, I would like to change the video memory size (vram_size parameter), how can I proceed ? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Stuck process in the "Tasks" tab (webadmin interface)
3.6.5
So this is a bug?

- Original Message -
From: "Arman Khalatyan"
To: "Alexis HAUSER"
Cc: "users"
Sent: Friday, 8 July 2016 09:38:21
Subject: Re: [ovirt-users] Stuck process in the "Tasks" tab (webadmin interface)

Which version of ovirt? This should be fixed in 3.6.7.

On 06.07.2016 5:51 PM, "Alexis HAUSER" < alexis.hau...@telecom-bretagne.eu> wrote:

> > Restart engine, or run engine-setup it will clear Zombie tasks.
>
> Still having this stuck task since May 20, restarting engine didn't fix it.
Re: [ovirt-users] Stuck process in the "Tasks" tab (webadmin interface)
> Restart engine, or run engine-setup it will clear Zombie tasks. Still having this stuck task since may 20, restarting engine didn't fix it. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Can't move VMs from a data domain to another
Hi, I was using a NFS storage and I'm now moving all VMs from there to an iSCSI. I successfully moved most VMs disks but now when I try to move those made from template using thin and VMs from pool, I get the following error : "the template that this VM is based on doesn't exit on any storage domain" When I check, I can see that the template still exist, none have been removed...Any idea how to solve this ? Should I use a different method to move those VMs (I'm currently trying to use the "move" option from the disks interface.) ? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Ovirt-guest-agent intégration in Ubuntu 16.04 Xenial
Sorry it's a standard Ubuntu, not Ubuntu-Mate ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Ovirt-guest-agent intégration in Ubuntu 16.04 Xenial
This is what happens when I try to start the ovirt-guest-agent in Ubuntu-Mate 16.04 Xenial, any ideas ? /etc/init.d/ovirt-guest-agent status ● ovirt-guest-agent.service - oVirt Guest Agent Loaded: loaded (/lib/systemd/system/ovirt-guest-agent.service; disabled; vendor preset: enabled) Active: failed (Result: exit-code) since mer. 2016-07-06 10:30:44 CEST; 11min ago Process: 20753 ExecStart=/usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py (code=exited, status=1/FAILURE) Process: 20747 ExecStartPre=/bin/chown ovirtagent:ovirtagent /run/ovirt-guest-agent.pid (code=exited, status=0/SUCCESS) Process: 20742 ExecStartPre=/bin/touch /run/ovirt-guest-agent.pid (code=exited, status=0/SUCCESS) Process: 20739 ExecStartPre=/sbin/modprobe virtio_console (code=exited, status=0/SUCCESS) Main PID: 20753 (code=exited, status=1/FAILURE) juil. 06 10:30:44 ubuntu-RHEV-Hypervisor python[20753]: File "/usr/lib/python2.7/logging/handlers.py", line 64, in __init__ juil. 06 10:30:44 ubuntu-RHEV-Hypervisor python[20753]: logging.FileHandler.__init__(self, filename, mode, encoding, delay) juil. 06 10:30:44 ubuntu-RHEV-Hypervisor python[20753]: File "/usr/lib/python2.7/logging/__init__.py", line 913, in __init__ juil. 06 10:30:44 ubuntu-RHEV-Hypervisor python[20753]: StreamHandler.__init__(self, self._open()) juil. 06 10:30:44 ubuntu-RHEV-Hypervisor python[20753]: File "/usr/lib/python2.7/logging/__init__.py", line 943, in _open juil. 06 10:30:44 ubuntu-RHEV-Hypervisor python[20753]: stream = open(self.baseFilename, self.mode) juil. 06 10:30:44 ubuntu-RHEV-Hypervisor python[20753]: IOError: [Errno 13] Permission denied: '/var/log/ovirt-guest-agent/ovirt-guest-agent.log' juil. 06 10:30:44 ubuntu-RHEV-Hypervisor systemd[1]: ovirt-guest-agent.service: Main process exited, code=exited, status=1/FAILURE juil. 06 10:30:44 ubuntu-RHEV-Hypervisor systemd[1]: ovirt-guest-agent.service: Unit entered failed state. juil. 
06 10:30:44 ubuntu-RHEV-Hypervisor systemd[1]: ovirt-guest-agent.service: Failed with result 'exit-code'. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] VDI experience to share?
> On that same note... I would love to deploy several Thin clients around my
> house using a single Centos Server for my kids to use.
> Is this still not possible?
> Do I still have to assign each of my kids a vm?
> Regards,
> --
> Fernando Fuentes
> ffuen...@txweather.org
> http://www.txweather.org
> On Wed, Jun 15, 2016, at 12:20 PM, Gianluca Cecchi wrote:

This depends on what you implement on the server side and how you configure it. If you thought about a centos server with ovirt, then you can do as you want: assign each kid a VM, or make VMs they can both access.
[ovirt-users] Stuck process in the "Tasks" tab (webadmin interface)
hi, I realized that I still have a process of creating a VM pool in the Tasks since...May 20... How can I check if there is a stuck job or something still trying to do it ? If nothing is going on, how can I clear this from the event logs ? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] VDI experience to share?
> we were looking for a prepackaged solution because of the lack of
> human resources to devote to the project.
> But if pursuing this research becomes too exhausting we would probably
> develop a linux solution and in that case the kind of terminal you
> suggested is interesting indeed.

Hi, I'm currently trying to find a solution based on linux too. If you're interested in details about my research and tests, I can give you a summary:

On most linux thin client distributions, spicec and spicy are integrated. Sadly, they are not real spice clients. As you can find in the spice documentation, "spicec is an obsolete legacy client, and spicy is only a test application". The only real Spice client so far is remote-viewer (part of the virt-viewer package); by default it works with VNC, but if you want it to also support spice, you need spice-client-gtk (the name of this package may vary between distributions).

Before developing a solution, you should maybe check Thinstation, which is a prepackaged solution that lets you create your own ISO files for clients. I once made some 65 MB client images. So far it supports RDP, ICA and VNC very well. The only bad point with this solution is the fact that remote-viewer and spice-client-gtk aren't integrated yet. But they should be integrated soon (I'll work on that when I have time) and you can still compile them. However, it takes time to understand how to deal with Thinstation, but the result is really impressive.

There are also some other solutions like Netpoldo, but it's using old debian/ubuntu versions and doesn't seem to be really alive anymore... (and old remote-viewer versions don't really work properly, or when they do there is no sound, cf. debian jessie)

I hope this helps. I'll try to post here when I have a working setup on the client side. I guess this is still on topic as Giorgio was asking for sharing experience :)
Re: [ovirt-users] RHEV-M installation failure
It is telling you where is the log file to check : Log file is located at /var/log/ovirt-hosted-engine-setup/ovirt-hosted-engine-setup-20160614145427-u8mxun.log That would give more details ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Problem accessing to hosted-engine after wrong network config
> Thanks for the report.
> Can you please summarize how you solved the wrong-vlan issue? Thanks.

Actually, this isn't very clear.

After changing the ovirtmgmt VLAN, I wasn't able to access the web interface anymore (or even to ping the FQDN of the hosted-engine VM). After trying a lot of different things with no success, I decided to reboot the hypervisor. I don't know if this reboot was a wrong idea, but I started to realize the VM wasn't really started:

- hosted-engine --vm-status was showing as if the VM was started but with "unknown stale data"
- vdsClient -s 0 list was showing the VM as down with "exitMessage = Failed to acquire lock: No space left on device"

I tried everything about maintenance mode / stopping the VM / starting it with ovirt commands, but the VM was not starting, it was crashing with the error message above (and unreachable from the network of course).

I found out there was an option in the hosted-engine command to reinitialize the lockspace but I still had the same error.

Before deleting everything on my NFS data domain, I tried to delete the file called __DIRECT_IO_TEST__ which seems to be a lock file (there is no documentation at all concerning this, from what I can see) and I've been lucky: the VM started again, with a good status and was accessible.

So there are 3 points I don't understand:

1) On the hypervisor, every config file and configuration I could get related to ovirtmgmt didn't have any VLAN option: does it mean that from the moment I changed this VLAN option on the VM its link with the hypervisor has been cut and the information about the VLAN in the VM didn't come back to the hypervisor?

2) The fact that hosted-engine --reinitialize-lockspace didn't reinitialize the lockspace correctly and I had to do it manually... And only deleting this file manually made everything work again

3) After this file was deleted, why was I able to ping and contact my VM again while it was still configured on another wrong VLAN? I should have lost connectivity completely

Maybe some of these behaviors are bugs, but it's hard to guess which part, to be able to file a new bug report...
Re: [ovirt-users] hosted-engine vm-status stale data and cluster seems "broken"
> http://imgur.com/a/6xkaS

I had similar errors with one single host and a hosted-engine VM. My case should be totally different, but one thing you could try first is to check the VM is really up. In my issues, the VM was shown by the hosted-engine command as up, but was down. With the vdsClient command, you can check its status with more details.

What is the result for you of the following command?

vdsClient -s 0 list
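The check suggested in the post above, as an added example that is not part of the original post or of oVirt's own code: a small Python parser for `vdsClient -s 0 list` output that reports VMs whose Status is Down and groups the two exitMessage texts quoted on this page. It assumes vdsClient prints a VM UUID on its own line followed by indented `key = value` lines (the archive shows the output flattened); the sample input, the second VM and the category names are constructed.

```python
"""Triage `vdsClient -s 0 list` output (added example, constructed sample)."""
import re
from typing import Dict, List, NamedTuple

# Assumed layout: a bare UUID line starts a VM, indented "key = value" lines follow.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
FIELD_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*)$")

# exitMessage fragments quoted in the posts on this page, mapped to
# hypothetical category names chosen for this example.
HINTS = [
    ("Failed to acquire lock", "lockspace"),
    ("Unable to get volume size", "storage"),
]

# Constructed sample; the first VM reuses values from the posts on this page.
SAMPLE = """\
16450089-911e-4bad-a8b7-98e84a79ef3a
\tStatus = Down
\tnicModel = rtl8139,pv
\texitMessage = Unable to get volume size for domain e41807e5-ee68-40a2-a642-cc226ba0e82d volume 053df3a6-db18-445a-8f75-61c630ab0003
\tvmName = HostedEngine
\tclientIp =
\texitCode = 1

11111111-2222-3333-4444-555555555555
\tStatus = Up
\tvmName = constructed-guest
"""


class Finding(NamedTuple):
    vm_id: str
    name: str
    category: str
    exit_message: str


def parse_vds_list(text: str) -> Dict[str, Dict[str, str]]:
    """Return {vm_uuid: {field: value}} for every VM block in the output."""
    vms: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # A UUID at column 0 opens a new VM block.
        if not line[0].isspace() and UUID_RE.match(line.strip()):
            current = vms.setdefault(line.strip(), {})
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            # Values may be empty ("clientIp =") or contain " = " themselves.
            current[match.group(1)] = match.group(2).strip()
    return vms


def triage(vms: Dict[str, Dict[str, str]]) -> List[Finding]:
    """List VMs that vdsm reports as Down, with a category for the exitMessage."""
    findings = []
    for vm_id, fields in vms.items():
        if fields.get("Status") != "Down":
            continue
        message = fields.get("exitMessage", "")
        category = next(
            (cat for needle, cat in HINTS if needle in message), "unclassified"
        )
        findings.append(Finding(vm_id, fields.get("vmName", "?"), category, message))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_vds_list(SAMPLE)):
        print(f"{finding.name} ({finding.vm_id}) is Down [{finding.category}]: "
              f"{finding.exit_message}")
```

On a host, the text passed to `parse_vds_list` would be the captured output of the command instead of `SAMPLE`.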
Re: [ovirt-users] Problem accessing to hosted-engine after wrong network config
Actually I found my answer : it was just a problem on the NFS share, no relationship with ovirt itself, sorry about that. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Problem accessing to hosted-engine after wrong network config
I actually found out the problem was somewhere else. By deleting the file, which seems to be the lockfile in the data domain called "__DIRECT_IO_TEST__", the VM can now start again without crashing.

Anyway, datacenter is in "non responsive" mode and data domains are now "inactive" and "unknown"

Any ideas ?

- Original message -
From: "Alexis HAUSER"
To: "Martin Polednik"
Cc: "users"
Sent: Wednesday 8 June 2016 23:20:51
Subject: Re: [ovirt-users] Problem accessing to hosted-engine after wrong network config

>Wouldn't there be another way to access console from the hypervisor to the
>hosted-engine (without X) ?

>Not really if you don't have network afaik. Have you done the virsh
>command with root permissions?
>sudo virsh list
>sudo virsh console vm
>If list even under root permissions doesn't show anything, make sure
>that the qemu process is running.

I can't see it with "virsh list" but I can see it with vdsClient -s 0 list
However the status is "Down" with "exitMessage = Failed to acquire lock: No space left on device"

I can't actually run the VM anymore since I changed the VLAN of ovirtmgmt...
Re: [ovirt-users] Problem accessing to hosted-engine after wrong network config
>Wouldn't there be another way to access console from the hypervisor to the
>hosted-engine (without X) ?

>Not really if you don't have network afaik. Have you done the virsh
>command with root permissions?
>sudo virsh list
>sudo virsh console vm
>If list even under root permissions doesn't show anything, make sure
>that the qemu process is running.

I can't see it with "virsh list" but I can see it with vdsClient -s 0 list
However the status is "Down" with "exitMessage = Failed to acquire lock: No space left on device"

I can't actually run the VM anymore since I changed the VLAN of ovirtmgmt...
Re: [ovirt-users] Problem accessing to hosted-engine after wrong network config
Wouldn't there be another way to access console from the hypervisor to the hosted-engine (without X) ?
Re: [ovirt-users] Problem accessing to hosted-engine after wrong network config
>I'm not sure about first part, but it should be accessible from
>engine's hypervisor using QEMU console. You can list VMs running on
>the host with
>$ virsh -r list

That would be nice, but the list is empty... However I can see it with vdsClient -s 0 list and hosted-engine --vm-status after setting it in maintenance mode.
[ovirt-users] Problem accessing to hosted-engine after wrong network config
hi,

I made a terrible and stupid mistake : I changed the VLAN of the wrong ovirt network interface : ovirtmgmt... I now don't have access to my hosted engine anymore. I can still access the host hypervisor anyway.

Any idea how I can change the ovirtmgmt VLAN (disabling the option enable VLAN tagging at all) without accessing the hosted-engine ?

If there is no way, how can I access the hosted engine console ? I tried with remote-viewer and ssh forwarding with no success... Are there other ways using hosted-engine --console and ssh X forwarding ?
[ovirt-users] Changing ticket duration for VMs
Hi,

I'm looking for a way to change the duration of all tickets from all VMs. How can I do this ? I'd like to change it to 5 min instead of 2 min.

It seems it is possible to change these parameters using the RestAPI, with "action.grace_period.expiry" or "action.ticket.value"... Anyway, these parameters seem to be accessible only using POST but not GET. How can you retrieve their value then, using POST ?

These parameters seem to be available for each VM, is there a way to set it for all VMs in general, even next VM created ? Do they work for all tickets created, or only one single generated ticket where you define its value ?
[ovirt-users] Automated users/groups creation and updating them
Hi,

I'm trying to find what are the different ways / approaches to automated users/groups creation, based on a LDAP/AD database.

This is my first problem : when a LDAP/AD provider is joined, and a user is created in ovirt from this provider, the user inherits a part of the attributes from this LDAP database. Now if I change one attribute on the LDAP side (for example "first name"), it isn't updated on the ovirt user. Would there be other way to update this information than creating / deleting the user ?

My second problem is what should I use to automate creation of users. It seems possible with :

- shell scripting : using ovirt-aaa-jdbc-tool
- python SDK
- java SDK
- rest API

Which one of these approaches would be the most simple ? I'm more familiar with shell scripting than other languages. That would be nice to find a way with it.

Concerning ovirt-aaa-jdbc-tool, I've heard it was only adding/deleting users from the internal DB, not the others. In that case, is there a way in shell scripting to interact with other profiles than internal ? Are there files somewhere containing users and their information I could modify ? What would happen if a user is in use and it is modified/deleted at the same time ?

I know it makes a lot of questions, but I can't really get started before having those answers.
[ovirt-users] Hiding extended user interface
Hi, Is there a way to hide the "extended" user interface, and show only the "basic" one ? Is it also possible to show only the extended and hide the basic ?
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>> Thank you, this actually works. Yes, I'll remove it as soon as possible.
>> Now with RHEV + AD, it seems better than RHEV + LDAP for groups : it finds
>> most of the groups a user belongs to. RHEV + LDAP is only able to find one
>> group a user belongs to (which is not the same group found when I search
>> the same user with ldapsearch...Still not able to solve that mystery)

>That's very strange, we test it and it works for us. But you said you
>use more namingContexts than one, right? It could be the problem as we
>support only one.

Which attribute is used by RHEV/ovirt to guess which user a group belongs to (or the contrary), in the case of LDAP and in the case of AD ? I can see that not all attributes are filled in the AD/LDAP database here.

>Run this command:
>$ keytool -storepasswd -keystore /path/to/jks/x.jks
>It will ask you for old and new password.

Thank you, I'll ask rhev-docs to add this to the documentation, as they make you generate a new certificate even when using the automatic setup, which makes the automatically generated certificate useless.

By the way, is there a list of all the possible options/values of .properties file ?
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>Until administrators will fix AD servers, in order to use SSL you can
>temporarily use following setup:
> pool.default.serverset.single.server = AD1
> pool.default.dc-resolve.enable = false
> pool.default.ssl.startTLS = true
>But this is only temporary solution and you should switch back to
>'srvrecord' until AD is fixed.

Thank you, this actually works. Yes, I'll remove it as soon as possible.

Now with RHEV + AD, it seems better than RHEV + LDAP for groups : it finds most of the groups a user belongs to. RHEV + LDAP is only able to find one group a user belongs to (which is not the same group found when I search the same user with ldapsearch...Still not able to solve that mystery)

By the way, how would you change the default password associated with the .jks certificate automatically generated from the interactive setup ?
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>Oh, I see it, we were blind all the time. The problem is in AD2 and AD3.
>AD1 and AD4 are fine.
>So yes the problem is on AD side but only for AD2 and AD3, that's why it
>worked for aaa-ldap-setup :)
>So actually this command shouldn't work for you:
> LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H ldap://AD2.mydomain.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>but this should:
> LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H ldap://AD4.mydomain.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'

Nice catch ! I made tests on the 4 servers, with ldapsearch :

OK : ldaps://AD1:636
Not working : ldaps://AD2:636
Not working : ldaps://AD3:636
OK : ldaps://AD4:636

So, half of AD don't like ldaps...

Without using ldaps, it was working for the 3 first of them, but not AD3...(the search user was disabled on this one, I asked for it to be enabled, now ldapsearch works on this one, but only with ldap, not ldaps), so now : ldapsearch works using ldap:AD1,2,3,4, even when using LDAPTLS_PROTOCOL_MIN=3.2

In the SRV records when using dig _ldap._tcp.mydomain.com, there are 5 AD...One of them has been disabled but not removed from the SRV records. (but when using dig @AD1,2,3,4 _ldap_tcp.mydomain, I can see this 5th AD has been removed)

Now the thing is : I don't have access to SRV records, I don't have access to AD configuration. For a strange reason it now works with "insecure", but not pool.default.ssl.enable or StartTLS.
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>Default password is 'changeit' (without quotes).
>Hmm, can you please try use the .jks file generated by aaa-ldap-setup
>tool? Just to be sure.

I still have the same error with the default jks

>Anyway, the strange thing is that aaa-ldap-setup tool passes, but
>extension don't work later.
>My guess is that it could be unsupported TLS version.
>Can you please try running:
> LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>and
> LDAPTLS_PROTOCOL_MIN=3.2 LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -Z -H ldap://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>Do both commands succeed?

Yes, they both succeed.

>If the later one don't work then probably your AD don't accept TLSv1.
>You can change it by this configuration options:
> pool.default.ssl.startTLSProtocol=TLSv1
>to secure:
> pool.default.ssl.startTLSProtocol=TLSv1.2
>or:
> pool.default.ssl.startTLSProtocol=SSLv3
>But, you should use TLSv1.2.
>If none of this is true, then I would try to enable insecure connection:
> pool.default.ssl.insecure = true

I still get the same SSL error with all these options (even insecure)

>If it will work, then the problem is most probably with certificate.
>If it won't work, then the problem is most probably with startTLS
>configuration on AD side.

So, do you think it's startTLS on AD side ?
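As an added example (not part of the original posts and not code from the oVirt project), the TLS-related settings traded back and forth in this thread can be checked before restarting the engine with a small linter for an aaa-ldap profile. It inspects only keys quoted in the thread and restates the advice given in the replies; the function names, rule ids and the sample profiles are constructed for illustration, and simple `key = value` lines are assumed.

```python
"""Lint the TLS-related keys of an aaa-ldap profile (.properties) file.

Added example: only keys quoted in this thread are inspected, and each rule
restates advice given in the replies. Function names are hypothetical.
"""

WEAK_PROTOCOLS = {"SSLv3", "TLSv1"}
P = "pool.default."


def parse_properties(text):
    """Parse simple 'key = value' lines; skip blanks and '#' / '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_true(props, key):
    return props.get(key, "false").lower() == "true"


def srv_query_name(props):
    """SRV name the profile makes the engine look up, or None without a domain."""
    domain = props.get(P + "serverset.srvrecord.domain")
    if domain is None:
        return None
    # The thread shows '_ldap._tcp.<domain>' being queried when no service is set.
    service = props.get(P + "serverset.srvrecord.service", "ldap")
    return "_%s._tcp.%s" % (service, domain)


def dns_has_port(value):
    """True if a vars.dns value such as dns://host:636 carries a port."""
    host = value.split("://", 1)[-1]
    _, sep, port = host.rpartition(":")
    return bool(sep) and port.isdigit()


def lint_profile(text):
    """Return a list of (rule_id, severity, message) findings."""
    props = parse_properties(text)
    out = []
    ssl_on = is_true(props, P + "ssl.enable")
    starttls = is_true(props, P + "ssl.startTLS")
    srv = srv_query_name(props)
    service = props.get(P + "serverset.srvrecord.service", "ldap")

    if is_true(props, P + "ssl.insecure"):
        out.append(("insecure", "high",
                    "ssl.insecure is a diagnostic setting; remove it after testing"))
    proto = props.get(P + "ssl.startTLSProtocol")
    if proto in WEAK_PROTOCOLS:
        out.append(("weak-protocol", "high",
                    "startTLSProtocol=%s; the thread recommends TLSv1.2" % proto))
    if ssl_on and starttls:
        out.append(("both-modes", "medium",
                    "ssl.enable (LDAPS) and ssl.startTLS are both set; keep one"))
    if not ssl_on and not starttls:
        out.append(("no-tls", "high", "neither ssl.enable nor ssl.startTLS is set"))
    if ssl_on and srv and service != "ldaps":
        out.append(("ldaps-on-srv-389", "medium",
                    "%s normally points at port 389, where LDAPS fails" % srv))
    if srv and service == "ldaps":
        out.append(("ldaps-srv-needed", "info",
                    "DNS must publish %s (port 636); check it with dig" % srv))
    if dns_has_port(props.get("vars.dns", "")):
        out.append(("dns-port", "low",
                    "vars.dns names a DNS server; a port there does not set the LDAP port"))
    if P + "serverset.single.server" in props:
        out.append(("pinned-server", "low",
                    "single pinned server is a temporary setup; return to srvrecord"))
    return out


# Constructed sample profiles (not taken from a real deployment).
SAMPLE_PROFILE = """\
# constructed sample
vars.dns = dns://ad1.example.test:636
pool.default.serverset.srvrecord.domain = example.test
pool.default.ssl.enable = true
pool.default.ssl.insecure = true
pool.default.ssl.startTLSProtocol = TLSv1
"""

FIXED_PROFILE = """\
pool.default.serverset.srvrecord.domain = example.test
pool.default.ssl.startTLS = true
pool.default.ssl.startTLSProtocol = TLSv1.2
"""

if __name__ == "__main__":
    for rule, severity, message in lint_profile(SAMPLE_PROFILE):
        print("%-6s %-18s %s" % (severity, rule, message))
```

The linter only reads the file; whether the SRV name it reports actually resolves still has to be confirmed with dig against the DNS server the engine uses.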
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>This is output of installation script
>'ovirt-engine-extension-aaa-ldap-setup', which is written in python, but
>aaa-ldap extension in Java. So the strange thing is that you can connect
>via startTLS in python script, but later you can't connect with aaa-ldap
>Java extension.
>Can you please also share output of this command:
> $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=login.log aaa login-user --profile=AD2 --user-name=mysearchuser --password=pass:password
>Hopefully it tells more. Thanks.

Yes, Here it is : https://bpaste.net/show/4530b8075e1d

I don't see much more than these SSL errors. What about you ?

By the way, I've never found out what password should be used for the automatically generated .jks files from the ovirt-engine-extension-aaa-ldap-setup. That's why I use a generated .jks file (with keytool command). Anyway, I don't think there could be any problem with that, as I can use this cert for ldapsearch, I was just wondering what that default password of that automatically generated file could...
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>'ovirt-engine-extensions-tool' logs would be more helpful.

Here it is : https://bpaste.net/show/a166df875909

I can't see anything else than this SSL error and what seems to be a missing python module : "ImportError: No module named dnf"

Can you see something else or do you have any idea of what I could do to solve this StartTLS problem ?
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>Well startTLS is preferred always before ldaps, not only in AD. So maybe
>you can open documentation bug, so we will properly describe how this
>DNS SRV server set works and what needs to be done, to get it properly
>working.

Ok, I'll do that. I counted : that will be my 18th bug in my list (counting also the RFE and docs bugs, not only the software bugs, I didn't report all of them yet) for RHEV/ovirt... I should be paid by Red Hat team ;) (by the way, I hope the stability of RHEV will increase)

>Unfortunately no, I can only see that's something wrong with SSL.

That's also the only thing I saw.

>'ovirt-engine-extensions-tool' logs would be more helpful.

Here it is : https://bpaste.net/show/a166df875909

>Btw, did you install it via 'ovirt-engine-extension-aaa-ldap-setup'?
>There you can choose startTLS, so you can avoid typos in configuration.

Yes that's what I did, I made a different profile for all cases, using the tool.
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>you use '_ldaps._tcp' in ovirt not '_ldap._tcp' as in dig.
>And '_ldaps' is what's missing in your DNS.

Oh ! you're right, I didn't even see that ! I was confused by all this. I'll ask someone to add these SRV records.

>Unfortunately using '_ldaps._tcp' is not any standard. But that's what
>usually people do if they can't use startTLS.

So, in a way we could say that Ovirt expect users to use Start_TLS with AD, but not ldaps ? Should I open a RFE about this ?

>This message doesn't say much. Can you please send full Java exception
>stack trace?

Yes, here is the full log when trying to use StartTLS : https://bpaste.net/show/5719b47c45e5

Please tell me if you see anything in it. (and again, thanks for all your help)
Re: [ovirt-users] Can't perform search after setting up an Active Directory
This is really weird :

If I manually run : dig _ldap._tcp.my_forest_name.com SRV
I can see the 4 AD servers in ANSWER, AUTHORITY and ADDITIONAL SECTION

If I use : pool.default.serverset.srvrecord.service = ldaps
In the logs I see this : "An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldaps._tcp.my_forest_name.com':"

The same happens with : dig @any_of_the_4_AD_server _ldap._tcp.my_forest_name.com SRV

So why dig can resolve it but not ovirt ?

>If I understand correctly, you misunderstood meaning of 'vars.dns' variable.
>This variables says what DNS server(s) should be used to send DNS
>queries, instead of the default one from /etc/resolv.conf.
>So if you specify:
> vars.dns = dns://ad_server.mydomain.com
>then aaa-ldap do following:
> $ dig @ad_server.mydomain.com _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
>if you remove 'vars.dns' variable then aaa-ldap does following:
> $ dig _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
>so default DNS servers are used.

Interesting, now I understand better...

>In config files no. The correct approach is configure DNS properly.
>Because SRV record provides you port on which that service operates.
>So I would suggest you either create new SRV record named 'ldaps' with
>port 636 (in your AD DNS), or use startTLS with port 389.

"ldaps" is also a kind of conventional "microsoft SRV record" like _ldaps_tcp ?

With startTLS I didn't have any success (and I don't really get why) :

"2016-05-26 17:23:36,535 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/127.0.0.1:8702-6) [] [ovirt-engine-extension-aaa-ldap.authn::AD2-authn] Cannot initialize LDAP framework, deferring initialization. Error: : LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece"

"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=: LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece, Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>So it means that aaa-ldap then tries to do following:
>LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -H ldaps://mydomain.com:389 -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'
>Which won't work, because you do ldaps on 389 port. (I guess it don't
>work, unless you changed default AD configuration)
>What you need to do is to specify a port for ldaps service. It's
>usually done as I said before.

Yes that's true, it would work only with 636, not 389. Yes, I understood that, and I said before, when I set "pool.default.serverset.srvrecord.service = ldaps", the parameter "vars.dns" is ignored by ovirt...

When I use "vars.dns = dns://ad_server.mydomain.com", restart ovirt-engine, attempt to login and then check the logs, I see in the logs it is still trying to use "_ldaps._tcp.university.mydomain.com" instead... It really totally ignores the vars.dns parameter !

Now if I use only "vars.dns = dns://ad_server.mydomain.com", and disable (comment) "pool.default.serverset.srvrecord.service = ldaps", in the logs, I see the right DNS used (ad_server.mydomain.com), but as you said, on the wrong port.

If I specify the port with "vars.dns = dns://ad_server.mydomain.com:636", I still see in the log it's trying to use port 389. Which means the port number is totally ignored in "vars.dns" parameter.

>To get more info how the DNSSRVRecordServerSet works you can read this:
>https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/DNSSRVRecordServerSet.html

Interesting, but here _ldap_tcp is not used. And I'm not a java developer, I won't know how to do with these classes etc...

>> It seems to confirm what I said : this DNS entry doesn't seem to exist.

>Yes, and it should, or you need to change
>_ldap._tcp.university.mydomain.com SRV record to point on 636, or
>configure 389 port to accept ldaps. That's just my guess.

So does it mean there is no way to specify to ovirt config files that I want to use another DNS on 636 port ?

>Configurations looks OK, so you hit some bug, can you please open a bz
>for it? Thanks.

Ok, no problem, I'll do that.
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>> Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ? On
>> the DNS server I'm using ?

>On DNS you are using, usually on AD DNS.

Well actually this DNS name doesn't exist and seem to be only an unspecified variable in ovirt...I have no reason to create a DNS entry for it. I think you missed my previous mail (with the error logs with different parameters for DNS) :)

>> Actually, it's using ldaps yes. It doesnt solve my issue but I don't know
>> where this DNS server comes from, I think it doesn't exist...

>In AD startTLS usually works by default, strange. Why you disable it?

Here we're using ldaps

>> I tried to configure it by adding vars.dns = dns://one_of_the_adservers.com
>> and the same with ":636" at the end, but none of them works, it's still
>> trying to reach this weird address with underlines :
>> _ldaps._tcp.university.mydomain.com

>This error means, that you don't have SRV record for
>'_ldaps._tcp.university.mydomain.com'. You need to create first, before
>changing aaa-ldap configuration.
>You can check if it's resolvable, by running following command:
> $ dig @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV

dig @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29630
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldaps._tcp.university.mydomain.com. IN SRV

;; AUTHORITY SECTION:
university.mydomain.com. 3600 IN SOA one_of_the_adservers.com. another_server.com. 36174 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Thu May 26 11:36:43 2016
;; MSG SIZE rcvd: 134

It seems to confirm what I said : this DNS entry doesn't seem to exist.

>> Actually that's what I said : only .properties file are detected. The
>> problem is about the namespaces : when LDAP.properties file and
>> AD.properties file are activated, the namespace suggested in the web
>> interface in the user tab, when choosing AD, is the DN of the LDAP...Which
>> seems to be a bug. Namespaces of everything are mixed...And if I select
>> internal and then select again AD, a new namespace appears : * (from
>> internal).
>> This is a weird behavior, right ?

>Yes, that's weird, but I guess it's misconfigured. Don't your names of
>extensions conflict?
>I think that you combine values(names) 'ovirt.engine.extension.name' for
>both AD and OpenLDAP. It should differ. Can you post those configurations?

Actually I don't have any ovirt.engine.extension.name parameter in the aaa/.properties

If you mean the authn and authz files, here they are (is that single line with ovirt-engine/ at the end of the first (AD) authz a normal thing...?) :

AD :

ovirt.engine.extension.name = AD-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/AD.properties
ovirt-engine/

ovirt.engine.extension.name = AD-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = AD
ovirt.engine.aaa.authn.authz.plugin = AD-authz
config.profile.file.1 = ../aaa/AD.properties

LDAP :

ovirt.engine.extension.name = public-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/public.properties

ovirt.engine.extension.name = public-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = public
ovirt.engine.aaa.authn.authz.plugin = public-authz
config.profile.file.1 = ../aaa/public.properties
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>Please don't use port 636 for DNS server, 636 is only for LDAPS protocol:
>vars.dns = dns://one.of.adservers.com

Ok, but as I explained, even without using 636, the result is the same.

When using the option "pool.default.serverset.srvrecord.service = ldaps" and "dns://one.of.adservers.com" I get the following error (it's still trying to point to the wrong address)

"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=An error occurred while attempting to query DNS in order to retrieve SRV records with name 'ldaps._tcp.university.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name 'ldaps._tcp.university.mydomain.com', Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"

When disabling (commenting the line) "pool.default.serverset.srvrecord.service = ldaps" I get the following error :

"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=An error occurred while attempting to connect to server one.of.adservers.com:389: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'one.of.adservers.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'one.of.adservers.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'one.of.adservers.com:389' because an unexpected error was encountered during validation processing: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated, Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"

So I think I need a way to combine both of them, but using the right dns, what option can do that ?
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>You use 389 with SSL? I guess you wrongly specified it.
>But, if you want to use SSL and you have it on 636, then you should
>create new SRV dns records for example:
>_ldaps._tcp.university.mydomain.com ... 636

Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ? On the DNS server I'm using ?

>and then change:
> pool.default.serverset.srvrecord.service=ldaps
>But I guess you wanted to use startTLS with 389, which you can enable by
>adding:
> pool.default.ssl.startTLS=true
>and remove line:
> pool.default.ssl.enable=true
>Does it solve your issue?

Actually, it's using ldaps yes. It doesn't solve my issue but I don't know where this DNS server comes from, I think it doesn't exist...

I tried to configure it by adding vars.dns = dns://one_of_the_adservers.com and the same with ":636" at the end, but none of them works, it's still trying to reach this weird address with underlines : _ldaps._tcp.university.mydomain.com

"2016-05-26 09:54:52,872 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/127.0.0.1:8702-7) [] [ovirt-engine-extension-aaa-ldap.authn::AD-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to query DNS in order to retrieve SRV records with name '_ldaps._tcp.university.mydomain.com': javax.naming.NameNotFoundException: DNS name not found [response code 3]; remaining name '_ldaps._tcp.campus.enst-bretagne.fr'"

>> I meant I had to disable the LDAP (openLDAP) profile, renaming the file with
>> .save so ovirt doesn't detect them. If both profiles are activated,
>> ovirt-web interface propose me the DN of the LDAP into AD (in namespace
>> field)... Is that a bug or normal behavior ?

>Hmm, that's strange, because only files with *.properties suffix should
>be detected and used. So yes please open bz that also other suffixes are
>loaded.

Actually that's what I said : only .properties file are detected. The problem is about the namespaces : when LDAP.properties file and AD.properties file are activated, the namespace suggested in the web interface in the user tab, when choosing AD, is the DN of the LDAP...Which seems to be a bug. Namespaces of everything are mixed...And if I select internal and then select again AD, a new namespace appears : * (from internal). This is a weird behavior, right ?
Re: [ovirt-users] Can't perform search after setting up an Active Directory
>Can you please send what's happening during initialization of engine?
>(logs right after ovirt-engine is restarted).
>Or run this command and send output of file 'login.log':
> $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=login.log aaa login-user --profile=ad --user-name=some_user --password=pass:some_user_password

Yes, these are the logs when using the command you gave me, using the search user : https://bpaste.net/show/bbb0bc319765

>> By the way, if I didn't rename my .profile and auth* files from my LDAP
>> configuration, I had the LDAP namespace suggested by the web interface in my
>> AD domain when trying to perform a search. Is that a bug ?

>Not sure I understand. The name of the profile could be whatever, so it
>doesn't matter what is the name.

I meant I had to disable the LDAP (openLDAP) profile, renaming the file with .save so ovirt doesn't detect them. If both profiles are activated, ovirt-web interface propose me the DN of the LDAP into AD (in namespace field)... Is that a bug or normal behavior ?
[ovirt-users] Can't perform search after setting up an Active Directory
Hi,

I added an Active Directory server to RHEV, but I can't perform any search and I don't see any namespace in the interface.

I'm able to perform search using the same search user DN / passwd and certificate :

LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -H ldaps://myserver.com -x -D 'CN=Something,DC=myserver,DC=come' -w 'mypaswd' -b 'CN=users,DC=something,DC=com'

In the engine.log, if I grep warn, I can see the following messages :

2016-05-25 05:54:55,840 WARN [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-3) [] Illegal search: ADUSER@AD-authz:undefined: allnames=*: null
2016-05-25 05:54:55,843 WARN [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-3) [] Illegal search: ADGROUP@AD-authz:undefined: name=*: null
2016-05-25 05:54:58,160 WARN [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-9) [] Illegal search: ADUSER@AD-authz:undefined: allnames=*: null
2016-05-25 05:54:58,162 WARN [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-9) [] Illegal search: ADGROUP@AD-authz:undefined: name=*: null

I also tried adding the following configuration but it didn't solve my problem :

sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = CN=Users,DC=something,DC=com

Any ideas ?

By the way, if I didn't rename my .profile and auth* files from my LDAP configuration, I had the LDAP namespace suggested by the web interface in my AD domain when trying to perform a search. Is that a bug ?
Re: [ovirt-users] Clone, template, pools : how does it uses disk space ?
>Regarding your examples, I cannot say exactly because of lack of some
>details. What storage type are you using? How do you measure the space used
>on the physical disk?

simply df -h on the PC sharing the NFS storage.

>> For example, when making a VM from template, using pre-allocated disk
>> option, for a 50GB Virtual disk, it only uses 3GB on the physical disk.
> 3GB is the VM's disk? What about the disk of the template?

3GB is the difference using df -h between before making the template, and after making it and running the VM.

>Generally, 50GB pre-allocated disk will take 50GB of physical space. A 50GB
>sparse disk will take as many 1GB chunks as needed to store all the
>information that was written to it, maximum 50GB.

so "pre-allocated" doesn't use pre-allocation but sparse instead ? I don't really get it, sorry.

>When you create a VM by cloning another VM or create a VM from a template
>in "clone" mode, a copy of the source disk will be created. The new disk
>will take as much space as the source disk did.

What happens if you clone a source VM which is using "thin" ?

>When you create a VM from a template in "thin provision" mode or creating a
>VM in a pool, the new disk will be initially only a reference to the source
>disk. Reading from it will read the source disk. Writing to it will write
>to the new disk, not touching the source. Thus, all disk fragments that
>were overwritten after disk creation will be physically stored in the new
>disk and read from it, those that were not overwritten, will be read from
>the source disk.

Interesting. Is there a way to "merge" the changes ? (I mean to change it from being "thin provision" after its creation and make it an independent VM)

When you create a template for the first time, it seems you can't choose between clone and thin, which one is used ?
[ovirt-users] Clone, template, pools : how does it uses disk space ?
Hi,

I would like to know what happens to storage when using the different methods of cloning or generating VMs using templates / pools. I'd like to know also in what case VM and virtual disks are totally independent and in what case they are not. Sadly the RHEV documentation doesn't really provide this information and I don't find any explicit information about it.

For example, when making a VM from template, using pre-allocated disk option, for a 50GB Virtual disk, it only uses 3GB on the physical disk.

Another example, when making a pool of 10 VMs, based on a VM with a 50 GB virtual disk, only 2GB more space is used on the physical disk. What is exactly done when this happens ?

Here are the cases I would like to have information about (physical storage, and independence of VMs) :

- using simple "clone function"
- making VM from template with "clone" mode
- making VM from template with "thin" mode
- making VM in pools

Are there modes calculating only the difference from the original VM, and other modes copying totally the information from the virtual disk from the original VM ?
Re: [ovirt-users] Errors while trying to join an external LDPA provider
> As I explained, my groups are not in the same dn path than my users. As it
> is not possible to add multiple dn path, my only solution is to use users.
> Well, that's the 1st time I've heard about LDAP setup where users and
> groups of one domain are not under same baseDN. Usually all LDAP setups
> have some baseDN (for example 'dc=company,dc=com') and somewhere under this
> baseDN (not necessarily directly under it) we could find users and groups.
>The only exception to this is ActiveDirectory with multi-domain trust
>inside single forest (which we currently support and user of domainA can
>be a member of a group from domainB) and multi-forest trust (which we
>don't support).

Oh thank you, it actually helped a lot : I just realize the search was "recursive" and now it actually works and seems to solve my problem. Now I only have to check if adding permissions to a group applies to users who belong to this group, but I guess it should.

> Those users have attributes like "member of" which still keep the
> information about what group they belong too. I didn't find any way using
> the interface to filter by attribute, for example to show all users member
> of group "foo".
>
> We don't support LDAP searches in the webadmin UI, because we don't
> distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
> (ovirt-engine-extension-aaa-jdbc) providers, both of them provides users
> and groups for oVirt using same AAA interface.

And only a part of the attributes are imported to the database (it doesn't seem to be able to display them from the web interface) ?

That would be a nice feature to be able to filter from any attribute of users. Do you think I should open a new RFE bug about it ?
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>> Is there a way to search for attributes into the ovirt web interface, for
>> example "memberof" ?
>>
>> I can't imagine adding hundreds or thousand of users one by one...What
>> would be the solutions ?
>>
>You can assign specific permission to the group that relevant users are
>member of (we support also nested groups if needed)
>and of course you can select multiple users/groups when you assign
>permissions.
>If the above is not option for you, could you try to describe what exactly
>are you trying to achieve?
>Thanks
>Martin Perina

As I explained, my groups are not in the same dn path as my users. As it is not possible to add multiple dn paths, my only solution is to use users.

Those users have attributes like "member of" which still keep the information about what group they belong to. I didn't find any way using the interface to filter by attribute, for example to show all users member of group "foo".

I could do that with ldapsearch, but then how would I inject the result to ovirt configuration to add those users to specific ovirt roles ("ovirt permission groups") ?
Re: [ovirt-users] Errors while trying to join an external LDPA provider
> >
> > Is it possible now to search for groups instead of users / manipulate
> > groups in the web interface ?
> Sure, if you type some search term into UI users/permissions dialog it
> will also search for groups.

Is there a way to search for attributes into the ovirt web interface, for example "memberof" ?

I can't imagine adding hundreds or thousand of users one by one...What would be the solutions ?
Re: [ovirt-users] Errors while trying to join an external LDPA provider
> >
> > Is it possible now to search for groups instead of users / manipulate
> > groups in the web interface ?
> Sure, if you type some search term into UI users/permissions dialog it
> will also search for groups.

Thank you for all your answers, we can say my problem is now solved

>Note in 4.0 we have split groups and users, and you have to select which type
>you want to search for. This is to reduce the number of queries to the LDAP
>server.

Interesting, I'll have a look at all the features.

> > In that case, the dn would be different, is it possible to specify
> > multiple dn namespaces ?
> Unfortunately, it's not currently possible, but feel free to open an
> RFE in bugzilla for this feature, we can implement it in future version
> if needed.

I already spend my days on the bugzilla for both ovirt and RHEV, but I'll add this to my list :)
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>Or do you use rfc2307? You can find out running this command:
> LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
>'ou=people,o=unix,dc=somewhere,dc=any' -D
>'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
>'(&(objectClass=posixAccount)(uid=*)(uid=myuser))'
>If ^this command will find your user then just change in
>/etc/ovirt-engine/aaa/your_profile.properties:
>include =
> to
>include =

Actually you pointed exactly on the problem : this LDAP was using rfc2307 but I ignored it ! Thanks a lot, now I can login with users, that's almost perfect !

Is it possible now to search for groups instead of users / manipulate groups in the web interface ? In that case, the dn would be different, is it possible to specify multiple dn namespaces ?

One quick question unrelated to this topic (as I can see an @redhat in your mail) : I'm trying to set up in parallel a RHEV server with only the free 60 days evaluation, do you have any idea where I should ask for help (as support only applies if you pay, if I understand), a similar mailing list or something ?

>Thanks,
>for some reason it can't find the user 'myuser'.

Yes, I changed all informations about users, domain name etc for confidentiality.

>The search command that is executed is:
> LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
>'ou=people,o=unix,dc=somewhere,dc=any' -D
>'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
>'(&(objectClass=uidObject)(uid=*)(uid=myuser))'
>Is that searchbase(-b param) ok?

Yes

>Does 'cn=mysearchuser' user have appropriate permissions to see users?

Yes
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>> However, I can't login with any user...But with ldapsearch I can find those
>> users with uid=user
>>
>> I used ovirt-engine-extensions-tool aaa login-user --profile=xxx
>> --user-name=xxx
>> and I realize now what is the problem : the available namespaces shows the
>> wrong dn. It should be instead one level above (or it will not possible to
>> find the users)
>>
>> Any idea how I can change that in the configuration ?
>>
>You can specify custom base DN, which overrides the one which is
>automatically resolved if
>you add following lines into /etc/ovirt-engine/aaa/your_profile.properties:
>
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init
> sequence.my-basedn-init.010.description = set custom baseDN
> sequence.my-basedn-init.010.type = var-set
> sequence.my-basedn-init.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init.010.var-set.value = dc=your,dc=different,dc=dn

Thank you, now I see the correct namespace shown, but still no way to login with any user...Any idea ?
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>Are you sure you've specified correct CA?
>
>Can you try running this command:
> LDAPTLS_CACERT=your_ldap_ca_cert.crt ldapsearch -H ldaps://@HOST@ -x
>-D '@USERDN@' -w '@USERPW@' -b '@BASEDN@'
>
>If it fail then most probably you have incorrect CA certificate.
>If it succeed, please open bug in bugzilla with logs of setup tool if
>possible.

Oh I'm sorry, that was actually a certificate problem... With the right certificate, I can now join the LDAP provider.

However, I can't login with any user...But with ldapsearch I can find those users with uid=user

I used ovirt-engine-extensions-tool aaa login-user --profile=xxx --user-name=xxx and I realize now what is the problem : the available namespaces shows the wrong dn. It should be instead one level above (or it will not possible to find the users)

Any idea how I can change that in the configuration ?
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>>I am unsure I understand. What is missing in interactive setup to
>>properly setup TLS?
>>You just enter CA certificate path/url/system and Java keystore file is
>>created for you by the tool.
>I'll try to generate a new file with the interactive setup and tell you if the
>result is different.

So, here is my problem when using the interactive setup :

[ INFO ] Connecting to LDAP using 'ldaps://:636'
[WARNING] Cannot connect using 'ldaps://:636': {'info': "TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.", 'desc': "Can't contact LDAP server"}
[ ERROR ] Cannot connect using any of available options
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>> Yes this is actually the tool I used first, then I modified manually as on
>> the documentation.
>>
>> The problem in this approach is the fact you need a .profile file to be able
>> to set up a TLS connection between the LDAP and the engine. But this file
>> is generated after the interactive setup. But the interactive setup doesn't
>> allow you to setup things properly as the TLS isn't set up...
>I am unsure I understand. What is missing in interactive setup to
>properly setup TLS?
>You just enter CA certificate path/url/system and Java keystore file is
>created for you by the tool.

Interesting, so it's only an error in the Red Hat Documentation. If you check on the administrative guide, the prerequisite for using the interactive tool is to have a TLS connection set up between LDAP and the engine :

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html

But when you follow the link to set up this TLS connection, it makes you create the java keystore and modify the "profile1.properties" manually...Which doesn't exist because the interactive setup hasn't been done yet... I'll report this on their bugzilla.

I'll try to generate a new file with the interactive setup and tell you if the result is different.

>>
>>So I had to setup things with "insecure" mode and then edit it manually...
>>
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>> Should I report this on the bugzilla ?
>>
>You can, but I believe this is not bug, but some misconfiguration, many
>times I've tried completely similar setup and it worked.
>
>Btw.. did you use 'ovirt-engine-extension-aaa-ldap-setup'? If not you
>can install it.
> $ yum install ovirt-engine-extension-aaa-ldap-setup
>
>Then just run:
> $ ovirt-engine-extension-aaa-ldap-setup
>
>And follow the steps. This tool handles for you all perms and typos
>issues, which could be introduced by manually creating those properties
>files.

Yes this is actually the tool I used first, then I modified manually as on the documentation.

The problem in this approach is the fact you need a .profile file to be able to set up a TLS connection between the LDAP and the engine. But this file is generated after the interactive setup. But the interactive setup doesn't allow you to setup things properly as the TLS isn't set up...

So I had to setup things with "insecure" mode and then edit it manually...
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>> pool.default.ssl.truststore.file = /tmp/.jks
>
> Maybe trailing space here ^ ?
>
>> pool.default.ssl.truststore.password =
>>
>
> Sadly it doesn't help
>
>So please ensure also that file '/tmp/.jks' is readable by ovirt
>user. The configuration looks fine.
>

All permissions are given. The problem is still the same...

Should I report this on the bugzilla ?
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>> pool.default.ssl.truststore.file = /tmp/.jks
>
> Maybe trailing space here ^ ?
>
>> pool.default.ssl.truststore.password =
>>
>
> Sadly it doesn't help
>
>So please ensure also that file '/tmp/.jks' is readable by ovirt
>user. The configuration looks fine.

All permissions are given. The problem is still the same...
Re: [ovirt-users] Errors while trying to join an external LDPA provider
> pool.default.ssl.truststore.file = /tmp/.jks
Maybe trailing space here ^ ?
> pool.default.ssl.truststore.password =
>
Sadly it doesn't help
[ovirt-users] Errors while trying to join an external LDPA provider
Hi,

I'm using 3.6.3.4-1.el7.centos and I'm having troubles joining an LDAP provider. When I try to login into the new profile, I get a "general command validation failure" error.

This is what I can get from ovirt-engine/engine.log :

tail -n 400 /var/log/ovirt-engine/engine.log | grep -i error

2016-04-28 09:27:08,355 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-56) [] [ovirt-engine-extension-aaa-ldap.authn::public-authn] Cannot initialize LDAP framework, deferring initialization. Error: /etc/ovirt-engine/aaa/.jks (No such file or directory)
2016-04-28 09:27:08,356 ERROR [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-56) [] Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
2016-04-28 09:27:13,941 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-58) [] [ovirt-engine-extension-aaa-ldap.authn::public-authn] Cannot initialize LDAP framework, deferring initialization. Error: /etc/ovirt-engine/aaa/.jks (No such file or directory)
2016-04-28 09:27:13,941 ERROR [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-58) [] Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException

I checked the permissions of the file and its path and they are all right. Changing the path to /tmp/xxx.jks didn't help too.

Here is my .profile :

include =
vars.server =
vars.user = cn=,ou=,o=,dc=,dc=
vars.password =
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.enable = true
pool.default.serverset.single.port = 636
pool.default.ssl.truststore.file = /tmp/.jks
pool.default.ssl.truststore.password =

Any idea how to deal with that problem ?
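Added example (not part of the thread and not oVirt's own code): a small Python check for an aaa-ldap profile like the one posted above, covering the failure modes raised in the replies: empty values, trailing whitespace after a value, a truststore file that is missing or unreadable, plus a truststore kept in a world-writable directory such as /tmp. The key names come from the posted profile; the sample profiles and hostname are constructed placeholders, and the loader is assumed to keep trailing whitespace in values as the Java properties format does.

```python
import os
import stat
import tempfile

# Keys as they appear in the profile quoted in the thread.
TRUSTSTORE = "pool.default.ssl.truststore.file"
REQUIRED = ("include", "vars.server", TRUSTSTORE,
            "pool.default.ssl.truststore.password")


def parse_properties(text):
    """Parse 'key = value' lines. Trailing whitespace is kept in the value,
    as the Java properties format does; leading whitespace is dropped."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.lstrip()
    return props


def lint_profile(text):
    """Return (key, problem) findings. Run as the account the engine uses,
    since readability is checked for the current user."""
    props = parse_properties(text)
    findings = [(k, "empty or missing") for k in REQUIRED
                if not props.get(k, "").strip()]
    findings += [(k, "trailing whitespace") for k, v in props.items()
                 if v != v.rstrip()]
    if props.get("pool.default.ssl.enable", "").strip() != "true":
        findings.append(("pool.default.ssl.enable", "TLS not enabled"))
    # The path is stripped here so whitespace and existence are reported separately.
    path = props.get(TRUSTSTORE, "").strip()
    if path and not os.path.isfile(path):
        findings.append((TRUSTSTORE, "file not found"))
    elif path:
        if not os.access(path, os.R_OK):
            findings.append((TRUSTSTORE, "not readable by this user"))
        parent = os.path.dirname(os.path.abspath(path))
        if os.stat(parent).st_mode & stat.S_IWOTH:
            # e.g. /tmp: a directory other local users can write to is a
            # poor home for the CA trust anchors
            findings.append((TRUSTSTORE, "in world-writable directory"))
    return findings


def demo():
    """Constructed sample profiles; hostname and values are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        jks = os.path.join(d, "example.jks")
        open(jks, "wb").close()
        base = ("include = PLACEHOLDER\n"
                "vars.server = ldap.example.test\n"
                "pool.default.ssl.enable = true\n")
        bad = base + ("%s = %s \n" % (TRUSTSTORE, jks) +
                      "pool.default.ssl.truststore.password = \n")
        good = base + ("%s = %s\n" % (TRUSTSTORE, jks) +
                       "pool.default.ssl.truststore.password = placeholder\n")
        return lint_profile(bad), lint_profile(good)


if __name__ == "__main__":
    for label, result in zip(("bad", "good"), demo()):
        print(label, result)
```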