Re: [ovirt-users] connecting to windows 10 vm with tdp

[Yair Zaslavsky]

Maybe this can help 

http://www.ovirt.org/documentation/internal/guest-agent/understanding-guest-agents-and-other-tools/
 


- Original Message -

From: "Yair Zaslavsky"  
To: "Zeev Mindali"  
Cc: users@ovirt.org 
Sent: Monday, 18 April, 2016 4:42:17 PM 
Subject: Re: [ovirt-users] connecting to windows 10 vm with tdp 

Out of curiosity, did you try to use spice? 
I assume your VM is running windows OS, based on the mentioning of RDP? 



- Original Message -

From: "Zeev Mindali"  
To: users@ovirt.org 
Sent: Monday, 18 April, 2016 3:54:28 PM 
Subject: [ovirt-users] connecting to windows 10 vm with tdp 



Dear all, 



I have ovirt 3.6 on centos 7.2. 

I would like to connect with rdp to my vm , but I didn't found how I can enable 
this option, it's allways in gray 

Thanks for the help 









Zeev Mindali 
Windows & Mobile Developer 
Chip PC, 5 Nahum Hat St. 
Haifa 
Israel 3508504 

Tel +972-4-8501121 
Fax +972-4-8501088 
Cell +972-52-4043142 
Email ze...@chippc.com 
Web www.chippc.com 



___ 
Users mailing list 
Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users 


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] connecting to windows 10 vm with tdp

[Yair Zaslavsky]

Out of curiosity, did you try to use spice? 
I assume your VM is running windows OS, based on the mentioning of RDP? 



- Original Message -

From: "Zeev Mindali"  
To: users@ovirt.org 
Sent: Monday, 18 April, 2016 3:54:28 PM 
Subject: [ovirt-users] connecting to windows 10 vm with tdp 



Dear all, 



I have ovirt 3.6 on centos 7.2. 

I would like to connect with rdp to my vm , but I didn't found how I can enable 
this option, it's allways in gray 

Thanks for the help 









Zeev Mindali 
Windows & Mobile Developer 
Chip PC, 5 Nahum Hat St. 
Haifa 
Israel 3508504 

Tel +972-4-8501121 
Fax +972-4-8501088 
Cell +972-52-4043142 
Email ze...@chippc.com 
Web www.chippc.com 



___ 
Users mailing list 
Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users 

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Educational use case question

[Yair Zaslavsky]

- Original Message -

From: "Alex Crow"  
To: users@ovirt.org 
Sent: Thursday, 14 April, 2016 3:15:44 PM 
Subject: Re: [ovirt-users] Educational use case question 

This certainly works. Console can be reached via a browser plugin or 
Virt-Viewer (available for Windows). Self-hosted engine is the way to 
go, and is production-ready, especially if you want to add more nodes later. 

On 14/04/16 03:33, Michael Hall wrote: 
> Yes but what about the student sitting on the Windows machine in the 
> lab who wants to install and interact with her VM via it's GUI ... 
> like is possible in Virtual Machine Manager on RHEL/CentOS 7 ... 
> except she'd be doing it remotely via an in-browser console ... like 
> Digital Ocean do for example. 

I dont think digital ocean is the correct analogy. 
As a digital ocean user, I have console in which I can create vms, right? But 
who installed the virtualization software for that? 
If you're thinking of a digital ocean, the analogy should be a provider that 
exposes ovirt web admin/user portal as management console to its customers. 

> 

-- 
This message is intended only for the addressee and may contain 
confidential information. Unless you are that person, you may not 
disclose its contents or use it in any way and are requested to delete 
the message along with any attachments and notify us immediately. 
This email is not intended to, nor should it be taken to, constitute advice. 
The information provided is correct to our knowledge & belief and must not 
be used as a substitute for obtaining tax, regulatory, investment, legal or 
any other appropriate advice. 

"Transact" is operated by Integrated Financial Arrangements Ltd. 
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. 
(Registered office: as above; Registered in England and Wales under 
number: 3727592). Authorised and regulated by the Financial Conduct 
Authority (entered on the Financial Services Register; no. 190856). 
___ 
Users mailing list 
Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users 

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Educational use case question

[Yair Zaslavsky]

Be advised that after installation is done, you can manage VMs using the ovirt 
webadmin. 


- Original Message -

From: "Michael Hall"  
To: users@ovirt.org 
Sent: Thursday, 14 April, 2016 12:19:28 PM 
Subject: Re: [ovirt-users] Educational use case question 

Thanks Julian, I'm in Mildura in VIC. 

I was hoping for a "pure" web-based client console solution, not something like 
the VMware desktop client. 


Anyway, I'm not going to get too hung up on this. Even if we go VMware because 
it "just works" and everyone's happy with it, we'll still do plenty of 
CentOS/Fedora. 

There is also a case to be made that our students are much more likely to 
encounter VMware in a corporate environment that KVM. And Windows. And iPads. 
Yawn. 

Thanks 

On Thu, Apr 14, 2016 at 11:22 AM, Julian De Marchi < jul...@jdcomputers.com.au 
> wrote: 


Hey Michael, 

> I am teaching IT subjects in TAFE (a kind of post-secondary technical 
> college) in Australia. 

Great news for this tech to be in tafe. I remember my time at Logan tafe got me 
into linux. 




We are currently looking for a virtualisation platform that will allow 
students to install and manage VMs via web interface. 

VMware is being proposed but I am trying to get KVM and the RedHat 
ecosystem in the lab as much as possible. 

I have reasonable experience with running virt manager on CentOS 7, but 
oVirt is new. I have it installed and running OK but am not sure how to 
proceed with configuration. 

I basically want to run a single physical server which will be the KVM 
host, the ISO and data store, and the home of oVirt engine ... in other 
words a complete oVirt-managed KVM virtualisation platform running on one 
physical machine (32GB RAM). It will only ever need to run a handful of VMs 
with little or no real data or load. Is this possible/feasible? 

If possible/feasible, where should oVirt engine go ... on the host itself, 
or into a VM guest? 



If it was me, I would do the engine install on the metal host itself. Will be a 
lot easier for you, as long as you _know_ you will not be adding more metal 
nodes to the oVirt setup. 

I would also be looking into the "VM Pool" feature for your student. This will 
give you a pool of VMs which after use can be reset to a default configuration. 



The web interface is what is making oVirt an attractive option at this 
stage, as students will be working from Windows clients on a corporate 
network. Do VM GUI display well in the browser? 



I have no experience using oVirt from Windows, but if there is a splice client 
available I see no reason why it shouldn't work. 

If you're local to QLD, I am more then happy to help in person. 

--julian 

___ 
Users mailing list 
Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users 





___ 
Users mailing list 
Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users 


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Educational use case question

[Yair Zaslavsky]

As far as I remember, oVirt does come with an all in one configuration , but 
looks like it was deprecated at 3.6, So can you try out the self hosted engine? 

https://www.ovirt.org/develop/release-management/features/engine/self-hosted-engine/
 



- Original Message -

From: "Michael Hall"  
To: users@ovirt.org 
Sent: Thursday, 14 April, 2016 11:10:03 AM 
Subject: [ovirt-users] Educational use case question 

Hi 

I am teaching IT subjects in TAFE (a kind of post-secondary technical college) 
in Australia. 

We are currently looking for a virtualisation platform that will allow students 
to install and manage VMs via web interface. 

VMware is being proposed but I am trying to get KVM and the RedHat ecosystem in 
the lab as much as possible. 

I have reasonable experience with running virt manager on CentOS 7, but oVirt 
is new. I have it installed and running OK but am not sure how to proceed with 
configuration. 

I basically want to run a single physical server which will be the KVM host, 
the ISO and data store, and the home of oVirt engine ... in other words a 
complete oVirt-managed KVM virtualisation platform running on one physical 
machine (32GB RAM). It will only ever need to run a handful of VMs with little 
or no real data or load. Is this possible/feasible? 

If possible/feasible, where should oVirt engine go ... on the host itself, or 
into a VM guest? 

The web interface is what is making oVirt an attractive option at this stage, 
as students will be working from Windows clients on a corporate network. Do VM 
GUI display well in the browser? 

Thanks for any advice 

Mike Hall 

___ 
Users mailing list 
Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users 

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] delete hang task

[Yair Zaslavsky]

When I worked on Ovirt (a year ago) there was a tool that did it, please look 
for some cleaner tool or something like that. 
In addition, last itme I touched the code I was strongly against such a 
solution, are you sure that the task is not running on VDSM side? 


CC'ing some relevant people. 


- Original Message -

From: "Nathanaël Blanchet"  
To: users@ovirt.org 
Sent: Friday, February 19, 2016 12:51:06 AM 
Subject: Re: [ovirt-users] delete hang task 

Hello, 

I met the same issue, so I worked a little bit for you :) 
On the engine : 

* QUERY : -q 

PGPASSWORD=X /usr/share/ovirt-engine/setup/dbutils/unlock_entity.sh -q -t 
snapshot -u engine 
296c010e-3c1d-4008-84b3-5cd39cff6aa1 | 525a4dda-dbbb-4872-a5f1-8ac2aed48392 

* REMOVE 

PGPASSWORD=X /usr/share/ovirt-engine/setup/dbutils/unlock_entity.sh -t 
snapshot -u engine 525a4dda-dbbb-4872-a5f1-8ac2aed48392 

Ref : 
http://lists.ovirt.org/pipermail/users/2015-November/035686.html 


Le 18/02/2016 14:25, p...@email.cz a écrit : 


Hello, 
I'm testing oVirt 3.6 for failover and have total issue. 
Snapshot VM will hang on ZFS filesystem. 
But the main questionis is : how can I cancel any unfinished tasks in ovirt ??? 
I didn't find any "normal" solution, except deleting record from ovirt DB 
manually 

any idea ? - no one is missing this functionality ??? 
regs. 
Pa. 


___
Users mailing list Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users 



-- 
Nathanaël Blanchet

Supervision réseau
Pôle Infrastrutures Informatiques
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5   
Tél. 33 (0)4 67 54 84 55
Fax  33 (0)4 67 54 84 14 blanc...@abes.fr 

___ 
Users mailing list 
Users@ovirt.org 
http://lists.ovirt.org/mailman/listinfo/users 

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ovirt live + user/groups/roles management

[Yair Zaslavsky]

- Original Message -

From: "Sandro Bonazzola"  
To: "Yair Zaslavsky"  
Cc: "Doron Fediuck" , "users" , "Yaniv 
Kaul" , "Lev Veyde"  
Sent: Wednesday, December 16, 2015 1:48:54 AM 
Subject: Re: [ovirt-users] ovirt live + user/groups/roles management 



On Tue, Dec 15, 2015 at 12:36 AM, Yair Zaslavsky < yzaslav...@aconex.com > 
wrote: 






From: "Doron Fediuck" < dfedi...@redhat.com > 
To: "Yair Zaslavsky" < yzaslav...@aconex.com > 
Cc: "users" < users@ovirt.org >, "Yaniv Kaul" < yk...@redhat.com >, "Lev Veyde" 
< lve...@redhat.com >, "Sandro Bonazzola" < sbona...@redhat.com > 
Sent: Tuesday, December 15, 2015 10:16:27 AM 
Subject: Re: [ovirt-users] ovirt live + user/groups/roles management 




On Dec 11, 2015 03:39, "Yair Zaslavsky" < yzaslav...@aconex.com > wrote: 
> 
> Hi all, 
Hello Yair. 

> I am interested in installing oVirt live , I am currently not interested to 
> spawn actual VMs, but rather interested to check roles/groups/users 
> management : 
> 
> a. Is there a built in JDBC support for users/groups management, or do I need 
> to configure freeIPA/openLdap as my external provider? 
> 
oVirt live is running in memory as a live CD. Anything you do will be gone once 
the machine power off. So you may want to decide if this is right for you. To 
the point there's a new AAA framework which allows you to use jdbc extension: 
http://www.ovirt.org/Features/AAA 

> b. If I do not wish to run VMs at the moment, do I need to have nested 
> virtualization configured? 
No. This is running in memory but not in a VM. 






I figured that much by now, i wanted to refresh my memory how the 
users/roles/groups thing works 

I am perfectly well with the fact everything will be wiped out when i turn the 
machine off. This means that if I want to configure AAA, i should do that every 
time i start the machine (of course create my own live cd ). 

The installation of ovirt live looks nice, good job on that, however I did 
encounter an error at installation , I am attaching logs 

I tried to install it on a VM that i created with VirtualBox 










looks like the engine wasn't yet ready when the host-deploy part started trying 
to connect to it. 


Is this a known issue or would you like me to a file a bug? 

In addition, are new RFEs accepted to ovirt-live? after the installation and 
thoughts about AAA I have some ideas. 













> 
> 
> Cheers, 
> Yair Zaslavsky 
> Senior SW Engineer, Aconex 
> 
> 
> ___ 
> Users mailing list 
> Users@ovirt.org 
> http://lists.ovirt.org/mailman/listinfo/users 
> 







-- 
Sandro Bonazzola 
Better technology. Faster innovation. Powered by community collaboration. 
See how it works at redhat.com 

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] ovirt live + user/groups/roles management

[Yair Zaslavsky]

Hi all, 
I am interested in installing oVirt live , I am currently not interested to 
spawn actual VMs, but rather interested to check roles/groups/users management 
: 

a. Is there a built in JDBC support for users/groups management, or do I need 
to configure freeIPA/openLdap as my external provider? 

b. If I do not wish to run VMs at the moment, do I need to have nested 
virtualization configured? 


Cheers, 
Yair Zaslavsky 
Senior SW Engineer, Aconex 

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Debug Environment for RHEVM

[Yair Zaslavsky]

- Original Message -
> From: "Vered Volansky" 
> To: "Chao Xie" 
> Cc: users@ovirt.org
> Sent: Monday, December 22, 2014 8:26:56 AM
> Subject: Re: [ovirt-users] Debug Environment for RHEVM
> 
> Hi,
> 
> It's not that you can't debug RHEV at all, it's just that the instructions in
> the link you cited is will not work as is.
> The packaging, hierarchy and even file names are different.
> 
> Regards,
> Vered

It is possible to open the remote debug port for RHEV-M.
The (not so ) tricky part will be to get the exact code-base as of the version 
(i.e - find the proper git tag).
In addition, are you sure you want to debug RHEVM and not oVirt?

Cheers,
Yair

> 
> - Original Message -
> > From: "Chao Xie" 
> > To: users@ovirt.org
> > Sent: Monday, December 22, 2014 3:55:13 AM
> > Subject: [ovirt-users] Debug Environment for RHEVM
> > 
> > 
> > 
> > HI,
> > 
> > 
> > 
> > I found there is a debug environment for oVirt:
> > http://wiki.ovirt.org/OVirt_Engine_Development_Environment
> > 
> > Is it also useful for RHEVM source code?
> > 
> > 
> > 
> > Best Regards,
> > 
> > Xie
> > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] templates and freeipa

[Yair Zaslavsky]

- Original Message -
> From: "Jim Kinney" 
> To: users@ovirt.org
> Sent: Friday, October 31, 2014 8:55:46 PM
> Subject: [ovirt-users] templates and freeipa
> 
> Ovirt 3.5 is running well for me and I have freeIPA controlling access to
> the user portal. I would like to provide templates of various linux setups
> that all have freeipa for user authentication in the VM for my developers
> to be able to create a new VM from and then log in using their freeIPA
> access and sudo control. I'm wanting to group developers by project and use
> freeIPA to set sudo commands as needed (group A get oracle, group B get
> postgresql, etc). Wanting to maximize developer ability while minimizing my
> clean up time :-) They will be able to delete VMs they create.
> 
> It's possible to do a kickstart deploy with freeIPA registration but a
> template from that will be a problem as it will have the same keys for all
> VMs.
> 
> Is there a post-creation scripting process I can attach to in ovirt or
> should I look at a default root user  and script that personalizes the new
> VM?

טYou mean something like the vdsm hooks?
Bare in mind that the create verb in VDSM is more about running a VM. the 
creation of its "metadata" is done at engine.

> 
> --
> --
> James P. Kinney III
> 
> Every time you stop a school, you will have to build a jail. What you gain
> at one end you lose at the other. It's like feeding a dog on his own tail.
> It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> 
> 
> *http://heretothereideas.blogspot.com/
> *
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Ovirt Engine Clear All tasks

[Yair Zaslavsky]

- Original Message -
> From: "Donny Davis" 
> To: "users" 
> Sent: Saturday, January 3, 2015 12:00:43 AM
> Subject: [ovirt-users] Ovirt Engine Clear All tasks
> 
> I tried to migrate disks from one storage domain to another, and it is
> taking an unreasonable amount of time to complete. The disks have been
> migrating for 6 hours, and is bringing my system to it's knees.
> 
> I have used the taskcleaner utility when the engine was stopped, and
> when I start the engine, it starts trying to migrate the disks again.
> 
> How can I fix this

I wonder if the command_entities table in the DB included any entries.
In addition, I wonder what was the status of tasks at SPM at that time.

> 
> Thanks
> 
> --
> Donny Davis
> CloudSpin.me
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] How can I add usernames in ovirt? i.e., is admin account

[Yair Zaslavsky]

- Original Message -
> From: "Sandvik Agustin" 
> To: users@ovirt.org
> Sent: Monday, January 5, 2015 8:47:30 PM
> Subject: Re: [ovirt-users] How can I add usernames in ovirt? i.e.,is 
> admin account
> 
> Hi,
> 
> 
> Thanks guys for the quick reply and I really appreciate it, I'll look upon
> your suggestions right now. By the way, I forgot to mention that I'm
> using oVirt
> Engine Version: 3.5.0.1-1.el6. Thanks Again, I'll update you guys about my
> progress.

That should work (i.e - as long as you use version 3.5.x, we had the ability to 
add users at the past as well, but it would be better to use the path Alon 
suggested).
Regarding FreeIPA - depends on the amount of machines you have to spare, it is 
possible to set the FreeIPA server on a different machine (i.e, not have engine 
and FreeIPA co-hosted).
But as suggested before , 389ds works just fine.

Cheers,
Yair

> 
> Thanks Again.
> 
> On Tue, Jan 6, 2015 at 2:39 AM, Donny Davis  wrote:
> 
> > Ensure you don't try to install freeipa to the manager machine, there will
> > be conflicts.
> >
> > 389ds works and is really easy to setup
> >
> > Regards
> > DonnyOn Jan 5, 2015 11:36 AM, Donny Davis  wrote:
> > >
> > > I did a write up on AAA LDAP.
> > >
> > > https://cloudspin.me/ovirt-simple-ldap-aaa/
> > >
> > > Hope its helpful
> > >
> > > DonnyOn Jan 5, 2015 11:26 AM, Alon Bar-Lev  wrote:
> > > >
> > > > Hello,
> > > >
> > > > For now you need to use somekind of LDAP with
> > ovirt-engine-extension-ldap[1][2] package.
> > > > In future we will support database based repository.
> > > >
> > > > Until someone from infra will have the time to publish the latest
> > version of the package, please download it directly from here[3], please
> > note that until engine-3.5.1 is out you will need to specify full path in
> > config.profile.file.1 variable at authn and authz extension configuration.
> > > >
> > > > Regards,
> > > > Alon
> > > >
> > > > [1]
> > http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> > > > [2] http://www.ovirt.org/Features/AAA
> > > > [3]
> > http://jenkins.ovirt.org/job/ovirt-engine-extension-aaa-ldap_any_create-rpms_manual/6/
> > > >
> > > > - Original Message -
> > > > > From: "Sandvik Agustin" 
> > > > > To: users@ovirt.org
> > > > > Sent: Monday, January 5, 2015 8:14:27 PM
> > > > > Subject: [ovirt-users] How can I add usernames in ovirt? i.e., is
> > admin account
> > > > >
> > > > > Hi guys,
> > > > >
> > > > > Good day, I just want to know if how can I add usernames in ovirt?
> > i.e., is
> > > > > admin account is already exist and I want to create another account
> > i.e.,
> > > > > users or clients account.
> > > > >
> > > > >
> > > > > TIA
> > > > >
> > > > > ___
> > > > > Users mailing list
> > > > > Users@ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > >
> > > > ___
> > > > Users mailing list
> > > > Users@ovirt.org
> > > > http://lists.ovirt.org/mailman/listinfo/users
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> >
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

[Yair Zaslavsky]

We will also need log of the generic ldap extensin, can you please provide it?

Thanks!


- Original Message -
> From: "Juan Jose" 
> To: "Alon Bar-Lev" 
> Cc: "Ondra Machacek" , "Yair Zaslavsky" 
> , users@ovirt.org
> Sent: Friday, December 5, 2014 1:10:06 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> 
> Hello Alon,
> 
> I have deleted Legacy domain with engine-manage-domain, and I have changed
> configuration to absolute file name as you can see:
> 
> /etc/ovirt-engine/extensions.d/siee-local-authn.properties:
> 
> ovirt.engine.extension.name = siee-local-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = siee
> ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
> config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties
> 
> /etc/ovirt-engine/extensions.d/siee-local-authz.properties:
> 
> ovirt.engine.extension.name = siee-local-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties
> 
> I had configured relative file name because the example
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties
> has a relative file name.
> 
> I have done the same: delete engine.log, restart ovirt-engine and try log
> in and the same error is showed, "General command validation failure."
> 
> Attach engine.log file.
> 
> Thanks,
> 
> Juanjo.
> 
> 
> On Fri, Dec 5, 2014 at 9:52 AM, Alon Bar-Lev  wrote:
> 
> >
> > Hi!
> >
> > You have the following errors:
> >
> > 2014-12-05 09:32:31,778 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-5) Loading extension 'siee-local-authn'
> > 2014-12-05 09:32:31,819 ERROR
> > [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC
> > service thread 1-5) Could not load extension based on configuration file
> > '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check
> > the configuration file is valid. Exception message is: Error loading
> > extension 'siee-local-authn': /aaa/siee.properties (No such file or
> > directory)
> > 2014-12-05 09:32:31,823 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-5) Loading extension 'siee-local-authz'
> > 2014-12-05 09:32:31,824 ERROR
> > [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC
> > service thread 1-5) Could not load extension based on configuration file
> > '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check
> > the configuration file is valid. Exception message is: Error loading
> > extension 'siee-local-authz': /aaa/siee.properties (No such file or
> > directory)
> >
> > Per my last message, you should provide absolute file names if you use
> > 3.5.0.
> > Please see inline comments bellow.
> >
> > Also, you are trying to authenticate with the legacy provider:
> >
> > 2014-12-05 09:33:04,871 ERROR
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> > (ajp--127.0.0.1-8702-5) Failed ldap search server
> > ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
> > Authentication Failed. Please verify the username and password.. We should
> > not try the next server
> >
> > Can you please use engine-manage-domains to remove the legacy (old)
> > domain, so we reduce confusion?
> >
> > Thanks!
> >
> > - Original Message -
> > > From: "Juan Jose" 
> > > To: "Alon Bar-Lev" 
> > > Cc: "Ondra Machacek" , "Yair Zaslavsky" <
> > yzasl...@redhat.com>, users@ovirt.org
> > > Sent: Friday, December 5, 2014 10:43:01 AM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Hello Alon,
> > >
> > 

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

[Yair Zaslavsky]

- Original Message -
> From: "Juan Jose" 
> To: "Yair Zaslavsky" , "Ondra Machacek" 
> , alo...@redhat.com,
> users@ovirt.org
> Sent: Wednesday, November 26, 2014 1:01:37 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> 
> Hello everybody,
> 
> I will try to configure ovirt-engine-extension-aaa-ldap package as Alon
> says.

+1 please do.

> 
> By other side, I have executed the command kinit and the response is:
> 
> kinit: Client not found in Kerberos database while getting initial
> credentials

I am sure you did tht, but just to be on the safe side - did u perform kinit 
principal@REALM?

