[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
+ users@ovirt.org
On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> Hi Artur,
>
> I would just like to make sure I am following correctly, comparing your
> entries against mine.
>
> Your setup:
> ...
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> ...
>
> My setup:
> …
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> …
>
> Should I add the additional 2 “\\” in on my side?

Yes, please try adding it. In my case I learned about this issue by debugging
the code because the real exception generated by incorrect regexp syntax was
hidden behind a generic error message giving no clues about the true cause.
>
> Your setup:
> ...
>  http-auth)|^/ovirt-engine/callback>
>
> Require valid-user
> AuthType openid-connect
>
> ErrorDocument 401 " engine/sso/login-unauthorized\"/> unauthorized\">Here"
>
> …
>
> My setup:
> …
>  http-auth)|^/ovirt-engine/callback>
>
>   Require valid-user
>   AuthType openid-connect
>
>   ErrorDocument 401 "Here"
>
> …
>
> I remember I had syntax errors, but mine was changed.
>
> Does this look fine to you?

Yeah, your version looks good too. You have ' instead of " so that is ok.
> Thanks
> From: Anton Louw
> Sent: 22 April 2020 10:07
> To: Artur Socha
> Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>
> Hi Artur,
>
> Great, I will try the below and let you know. I appreciate your efforts.
>
> Sure, you may report it, I was in such a rush that I only hit “reply” and not
> “Reply All”
>
> I do recall that I had to make some changes to the below as it complained
> about syntax errors:
>
> ErrorDocument 401 " 
> content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> 
> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
>
> I will let you know the outcome when I change the below as you suggested.
>
> Cheers
>
> From: Artur Socha
> Sent: 22 April 2020 09:51
> To: Anton Louw
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> I checked your logs and I did not notice anything suspicious.
> However, now I recall I made some changes compared to blog post
> example:
>
> 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
> I added escaping in regexp for '\'
> ...
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> ...
>
> 2) /etc/httpd/ovirt-openidc.conf
> Escaping for '"' in error document snippet
> ...
>  
> negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
>
> Require valid-user
> AuthType openid-connect
>
> ErrorDocument 401 " 
> content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> 
> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
>
> ...
>
> These two issues were most probably caused by the blog site rendering.
>
> You might want to check engine.log (or server.log not really sure which
> one was that) for aaa extension initialization logs. They should
> appear at the beginning just after restarting engine.
>
> Unfortunately, at the moment I do not have running keycloak setup (I
> used to have a local VM) but I will try to find some time to set it up
> again once I'm done with another work item that actually consumes
> almost entire disk space
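
The backslash escaping discussed in the message above, as an added example that is not part of the thread or of oVirt's code: assuming the mapping file is read with `java.util.Properties`, one level of backslashes is consumed before the regex engine sees the value, so two backslashes in the file leave one in the pattern and four leave two. The sketch re-implements that unescaping in Python and compiles the result with Python's `re` as a stand-in for `java.util.regex`; the patterns and group names are constructed for illustration (the pattern in the thread is garbled) and use Python's `(?P<name>...)` syntax.

```python
import re

# Escape letters that java.util.Properties.load() turns into control characters.
_CONTROL = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def java_properties_unescape(raw):
    """Apply the backslash rules of java.util.Properties.load() to a value.

    Backslash + 'uXXXX' is a Unicode escape, backslash + t/n/r/f a control
    character; before any other character the backslash is dropped and the
    character is kept. Line continuations are not modelled here.
    """
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1                      # skip the backslash itself
        if i >= len(raw):           # lone trailing backslash: nothing to keep
            break
        nxt = raw[i]
        if nxt == "u":
            out.append(chr(int(raw[i + 1:i + 5], 16)))
            i += 5
        else:
            out.append(_CONTROL.get(nxt, nxt))
            i += 1
    return "".join(out)


def check_pattern(raw_value):
    """Return (effective_pattern, error_or_None) for a raw .properties value."""
    effective = java_properties_unescape(raw_value)
    try:
        re.compile(effective)
    except re.error as exc:
        # This is the detail that a generic "extension failed" message hides.
        return effective, str(exc)
    return effective, None


# Constructed values as they would appear in the file (raw strings, so every
# backslash below is a real character in the file).
TWO_BACKSLASHES = r"^(?P<user>.*?)((\\(?P<dom>.*))|(?P<realm>@.*))$"
FOUR_BACKSLASHES = r"^(?P<user>.*?)((\\\\(?P<dom>.*))|(?P<realm>@.*))$"


def split_name(raw_value, name):
    """Match a login name against the effective pattern; dict of groups or None."""
    effective, error = check_pattern(raw_value)
    if error is not None:
        return None
    m = re.match(effective, name)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for label, value in (("two", TWO_BACKSLASHES), ("four", FOUR_BACKSLASHES)):
        effective, error = check_pattern(value)
        print(label, "->", effective, "| error:", error)
    print(split_name(FOUR_BACKSLASHES, "admin@openidchttp"))
```

With two backslashes the regex engine receives an escaped literal parenthesis, the groups no longer balance, and compilation fails; with four it receives an escaped backslash and the pattern compiles.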

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 12:28 +, Anton Louw wrote:
> Hi Artur,
>
> You are a champion! I can access oVirt now. Thank you so much.

You're welcome! I am happy it worked because I had no more ideas what to check
next :)

> One last question, can I create additional groups in ie. Read Only, etc? And
> then will this be done in KeyCloak or in the oVirt UI?

This ovirt-administrator group is only for accessing (authentication & sso) ovirt
engine admin panel and, as far as I understand it, it does restrict access
to particular engine's admin functions. I think that proper authorization is
done only at the engine's UI level. See 'User Authorization' under
https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
>  
> 
> Thank you

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> > 
> > Ok so this is definitely looking better. I get an error, but at least now it
> > is saying : “The user admin@openidchttp is not authorized to perform login”
> >  
> > This is strange though, because admin in by default should be allowed
> > access?
> 
> Well, yes and no :)
> 
> In order for user to be considered admin (for ovirt engine) it must belong to
> keycloak's ovirt-administrator group (in keycloak admin panel see
> Manage->Groups->Members)

Small clarification:

In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' -> Members

Note that the group must have the exact name: ovirt-administrator 


> 
> I think you are very close to have it up-and-running.

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> 
> 
> Ok so this is definitely looking better. I get an error, but at least now it
> is saying : “The user admin@openidchttp is not authorized to perform login”
>  
> This is strange though, because admin in by default should be allowed access?

Well, yes and no :)

In order for user to be considered admin (for ovirt engine) it must belong to
keycloak's ovirt-administrator group (in keycloak admin panel see
Manage->Groups->Members)

I think you are very close to have it up-and-running.


>  
> From: Anton Louw 
> Sent: 22 April 2020 12:38
> To: Artur Socha ; users@ovirt.org
> Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>  
> Perfect, I’ll test and let you know.
>  
> Thanks

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 14:43 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 12:28 +, Anton Louw wrote:
> > Hi Artur,
> >
> > You are a champion! I can access oVirt now. Thank you so much.
> >
> You're welcome!
> I am happy it worked because I had no more ideas what to check next :)
>
> > One last question, can I create additional groups in ie. Read Only, etc? And
> > then will this be done in KeyCloak or in the oVirt UI?
typo fixed:
> This ovirt-administrator group is only for accessing (authentication & sso)
> ovirt engine admin panel and, as far as I understand it, it *** does NOT ***
> restrict access to particular engine's admin functions. I think that proper
> authorization is done only at the engine's UI level. See 'User
> Authorization' under
> https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
> >  
> > 
> > Thank you

[ovirt-users] Re: Node Unresponsive

2020-05-07 Thread Artur Socha
On Thu, 2020-05-07 at 13:07 +, Anton Louw via Users wrote:
> Hi All,
>
> One of my nodes went into an unresponsive state, but the VMs running on that
> host are still up. I just want to know, can I restart VDSM on that node, or
> will it impact the running VMs? In another article, somebody restarted
> the engine, and that resolved their issue. I would like to first test the
> VDSM and if that does not work, I will restart the engine.
>

Hi Anton,
Would it be possible to post /var/log/vdsm.log from that affected
host + relevant engine.log? I am currently investigating engine-to-host
connectivity issue that may or may not be related [1]. What are the exact
versions of engine and vdsm packages? ( dnf list --installed | egrep
"ovirt|vdsm|jsonrpc" )
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1828669

thanks!
Artur
>  
> Thanks
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YWWZGHK6VHL7GLLNPSG5O6EB35RQC55A/


[ovirt-users] Re: KeyCloak Integration

2020-09-07 Thread Artur Socha
Hi Anton,
Just to let you know. I investigated this issue. If you want to use
keycloak in version >=10  you would need to define all additional scopes as
'optional client scopes' in your client configuration.
In my case, on my test environment, I only had to add
'ovirt-ext=auth:sequence-priority=~' but in your case you may need all
listed in error_description:
*{"error_description":"Cannot authenticate user Invalid scopes:
ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
ovirt-ext=token:password-access.","error":"access_denied"}*
This configuration change is required because it has been changed/fixed how
'unknown' scopes are handled in keycloak. Now keycloak must always be aware
of all scopes and previously unknown ones were simply ignored.

Here is BZ with details:
https://bugzilla.redhat.com/show_bug.cgi?id=1849569

best,
Artur
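
The Keycloak >= 10 scope handling described in this message, as an added example that is not part of the thread or of oVirt's code: it extracts the rejected scope names from an `error_description` like the one quoted above, so they can be compared with what is already defined as optional client scopes on the client. The function names and the set of already-configured scopes are assumptions for illustration; treating the final `.` as sentence punctuation rather than part of the last scope name is also an assumption.

```python
import json
import re

# The error body quoted in the message above, pasted as it appears in the
# mail: wrapped over several lines and surrounded by '*' emphasis markers.
SAMPLE_ERROR = """*{"error_description":"Cannot authenticate user Invalid scopes:
ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
ovirt-ext=token:password-access.","error":"access_denied"}*"""


def _normalize(pasted):
    """Undo mail formatting: drop '*' markers and re-join wrapped lines."""
    return " ".join(pasted.strip().strip("*").split())


def rejected_scopes(pasted_error):
    """Return the scope names listed after 'Invalid scopes:' (order kept).

    Returns an empty list when the body is not JSON, is not an
    access_denied error, or carries no scope list.
    """
    try:
        doc = json.loads(_normalize(pasted_error))
    except ValueError:
        return []
    if not isinstance(doc, dict) or doc.get("error") != "access_denied":
        return []
    match = re.search(r"Invalid scopes:\s*(.+)$", doc.get("error_description", ""))
    if not match:
        return []
    scopes = []
    for token in match.group(1).split():
        token = token.rstrip(".")   # assumption: trailing '.' ends the sentence
        if token and token not in scopes:
            scopes.append(token)
    return scopes


def missing_optional_scopes(pasted_error, configured):
    """Scopes the error names that are not yet in `configured`."""
    return [s for s in rejected_scopes(pasted_error) if s not in configured]


if __name__ == "__main__":
    # Constructed example: pretend only one scope is defined on the client.
    already_defined = {"ovirt-app-api"}
    for scope in missing_optional_scopes(SAMPLE_ERROR, already_defined):
        print("define as optional client scope:", scope)
```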


On Tue, Jun 23, 2020 at 5:03 PM Artur Socha  wrote:

> On Tue, 2020-06-23 at 14:41 +, Anton Louw wrote:
>
>
>
> Hi Artur,
>
>
>
> Apologies for the late response. So we have downgraded the version of
> KeyCloak, and all seems to be working 100% again, I can obtain a token, and
> do API calls.
>
> Hi Anton,
> I'm glad it works now. This keycloak version (9.0.x) will stay for some
> time the recommended & supported choice for oVirt because it is part of
> 'Red Hat SSO' just like oVirt is part of 'Red Hat Virtualization'.
> Artur
>
>
>
> Thank you very much for all the help
>
>
>
> *From:* Artur Socha 
> *Sent:* 22 June 2020 16:52
> *To:* Anton Louw ; users@ovirt.org
> *Cc:* Stephen Hutchinson 
> *Subject:* Re: [ovirt-users] KeyCloak Integration
>
>
>
> On Mon, 2020-06-22 at 15:14 +0200, Artur Socha wrote:
>
> Anton,
>
> I managed to re-create the issue on my local environment.
>
> Previously I tested it against Keycloak 8.0.1 with users loaded from LDAP.
> Currently I have users/groups created via Keycloak management panel. I need
> to investigate it further which of the two changes is the root cause (it
> works fine with the old setup)
>
>
>
> One more update: it seems the issue is keycloak version related. Trying to
> figure out what was changed and how it affected engine sso integration.
>
>
>
> Latest keycloak version I tested and verified that works is 9.0.3. Perhaps
> it could be possible for you to use it until we fully support 10.0.x ?
>
> Artur
>
>
>
> Artur
>
>
>
> On Mon, 2020-06-22 at 11:05 +, Anton Louw wrote:
>
>
>
> Hi Artur,
>
>
>
> Great, thanks a lot! 
>
>
>
>
>
>
> *From:* Artur Socha 
> *Sent:* 22 June 2020 11:23
> *To:* Anton Louw ; users@ovirt.org
> *Cc:* Stephen Hutchinson 
> *Subject:* Re: [ovirt-users] KeyCloak Integration
>
>
>
> Hi Anton,
>
> Thanks for the specs. I have created a BZ issue for tracking:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1849569
>
> Feel free to add comments/change it when needed.
>
>
>
> Artur
>
>
>
> On Fri, 2020-06-19 at 10:57 +, Anton Louw wrote:
>
>
>
> Hi Artur,
>
>
>
> Please see below:
>
>
>
> ovirt-engine.noarch 4.3.10.4-1.el7@ovirt-4.3
>
> ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7   @ovirt-4.3
>
> mod_auth_openidc.x86_64 1.8.8-5.el7   @base
>
>
&

[ovirt-users] Re: java.lang.reflect.UndeclaredThrowableException - oVirt engine UI

2020-10-01 Thread Artur Socha
Hi Jeremey,
Could you please post some relevant piece of :

1) HE VM
/var/log/ovirt-engine/engine.log
Plus:
# dnf list --installed | grep ovirt-engine

2) Host with HE VM
/var/log/ovirt-hosted-engine-ha/{agent.log,broker.log}
/var/log/vdsm/vdsm.log
Plus:
$  dnf list --installed | egrep "(vdsm|ovirt-engine-appliance)"

The issue you found in BugZilla seems to be quite old and was fixed in
version 4.1x.

Artur


On Wed, Sep 30, 2020 at 4:36 PM Jeremey Wise  wrote:

> I tried to post on website but .. it did not seem to work... so sorry if
> this is double posting.
>
> oVirt login this AM. accepted username and password but got java error.
>
> Restarted oVirt engine
> ##
>
> hosted-engine --set-maintenance --mode=global
>
> hosted-engine --vm-shutdown
>
> hosted-engine --vm-status
>
> #make sure that the status is shutdown before restarting
>
> hosted-engine --vm-start
>
> hosted-engine --vm-status
>
> #make sure the status is health before leaving maintenance mode
>
> hosted-engine --set-maintenance --mode=none
> ##
> [root@thor ~]# hosted-engine --vm-status
>
>
> --== Host thor.penguinpages.local (id: 1) status ==--
>
> Host ID: 1
> Host timestamp : 65342
> Score  : 3400
> Engine status  : {"vm": "down", "health": "bad",
> "detail": "unknown", "reason": "vm not running on this host"}
> Hostname   : thor.penguinpages.local
> Local maintenance  : False
> stopped: False
> crc32  : 824c29fd
> conf_on_shared_storage : True
> local_conf_timestamp   : 65342
> Status up-to-date  : True
> Extra metadata (valid at timestamp):
> metadata_parse_version=1
> metadata_feature_version=1
> timestamp=65342 (Wed Sep 30 08:11:45 2020)
> host-id=1
> score=3400
> vm_conf_refresh_time=65342 (Wed Sep 30 08:11:45 2020)
> conf_on_shared_storage=True
> maintenance=False
> state=EngineDown
> stopped=False
>
>
> --== Host medusa.penguinpages.local (id: 3) status ==--
>
> Host ID: 3
> Host timestamp : 87556
> Score  : 3400
> Engine status  : {"vm": "up", "health": "good",
> "detail": "Up"}
> Hostname   : medusa.penguinpages.local
> Local maintenance  : False
> stopped: False
> crc32  : 63296a70
> conf_on_shared_storage : True
> local_conf_timestamp   : 87556
> Status up-to-date  : True
> Extra metadata (valid at timestamp):
> metadata_parse_version=1
> metadata_feature_version=1
> timestamp=87556 (Wed Sep 30 08:11:39 2020)
> host-id=3
> score=3400
> vm_conf_refresh_time=87556 (Wed Sep 30 08:11:39 2020)
> conf_on_shared_storage=True
> maintenance=False
> state=EngineUp
> stopped=False
> [root@thor ~]# yum update -y
> Last metadata expiration check: 0:31:17 ago on Wed 30 Sep 2020 09:17:03 AM
> EDT.
> Dependencies resolved.
> Nothing to do.
> Complete!
> [root@thor ~]#
>
>
> Googled around .. just found this thread.
> ##
> https://bugzilla.redhat.com/show_bug.cgi?id=1378045
>
>
> # pgadmin connect to ovirte01.penguinpages.com as engine to db engine
> select mac_addr from  vm_interface
> "00:16:3e:57:0d:47"
> "56:6f:86:41:00:01"
> "56:6f:86:41:00:00"
> "56:6f:86:41:00:02"
> "56:6f:86:41:00:03"
> "56:6f:86:41:00:04"
> "56:6f:86:41:00:05"
> "56:6f:86:41:00:15"
>
> "56:6f:86:41:00:16"
> "56:6f:86:41:00:17"
> "56:6f:86:41:00:18"
> "56:6f:86:41:00:19"
>
>
> # Note one field is "null"
>
> Question:
> 1) is this bad?
> 2) How do I fix?
> 3) Any idea on root cause?
>
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PA56NRXMCMUMJGQ3QJHIIA2JU2GEDK7V/


[ovirt-users] Re: Random hosts disconnects

2020-09-18 Thread Artur Socha
Hi Anton,
I am not sure if changing this value would fix the issue. Defaults are
pretty high. For example vdsHeartbeatInSeconds=30seconds,
vdsTimeout=180seconds, vdsConnectionTimeout=20seconds.

Do you still have relevant logs from the affected hosts:
* /var/logs/vdsm/vdsm.log*
* /var/logs/vdsm/supervdsm.log*
Please look for any jsonrpc errors ie. write/read errors or (connection)
timeouts.  Storage related warnings/errors might also be relevant.

Plus system logs if possible:
*journalctl -f /usr/share/vdsm/vdsmd*
*journalctl  -f /usr/sbin/libvirtd*

In order to get system logs from particular time period please combine it
with the following example using -S  -U options:

*journalctl -S "2020-01-12 07:00:00" -U "2020-01-12 07:15:00"  *
I haven't a clue what to look there for besides any warnings/errors or
anything else that seems unusual.

Artur


On Thu, Sep 17, 2020 at 8:09 AM Anton Louw via Users 
wrote:

>
>
> Hi Everybody,
>
>
>
> Did some digging around, and saw a few things regarding 
> “vdsHeartbeatInSeconds”
>
> I had a look at the properties file located at 
> /etc/ovirt-engine/engine-config/engine-config.properties, and do not see an 
> entry for “vdsHeartbeatInSeconds.type=Integer”.
>
> Seeing as these data centers are geographically split, could the 
> “vdsHeartbeatInSeconds” potentially be the issue? Is it safe to increase this 
> value after I add “vdsHeartbeatInSeconds.type=Integer” into my 
> engine-config.properties file?
>
>
>
> Thanks
>
>
>
> *From:* Anton Louw via Users 
> *Sent:* 16 September 2020 09:01
> *To:* users@ovirt.org
> *Subject:* [ovirt-users] Random hosts disconnects
>
>
>
>
>
> Hi All,
>
>
>
> I have a strange issue in my oVirt environment. I currently have a
> standalone manager which is running in VMware. In my oVirt environment, I
> have two Data Centers. The manager is currently sitting on the same subnet
> as DC1. Randomly, hosts in DC2 will say “Not Responding” and then 2 seconds
> later, the hosts will activate again.
>
>
>
> The strange thing is, when the manager was sitting on the same subnet as
> DC2, hosts in DC1 will randomly say “Not Responding”
>
>
>
> I have tried going through the logs, but I cannot see anything out of the
> ordinary regarding why the hosts would drop connection. I have attached the
> engine.log for anybody that would like to do a spot check.
>
>
>
> Thanks
>
>
>

[ovirt-users] Re: Random hosts disconnects

2020-09-18 Thread Artur Socha
On Fri, Sep 18, 2020 at 1:54 PM Anton Louw 
wrote:

>
>
> Hi Artur,
>
>
>
> Thanks for the reply. I have attached the system logs. There was a
> disconnect at 10:54, but no error that is different to the rest. I do see a
> whole lot of QEMU Guest Agent and block_io errors in the system logs. Not
> entirely sure what this means.
>

After a very quick search on the internet the first one does not seem to be
severe at all - this guest agent provides only some information to VMs
about the host.
Sep 18 10:50:41 node05.kvm.voxvm.co.za libvirtd[23603]: 2020-09-18
08:50:41.493+: 23729: error : qemuDomainAgentAvailable:9133 : Guest agent
is not responding: QEMU guest agent is not connected

The second one is unknown to me at all:
Sep 18 10:50:52 node05.kvm.voxvm.co.za libvirtd[23603]: 2020-09-18
08:50:52.802+: 23729: error : qemuMonitorJSONBlockIoThrottleInfo:5005 :
internal error: block_io_throttle inserted entry was not in expected format
Sep 18
Perhaps someone with more libvirt/qemu background will comment on that.


>
> Checking the vdsm logs at the time or the error, the only entry is the
> below:
>
>
>
> “2020-09-18 10:55:57,081+ WARN  (qgapoller/2)
> [virt.periodic.VmDispatcher] could not run  at
> 0x7f2170395578> on ['d3838612-70bb-4731-a0d4-8f65d31b40a6',
> '59a2f394-48fe-4bd9-91d6-08115f2eec0a',
> 'f81e3ab8-c1a9-4674-b238-7e229fd43e7c',
> '42189fa1-4381-02c7-d830-20eac408da2c',
> '423f1c57-f98e-707f-c0f9-d4958d3f0fec',
> '64d1eabc-20ff-4288-98ff-dcfd120fe7d2',
> '4218baf0-e2a1-42c7-2efd-077407f47b4d',
> '42184650-5a60-5403-d758-840bdbf92dd8',
> '492ea3fe-0a27-4dde-abf9-7d146ee1b988',
> '4218df00-15cd-bdf9-efd9-c5ead49fd89c',
> '9c373379-718b-4906-abc1-960fb1820c2d',
> 'b9441c7a-0bfd-4d41-a8de-ee24e4259b36',
> 'd810325a-1a45-4054-a870-c8c052a22354',
> '42189d3f-4570-45ea-6e5a-94c85a5885a1'] (periodic:289)”
>
>
This WARN does not seem to be the cause ... it may be the result because
VM failed to be dispatched (perhaps due to lack of suitable hosts that got
disconnected at a moment)


>
> I am stumped. Do you think it is worth a shot increasing the 
> vdsConnectionTimeout
> and vdsHeartbeatInSeconds to 40 for testing purposes?
>

I still don't think it will change anything unless your network between
those 2 DC is 'tcp over pigeons' kind of setup :)
Now, more seriously. Even if increasing timeouts would fix the connectivity
I suspect the core issue would still remain ... in the best case scenario
it could be postponed a bit.

Am I correct assuming those 2 DC are  located in 2 different physical
locations?   If so then I would closely check the network itself first
(including hardware like routers/switches).

Artur

>
>
> Thanks
>
>
>

[ovirt-users] Re: Unassigned hosts

2020-08-07 Thread Artur Socha
Hi Nardus,
There is one more thing to be checked.

1) could you check if there are any packets sent from the affected host to
the engine?
on host:
# outgoing traffic
sudo tcpdump -i <interface> -c 1000 -nnvvS dst <engine_address>


2) same the other way round. Check if there are packets received on engine
side from affected host
on engine:
# incoming traffic
sudo tcpdump -i <interface> -c 1000 -nnvvS src <host_address>


Artur



[ovirt-users] Re: Unassigned hosts

2020-08-06 Thread Artur Socha
Hi Nardus,
You might have hit an issue I have been hunting for some time ( [1] and
[2] ).
[1] could not be properly resolved because at the time I was not able to
recreate the issue on a dev setup.
I suspect [2] is related.

Would you be able to prepare a thread dump from your engine instance?
Additionally, please check for potential libvirt errors/warnings.
Can you also paste the output of:
sudo yum list installed | grep vdsm
sudo yum list installed | grep ovirt-engine
sudo yum list installed | grep libvirt

Usually, according to previous reports, restarting the engine helps to
restore connectivity with hosts ... at least for some time.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1845152
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1846338

regards,
Artur



On Thu, Aug 6, 2020 at 8:01 AM Nardus Geldenhuys  wrote:

> Also see this in engine:
>
> Aug 6, 2020, 7:37:17 AM
> VDSM someserver command Get Host Capabilities failed: Message timeout
> which can be caused by communication issues
>
> On Thu, 6 Aug 2020 at 07:09, Strahil Nikolov 
> wrote:
>
>> Can you check for errors on the affected host. Most probably you need the
>> vdsm logs.
>>
>> Best Regards,
>> Strahil Nikolov
>>
>> On 6 August 2020 at 7:40:23 GMT+03:00, Nardus Geldenhuys <
>> nard...@gmail.com> wrote:
>> >Hi Strahil
>> >
>> >Hope you are well. I get the following error when I tried to confirm
>> >reboot:
>> >
>> >Error while executing action: Cannot confirm 'Host has been rebooted'
>> >Host.
>> >Valid Host statuses are "Non operational", "Maintenance" or
>> >"Connecting".
>> >
>> >And I can't put it in maintenance, only option is "restart" or "stop".
>> >
>> >Regards
>> >
>> >Nar
>> >
>> >On Thu, 6 Aug 2020 at 06:16, Strahil Nikolov 
>> >wrote:
>> >
>> >> After rebooting the node, have you "marked" it that it was rebooted ?
>> >>
>> >> Best Regards,
>> >> Strahil Nikolov
>> >>
>> >> On 5 August 2020 at 21:29:04 GMT+03:00, Nardus Geldenhuys <
>> >> nard...@gmail.com> wrote:
>> >> >Hi oVirt land
>> >> >
>> >> >Hope you are well. Got a bit of an issue, actually a big issue. We had
>> >> >some sort of dip of some sort. All the VM's is still running, but some of
>> >> >the hosts is show "Unassigned" or "NonResponsive". So all the hosts was
>> >> >showing UP and was fine before our dip. So I did increase
>> >> >vdsHeartbeatInSecond to 240, no luck.
>> >> >
>> >> >I still get a timeout on the engine lock even though I can connect to
>> >> >that host from the engine using nc to test to port 54321. I also did
>> >> >restart vdsmd and also rebooted the host with no luck.
>> >> >
>> >> > nc -v someserver 54321
>> >> >Ncat: Version 7.50 ( https://nmap.org/ncat )
>> >> >Ncat: Connected to 172.40.2.172:54321.
>> >> >
>> >> >2020-08-05 20:20:34,256+02 ERROR
>> >> >[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> >(EE-ManagedThreadFactory-engineScheduled-Thread-70) [] EVENT_ID:
>> >> >VDS_BROKER_COMMAND_FAILURE(10,802), VDSM someserver command Get Host
>> >> >Capabilities failed: Message timeout which can be caused by communication
>> >> >issues
>> >> >
>> >> >Any troubleshoot ideas will be gladly appreciated.
>> >> >
>> >> >Regards
>> >> >
>> >> >Nar
>> >>
>>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RZPEGTZ6WD35MMSHF357RQI34E66N7MB/


[ovirt-users] Re: Unassigned hosts

2020-08-06 Thread Artur Socha
Thanks Nardus,
After a quick look I found what I was suspecting - there are way too many
threads in Blocked state. I don't know yet the reason but this is very
helpful. I'll let you know about the findings/investigation. Meanwhile, you
may try restarting the engine as a (very brute and ugly) workaround.
You may try to set up a slightly bigger thread pool - may save you some time
until the next hiccup. However, please be aware that this may come with the
cost in memory usage and higher cpu usage (due to increased context
switching)
Here are some docs:

# Specify the thread pool size for jboss managed scheduled executor service
# used by commands to periodically execute methods. It is generally not
# necessary to increase the number of threads in this thread pool. To change
# the value permanently create a conf file 99-engine-scheduled-thread-pool.conf
# in /etc/ovirt-engine/engine.conf.d/
ENGINE_SCHEDULED_THREAD_POOL_SIZE=100


A.


On Thu, Aug 6, 2020 at 4:19 PM Nardus Geldenhuys  wrote:

> Hi Artur
>
> Please find attached, also let me know if I need to rerun. They 5 min apart
>
> [root@engine-aa-1-01 ovirt-engine]#  ps -ef | grep jboss | grep -v grep |
> awk '{ print $2 }'
> 27390
> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 >
> your_engine_thread_dump_1.txt
> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 >
> your_engine_thread_dump_2.txt
> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 >
> your_engine_thread_dump_3.txt
>
> Regards
>
> Nar
>

[ovirt-users] Re: Unassigned hosts

2020-08-06 Thread Artur Socha
Sure thing.
On engine host please find  jboss pid. You can use this command:

 ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'

or jps tool from jdk. Sample output on my dev environment is:

± % jps
   !2860
64853 jboss-modules.jar
196217 Jps

Then use jstack from jdk:
jstack <pid> > your_engine_thread_dump.txt
2 or 3 dumps taken at approximately 5-minute intervals would be even more
useful.

Here you can find even more options
https://www.baeldung.com/java-thread-dump

Artur

On Thu, Aug 6, 2020 at 3:15 PM Nardus Geldenhuys  wrote:

> Hi
>
> Can create thread dump, please send details on howto.
>
> Regards
>
> Nardus
>
> On Thu, 6 Aug 2020 at 14:17, Artur Socha  wrote:
>
>> Hi Nardus,
>> You might have hit an issue I have been hunting for some time ( [1] and
>> [2] ).
>> [1] could not be properly resolved because at a time was not able to
>> recreate an issue on dev setup.
>> I suspect [2] is related.
>>
>> Would you be able to prepare a thread dump from your engine instance?
>> Additionally, please check for potential libvirt errors/warnings.
>> Can you also paste the output of:
>> sudo yum list installed | grep vdsm
>> sudo yum list installed | grep ovirt-engine
>> sudo yum list installed | grep libvirt
>>
>> Usually, according to previous reports, restarting the engine helps to
>> restore connectivity with hosts ... at least for some time.
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1845152
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1846338
>>
>> regards,
>> Artur
>>
>>
>>
>> On Thu, Aug 6, 2020 at 8:01 AM Nardus Geldenhuys 
>> wrote:
>>
>>> Also see this in engine:
>>>
>>> Aug 6, 2020, 7:37:17 AM
>>> VDSM someserver command Get Host Capabilities failed: Message timeout
>>> which can be caused by communication issues
>>>
>>> On Thu, 6 Aug 2020 at 07:09, Strahil Nikolov 
>>> wrote:
>>>
>>>> Can you check for errors on the affected host. Most probably you need
>>>> the vdsm logs.
>>>>
>>>> Best Regards,
>>>> Strahil Nikolov
>>>>
>>>> On 6 August 2020 at 7:40:23 GMT+03:00, Nardus Geldenhuys <
>>>> nard...@gmail.com> wrote:
>>>> >Hi Strahil
>>>> >
>>>> >Hope you are well. I get the following error when I tried to confirm
>>>> >reboot:
>>>> >
>>>> >Error while executing action: Cannot confirm 'Host has been rebooted'
>>>> >Host.
>>>> >Valid Host statuses are "Non operational", "Maintenance" or
>>>> >"Connecting".
>>>> >
>>>> >And I can't put it in maintenance, only option is "restart" or "stop".
>>>> >
>>>> >Regards
>>>> >
>>>> >Nar
>>>> >
>>>> >On Thu, 6 Aug 2020 at 06:16, Strahil Nikolov 
>>>> >wrote:
>>>> >
>>>> >> After rebooting the node, have you "marked" it that it was rebooted ?
>>>> >>
>>>> >> Best Regards,
>>>> >> Strahil Nikolov
>>>> >>
>>>> >> On 5 August 2020 at 21:29:04 GMT+03:00, Nardus Geldenhuys <
>>>> >> nard...@gmail.com> wrote:
>>>> >> >Hi oVirt land
>>>> >> >
>>>> >> >Hope you are well. Got a bit of an issue, actually a big issue. We
>>>> >had
>>>> >> >some
>>>> >> >sort of dip of some sort. All the VM's is still running, but some of
>>>> >> >the
>>>> >> >hosts is show "Unassigned" or "NonResponsive". So all the hosts was
>>>> >> >showing
>>>> >> >UP and was fine before our dip. So I did increase
>>>> >vdsHeartbeatInSecond
>>>> >> >to
>>>> >> >240, no luck.
>>>> >> >
>>>> >> >I still get a timeout on the engine lock even thou I can connect to
>>>> >> >that
>>>> >> >host from the engine using nc to test to port 54321. I also did
>>>> >restart
>>>> >> >vdsmd and also rebooted the host with no luck.
>>>> >> >
>>>> >> > nc -v someserver 54321
>>>> >> >Ncat: Version 7.50 ( https://nmap.org/ncat )
>>>> >&
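
One way to compare the two or three thread dumps requested in the messages above, as an added example that is not part of the original thread: it parses both regular jstack output and the shorter `jstack -F` format, counts thread states, maps each contended monitor to its holder, and lists the threads that stay BLOCKED in every dump. The function names, frames and sample dumps are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

HEADER = re.compile(r'^"(?P<name>[^"]+)"')                 # regular jstack thread header
STATE = re.compile(r'^\s+java\.lang\.Thread\.State: (?P<state>[A-Z_]+)')
FORCED = re.compile(r'^Thread (?P<tid>\d+): \(state = (?P<state>[A-Z_]+)\)')  # jstack -F
LOCK = re.compile(r'^\s+- (?P<verb>waiting to lock|waiting on|locked) <(?P<id>0x[0-9a-f]+)>')


def parse_dump(text):
    """Return one dict per thread: name, state, monitor wanted, monitors held."""
    threads, cur = [], None
    for line in text.splitlines():
        head, forced = HEADER.match(line), FORCED.match(line)
        if head or forced:
            cur = {"name": head["name"] if head else "Thread " + forced["tid"],
                   "state": forced["state"] if forced else "UNKNOWN",
                   "wants": None, "holds": set(), "released": set()}
            threads.append(cur)
            continue
        if cur is None:
            continue
        state, lock = STATE.match(line), LOCK.match(line)
        if state:
            cur["state"] = state["state"]
        elif lock and lock["verb"] == "waiting to lock":
            cur["wants"] = lock["id"]
        elif lock and lock["verb"] == "waiting on":
            cur["released"].add(lock["id"])  # in Object.wait(): monitor is given up
        elif lock:
            cur["holds"].add(lock["id"])
    return threads


def state_counts(text):
    """Number of threads per state in one dump."""
    return Counter(t["state"] for t in parse_dump(text))


def contention(text):
    """Map each contended monitor to its holder and the threads queued on it."""
    threads = parse_dump(text)
    holder = {m: t["name"] for t in threads for m in t["holds"] - t["released"]}
    queued = defaultdict(list)
    for t in threads:
        if t["wants"]:
            queued[t["wants"]].append(t["name"])
    return {m: {"holder": holder.get(m), "waiters": names} for m, names in queued.items()}


def blocked_in_every(dumps):
    """Threads BLOCKED in all dumps, i.e. stuck for the whole sampling window."""
    per_dump = [{t["name"] for t in parse_dump(d) if t["state"] == "BLOCKED"} for d in dumps]
    return sorted(set.intersection(*per_dump)) if per_dump else []


# Constructed dumps (not the attachments from the thread); DUMP_2 is a later sample.
DUMP_1 = '''\
Full thread dump (constructed sample):

"EE-ManagedThreadFactory-engineScheduled-Thread-70" #310 daemon prio=5 tid=0x01 nid=0x6b01 waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
        at org.example.HostRefresh.run(HostRefresh.java:42)
        - waiting to lock <0x00000000e0a1b2c8> (a java.lang.Object)

"EE-ManagedThreadFactory-engineScheduled-Thread-71" #311 daemon prio=5 tid=0x02 nid=0x6b02 waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
        - waiting to lock <0x00000000e0a1b2c8> (a java.lang.Object)

"EE-ManagedThreadFactory-engine-Thread-5" #120 daemon prio=5 tid=0x03 nid=0x6b03 runnable
   java.lang.Thread.State: RUNNABLE
        at org.example.HostChannel.send(HostChannel.java:88)
        - locked <0x00000000e0a1b2c8> (a java.lang.Object)

"Reference Handler" #2 daemon prio=10 tid=0x04 nid=0x6b04 in Object.wait()
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        - waiting on <0x00000000e0000010> (a java.lang.ref.Reference$Lock)
        - locked <0x00000000e0000010> (a java.lang.ref.Reference$Lock)
'''
DUMP_2 = '''\
"EE-ManagedThreadFactory-engineScheduled-Thread-70" #310 daemon prio=5 tid=0x01 nid=0x6b01 waiting for monitor entry
   java.lang.Thread.State: BLOCKED (on object monitor)
        - waiting to lock <0x00000000e0a1b2c8> (a java.lang.Object)

"EE-ManagedThreadFactory-engineScheduled-Thread-71" #311 daemon prio=5 tid=0x02 nid=0x6b02 runnable
   java.lang.Thread.State: RUNNABLE
'''
DUMP_F = '''\
Thread 27401: (state = BLOCKED)
 - java.lang.Object.wait(long) @bci=0 (Interpreted frame)
Thread 27402: (state = IN_NATIVE)
'''

if __name__ == "__main__":
    print(state_counts(DUMP_1))
    print(contention(DUMP_1))
    print(blocked_in_every([DUMP_1, DUMP_2]))
    print(state_counts(DUMP_F))
```

In `jstack -F` output, `state = BLOCKED` is the JVM-internal thread state and also covers threads that are only waiting or sleeping, so counts taken from `-F` dumps overstate monitor contention.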

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
> 
>  
> 
> Sure, please see below output:
> 
>  
> 
> [root@virt ~]# curl -vvv -H "Accept:application/json" '
> https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api'
> 
> * About to connect() to virt.example.co.za port 443 (#0)
> 
> *   Trying 127.0.0.1...
> 
> * Connected to virt.example.co.za (127.0.0.1) port 443 (#0)
> 
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> 
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> 
>   CApath: none
> 
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> 
> * Server certificate:
> 
> *   subject: CN=*.example.co.za,OU=Domain Control Validated
> 
> *   start date: Sep 25 07:46:12 2019 GMT
> 
> *   expire date: Oct 02 07:39:01 2020 GMT
> 
> *   common name: *.example.co.za
> 
> *   issuer: CN=Starfield Secure Certificate Authority - G2,OU=
> http://certs.starfieldtech.com/repository/,O="Starfield Technologies,
> Inc.",L=Scottsdale,ST=Arizona,C=US
> 
> > GET /ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api HTTP/1.1
> 
> > User-Agent: curl/7.29.0
> 
> > Host: virt.example.co.za
> 
> > Accept:application/json
> 
> > 
> 
> < HTTP/1.1 400 Bad Request
> 
> < Date: Fri, 19 Jun 2020 09:52:11 GMT
> 
> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
> 
> < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647;
> Expires=Wed, 07-Jul-2088 13:06:18 GMT
> 
> < X-XSS-PROTECTION: 1; MODE=BLOCK
> 
> < X-CONTENT-TYPE-OPTIONS: NOSNIFF
> 
> < X-FRAME-OPTIONS: SAMEORIGIN
> 
> < Content-Type: application/json
> 
> < Content-Length: 233
> 
> < Connection: close
> 
> < 
> 
> * Closing connection 0
> 
> {"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access."}
> 
>  
> 
> 1) Test connection using python script (from the blog post ) using sdk. I
> suspect it will not work either.
> 
> Testing from Python gives me the same error as well.
> 
>  
> 
> 2) I saw some errors in the log on revoking token. Please go to keycloak admin
> panel, and under users kill all its active sessions. Then, please without
> logging in to engine admin UI, use that curl
>  to obtain token.
> 
> Tested this again, but still getting the below:
> 
> {"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access."}
> 
>  
Thanks for these tests ... unfortunately nothing helped

> 3) Does it work without OVN integration enabled?
> 
> Can you explain a bit more? How can I disable OVN integration to test this?

I had in mind reverting OVN vs Keycloak integration done according to
"Configuring OVN" chapter in 
https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
   Unless, of course, you skipped it. 
Most likely you found a bug.  Have you ever been able to obtain token for api
access with keycloak integration (even with your previous environments)? I am now
trying to understand what happened and how to reproduce it before submitting the
bug into http://bugzilla.redhat.com
>  
> Thanks
>  
> 
> 
>   
>   
>   

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 07:35 +, Anton Louw via Users wrote:
> 
> 
> 
> Hi Everybody,

Hi Anton,
>  
> 
> So I have implemented KeyCloak into our oVirt environment, which works, up
> until a point. So WebUI access works, but when calling the API, using:
> 
> 
> curl -k -H "Accept: application/json" '
> https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api'
> 
>  
> 
> I get the below error:
> 
>  
> 
> {"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}
> 
>  
> 
> If my configs are removed, and I use “admin@internal” for my username, then it
> works.
> 
>  
> 
> I followed the below article step by step, and I double checked that all the
> scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)
> 
> 
>  
> 
> https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> 
>  
> 
> Anybody have any ideas?

It is my blind shot but could you create & check another user?
One more thing to check please use curl -vvv to check if there are any redirects
along the way.  I will check keycloak settings on my setup - perhaps there is
something non-obvious that could have been missed.
Any chance to get a bit more logs from engine.log and even from keycloak?
Perhaps there is something there that could help.
Artur
>  
> Thank you
> 
> 
> 
> 
>   
>   
>   


List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CXYLGC5W5EYD3LO54FPWYOWX6ZCMLYMB/
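
The token request and the two "Invalid scopes" error bodies discussed in this thread, as an added example that is not part of the original messages: it builds the password-grant request with the credentials in a form-encoded POST body instead of the URL, and extracts the scope list from either error shape. It assumes the SSO endpoint accepts a form-encoded POST; the function names and the sample password are constructed.

```python
import json
import re
import urllib.parse
import urllib.request

TOKEN_PATH = "/ovirt-engine/sso/oauth/token"   # endpoint path as used in the thread


def build_token_request(engine_host, username, password, scope="ovirt-app-api"):
    """Password-grant request with the credentials in the form body, not the URL."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,      # user@profile: '@' is sent as %40
        "password": password,      # '&', '=' and spaces are escaped, not parsed as separators
        "scope": scope,
    }).encode("ascii")
    return urllib.request.Request(
        f"https://{engine_host}{TOKEN_PATH}",
        data=body,
        method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def rejected_scopes(response_text):
    """Scopes listed after 'Invalid scopes:' in an SSO error body, in order."""
    doc = json.loads(response_text)
    # The two failures in the thread carry the message under different keys.
    for key in ("error_description", "error"):
        found = re.search(r"Invalid scopes: (.*?)\.?$", str(doc.get(key, "")))
        if found:
            return found.group(1).split()
    return []


# Error bodies copied from the thread, with the e-mail line wrapping undone.
FIRST_ERROR = (
    '{"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api '
    'ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search '
    'ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate '
    'ovirt-ext=token:password-access.","error":"access_denied"}'
)
SECOND_ERROR = (
    '{"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: '
    'ovirt-app-api ovirt-ext=token-info:authz-search '
    'ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate '
    'ovirt-ext=token:password-access."}'
)

if __name__ == "__main__":
    # "p&ss=w rd" is a constructed password that would break a hand-built query string.
    req = build_token_request("virt.example.co.za", "admin@openidchttp", "p&ss=w rd")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print(rejected_scopes(FIRST_ERROR))
    # Scopes named in the first failure but not in the second one.
    print(sorted(set(rejected_scopes(FIRST_ERROR)) - set(rejected_scopes(SECOND_ERROR))))
```

With the GET form used in the thread, the password is part of the request line that `curl -vvv` prints and that web servers normally write to their access logs; the POST body is not.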


[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 08:34 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
> 
>  
> 
> Thank you for the quick response. 
> 
>  
> 
> I have actually tried creating another user, but I still get the same error. I
> have attached the output of curl -vvv as well as the logs the engine and
> keycloak logs.

This `curl -vvv ...`  is actually incorrect because it is missing -H before
'Accept' header.   However, previous attempts that led to this error seemed to
be fine. Could you just re-send output of the correct curl? 
There are few things we can test to try to narrow down the root cause:
1) Test connection using python script  (from the blog post ) using sdk. I
suspect it will not work either.
2) I saw some errors  in the log on revoking token. Please go to keycloak admin
panel, and under users kill all its active sessions. Then, please without
logging in to engine admin UI, use that curl to obtain token.
3) Does it work without OVN integration enabled?
Artur

>  
> Thank you
> From: Artur Socha
> Sent: 19 June 2020 10:23
> To: Anton Louw; users@ovirt.org
> Subject: Re: [ovirt-users] KeyCloak Integration
>
> On Fri, 2020-06-19 at 07:35 +, Anton Louw via Users wrote:
> > Hi Everybody,
>
> Hi Anton,
>
> > So I have implemented KeyCloak into our oVirt environment, which works, up
> > until a point. So WebUI access works, but when calling the API, using:
> >
> > curl -k -H "Accept: application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api'
> >
> > I get the below error:
> >
> > {"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}
> >
> > If my configs are removed, and I use “admin@internal” for my username, then
> > it works.
> >
> > I followed the below article step by step, and I double checked that all the
> > scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)
> >
> > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> >
> > Anybody have any ideas?
>
> It is my blind shot but could you create & check another user?
>
> One more thing to check: please use curl -vvv to check if there are any
> redirects along the way.
>
> I will check keycloak settings on my setup - perhaps there is something
> non-obvious that could have been missed.
>
> Any chance to get a bit more logs from engine.log and even from keycloak?
> Perhaps there is something there that could help.
>
> Artur
>
> >  
> > Thank you

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 10:21 +, Anton Louw wrote:
> Yes I didn’t get to the OVN part yet, as I first wanted to test if the
> token can be obtained.
>
> This is the first time we are testing KeyCloak in any environment, so we have
> never been able to obtain a token for API access.
>
Please post the exact versions of:
- ovirt-engine* :
yum list --installed | grep ovirt-engine
yum list --installed | grep ovirt-engine-extension-aaa-misc
yum list --installed | grep mod_auth_openidc
- keycloak
- OS
cat /etc/*elease

I'll submit a bug ... which, most likely, I will assign to myself anyway :)

Artur

> Thanks
>
> From: Artur Socha
> Sent: 19 June 2020 12:16
> To: Anton Louw; users@ovirt.org
> Cc: Stephen Hutchinson
> Subject: Re: [ovirt-users] KeyCloak Integration
>
> On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:
> > Hi Artur,
> >
> > Sure, please see below output:
> >
> > [root@virt ~]# curl -vvv -H "Accept:application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api'
> > * About to connect() to virt.example.co.za port 443 (#0)
> > *   Trying 127.0.0.1...
> > * Connected to virt.example.co.za (127.0.0.1) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> > * Server certificate:
> > *   subject: CN=*.example.co.za,OU=Domain Control Validated
> > *   start date: Sep 25 07:46:12 2019 GMT
> > *   expire date: Oct 02 07:39:01 2020 GMT
> > *   common name: *example.co.za
> > *   issuer: CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
> > > GET /ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api HTTP/1.1
> > > User-Agent: curl/7.29.0
> > > Host: virt.example.co.za
> > > Accept:application/json
> > >
> > < HTTP/1.1 400 Bad Request
> > < Date: Fri, 19 Jun 2020 09:52:11 GMT
> > < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
> > < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 07-Jul-2088 13:06:18 GMT
> > < X-XSS-PROTECTION: 1; MODE=BLOCK
> > < X-CONTENT-TYPE-OPTIONS: NOSNIFF
> > < X-FRAME-OPTIONS: SAMEORIGIN
> > < Content-Type: application/json
> > < Content-Length: 233
> > < Connection: close
> > <
> > * Closing connection 0
> > {"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access."}
> >
> > 1) Test connection using python script (from the blog post) using sdk. I
> > suspect it will not work either.
> > Testing from Python gives me the same error as well.
> >
> > 2) I saw some errors in the log on revoking token. Please go to keycloak
> > admin panel, and under users kill all its active sessions. Then, please
> > without logging in to engine admin UI, use that curl to obtain token.
> > Tested this again, but still getting the below:
> > {"error_code":"access_denied","error":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access."}
> >
>
> Thanks for these tests ... unfortunately nothing helped
>
> > 3) Does it work without OVN integration enabled?
> > Can you explain a bit more? How can I disable OVN integration to test this?
>
> I had in mind reverting OVN vs Keycloak integration done according to
> "Configuring OVN" chapter in
> https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
>
> Unless, of course, you skipped it.
>
> Most likely you found a bug. Have you ever been able to obtain token for api
> access with keycloak integration (even w
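
The token request and the two error bodies from this exchange, worked through in Python as an added example (not code from the thread, the blog post or oVirt). The function names are hypothetical, the password is a constructed sample, and sending the grant as a form-encoded POST body instead of in the URL is an assumption based on RFC 6749; it keeps the password out of web-server access logs.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_PATH = "/ovirt-engine/sso/oauth/token"  # path as it appears in the thread

# The two error bodies quoted in the thread (note the different key layouts).
FIRST_ERROR = (
    '{"error_description":"Cannot authenticate user Invalid scopes: '
    'ovirt-app-api ovirt-ext=revoke:revoke-all '
    'ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search '
    'ovirt-ext=token-info:validate ovirt-ext=token:password-access.",'
    '"error":"access_denied"}'
)
SECOND_ERROR = (
    '{"error_code":"access_denied","error":"Cannot authenticate user Invalid '
    'scopes: ovirt-app-api ovirt-ext=token-info:authz-search '
    'ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate '
    'ovirt-ext=token:password-access."}'
)
# Client scopes Anton reports having added in Keycloak.
CLIENT_SCOPES = {"ovirt-app-api", "ovirt-app-admin"}


def build_token_request(base_url, username, password, scope="ovirt-app-api"):
    """Return a POST Request with the grant parameters in the body.

    Assumption: the endpoint accepts the form-encoded POST that RFC 6749
    specifies for token requests. urlencode escapes '@', '&', '=' and spaces,
    so a password containing them cannot split or truncate the parameters.
    """
    form = urlencode({
        "grant_type": "password",
        "username": username,  # user@profile, e.g. admin@openidchttp
        "password": password,
        "scope": scope,
    })
    return Request(
        base_url.rstrip("/") + TOKEN_PATH,
        data=form.encode("ascii"),
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_sso_error(body):
    """Return (code, message) for either error layout quoted in the thread."""
    doc = json.loads(body)
    if "error_description" in doc:   # {"error_description": msg, "error": code}
        return doc.get("error"), doc["error_description"]
    return doc.get("error_code"), doc.get("error", "")  # code / msg swapped


def rejected_scopes(message):
    """List the scope names that follow 'Invalid scopes:' in the message."""
    marker = "Invalid scopes:"
    if marker not in message:
        return []
    return message.split(marker, 1)[1].strip().rstrip(".").split()


def not_in_client_scopes(rejected, client_scopes):
    """Scopes named in the error that are absent from the given client list."""
    return [s for s in rejected if s not in client_scopes]


if __name__ == "__main__":
    req = build_token_request("https://virt.example.co.za",
                              "admin@openidchttp", "p&ss w=rd")  # constructed
    print(req.get_method(), req.full_url)
    for body in (FIRST_ERROR, SECOND_ERROR):
        code, message = parse_sso_error(body)
        scopes = rejected_scopes(message)
        print(code, scopes, not_in_client_scopes(scopes, CLIENT_SCOPES))
```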

[ovirt-users] Re: KeyCloak Integration

2020-06-22 Thread Artur Socha
Hi Anton,
Thanks for the specs. I have created a BZ issue for tracking:
https://bugzilla.redhat.com/show_bug.cgi?id=1849569
Feel free to add comments/change it when needed.

Artur
On Fri, 2020-06-19 at 10:57 +, Anton Louw wrote:
> Hi Artur,
>
> Please see below:
>
> ovirt-engine.noarch                      4.3.10.4-1.el7   @ovirt-4.3
> ovirt-engine-extension-aaa-misc.noarch   1.0.4-1.el7      @ovirt-4.3
> mod_auth_openidc.x86_64                  1.8.8-5.el7      @base
>
> [root@virt ~]# cat /etc/*elease
> CentOS Linux release 7.7.1908 (Core)
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
>
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>
> CentOS Linux release 7.7.1908 (Core)
> CentOS Linux release 7.7.1908 (Core)
>
> KeyCloak – Server Version 10.0.1
>
> Thanks a lot for your help Artur. Please let me know if you need anything
> else.
>

[ovirt-users] Re: KeyCloak Integration

2020-06-22 Thread Artur Socha
Anton,
I managed to re-create the issue on my local environment. Previously I
tested it against Keycloak 8.0.1 with users loaded from LDAP. Currently I have
users/groups created via Keycloak management panel. I need to investigate
further which of the two changes is the root cause (it works fine with the old
setup).

Artur
On Mon, 2020-06-22 at 11:05 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
>  
> Great, thanks a lot! 

[ovirt-users] Re: KeyCloak Integration

2020-06-22 Thread Artur Socha
On Mon, 2020-06-22 at 15:14 +0200, Artur Socha wrote:
> Anton,
> I managed to re-create the issue on my local environment. 
> Previously I tested it against Keycloak 8.0.1 with users loaded from LDAP.
> Currently I have users/groups created via Keycloak management panel. I need to
> investigate it further which of the two changes is the root cause (it works
> fine with the old setup)

One more update: it seems the issue is keycloak version related. Trying to
figure out what was changed and how it affected engine sso integration.
The latest keycloak version I tested and verified that works is 9.0.3. Perhaps it
could be possible for you to use it until we fully support 10.0.x?

Artur

> Artur

[ovirt-users] Re: Create new user, but why cannot login ?

2021-01-15 Thread Artur Socha
Hi Tommy,
It looks like you are missing some permissions (roles)? Are you trying to log in
to the administration panel (that's my guess) or to the VM portal?
Anyway, to resolve this issue assign relevant roles to that newly created
user using your admin account.

Artur


On Fri, Jan 15, 2021 at 7:10 AM tommy  wrote:

> I just created a new user:
>
> [root@oeng ~]# ovirt-aaa-jdbc-tool user add cuitao
> adding user cuitao...
> user added successfully
>
> [root@oeng ~]# ovirt-aaa-jdbc-tool user password-reset cuitao
> Password:
> Reenter password:
> updating user cuitao...
> user updated successfully
>
> [root@oeng ~]# ovirt-aaa-jdbc-tool user edit cuitao --password-valid-to="2221-01-15 05:23:41Z"
> updating user cuitao...
> user updated successfully
>
> [root@oeng ~]# ovirt-aaa-jdbc-tool user show cuitao
> -- User cuitao(300163db-8352-4fbd-86ac-d25014364f08) --
> Namespace: *
> Name: cuitao
> ID: 300163db-8352-4fbd-86ac-d25014364f08
> Display Name:
> Email: sz_cui...@163.com
> First Name: tommy
> Last Name: cui
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Locked: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2021-01-15 05:23:41Z
> Account Valid To: 2221-01-15 05:23:41Z
> Account Without Password: false
> Last successful Login At: 2021-01-15 05:54:49Z
> Last unsuccessful Login At: 2021-01-15 05:32:12Z
> Password Valid To: 2221-01-15 05:23:41Z
>
> And I give VmCreator Role to the new account.
>
> But why cannot login ?
>
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/YSYU4LSH42ENIVVKE6FDVR4KCDUOQIRX/
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OSHRCZN4IU34H3MCBYNOED725SIVKW7Q/


[ovirt-users] Re: VM Portal. User can't access the details box

2021-02-24 Thread Artur Socha
Hi Nicolás,
First thing would be to check engine's logs
/var/log/ovirt-engine/engine.log. Would it be possible to post here a
snippet from the time this issue occurred?

There might be something in audit log as well (from the admin's account)

cheers,
Artur


On 24.02.2021 11:48, Nicolás wrote:
> Hi,
> 
> We're running oVirt 4.1.8. We make an intense use of the VM Portal, as
> our students use it to access and handle their machines. We're currently
> having an issue with just one of our users. He claims that he created a
> VM, and when tried to edit its details (clicking on the pencil), a
> screen stating that the "VM Portal is experiencing some issues" is shown
> (screenshot added).
> 
> I granted a UserRole permission on a user I handle, and I don't
> experience that problem, I can edit the VM with no issues. The user also
> states that this happens on any VM he creates.
> 
> I see nothing relevant in the log regarding this issue.
> 
> Please, any hint how to debug this?
> 
> Thanks.
> 
> Nicolás
> 
> List Archives: 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/BVKO35XCMMUIYZHWTFBSJ6Q6ET7UGCZO/
> 



List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ICUOW7B3XDIZMFR3NRHTDSSML7IH2XZL/