> 
> My /etc/krb5.conf files is (adserver.siee.local is my AD server based in
> Samba 4), I have modified this file to exchange EXAMPLE.COM by siee.local
> and adserver.siee.local:
> 
> /etc/krb5.conf:
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = SIEE.LOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
> 
> [realms]
>  SIEE.LOCAL = {
>   kdc = adserver.siee.local
>   admin_server = adserver.siee.local
>  }
> 
> [domain_realm]
>  .siee.local = SIEE.LOCAL
>  siee.local = SIEE.LOCAL
> 
> 
> My /etc/ovirt-engine/krb5.conf:
> 
> [libdefaults]
> 
> default_realm = SIEE.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = no
> default_tkt_enctypes = arcfour-hmac-md5
> udp_preference_limit = 1
> 
> #realms
> 
> #domain_realm
> 
> This last file is the same that I had before my upgrade to oVirt 3.5.
> 
> Many thanks again,
> 
> Juanjo.
> 
> 
> On Wed, Nov 26, 2014 at 5:37 AM, Yair Zaslavsky  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Juan Jose" 
> > > To: "Ondra Machacek" , "Yair Zaslavsky" <
> > yzasl...@redhat.com>, alo...@redhat.com,
> > > users@ovirt.org
> > > Sent: Tuesday, November 25, 2014 6:09:18 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > Hello again,
> > >
> > > Yes the password is correct, I can login in a Windows machine to my
> > domain
> > > siee.local with the user Juanjo. Moreover I have chanbged this user
> > > password to simpler one and the result is the same.
> > >
> > > I have logged in administration portal with internal admin user and I try
> > > to navigate through the domain to find user to assign some user in a VM
> > but
> > > nothing is showed as you can see in the attached screen  image and any
> > > error is faced in administration portal, but the
> > > /var/log/ovirt-engine/engine.log show this:
> > >
> > > 2014-11-25 17:02:05,355 ERROR
> > >
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
> > > (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information
> > was
> > > invalid (24)
> > > 2014-11-25 17:02:05,356 ERROR
> > >
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
> > > (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
> > > and password.
> > > 2014-11-25 17:02:05,357 ERROR
> > > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> > > (ajp--127.0.0.1-8702-5) Failed ldap search server
> > > ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
> > > Authentication Failed. Please verify the username and password.. We
> > should
> > > not try the next server
> > > 2014-11-25 17:02:05,359 ERROR
> > >
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
> > > (ajp--127.0.0.1-8702-5) Failed to run command
> > LdapSearchUserByQueryCommand.
> > > Domain is siee.local. User is juanjo@SIEE.LOCAL.
> > > 2014-11-25 17:02:05,402 ERROR
> > >
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
> > > (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information
> > was
> > > invalid (24)
> > > 2014-11-25 17:02:05,404 ERROR
> > >
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
> > > (ajp--127.0.0.1-8702-5) 

Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

[Yair Zaslavsky]

- Original Message -
> From: "Juan Jose" 
> To: "Ondra Machacek" , "Yair Zaslavsky" 
> , alo...@redhat.com,
> users@ovirt.org
> Sent: Tuesday, November 25, 2014 6:09:18 PM
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> 
> Hello again,
> 
> Yes the password is correct, I can login in a Windows machine to my domain
> siee.local with the user Juanjo. Moreover I have chanbged this user
> password to simpler one and the result is the same.
> 
> I have logged in administration portal with internal admin user and I try
> to navigate through the domain to find user to assign some user in a VM but
> nothing is showed as you can see in the attached screen  image and any
> error is faced in administration portal, but the
> /var/log/ovirt-engine/engine.log show this:
> 
> 2014-11-25 17:02:05,355 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
> (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
> invalid (24)
> 2014-11-25 17:02:05,356 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
> (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
> and password.
> 2014-11-25 17:02:05,357 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-5) Failed ldap search server
> ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
> Authentication Failed. Please verify the username and password.. We should
> not try the next server
> 2014-11-25 17:02:05,359 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
> (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchUserByQueryCommand.
> Domain is siee.local. User is juanjo@SIEE.LOCAL.
> 2014-11-25 17:02:05,402 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
> (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
> invalid (24)
> 2014-11-25 17:02:05,404 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
> (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username
> and password.
> 2014-11-25 17:02:05,406 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-5) Failed ldap search server
> ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
> Authentication Failed. Please verify the username and password.. We should
> not try the next server
> 2014-11-25 17:02:05,408 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase]
> (ajp--127.0.0.1-8702-5) Failed to run command
> LdapSearchGroupsByQueryCommand. Domain is siee.local. User is
> juanjo@SIEE.LOCAL.
> 
> every time I click "Go" button. Moreover I haven't changed anything from my
> Samba4 AD and it is working handling my siee.local domain. This error is
> showed since oVirt 3.5 upgrade.
> 
> Many thanks in advance,
> 
> Juanjo.

As Alon suggested, you can try the next provider for 3.5
However, until you do so, can you use kinit in order to perform kerberos 
authentication with the problematic user?

Cheers,
Yair

> 
> 
> 
> On Tue, Nov 25, 2014 at 2:29 PM, Ondra Machacek  wrote:
> 
> > Also, can you please try to search within this domain,
> > not only login to it? Does it fail or works good?
> >
> > (in webadmin go to users tab and click add,
> >  select your domain and search for users).
> >
> > - Original Message -
> > > From: "Alon Bar-Lev" 
> > > To: "Juan Jose" 
> > > Cc: "Ondra Machacek" , "Yair Zaslavsky" <
> > yzasl...@redhat.com>, users@ovirt.org
> > > Sent: Tuesday, November 25, 2014 1:49:20 PM
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > >
> > > 2014-11-25 12:54:10,687 ERROR
> > > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> > > (ajp--127.0.0.1-8702-5) Failed ldap search server
> > > ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
> > > Authentication Failed. Please verify the username and password.. We
> > should
> > > not try the next server
> > >
> > >
> > > - Original Message -
> > > > From: "Juan Jose" 
> > > > To: "Ondra Machacek" , alo...@redhat.com, "Yair
> > > > Zaslavsky" ,
> > > > users@ovirt.org
> > > > Sent: Tuesday, November 25, 2014 2:29:26 PM
&

Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

[Yair Zaslavsky]

- Original Message -
> From: "Ondra Machacek" 
> To: "Yair Zaslavsky" 
> Cc: "cameron christensen" , "Alon Bar-Lev" 
> , users@ovirt.org
> Sent: Thursday, November 20, 2014 6:09:53 PM
> Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> 
> Hi,
> 
> just tried it too.
> I was not successfull to reproduce, but the problem is that
> the domain part of LDAPSecurityAuthentication is uppercase
> as Cameron wrote.
> 
> In 3.4 it is OK when it's upper case - everything works OK,
> but in 3.5 it's not.
> 
> I checked differences and something like this would be enough, Yair?
> 
> diff --git
> a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java
> b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExte
> index f5ab28d..ccaf04a 100644
> ---
> a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java
> +++
> b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java
> @@ -240,7 +240,7 @@ public class EngineExtensionsManager extends
> ExtensionsManager {
>  )
>  );
>  }
> -if (nameValue[0].equals(domain)) {
> +if (nameValue[0].equalsIgnoreCase(domain)) {
>  result = nameValue[1];
>  break;
>  }
> 
> 
> Ondra

Looks fine, but please email me in private a testing environment where I can 
check that.

Thanks!

P.S:
Another option worth trying is simply remove and add the domain, but hey, if 
you're already in 3.5, and removed the domain, why not use he generic ldap 
provider?

> 
> 
> - Original Message -
> > From: "Alon Bar-Lev" 
> > To: "Cameron Christensen" , "Yair
> > Zaslavsky" 
> > Cc: users at ovirt.org
> > Sent: Monday, November 17, 2014 11:48:15 PM
> > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > IPA
> > 
> > 
> > 
> > - Original Message -
> > > From: "Cameron Christensen" 
> > > To: "Alon Bar-Lev" 
> > > Cc: users at ovirt.org
> > > Sent: Monday, November 17, 2014 11:43:34 PM
> > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > IPA
> > > 
> > > 
> > > 
> > > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > > > 
> > > > - Original Message -
> > > > > From: "Cameron Christensen" 
> > > > > To: users at ovirt.org
> > > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > > IPA
> > > > > 
> > > > > Hello,
> > > > > 
> > > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > > Starting up ovrit-engine the extension manager fails to properly load
> > > > > the service that handles Kerberos/LDAP.
> > > > 
> > > > This is probably a bug, can you please execute the following and paste
> > > > result:
> > > > 
> > > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > > > vdc_options where option_name='LDAPSecurityAuthentication'"
> > > > 
> > > 
> > >  option_id |option_name |   option_value| version
> > > ---++---+-
> > >165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> > > 
> > > I replaced my domain name with 'example.org'
> > > 
> > 
> > I thought it will be empty... and it contains valid value. Yair?
> 
> No, this is fine actually.
> 
> > 
> > Any I truly suggest you try out the new provider... Much easier to resolve
> > any issue, current and future, including easier to debug.
> > 
> > Alon
> > 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP

[Yair Zaslavsky]

- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Thursday, November 20, 2014 10:51:06 AM
> Subject: [ovirt-users] LDAP
> 
> Hello everybody,
> 
> We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
> already searched oonline for a guide for the AAA config, but can't seem to
> find something...
> Does anybody already has a clear how-to for the AAA config?
> 
> This is the error we get sometimes in our engine.log (we are still able to
> login with ldap btw):
> 
> 2014-11-20 06:42:06,539 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-32) Failed ldap search server
> ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
> [LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
> processing name, data 0, v23f0]; nested exception is
> javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
> LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
> remaining name ''. We should try the next server
> 
> Kind regards,
> 
> Koen

So i understand this is not 100% right?
Can you share more on the upgrade? Are you working with openldap? Have you 
upgraded anything else?

> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

[Yair Zaslavsky]

- Original Message -
> From: "Cameron Christensen" 
> To: "Alon Bar-Lev" 
> Cc: "Yair Zaslavsky" , users@ovirt.org
> Sent: Tuesday, November 18, 2014 6:21:18 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> 
> On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:
> > 
> > - Original Message -
> > > From: "Cameron Christensen" 
> > > To: "Alon Bar-Lev" 
> > > Cc: users@ovirt.org
> > > Sent: Monday, November 17, 2014 11:43:34 PM
> > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > IPA
> > > 
> > > 
> > > 
> > > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > > > 
> > > > - Original Message -
> > > > > From: "Cameron Christensen" 
> > > > > To: users@ovirt.org
> > > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > > IPA
> > > > > 
> > > > > Hello,
> > > > > 
> > > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > > Starting up ovrit-engine the extension manager fails to properly load
> > > > > the service that handles Kerberos/LDAP.
> > > > 
> > > > This is probably a bug, can you please execute the following and paste
> > > > result:
> > > > 
> > > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > > > vdc_options where option_name='LDAPSecurityAuthentication'"
> > > > 
> > > 
> > >  option_id |option_name |   option_value| version
> > > ---++---+-
> > >165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> > > 
> > > I replaced my domain name with 'example.org'
> > > 
> > 
> > I thought it will be empty... and it contains valid value. Yair?
> > 
> Looking through the vdc_options table I noticed that many of the LDAP*
> and Ad* settings use two different spellings for the Kerberos/LDAP
> domain. One in all upper case letters, EXAMPLE.ORG and one in all lower
> case, example.org. (I'm guessing this is to handle either spelling of
> the domain?)
> 
> I updated LDAPSecurityAuthentication and set the option_value to use
> both the upper case and lower case domain name,
> 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.
> 
> select * from vdc_options where option_name =
> 'LDAPSecurityAuthentication';
>  option_id |option_name |option_value
> | version
> ---++-+-
>165 | LDAPSecurityAuthentication |
> EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general

Just so we can continue to investigate -
if u would like to get your ldap and kerberos SRV records , to which domain 
will you send them in your setup?

dig SRV _ldap._tcp.EXAMPLE.ORG

or

dig SRV _ldap._tcp.example.org?


same goes to

_kerberos._tcp.example.org and _kerberos._tcp.EXAMPLE.ORG

Cheers,
Yair

> 
> Using both domain names I am able to authenticate, authorize and pull
> account information from the IPA server once again.
> 
> Thanks for pointing me at the right location.
> 
> Cameron
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

[Yair Zaslavsky]

- Original Message -
> From: "Alon Bar-Lev" 
> To: "Cameron Christensen" , "Yair 
> Zaslavsky" 
> Cc: users@ovirt.org
> Sent: Monday, November 17, 2014 11:48:15 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> 
> 
> 
> - Original Message -
> > From: "Cameron Christensen" 
> > To: "Alon Bar-Lev" 
> > Cc: users@ovirt.org
> > Sent: Monday, November 17, 2014 11:43:34 PM
> > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > IPA
> > 
> > 
> > 
> > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > > 
> > > - Original Message -
> > > > From: "Cameron Christensen" 
> > > > To: users@ovirt.org
> > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > IPA
> > > > 
> > > > Hello,
> > > > 
> > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > Starting up ovrit-engine the extension manager fails to properly load
> > > > the service that handles Kerberos/LDAP.
> > > 
> > > This is probably a bug, can you please execute the following and paste
> > > result:
> > > 
> > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > > vdc_options where option_name='LDAPSecurityAuthentication'"
> > > 
> > 
> >  option_id |option_name |   option_value| version
> > ---++---+-
> >165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> > 
> > I replaced my domain name with 'example.org'
> > 
> 
> I thought it will be empty... and it contains valid value. Yair?

No, this is fine actually.

> 
> Any I truly suggest you try out the new provider... Much easier to resolve
> any issue, current and future, including easier to debug.
> 
> Alon
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] webhook

[Yair Zaslavsky]

- Original Message -
> From: "Vojtech Szocs" 
> To: "Yair Zaslavsky" 
> Cc: "Barak Azulay" , "Oved Ourfali" , 
> users@ovirt.org
> Sent: Friday, November 7, 2014 5:16:48 PM
> Subject: Re: [ovirt-users] webhook
> 
> 
> 
> - Original Message -
> > From: "Yair Zaslavsky" 
> > To: "Vojtech Szocs" 
> > Cc: "Barak Azulay" , "Oved Ourfali" ,
> > users@ovirt.org
> > Sent: Thursday, November 6, 2014 2:59:53 PM
> > Subject: Re: [ovirt-users] webhook
> > 
> > 
> > 
> > - Original Message -
> > > From: "Vojtech Szocs" 
> > > To: "Barak Azulay" 
> > > Cc: "Oved Ourfali" , users@ovirt.org
> > > Sent: Thursday, November 6, 2014 3:38:56 PM
> > > Subject: Re: [ovirt-users] webhook
> > > 
> > > 
> > > 
> > > - Original Message -
> > > > From: "Barak Azulay" 
> > > > To: "Vojtech Szocs" 
> > > > Cc: "Einav Cohen" , "Oved Ourfali"
> > > > ,
> > > > users@ovirt.org
> > > > Sent: Tuesday, November 4, 2014 5:15:35 PM
> > > > Subject: Re: [ovirt-users] webhook
> > > > 
> > > > 
> > > > 
> > > > - Original Message -
> > > > > From: "Vojtech Szocs" 
> > > > > To: "Einav Cohen" 
> > > > > Cc: "Oved Ourfali" , users@ovirt.org
> > > > > Sent: Tuesday, November 4, 2014 2:12:05 PM
> > > > > Subject: Re: [ovirt-users] webhook
> > > > > 
> > > > > 
> > > > > 
> > > > > - Original Message -
> > > > > > From: "Einav Cohen" 
> > > > > > To: "Vojtech Szocs" 
> > > > > > Cc: "Oved Ourfali" , users@ovirt.org
> > > > > > Sent: Friday, October 31, 2014 8:01:34 PM
> > > > > > Subject: Re: [ovirt-users] webhook
> > > > > > 
> > > > > > > - Original Message -
> > > > > > > From: "Vojtech Szocs" 
> > > > > > > Sent: Friday, October 31, 2014 11:51:53 AM
> > > > > > > 
> > > > > > > Hi,
> > > > > > > 
> > > > > > > if I get this correctly, you'd like to be notified when certain
> > > > > > > event
> > > > > > > happens (VM created/deleted/etc.) and react upon that. I see
> > > > > > > multiple
> > > > > > > possible approaches here:
> > > > > > > 
> > > > > > > 0, improve Engine extension API (refer to Alon Bar-Lev for
> > > > > > > details)
> > > > > > >- if extensions can be packaged as JARs and these JARs could
> > > > > > >include
> > > > > > >  web fragments [1] it would mean the possibility to deploy
> > > > > > >  custom
> > > > > > >  servlets onto existing Engine instance (in context of webapp
> > > > > > >  that
> > > > > > >  processes extensions)
> > > > > > >- your custom Java servlet could query REST interface (or be
> > > > > > >notified
> > > > > > >  once something happens, but AFAIK we don't have that
> > > > > > >  implemented
> > > > > > >  yet)
> > > > > > >  and do whatever logic is needed
> > > > > > >- once I asked Alon about ^^ but never got response from him
> > > > > > >- IMHO this would be a nice way to deploy custom Java code on
> > > > > > >Engine
> > > > > > > 
> > > > > > > [1]
> > > > > > > https://blogs.oracle.com/swchan/entry/servlet_3_0_web_fragment
> > > > > > > 
> > > > > > > 1, improve UI plugin API
> > > > > > >- add "VirtualMachineDataLoaded" event fired upon each refresh
> > > > > > >of
> > > > > > >  VM data in UI table (generalization -> "{Entity}DataLoaded")
> > > > > > >- this is similar to existing "{Entity}SelectionChange" events
> > > > > > 
> &g

Re: [ovirt-users] how to 'reset' a failed install?

[Yair Zaslavsky]

- Original Message -
> From: "Robert Story" 
> To: users@ovirt.org
> Sent: Saturday, November 8, 2014 3:09:02 AM
> Subject: [ovirt-users] how to 'reset' a failed install?
> 
> I've been doing lots of unsuccessful 3.5 hosted-engine installs in my lab,
> where it's easy for me to re-install the OS if I need to start over. Now I
> need to try an install in a remote datacenter where I won't be able to
> re-install the OS. So I was wondering if there is a way to 'reset' a failed
> install so that another install can be attempted...
> 
> My thoughts so far are:
> 
> - stop vdsm, supervdsm, and libvirt
> - use etckeeper to reset everything under /etc
> - delete old log files
> - delete hosted_engine storage domain on storage (if install got that far)
> - restart vdsm, supervdsm, and libvirt
> 
> What am I missing? Maybe some remnants in /var (hmm, probably the vdsm
> persistent config)? Anything else?

The VDSM log to be erased?

Out of curiosity, do you want to automate this process?

CC'ing Alon and Sandro who can probably give more meaningful advice than me.

Cheers,
Yair


> 
> 
> Robert
> 
> --
> Senior Software Engineer @ Parsons
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] User management

[Yair Zaslavsky]

- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Friday, November 7, 2014 1:01:13 PM
> Subject: [ovirt-users] User management
> 
> Dear all,
> 
> I have a question concerning the creation of VM's. Is there a way to see
> which user (Ldap login) created wich VM? Can we somehow query this trough
> the API?

Well, at first I thought this should be done by browsing the permissions 
collection in REST-API, but then I realized that we can get this info from the 
events
for example -

:/api/events

then you will see something like -

Vm my-vm-13 was created by a...@acme.com

Cheers,
Yair

> 
> Kind regards,
> 
> Koen
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] webhook

[Yair Zaslavsky]

 oVirt system would be sent
> > > to some event bus, we could easily implement different notification
> > > mechanisms (like websocket in addition to email), and web apps living
> > > in Engine EAR context could also register to that event bus (imagine
> > > WebAdmin servlet that listens for changes and pushes them to clients).
> > 
> > This can/should be done through the notification service,
> > currently it supports email & snmp traps ... but it could be extended (very
> > easily)
> 
> Cool, maybe something we could do in future as part of UX improvement,
> i.e. change notification (push changes to client) to drive UI data update,
> instead of periodic polling.

Bare ind mind the notification service works with audit log (the user marks 
what will be notified).
I think you might be after  for something else? Or did you refer to audit 
log/events only?


> 
> > 
> > 
> > > 
> > > > 
> > > > > 
> > > > > 2, write UI plugin that uses oVirtJS to periodically check VM events
> > > > 
> > > > not sure if this is referring to VM-related events in the code (e.g.
> > > > hooking to the click on "OK" within the New VM / Remove VM dialog,
> > > > or hooking to the "Success" callback of the action response, or
> > > > something similar), or to the VM-related "Events" (i.e. the ones that
> > > > are displayed in the GUI within the Events main-tab / bottom section).
> > > > If the former: can be done, I assume, though not sure how complex it
> > > > would be to implement the infrastructure for that.
> > > > If the latter: this will "catch" actions that were performed either
> > > > via the GUI or outside the GUI; in this case, it would probably be
> > > > better to use an Engine extension API (solution "0" above) rather
> > > > than a UI plugin, since it will be more reliable, will be active
> > > > even when the GUI is not in use, etc.
> > > 
> > > It was meant simply as polling Engine via oVirtJS / REST API.
> > > 
> > > But then again, any UI plugin-based solution has the drawback that
> > > web GUI must be active (open) in order for plugin to be active.
> > > 
> > > > 
> > > > > 
> > > > > The disadvantage of 1, and 2, is that WebAdmin GUI must be open.
> > > > > In any case, if you'd like to explore the possibility of doing this
> > > > > via UI plugin, I'm here to help.
> > > > > 
> > > > > Vojtech
> > > > > 
> > > > > 
> > > > > - Original Message -
> > > > > > From: "Oved Ourfali" 
> > > > > > To: "Yair Zaslavsky" 
> > > > > > Cc: "Koen Vanoppen" , users@ovirt.org,
> > > > > > "Vojtech
> > > > > > Szocs" 
> > > > > > Sent: Thursday, October 30, 2014 2:10:12 PM
> > > > > > Subject: Re: [ovirt-users] webhook
> > > > > > 
> > > > > > Hi
> > > > > > 
> > > > > > CC-ing also Vojtech, the "father" of the UI plugins.
> > > > > > 
> > > > > > Anyway, the only way to accomplish that via UI plugins at the
> > > > > > moment
> > > > > > is
> > > > > > via
> > > > > > adding a new "action menu item", that in the background deleted the
> > > > > > VM,
> > > > > > and
> > > > > > reports to Foreman.
> > > > > > I would be nice to have a "hook" for different UI action items, but
> > > > > > it
> > > > > > isn't
> > > > > > available at the moment.
> > > > > > There are plenty code samples for UI plugins, most of them
> > > > > > available
> > > > > > at:
> > > > > > http://www.ovirt.org/Features/UIPlugins
> > > > > > 
> > > > > > I must say that I'm not sure webhooks are the right approach for
> > > > > > that,
> > > > > > as
> > > > > > I
> > > > > > guess it is relevant only in environments in which one doesn't use
> > > > > > the
> > > > > > API/CLI/SDK
> > > > > > but.. it will be a cool feature!
> > > > > > 
> > > > > > Regards,
> > > > > > Oved
> > > > > > 
> > > > > > - Original Message -
> > > > > > > From: "Yair Zaslavsky" 
> > > > > > > To: "Koen Vanoppen" 
> > > > > > > Cc: "Oved Ourfali" , users@ovirt.org
> > > > > > > Sent: Thursday, October 30, 2014 1:44:38 PM
> > > > > > > Subject: Re: [ovirt-users] webhook
> > > > > > > 
> > > > > > > Oved - can we implement something like this using ui-plugins?
> > > > > > > 
> > > > > > > 
> > > > > > > - Original Message -
> > > > > > > > From: "Koen Vanoppen" 
> > > > > > > > To: users@ovirt.org
> > > > > > > > Sent: Monday, October 27, 2014 4:06:40 PM
> > > > > > > > Subject: [ovirt-users] webhook
> > > > > > > > 
> > > > > > > > Hi all,
> > > > > > > > 
> > > > > > > > Just a quick question. Is it possible to set a webhook on the
> > > > > > > > removal
> > > > > > > > and
> > > > > > > > creation of a new vm? So we can send to foreman a delete action
> > > > > > > > when
> > > > > > > > the
> > > > > > > > VM
> > > > > > > > is deleted...
> > > > > > > > 
> > > > > > > > Kind regards,
> > > > > > > > 
> > > > > > > > Koen
> > > > > > > > 
> > > > > > > > ___
> > > > > > > > Users mailing list
> > > > > > > > Users@ovirt.org
> > > > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > > > > 
> > > > > > > ___
> > > > > > > Users mailing list
> > > > > > > Users@ovirt.org
> > > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > > > 
> > > > > > 
> > > > > ___
> > > > > Users mailing list
> > > > > Users@ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > 
> > > > 
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > > 
> > > 
> > > 
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Cancelling a running task

[Yair Zaslavsky]

- Original Message -
> From: "Liron Aravot" 
> To: "Eli Mesika" 
> Cc: users@ovirt.org
> Sent: Wednesday, November 5, 2014 2:51:37 PM
> Subject: Re: [ovirt-users] Cancelling a running task
> 
> 
> 
> - Original Message -
> > From: "Eli Mesika" 
> > To: "Daniel Lang" 
> > Cc: users@ovirt.org
> > Sent: Wednesday, November 5, 2014 2:23:00 PM
> > Subject: Re: [ovirt-users] Cancelling a running task
> > 
> > 
> > 
> > - Original Message -
> > > From: "Daniel Lang" 
> > > To: "users@ovirt.org" 
> > > Sent: Tuesday, November 4, 2014 6:24:48 PM
> > > Subject: [ovirt-users] Cancelling a running task
> > > 
> > > 
> > > 
> > > I am creating a VM and the copy from template operation has gone haywire
> > > causing significant performance issues on the host server. I’d like to
> > > cancel the copying image action (it’s been running ~3hours on a 3GB disk
> > > image copy) but I cannot find anything in the web UI to cancel a task. Is
> > > there a command line tool to cancel the running task?
> > 
> > login to your SPM host and run the following
> > 
> > vdsClient -s 0 getAllTasksStatuses
> > 
> > You can than use
> > 
> > stopTask
> > 
> > stop async task
> > 
> > and then
> > 
> > clearTask
> > 
> > clear async task
> > 
> > 
> > 
> I suggest to only stop the task/tasks and let the ovirt engine to perform the
> clearance of the tasks.

+1 - I agree with Liron.
Let AsyncTaskManager handle the task clearing - it will also remove relevant 
entries from db.
Ravi, what do you think?

> 
> > > 
> > > 
> > > 
> > > The oVirt version is 3.4 and vdsm version 4.14.
> > > 
> > > 
> > > 
> > > Thanks for any advice or links to documentation/man pages.
> > > 
> > > 
> > > 
> > > Daniel Lang
> > > 
> > > © Copyright 2014 REDI Global Technologies LLC (“REDI”), member FINRA,
> > > SIPC.
> > > All rights reserved. The information contained in and accompanying this
> > > communication may be confidential, subject to legal privilege, or
> > > otherwise
> > > protected from disclosure, and is intended solely for the use of the
> > > intended recipient(s). If you are not the intended recipient of this
> > > communication, please delete and destroy all copies in your possession,
> > > notify the sender that you have received this communication in error, and
> > > note that any review or dissemination of, or the taking of any action in
> > > reliance on, this communication is expressly prohibited. E-mail messages
> > > may
> > > contain computer viruses or other defects, may not be accurately
> > > replicated
> > > on other systems, or may be intercepted, deleted or interfered with
> > > without
> > > the knowledge of the sender or the intended recipient. REDI makes no
> > > warranties in relation to these matters. Please note that REDI reserves
> > > the
> > > right to intercept, monitor, and retain e-mail messages to and from its
> > > systems as permitted by applicable law. If you are not comfortable with
> > > the
> > > risks associated with e-mail messages, you may decide not to use e-mail
> > > to
> > > communicate with REDI.
> > > 
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] webhook

[Yair Zaslavsky]

- Original Message -
> From: "Einav Cohen" 
> To: "Vojtech Szocs" 
> Cc: "Oved Ourfali" , users@ovirt.org
> Sent: Friday, October 31, 2014 9:01:34 PM
> Subject: Re: [ovirt-users] webhook
> 
> > - Original Message -
> > From: "Vojtech Szocs" 
> > Sent: Friday, October 31, 2014 11:51:53 AM
> > 
> > Hi,
> > 
> > if I get this correctly, you'd like to be notified when certain event
> > happens (VM created/deleted/etc.) and react upon that. I see multiple
> > possible approaches here:
> > 
> > 0, improve Engine extension API (refer to Alon Bar-Lev for details)
> >- if extensions can be packaged as JARs and these JARs could include
> >  web fragments [1] it would mean the possibility to deploy custom
> >  servlets onto existing Engine instance (in context of webapp that
> >  processes extensions)
> >- your custom Java servlet could query REST interface (or be notified
> >  once something happens, but AFAIK we don't have that implemented yet)
> >  and do whatever logic is needed
> >- once I asked Alon about ^^ but never got response from him
> >- IMHO this would be a nice way to deploy custom Java code on Engine

Please allow me to step in as someone who worked on the extensions API as well,
There are more "missing bits" here.
You are referring to the "webapp side", but this is not enough.
We have also the engine side which has to become more pluggable.
In addition, we will probably need to handle all kinds of issues that rise from 
our singletons at engine - class loading might be an issue here, no?
You don't want the "X-ton" (doubleton, tripleton, etc..) phenomena in your 
setup - you don't want for example X instances of AsyncTaskManager.
I think that in general we should strive to turn engine into way more 
pluggable/modular than it is now, imagine an "engine microkernel" (for those of 
you who did not hear the term microkernel, I am referring you to jboss 
architecture) - we should have a "thin microkernel" and the rest of the code 
should be pluggable, using the extension API (and perhaps web fragments as 
well).
What do you think?

> > 
> > [1] https://blogs.oracle.com/swchan/entry/servlet_3_0_web_fragment
> > 
> > 1, improve UI plugin API
> >- add "VirtualMachineDataLoaded" event fired upon each refresh of
> >  VM data in UI table (generalization -> "{Entity}DataLoaded")
> >- this is similar to existing "{Entity}SelectionChange" events
> 
> relying on changes in the UI table is a bad idea:
> 
> (1) potentially missing events:
> the UI displays paginated data; if my VMs are sorted by name, and
> I have 1000 VMs in my setup, and I just added a VM named "z", it will
> be added to the last "page" which is not displayed right now, so I
> wouldn't even be aware that something was added.
> 
> (2) potentially "creating" "fake" events:
> changes in the displayed data in the UI can occur due to change in the
> Search query; if I have 50 VMs in my setup, and I initially had the
> "Vms:" search query, and now I change it to "VMs: name = a*", which
> results in displaying only 10 VMs, this may falsely hint on removal
> of 40 VMs from the system.
> 
> > 
> > 2, write UI plugin that uses oVirtJS to periodically check VM events
> 
> not sure if this is referring to VM-related events in the code (e.g.
> hooking to the click on "OK" within the New VM / Remove VM dialog,
> or hooking to the "Success" callback of the action response, or
> something similar), or to the VM-related "Events" (i.e. the ones that
> are displayed in the GUI within the Events main-tab / bottom section).
> If the former: can be done, I assume, though not sure how complex it
> would be to implement the infrastructure for that.
> If the latter: this will "catch" actions that were performed either
> via the GUI or outside the GUI; in this case, it would probably be
> better to use an Engine extension API (solution "0" above) rather
> than a UI plugin, since it will be more reliable, will be active
> even when the GUI is not in use, etc.
> 
> > 
> > The disadvantage of 1, and 2, is that WebAdmin GUI must be open.
> > In any case, if you'd like to explore the possibility of doing this
> > via UI plugin, I'm here to help.
> > 
> > Vojtech
> > 
> > 
> > - Original Message -
> > > From: "Oved Ourfali" 
> > > To: "Yair Zaslavsky" 
> > > Cc

[ovirt-users] Any way I can obtain an oVirt T-shirt?

[Yair Zaslavsky]

Hi guys,
I signed up to some meetups in my residential area, and I am considering to 
give lecture that relates to oVirt.
Can I obtain an oVirt t-shirt somehow so I can wear for the presentation? 
(Well, I can wear one of my Red-Hat T-shirts, but as I plan it be in context of 
open source, I would prefer oVirt)

Cheers,
Yair
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] [ovirt-devel] [RFC] oVirt mobile client

[Yair Zaslavsky]

- Original Message -
> From: "Yair Zaslavsky" 
> To: "Greg Sheremeta" 
> Cc: "users" , de...@ovirt.org
> Sent: Friday, October 31, 2014 12:16:33 PM
> Subject: Re: [ovirt-users] [ovirt-devel] [RFC] oVirt mobile client
> 
> 
> 
> - Original Message -
> > From: "Yair Zaslavsky" 
> > To: "Greg Sheremeta" 
> > Cc: "users" , de...@ovirt.org
> > Sent: Friday, October 31, 2014 8:03:58 AM
> > Subject: Re: [ovirt-users] [ovirt-devel] [RFC] oVirt mobile client
> > 
> > 
> > 
> > - Original Message -
> > > From: "Greg Sheremeta" 
> > > To: "users" , de...@ovirt.org
> > > Sent: Friday, October 31, 2014 3:49:11 AM
> > > Subject: [ovirt-devel] [RFC] oVirt mobile client
> > > 
> > > Hi,
> > > 
> > > The focus of our OPW internship program starting in December will be
> > > mobile and/or lightweight engine clients -- hopefully integrating the
> > > new ovirt.js project.
> > 
> > +100
> > 
> > Sorry for the ignorant question - does this mean the technology will be web
> > based or native? (i.e - java on top of android, Swift/Objective-C on top of
> > IOS)
> > 
> > 
> > > 
> > > I see that there are some already existing mobile clients for oVirt.
> > > I'm trying to grasp what we have and what the needs are.
> > > 
> > > moVirt: https://github.com/matobet/moVirt (mbetak)
> > > This appears to be more of a lightweight webadmin. No console access,
> > > but I believe it's planned as part of OPW. (?)
> > 
> > I spoke with mbetak about this a few months ago.
> > When you speak of console, you mean to actually view the VM using spice?
> > sounds very interesting.
> > If I recall, Alon levy (a former red hatter) worked on some spice
> > implementation for html5 or something like that.
> > 
> > Anyway, back in TLV I also had some ideas around that. Do you have some IRC
> > meetings or something that I can join?
> > 
> > Cheers,
> > Yair
> > 
> > 
> > > 
> > > nomad: http://www.ovirt.org/Project_Proposal_-_Nomad and
> > > https://github.com/Vizuri/ovirt-nomad
> > > Looks dead -- last commit 3 years ago.
> > > Anyone know more about this one?
> > > 
> > > That's all I see on the first few pages of google.
> > > 
> > > When I think of a mobile client for oVirt, I think the most useful
> > > part would be the user portal -- simple operations for start, stop,
> > > and the ability to view the console of vms. moVirt mentions it wants
> > > to support some basic management operations, though. I think it would
> > > be difficult to do complex management in a mobile client. (I'm biased
> > > towards huge screens, though.)
> 
> Sorry, I was very excited about the news, so I forgot to answer the rest.
> I agree about "user portal" - sounds good to begin with.
> Another idea I had in the past is to have an app (push-based) that will push
> events to a special client.
> We will have a push sever that will get notifications from the event
> notifier, and this server will push the events to registered clients.
> 
> > > 
> > > I'd like to see an official subproject started that coordinates our
> > > mobile efforts.
> > > 
> > > Is this possible? What would it take to start it?
> 
> What do you mean "is that possible"? technically sounds feasible to me (well,
> we'll need to figure out about the console, but an mgmt app without the
> console, why not?) )
> 
> > > 
> > > What would people like to see in such an app?

Regarding console - I guess this link has to do with how to display a web page 
in native app (I asked a mobile developer friend of mine)  -

http://developer.android.com/reference/android/webkit/WebView.html

And this ovirt page can help with spice client for html5 ?

http://www.ovirt.org/Features/SpiceHTML5

Cheers,
Yair


> > > 
> > > Greg Sheremeta
> > > Red Hat, Inc.
> > > Sr. Software Engineer, RHEV
> > > Cell: 919-807-1086
> > > gsher...@redhat.com
> > > ___
> > > Devel mailing list
> > > de...@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/devel
> > > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] [ovirt-devel] [RFC] oVirt mobile client

[Yair Zaslavsky]

- Original Message -
> From: "Yair Zaslavsky" 
> To: "Greg Sheremeta" 
> Cc: "users" , de...@ovirt.org
> Sent: Friday, October 31, 2014 8:03:58 AM
> Subject: Re: [ovirt-users] [ovirt-devel] [RFC] oVirt mobile client
> 
> 
> 
> - Original Message -
> > From: "Greg Sheremeta" 
> > To: "users" , de...@ovirt.org
> > Sent: Friday, October 31, 2014 3:49:11 AM
> > Subject: [ovirt-devel] [RFC] oVirt mobile client
> > 
> > Hi,
> > 
> > The focus of our OPW internship program starting in December will be
> > mobile and/or lightweight engine clients -- hopefully integrating the
> > new ovirt.js project.
> 
> +100
> 
> Sorry for the ignorant question - does this mean the technology will be web
> based or native? (i.e - java on top of android, Swift/Objective-C on top of
> IOS)
> 
> 
> > 
> > I see that there are some already existing mobile clients for oVirt.
> > I'm trying to grasp what we have and what the needs are.
> > 
> > moVirt: https://github.com/matobet/moVirt (mbetak)
> > This appears to be more of a lightweight webadmin. No console access,
> > but I believe it's planned as part of OPW. (?)
> 
> I spoke with mbetak about this a few months ago.
> When you speak of console, you mean to actually view the VM using spice?
> sounds very interesting.
> If I recall, Alon levy (a former red hatter) worked on some spice
> implementation for html5 or something like that.
> 
> Anyway, back in TLV I also had some ideas around that. Do you have some IRC
> meetings or something that I can join?
> 
> Cheers,
> Yair
> 
> 
> > 
> > nomad: http://www.ovirt.org/Project_Proposal_-_Nomad and
> > https://github.com/Vizuri/ovirt-nomad
> > Looks dead -- last commit 3 years ago.
> > Anyone know more about this one?
> > 
> > That's all I see on the first few pages of google.
> > 
> > When I think of a mobile client for oVirt, I think the most useful
> > part would be the user portal -- simple operations for start, stop,
> > and the ability to view the console of vms. moVirt mentions it wants
> > to support some basic management operations, though. I think it would
> > be difficult to do complex management in a mobile client. (I'm biased
> > towards huge screens, though.)

Sorry, I was very excited about the news, so I forgot to answer the rest.
I agree about "user portal" - sounds good to begin with. 
Another idea I had in the past is to have an app (push-based) that will push 
events to a special client.
We will have a push sever that will get notifications from the event notifier, 
and this server will push the events to registered clients.

> > 
> > I'd like to see an official subproject started that coordinates our
> > mobile efforts.
> > 
> > Is this possible? What would it take to start it?

What do you mean "is that possible"? technically sounds feasible to me (well, 
we'll need to figure out about the console, but an mgmt app without the 
console, why not?) )

> > 
> > What would people like to see in such an app?
> > 
> > Greg Sheremeta
> > Red Hat, Inc.
> > Sr. Software Engineer, RHEV
> > Cell: 919-807-1086
> > gsher...@redhat.com
> > ___
> > Devel mailing list
> > de...@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/devel
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] [ovirt-devel] [RFC] oVirt mobile client

[Yair Zaslavsky]

- Original Message -
> From: "Greg Sheremeta" 
> To: "users" , de...@ovirt.org
> Sent: Friday, October 31, 2014 3:49:11 AM
> Subject: [ovirt-devel] [RFC] oVirt mobile client
> 
> Hi,
> 
> The focus of our OPW internship program starting in December will be
> mobile and/or lightweight engine clients -- hopefully integrating the
> new ovirt.js project.

+100

Sorry for the ignorant question - does this mean the technology will be web 
based or native? (i.e - java on top of android, Swift/Objective-C on top of IOS)


> 
> I see that there are some already existing mobile clients for oVirt.
> I'm trying to grasp what we have and what the needs are.
> 
> moVirt: https://github.com/matobet/moVirt (mbetak)
> This appears to be more of a lightweight webadmin. No console access,
> but I believe it's planned as part of OPW. (?)

I spoke with mbetak about this a few months ago.
When you speak of console, you mean to actually view the VM using spice? sounds 
very interesting.
If I recall, Alon levy (a former red hatter) worked on some spice 
implementation for html5 or something like that.

Anyway, back in TLV I also had some ideas around that. Do you have some IRC 
meetings or something that I can join?

Cheers,
Yair


> 
> nomad: http://www.ovirt.org/Project_Proposal_-_Nomad and
> https://github.com/Vizuri/ovirt-nomad
> Looks dead -- last commit 3 years ago.
> Anyone know more about this one?
> 
> That's all I see on the first few pages of google.
> 
> When I think of a mobile client for oVirt, I think the most useful
> part would be the user portal -- simple operations for start, stop,
> and the ability to view the console of vms. moVirt mentions it wants
> to support some basic management operations, though. I think it would
> be difficult to do complex management in a mobile client. (I'm biased
> towards huge screens, though.)
> 
> I'd like to see an official subproject started that coordinates our
> mobile efforts.
> 
> Is this possible? What would it take to start it?
> 
> What would people like to see in such an app?
> 
> Greg Sheremeta
> Red Hat, Inc.
> Sr. Software Engineer, RHEV
> Cell: 919-807-1086
> gsher...@redhat.com
> ___
> Devel mailing list
> de...@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/devel
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] webhook

[Yair Zaslavsky]

- Original Message -
> From: "Barak Azulay" 
> To: "Omer Frenkel" , "vanoppen koen" 
> , "Mooli Tayer"
> 
> Cc: "Oved Ourfali" , users@ovirt.org
> Sent: Thursday, October 30, 2014 11:10:55 PM
> Subject: Re: [ovirt-users] webhook
> 
> 
> 
> - Original Message -
> > From: "Barak Azulay" 
> > To: "Omer Frenkel" , "vanoppen koen"
> > 
> > Cc: "Oved Ourfali" , users@ovirt.org
> > Sent: Thursday, October 30, 2014 10:55:56 PM
> > Subject: Re: [ovirt-users] webhook
> > 
> > 
> > 
> > - Original Message -
> > > From: "Omer Frenkel" 
> > > To: "Oved Ourfali" , "Yair Zaslavsky"
> > > 
> > > Cc: users@ovirt.org
> > > Sent: Thursday, October 30, 2014 3:54:37 PM
> > > Subject: Re: [ovirt-users] webhook
> > > 
> > > can't the event-notifications be used?
> > > notify some email on delete operation (not sure there is a notification
> > > for
> > > this today..)
> > > and hook on the email to run the script?
> > 
> > I agree that notification sounds like the best option,
> > Although I would use the SNMP traps for that.
> > If you already have a SNMP monitoring system you can catch the trap there
> > and
> > do your foreman magic.
> 
> 
> I assume the relevant notification is USER_REMOVE_VM_FINISHED(113)
> Mooli / Omer please approve .

+1
>From what I saw this is the relevant event.
Which has the textual represenation of "VM ${VmName} was successfully removed"

> 
> > 
> > > 
> > > - Original Message -
> > > > From: "Oved Ourfali" 
> > > > To: "Yair Zaslavsky" 
> > > > Cc: users@ovirt.org
> > > > Sent: Thursday, October 30, 2014 3:10:12 PM
> > > > Subject: Re: [ovirt-users] webhook
> > > > 
> > > > Hi
> > > > 
> > > > CC-ing also Vojtech, the "father" of the UI plugins.
> > > > 
> > > > Anyway, the only way to accomplish that via UI plugins at the moment is
> > > > via
> > > > adding a new "action menu item", that in the background deleted the VM,
> > > > and
> > > > reports to Foreman.
> > > > I would be nice to have a "hook" for different UI action items, but it
> > > > isn't
> > > > available at the moment.
> > > > There are plenty code samples for UI plugins, most of them available
> > > > at:
> > > > http://www.ovirt.org/Features/UIPlugins
> > > > 
> > > > I must say that I'm not sure webhooks are the right approach for that,
> > > > as
> > > > I
> > > > guess it is relevant only in environments in which one doesn't use the
> > > > API/CLI/SDK
> > > > but.. it will be a cool feature!
> > > > 
> > > > Regards,
> > > > Oved
> > > > 
> > > > - Original Message -
> > > > > From: "Yair Zaslavsky" 
> > > > > To: "Koen Vanoppen" 
> > > > > Cc: "Oved Ourfali" , users@ovirt.org
> > > > > Sent: Thursday, October 30, 2014 1:44:38 PM
> > > > > Subject: Re: [ovirt-users] webhook
> > > > > 
> > > > > Oved - can we implement something like this using ui-plugins?
> > > > > 
> > > > > 
> > > > > - Original Message -
> > > > > > From: "Koen Vanoppen" 
> > > > > > To: users@ovirt.org
> > > > > > Sent: Monday, October 27, 2014 4:06:40 PM
> > > > > > Subject: [ovirt-users] webhook
> > > > > > 
> > > > > > Hi all,
> > > > > > 
> > > > > > Just a quick question. Is it possible to set a webhook on the
> > > > > > removal
> > > > > > and
> > > > > > creation of a new vm? So we can send to foreman a delete action
> > > > > > when
> > > > > > the
> > > > > > VM
> > > > > > is deleted...
> > > > > > 
> > > > > > Kind regards,
> > > > > > 
> > > > > > Koen
> > > > > > 
> > > > > > ___
> > > > > > Users mailing list
> > > > > > Users@ovirt.org
> > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > > 
> > > > > ___
> > > > > Users mailing list
> > > > > Users@ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > 
> > > > ___
> > > > Users mailing list
> > > > Users@ovirt.org
> > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > 
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > > 
> > > 
> > > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] webhook

[Yair Zaslavsky]

Oved - can we implement something like this using ui-plugins?


- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Monday, October 27, 2014 4:06:40 PM
> Subject: [ovirt-users] webhook
> 
> Hi all,
> 
> Just a quick question. Is it possible to set a webhook on the removal and
> creation of a new vm? So we can send to foreman a delete action when the VM
> is deleted...
> 
> Kind regards,
> 
> Koen
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Live snapshot failed but still there ??

[Yair Zaslavsky]

- Original Message -
> From: "Punit Dambiwal" 
> To: users@ovirt.org
> Sent: Wednesday, October 29, 2014 4:59:12 AM
> Subject: [ovirt-users] Live snapshot failed but still there ??
> 
> Hi,
> 
> I try to create the live snapshot it failed because of the VM filesystem
> inconsistency but in the engine dashboard it shows it created ??
> 
> Screen shots attached

Can you attach relevant engine.log and server.log?

> 
> Thanks,
> Punit
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] [Fwd: options for root and password]

[Yair Zaslavsky]

- Original Message -
> From: "Alon Bar-Lev" 
> To: "Sven Kieske" 
> Cc: users@ovirt.org
> Sent: Tuesday, October 21, 2014 10:49:02 AM
> Subject: Re: [ovirt-users] [Fwd: options for root and password]
> 
> 
> 
> - Original Message -
> > From: "Sven Kieske" 
> > To: users@ovirt.org
> > Sent: Tuesday, October 21, 2014 10:40:39 AM
> > Subject: Re: [ovirt-users] [Fwd: options for root and password]
> > 
> > 
> > On 21/10/14 09:21, Sven Kieske wrote:
> > > I don't know if this is still valid, I don't find any
> > > options regarding public/private keys in ovirt 3.3. but
> > > I would be very interested in this topic to tighten security.
> > 
> > It just turns out this already works in ovirt 3.3.2
> > maybe even earlier, but I would like to know
> > if the point about host key validation on the mentioned wiki
> > page is still true, as I think this would be cve-worthy.
> 
> When host is added its ssh fingerprint is recorded in database, and is
> enforced from this point on.
> Only at Edit Host dialog it can be modified.
> You can also pre-fetch the fingerprint before adding the host at Add Host
> dialog in order to confirm that it is the correct host, it will add this
> fingerprint to database and enforce it when adding the host too.


CC'ing Yaniv Bronheim who was the feature owner for ssh fingerprint usage 
during host addition.
I guess Yaniv can confirm exactly which version it was added.


> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ovirt presentation template -- google docs format?

[Yair Zaslavsky]

- Original Message -
> From: "Lior Vernia" 
> To: "Greg Sheremeta" 
> Cc: "Dave Neary" , "users" 
> Sent: Wednesday, October 15, 2014 2:51:16 AM
> Subject: Re: [ovirt-users] ovirt presentation template -- google docs format?
> 
> Speaking of which, may I hijack this thread in order to ask why we don't
> have a slideshow template that looks like a slideshow template? With
> non-white background, colors in general, some graphics/patterns,
> thought-out bullet design, etc.?

+1 here, you're more UI oriented person than I am , Lior , but now that you 
raised it, it suddenly popped into me as well - I would also like to see some 
improvement in that area.
Thanks for the initiative!

Yair

> 
> This template just doesn't look like it means "business". Not business
> as in the money-making way, business as in talking about a serious
> project with a serious brand. But maybe that's just me...
> 
> On 14/10/14 16:06, Greg Sheremeta wrote:
> > Anyone have a Google Docs format of this? [1]
> > 
> > Alternatively, I can make one if someone can find me that logo. I can't
> > find a
> > high-res logo anywhere.
> > 
> > [1] http://www.ovirt.org/File:OVirt-Template.odp
> > 
> > Thanks,
> > Greg
> > 
> > Greg Sheremeta
> > Red Hat, Inc.
> > Sr. Software Engineer, RHEV
> > Cell: 919-807-1086
> > gsher...@redhat.com
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] How to mapping LDAP users in AAA

[Yair Zaslavsky]

- Original Message -
> From: "lofyer" 
> To: "users" 
> Sent: Tuesday, October 14, 2014 5:10:56 AM
> Subject: [ovirt-users] How to mapping LDAP users in AAA
> 
> I've got a LDAP server without kerberos and I am trying to intergrate
> its users to oVirt-3.5 with AAA.
> ==

Which ldap server is that, what vendor?

> /etc/ovirt-engine/aaa/example.properties:
> 
> include = 
> 
> vars.user = cn=directory manager
> vars.password = mypassword
> vars.server = example.com
> 
> #pool.default.ssl.startTLS = false
> #pool.default.ssl.truststore.file = /etc/ldap_tls/ca_cert.pem
> #pool.default.ssl.truststore.password = admin
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> ==
> 
> This is my basic ldap infomation:
> 
> ou=Groups
> |
> + cn=UserGroup1
> |
> + cn=UserGroup2
> 
> ou=UserGroup1
> |
> + cn=user1
> |
> + cn=user2
> 
> 
> ou=UserGroup2
> |
> + cn=user3
> |
> + cn=user4
> 
> ==
> 
> Now I can see example.com in web portal but I cannot list users in UG1
> or UG2.
> 
> I find that I could map DN, ID NAME, DISPLAY in the config file. What
> should I add in the config file then?
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] New Feature: engine NIC health check

[Yair Zaslavsky]

- Original Message -
> From: "Martin Mucha" 
> To: engine-de...@ovirt.org, users@ovirt.org
> Sent: Wednesday, October 8, 2014 2:33:06 PM
> Subject: [ovirt-users] New Feature: engine NIC health check
> 
> Hi,
> 
> here's link for new feature, related to monitoring engine's NIC, trying to
> detect failure on engine itself and it that case block fencing.
> http://www.ovirt.org/Features/engine_NIC_health_check
> 
> thanks for every input, namely for one addressing some of opened issues.
> 
> M.

I was curious  on how you perform the health check, so I read the feature page 
- good to learn more Java :)
Regarding open issues -
a. Yes, IMHO the scanning interval should be configured via engine-config - do 
you see a reason why not to do that? Maybe we should set a minimal interval 
value and enforSce it?
b. Same for the "no faiures since.." interval
c. I dont like the name of the table you're suggesting. Please consider an 
alternative. Also you may want to consider having a view that returns you the 
"static infomration" of the nic + the "stats" part (dynamic part? maybe just 
nic_state ? ) Why would u like to purge old data and not just hold a record per 
nic and update per each interval? in this case, no purging is required.
Maybe for DWH you will want some info on the history of the status of the 
nics... but I'm not sure if this is relevant for now.
d. If you go with my view suggestion, you  might consider displaying the 
"state" at REST-API

Yair

> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 3.4 + Ipa Server

[Yair Zaslavsky]

- Original Message -
> From: "Marcelo Donato" 
> To: "Yair Zaslavsky" 
> Cc: "Alon Bar-Lev" , users@ovirt.org
> Sent: Friday, October 10, 2014 3:20:57 PM
> Subject: Re: [ovirt-users] oVirt 3.4 + Ipa Server
> 
> Below is result.
> 
> 
> # dig SRV _kerberos._ tcp.din.uem.br
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _kerberos._
> tcp.din.uem.br
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55207
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;_kerberos._. IN SRV
> 
> ;; AUTHORITY SECTION:
> . 10668 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2014101000 1800
> 900 604800 86400

The resutlt is invalid -
I have tried it myself with an unexisting DNS entry - got the same.
You probably have some issue with your IPA setup, I'm afraid.

The result should contain answer section

; ANSWER SECTION:
_kerberos._tcp.yair.test. 600 IN SRV 0 100 88 machine1.yair.test.
_kerberos._tcp.yair.test. 600 IN SRV 0 100 88 machine2.yair.test.

Notice the number 88 - that's the default port number for kerberos.


> 
> ;; Query time: 1 msec
> ;; SERVER: 10.30.0.15#53(10.30.0.15)
> ;; WHEN: Fri Oct 10 09:15:56 2014
> ;; MSG SIZE  rcvd: 104
> 
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9293
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;tcp.din.uem.br. IN SRV
> 
> ;; AUTHORITY SECTION:
> din.uem.br. 3468 IN SOA ns2.din.uem.br. analistas.din.uem.br. 2014032613
> 1800 900 60480 3600
> 
> ;; Query time: 0 msec
> ;; SERVER: 10.30.0.15#53(10.30.0.15)
> ;; WHEN: Fri Oct 10 09:15:56 2014
> ;; MSG SIZE  rcvd: 82
> 
> 
> 
> 
> --
> Ao encaminhar esta mensagem, por favor:
> 1. Apague o meu e-mail e o meu nome.
> 2. Apague também os endereços dos amigos antes de reenviar
> 3. Use Cco ou Bcc para enviar mensagens!
> Dificulte a disseminação de vírus e spam.
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 3.4 + Ipa Server

[Yair Zaslavsky]

- Original Message -
> From: "Alon Bar-Lev" 
> To: "Marcelo Donato" 
> Cc: users@ovirt.org
> Sent: Thursday, October 9, 2014 8:30:47 PM
> Subject: Re: [ovirt-users] oVirt 3.4 + Ipa Server
> 
> 
> Can't help you with this one, but be aware that these kind of issues are all
> solved in 3.5 in which we do not mix kerberos and ldap.
> 
> - Original Message -
> > From: "Marcelo Donato" 
> > To: users@ovirt.org
> > Sent: Thursday, October 9, 2014 8:25:34 PM
> > Subject: [ovirt-users] oVirt 3.4 + Ipa Server
> > 
> > 
> > Hello,
> > I've problems for utilization IPA Server with oVirt.
> > Below is the error log and corresponding access, commands and log entries.
> > Thanks for helping me.
> > * Ipa
> > Server - 10.30.0.25
> > LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch
> > Distributor ID: CentOS
> > Description: CentOS release 6.5 (Final)
> > Release: 6.5
> > Codename: Final
> > # rpm -qa | grep ipa
> > ipa-server-3.0.0-37.el6.x86_64
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > ipa-python-3.0.0-37.el6.x86_64
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > ipa-admintools-3.0.0-37.el6.x86_64
> > ipa-server-selinux-3.0.0-37.el6.x86_64
> > ipa-client-3.0.0-37.el6.x86_64
> > 
> > 
> > # dig _kerberos._ tcp.din.uem.br

Shouldn't this be dig SRV _kerberos._ tcp.din.uem.br ?

> > 
> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> _kerberos._
> > tcp.din.uem.br
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34293
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > 
> > ;; QUESTION SECTION:
> > ;_kerberos._ tcp.din.uem.br . IN A
> > 
> > ;; AUTHORITY SECTION:
> > din.uem.br . 3600 IN SOA ns1.din.uem.br . root.din.uem.br . 2014100841 1800
> > 900 60480 3600
> > 
> > ;; Query time: 1 msec
> > ;; SERVER: 186.233.152.33#53(186.233.152.33)
> > ;; WHEN: Thu Oct 9 14:19:05 2014
> > ;; MSG SIZE rcvd: 88
> > 
> > 
> > 
> > 
> > # dig _ldap._ tcp.din.uem.br
> > 
> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> _ldap._
> > tcp.din.uem.br
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21167
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > 
> > ;; QUESTION SECTION:
> > ;_ldap._ tcp.din.uem.br . IN A
> > 
> > ;; AUTHORITY SECTION:
> > din.uem.br . 3600 IN SOA ns1.din.uem.br . root.din.uem.br . 2014100841 1800
> > 900 60480 3600
> > 
> > ;; Query time: 1 msec
> > ;; SERVER: 186.233.152.33#53(186.233.152.33)
> > ;; WHEN: Thu Oct 9 14:20:16 2014
> > ;; MSG SIZE rcvd: 84
> > 
> > 
> > /var/log/dirsrv/slapd-DIN-UEM-BR/access
> > -
> > conn=3 op=210 SRCH base="dc=din,dc=uem,dc=br" scope=2
> > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=
> > ad...@din.uem.br ))" attrs="krbPrincipalName krbCanonicalName
> > ipaKrbPrincipalAlias krbUPEnabled k
> > conn=3 op=210 RESULT err=0 tag=101 nentries=1 etime=0
> > conn=3 op=211 SRCH base="cn= DIN.UEM.BR ,cn=kerberos,dc=din,dc=uem,dc=br"
> > scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> > krbMaxRenewableAge krbTicketFlags"
> > conn=3 op=211 RESULT err=0 tag=101 nentries=1 etime=0
> > conn=3 op=212 SRCH base="dc=din,dc=uem,dc=br" scope=2
> > filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/
> > din.uem...@din.uem.br )(krbPrincipalName=krbtgt/DIN.UEM
> > conn=3 op=212 RESULT err=0 tag=101 nentries=1 etime=0
> > conn=3 op=213 SRCH base="cn=global_policy,cn= DIN.UEM.BR
> > ,cn=kerberos,dc=din,dc=uem,dc=br" scope=0 filter="(objectClass=*)"
> > attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength
> > krbPwdHistoryLength krbPwdMaxFailure krbPwdF
> > conn=3 op=213 RESULT err=0 tag=101 nentries=1 etime=0
> > conn=50 fd=66 slot=66 connection from 10.30.0.23 to 10.30.0.25
> > conn=50 op=-1 fd=66 closed error 34 (Numerical result out of range) - B2
> > 
> > 
> > /var/log/ovirt-engine/engine-manage-domains.log
> > -
> > 2014-10-09 11:23:05,901 INFO [org.ovirt.engine.core.utils.LocalConfig]
> > Loaded
> > file "/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.conf".
> > 2014-10-09 11:23:05,903 INFO [org.ovirt.engine.core.utils.LocalConfig] The
> > file "/etc/ovirt-engine/engine.conf" doesn't exist or isn't readable. Will
> > return an empty set of properties.
> > 2014-10-09 11:23:05,904 INFO [org.ovirt.engine.core.utils.LocalConfig]
> > Loaded
> > file "/etc/ovirt-engine/engine.conf.d/10-setup-database.conf".
> > 2014-10-09 11:23:05,905 INFO [org.ovirt.engine.core.utils.LocalConfig]
> > Loaded
> > file "/etc/o

Re: [ovirt-users] Getting Started with oVirt

[Yair Zaslavsky]

Hi Saloni,
Welcome to oVirt :)
Several answers to get you started -
First of all, check out the project homepage -

http://www.ovirt.org/Home

Look at the download page -

http://www.ovirt.org/Download

For development (including "how to get the code") - look here -

http://www.ovirt.org/Develop

And also subscribe to de...@ovirt.org mailing list

You can also find many useful youtube videos that were created by my 
colleagues, for example this one,
a lecture held by one of the manintainers -

https://www.youtube.com/watch?v=O6LAQxBzf6g

You can also find us on IRC - irc.oftc.net , #ovirt (for example,my nick there 
is yzaslavs) - feel free to drop by and ask questions


I hope all this helps,

Yair




- Original Message -
> From: "Saloni Baweja" 
> To: users@ovirt.org
> Sent: Friday, October 3, 2014 6:14:10 PM
> Subject: [ovirt-users] Getting Started with oVirt
> 
> I am an aspirant for OPW and found oVirt interesting. But, I don't
> know much about virtualized networks, storage etc and am just a
> beginner. It would be great if I get guidance about how to start
> understanding about oVirt, what exactly is oVirt. How can I get
> acquainted with oVirt and understand its code, working ( as a mere
> beginner ) so that I can start contributing towards this ?
> --
> Build your own dreams, or someone else will hire you to build theirs. ;)
> 
> Saloni Baweja
> 
> Blog: salonibaweja10.wordpress.com/
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ovirt-engine admin GUI

[Yair Zaslavsky]

- Original Message -
> From: "Eli Mesika" 
> To: "Simon Barrett" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 30, 2014 5:31:00 PM
> Subject: Re: [ovirt-users] ovirt-engine admin GUI
> 
> 
> 
> - Original Message -
> > From: "Simon Barrett" 
> > To: users@ovirt.org
> > Sent: Tuesday, September 30, 2014 3:37:37 PM
> > Subject: [ovirt-users] ovirt-engine admin GUI
> > 
> > 
> > 
> > Is there a way to configure the “pause” button to prompt with a
> > confirmation
> > dialog box in the same way that the “shutdown” button does (Are you sure
> > you
> > want to Shut down the following Virtual Machines?) . VM’s with large
> > amounts
> > of memory in use take a while to pause so could be out of action for a
> > while
> > if pause was clicked by mistake.
> > 
> > 
> > 
> > I looked through the engine-config options but couldn’t see anything.

IMHO, I think the word "configure" is somewhat misleading, hence I would not 
expect this to be at engine-config, this should probably be pure UI stuff.
> 
> Seems like it is not supported in 3.5 , you can open a RFE on oVirt
> https://bugzilla.redhat.com/enter_bug.cgi?product=oVirt

+1

> 
> > 
> > 
> > 
> > Thanks,
> > 
> > 
> > 
> > Simon
> > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] error to add domain in rhevm

[Yair Zaslavsky]

- Original Message -
> From: "linisha m" 
> To: users@ovirt.org
> Sent: Thursday, September 18, 2014 3:08:20 PM
> Subject: [ovirt-users] error to add domain in rhevm
> 
> Sir
>  I can’t  add domain using the command rhevm-manage-domains. The command
> that I executed is rhevm-manage-domains –action=add –domain=example.com
> –user=rhevadmin –provider=IPA –interactive.
> The error is Failed to find example.com domain, client not find un
> Kerberos database.
> Can u please tell me the solution for this problem as far as possible.
> 
> 
> 
> Thanks
> Linisha M


Hi Linisha, can you please first state what versio nof ovirt you're using?
Second, looks like for some reason your "example.com" domain cannot be found. 
can you please try and
dig _ldap._tcp.example.com 

and 

dig _kerberos._tcp.example.com

and provide us the results?

Many thanks,
Yair


> 
> 
> 
> 
> DISCLAIMER: The information contained in this communication, including any
> attachments (‘email’) is privileged, confidential or otherwise protected by
> disclosure and is intended only for the individuals or entities named above
> and any others who have been specifically authorized to receive it. Any
> unauthorized dissemination, copying or use of the contents of this email is
> strictly prohibited and may be in violation of law. If you are not the
> intended recipient, please do not read, copy and use or disclose to others
> the contents of this communication. Please notify the sender that you have
> received this e-mail in error by replying to this e-mail copying to
> i...@cms.com and thereafter please delete the e-mail from your system.
> Nothing contained in this disclaimer shall be construed in any way to grant
> permission to transmit confidential information via CMS Group’s e-mail
> system or as a waiver of any confidentiality or privilege. CMS Info Systems
> Pvt. Ltd. (including its group companies) shall not be liable for the
> improper or incomplete transmission of the information contained in this
> communication nor for any delay in its receipt or damage to your system. You
> will appreciate that e-mail transmission cannot be guaranteed to be secure
> or error-free as its contents are susceptible to loss, damage, interception,
> destruction, etc. Before opening any attachments please check them for
> viruses and defects. Please note that any views or opinions presented in
> this email are those of the author and do not necessarily represent those of
> CMS Info Systems Pvt. Ltd. (including its group companies).
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] [RFI] oVirt 3.6 Planning

[Yair Zaslavsky]

Switch our providers (i.e - neutron) to extapi based extensions.



- Original Message -
> From: "Itamar Heim" 
> To: users@ovirt.org
> Sent: Friday, September 12, 2014 3:22:41 PM
> Subject: [ovirt-users] [RFI] oVirt 3.6 Planning
> 
> With oVirt 3.5 nearing GA, time to ask for "what do you want to see in
> oVirt 3.6"?
> 
> Thanks,
> Itamar
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] adding machine to openldap + kerberos with a keytab

[Yair Zaslavsky]

- Original Message -
> From: "William Law" 
> To: "Yair Zaslavsky" 
> Cc: "users" 
> Sent: Thursday, September 11, 2014 2:11:08 AM
> Subject: Re: [ovirt-users] adding machine to openldap + kerberos with a keytab
> 
> OK, thanks.  Is there a way to perform it without manage-domains currently or
> in 3.5?

in 3.5  - you can add new authn (authentication) and authz (authorization) 
providers by using configuration files.

> 
> Regards,
> 
> Will
> 
> On Sep 10, 2014, at 4:07 PM, Yair Zaslavsky  wrote:
> 
> > 
> > 
> > - Original Message -
> >> From: "William Law" 
> >> To: "users" 
> >> Sent: Thursday, September 11, 2014 1:53:04 AM
> >> Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
> >> 
> >> Hi,
> >> 
> >> When I try to use engine-manage-domains it seems to expect an account to
> >> sign
> >> in with.  Is there any way to use a key tab?  It seems like it does all
> >> this
> >> under the surface eventually; I'd just like to do it up front.
> >> 
> >> Even a pointer to "manual" adding instructions would be very helpful.
> >> 
> >> Thanks,
> >> 
> >> Will
> > 
> > Hi Will,
> > No way to perform this with manage domains at the moment.
> > 
> > Not sure if we will invest in this, as in oVirt 3.5 we introduce a
> > pluggable architecture for AAA, based on extensions + configuration files
> > managed-domains should be used to support existing setups that will undergo
> > upgrade to 3.5 (or of course, will remain in their current versions).
> > 
> >> ___
> >> Users mailing list
> >> Users@ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >> 
> 
> 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] adding machine to openldap + kerberos with a keytab

[Yair Zaslavsky]

- Original Message -
> From: "William Law" 
> To: "users" 
> Sent: Thursday, September 11, 2014 1:53:04 AM
> Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
> 
> Hi,
> 
> When I try to use engine-manage-domains it seems to expect an account to sign
> in with.  Is there any way to use a key tab?  It seems like it does all this
> under the surface eventually; I'd just like to do it up front.
> 
> Even a pointer to "manual" adding instructions would be very helpful.
> 
> Thanks,
> 
> Will

Hi Will,
No way to perform this with manage domains at the moment.

Not sure if we will invest in this, as in oVirt 3.5 we introduce a pluggable 
architecture for AAA, based on extensions + configuration files 
managed-domains should be used to support existing setups that will undergo 
upgrade to 3.5 (or of course, will remain in their current versions).

> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Engine Hardware Crash

[Yair Zaslavsky]

Just to make sure, this means that when it comes to file system , etc.. you 
also have your storage resources available, right?

You lost the engine with the db, am I correct ?

I'm CCing someone that might have the exact answer for that.


- Original Message -
> From: "Maurice James" 
> To: "users" 
> Sent: Wednesday, September 10, 2014 3:46:35 PM
> Subject: [ovirt-users] Engine Hardware Crash
> 
> I just recently had the hardware that acts as the engine crash. I have a
> blinking amber light on the server. I have servers on the remaining hosts.
> How do I, or can I use vdsm to interact with the VMs that are still present
> on those hosts without the engine?
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Ovirt and Fedora 20

[Yair Zaslavsky]

- Original Message -
> From: "Jamie Bohr" 
> To: Users@ovirt.org
> Sent: Wednesday, August 27, 2014 6:15:48 AM
> Subject: Re: [ovirt-users] Ovirt and Fedora 20
> 
> I had an error of "Failed to parse configuration" of which
> https://bugzilla.redhat.com/show_bug.cgi?id=1062318 indicated to download
> http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Final.zip

Hi Jamie,
Your setup indicates you're trying to setup to some other version, and not 
jboss-as-7.1.1
As you wrote , you ran -
engine-setup --jboss-home=/opt/jboss-as-web-7.0.2.Final

Therefore I suggest to try and install the correct jboss version and run setup 
again.
I hope this helps,
Yair


> .
> 
> 
> On Tue, Aug 26, 2014 at 9:59 PM, Jamie Bohr  wrote:
> 
> > I followed the instructions on
> > http://www.ovirt.org/Quick_Start_Guide#Install_oVirt_Engine_.28Fedora_.2F_Red_Hat_Enterprise_Linux_.2F_CentOS.29
> > for installing ovirt on a Fedora 20 instance.  I
> > expanded jboss-as-web-7.0.2.Final into /opt/jboss-as-web-7.0.2.Final and
> > ran "engine-setup --jboss-home=/opt/jboss-as-web-7.0.2.Final".
> >
> > Everything appeared fine however the web interface will not start, the
> > following appear in the console.log file:
> >
> > Could not load Logmanager "org.jboss.logmanager"
> >
> > I looked for that error in reference to ovirt but did not find anything
> > relevant,  hoping someone on this list can point me in the right direction.
> >
> > Sorry if this was double posted, it was not in my sent item and it was
> > late yesterday when I thought I sent it.
> >
> > --
> > Jamie Bohr
> >
> 
> 
> 
> --
> Jamie Bohr
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Ovirt and Fedora 20

[Yair Zaslavsky]

- Original Message -
> From: "Jamie Bohr" 
> To: Users@ovirt.org
> Sent: Wednesday, August 27, 2014 5:59:07 AM
> Subject: [ovirt-users] Ovirt and Fedora 20
> 
> I followed the instructions on
> http://www.ovirt.org/Quick_Start_Guide#Install_oVirt_Engine_.28Fedora_.2F_Red_Hat_Enterprise_Linux_.2F_CentOS.29
> for installing ovirt on a Fedora 20 instance.  I
> expanded jboss-as-web-7.0.2.Final into /opt/jboss-as-web-7.0.2.Final and
> ran "engine-setup --jboss-home=/opt/jboss-as-web-7.0.2.Final".

Can you please elaborate why this is the jboss version you're using and where 
did you download from?
AFAIK this is not the correct jboss version that should be used, but
jboss-as-7.1.1

Thanks,
Yair


> 
> Everything appeared fine however the web interface will not start, the
> following appear in the console.log file:
> 
> Could not load Logmanager "org.jboss.logmanager"
> 
> I looked for that error in reference to ovirt but did not find anything
> relevant,  hoping someone on this list can point me in the right direction.
> 
> Sorry if this was double posted, it was not in my sent item and it was late
> yesterday when I thought I sent it.
> 
> --
> Jamie Bohr
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] HELP - Storage Domains dot not active anymore.

[Yair Zaslavsky]

- Original Message -
> From: "Fagner Patricio" 
> To: "users" 
> Sent: Monday, August 25, 2014 5:29:50 PM
> Subject: Re: [ovirt-users] HELP - Storage Domains dot not active anymore.
> 
> Here my logs
> 
> vdms.log
> 
> https://mega.co.nz/#!8EJRWSLC!AhYjR0_jplgjl4alK_L8LaRdoofH3bslAS4slUZilkE
> 
> engine.log
> 
> https://mega.co.nz/#!1dwQ1RqB!9jHMdwM-6hxYoWavioFjEzvoO39MdSQnw1axuVDw9Ig
> 
> Thanks for any help.


From a quick glance I can see you had some connectivity issues with your vdsm 
host? this is probably the reboot you refer to.
After that I see at engine log the following -

OneVGReturnForXmlRpc [mStatus=StatusForXmlRpc [mCode=506, mMessage=Volume Group 
does not exist: ('vg_uuid: 7OKSEI-SprM-3NlZ-dl5y-4vTp-2mFd-zrcPY7',)]]

Looks like you have an issue with one of your VGs?

CC'ing someone who might be more of a help


> 
> 
> 
> 2014-08-25 11:06 GMT-03:00 Yair Zaslavsky :
> 
> >
> >
> > - Original Message -
> > > From: "Fagner Patricio" 
> > > To: "users" 
> > > Sent: Monday, August 25, 2014 5:04:17 PM
> > > Subject: [ovirt-users] HELP - Storage Domains dot not active anymore.
> > >
> > > Hello everybody, i have a big trouble here.
> > > After a reboot in my ovirt datacenter two of three storage domain do not
> > > active anymore.
> > > I have very important VM in there.
> > >
> > > What can i do, please help me.
> > >
> > > Whats log I search for a clue what is going on?
> >
> > You should search engine.log and vdsm.log
> >
> > Is it possible you send us the logs to help you out?
> >
> > Thanks,
> > Yair
> >
> > >
> > > The storage domains are fedora 20 machines with tgtd service on it.
> > >
> > > --
> > > Fagner Patrício
> > > João Pessoa - PB
> > > Brasil
> > >
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
> 
> 
> 
> --
> Fagner Patrício
> João Pessoa - PB
> Brasil
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] HELP - Storage Domains dot not active anymore.

[Yair Zaslavsky]

- Original Message -
> From: "Fagner Patricio" 
> To: "users" 
> Sent: Monday, August 25, 2014 5:04:17 PM
> Subject: [ovirt-users] HELP - Storage Domains dot not active anymore.
> 
> Hello everybody, i have a big trouble here.
> After a reboot in my ovirt datacenter two of three storage domain do not
> active anymore.
> I have very important VM in there.
> 
> What can i do, please help me.
> 
> Whats log I search for a clue what is going on?

You should search engine.log and vdsm.log

Is it possible you send us the logs to help you out?

Thanks,
Yair

> 
> The storage domains are fedora 20 machines with tgtd service on it.
> 
> --
> Fagner Patrício
> João Pessoa - PB
> Brasil
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ovirt with 389 server inactive groups

[Yair Zaslavsky]

- Original Message -
> From: "Paul Robert Marino" 
> To: "Yair Zaslavsky" 
> Cc: users@ovirt.org
> Sent: Sunday, August 17, 2014 6:32:15 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> I think we now have enough for a proper ticket.
> I will create one latter today. also since I have RHEV support for my
> production instances I will also create a matching case with Red Hat.

Thank you very much for your help here!
Please add a link to this mailing list thread when you open the ticket.

Many thanks,
Yair

> 
> 
> 
> On Sun, Aug 17, 2014 at 11:27 AM, Paul Robert Marino
>  wrote:
> > Ok
> > I dug in a little further it looks like them memberof plugin in 389
> > server is making them lowercase which from an LDAP and or Posix
> > perspective is not a problem but this seems to be the root cause of
> > the issue of the difference.
> > while this behavior is strange it is not invalid because DN's are case
> > insensitive.
> >
> > The easiest way to fix this is to change the query of the group from
> > the ad_groups table to an ilike. The potential problem here is it
> > conflicts with SAM in windows where group names are case sensitive.
> > This is definitely a conflict in design between AD and LDAP's core design.
> > Interestingly I can add roles to the group and there is no problem it
> > sets it correctly so somewhere else in the code an ilike is being uses
> > to query the groups table.
> >
> >
> > On Sun, Aug 17, 2014 at 11:05 AM, Paul Robert Marino
> >  wrote:
> >> I found why the group_ids field is wrong
> >>
> >> If you look at the ad_groups table then mane for the group is " >> here>/Groups/sysadmin" however if you look at the groups field in the
> >> users table it says "/groups/sysadmin"
> >> I tried updating the name field in the ad_groups table to match
> >> "/groups/sysadmin" then removed and added a user now the
> >> if for that group in the group_ids field is being set correctly.
> >>
> >> This is at least a usable workaround for now. now we need to find the
> >> root cause.
> >>
> >>
> >> On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino
> >>  wrote:
> >>> confirmed that does seem to be the cause I updated the group_ids field
> >>> of a user to the appropriate Id's from ad_groups and it fixed that
> >>> user.
> >>> in answer to your question "Did you first add the goup, and then added
> >>> users (that belong to a group) either by adding users, or by adding a
> >>> permission?" Ive tried it ever different way I can think of the
> >>> results are always the same.
> >>>
> >>>
> >>> On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky 
> >>> wrote:
> >>>>
> >>>>
> >>>> - Original Message -
> >>>>> From: "Paul Robert Marino" 
> >>>>> To: "Yair Zaslavsky" 
> >>>>> Cc: "Itamar Heim" , users@ovirt.org
> >>>>> Sent: Sunday, August 17, 2014 4:33:30 PM
> >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>>>>
> >>>>> here are the results of the queries you asked for
> >>>>>
> >>>>>
> >>>>> group_ids
> >>>>>
> >>>>>   |
> >>>>>
> >>>>>  groups
> >>>>>
> >>>>> ---+-
> >>>>> -
> >>>>> 
> >>>>>  
> >>>>> ----,----,----,----,----,----
> >>>>> | /groups/sysadmin,/groups/pmarino, >>>>> here>/groups/pd managers,/groups/qa managers, >>>>> here>/group

Re: [ovirt-users] ovirt with 389 server inactive groups

[Yair Zaslavsky]

- Original Message -
> From: "Paul Robert Marino" 
> To: "Yair Zaslavsky" 
> Cc: "Itamar Heim" , users@ovirt.org
> Sent: Sunday, August 17, 2014 4:33:30 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> here are the results of the queries you asked for
> 
> 
> group_ids
> 
>   |
> 
>  groups
> 
> ---+-
> -
> 
>  
> ----,----,----,----,----,----
> | core.ux.medi
> a.cbs.net/groups/sysadmin,/groups/pmarino, here>/groups/pd managers,/groups/qa managers, here>/groups/accounting managers,/directory administrat
> ors
> (1 row)
> 
> 
> engine=# select id, name from ad_groups;
>   id  | name
> --+---
>  eee0----123456789eee | Everyone
>  2a8a8401-fc9e-11e3-8742-861538ea406a | /Groups/sysadmin
> (2 rows)

It does look that there is something wrong in the association of users to their 
group IDS.
Just to make sure I'm not missing anything -
Did you first add the goup, and then added users (that belong to a group) 
either by adding users, or by adding a permission?

Yair

> 
> 
> 
> On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky  wrote:
> >
> >
> > - Original Message -
> >> From: "Paul Robert Marino" 
> >> To: "Yair Zaslavsky" 
> >> Cc: "Itamar Heim" , users@ovirt.org
> >> Sent: Wednesday, August 13, 2014 11:47:40 PM
> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>
> >> Ok so before I open a bug ticket I want to confirm I'm not doing any
> >> thing wrong here.
> >> I upgraded to 3.4
> >> now it says "Active:false " on LDAP groups.
> >>
> >> Again I tried to add the sysadmin group from the directory server and
> >> set the power user and super user roles on the group
> >> it shows up as "/Groups/sysadmin"
> >> I adder the permisions by clicking on the configure link on the top of
> >> the screen and set them in the "System Permissions" tab
> >
> > Sounds good so far.
> > I assume also you see the permissiosn in the permissions sub tab when you
> > click the group.
> >
> >>
> >> I added a user (pmarino) to the system which shows in the "Directory
> >> Group" tab shows "sysadmingroups   " among others
> >> however it only shows in the Permissions tab the permissions inherited
> >> by "Everyone" it does not show any permissions inherited by the
> >> sysadmin group.
> >
> > This is not good - I mean, should have worked.
> >
> >>
> >> just to prove it didnt work I logged out and attempted to log back in
> >> as the user (pmarino) it wouldn't let me log in
> >>
> >> I logged back in as the internal admin user then I added the SuperUser
> >> permissions directly to the pmarino account and logged back out again.
> >> Now when I logged in as pmarino it gave me the access I expected.
> >
> > Can I please ask you to provide some database info ?
> >
> > It will be awesome if you can provide the following SQL queries results -
> >
> > select group_ids, groups from users where username ilike '%pmarino%';
> >
> > In addition, please perform - select id, name from ad_groups;
> >
> > Thanks for your help.
> >
> > P.S - As far as I understand the two bugs mentioend by Itamar (I mean, the
> > solution to the bugs) should have fixed your issue as well.
> >
> >
> >
> >>
> >>
> >>
> >> Here is the relevant portion of the engine log
> >> "
> >> 2014-08-13 16:00:38,801 INFO
> >> [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
> >> [1e

Re: [ovirt-users] ovirt with 389 server inactive groups

[Yair Zaslavsky]

- Original Message -
> From: "Paul Robert Marino" 
> To: "Yair Zaslavsky" 
> Cc: "Itamar Heim" , users@ovirt.org
> Sent: Wednesday, August 13, 2014 11:47:40 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> Ok so before I open a bug ticket I want to confirm I'm not doing any
> thing wrong here.
> I upgraded to 3.4
> now it says "Active:false " on LDAP groups.
> 
> Again I tried to add the sysadmin group from the directory server and
> set the power user and super user roles on the group
> it shows up as "/Groups/sysadmin"
> I adder the permisions by clicking on the configure link on the top of
> the screen and set them in the "System Permissions" tab

Sounds good so far.
I assume also you see the permissiosn in the permissions sub tab when you click 
the group.

> 
> I added a user (pmarino) to the system which shows in the "Directory
> Group" tab shows "sysadmingroups   " among others
> however it only shows in the Permissions tab the permissions inherited
> by "Everyone" it does not show any permissions inherited by the
> sysadmin group.

This is not good - I mean, should have worked.

> 
> just to prove it didnt work I logged out and attempted to log back in
> as the user (pmarino) it wouldn't let me log in
> 
> I logged back in as the internal admin user then I added the SuperUser
> permissions directly to the pmarino account and logged back out again.
> Now when I logged in as pmarino it gave me the access I expected.

Can I please ask you to provide some database info ?

It will be awesome if you can provide the following SQL queries results -

select group_ids, groups from users where username ilike '%pmarino%';

In addition, please perform - select id, name from ad_groups;

Thanks for your help.

P.S - As far as I understand the two bugs mentioend by Itamar (I mean, the 
solution to the bugs) should have fixed your issue as well.



> 
> 
> 
> Here is the relevant portion of the engine log
> "
> 2014-08-13 16:00:38,801 INFO
> [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
> [1e7fa420] Running command: AddGroupCommand internal: false. Entities
> affected :  ID: aaa0----123456789aaa Type: System
> 2014-08-13 16:00:38,813 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call
> Stack: null, Custom Event ID: -1, Message: User ' name>/Groups/sysadmin' was added successfully to the system.
> 2014-08-13 16:09:01,352 INFO
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command:
> AddSystemPermissionCommand internal: false. Entities affected :  ID:
> aaa0----123456789aaa Type: System,  ID:
> aaa0----123456789aaa Type: System
> 2014-08-13 16:09:01,371 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
> 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group
> /Groups/sysadmin was granted permission for Role
> SuperUser on System by admin.
> 2014-08-13 16:10:40,963 INFO
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command:
> AddSystemPermissionCommand internal: false. Entities affected :  ID:
> aaa0----123456789aaa Type: System,  ID:
> aaa0----123456789aaa Type: System
> 2014-08-13 16:10:40,979 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb,
> Call Stack: null, Custom Event ID: -1, Message: User/Group  name>/Groups/sysadmin was granted permission for Role PowerUserRole on
> System by admin.
> 2014-08-13 16:20:53,891 INFO
> [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4)
> [58e00be1] Running command: AddUserCommand internal: false. Entities
> affected :  ID: aaa0----123456789aaa Type: System
> 2014-08-13 16:20:53,919 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call
> Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added
> successfully to the system.
> 2014-08-13 16:35:52,202 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null,
> Custom Event ID: -1, Message: User pmarino failed to log in.
> 2014-08-13 16:35:52,202 WARN
> [org.o

Re: [ovirt-users] ovirt with 389 server inactive groups

[Yair Zaslavsky]

- Original Message -
> From: "Yair Zaslavsky" 
> To: "Itamar Heim" 
> Cc: users@ovirt.org
> Sent: Monday, August 11, 2014 8:13:53 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> I have checked the codebase of 3.3 -
> the "active" field is used for presentation purpose only.

Presentation wise only - means that it is not used for our permissions 
calculation , for example.

> Alon has addressed our plans for this in his previous comments.
> I hope this clarifies more..
> 
> Yair
> 
> 
> - Original Message -
> > From: "Itamar Heim" 
> > To: "Alon Bar-Lev" , "Paul Robert Marino"
> > 
> > Cc: users@ovirt.org
> > Sent: Sunday, August 10, 2014 11:54:05 PM
> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > 
> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> > >
> > >
> > > - Original Message -
> > >> From: "Paul Robert Marino" 
> > >> To: "Alon Bar-Lev" 
> > >> Cc: "Maurice James" , users@ovirt.org
> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>
> > >> Sorry for my delayed response to this
> > >>
> > >> I am using ovirt 3.3.
> > >> I am using Kerberos 5, and all of the DNS requirements are in place.
> > >> Finally 389 server is the upstream project for RHDS and one of the
> > >> upstream projects for IPA.
> > >> So I chose to set it as RHDS because its an identical match.
> > >>
> > >> User authentication works just fine my problem is adding roles to
> > >> groups.
> > >> I can assign a role to a group but the group always shows an inactive
> > >> status; however if I assign a role directly to to a user it works
> > >> fine.
> > >> In addition if I drill down into a user it knows what groups in the
> > >> 389 server the user is a member of.
> > >>
> > >> finally I can't see any error in the logs when adding a role to a group
> > >>
> > >
> > > Please open a bug, I am unsure that it will be addressed before 3.5, as
> > > we
> > > have done major rework for the authentication and authorization to make
> > > it
> > > much more versatile. Even if there will be a fix it will be provided to
> > > 3.4.z.
> > >
> > > It will be best if you want to test this scenario in 3.5 release
> > > candidate
> > > and the new ldap provider, so we can address the issue before 3.5 release
> > > if exists.
> > >
> > 
> > could also be one of these fixed in 3.4:
> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
> > does not inherit the group permissions
> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> > a group indirectly, it does not inherit the group permissions
> > 
> > >>
> > >>
> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev  wrote:
> > >>>
> > >>>
> > >>> - Original Message -
> > >>>> From: "Maurice James" 
> > >>>> To: "Alon Bar-Lev" 
> > >>>> Cc: "Itamar Heim" , users@ovirt.org
> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>>>
> > >>>> Does this still require the use of kerberos? Will 389-ds work on its
> > >>>> own?
> > >>>
> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap
> > >>> mix.
> > >>>
> > >>> It will be great to receive feedback[2].
> > >>>
> > >>> 389ds is not supported directly, I think it is similar to IPA as it
> > >>> uses
> > >>> 389. Maybe I should rename the profile of ipa to 389 if it works
> > >>> properly.
> > >>>
> > >>> Regards,
> > >>> Alon
> > >>>
> > >>> [1]
> > >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> > >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> > >>>
> > >>>>
> > >>>> - Original 

Re: [ovirt-users] ovirt with 389 server inactive groups

[Yair Zaslavsky]

I have checked the codebase of 3.3 -
the "active" field is used for presentation purpose only.
Alon has addressed our plans for this in his previous comments.
I hope this clarifies more..

Yair


- Original Message -
> From: "Itamar Heim" 
> To: "Alon Bar-Lev" , "Paul Robert Marino" 
> 
> Cc: users@ovirt.org
> Sent: Sunday, August 10, 2014 11:54:05 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> >
> >
> > - Original Message -
> >> From: "Paul Robert Marino" 
> >> To: "Alon Bar-Lev" 
> >> Cc: "Maurice James" , users@ovirt.org
> >> Sent: Sunday, August 10, 2014 10:43:14 PM
> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >>
> >> Sorry for my delayed response to this
> >>
> >> I am using ovirt 3.3.
> >> I am using Kerberos 5, and all of the DNS requirements are in place.
> >> Finally 389 server is the upstream project for RHDS and one of the
> >> upstream projects for IPA.
> >> So I chose to set it as RHDS because its an identical match.
> >>
> >> User authentication works just fine my problem is adding roles to groups.
> >> I can assign a role to a group but the group always shows an inactive
> >> status; however if I assign a role directly to to a user it works
> >> fine.
> >> In addition if I drill down into a user it knows what groups in the
> >> 389 server the user is a member of.
> >>
> >> finally I can't see any error in the logs when adding a role to a group
> >>
> >
> > Please open a bug, I am unsure that it will be addressed before 3.5, as we
> > have done major rework for the authentication and authorization to make it
> > much more versatile. Even if there will be a fix it will be provided to
> > 3.4.z.
> >
> > It will be best if you want to test this scenario in 3.5 release candidate
> > and the new ldap provider, so we can address the issue before 3.5 release
> > if exists.
> >
> 
> could also be one of these fixed in 3.4:
> 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
> does not inherit the group permissions
> 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> a group indirectly, it does not inherit the group permissions
> 
> >>
> >>
> >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev  wrote:
> >>>
> >>>
> >>> - Original Message -
>  From: "Maurice James" 
>  To: "Alon Bar-Lev" 
>  Cc: "Itamar Heim" , users@ovirt.org
>  Sent: Saturday, August 9, 2014 3:47:04 AM
>  Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
>  Does this still require the use of kerberos? Will 389-ds work on its
>  own?
> >>>
> >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap
> >>> mix.
> >>>
> >>> It will be great to receive feedback[2].
> >>>
> >>> 389ds is not supported directly, I think it is similar to IPA as it uses
> >>> 389. Maybe I should rename the profile of ipa to 389 if it works
> >>> properly.
> >>>
> >>> Regards,
> >>> Alon
> >>>
> >>> [1]
> >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> >>>
> 
>  - Original Message -
>  From: "Alon Bar-Lev" 
>  To: "Itamar Heim" 
>  Cc: users@ovirt.org
>  Sent: Friday, August 8, 2014 3:45:07 PM
>  Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> 
> 
>  - Original Message -
> > From: "Itamar Heim" 
> > To: "Paul Robert Marino" , users@ovirt.org
> > Sent: Friday, August 8, 2014 10:37:11 PM
> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >
> > On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> >> I have ovirt engine running and connected to a 389 server with the
> >> memberof plugin enabled and working properly.
> >>
> >> I can add users and assign them to roles without any issues.
> >>
> >> when I look at a user I can see all the LDAP groups they are a member
> >> of.
> >>
> >> when I run engine-manage-domains  -action=validate it tells me the
> >> domain is valid.
> >>
> >> here is my problem when I try to assign a role to an LDAP group it
> >> looks like it works but in the general tab when under the group it
> >> tells me the status is Inactive.
> >>
> >> dose any one know how to enable the group?
> >> ___
> >> Users mailing list
> >> Users@ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >>
> >
> > 3.4 or new 3.5 Generic LDAP provider?
> 
> 
>  On case this is 3.5 it is known issue, all groups will be seen as
>  inactive,
>  this field will probably be removed from UI, as groups are no longer
>  fetched
>  periodically.
>  This field is totally ignored.
> 
>  Alon
>  _

Re: [ovirt-users] ovirt with 389 server inactive groups

[Yair Zaslavsky]

- Original Message -
> From: "Alon Bar-Lev" 
> To: "Maurice James" 
> Cc: users@ovirt.org
> Sent: Saturday, August 9, 2014 9:33:16 AM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 
> 
> 
> - Original Message -
> > From: "Maurice James" 
> > To: "Alon Bar-Lev" 
> > Cc: "Itamar Heim" , users@ovirt.org
> > Sent: Saturday, August 9, 2014 3:47:04 AM
> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > 
> > Does this still require the use of kerberos? Will 389-ds work on its own?
> 
> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
> 
> It will be great to receive feedback[2].
> 
> 389ds is not supported directly, I think it is similar to IPA as it uses 389.
> Maybe I should rename the profile of ipa to 389 if it works properly.
> 

Sorry for the very late response, I was on PTO -
Prior to 3.5 - 389ds was supported via the RHDS provider 
AFAIK,
389ds is "upstream" version for RHDS...

> Regards,
> Alon
> 
> [1]
> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> 
> > 
> > - Original Message -
> > From: "Alon Bar-Lev" 
> > To: "Itamar Heim" 
> > Cc: users@ovirt.org
> > Sent: Friday, August 8, 2014 3:45:07 PM
> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > 
> > 
> > 
> > - Original Message -
> > > From: "Itamar Heim" 
> > > To: "Paul Robert Marino" , users@ovirt.org
> > > Sent: Friday, August 8, 2014 10:37:11 PM
> > > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > > 
> > > On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> > > > I have ovirt engine running and connected to a 389 server with the
> > > > memberof plugin enabled and working properly.
> > > >
> > > > I can add users and assign them to roles without any issues.
> > > >
> > > > when I look at a user I can see all the LDAP groups they are a member
> > > > of.
> > > >
> > > > when I run engine-manage-domains  -action=validate it tells me the
> > > > domain is valid.
> > > >
> > > > here is my problem when I try to assign a role to an LDAP group it
> > > > looks like it works but in the general tab when under the group it
> > > > tells me the status is Inactive.
> > > >
> > > > dose any one know how to enable the group?
> > > > ___
> > > > Users mailing list
> > > > Users@ovirt.org
> > > > http://lists.ovirt.org/mailman/listinfo/users
> > > >
> > > 
> > > 3.4 or new 3.5 Generic LDAP provider?
> > 
> > 
> > On case this is 3.5 it is known issue, all groups will be seen as inactive,
> > this field will probably be removed from UI, as groups are no longer
> > fetched
> > periodically.
> > This field is totally ignored.
> > 
> > Alon
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Relationship bw storage domain uuid/images/children and VM's

[Yair Zaslavsky]

- Original Message -
> From: "Steve Dainard" 
> To: "users" 
> Sent: Thursday, July 17, 2014 7:51:31 PM
> Subject: [ovirt-users] Relationship bw storage domain uuid/images/children
> and VM's
> 
> Hello,
> 
> I'd like to get an understanding of the relationship between VM's using a
> storage domain, and the child directories listed under .../ name>//images/.
> 
> Running through some backup scenarios I'm noticing a significant difference
> between the number of provisioned VM's using a storage domain (21) +
> templates (6) versus the number of child directories under images/ (107).

Can you please elaborate (if possible) on the number of images per VM that 
you're having in your setup?

> 
> Running RHEV 3.4 trial.
> 
> Thanks,
> Steve
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Help....

[Yair Zaslavsky]

Please provide full engine.log and full server.log

Thanks!

In addition, what version did you upgrade from?


- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Wednesday, June 18, 2014 7:55:15 AM
> Subject: [ovirt-users] Help
> 
> This happend after the update to 3.4.2 when I start the engine. I can't
> login anymore... This is the error. Any Idea's? PLease
> 
> 2014-06-18 06:51:45,728 ERROR
> [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
> (DefaultQuartzScheduler_Worker-79) ResourceManager::refreshVdsRunTimeInfo:
> Error: IllegalStateException: JBAS011049: Component is stopped, vds =
> b34902ea-ad11-45d3-96ee-47de1864e4e0 : mercury1
> 2014-06-18 06:51:45,736 ERROR
> [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo]
> (DefaultQuartzScheduler_Worker-79) IllegalStateException: JBAS011049:
> Component is stopped: java.lang.IllegalStateException: JBAS011049:
> Component is stopped
> at
> org.jboss.as.ee.component.BasicComponent.waitForComponentStart(BasicComponent.java:104)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ee.component.BasicComponent.constructComponentInstance(BasicComponent.java:127)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ee.component.BasicComponent.createInstance(BasicComponent.java:85)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ejb3.component.stateless.StatelessSessionComponent$1.create(StatelessSessionComponent.java:66)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ejb3.component.stateless.StatelessSessionComponent$1.create(StatelessSessionComponent.java:63)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at org.jboss.as.ejb3.pool.AbstractPool.create(AbstractPool.java:60)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ejb3.pool.strictmax.StrictMaxPool.get(StrictMaxPool.java:123)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:47)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:211)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:363)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:194)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
> [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.ovirt.engine.core.common.businessentities.IVdsEventListener$$$view6.addExternallyManagedVms(Unknown
> Source)
> at
> org.o

Re: [ovirt-users] problem engine-manage-domains add ldap domain

[Yair Zaslavsky]

I helped Lucas resolve this over IRC.
This was an issue with his kerberos setup.
Lucas, care to share here what issue did you discover?

Yair


- Original Message -
> From: "lucas castro" 
> To: users@ovirt.org
> Sent: Wednesday, June 11, 2014 9:50:48 PM
> Subject: [ovirt-users] problem engine-manage-domains add ldap domain
> 
> I'm trying to add a ldap domain to ovirt-engine,
> but getting problem with that.
> 
> I sent three files with the engine-manage-domains log
> the krb5 config generated for testing
> and the tcpdump port 53 from my dns server
> 
> can anybody help me to find what is happening?
> --
> contatos:
> Celular: ( 99 ) 9143-5954 - Vivo
> skype: lucasd3castro
> msn: lucascastrobor...@hotmail.com
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Delete snapshots

[Yair Zaslavsky]

>From what I see in the code of the remove snapshot command,
the vm should be in DOWN state in order for the snapshot to be removed (well, 
this is of course just one of the conditions).


- Original Message -
> From: "Maurice James" 
> To: "users" 
> Sent: Sunday, May 11, 2014 2:53:39 AM
> Subject: [ovirt-users] Delete snapshots
> 
> 
> Is it possible to delete snapshots on running VMs?
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Users losing permissions when user portal session times out

[Yair Zaslavsky]

Jeff, which ovrit version are you using?
Thanks.


- Original Message -
> From: "Yair Zaslavsky" 
> To: "Jeff Clay" 
> Cc: "Oved Ourfalli" , "paul thornton" 
> , users@ovirt.org
> Sent: Thursday, May 8, 2014 10:05:46 AM
> Subject: Re: [ovirt-users] Users losing permissions when user portal  session 
> times out
> 
> 
> 
> - Original Message -
> > From: "Jeff Clay" 
> > To: users@ovirt.org, "paul thornton"
> > 
> > Sent: Thursday, May 8, 2014 9:09:00 AM
> > Subject: [ovirt-users] Users losing permissions when user portal session
> > times out
> > 
> > I finally have everything working pretty good. I have noticed that if I log
> > in to the user portal as a user with the regular "UserRole" granted and
> > only the the pool objects and the user portal session times I can not log
> > back in. The user portal shows the message the the user is not authorized
> > to perform this function. When I log in as admin and go to "users" then
> > view the permissions for the user I was just logged in as, the user no
> > longer shows the "UserRole" role even though the permissions on the pool
> > objects still show the role is granted. I have to delete the user from the
> > "Users" list and logging back in will refresh the permissions. I have ovirt
> > integrated with my active directory for logins. I am granting permissions
> > based on active directory groups. To grant the permissions, I am selecting
> > the object (usually a pool), then selecting the "permissions" tab and then
> > clicking "add"; I do a search for the group, i click the check box next to
> > it and click ok. The group permissions seem to remain on the object when
> > the user portal session times out, but the actual user that timed out loses
> > all permissions/roles. I have no idea what could be causing this other than
> > some sort of bug. Any ideas?
> > 
> > Thanks in advance.
> 
> This is a known issue, and IIRC was resolved by Oved.
> Oved, am I correct here?
> 
> > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Users losing permissions when user portal session times out

[Yair Zaslavsky]

- Original Message -
> From: "Jeff Clay" 
> To: users@ovirt.org, "paul thornton" 
> Sent: Thursday, May 8, 2014 9:09:00 AM
> Subject: [ovirt-users] Users losing permissions when user portal session  
> times out
> 
> I finally have everything working pretty good. I have noticed that if I log
> in to the user portal as a user with the regular "UserRole" granted and
> only the the pool objects and the user portal session times I can not log
> back in. The user portal shows the message the the user is not authorized
> to perform this function. When I log in as admin and go to "users" then
> view the permissions for the user I was just logged in as, the user no
> longer shows the "UserRole" role even though the permissions on the pool
> objects still show the role is granted. I have to delete the user from the
> "Users" list and logging back in will refresh the permissions. I have ovirt
> integrated with my active directory for logins. I am granting permissions
> based on active directory groups. To grant the permissions, I am selecting
> the object (usually a pool), then selecting the "permissions" tab and then
> clicking "add"; I do a search for the group, i click the check box next to
> it and click ok. The group permissions seem to remain on the object when
> the user portal session times out, but the actual user that timed out loses
> all permissions/roles. I have no idea what could be causing this other than
> some sort of bug. Any ideas?
> 
> Thanks in advance.

This is a known issue, and IIRC was resolved by Oved.
Oved, am I correct here?

> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" - feature pages

[Yair Zaslavsky]

- Original Message -
> From: "Gilad Chaplik" 
> To: "Arthur Berezin" 
> Cc: "users" , "Yair Zaslavsky" 
> Sent: Monday, May 5, 2014 11:52:25 AM
> Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" - 
> feature  pages
> 
> - Original Message -
> > From: "Arthur Berezin" 
> > To: "Gilad Chaplik" 
> > Cc: "users" , "Yair Zaslavsky" 
> > Sent: Monday, May 5, 2014 11:30:24 AM
> > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" -
> > feature pages
> > 
> > - Original Message -
> > 
> > > From: "Yair Zaslavsky" 
> > > To: "Gilad Chaplik" 
> > > Cc: "Arthur Berezin" , "users" 
> > > Sent: Monday, May 5, 2014 11:10:10 AM
> > > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" -
> > > feature pages
> > 
> > > - Original Message -
> > > > From: "Gilad Chaplik" 
> > > > To: "Yair Zaslavsky" 
> > > > Cc: "Arthur Berezin" , "users" 
> > > > Sent: Monday, May 5, 2014 10:57:01 AM
> > > > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check"
> > > > -
> > > > feature pages
> > > >
> > > > - Original Message -
> > > > > From: "Yair Zaslavsky" 
> > > > > To: "Arthur Berezin" 
> > > > > Cc: "Gilad Chaplik" , "users" 
> > > > > Sent: Monday, May 5, 2014 6:39:02 AM
> > > > > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health
> > > > > Check"
> > > > > -
> > > > > feature pages
> > > > >
> > > > >
> > > > >
> > > > > - Original Message -
> > > > > > From: "Arthur Berezin" 
> > > > > > To: "Gilad Chaplik" 
> > > > > > Cc: "users" 
> > > > > > Sent: Sunday, May 4, 2014 5:35:59 PM
> > > > > > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health
> > > > > > Check"
> > > > > > -
> > > > > > feature pages
> > > > > >
> > > > > > In this case engine periodically checks health of hosts' power
> > > > > > management
> > > > > > as
> > > > > > HA relies on it.
> > > > > >
> > > > > > Arthur
> > > > > >
> > > > > > - Original Message -
> > > > > >
> > > > > > > From: "Gilad Chaplik" 
> > > > > > > To: "Eli Mesika" 
> > > > > > > Cc: "users" , "Arthur Berezin"
> > > > > > > 
> > > > > > > Sent: Sunday, May 4, 2014 5:26:45 PM
> > > > > > > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health
> > > > > > > Check"
> > > > > > > -
> > > > > > > feature pages
> > > > > >
> > > > > > > Hi Eli,
> > > > > >
> > > > > > > Here is my comment :)
> > > > > > > Why engine needs to send the status health check, isn't there any
> > > > > > > 3rd
> > > > > > > parties
> > > > > > > that does it, that we can integrate with?
> > > > > > > If found, it probably has /less (known) bugs/more features/ and
> > > > > > > it's
> > > > > > > already
> > > > > > > written, tested, documented, allows further integration and
> > > > > > > probably
> > > > > > > deals
> > > > > > > with scale.
> > > > > >
> > > > > > > btw, fixed some typos in your pages :-)
> > > > > >
> > > > > > > Thanks,
> > > > > > > Gilad.
> > > > >
> > > > > Hi, what 3rd party for example do you refer to?
> > > > > The PM code already exists at engine,
> > > > > And you're also using quartz for scheduling.
> > > > >
> > > >
> > > > Ya

Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" - feature pages

[Yair Zaslavsky]

- Original Message -
> From: "Gilad Chaplik" 
> To: "Yair Zaslavsky" 
> Cc: "Arthur Berezin" , "users" 
> Sent: Monday, May 5, 2014 10:57:01 AM
> Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" - 
> feature      pages
> 
> - Original Message -
> > From: "Yair Zaslavsky" 
> > To: "Arthur Berezin" 
> > Cc: "Gilad Chaplik" , "users" 
> > Sent: Monday, May 5, 2014 6:39:02 AM
> > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" -
> > feature pages
> > 
> > 
> > 
> > - Original Message -
> > > From: "Arthur Berezin" 
> > > To: "Gilad Chaplik" 
> > > Cc: "users" 
> > > Sent: Sunday, May 4, 2014 5:35:59 PM
> > > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" -
> > > feature   pages
> > > 
> > > In this case engine periodically checks health of hosts' power management
> > > as
> > > HA relies on it.
> > > 
> > > Arthur
> > > 
> > > - Original Message -
> > > 
> > > > From: "Gilad Chaplik" 
> > > > To: "Eli Mesika" 
> > > > Cc: "users" , "Arthur Berezin" 
> > > > Sent: Sunday, May 4, 2014 5:26:45 PM
> > > > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check"
> > > > -
> > > > feature pages
> > > 
> > > > Hi Eli,
> > > 
> > > > Here is my comment :)
> > > > Why engine needs to send the status health check, isn't there any 3rd
> > > > parties
> > > > that does it, that we can integrate with?
> > > > If found, it probably has /less (known) bugs/more features/ and it's
> > > > already
> > > > written, tested, documented, allows further integration and probably
> > > > deals
> > > > with scale.
> > > 
> > > > btw, fixed some typos in your pages :-)
> > > 
> > > > Thanks,
> > > > Gilad.
> > 
> > Hi, what 3rd party for example do you refer to?
> > The PM code already exists at engine,
> > And you're also using quartz for scheduling.
> > 
> 
> Yair,
> 
> You're are raising some good points, but imo the entire host monitoring (inc
> getVdsStats, etc.) should be externalized.
> There are 2 major issues that we still don't cover:
> - No HA for monitoring, who checks the hosts when the engine is down.
> - No scale - the engine is a bottle-neck in network and compute.
> Although the above is a huge arch change, we need to start somewhere, this
> feature sounds like a candidate to introduce it.
> 
> About the examples:
> http://sixrevisions.com/tools/10-free-server-network-monitoring-tools-that-kick-ass/
> The main goal of the feature if my suggestion is taken, is to select to most
> appropriate one.
> 
> Thanks,
> Gilad.


Well, Nagios is being considered to be used or used by Gluster guys.
However, it will still require (AFAIK) to code some nagios plugin to perfrom 
the health check.
In addition, you will have to report somehow the state change to engine.
IMHO, this a bit of an overkill (look also at the time that the check is run - 
once in an hour, so it can't be compared to getVmStats).


> 
> > 
> > > 
> > > > - Original Message -
> > > > > From: "Eli Mesika" 
> > > > > To: "users" 
> > > > > Cc: "Arthur Berezin" 
> > > > > Sent: Sunday, May 4, 2014 12:18:47 PM
> > > > > Subject: [ovirt-users] oVirt 3.5 : "Power Management Health Check" -
> > > > > feature pages
> > > > >
> > > > > Hi
> > > > >
> > > > > The following wiki pages were added to the "Power Management Health
> > > > > Check"
> > > > > feature planned for oVirt 3.5
> > > > >
> > > > > http://www.ovirt.org/Features/PMHealthCheck
> > > > > http://www.ovirt.org/Features/Design/DetailedPMHealthCheck
> > > > >
> > > > > Your comments/questions are mostly welcomed.
> > > > >
> > > > > Thanks
> > > > > Eli Mesika
> > > > > ___
> > > > > Users mailing list
> > > > > Users@ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > >
> > > 
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > > 
> > 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" - feature pages

[Yair Zaslavsky]

- Original Message -
> From: "Arthur Berezin" 
> To: "Gilad Chaplik" 
> Cc: "users" 
> Sent: Sunday, May 4, 2014 5:35:59 PM
> Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" - 
> feature  pages
> 
> In this case engine periodically checks health of hosts' power management as
> HA relies on it.
> 
> Arthur
> 
> - Original Message -
> 
> > From: "Gilad Chaplik" 
> > To: "Eli Mesika" 
> > Cc: "users" , "Arthur Berezin" 
> > Sent: Sunday, May 4, 2014 5:26:45 PM
> > Subject: Re: [ovirt-users] oVirt 3.5 : "Power Management Health Check" -
> > feature pages
> 
> > Hi Eli,
> 
> > Here is my comment :)
> > Why engine needs to send the status health check, isn't there any 3rd
> > parties
> > that does it, that we can integrate with?
> > If found, it probably has /less (known) bugs/more features/ and it's
> > already
> > written, tested, documented, allows further integration and probably deals
> > with scale.
> 
> > btw, fixed some typos in your pages :-)
> 
> > Thanks,
> > Gilad.

Hi, what 3rd party for example do you refer to?
The PM code already exists at engine,
And you're also using quartz for scheduling.


> 
> > - Original Message -
> > > From: "Eli Mesika" 
> > > To: "users" 
> > > Cc: "Arthur Berezin" 
> > > Sent: Sunday, May 4, 2014 12:18:47 PM
> > > Subject: [ovirt-users] oVirt 3.5 : "Power Management Health Check" -
> > > feature pages
> > >
> > > Hi
> > >
> > > The following wiki pages were added to the "Power Management Health
> > > Check"
> > > feature planned for oVirt 3.5
> > >
> > > http://www.ovirt.org/Features/PMHealthCheck
> > > http://www.ovirt.org/Features/Design/DetailedPMHealthCheck
> > >
> > > Your comments/questions are mostly welcomed.
> > >
> > > Thanks
> > > Eli Mesika
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ovirt 3.4 and FreeIPA authentication

[Yair Zaslavsky]

- Original Message -
> From: "Yair Zaslavsky" 
> To: "Peter Harris" 
> Cc: Users@ovirt.org, "Sven Kieske" 
> Sent: Wednesday, April 30, 2014 12:19:57 PM
> Subject: Re: [ovirt-users] ovirt 3.4 and FreeIPA authentication
> 
> 
> As mentioned by Sven,
> As far as I know all these bugs were solved for 3.4.1
> However,
> 
> if possible, I would like to get the following information -
> 
> a. select user_id, username, group_ids from users where username =
> '';
> b. select id, name from ad_groups;

of course this should be collected from the database.

> 
> 
> 
> - Original Message -
> > From: "Peter Harris" 
> > To: Users@ovirt.org
> > Sent: Wednesday, April 30, 2014 11:55:04 AM
> > Subject: [ovirt-users] ovirt 3.4 and FreeIPA authentication
> > 
> > I have just create an oVirt 3.4 server as part of my test environment prior
> > to moving from my production 3.3 environment.
> > 
> > I authenticate against FreeIPA 3.0.0
> > 
> > I generally add a group in IPA, add the permissions in ovirt against the
> > group, and then add/remove users from the groups in IPA.
> > 
> > With oVirt3.4, I have justed added my vmadmin IPA group to ovirt, and given
> > it the SuperUser role.
> > 
> > I try to log in to oVirt 3.4 as myself (I am in the vmadmin group), and I
> > can authenticate fine, but I do not have SuperUser privileges. If I log in
> > to my live Ovirt (3.3), I do have SuperUser privileges.
> > 
> > Has something changed? Or is there an extra step I have to take that I have
> > missed to propogate privileges.
> > 
> > Thanks
> > 
> > Peter
> > 
> > P.S. All work done in the ovirt Admin portal gui so far, not tried the CLI
> > yet.
> > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ovirt 3.4 and FreeIPA authentication

[Yair Zaslavsky]

As mentioned by Sven,
As far as I know all these bugs were solved for 3.4.1
However,

if possible, I would like to get the following information -

a. select user_id, username, group_ids from users where username = 
'';
b. select id, name from ad_groups;



- Original Message -
> From: "Peter Harris" 
> To: Users@ovirt.org
> Sent: Wednesday, April 30, 2014 11:55:04 AM
> Subject: [ovirt-users] ovirt 3.4 and FreeIPA authentication
> 
> I have just create an oVirt 3.4 server as part of my test environment prior
> to moving from my production 3.3 environment.
> 
> I authenticate against FreeIPA 3.0.0
> 
> I generally add a group in IPA, add the permissions in ovirt against the
> group, and then add/remove users from the groups in IPA.
> 
> With oVirt3.4, I have justed added my vmadmin IPA group to ovirt, and given
> it the SuperUser role.
> 
> I try to log in to oVirt 3.4 as myself (I am in the vmadmin group), and I
> can authenticate fine, but I do not have SuperUser privileges. If I log in
> to my live Ovirt (3.3), I do have SuperUser privileges.
> 
> Has something changed? Or is there an extra step I have to take that I have
> missed to propogate privileges.
> 
> Thanks
> 
> Peter
> 
> P.S. All work done in the ovirt Admin portal gui so far, not tried the CLI
> yet.
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] does SPM can run over ovirt-engine host ?

[Yair Zaslavsky]

Hi Tamer,
Are you familiar with the all in one feature?

http://www.ovirt.org/Feature/AllInOne

I'm not sure if this can help you now, as you probably  don't want to 
re-install ovirt, right?


- Original Message -
> From: "Tamer Lima" 
> To: users@ovirt.org
> Sent: Monday, April 14, 2014 5:13:12 PM
> Subject: [ovirt-users] does SPM can run over ovirt-engine host ?
> 
> Hello,
> 
> When I create virtual machine from a template (centos6.5, 2 cores, 8GB mem,
> 500GB hd)  this process takes almost 2 hours.   I click on "New VM" button
> and just select the template and click ok.
> 
> engine.log show me high network consumption (98%)  between  engine-server
> host and SPM host.
> 
> I tried to make my engine-server host a spm host too, but without sucess.
> 
> 
> Does SPM can run over on the same ovirt-engine machine ?
> 
> Am I make something wrong? Or create VM from template is really slow ?
> 
> 
> my servers :
> srv-0202  = ovirt-engine  , vdsm
> srv-0203 = spm , vdsm
> srv-0204 = vdsm
> These servers are dell blades connected on a 100GB switch.
> 
> 
> 
> thanks
> 
> 
> 
> 
> This is what I know about SPM:
> http://www.ovirt.org/Storage_-_oVirt_workshop_November_2011
> 
> = Storage Pool Manager (SPM) A role assigned to one host in a data center
> granting it sole authority over:
> 
>- Creation, deletion, an dmanipulation of virtula disk images, snapshots
>and templates
>   - Templates: you can create on VM as a golden image and provision to
>   multiple VMs (QCOW layers)
>- Allocation of storage for sparse block devices (on SAN)
>   - Thin provisinoing (see below)
>- Single metadata writer:
>   - SPM lease mechanism (Chockler and Malkhi 2004, Light-Weight Leases
>   for Storage-Cnntric Coordination)
>   - Storage-centric mailbox
>- This role can be migrated to any host in data center
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Error creating Disks

[Yair Zaslavsky]

Hi Federico, 
Can you please take a look? 


- Original Message -
> From: "Maurice James" 
> To: "Yair Zaslavsky" 
> Cc: users@ovirt.org
> Sent: Monday, April 14, 2014 5:44:44 PM
> Subject: Re: [ovirt-users] Error creating Disks
> 
> Logs attached
> 
> - Original Message -
> From: "Yair Zaslavsky" 
> To: "Maurice James" 
> Cc: users@ovirt.org
> Sent: Monday, April 14, 2014 10:33:03 AM
> Subject: Re: [ovirt-users] Error creating Disks
> 
> Hi,
> IMHO not enough info is provided,
> Can you please provide full engine.log and relevant vdsm.log?
> 
> THanks,
> Yair
> 
> 
> - Original Message -
> > From: "Maurice James" 
> > To: users@ovirt.org
> > Sent: Monday, April 14, 2014 5:00:37 PM
> > Subject: [ovirt-users] Error creating Disks
> > 
> > oVirt Engine Version: 3.4.1-0.0.master.20140412010845.git43746c6.el6
> > 
> > 
> > While attempting to create a disk on an NFS storage domain, it fails with
> > the
> > following error in the engine.log
> > 
> > 
> > 
> > 
> > 2014-04-14 09:58:12,127 ERROR
> > [org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksStatusesVDSCommand]
> > (DefaultQuartzScheduler_Worker-72) Failed in HSMGetAllTasksStatusesVDS
> > method
> > 2014-04-14 09:58:12,139 ERROR [org.ovirt.engine.core.bll.SPMAsyncTask]
> > (DefaultQuartzScheduler_Worker-72) BaseAsyncTask::LogEndTaskFailure: Task
> > ee6ce682-bd76-467a-82d2-d227229cb9de (Parent Command AddDisk, Parameters
> > Type org.ovirt.engine.core.common.asynctasks.AsyncTaskParameters) ended
> > with
> > failure:
> > 2014-04-14 09:58:12,159 ERROR [org.ovirt.engine.core.bll.AddDiskCommand]
> > (org.ovirt.thread.pool-6-thread-9) [483e53d6] Ending command with failure:
> > org.ovirt.engine.core.bll.AddDiskCommand
> > 2014-04-14 09:58:12,212 ERROR
> > [org.ovirt.engine.core.bll.AddImageFromScratchCommand]
> > (org.ovirt.thread.pool-6-thread-9) [ab1e0be] Ending command with failure:
> > org.ovirt.engine.core.bll.AddImageFromScratchCommand
> > 
> > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Error creating Disks

[Yair Zaslavsky]

Hi,
IMHO not enough info is provided,
Can you please provide full engine.log and relevant vdsm.log?

THanks,
Yair


- Original Message -
> From: "Maurice James" 
> To: users@ovirt.org
> Sent: Monday, April 14, 2014 5:00:37 PM
> Subject: [ovirt-users] Error creating Disks
> 
> oVirt Engine Version: 3.4.1-0.0.master.20140412010845.git43746c6.el6
> 
> 
> While attempting to create a disk on an NFS storage domain, it fails with the
> following error in the engine.log
> 
> 
> 
> 
> 2014-04-14 09:58:12,127 ERROR
> [org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksStatusesVDSCommand]
> (DefaultQuartzScheduler_Worker-72) Failed in HSMGetAllTasksStatusesVDS
> method
> 2014-04-14 09:58:12,139 ERROR [org.ovirt.engine.core.bll.SPMAsyncTask]
> (DefaultQuartzScheduler_Worker-72) BaseAsyncTask::LogEndTaskFailure: Task
> ee6ce682-bd76-467a-82d2-d227229cb9de (Parent Command AddDisk, Parameters
> Type org.ovirt.engine.core.common.asynctasks.AsyncTaskParameters) ended with
> failure:
> 2014-04-14 09:58:12,159 ERROR [org.ovirt.engine.core.bll.AddDiskCommand]
> (org.ovirt.thread.pool-6-thread-9) [483e53d6] Ending command with failure:
> org.ovirt.engine.core.bll.AddDiskCommand
> 2014-04-14 09:58:12,212 ERROR
> [org.ovirt.engine.core.bll.AddImageFromScratchCommand]
> (org.ovirt.thread.pool-6-thread-9) [ab1e0be] Ending command with failure:
> org.ovirt.engine.core.bll.AddImageFromScratchCommand
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Disable auth basic in API

[Yair Zaslavsky]

- Original Message -
> From: "Jose Manuel Marquez Alhambra" 
> To: users@ovirt.org
> Sent: Saturday, April 12, 2014 12:28:31 AM
> Subject: [ovirt-users] Disable auth basic in API
> 
> Hi,
> 
> I’m testing a connection broker that uses oVirt's API. At the moment, the
> connection broker doesn’t work because it doesn’t send the basic
> authentication to oVirt's API. I contacted the developers and they're
> investigating the error. While they solve the error, I would like to
> continue testing the connection broker. Is there any way to disable auth
> basic in oVirt's API?
> 
> I’m using it in a testing environment (oVirt 3.4 at CentOS 6), so I’m not
> worried about security risks.
> 
> Thank you.
> 
> Regards,
> 
> Jose

Please elaborate more on what you're trying to achieve,
I'm not sure I fully understood.

Thanks in advance,

Yair

> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] help.. vm trapped in limbo aka can't acquire exclusive lock

[Yair Zaslavsky]

Can you please attach full engine.log?

Many thanks,
Yair


- Original Message -
> From: "Jeremiah Jahn" 
> To: users@ovirt.org
> Sent: Thursday, April 10, 2014 2:18:48 AM
> Subject: [ovirt-users] help.. vm trapped in limbo aka can't acquire   
> exclusive lock
> 
> I can't start it, I can't migrate it. I tried to migrate it before,
> but the machine was stuck in a read only state. The migration failed
> because the machine it was being migrated to was also in a read only
> state. somewhere  in the process the lock obviously got lost, and I
> can't get it back...
> 
> 
> 
> 2014-04-09 18:11:16,675 INFO  [org.ovirt.engine.core.bll.RunVmCommand]
> (ajp--127.0.0.1-8702-3) [58b40832] Failed to Acquire Lock to object
> EngineLock [exclusiveLocks= key: b0108933-deb2-4fa0-ae74-e10cefbb0cea
> value: VM
> , sharedLocks= ]
> 
> 
> 2014-04-09 18:11:16,676 WARN  [org.ovirt.engine.core.bll.RunVmCommand]
> (ajp--127.0.0.1-8702-3) [58b40832] CanDoAction of action RunVm failed.
> Reasons:VAR__ACTION__RUN,VAR__TYPE__VM,ACTION_TYPE_FAILED_VM_IS_BEING_MIGRATED,$VmName
> web.judici
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] [Users] A mobile monitoring application for oVirt

[Yair Zaslavsky]

Awesome,
Do you need help in developing that?
Are you getting the information via notification of events, or are you polling?



- Original Message -
> From: "Martin Betak" 
> To: users@ovirt.org
> Sent: Thursday, April 3, 2014 5:37:05 PM
> Subject: [Users] A mobile monitoring application for oVirt
> 
> Hello oVirt users,
> 
> I'm in the process of developing a simple monitoring application for oVirt on
> the Android platform.
> This is still under heavy development, but first usable version can be found
> at [1]
> Please note that this is still a development preview so it can be a little
> unstable and the UI design is not yet perfect
> (well ... design by programmer :-)) but I hope it could be useful. All
> comments, remarks,
> feature requests and general feedback are very welcome. You can file any
> issues directly at [2].
> 
> Below follow the details of using and configuring the app.
> 
> Description:
> 
> The goal of this project was to create a simple Android app that would enable
> oVirt admins to configure conditions on Vms, Clusters,
> or whole datacenter upon which they want to be notified. At the moment you
> can configure 3 types of "Triggers":
> - when Vm CPU is over given level
> - when Vm Memory usage is over given level
> - when Vm enters given state (Down, Unknown ...)
> You can also choose if you want just simple standard android notification or
> also want the device to vibrate.
> 
> You can also define all these triggers on per-Vm, per-Cluster or "global"
> level.
> 
> Configuration:
> 
> On first run the app will prompt you to enter connection parameters of your
> running oVirt engine instance.
> API URL should be in the form of http://host:port/ovirt-engine/api
> Username is user@domain i.e. admin@internal
> Password is ... well the above user's password :-)
> 
> sadly only http (not https) is supported so far for endpoint url.
> 
> If you have any more questions feel free to use this thread and I'll do my
> best to answer them :-)
> 
> Best regards,
> 
> Martin
> 
> 
> [1] https://github.com/matobet/moVirt/blob/master/moVirt/moVirt.apk
> [2] https://github.com/matobet/moVirt/issues
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Login Error using AD domain

[Yair Zaslavsky]

Hi,
Seems you still have some issue in your environment if this error is reported, 
you can try to kinit yourself and check.
For that you will need an appropriate krb5.conf file to be placed at 
/etc/krb5.conf - and to perform

kinit user@REALM

the content of the krb5.conf file can be:


[libdefaults]
default_realm = 
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
no-addresses = false
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1 


- Original Message -
> From: "Jeff Clay" 
> To: users@ovirt.org
> Sent: Tuesday, April 8, 2014 12:09:23 AM
> Subject: [Users] Login Error using AD domain
> 
> This was working fine, now I get the error below in engine.log when I try
> to log in. The clock times are the same. I even changed the time service on
> the domain controller to use the same NTP source as the engine server. I
> have rebooted the domain controller to make sure that all settings were
> applied, but I still get this error. I can log into our other AD domain
> without issue, the problem is just with this particular domain.
> 
> 
> 2014-04-07 16:05:07,453 ERROR
> [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
> (ajp--127.0.0.1-8702-7) Kerberos error: Clock skew too great (37)
> 2014-04-07 16:05:07,454 ERROR
> [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy]
> (ajp--127.0.0.1-8702-7) Authentication Failed. The Engine clock is not
> synchronized with directory services (must be within 5 minutes difference).
> Please verify the clocks are synchronized
> 2014-04-07 16:05:07,456 ERROR
> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
> (ajp--127.0.0.1-8702-7) Failed ldap search server ldap://par-dc1:389 using
> user jc...@corporate.wellsco.net due to Authentication Failed. The Engine
> clock is not synchronized with directory services (must be within 5 minutes
> difference). Please verify the clocks are synchronized. We should try the
> next server
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Unable to log into user portal with user account

[Yair Zaslavsky]

- Original Message -
> From: "Jeff Clay" 
> To: "Yair Zaslavsky" , users@ovirt.org
> Sent: Monday, April 7, 2014 4:28:09 AM
> Subject: Re: [Users] Unable to log into user portal with user account
> 
> I added the domain using engine-manage-domains and then I went into the
> engine admin portal and added the groups I mentioned and assigned those
> groups to the UserRole for ovirt. I'm not familiar with psql at all, every
> iteration of running the queries you requested has failed.

Ok, after you fail to login to userportal, can you login to the admin portal, 
and check for the user you tried to login with what are the permissions he has?

Thanks,
Yair

> 
> 
> On Sun, Apr 6, 2014 at 7:27 PM, Yair Zaslavsky  wrote:
> 
> > Hi,
> > 1. When you log in to to the admin portal, and check the permissions the
> > user have, does it have the UserRole?
> > 2. Can you please provide us the following SQL queries (using psql)
> >
> > select user_name, groupIds from users;

Should be select username, group_ids from users;  - sorry, my bad.

> >
> > select id,name from ad_groups;
> >
> >
> > 3. In addition - have you manually added your user to oVirt before the
> > login attempt, or did you just add the mentioned group + gave it
> > permissions?
> >
> > Thanks,
> > Yair
> >
> >
> >
> > - Original Message -
> > > From: "Jeff Clay" 
> > > To: users@ovirt.org
> > > Sent: Monday, April 7, 2014 3:01:55 AM
> > > Subject: [Users] Unable to log into user portal with user account
> > >
> > > I have attached an AD domain. I can log in to the admin and user portals
> > > with the credentials used to add the domain. I made a new user on the AD
> > > for testing. I have added BuiltIn\Users and Domain\Users to the UserRole
> > in
> > > Ovirt. When I try to log in to the UserPortal with a regular user
> > account I
> > > get the error that the user isn't authorized to perform the action.
> > >
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Unable to log into user portal with user account

[Yair Zaslavsky]

Hi,
1. When you log in to to the admin portal, and check the permissions the user 
have, does it have the UserRole?
2. Can you please provide us the following SQL queries (using psql)

select user_name, groupIds from users;

select id,name from ad_groups;


3. In addition - have you manually added your user to oVirt before the login 
attempt, or did you just add the mentioned group + gave it permissions?

Thanks,
Yair



- Original Message -
> From: "Jeff Clay" 
> To: users@ovirt.org
> Sent: Monday, April 7, 2014 3:01:55 AM
> Subject: [Users] Unable to log into user portal with user account
> 
> I have attached an AD domain. I can log in to the admin and user portals
> with the credentials used to add the domain. I made a new user on the AD
> for testing. I have added BuiltIn\Users and Domain\Users to the UserRole in
> Ovirt. When I try to log in to the UserPortal with a regular user account I
> get the error that the user isn't authorized to perform the action.
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Error removing external group

[Yair Zaslavsky]

Gilad, I suspect this is with users and groups upgraded from 3.3.
Did you install engine of ovirt 3.3 and upgrade it to 3.4?


- Original Message -
> From: "Gilad Chaplik" 
> To: "Kobi Ianku" 
> Cc: "Yair Zaslavsky" , users@ovirt.org, "Maurice James" 
> 
> Sent: Sunday, March 30, 2014 2:08:35 AM
> Subject: Re: [Users] Error removing external group
> 
> - Original Message -
> > From: "Maurice James" 
> > To: "Yair Zaslavsky" 
> > Cc: "Gilad Chaplik" , users@ovirt.org
> > Sent: Saturday, March 29, 2014 5:18:58 PM
> > Subject: RE: [Users] Error removing external group
> > 
> > I will give that a try
> 
> let's test it tomorrow morning. we have the setup :-)
> 
> > 
> > -Original Message-
> > From: Yair Zaslavsky [mailto:yzasl...@redhat.com]
> > Sent: Friday, March 28, 2014 10:22 PM
> > To: Maurice James
> > Cc: Gilad Chaplik; users@ovirt.org
> > Subject: Re: [Users] Error removing external group
> > 
> > Maurice,
> > What happens if you add the same group again and try to remove it again?
> > 
> > 
> > - Original Message -
> > > From: "Maurice James" 
> > > To: "Yair Zaslavsky" 
> > > Cc: "Gilad Chaplik" , users@ovirt.org
> > > Sent: Friday, March 28, 2014 8:07:37 PM
> > > Subject: RE: [Users] Error removing external group
> > > 
> > > Yes it was in there from 3.3
> > > 
> > > > Date: Thu, 27 Mar 2014 22:11:58 -0400
> > > > From: yzasl...@redhat.com
> > > > To: midnightst...@msn.com
> > > > CC: gchap...@redhat.com; users@ovirt.org
> > > > Subject: Re: [Users] Error removing external group
> > > > 
> > > > Maurice,
> > > > Is the group that you removed was added from 3.3 , before you
> > > > upgraded to 3.4?
> > > > 
> > > > 
> > > > - Original Message -
> > > > > From: "Maurice James" 
> > > > > To: "Gilad Chaplik" 
> > > > > Cc: users@ovirt.org
> > > > > Sent: Thursday, March 27, 2014 5:52:04 PM
> > > > > Subject: Re: [Users] Error removing external group
> > > > > 
> > > > > 
> > > > > I yanked it out of the database. That part is all good now. Im not
> > > > > sure how it got stuck though
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > > Date: Thu, 27 Mar 2014 11:34:58 -0400
> > > > > > From: gchap...@redhat.com
> > > > > > To: midnightst...@msn.com
> > > > > > CC: users@ovirt.org; kia...@redhat.com
> > > > > > Subject: Re: [Users] Error removing external group
> > > > > > 
> > > > > > we're there for quota, we will take a look as well, it's 'on our
> > > > > > way'
> > > > > > :-)
> > > > > > 
> > > > > > Thanks,
> > > > > > Gilad.
> > > > > > 
> > > > > > - Original Message -
> > > > > > > From: "Maurice James" 
> > > > > > > To: users@ovirt.org
> > > > > > > Sent: Thursday, March 27, 2014 4:01:25 PM
> > > > > > > Subject: [Users] Error removing external group
> > > > > > > 
> > > > > > > Version 3.4.0-1.el6
> > > > > > > 
> > > > > > > I'm attempting to remove a group from the users tab in the UI
> > > > > > > and I'm seeing the following error in the engine.log
> > > > > > > 
> > > > > > > 
> > > > > > > 2014-03-27 09:59:01,247 ERROR
> > > > > > > [org.ovirt.engine.core.bll.MultipleActionsRunner]
> > > > > > > (ajp--127.0.0.1-8702-8)
> > > > > > > [30e4f6c2] Failed to execute multiple actions of type:
> > > > > > > RemoveGroup:
> > > > > > > java.lang.NullPointerException at
> > > > > > > org.ovirt.engine.core.authentication.provisional.ProvisionalDi
> > > > > > > rectory.mapGroup(ProvisionalDirectory.java:211)
> > > > > > > [bll.jar:]
> > > > > > > at
> > > > > > > org.ovirt.engine.core.authentication.provisional.

Re: [Users] Cannot login with AD user after upgrade 3.3->3.4

[Yair Zaslavsky]

Markus, which version of ovirt 3.3 did you upgrade from? and to which version 
of 3.4?


- Original Message -
> From: "Yair Zaslavsky" 
> To: "Markus Stockhausen" 
> Cc: "ovirt-users" 
> Sent: Saturday, March 29, 2014 6:01:24 AM
> Subject: Re: [Users] Cannot login with AD user after upgrade 3.3->3.4
> 
> Looks like a bug in upgrade from 3.3 to 3.4
> I will file a bug on that.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1082195
> 
> 
> - Original Message -
> > From: "Markus Stockhausen" 
> > To: "ovirt-users" 
> > Sent: Friday, March 28, 2014 11:56:32 PM
> > Subject: Re: [Users] Cannot login with AD user after upgrade 3.3->3.4
> > 
> > > Hello,
> > >
> > > my upgrade from 3.3 to 3.4 went quite well. Only problem
> > > afterwards is I'm unable to log into the engine with one of
> > > my attached AD users. Internal admin user works fine.
> > >
> > > system permissions before and after the upgrade are as follows:
> > >
> > > mydomain.com/builtin/Administrators SuperUser
> > > mydomain.com/builtin/Administrators PowerUserRole
> > 
> > sorry for the noise. User/group assignments in the domain
> > were changed in parallel. So user had effectively no access
> > rights.
> > 
> > Markus
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Cannot login with AD user after upgrade 3.3->3.4

[Yair Zaslavsky]

Looks like a bug in upgrade from 3.3 to 3.4
I will file a bug on that.

https://bugzilla.redhat.com/show_bug.cgi?id=1082195


- Original Message -
> From: "Markus Stockhausen" 
> To: "ovirt-users" 
> Sent: Friday, March 28, 2014 11:56:32 PM
> Subject: Re: [Users] Cannot login with AD user after upgrade 3.3->3.4
> 
> > Hello,
> >
> > my upgrade from 3.3 to 3.4 went quite well. Only problem
> > afterwards is I'm unable to log into the engine with one of
> > my attached AD users. Internal admin user works fine.
> >
> > system permissions before and after the upgrade are as follows:
> >
> > mydomain.com/builtin/Administrators SuperUser
> > mydomain.com/builtin/Administrators PowerUserRole
> 
> sorry for the noise. User/group assignments in the domain
> were changed in parallel. So user had effectively no access
> rights.
> 
> Markus
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Error removing external group

[Yair Zaslavsky]

Maurice,
What happens if you add the same group again and try to remove it again?


- Original Message -
> From: "Maurice James" 
> To: "Yair Zaslavsky" 
> Cc: "Gilad Chaplik" , users@ovirt.org
> Sent: Friday, March 28, 2014 8:07:37 PM
> Subject: RE: [Users] Error removing external group
> 
> Yes it was in there from 3.3
> 
> > Date: Thu, 27 Mar 2014 22:11:58 -0400
> > From: yzasl...@redhat.com
> > To: midnightst...@msn.com
> > CC: gchap...@redhat.com; users@ovirt.org
> > Subject: Re: [Users] Error removing external group
> > 
> > Maurice,
> > Is the group that you removed was added from 3.3 , before you upgraded to
> > 3.4?
> > 
> > 
> > - Original Message -
> > > From: "Maurice James" 
> > > To: "Gilad Chaplik" 
> > > Cc: users@ovirt.org
> > > Sent: Thursday, March 27, 2014 5:52:04 PM
> > > Subject: Re: [Users] Error removing external group
> > > 
> > > 
> > > I yanked it out of the database. That part is all good now. Im not sure
> > > how
> > > it got stuck though
> > > 
> > > 
> > > 
> > > 
> > > > Date: Thu, 27 Mar 2014 11:34:58 -0400
> > > > From: gchap...@redhat.com
> > > > To: midnightst...@msn.com
> > > > CC: users@ovirt.org; kia...@redhat.com
> > > > Subject: Re: [Users] Error removing external group
> > > > 
> > > > we're there for quota, we will take a look as well, it's 'on our way'
> > > > :-)
> > > > 
> > > > Thanks,
> > > > Gilad.
> > > > 
> > > > - Original Message -
> > > > > From: "Maurice James" 
> > > > > To: users@ovirt.org
> > > > > Sent: Thursday, March 27, 2014 4:01:25 PM
> > > > > Subject: [Users] Error removing external group
> > > > > 
> > > > > Version 3.4.0-1.el6
> > > > > 
> > > > > I'm attempting to remove a group from the users tab in the UI and I'm
> > > > > seeing
> > > > > the following error in the engine.log
> > > > > 
> > > > > 
> > > > > 2014-03-27 09:59:01,247 ERROR
> > > > > [org.ovirt.engine.core.bll.MultipleActionsRunner]
> > > > > (ajp--127.0.0.1-8702-8)
> > > > > [30e4f6c2] Failed to execute multiple actions of type: RemoveGroup:
> > > > > java.lang.NullPointerException
> > > > > at
> > > > > org.ovirt.engine.core.authentication.provisional.ProvisionalDirectory.mapGroup(ProvisionalDirectory.java:211)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.authentication.provisional.ProvisionalDirectory.findGroup(ProvisionalDirectory.java:187)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.bll.AdGroupsHandlingCommandBase.getAdGroup(AdGroupsHandlingCommandBase.java:49)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.bll.AdGroupsHandlingCommandBase.getAdGroupName(AdGroupsHandlingCommandBase.java:38)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.bll.AdGroupsHandlingCommandBase.getDescription(AdGroupsHandlingCommandBase.java:57)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.bll.CommandBase.canDoActionOnly(CommandBase.java:326)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.bll.MultipleActionsRunner.execute(MultipleActionsRunner.java:76)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.bll.Backend.runMultipleActionsImpl(Backend.java:549)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.bll.Backend.runMultipleActionsImpl(Backend.java:565)
> > > > > [bll.jar:]
> > > > > at
> > > > > org.ovirt.engine.core.bll.Backend.runMultipleActions(Backend.java:519)
> > > > > [bll.jar:]
> > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > [rt.jar:1.7.0_51]
> > > > > at
> > > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > > > [rt.jar:1.7.0_51]
> > > > > at
> > > > > sun.ref

Re: [Users] Cannot add IPA server to ovirt

[Yair Zaslavsky]

- Original Message -
> From: "René Koch" 
> To: "Demeter Tibor" 
> Cc: users@ovirt.org
> Sent: Friday, March 28, 2014 11:30:44 AM
> Subject: Re: [Users] Cannot add IPA server to ovirt
> 
> On 03/28/2014 09:19 AM, Demeter Tibor wrote:
> > Hi,
> >
> > I made an IPA server for testing purposes, but I cannot add to ovirt
> > 3.4. The IPA server seems to be working good.
> >
> > When I add IPA to ovirt, I get this error mesage:
> >
> > [root@ovirttest etc]# engine-manage-domains add --domain=itsmart.local
> > --user=admin --provider=ipa
> > --ldap-servers=ldap1.itsmart.local,ldap2.itsmart.local
> > No KDC can be obtained for domain itsmart.local
> 
> I guess oVirt isn't able to find the Kerberos server due to missing SRV
> records?

Seems to me this is the reason.
Please check by dig SRV _kerberos._tcp.itsmart.local

> 
> >
> >
> > What does mean this?
> >
> > Can me help anyone?
> >
> >
> > Thanks,
> >
> >
> > Tibor
> >
> >
> >
> >
> >
> >
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Error removing external group

[Yair Zaslavsky]

Maurice,
Is the group that you removed was added from 3.3 , before you upgraded to 3.4?


- Original Message -
> From: "Maurice James" 
> To: "Gilad Chaplik" 
> Cc: users@ovirt.org
> Sent: Thursday, March 27, 2014 5:52:04 PM
> Subject: Re: [Users] Error removing external group
> 
> 
> I yanked it out of the database. That part is all good now. Im not sure how
> it got stuck though
> 
> 
> 
> 
> > Date: Thu, 27 Mar 2014 11:34:58 -0400
> > From: gchap...@redhat.com
> > To: midnightst...@msn.com
> > CC: users@ovirt.org; kia...@redhat.com
> > Subject: Re: [Users] Error removing external group
> > 
> > we're there for quota, we will take a look as well, it's 'on our way' :-)
> > 
> > Thanks,
> > Gilad.
> > 
> > - Original Message -
> > > From: "Maurice James" 
> > > To: users@ovirt.org
> > > Sent: Thursday, March 27, 2014 4:01:25 PM
> > > Subject: [Users] Error removing external group
> > > 
> > > Version 3.4.0-1.el6
> > > 
> > > I'm attempting to remove a group from the users tab in the UI and I'm
> > > seeing
> > > the following error in the engine.log
> > > 
> > > 
> > > 2014-03-27 09:59:01,247 ERROR
> > > [org.ovirt.engine.core.bll.MultipleActionsRunner] (ajp--127.0.0.1-8702-8)
> > > [30e4f6c2] Failed to execute multiple actions of type: RemoveGroup:
> > > java.lang.NullPointerException
> > > at
> > > org.ovirt.engine.core.authentication.provisional.ProvisionalDirectory.mapGroup(ProvisionalDirectory.java:211)
> > > [bll.jar:]
> > > at
> > > org.ovirt.engine.core.authentication.provisional.ProvisionalDirectory.findGroup(ProvisionalDirectory.java:187)
> > > [bll.jar:]
> > > at
> > > org.ovirt.engine.core.bll.AdGroupsHandlingCommandBase.getAdGroup(AdGroupsHandlingCommandBase.java:49)
> > > [bll.jar:]
> > > at
> > > org.ovirt.engine.core.bll.AdGroupsHandlingCommandBase.getAdGroupName(AdGroupsHandlingCommandBase.java:38)
> > > [bll.jar:]
> > > at
> > > org.ovirt.engine.core.bll.AdGroupsHandlingCommandBase.getDescription(AdGroupsHandlingCommandBase.java:57)
> > > [bll.jar:]
> > > at
> > > org.ovirt.engine.core.bll.CommandBase.canDoActionOnly(CommandBase.java:326)
> > > [bll.jar:]
> > > at
> > > org.ovirt.engine.core.bll.MultipleActionsRunner.execute(MultipleActionsRunner.java:76)
> > > [bll.jar:]
> > > at
> > > org.ovirt.engine.core.bll.Backend.runMultipleActionsImpl(Backend.java:549)
> > > [bll.jar:]
> > > at
> > > org.ovirt.engine.core.bll.Backend.runMultipleActionsImpl(Backend.java:565)
> > > [bll.jar:]
> > > at org.ovirt.engine.core.bll.Backend.runMultipleActions(Backend.java:519)
> > > [bll.jar:]
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > [rt.jar:1.7.0_51]
> > > at
> > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > [rt.jar:1.7.0_51]
> > > at
> > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > [rt.jar:1.7.0_51]
> > > at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
> > > at
> > > org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72)
> > > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> > > at
> > > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> > > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> > > at
> > > org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374)
> > > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> > > at
> > > org.ovirt.engine.core.bll.interceptors.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:13)
> > > [bll.jar:]
> > > at sun.reflect.GeneratedMethodAccessor139.invoke(Unknown Source)
> > > [:1.7.0_51]
> > > at
> > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > [rt.jar:1.7.0_51]
> > > at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
> > > at
> > > org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptorFactory$ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptorFactory.java:123)
> > > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> > > at
> > > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> > > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> > > at
> > > org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
> > > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> > > at
> > > org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36)
> > > [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> > > at
> > > org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> > > [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> > > at
> > > org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21)
> > > [jboss-invocation-1.1.1.Final.jar:1.1.1

Re: [Users] Logs using syslog

[Yair Zaslavsky]

Hi Eduardo,
We have an open RFE for that -

https://bugzilla.redhat.com/show_bug.cgi?id=1078738

In general, 
JBoss AS 7.1 has moved from log4j logging to java.util logging and the syslog 
handler is not working anymore,
>From various sources I have read at the internet looks like the solution is to 
>develop a custom syslog handler, pack it as a jboss module, and then
configure it in share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in 



- Original Message -
> From: "Eduardo Ramos" 
> To: "users@ovirt.org" 
> Sent: Thursday, March 13, 2014 5:12:25 PM
> Subject: [Users] Logs using syslog
> 
> Hi all!
> 
> Is there a way to log engine messages to a syslog? I searched for
> 'syslog' in /etc/ovirt-engine/*, but not results.
> 
> Thanks
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] API read-only access / roles

[Yair Zaslavsky]

- Original Message -
> From: "Itamar Heim" 
> To: "Sven Kieske" , "Users@ovirt.org List" 
> , "Yair Zaslavsky"
> 
> Sent: Wednesday, March 26, 2014 12:46:28 PM
> Subject: Re: [Users] API read-only access / roles
> 
> On 03/26/2014 06:39 AM, Sven Kieske wrote:
> >
> >
> > Am 26.03.2014 11:21, schrieb Itamar Heim:
> >> On 03/26/2014 06:16 AM, Sven Kieske wrote:
> >>> Hi,
> >>>
> >>> as we now have setup ldap, now the question which
> >>> never got answered in the first place:
> >>>
> >>> 1.
> >>> which rights do I need for read only access?
> >>>
> >>> as stated in BZ just login rights won't suffice.
> >>
> >> an admin role with login? why not?
> >> i thought we even pre-created such a default read only role by now:
> >> Bug 1038222 - [RFE] Read Only Admin role in AP
> >>
> >> (and you can create one yourself in 3.3 as well iirc)
> >>
> > What would happen if I create this user myself
> > and I want to upgrade to 3.4 somewhere in time?
> >
> > My guess would be the upgrade would fail if this
> > user gets added automatically, because it is already
> > there?
> >
> 
> its not a user. its a system defined role.
> you can create a user defined role (with a different name)
> you should do this via the GUI in 3.3, not via the db (then the uuid
> will be different as well, and no upgrade issues)

Regarding your upgrade question -
I would like to add that although we have a hard-coded internal admin user, 
your "read only" user (that is, a user you assigned the role you created) is 
not a hard coded one. I don't think we will go for a strategy of adding another 
"hardcoded" user for read only , so you should not have upgrade issues.

> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] External group permissions

[Yair Zaslavsky]

- Original Message -
> From: "Yair Zaslavsky" 
> To: "Maurice James" 
> Cc: users@ovirt.org
> Sent: Wednesday, March 26, 2014 12:20:02 PM
> Subject: Re: [Users] External group permissions
> 
> 
> 
> - Original Message -
> > From: "Maurice James" 
> > To: users@ovirt.org
> > Sent: Wednesday, March 26, 2014 11:48:21 AM
> > Subject: [Users] External group permissions
> > 
> > I used engine-manage-domains to allow external authentication from active
> > directory to my ovirt management ui. I assigned and ad group super user and
> > power user permissions on the DC. I cant get any user to login to the
> > webadmin portal. In the log says that they have no permission. Which right
> > do I have to assign to the group in order for its member to be able to
> > login
> > to the web ui?
> > 
> 
> 1. Which ovirt version are you using?
> 2. May I get the following results from postgresql ?
> 
> a. select user_id, name, group_ids from users;
> b. select id from ad_groups;

Actually select id,name from ad_groups;

> c. select select * from permissions;

Typo - I meant select * from permissions of course.
> 
> 
> Many thanks,
> Yair
> 
> 
> > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] External group permissions

[Yair Zaslavsky]

- Original Message -
> From: "Maurice James" 
> To: users@ovirt.org
> Sent: Wednesday, March 26, 2014 11:48:21 AM
> Subject: [Users] External group permissions
> 
> I used engine-manage-domains to allow external authentication from active
> directory to my ovirt management ui. I assigned and ad group super user and
> power user permissions on the DC. I cant get any user to login to the
> webadmin portal. In the log says that they have no permission. Which right
> do I have to assign to the group in order for its member to be able to login
> to the web ui?
> 

1. Which ovirt version are you using?
2. May I get the following results from postgresql ?

a. select user_id, name, group_ids from users;
b. select id from ad_groups;
c. select select * from permissions;


Many thanks,
Yair


> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Upgrade from 3.4.0-0.9 to 3.4.0-0.12

[Yair Zaslavsky]

- Original Message -
> From: "Maurice James" 
> To: users@ovirt.org
> Sent: Friday, March 7, 2014 1:49:23 AM
> Subject: [Users] Upgrade from 3.4.0-0.9 to 3.4.0-0.12
> 
> I got the following error while trying to upgrade
> 
>  
> 
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35994
> 
> psql:upgrade/03_04_0600_event_notification_methods.sql:10: ERROR:  column
> "notification_method" contains null values

Maurice,
As far as I understand, this was resolved by 
https://bugzilla.redhat.com/show_bug.cgi?id=1072549
 (CC'ing Eli who worked on this bug)
Eli - I see the patch has script numbering of 03_05 - is there a plan to 
provide 03_04 script for that fix?

Yair



> 
> 2014-03-06 18:33:46 ERROR otopi.context context._executeMethod:161 Failed to
> execute stage 'Misc configuration': Command
> '/usr/share/ovirt-engine/dbscripts/upgrade.sh' failed to execute
> 
> psql:/var/lib/ovirt-engine/backups/engine-20140306183332.9FQBdD.sql:16:
> ERROR:  language "plpgsql" already exists
> 
> 2014-03-06 18:42:58 ERROR otopi.plugins.ovirt_engine_common.base.core.misc
> misc._terminate:150 Execution of setup failed
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Permissions

[Yair Zaslavsky]

- Original Message -
> From: "Maurice James" 
> To: "Yair Zaslavsky" 
> Cc: "Eli Mesika" , users@ovirt.org
> Sent: Wednesday, February 26, 2014 1:35:03 AM
> Subject: RE: [Users] Permissions
> 
> Here are the logs that I grabbed while trying to move disks between storage
> domains

It shows you have permissions issues.
Just to make sure - is this a user that belongs to a group that has 
permissions? I think you wrote in previous emails it is.
Can you, as suggested in previous email, try to perform this operation with a 
direct user that has the permissions (i.e - not inherited from a group?)

Thanks,
Yair

> 
> -Original Message-
> From: Yair Zaslavsky [mailto:yzasl...@redhat.com]
> Sent: Monday, February 24, 2014 8:56 PM
> To: Maurice James
> Cc: Eli Mesika; users@ovirt.org
> Subject: Re: [Users] Permissions
> 
> 
> 
> - Original Message -
> > From: "Maurice James" 
> > To: "Eli Mesika" 
> > Cc: users@ovirt.org
> > Sent: Tuesday, February 25, 2014 3:33:52 AM
> > Subject: Re: [Users] Permissions
> > 
> > I will have to get the logs to you tomorrow when I go to the office.
> > Until then,  I have a user group from AD with the "Power User" and
> > "Super User"
> >  permissions over the Data Center. They do not have permission to move
> > disks  between storage domains. Is this by design?
> 
> Maurice, quick question here - when you write "they don't have permissions"
> do you mean to users of the group?
> if so, are you using ovirt engine 3.4 beta2 or a development environment?
> 
> Perhaps the following bug has to do with what you're experiencing?
> 
> https://bugzilla.redhat.com/1065615
> 
> 
> Yair
> 
> > 
> > 
> > -Original Message-
> > From: Eli Mesika [mailto:emes...@redhat.com]
> > Sent: Sunday, February 23, 2014 3:34 PM
> > To: Maurice James
> > Cc: users@ovirt.org
> > Subject: Re: [Users] Permissions
> > 
> > 
> > 
> > - Original Message -
> > > From: "Maurice James" 
> > > To: users@ovirt.org
> > > Sent: Friday, February 21, 2014 9:25:12 PM
> > > Subject: [Users] Permissions
> > > 
> > > I have an LDAP user with Power User and Super User permissions at
> > > the Data Center level. Why dont I have permission to migrate disks
> > > between storage domains?
> > 
> > Hi Maurice
> > 
> > Can you elaborate please and attach a screen-shot of the error you got
> > and the relevant engine.log
> > 
> > > 
> > > oVirt Engine Version: 3.3.3-2.el6
> > > 
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Permissions

[Yair Zaslavsky]

- Original Message -
> From: "Maurice James" 
> To: "Eli Mesika" 
> Cc: users@ovirt.org
> Sent: Tuesday, February 25, 2014 3:33:52 AM
> Subject: Re: [Users] Permissions
> 
> I will have to get the logs to you tomorrow when I go to the office. Until
> then,
>  I have a user group from AD with the "Power User" and "Super User"
>  permissions over the Data Center. They do not have permission to move disks
>  between storage domains. Is this by design?

Maurice, quick question here - when you write "they don't have permissions" do 
you mean to users of the group? 
if so, are you using ovirt engine 3.4 beta2 or a development environment?

Perhaps the following bug has to do with what you're experiencing?

https://bugzilla.redhat.com/1065615


Yair

> 
> 
> -Original Message-
> From: Eli Mesika [mailto:emes...@redhat.com]
> Sent: Sunday, February 23, 2014 3:34 PM
> To: Maurice James
> Cc: users@ovirt.org
> Subject: Re: [Users] Permissions
> 
> 
> 
> - Original Message -
> > From: "Maurice James" 
> > To: users@ovirt.org
> > Sent: Friday, February 21, 2014 9:25:12 PM
> > Subject: [Users] Permissions
> > 
> > I have an LDAP user with Power User and Super User permissions at the
> > Data Center level. Why dont I have permission to migrate disks between
> > storage domains?
> 
> Hi Maurice
> 
> Can you elaborate please and attach a screen-shot of the error you got and
> the relevant engine.log
> 
> > 
> > oVirt Engine Version: 3.3.3-2.el6
> > 
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Creating oVirt users

[Yair Zaslavsky]

Hi Drew,
In order to be able to add users, you will have to use the 
engine-manage-domains tool and setup a domain.
a domain uses kerberos authentication and LDAP for authorization.
engine-manage-domains supports several ldap vendors , among are - active 
directory, IPA, RHDS, openLdap.
once will add a user at a given domain that will be used to authenticate during 
searching for users and groups.
For example, if you have a domain named example.com, which is which has a 
machine a.example.com which co-hosts ldap server (IPA) + KDC, and the dns 
records for kerberos and ldap are properly set, and you will like to add user 
named "myuser" then you can use :
engine-manage-domains add --user=myuser --domain=example.com --provider=IPA.
if you want to be able to login with this user, and not just with the admin of 
of "internal", please also specify --add-permissions

Hope this helps,
Yair


- Original Message -
> From: "Drew Showers" 
> To: users@ovirt.org
> Sent: Tuesday, February 25, 2014 1:49:45 AM
> Subject: [Users] Creating oVirt users
> 
> Hello,
> 
> How do I create users? I see where to add users and create roles, but can't
> figure out how to get users on the add user list.
> 
> Thanks in advance!
> Drew
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] API read-only access / roles

[Yair Zaslavsky]

- Original Message -
> From: "Yair Zaslavsky" 
> To: "Juan Hernandez" 
> Cc: "Users@ovirt.org List" 
> Sent: Sunday, February 23, 2014 8:55:07 AM
> Subject: Re: [Users] API read-only access / roles
> 
> 
> 
> - Original Message -
> > From: "Juan Hernandez" 
> > To: "Sven Kieske" , "Users@ovirt.org List"
> > 
> > Cc: "Itamar Heim" , "Yair Zaslavsky"
> > 
> > Sent: Saturday, February 22, 2014 2:22:14 PM
> > Subject: Re: [Users] API read-only access / roles
> > 
> > On 02/20/2014 04:51 PM, Itamar Heim wrote:
> > > On 02/20/2014 05:24 PM, Sven Kieske wrote:
> > >> Hi,
> > >>
> > >> is nobody interested in this feature at all?
> > >> it would be a huge security gain, while lowering
> > >> the bars for having a read only user if this could get shipped with 3.4:
> > > 
> > > we are very interested, but we want to do this based on the
> > > authentication re-factoring, which in itself, barely made the 3.4
> > > timeline.
> > > Yair - are we "pluggable" yet, that someone could add such a user by
> > > dropping a jar somewhere, or still on going work towards 3.5?
> 
> As Juan mentioned in his email, it should be possible to plug in at 3.4 as
> well.
> However, we're changing the configuration format at 3.5 as we're changing the
> mechanism to use the extensions mechanism - both Directory and Authenticator
> are extensions, the configuration for
> directory (authorization extension) and authenciator (authentication
> extension) will look a bit different.

CC'ed Sven as well, 
In addition bare in mind as Directory and Authenticator will be extensions, 
there will be some interface change.

Yair

> 
> 
> 
> 
> > > 
> > 
> > Pugglability of authentication already works in 3.4. By default it uses
> > the previous mechanism, but the administrator can change this. In order
> > to change you need to create the /etc/ovirt-engine/auth.conf.d directory
> > and then create inside one or more "authentication profiles"
> > configuration files. An authentication profile is a combination of an
> > "authenticator" and a "directory". The authenticator is used to check
> > the credentials (the user name and password) and the "directory" is used
> > to search users and their details. For example, if you want to use local
> > authentication (the users, passwords, and groups of the OS) you can
> > create a "local.conf" file with the following content:
> > 
> >   #
> >   # The name of the profile. This is what will be displayed in the
> >   # combo box in the login page.
> >   #
> >   name=local
> > 
> >   #
> >   # Needed to enable the profile, by default all profiles are
> >   # disabled.
> >   #
> >   enabled=true
> > 
> >   #
> >   # The configuration of the authenticator used by the profile. The
> >   # type and the module are mandatory, the rest are optional and
> >   # the default values are as shown below.
> >   #
> >   authenticator.type=ssh
> >   authenticator.module=org.ovirt.engine.core.authentication.ssh
> >   # authenticator.host=localhost
> >   # authenticator.port=22
> >   # authenticator.timeout=10
> > 
> >   #
> >   # The configuration of the directory:
> >   #
> >   directory.type=nss
> >   directory.module=org.ovirt.engine.core.authentication.nss
> > 
> > For this to work you need to install some additional modules, which
> > aren't currently part of the engine. This is where plugabillity comes in
> > place. This modules can be built externally. I created modules for SSH
> > authentication and NSS (Name Service Switch) directory. The source is
> > available here:
> > 
> > https://github.com/jhernand/ovirt-engine-ssh-authenticator
> > https://github.com/jhernand/ovirt-engine-nss-directory
> > 
> > The NSS directory also needs JNA (Java Native Access):
> > 
> > https://github.com/jhernand/ovirt-engine-jna-module
> > 
> > Installing these extensions is very easy, just build from source and
> > uncompress the generated .zip files to /usr/share/ovirt-engine/modules.
> > In case you don't want to build from source you can use the RPMs that I
> > created. The source for the .spec files is here:
> > 
> > https://github.com/jhernand/ovirt-engine-rpms
> > 
> > If you don't want to build form source you can use a yum repository th

Re: [Users] API read-only access / roles

[Yair Zaslavsky]

- Original Message -
> From: "Juan Hernandez" 
> To: "Sven Kieske" , "Users@ovirt.org List" 
> 
> Cc: "Itamar Heim" , "Yair Zaslavsky" 
> Sent: Saturday, February 22, 2014 2:22:14 PM
> Subject: Re: [Users] API read-only access / roles
> 
> On 02/20/2014 04:51 PM, Itamar Heim wrote:
> > On 02/20/2014 05:24 PM, Sven Kieske wrote:
> >> Hi,
> >>
> >> is nobody interested in this feature at all?
> >> it would be a huge security gain, while lowering
> >> the bars for having a read only user if this could get shipped with 3.4:
> > 
> > we are very interested, but we want to do this based on the
> > authentication re-factoring, which in itself, barely made the 3.4 timeline.
> > Yair - are we "pluggable" yet, that someone could add such a user by
> > dropping a jar somewhere, or still on going work towards 3.5?

As Juan mentioned in his email, it should be possible to plug in at 3.4 as well.
However, we're changing the configuration format at 3.5 as we're changing the 
mechanism to use the extensions mechanism - both Directory and Authenticator 
are extensions, the configuration for
directory (authorization extension) and authenciator (authentication extension) 
will look a bit different.




> > 
> 
> Pugglability of authentication already works in 3.4. By default it uses
> the previous mechanism, but the administrator can change this. In order
> to change you need to create the /etc/ovirt-engine/auth.conf.d directory
> and then create inside one or more "authentication profiles"
> configuration files. An authentication profile is a combination of an
> "authenticator" and a "directory". The authenticator is used to check
> the credentials (the user name and password) and the "directory" is used
> to search users and their details. For example, if you want to use local
> authentication (the users, passwords, and groups of the OS) you can
> create a "local.conf" file with the following content:
> 
>   #
>   # The name of the profile. This is what will be displayed in the
>   # combo box in the login page.
>   #
>   name=local
> 
>   #
>   # Needed to enable the profile, by default all profiles are
>   # disabled.
>   #
>   enabled=true
> 
>   #
>   # The configuration of the authenticator used by the profile. The
>   # type and the module are mandatory, the rest are optional and
>   # the default values are as shown below.
>   #
>   authenticator.type=ssh
>   authenticator.module=org.ovirt.engine.core.authentication.ssh
>   # authenticator.host=localhost
>   # authenticator.port=22
>   # authenticator.timeout=10
> 
>   #
>   # The configuration of the directory:
>   #
>   directory.type=nss
>   directory.module=org.ovirt.engine.core.authentication.nss
> 
> For this to work you need to install some additional modules, which
> aren't currently part of the engine. This is where plugabillity comes in
> place. This modules can be built externally. I created modules for SSH
> authentication and NSS (Name Service Switch) directory. The source is
> available here:
> 
> https://github.com/jhernand/ovirt-engine-ssh-authenticator
> https://github.com/jhernand/ovirt-engine-nss-directory
> 
> The NSS directory also needs JNA (Java Native Access):
> 
> https://github.com/jhernand/ovirt-engine-jna-module
> 
> Installing these extensions is very easy, just build from source and
> uncompress the generated .zip files to /usr/share/ovirt-engine/modules.
> In case you don't want to build from source you can use the RPMs that I
> created. The source for the .spec files is here:
> 
> https://github.com/jhernand/ovirt-engine-rpms
> 
> If you don't want to build form source you can use a yum repository that
> I created with binaries for Fedora 20 (should work in CentOS as well):
> 
> http://jhernand.fedorapeople.org/repo
> 
> So, to summarize:
> 
> # cat > /etc/yum.repos.d/my.repo <<.
> [my]
> name=my
> baseurl=http://jhernand.fedorapeople.org/repo
> enabled=1
> gpgcheck=0
> .
> 
> # yum -y install \
> ovirt-engine-ssh-authenticator \
> ovirt-engine-nss-directory
> 
> # mkdir -p /etc/ovirt-engine/auth.conf.d
> 
> # cat > /etc/ovirt-engine/auth.conf.d/local.conf <<.
> name=local
> enabled=true
> authenticator.type=ssh
> authenticator.module=org.ovirt.engine.core.authentication.ssh
> directory.type=nss
> directory.module=org.ovirt.engine.core.authentication.nss
> .
> 
> # systemctl restart ovirt-engine
> 
> Then you can login with admin@internal, add some local users and
> permissions, and 

Re: [Users] SSO from user portal to Windows 7 guest

[Yair Zaslavsky]

- Original Message -
> From: "Itamar Heim" 
> To: "simon" 
> Cc: "Frantisek Kobzik" , users@ovirt.org, "Yair 
> Zaslavsky" 
> Sent: Thursday, February 20, 2014 9:15:11 AM
> Subject: Re: [Users] SSO from user portal to Windows 7 guest
> 
> On 02/20/2014 07:31 AM, simon wrote:
> >  > On February 18, 2014 at 4:47 PM Itamar Heim  wrote:
> >  >
> >  > On 02/18/2014 06:59 PM, SimmInfo wrote:
> >  > > Yes, I make my tests from user portal.
> >  > >
> >  > > Envoyé de mon iPad
> >  > >
> >  > >> Le 2014-02-18 à 09:14, Itamar Heim  a écrit :
> >  > >>
> >  > >>> On 02/18/2014 03:36 PM, SimmInfo wrote:
> >  > >>> Ok,
> >  > >>>
> >  > >>> I tested it on a 3.4 beta2. Build a VM (win7 32) check "Guest
> > agent" as SSO option in vm config.
> >  > >>>
> >  > >>> Same result as the 3.3.3 engine. No sso but lock screen on spice
> > session termination.
> >  > >>>
> >  > >>> Nothing in engine.log about VmLogon nor Guest agent reportion to
> > the engine but Admin portal populated with vm ip, user connected, ip of
> > the connected user (very useful info), installed app, etc.
> >  > >>>
> >  > >>> Is there another way to know if the agent is correctly reporting
> > to the engine?
> >  > >>>
> >  > >>> Will test today with a fedora host.
> >  > >>
> >  > >> just to make sure - did you notice the important point of SSO only
> > works if you login from the user portal, not from the webadmin?
> >  > >>
> >  > >>>
> >  > >>> Thanks!
> >  > >>>
> >  > >>> My test config :
> >  > >>>
> >  > >>> Engine 3.4 beta2 on CentOS 6.5
> >  > >>> Node CentOS 6.5 with vdsm from prerelease repo.
> >  > >>> Storage iscsi
> >  > >>>
> >  > >>>
> >  > >>>> Le 2014-02-17 à 04:24, Frantisek Kobzik  a
> > écrit :
> >  > >>>>
> >  > >>>> Yes, that's a valid point (however it _should_ be set to 'Guest
> > Agent' by default).
> >  > >>>>
> >  > >>>> To sum it up, SSO should happen (on the engine side) if all
> > these conditions are true:
> >  > >>>> - user is connecting via userportal (not webadmin),
> >  > >>>> - guest agent presence is reported to engine,
> >  > >>>> - state of VM is strictly "Up"
> >  > >>>> - VM has SSO method set to "Guest agent" (Itamar's mail).
> >  > >>>>
> >  > >>>> If these conditions are fulfilled and SSO still doesn't work,
> > there must be something wrong with the engine (or with reporting GA
> > presence).
> >  > >>>>
> >  > >>>> Also VmLogon command should print some information to engine's
> > log - could you take a look?
> >  > >>>>
> >  > >>>> Cheers,
> >  > >>>> Franta.
> >  > >>>>
> >  > >>>>
> >  > >>>> - Original Message -
> >  > >>>> From: "Itamar Heim" 
> >  > >>>> To: "SimmInfo" , users@ovirt.org, "Frantisek
> > Kobzik" 
> >  > >>>> Sent: Monday, February 17, 2014 3:35:08 AM
> >  > >>>> Subject: Re: [Users] SSO from user portal to Windows 7 guest
> >  > >>>>
> >  > >>>>> On 02/15/2014 07:51 AM, SimmInfo wrote:
> >  > >>>>> Ok, after more investigation on agent logs and some code
> > modification it seem that the agent is receiving commands from virtio
> > device. As it should. I have seen commands lock-screen, shutdown, etc...
> > But not the "login" command. Look like engine trouble... I will do more
> > testing tomorrow.
> >  > >>>>>
> >  > >>>>> Simon
> >  > >>>>> ___
> >  > >>>>> Users mailing list
> >  > >>>>> Users@ovirt.org
> >  > >>>>> http://lists.ovirt.org/mailman/listinfo/users
> >  > >>>>
> >  > >>>> make sur

Re: [Users] new oVirt look-and-feel -- feature page

[Yair Zaslavsky]

Looks really great, can't wait to see more :)


- Original Message -
> From: "Greg Sheremeta" 
> To: "users" , a...@ovirt.org
> Sent: Tuesday, February 18, 2014 11:19:18 PM
> Subject: new oVirt look-and-feel -- feature page
> 
> Hi,
> 
> Please check out the feature page for the new oVirt look-and-feel, PatternFly
> based: http://www.ovirt.org/Features/NewLookAndFeelPatternFlyPhase1.
> 
> Comments are welcome.
> 
> Thanks,
> Greg
> 
> Greg Sheremeta
> Red Hat, Inc.
> Sr. Software Engineer, RHEV
> Cell: 919-807-1086
> gsher...@redhat.com
> ___
> Arch mailing list
> a...@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/arch
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[Users] ovirt test day 2

[Yair Zaslavsky]

Hi,
I tested the following:

https://bugzilla.redhat.com/1053646easily collapsible left-pane - was 
not included in test day 1 (I was supposed to test it back then) - works fine.

https://bugzilla.redhat.com/1054209 - read only disks - works fine.

https://bugzilla.redhat.com/1054219 - Only comment is - IMHO it should be 
considered having disks marked as read only (where applicable) in templates -> 
disks and perhaps also when showing the disks of each snapshot.

other bugs opened:
https://bugzilla.redhat.com/show_bug.cgi?id=1064601


Yair
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] ovirt 3.4.0-0.5.beta1 and OpenLDAP groups

[Yair Zaslavsky]

- Original Message -
> From: "Itamar Heim" 
> To: "Yair Zaslavsky" , "Winfried de Heiden - Voorwinde" 
> 
> Cc: users@ovirt.org
> Sent: Monday, February 3, 2014 1:32:00 AM
> Subject: Re: [Users] ovirt 3.4.0-0.5.beta1 and OpenLDAP groups
> 
> On 02/02/2014 11:01 PM, Yair Zaslavsky wrote:
> >
> >
> > - Original Message -
> >> From: "Winfried de Heiden - Voorwinde" 
> >> To: users@ovirt.org
> >> Sent: Sunday, February 2, 2014 5:09:01 PM
> >> Subject: [Users] ovirt 3.4.0-0.5.beta1 and OpenLDAP groups
> >>
> >> Hi All,
> >>
> >> I managed to use OpenLDAP to integrate with oVirt 3.4.0-0.5.beta1. For
> >> this, I followed (more or less, I used a Raspberry Pi and Raspbian)
> >> instructions as found on http://www.ovirt.org/LDAP_Quick_Start
> >>
> >> It all seems to work well, I am able to connect to a domain, login etc.
> >> and assign some roles to users.
> >> However, I cannot use (ldap) groups it seems. I cann add a group in the
> >> ovirt gui, but (in the tab General) "Active" remain "false".
> >>
> >> A I missing something...?
> >
> > HI Winfried, I have a question for you -
> > When you add the group , can you use one of its user to perform an
> > operation the group has permission to perform? for example, if the group
> > has login permissions, can you login with a user that belongs to the
> > group?
> > I'm looking at the code, and this might be an issue that the "active" flag
> > is simply not set on a group.
> 
> Yair - why would active be set on a group?

Itamar - I don't think there is a sense in that.
At engine-core-  not being set.
At UI - I think the code should be revisited, in AdElementListModel there are 
places where we create user objects and store in side them group information. 
later on we store these objects at the groups collection of the model, and this 
model is being used to present the list of users and groups. 
 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] ovirt 3.4.0-0.5.beta1 and OpenLDAP groups

[Yair Zaslavsky]

- Original Message -
> From: "Winfried de Heiden - Voorwinde" 
> To: users@ovirt.org
> Sent: Sunday, February 2, 2014 5:09:01 PM
> Subject: [Users] ovirt 3.4.0-0.5.beta1 and OpenLDAP groups
> 
> Hi All,
> 
> I managed to use OpenLDAP to integrate with oVirt 3.4.0-0.5.beta1. For
> this, I followed (more or less, I used a Raspberry Pi and Raspbian)
> instructions as found on http://www.ovirt.org/LDAP_Quick_Start
> 
> It all seems to work well, I am able to connect to a domain, login etc.
> and assign some roles to users.
> However, I cannot use (ldap) groups it seems. I cann add a group in the
> ovirt gui, but (in the tab General) "Active" remain "false".
> 
> A I missing something...?

HI Winfried, I have a question for you -
When you add the group , can you use one of its user to perform an operation 
the group has permission to perform? for example, if the group has login 
permissions, can you login with a user that belongs to the group?
I'm looking at the code, and this might be an issue that the "active" flag is 
simply not set on a group.

> 
> Winfried
> 
> 
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Ovirt 3.4 - Fail to set permissions to VM

[Yair Zaslavsky]

Yes,
A fix was already submitted for review.


- Original Message -
> From: "Jonas Israelsson" 
> To: "Oved Ourfalli" 
> Cc: users@ovirt.org, "Juan Hernandez" , "Yair Zaslavsky" 
> 
> Sent: Wednesday, January 29, 2014 2:44:46 PM
> Subject: Re: [Users] Ovirt 3.4 - Fail to set permissions to VM
> 
> 
> On 29/01/14 07:29, Oved Ourfalli wrote:
> > Hi Jonas
> >
> > Apparently there is a quite new bug open about this issue
> > (https://bugzilla.redhat.com/1057147).
> > CC-ing Juan and Yair - perhaps the'll know what's the source of the issue,
> > as I think they were the last ones to make changes in it.
> Jupp, got it.
> 
> Sorry for not checking there first..
> 
> 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Manage domains

[Yair Zaslavsky]

- Original Message -
> From: "Itamar Heim" 
> To: "Maurice James" , users@ovirt.org, "Barak Azulay" 
> , "Juan Antonio
> Hernandez Fernandez" 
> Sent: Thursday, January 23, 2014 11:03:48 PM
> Subject: Re: [Users] Manage domains
> 
> On 01/23/2014 08:06 PM, Maurice James wrote:
> >
> > No matter what provider I use, it keeps complaining about kerberos
> > 
> > From: midnightst...@msn.com
> > To: users@ovirt.org
> > Date: Thu, 23 Jan 2014 12:13:03 -0500
> > Subject: [Users] Manage domains
> >
> > In version 3.4. The authentication has been refactored. How do I add
> > 389-ds as my authentication backend without the use of Kerberos? This
> > was supposed to be possible in 3.4

H
> >
> > ___ Users mailing list
> > Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
> >
> >
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
> 
> the refactoring happened, I'm not sure the new functionality made it.
> maybe if its low risk could be looked at for following through.

Hi, the refactoring included introduction of new infrastructure to support 
loose coupling between authentication and directory related operations.
It also includes a tested "bridge" - between the new interfaces and the old 
code.
The new ldap directory code is still under development. 
manage-domains is still working only with Kerberos for authentication.

You can see more at 
http://www.ovirt.org/Features/Authentication-Rewrite

You will see that what I described in this email is related to "Phase 1"

Hope this helps ,
Yair



> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] Problem adding an IPA server to oVirt

[Yair Zaslavsky]

Hi Adam,
Looks like you have problems in running the Root DSE query.
I would like you to try and troubleshoot by comparing this to the execution of -

ldapsearch -x -h  -s base

- Original Message -
> From: "Adam Litke" 
> To: users@ovirt.org
> Sent: Tuesday, January 21, 2014 12:12:03 AM
> Subject: [Users] Problem adding an IPA server to oVirt
> 
> Hi,
> 
> I am trying to set up an oVirt environment with an IPA provider and
> am hitting a GeneralException that I am unsure how to debug.  I have
> configured freeIPA in a Fedora VM using the supplied configuration
> script and I can 'kinit admin' from the ovirt-engine machine.  When I
> run the manage-domains command I get the following exception:
> 
> I didn't realize it, but I had to add _kerberos srv records to my
> dnsmasq.conf in order for the script to even find my KDC.
> 
> ./engine-manage-domains -action=add -provider=IPA -domain=alitke.net
> -user=admin -interactive -ldapServers=directory.alitke.net
> Enter password:
> General error has occurednull
> java.lang.NegativeArraySizeException
>   at
> sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
>   at
> sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
>   at
> sun.security.jgss.krb5.WrapToken_v2.(WrapToken_v2.java:200)
>   at
> sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
>   at
> sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
>   at
> com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
>   at
> com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
>   at
> com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
>   at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
>   at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>   at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
>   at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
>   at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
>   at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
>   at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
>   at
> javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>   at
> org.ovirt.engine.core.ldap.RootDSEData.(RootDSEData.java:52)
>   at
> org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:254)
>   at
> org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAs(Subject.java:356)
>   at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>   at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
>   at
> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
>   at
> org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:739)
>   at
> org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:909)
>   at
> org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:531)
>   at
> org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:308)
>   at
> org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:205)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>   at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:606)
>   at org.jboss.modules.Module.run(Module.java:260)
>   at org.jboss.modules.Main.main(Main.java:291)
> Failure while testing domain %1$s. Details: %2$s: One of the
> parameters for this error is null and no default message to show
> 
> Any thoughts on what might be going wrong?
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [Users] New user to oVirt, and I haz a sad so far...

[Yair Zaslavsky]

Gabi, why not share with us engine.log for your failure of adding the disk?

Yair


- Original Message -
> From: "Gabi C" 
> To: "Will Dennis (Live.com)" 
> Cc: users@ovirt.org
> Sent: Friday, January 17, 2014 9:53:55 AM
> Subject: Re: [Users] New user to oVirt, and I haz a sad so far...
> 
> 've been there! :-D
> 
> I mean exactly same issuse you had on Centos, I had on Fedora 19.
> Did you disable selinux on nodes? 'cause that's what is causing SSh
> connection closing
> 
> My setup:
> 
> 1 engine on vmware  - fedora 19, up-to-date
> 
> 
> 2 nodes on IBM x series 3650  - fedora 19 based -oVirt Node - 3.0.3 -
> 1.1.fc19 with nodes beig in glusterfs cluster also.
> 
> 
> Right now, I'm banging my head against "Operation Add-Disk failed to
> complete." , message I have got after adding a new virtual machine and try
> to addd its disk
> 
> 
> On Fri, Jan 17, 2014 at 6:08 AM, Will Dennis (Live.com) <
> willardden...@live.com> wrote:
> 
> > Hi all, ready for a story? (well, more of a rant, but hopefully it will be
> > a
> > good UX tale, and may even be entertaining.)
> >
> > Had one of the groups come to me at work this week and request a OpenStack
> > setup. When I sat down and discussed their needs, it turns out that they
> > really only need a multi-hypervisor setup where they can spin up VMs for
> > their research projects. The VMs should be fairly long-lived, and will have
> > persistent storage. Their other request is that the storage should be local
> > on the hypervisor nodes (they plan to use Intel servers with 8-10 2TB
> > drives
> > for VM storage on each node.) They desire this in order to keep the VM I/O
> > local - they do not have a SAN of any sort anyhow, and they do not care
> > about live migration, etc.
> >
> > In any case, knowing that they did not want to afford a VMware setup (which
> > is what I'm used to using), I proposed using oVirt to fill their needs,
> > having heard and read up on it a bit (It's "open-source VMware", right?)
> > even though I had not used it before (I have however made single-node KVM
> > hypervisors for their group before, utilizing Open vSwitch, libvirt,
> > virt-manager etc., so I'm not completely ignorant of KVM/libvirt etc.)
> >
> > In any case, I took one of their older servers which was already running
> > CentOS 6.5, installed the requisite packages on it, and in short order had
> > an engine server up and running (oVirt 3.3.2). That seems to have been the
> > easy part :-/  Now came the installation of a hypervisor node. I downloaded
> > and burned an ISO of the latest oVirt node installer
> > (ovirt-node-iso-3.0.3-1.1.vdsm.fc19.iso) and tried to install it on one of
> > their target Intel servers. On the 1st try I got to the end of the setup
> > TUI, invoked the Install link, and was promptly thrown an error (sorry, but
> > forgot what it was, something like "press X for a command prompt, or
> > Reboot".) No problem, I rebooted, selected booting off the CD again, waited
> > until the TUI came up, and when I tried to move past the first screen, it
> > threw me out to a login prompt. OK, enough of that (the server takes a long
> > time to reboot, and then boot off the CD) - I then thought I would try it
> > on
> > a VMware Workstation VM (yes, I get the irony, but VMware wkstn can handle
> > nested virt, so it's a great testbed platform for OpenStack, etc.) because
> > that would install a heck of a lot faster. That went a lot better - got the
> > oVirt node 3.0.3 installed on the first try.
> >
> > More pain was soon to follow, however.  I logged in and started configuring
> > the node. The TUI was easy enough - much like an ESXi node ;)  I set the
> > NIC
> > to IPv4 static, entered in the correct IP info, registered a DNS name for
> > the IP I had assigned, and then tested pinging the engine, all was good. I
> > then moved on to the section where you define the engine. I entered in the
> > FQDN of the engine, verified the key fingerprint, and clicked the "Save and
> > Register" link at the bottom. That seemed to work, so I completed the rest
> > of the TUI, and then looked at the oVirt engine web UI. There was my new
> > node, ready for authorization. I clicked the link to authorize it, and
> > after
> > a while, the UI came back with "Install Failed" status. Hmmm. So I went
> > back
> > to the node's TUI, and now some of the screens said that the IP addr was
> > unconfigured? I went then to the Network screen, and sure enough, the NIC
> > at
> > the bottom showed "Unconfigured". WTF? So I went and entered in the correct
> > info back in the IPv4 section, and then arrowed down to the Save link and
> > clicked it - and the next screen said something like "No info needing
> > changes, nothing to do." Wh? Went back to the network setup screen, NIC
> > still showing "Unconfigured" even though the IPv4 info still was there. I
> > did a ping test at this point from the Ping link on the network setup page,
> > and what do you know - I could st