[ovirt-users] Re: CEPH - Opinions and ROI

2020-10-01 Thread Stack Korora
ure good
read/write speed with good fault tolerance. I threw two cheap SSDs as a
log drive and a cache drive (which these two SSDs made HUGE performance
gains for oVirt VMs) and it's been smooth sailing since. It's trivial
to manage/upgrade and FAR less overhead than Ceph.

That's really just the warnings I've got for you. I'm a HUGE fan of
oVirt and we've done some pretty nutty stuff with it in testing and I
trust it for multiple environments where we throw some pretty heavy
loads at it. I've got TONS of praise for oVirt and the whole team that
backs it. It's fantastic.

And I do love Ceph (and specifically CephFS) and we get incredible
performance that I could gush over all day long. If you are planning on
building Ceph on the cheap, plan replications in sets of three, and
prepare for lots of tweaking and tuning. If you are in the position to
buy, I *HIGHLY* recommend at least talking to https://softiron.com (I do
not work for them, I do not get any kick-back from them, I'm just very
pleased with their product). They focus on Ceph and they do it well, but
they still let you tweak as needed. And since they build off of Arm
processors, all the power and heat come from the drives...these things
run super-cool. Loads more efficient than the home-built stuff we ran
for years.

I'm even a huge fan of running oVirt with a CephFS storage! I _REALLY_
wish the combo would be treated better. But most of my frustrations are
many years old at this point, and we've figured out workarounds in the
meantime. It's too much for me to want to mess with at home, but so long
as you plan out your Ceph install and you are just prepared to be the
odd-ball using CephFS+oVirt including the workarounds it's a great setup.

I absolutely believe that we've gotten a HUGE return on investment into
Ceph...but I'm also using it for high-speed data computations in a big
cluster. The oVirt + CephFS is an add-on to the HPC + CephFS. The ROI on
oVirt is also huge because we were never satisfied with other
virtualization solutions and while OpenStack worked for us it was FAR
more overhead than we needed or could support with a team as small as
ours. So I'm a big believer that our specific use case for both is a
massive ROI win.

Should you decide to move forward with CephFS + oVirt and you have
questions, feel free to reach out to me. No promises that your problems
will be the same as mine, but I can at least share some
experiences/config-settings with you.

Good luck!
~Stack~
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YSMPMBZ435SK6UHYSWHLQLG4YRO5LAQ3/


[ovirt-users] Re: LDAP setup fails on 4.4 reading PEM file

2020-06-12 Thread Stack Korora
On 2020-06-11 20:55, Stack Korora wrote:
> Well made one discovery. While named with an 's' in EL7, in EL8 that 's'
> is missing. ovirt-engine-extensions-aaa-ldap is now
> ovirt-engine-extension-aaa-ldap.
>
> However, even after fixing that in the properties it still gives the
> same error message (just missing the 's' now). I do have the packages
> installed and I do have
> /usr/share/java/ovirt-engine-extension-aaa-ldap/ovirt-engine-extension-aaa-ldap.jar
> (and the symlinks that point there). Still throws errors. :-(

I finally cracked it. There's a bunch of small minor changes that don't
allow for the config file from 4.3 to work with 4.4. Things like
dropping the 's' or exchanging the '-' for '.'.  Also had a heck of a
time with the ugly verbosity of the output from
ovirt-engine-extension-aaa-ldap tool. Not nearly as clean as it was
under 4.3.

But, as I said, I cracked the issue and I've got it working. Thanks to
all on the list. I found a lot of good info in searching the archive.

Thanks!
___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7AMQAQKPUQGI3MDGQV5KT3CN3HOBJKZZ/


[ovirt-users] Re: LDAP setup fails on 4.4 reading PEM file

2020-06-11 Thread Stack Korora
On 2020-06-11 20:32, Stack Korora wrote:
> [snip]
>> Since I wasn't getting anywhere with this, I decided to try a few
>> things. I copied the following files from a working 4.3 on RHEL 7
>> (again, this setup is CentOS8 with 4.4):
>> /etc/ovirt-engine/aaa/ldap.jks
>> /etc/ovirt-engine/aaa/ldap.properties
>> /etc/ovirt-engine/extensions.d/ldap-authn.properties
>> /etc/ovirt-engine/extensions.d/ldap-authz.properties
>>
>> I verified permissions were all good (including SELinux). I restarted a
>> few services but wasn't getting anything at all of value telling me what
>> was wrong...so I rebooted. That did the trick! Now I get an error,
>> though nothing of use is turning up from the internet searches.
>>
>> # ovirt-engine-extensions-tool info list-extensions
>> [snip]
>> SEVERE: Extension 'ldap-authn.properties' load failed (ignored): Error
>> loading 'ldap-authn': The module 'org.ovirt.engine-extensions.aaa.ldap'
>> cannot be loaded: org.ovirt.engine-extensions.aaa.ldap
>> SEVERE: Extension 'ldap-authn.properties' load failed (ignored): Error
>> loading 'ldap-authz': The module 'org.ovirt.engine-extensions.aaa.ldap'
>> cannot be loaded: org.ovirt.engine-extensions.aaa.ldap
>> [snip]
>>
>> I do have these packages installed:
>> ovirt-engine-extensions-aaa-ldap
>> ovirt-engine-extensions-aaa-ldap-setup

Well made one discovery. While named with an 's' in EL7, in EL8 that 's'
is missing. ovirt-engine-extensions-aaa-ldap is now
ovirt-engine-extension-aaa-ldap.

However, even after fixing that in the properties it still gives the
same error message (just missing the 's' now). I do have the packages
installed and I do have
/usr/share/java/ovirt-engine-extension-aaa-ldap/ovirt-engine-extension-aaa-ldap.jar
(and the symlinks that point there). Still throws errors. :-(

Thoughts? Thanks!

___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HUVCIP4KVLMPI3GBGVZTMFUNHRMHRSBW/


[ovirt-users] Re: LDAP setup fails on 4.4 reading PEM file

2020-06-11 Thread Stack Korora
Bottom posted update:

On 2020-06-11 17:35, Stack Korora wrote:
> Greetings,
> I'm having some issues getting LDAP working on CentOS 8 with oVirt 4.4.
> I would appreciate some help please.
>
> When I run ovirt-engine-extension-aaa-ldap-setup I choose "11 - RFC-2307
> Schema (Generic)" because that's what my LDAP guy said I should do. :-)
>
> Next I select the default Yes for "Use DNS".
>
> I select 4 for "Failover between multiple hosts".
>
> I put in my two hosts "svr1.my.domain srv2.my.domain".
>
> To select the protocol I type "ldaps".
>
> To select the method to obtain the PEM I type "File".
>
> Then the "File path". A full path to the file. Not quoted. Yes, I
> checked that I typed it correct. I can copy-paste into "ls" and it's
> fine with the correct read permissions and everything. (I can't copy
> paste into the script but that's another issue.)
>
> It immediately fails with:
> [ ERROR ] Failed to execute stage 'Environment customization': a
> byte-like object is required, not 'str'
>
> There is a log file, here is the snippet at the point it goes wrong.
>
> 2020-06-11 11:35:49,915-0500 DEBUG otopi.plugins.otopi.dialog.human
> dialog.__logString:204 DIALOG:SEND File path:
> 2020-06-11 11:36:24,373-0500 DEBUG otopi.plugins.otopi.dialog.human
> dialog.__logString:204 DIALOG:RECEIVE
> /etc/pki/ca-trust/source/anchors/Infrastructure.pem
> 2020-06-11 11:36:24,375-0500 DEBUG otopi.context
> context._executeMethod:145 method exception
> Traceback (most recent call last):
>   File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in
> _executeMethod
> method['method']()
>   File
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
> line 781, in _customization_late
> cacert, cacertfile, insecure = self._getCACert()
>   File
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
> line 357, in _getCACert
> _cacertfile.write('\n'.join(cacert) + '\n')
>   File "/usr/lib64/python3.6/tempfile.py", line 485, in func_wrapper
> return func(*args, **kwargs)
> TypeError: a bytes-like object is required, not 'str'
> 2020-06-11 11:36:24,376-0500 ERROR otopi.context
> context._executeMethod:154 Failed to execute stage 'Environment
> customization': a bytes-like object is required, not 'str'
> 2020-06-11 11:36:24,376-0500 DEBUG otopi.context
> context.dumpEnvironment:765 ENVIRONMENT DUMP - BEGIN
> 2020-06-11 11:36:24,376-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV BASE/error=bool:'True'
> 2020-06-11 11:36:24,376-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV BASE/exceptionInfo=list:'[( 'TypeError'>, TypeError("a bytes-like object is required, not 'str'",),
> )]'
> 2020-06-11 11:36:24,377-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/hosts=str:'svr1.my.domain
> srv2.my.domain'
> 2020-06-11 11:36:24,377-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/protocol=str:'ldaps'
> 2020-06-11 11:36:24,377-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/serverset=str:'failover'
> 2020-06-11 11:36:24,377-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/useDNS=bool:'True'
> 2020-06-11 11:36:24,378-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV
> QUESTION/1/OVAAALDAP_LDAP_CACERT_FILE=str:'/etc/pki/ca-trust/source/anchors/Infrastructure.pem'
> 2020-06-11 11:36:24,378-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV
> QUESTION/1/OVAAALDAP_LDAP_CACERT_METHOD=str:'file'
> 2020-06-11 11:36:24,378-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV
> QUESTION/1/OVAAALDAP_LDAP_PROTOCOL=str:'ldaps'
> 2020-06-11 11:36:24,378-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV QUESTION/1/OVAAALDAP_LDAP_SERVERSET=str:'4'
> 2020-06-11 11:36:24,378-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV QUESTION/1/OVAAALDAP_LDAP_USE_DNS=str:'yes'
> 2020-06-11 11:36:24,378-0500 DEBUG otopi.context
> context.dumpEnvironment:775 ENV
> QUESTION/2/OVAAALDAP_LDAP_SERVERSET=str:'svr1.my.domain srv2.my.domain'
> 2020-06-11 11:36:24,378-0500 DEBUG otopi.context
> context.dumpEnvironment:779 ENVIRONMENT DUMP - END
>

Since I wasn't getting anywhere with this, I decided to try a few
things. I copied the following files from a working 4.3 on RHEL 7
(again, this setup is CentOS8 with 4.4):
/etc/ovirt-engine/aaa/ldap.jks
/etc/ovirt-engine/aaa/ldap.properties
/etc/ovirt-engine/extensions.d/ldap-authn.properties
/etc/ovirt-engin

[ovirt-users] LDAP setup fails on 4.4 reading PEM file

2020-06-11 Thread Stack Korora
Greetings,
I'm having some issues getting LDAP working on CentOS 8 with oVirt 4.4.
I would appreciate some help please.

When I run ovirt-engine-extension-aaa-ldap-setup I choose "11 - RFC-2307
Schema (Generic)" because that's what my LDAP guy said I should do. :-)

Next I select the default Yes for "Use DNS".

I select 4 for "Failover between multiple hosts".

I put in my two hosts "svr1.my.domain srv2.my.domain".

To select the protocol I type "ldaps".

To select the method to obtain the PEM I type "File".

Then the "File path". A full path to the file. Not quoted. Yes, I
checked that I typed it correct. I can copy-paste into "ls" and it's
fine with the correct read permissions and everything. (I can't copy
paste into the script but that's another issue.)

It immediately fails with:
[ ERROR ] Failed to execute stage 'Environment customization': a
byte-like object is required, not 'str'

There is a log file, here is the snippet at the point it goes wrong.

2020-06-11 11:35:49,915-0500 DEBUG otopi.plugins.otopi.dialog.human
dialog.__logString:204 DIALOG:SEND File path:
2020-06-11 11:36:24,373-0500 DEBUG otopi.plugins.otopi.dialog.human
dialog.__logString:204 DIALOG:RECEIVE
/etc/pki/ca-trust/source/anchors/Infrastructure.pem
2020-06-11 11:36:24,375-0500 DEBUG otopi.context
context._executeMethod:145 method exception
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in
_executeMethod
method['method']()
  File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 781, in _customization_late
cacert, cacertfile, insecure = self._getCACert()
  File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 357, in _getCACert
_cacertfile.write('\n'.join(cacert) + '\n')
  File "/usr/lib64/python3.6/tempfile.py", line 485, in func_wrapper
return func(*args, **kwargs)
TypeError: a bytes-like object is required, not 'str'
2020-06-11 11:36:24,376-0500 ERROR otopi.context
context._executeMethod:154 Failed to execute stage 'Environment
customization': a bytes-like object is required, not 'str'
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:765 ENVIRONMENT DUMP - BEGIN
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV BASE/error=bool:'True'
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV BASE/exceptionInfo=list:'[(, TypeError("a bytes-like object is required, not 'str'",),
)]'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/hosts=str:'svr1.my.domain
srv2.my.domain'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/protocol=str:'ldaps'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/serverset=str:'failover'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/useDNS=bool:'True'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_CACERT_FILE=str:'/etc/pki/ca-trust/source/anchors/Infrastructure.pem'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_CACERT_METHOD=str:'file'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_PROTOCOL=str:'ldaps'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV QUESTION/1/OVAAALDAP_LDAP_SERVERSET=str:'4'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV QUESTION/1/OVAAALDAP_LDAP_USE_DNS=str:'yes'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/2/OVAAALDAP_LDAP_SERVERSET=str:'svr1.my.domain srv2.my.domain'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:779 ENVIRONMENT DUMP - END


Can someone help please?
Thanks!
___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MHBAPSJOFLAWFMBT4HPJAZUYB3ODL7BX/
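
Added example (not part of the original post and not the setup tool's own code): a minimal reproduction of the TypeError in the traceback above, where a str is written to a temporary file opened in Python 3's default binary mode, next to two ways of writing the PEM that work. The function names and the sample PEM lines are constructed for illustration.

```python
import tempfile

# Constructed sample input: PEM text as a list of str lines, the shape that
# '\n'.join(cacert) in the traceback implies. Not a real certificate.
SAMPLE_PEM_LINES = [
    "-----BEGIN CERTIFICATE-----",
    "Y29uc3RydWN0ZWQ=",
    "-----END CERTIFICATE-----",
]

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"


def write_str_to_default_tempfile(lines):
    """Reproduce the failure; return the TypeError text, or None if it worked."""
    # NamedTemporaryFile() defaults to mode 'w+b', so write() expects bytes.
    with tempfile.NamedTemporaryFile() as tmp:
        try:
            tmp.write("\n".join(lines) + "\n")
        except TypeError as exc:
            return str(exc)
    return None


def pem_lines_to_bytes(lines):
    """Join PEM lines into bytes, accepting str or bytes lines (hypothetical helper)."""
    out = []
    for line in lines:
        if isinstance(line, str):
            line = line.encode("ascii")  # PEM armor is plain ASCII
        out.append(line.rstrip(b"\r\n"))
    return b"\n".join(out) + b"\n"


def write_pem_tempfile(lines):
    """Binary-mode write that works on Python 3; returns what landed on disk."""
    data = pem_lines_to_bytes(lines)
    if BEGIN not in data or END not in data:
        raise ValueError("input does not look like a PEM certificate")
    with tempfile.NamedTemporaryFile() as tmp:
        tmp.write(data)
        tmp.flush()
        tmp.seek(0)
        return tmp.read()


def write_pem_tempfile_text(lines):
    """Alternative: open the temporary file in text mode and write str."""
    with tempfile.NamedTemporaryFile(mode="w+", encoding="ascii") as tmp:
        tmp.write("\n".join(lines) + "\n")
        tmp.flush()
        tmp.seek(0)
        return tmp.read()


if __name__ == "__main__":
    print("default mode :", write_str_to_default_tempfile(SAMPLE_PEM_LINES))
    print("bytes write  :", write_pem_tempfile(SAMPLE_PEM_LINES))
    print("text mode    :", repr(write_pem_tempfile_text(SAMPLE_PEM_LINES)))
```
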


[ovirt-users] Re: PKIX path error

2020-06-11 Thread Stack Korora
On 2020-06-02 06:16, Martin Perina wrote:
> Hi,
>
> could you please restart ovirt-engine service and share server.log and
> engine.log from /var/log/ovirt-engine ?


Greetings Martin,

Thank you for the response. Sorry it took a while, I had a family issue
come up and had to road-trip 10 hours away for a few days.

An update on the status, we were also struggling with an unrelated
hardware problem. The new NVMe drives were giving my coworkers and
myself issues on 7. My coworker tried CentOS8 just to see what happened,
and it worked flawlessly. So we _just_ rebuilt the whole thing: CentOS8
+ oVirt 4.4. We figured we might as well attempt to future-proof this
install a little bit while it is still in the "build" stage. :-)

One of my goals today is to get SSL and LDAP working on the fresh
install. If I have issues, I will post back.

Thank you again!

___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3X2KFSZBY337N56T2YBWSHA7YDG3UXKU/


[ovirt-users] Re: Mixing OS versions

2020-06-01 Thread Stack Korora
On 2020-06-01 16:31, Sandro Bonazzola wrote:
>
>
> On Mon, 1 Jun 2020 at 17:52, Stack Korora
> <stackkor...@disroot.org> wrote:
>
> Greetings,
> We've been using Scientific Linux 7 quite successfully with oVirt for
> years now. However, since there will not be a SL8 we are transitioning
> new servers to CentOS8. I would like to add a new oVirt hypervisor
> node.
>
> How bad of an idea is it to have a 8 system when the rest are 7 even
> though the version of oVirt will be the same?
>
>
> Please note the oVirt version can't be the same on el7 and el8 because
> hosts on el8 are supported only by oVirt 4.4 and oVirt 4.4 is not
> available on el7.
> You can upgrade the engine to 4.4 and then add el8 hosts while still
> keeping el7 hosts until you finish the upgrade.


Thank you for the clarification! I appreciate it.


___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KIXLZWRJDRKAND2AZSQZYW6TYB2CUHXZ/


[ovirt-users] Mixing OS versions

2020-06-01 Thread Stack Korora
Greetings,
We've been using Scientific Linux 7 quite successfully with oVirt for
years now. However, since there will not be a SL7 we are transitioning
new servers to CentOS8. I would like to add a new oVirt hypervisor node.

How bad of an idea is it to have a 8 system when the rest are 7 even
though the version of oVirt will be the same?

Thanks!
___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KH5JK3CVNVTNUHRII2KO2VM6LAUHOBTJ/


[ovirt-users] Re: PKIX path error

2020-05-29 Thread Stack Korora
On 2020-05-29 07:03, Strahil Nikolov via Users wrote:
> You mentioned that your certificates were different. Did you try converting
> them to the type used in the example?

Yeah. So I will walk through the steps. Since I don't have a p12 format,
the directions say "proceed to Replacing the Red Hat Virtualization
Manager Apache SSL Certificate". Well, that isn't right. :-)

Instead I skipped to "Replacing the oVirt Engine Apache SSL Certificate"

I converted mine to PEM and did step #1 and I included not just my cert
but the full chain. No issues there.

I replaced the PEM per #2 and #3. Then backed up per #4.

Step #5 & #6 require steps from the first section I skipped above. So I
did those. If I do those steps exactly, I will get SSL errors about
untrusted cert. However, if I add (>> vs >) to the original (which I
backed up) then all the SSL errors go away. That was with
apache.key.nopass and apache.cer.

The rest of the steps I followed exactly.

Not sure if that helps point out what I did wrong. Thanks for replying!

___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5G27DGSCSFUJSQ7233WQ4ETH4EM32GLA/


[ovirt-users] Re: PKIX path error

2020-05-29 Thread Stack Korora
On 2020-05-29 08:08, Martin Perina wrote:
> Hi Stack,
>
> if I understand correctly your custom SSL certificates are working
> correctly and you are able to login to webadmin using admin@internal,
> right?

Correct.

> If the problem is, that your aaa-ldap profile is not visible in the
> login dialog, then there is some issue with aaa-ldap configuration.
> You have mentioned that you used ovirt-engine-extension-aaa-ldap-setup
> tool to create your aaa-ldap profile, have you executed login and
> search operation at the end of setup tool? If so, were they successful?

I did and yes they were.

>
> Anyway right you can use following command to debug your aaa
> extensions setup:
>
> # ovirt-engine-extensions-tool info list-extensions
>
> Using above command, could you see authn and authz instance of your
> aaa-ldap profile?

I do see both authz and authn.

> If so, please try below tests:
>
> 1. Checking if user search is working:
>
> # ovirt-engine-extensions-tool aaa search --extension-name= PROFILE AUTHZ NAME> --entity-name=

It does work and it returns valid information.

> 2. Checking if login is working
>
> # ovirt-engine-extensions-tool aaa login-user --profile= NAME> --user-name=
>
A result=SUCCESS on that too!
However, I still don't see a second profile option on the web login.

Thanks for responding and giving me some help!

___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/C2QPG6OPMUHW2IQJO2QDA3GB74DPWVYZ/


[ovirt-users] Re: PKIX path error

2020-05-28 Thread Stack Korora
On 2020-05-28 16:07, Strahil Nikolov wrote:
> Can you check
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html just
> in case you missed a step?
>
> Best Regards,
> Strahil Nikolov

Greetings,

Thanks for replying.

I was going to argue a bit since the way my certs come are in different
formats so my commands are a bit different than the directions. But I
went through step by step. Got to the end, and the internal
authentication was working with the right SSL cert! My LDAP
authentication was missing though...it looks correct.

So I redid all the steps for adding LDAP. At the end of the
ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and
search so I know that is correct. My cert is in the right .jks file.
Still nothing I do shows anything but internal.

So I scrapped the changes and started over. Round three on a fresh
reboot (just in case I missed a service) with the SSL certs and
configuring LDAP. SSL works, internal works, ldap doesn't show up as a
drop-down option for the profile.

Grr...Reboot just in case I missed a service again...nope. SSL and
internal work, ldap still not shown in the profile. Tried a different
browser, same thing. Double Grr...

Any suggestions on where I might be going wrong?

Thanks!



___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/A4BKWITWPNPYYVLDVRN4XOSDTN4LPNB3/


[ovirt-users] PKIX path error

2020-05-27 Thread Stack Korora
Greetings,
I have a running oVirt install that's been working for almost 2 years.
I'm building a _completely_ new install. I mention it because it is
useful for me to compare configurations when I run into issues like this
one.

Right now there are three physical hosts:
1x management where I run the engine and db
2x hypervisor nodes.

I had it up and installed and running smooth this morning on
4.3.9.4-1.el7 on Scientific Linux 7.8 (fully patched).

I copied over our 3rd party certs from the running system and restarted
httpd. Perfect. SSL is running!
/etc/pki/ovirt-engine/apache-ca.pem
/etc/pki/ovirt-engine/certs/apache.cer
/etc/pki/ovirt-engine/keys/apache.key.nopass

Next I used ovirt-engine-extension-aaa-ldap-setup to point to our ldap
server. I did the login and search test and both passed on the command
line! Hooray!

Then I went to the web interface...

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

I'm digging through logs and I don't see anything close to this error
except nearly the identical message in engine.log.

ERROR [org.ovirt.engine.core.aaa.servlet.SslPostLoginServlet] (default
task-2) [] server_error: sun.security.validator.ValidatorException: PKIX
path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target

I can't log in via the web at all, I only get that message (so I can't
even test out the local admin). The aaa ldap configuration it generated
is darn near perfectly identical (just a name change). The certs are the
same. Even when I look in the keystore, the sha1 hashes are the same
between the two environments!

After over an hour poking at this, I'm completely stumped.

Can someone please give me a pointer on what I should try next?

Thanks!
~Stack~
___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YOR3ATLII3LYIBEYVOKTEE4RIYZGJR76/


[ovirt-users] Re: Multiple CephFS Monitors cause issues with oVirt

2018-08-29 Thread Stack Korora
On 08/29/2018 10:44 AM, Stack Korora wrote:
> On 08/29/2018 10:14 AM, Markus Stockhausen wrote:
>> Hi,
>>
>> maybe a foolish guess: Did you try this
>>
>> https://www.spinics.net/lists/ceph-devel/msg30958.html
>>
>> Best regards,
>>
>> Markus Stockhausen
>> Head of Software Technology
> Thanks, I thought about that but I have not tried it. I will add it to
> my list to check today and will report back if it works (though I don't
> see why it wouldn't). It is good to know that someone else has at least
> had success with having a DNS entry for the multiple CephFS monitor hosts.

A single DNS entry did not work. Red Hat's oVirt did not like mounting
it even though it works fine via command line. :-/

I now have a Red Hat ticket open so we will see what happens on that front.

Thanks!
~Stack~
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4RFPEUFOIGHKA6MD2JPC72SBD6GHIZPZ/


[ovirt-users] Re: Multiple CephFS Monitors cause issues with oVirt

2018-08-29 Thread Stack Korora
On 08/29/2018 10:14 AM, Markus Stockhausen wrote:
> Hi,
>
> maybe a foolish guess: Did you try this
>
> https://www.spinics.net/lists/ceph-devel/msg30958.html
>
> Best regards,
>
> Markus Stockhausen
> Head of Software Technology

Thanks, I thought about that but I have not tried it. I will add it to
my list to check today and will report back if it works (though I don't
see why it wouldn't). It is good to know that someone else has at least
had success with having a DNS entry for the multiple CephFS monitor hosts.

~Stack~
___
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3VJO3TMKB6WVOPORFDLC6D6OFWJDQGZS/


[ovirt-users] Re: Multiple CephFS Monitors cause issues with oVirt

2018-08-29 Thread Stack Korora
On 08/29/2018 09:28 AM, Nir Soffer wrote:
>
>
> On Wed, 29 Aug 2018, 15:48 Stack Korora <stackkor...@disroot.org> wrote:
>
> Greetings,
>
> My setup is a complete Red Hat install.
> Manager OS: RHEL 7.5
> Hypervisors OS: RHEL 7.5
> Running Red Hat CephFS (with their Ceph repos on all of the systems)
> with Red Hat Virtualization (aka oVirt).
> Everything is fully patched and updated as of yesterday morning.
>
> Yes, I have valid Red Hat support but I figured this was an odd enough
> problem that the community (and the Red-Hat-ers who hang out on this
> list) might have a better idea of where to start. (Although I
> might open
> a ticket anyway just because that is what support is for, right? :)
>
> Quick background:
>
> Your /etc/fstab when you mount a nfs should probably look
> something like
> this:
> :/path/ /mount/point nfs  0 0
>
> Just one IP is needed. Since part of the redundancy for Ceph is in the
> monitors, to mount CephFS the fstab should look something like this:
>
> ,,:/path/
> /mount/point ceph  0 0
>
> Both the Ceph community and Red Hat recommend the comma separator for
> mounting multiple CephFS monitor nodes. (See section 4.2 point 3)
> 
> https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/2/html/ceph_file_system_guide_technology_preview/mounting_and_unmounting_ceph_file_systems
>
>
> Now to oVirt/RHV.
>
> When I mount my Data Domain path as a Posix file system with a path of
> ":/path/" it works splendidly well (especially
> after
> the last Red Hat kernel update!). I've done a bunch of stuff to it and
> it seems to work every time. However, I don't have the redundancy of
> multiple Ceph Monitors.
>
> When I mount my Data Domain path as a Posix file system with a path of
> ",,:/path/"
> most things seem to work. But I noticed a higher rate of failures. The
> only failure that I can trigger 100% of the time though is to mount a
> second data import domain and attempt to copy a vm disk from the
> import
> into the CephFS Data domain. Then I get an error like this:
>
> would
> VDSM ovirt01 command HSMGetAllTasksStatusesVDS failed:
> low level Image copy failed:
> (u'Destination volume 7c1bb510-9f35-4456-8d51-0955f788ac3e error:
> ParamsList: sep , in
> 
> /rhev/data-center/mnt/,,:_ovirt_data/70fb34ad-e66d-43e6-8412-5e020baa34df/images/23991a68-0c43-433f-b1f9-48b1533da54a',)
>
> Uh, oh. It seems that the commas in the mount path are causing the
> problems. So I went looking through the logs for "sep , in" and
> found a
> bunch more hits which makes me think that this is actually the problem
> message.
>
> I've switched back to just one IP address for the time being but I
> obviously want the Ceph redundancy back. While running on just one IP,
> the vm disk that refused to copy before had no problem copying. The
> _only_ change I made was dropping two of the three IPs from the Data
> Domain path option.
>
> Is this a bug, or did I do something wrong?
>
>
>
> Looks like a bug, maybe vdsm is not parsing the mount spec correctly.
>
> Please file vdsm bug and attach vdsm logs showing the entire flow.
>
> Regardless, I'm not sure how well oVirt with cephfs is tested, or
> recommended.
>
> Adding Yaniv to add more info on this.
>
> Nir

Thank you. I can file a report today.



___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AJKZDJGU5TSF2HQXK3F6C6QPO5IQDWQ3/


[ovirt-users] Multiple CephFS Monitors cause issues with oVirt

2018-08-29 Thread Stack Korora
Greetings,

My setup is a complete Red Hat install.
Manager OS: RHEL 7.5
Hypervisors OS: RHEL 7.5
Running Red Hat CephFS (with their Ceph repos on all of the systems)
with Red Hat Virtualization (aka oVirt).
Everything is fully patched and updated as of yesterday morning.

Yes, I have valid Red Hat support but I figured this was an odd enough
problem that the community (and the Red-Hat-ers who hang out on this
list) might have a better idea of where to start. (Although I might open
a ticket anyway just because that is what support is for, right? :)

Quick background:

Your /etc/fstab when you mount a nfs should probably look something like
this:
:/path/ /mount/point nfs  0 0

Just one IP is needed. Since part of the redundancy for Ceph is in the
monitors, to mount CephFS the fstab should look something like this:

,,:/path/
/mount/point ceph  0 0

Both the Ceph community and Red Hat recommend the comma separator for
mounting multiple CephFS monitor nodes. (See section 4.2 point 3)
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/2/html/ceph_file_system_guide_technology_preview/mounting_and_unmounting_ceph_file_systems


Now to oVirt/RHV.

When I mount my Data Domain path as a Posix file system with a path of
":/path/" it works splendidly well (especially after
the last Red Hat kernel update!). I've done a bunch of stuff to it and
it seems to work every time. However, I don't have the redundancy of
multiple Ceph Monitors.

When I mount my Data Domain path as a Posix file system with a path of
",,:/path/"
most things seem to work. But I noticed a higher rate of failures. The
only failure that I can trigger 100% of the time though is to mount a
second data import domain and attempt to copy a vm disk from the import
into the CephFS Data domain. Then I get an error like this:

would
VDSM ovirt01 command HSMGetAllTasksStatusesVDS failed:
low level Image copy failed:
(u'Destination volume 7c1bb510-9f35-4456-8d51-0955f788ac3e error:
ParamsList: sep , in
/rhev/data-center/mnt/,,:_ovirt_data/70fb34ad-e66d-43e6-8412-5e020baa34df/images/23991a68-0c43-433f-b1f9-48b1533da54a',)

Uh, oh. It seems that the commas in the mount path are causing the
problems. So I went looking through the logs for "sep , in" and found a
bunch more hits which makes me think that this is actually the problem
message.

I've switched back to just one IP address for the time being but I
obviously want the Ceph redundancy back. While running on just one IP,
the vm disk that refused to copy before had no problem copying. The
_only_ change I made was dropping two of the three IP's from the Data
Domain path option.

Is this a bug, or did I do something wrong?

Does anyone have a suggestion for me to try?

Thank you!
~Stack~
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6VVKOIQIDEH5ZV5XPVO3ZTJKFZPVF2GG/
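
Added example, not part of the original post and not vdsm code: a pre-flight check showing why the multi-monitor mount spec described above cannot travel through a comma-joined parameter list, while the single-monitor spec can. All function names are hypothetical, the monitor addresses are constructed (RFC 5737 documentation range), and the "/" to "_" directory naming is inferred from the path in the error message.

```python
# Added illustration; not vdsm code. All names below are hypothetical.
MNT_ROOT = "/rhev/data-center/mnt"  # prefix visible in the error message in the post


class SeparatorInValue(ValueError):
    """An item contains the list separator, so the packed form is ambiguous."""


def split_spec(spec):
    """Split 'mon1,mon2,mon3:/path' into ([monitors], '/path')."""
    hosts, marker, path = spec.partition(":/")
    if not marker or not hosts:
        raise ValueError("not a host:/path mount spec: %r" % spec)
    monitors = hosts.split(",")
    if any(not m for m in monitors):
        raise ValueError("empty monitor entry in %r" % spec)
    return monitors, "/" + path


def mount_dir(spec):
    """Mount directory for a spec, following the pattern seen in the post:
    ':/ovirt/data' shows up as ':_ovirt_data'. Any further escaping the real
    tool applies is not modelled here (assumption)."""
    return MNT_ROOT + "/" + spec.rstrip("/").replace("/", "_")


def pack_params(items, sep=","):
    """Join items with sep, refusing any item that already contains sep.
    Without this refusal the receiver cannot split the string back into the
    same items."""
    for item in items:
        if sep in item:
            raise SeparatorInValue("sep %s in %s" % (sep, item))
    return sep.join(items)


def naive_roundtrip(items, sep=","):
    """Join then split with no check, to show how the fields get corrupted."""
    return sep.join(items).split(sep)


def preflight(spec, sep=","):
    """Report what an admin wants to know before using spec as a domain path."""
    monitors, path = split_spec(spec)
    directory = mount_dir(spec)
    return {
        "monitors": monitors,
        "path": path,
        "mount_dir": directory,
        "redundant": len(monitors) > 1,
        # False means any sep-joined parameter list carrying a path under
        # this directory will be rejected or mis-split.
        "packable": sep not in directory,
    }


# Constructed sample specs.
SINGLE = "192.0.2.11:/ovirt/data/"
MULTI = "192.0.2.11,192.0.2.12,192.0.2.13:/ovirt/data/"

if __name__ == "__main__":
    for spec in (SINGLE, MULTI):
        report = preflight(spec)
        print(report)
        # Placeholder ids stand in for the storage domain and image UUIDs.
        volume = report["mount_dir"] + "/SD_UUID/images/IMG_UUID"
        try:
            print("  packed:", pack_params([volume, "raw"]))
        except SeparatorInValue as err:
            print("  rejected:", err)
            print("  naive field count:", len(naive_roundtrip([volume, "raw"])))
```

The trade-off the post runs into is visible in the report: the spec with `redundant: True` is the one with `packable: False`.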


Re: [ovirt-users] Remote DB: How do you set server_version?

2018-05-02 Thread ~Stack~
On 05/02/2018 03:26 PM, Jamie Lawrence wrote:
> 
> I've been down this road. Postgres won't lie about its version for you.  If 
> you want to do this, you have to patch the Ovirt installer[1]. I stopped 
> trying to use my PG cluster at some point - the relationship between the 
> installer and the product (combined with the overly restrictive requirements 
> baked into the installer[2]) makes doing so an ongoing hassle. So I treat 
> Ovirt's PG as a black box; disappointing, considering that we are a very 
> heavy PG shop with a lot of expertise and automation I can't use with Ovirt.
> 
> If nothing has changed (my notes are from a few versions ago), everything you 
> need to correct is in
> 
> /usr/share/ovirt-engine/setup/ovirt_engine_setup/engine_common/constants.py
> 
> Aside from the version, you'll also have to make the knobs for vacuuming 
> match those of your current installation, and I think there was another 
> configurable for something else I'm not remembering right now.
> 
> Be aware that doing so is accepting an ongoing commitment to monkeying with 
> the installer a lot. At one time I thought doing so was the right tradeoff, 
> but it turns out I  was wrong.
> 
> -j
> 
> [1] Or you could rebuild PG with a fake version. That option was unavailable 
> here.
> [2] Not criticizing, just stating a technical fact. How folks apportion their 
> QA resources is their business.
>

Yikes! OK. Thanks for the warning. I've got better things to do with my
time. I will just skip this part of exploring. :-)

Thank you!
~Stack~



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] Remote DB: How do you set server_version?

2018-05-02 Thread ~Stack~
Greetings,

Exploring hosting my engine and ovirt_engine_history db's on my
dedicated PostgreSQL server.

This is a 9.5 install on a beefy box from the postgresql.org yum repos
that I'm using for other SQL needs too. 9.5.12 to be exact. I set up the
database just as the documentation says and I'm doing a fresh install of
my engine-setup.

During the install, right after I give it the details for the remote I
get this error:
[ ERROR ] Please set:
  server_version = 9.5.9
 in postgresql.conf on 'None'. Its location is usually
/var/lib/pgsql/data , or somewhere under /etc/postgresql* .

Huh?

Um. OK.
$ grep ^server_version postgresql.conf
server_version = 9.5.9

$ systemctl restart postgresql-9.5.service

LOG:  syntax error in file "/var/lib/pgsql/9.5/data/postgresql.conf"
line 33, n...n ".9"
FATAL:  configuration file "/var/lib/pgsql/9.5/data/postgresql.conf"
contains errors


Well that didn't work. Let's try something else.

$ grep ^server_version postgresql.conf
server_version = 9.5.9

$ systemctl restart postgresql-9.5.service
LOG:  parameter "server_version" cannot be changed
FATAL:  configuration file "/var/lib/pgsql/9.5/data/postgresql.conf"
contains errors

Whelp. That didn't work either. I can't seem to find anything in the
oVirt docs on setting this.

How am I supposed to do this?

Thanks!
~Stack~





Re: [ovirt-users] Is it possible to recover from a failed Engine host?

2018-05-02 Thread ~Stack~
On 05/02/2018 07:27 AM, Alexander Wels wrote:
> On Wednesday, May 2, 2018 8:03:53 AM EDT ~Stack~ wrote:
>> Greetings,
>>
>> I have a dev environment where it seems the hard drive on our Engine
>> host kicked the bucket (Yeah, I know. Smartmon. I watch it closely on
>> the systems I care about - this was a learning environment for me so I
>> didn't).
>>
>> The Hypervisors are fine and the VM's running on the Hypervisors are
>> fine...But I can't manage any of the Hypervisors. To make things a bit
>> more tricky, the SQL and the backups were on the drive that died. I
>> really don't have anything from that host. It's dev. I can rebuild. But
>> it is also a learning environment for me so might as well use this to learn.
>>
>> Is it possible for me to build a new Engine host and attach it to an
>> existing hypervisor environment? Better yet, would this be something I
>> could do as a hosted-engine-deploy? (something I haven't experimented
>> with yet.)
>>
>> Again, this is a play ground so if it goes horrifically wrong...oh well.
>> But I would really like to try to recover it for the learning
>> experience. I've been poking around in the documentation but I haven't
>> seen anything that seems to address this issue directly.
>>
>> Thoughts?
>>
>> Thanks!
>> ~Stack~
> 
> As long as the storage domain is intact you should be able to recover 
> everything. And it does sound like this is the case as the VMs are still 
> running. Basically you just install a new engine somewhere and then do the 
> following:
> 
> - Create new Data Center
> - Create new Cluster
> - You will need a host to add to your cluster. Add this host.
> - Create a small temporary storage domain, this will allow you to bring up the 
> data center which in turn will allow you to IMPORT the existing storage domain.
> - Once the DC is up, you can 'import' the existing storage domain, it will 
> warn you that the storage domain is still attached to another DC, but since 
> that engine is gone, you can ignore that.
> - Once the new DC is imported you can stop/detach/remove the small temporary 
> storage domain, which will make the imported storage domain, the master 
> domain.
> 
> Once all that is done, you can simply go to the storage domain, and 'import' 
> whatever VM/template you have stored on the storage domain, and it will show 
> up in the VM/template list. Then you add all your hosts and you should have a 
> running environment again.
> 

Thank you! I will give it a try and see what happens.
~Stack~






[ovirt-users] Is it possible to recover from a failed Engine host?

2018-05-02 Thread ~Stack~
Greetings,

I have a dev environment where it seems the hard drive on our Engine
host kicked the bucket (Yeah, I know. Smartmon. I watch it closely on
the systems I care about - this was a learning environment for me so I
didn't).

The Hypervisors are fine and the VM's running on the Hypervisors are
fine...But I can't manage any of the Hypervisors. To make things a bit
more tricky, the SQL and the backups were on the drive that died. I
really don't have anything from that host. It's dev. I can rebuild. But
it is also a learning environment for me so might as well use this to learn.

Is it possible for me to build a new Engine host and attach it to an
existing hypervisor environment? Better yet, would this be something I
could do as a hosted-engine-deploy? (something I haven't experimented
with yet.)

Again, this is a play ground so if it goes horrifically wrong...oh well.
But I would really like to try to recover it for the learning
experience. I've been poking around in the documentation but I haven't
seen anything that seems to address this issue directly.

Thoughts?

Thanks!
~Stack~





Re: [ovirt-users] Help debugging VM import error

2018-04-23 Thread ~Stack~
Thank you Roy and Benny for your assistance. I have opened the following
bug ticket:
https://bugzilla.redhat.com/show_bug.cgi?id=1571039

Please let me know if there is something else I can provide.

And thank you for your work on oVirt! :-)

~Stack~





Re: [ovirt-users] Help debugging VM import error

2018-04-23 Thread ~Stack~
On 04/23/2018 01:57 PM, Roy Golan wrote:
> Please open a bug including the logs.
> https://www.ovirt.org/community/get-involved/report-a-bug/

Sorry, got pulled onto another project that a coworker needed help on. I
will gladly file a bug report in the morning (or later tonight if I get
the chance).

> Also what is the exact version you are using?
4.2.2

Thanks!
~Stack~





[ovirt-users] Help debugging VM import error

2018-04-23 Thread ~Stack~
Greetings,

After my rebuild, I have imported my VM's. Everything went smooth and
all of them came back, except one. One VM gives me the error "General
command validation failure." which isn't helping me when I search for
the problem.

The oVirt engine logs aren't much better at pointing to what the failure
is (posted below).

Can someone help me figure out why this VM isn't importing, please?

Thanks!
~Stack~


2018-04-23 13:31:44,313-05 INFO
[org.ovirt.engine.core.bll.exportimport.ImportVmFromConfigurationCommand]
(default task-72) [6793fe73-7cda-4cb5-a806-7104a05c3c1b] Lock Acquired
to object 'EngineLock:{exclusiveLocks='[infra01=VM_NAME,
0b64ced5-7e4b-48cd-9d0d-24e8b905758c=VM]',
sharedLocks='[0b64ced5-7e4b-48cd-9d0d-24e8b905758c=REMOTE_VM]'}'
2018-04-23 13:31:44,349-05 ERROR
[org.ovirt.engine.core.bll.exportimport.ImportVmFromConfigurationCommand]
(default task-72) [6793fe73-7cda-4cb5-a806-7104a05c3c1b] Error during
ValidateFailure.: java.lang.NullPointerException
at
org.ovirt.engine.core.bll.validator.ImportValidator.validateStorageExistsForMemoryDisks(ImportValidator.java:140)
[bll.jar:]
at
org.ovirt.engine.core.bll.exportimport.ImportVmFromConfigurationCommand.isValidDisks(ImportVmFromConfigurationCommand.java:151)
[bll.jar:]
at
org.ovirt.engine.core.bll.exportimport.ImportVmFromConfigurationCommand.validate(ImportVmFromConfigurationCommand.java:103)
[bll.jar:]
at
org.ovirt.engine.core.bll.CommandBase.internalValidate(CommandBase.java:779)
[bll.jar:]
at
org.ovirt.engine.core.bll.CommandBase.validateOnly(CommandBase.java:368)
[bll.jar:]
at
org.ovirt.engine.core.bll.PrevalidatingMultipleActionsRunner.canRunActions(PrevalidatingMultipleActionsRunner.java:113)
[bll.jar:]
at
org.ovirt.engine.core.bll.PrevalidatingMultipleActionsRunner.invokeCommands(PrevalidatingMultipleActionsRunner.java:99)
[bll.jar:]
at
org.ovirt.engine.core.bll.PrevalidatingMultipleActionsRunner.execute(PrevalidatingMultipleActionsRunner.java:76)
[bll.jar:]
at
org.ovirt.engine.core.bll.Backend.runMultipleActionsImpl(Backend.java:596)
[bll.jar:]
at
org.ovirt.engine.core.bll.Backend.runMultipleActions(Backend.java:566)
[bll.jar:]
at sun.reflect.GeneratedMethodAccessor914.invoke(Unknown Source)
[:1.8.0_161]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_161]
at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_161]
at
org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at
org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
at
org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:78)
at
org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:88)
at
org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:101)
at
org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at
org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
at
org.ovirt.engine.core.bll.interceptors.CorrelationIdTrackerInterceptor.aroundInvoke(CorrelationIdTrackerInterceptor.java:13)
[bll.jar:]
at sun.reflect.GeneratedMethodAccessor71.invoke(Unknown Source)
[:1.8.0_161]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_161]
at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_161]
at
org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptor.java:89)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at
org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
[wildfly-ejb3-11.0.0.Final.jar:11.0.0.Final]
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at
org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
[wildfly-ee-11.0.0.Final.jar:11.0.0.Final]
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at
org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedIntercept

Re: [ovirt-users] Power management / fencing with Intel AMT

2018-04-21 Thread ~Stack~
On 04/21/2018 06:03 AM, Shawn Southern wrote:
> Does anyone have power management with Intel's Management Engine / AMT 
> working with oVirt 4.22?

Sorry. I don't have any experience with Intel AMT.

> I found this article @ RH, but I don't have access to read it. 
> https://access.redhat.com/solutions/913413

Basically it says "If you need this, open a Red Hat support case and
tell us because it isn't supported yet." It does give mention to amtterm
which I have no idea if it will be useful to you or not.

$ yum info amtterm
Available Packages
Name: amtterm
Arch: x86_64
Version : 1.6
Release : 1.el7
Size: 48 k
Repo: epel/x86_64
Summary : Serial-over-lan (sol) client for Intel AMT
URL : http://www.kraxel.org/blog/linux/amtterm/
License : GPLv2+
Description : Serial-over-lan (sol) client for Intel AMT.
: Includes a terminal and a graphical (gtk) version.
: Also comes with a perl script to gather informations
: about and remotely control AMT managed computers.

Hope this helps some.

~Stack~





Re: [ovirt-users] libzbxovirt - zabbix module for oVirt (proof-of-concept)

2018-04-19 Thread ~Stack~
On 04/19/2018 05:25 PM, Peter Hudec wrote:
> Hi,
> 
> I just wanted to share my work to get oVirt monitored by Zabbix. It
> could be good start for future work.
> 
> If interested, please see https://github.com/hudecof/libzbxovirt
> 
> There is still a lot of work on this, so any help is welcome.

Awesome! Thanks for your work. I will check it out.

~Stack~





Re: [ovirt-users] Unable to add host to cluster after network

2018-04-18 Thread ~Stack~
On 04/18/2018 09:55 AM, ~Stack~ wrote:
> On 04/18/2018 08:41 AM, Eitan Raviv wrote:
>> Hi Stack,
>>
>> I read through your ordeal and I would like to post a few comments:
> 
> Thanks I appreciate it!
> 
>>   * When I try to reproduce your scenario with the second network set to
>> 'not required' before on-boarding the second host, it  is processed
>> and set to 'up' by the engine without any hiccups or any errors in
>> the log.
> 
> Hrm. Yeah, I think I can reproduce the failure. I've only done it once,
> but I have the chance to test so just to make sure I've got the right
> information I'm going to run another test specifically for it.
> 

I agree with you, Eitan. I did a complete rebuild and made sure my
alternate network was set to 'not required' before adding the second
host. I successfully added a second host. It is possible I did something
else wrong in that first test.

Since this is an acceptable work-around for now, I am going to finish
building my hosts out so I can move forward with this project.

I would still like feedback on my other questions in the original post
if anyone is willing.

Thanks!
~Stack~





Re: [ovirt-users] Unable to add host to cluster after network

2018-04-18 Thread ~Stack~
On 04/18/2018 09:55 AM, ~Stack~ wrote:
> On 04/18/2018 08:41 AM, Eitan Raviv wrote:
[snip]

>> but on my setup it can be resolved: initially the second
>> network is proclaimed missing and the host becomes non-operational,
>> with its interfaces disappearing from the engine as you reported.
>> But if the second network is rendered 'not-required' or even deleted
>> for that matter from the engine, engine succeeds in reconnecting to
>> the second host within a couple of minutes, and the host gains 'up'
>> status.
> 
> Setting the second network to 'not-required' does not seem to break my
> hosts out of their infinite loop.

Confirmed. Setting the second network to 'not required' did not break
the loop. I hard powered off the box, let ovirt set it as down (thus
breaking the loop), then powered it back on. The loop continued (at
least twice anyway - takes roughly 5 minutes for a loop).

> 
> I haven't tried deleting the second network yet. Let me try that before
> I rebuild to test the first point.

Confirmed. Same thing as above only this time I deleted every network
but ovirtmgmt. Again, went through 2 full loops without resolving.

I am going to do a fresh rebuild and test by having the second network
set to 'not required' before adding a second host.

~Stack~





Re: [ovirt-users] Unable to add host to cluster after network

2018-04-18 Thread ~Stack~
On 04/18/2018 08:41 AM, Eitan Raviv wrote:
> Hi Stack,
> 
> I read through your ordeal and I would like to post a few comments:

Thanks I appreciate it!

>   * When I try to reproduce your scenario with the second network set to
> 'not required' before on-boarding the second host, it  is processed
> and set to 'up' by the engine without any hiccups or any errors in
> the log.

Hrm. Yeah, I think I can reproduce the failure. I've only done it once,
but I have the chance to test so just to make sure I've got the right
information I'm going to run another test specifically for it.


>   * On the other hand, if the network is 'required' the scenario
> reproduces,

Whoo! I'm not completely crazy! I'm just lucky to discover a new bug I
suppose. :-)

> but on my setup it can be resolved: initially the second
> network is proclaimed missing and the host becomes non-operational,
> with its interfaces disappearing from the engine as you reported.
> But if the second network is rendered 'not-required' or even deleted
> for that matter from the engine, engine succeeds in reconnecting to
> the second host within a couple of minutes, and the host gains 'up'
> status.

Setting the second network to 'not-required' does not seem to break my
hosts out of their infinite loop.

I haven't tried deleting the second network yet. Let me try that before
I rebuild to test the first point.

Thank you for your feedback. It is much appreciated.

~Stack~





[ovirt-users] Unable to add host to cluster after network

2018-04-17 Thread ~Stack~
tVdsStatusVDSCommandParameters:{hostId='f0a3d515-8ba2-490e-8d65-54edbb52cefc',
status='NonOperational', nonOperationalReason='NETWORK_UNREACHABLE',
stopSpmFailureLogged='false', maintenanceReason='null'}), log id: 7459a748

Which network is unreachable? Because every single one of them is fine! Ugh!

I am completely stumped as to why it works perfectly
pre-additional-networks but fails every time after a network is configured.

A couple of questions.

1. I assume people have added hosts _after_ they've configured multiple
networks. So what am I doing wrong? Why am I unable to add a host?
Again, if I don't configure that second network, it will happily add all
my hosts. But what happens when I want to add a host in the future?

2. How do I break that infuriating infinite non-operational loop? I
can't put it into maintenance mode, I can't delete the host, or anything
else. The options are greyed out. The only solution I've found is yank
the power and after it freaks out for about 30 minutes because it can't
find the host, it will stop trying. But I still can't seem to remove the
bad host. There has to be a way via command-line to say "stop timing
out, knock that off, and delete this host!" but I'm not finding it in my
searching.

3. I feel like I go through periods with oVirt where everything is
running exactly the way I want then something happens (like me trying to
add a host! Or thinking I can just change a host IP without the whole
thing dying on me!) and it all just falls apart. I feel like I am just
stumbling through most of it. I've previously gotten a lot out of the
Red Hat classes and work has offered to send me to a training of my
choice this year. I am really considering taking the 318 Virtualization
class. I'm curious though, how close is that to what I would be working
with oVirt? I'm guessing that since 4.2 recently came out, there is
probably minimal chance the class will be over 4.2 but maybe it is close
enough? I would love to hear feedback.

Thanks!
~Stack~





Re: [ovirt-users] I broke my ovirt real good....

2018-04-16 Thread ~Stack~
On 04/16/2018 10:02 AM, Alexander Wels wrote:
> On Friday, April 13, 2018 6:48:31 PM EDT ~Stack~ wrote:
[snip]
>> It just sits there and in the log files there is the below messages
>> repeating. It's like it doesn't care for the fact that this was an
>> imported domain or something.
>>
>> Thoughts?
>>
>> Thanks!
>> ~Stack~
>>
> 
> Don't know too much about the VDSM side of things. But obviously it's looking 
> for a storage domain it can't find anymore. You can try restarting VDSM (won't 
> affect running VMs) and see if it rescans the available storage domains and won't 
> try to access it during the migration of the VMs. Other than that I don't know.

No worries. Thanks for responding. One of my hosts has gone berserk
anyway so I'm just going to do a complete fresh reinstall tomorrow.

The host says "Host has no default route" which is a load of bull.
There's nothing wrong with the default route or network connectivity.
However, oVirt puts it into non-operational where it will sit for about
20 minutes. When it finally actually stops that process, it immediately
(milliseconds later) puts it into "activating" but then complains about
the default route and the whole process starts over again.

There's something wrong with this install so I'm just going to take the
nuke-it-from-orbit-and-start-over approach tomorrow morning.

~Stack~





Re: [ovirt-users] I broke my ovirt real good....

2018-04-13 Thread ~Stack~
On 04/13/2018 07:16 AM, Alexander Wels wrote:
> On Thursday, April 12, 2018 6:26:07 PM EDT ~Stack~ wrote:
>> Greetings,
>>
>> So I did an over-confident-admin-makes-rookie-mistake. I changed a bunch
>> of things all back-to-back and thus don't actually know what broke. :-D
>>
>> The only two real "big" changes were:
>> * Upgrade from 4.2.1 to 4.2.2
>> * change my ovirtmgmt network
>>
>> The update I followed the upgrade procedures and I thought it all went
>> pretty well. Because I am moving it from a testing into what I hope will
>> be a more heavily used environment, I changed my ovirtmgmt network from
>> 192.168.100.0/24 to 192.168.101.0/24 via the web-gui.
>>
>> That was a touch trickier than just a change as I had to poke the
>> management engine host to be reachable on both networks for a while, then
>> it just seemed OK.
>>
>> What's happening is:
>> * I can no longer migrate a vm from one host to the other.
>> * If I try to do a "reinstall" it dies.
>> * There is some serious network lag between my hosts on a 10Gb network.
>> * I've got all kinds of python2.4 failures in my vdsm and mom logs.
>>
>> Those are at least the biggies.
>>
>> So while I was planning on moving this to a more active use case, right
>> now - it is all still my play ground. I would REALLY hate to lose the
>> VM's but everything else can go and be rebuilt.
>>
>> Given that I've somehow really broke this system pretty good, would it
>> be more advisable to blow away and rebuild it ALL or can I simply delete
>> the hypervisor hosts and rebuild them?
>>
>> Thoughts?
>>
>> Thanks!
>> ~Stack~
> 
> As long as you don't destroy the data on your data domain you can rebuild the 
> engine and hosts and then import the existing data domain without too many 
> issues. I have destroyed my engine database many times, and I am still using 
> the same VMs from the same data domain.
> 
> Here is what I do when I mess up my database to the point I have to make a 
> new one:
> 
> 1. Recreate the engine and database, so that I basically have an empty 
> engine with no hosts and VMs.
> 1.1 (Optional) make a new DC that is not default. and add a cluster.
> 2. Add my hosts (I only have 2 so that is quick and easy).
> 3. Add a throw away data domain (This is needed to get the DC up so I can 
> import the existing data domain).
> 4. Import (NOT new, import) the existing data domain.
> 5. Go to Storage->Storage Domains->VM import and import the VMs I want.
> 6. Same for templates and disks if needed.
> 7. After you have imported the VMs/Templates/Disks you can detach and remove 
> the throw away data domain and the one you imported becomes the master domain.
> 
> Note if you want to move VMs between your play ground and more serious system 
> you can simply detach your data domain from the play ground, then attach it to 
> the serious engine (so you have 2 engines, one play ground and one serious) 
> and import which VMs you want. That way you won't run into issues with 
> configuring networks and stuff like you experienced.
> 

Thanks for that help. I did that and everything looks fantastic...except
I can't migrate VM's. :-/

It just sits there and in the log files there is the below messages
repeating. It's like it doesn't care for the fact that this was an
imported domain or something.

Thoughts?

Thanks!
~Stack~


2018-04-13 16:58:59,920-0500 ERROR (monitor/232975a) [storage.Monitor]
Setting up monitor for 232975ad-1771-4b6b-afda-958f7b745867 failed
(monitor:329)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/storage/monitor.py", line
326, in _setupLoop
self._setupMonitor()
  File "/usr/lib/python2.7/site-packages/vdsm/storage/monitor.py", line
348, in _setupMonitor
self._produceDomain()
  File "/usr/lib/python2.7/site-packages/vdsm/utils.py", line 158, in
wrapper
value = meth(self, *a, **kw)
  File "/usr/lib/python2.7/site-packages/vdsm/storage/monitor.py", line
366, in _produceDomain
self.domain = sdCache.produce(self.sdUUID)
  File "/usr/lib/python2.7/site-packages/vdsm/storage/sdc.py", line 110,
in produce
domain.getRealDomain()
  File "/usr/lib/python2.7/site-packages/vdsm/storage/sdc.py", line 51,
in getRealDomain
return self._cache._realProduce(self._sdUUID)
  File "/usr/lib/python2.7/site-packages/vdsm/storage/sdc.py", line 134,
in _realProduce
domain = self._findDomain(sdUUID)
  File "/usr/lib/python2.7/site-packages/vdsm/storage/sdc.py", line 151,
in _findDomain
return findMethod(sdUUID)
  File "/usr/lib/python2.7/site-packages/vdsm/storage/sd

Re: [ovirt-users] I broke my ovirt real good....

2018-04-13 Thread ~Stack~
On 04/13/2018 03:02 AM, Michael Mortensen (MCMR) wrote:
> Hi Stack,
> 
> Do you use FQDN? Did you perhaps hit this one 
> https://www.ovirt.org/blog/2016/05/modify-ifcfg-files/ ? The discussion in 
> this bug report may be of assistance in that case: 
> https://bugzilla.redhat.com/show_bug.cgi?id=1252534

That looks very interesting! I will investigate that.

> If you've stored the VM disks and templates and whatnot on a network share 
> like NFS, you should be able to start all over and import your old (current) 
> storage domains and start using your templates etc.

I am currently using NFS. I will see how this networking issue you
pointed me to works out, then maybe rebuild.

Thank you for the assistance!
~Stack~



signature.asc
Description: OpenPGP digital signature
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] I broke my ovirt real good....

2018-04-12 Thread ~Stack~
Greetings,

So I did an over-confident-admin-makes-rookie-mistake. I changed a bunch
of things all back-to-back and thus don't actually know what broke. :-D

The only two real "big" changes were:
* Upgrade from 4.2.1 to 4.2.2
* change my ovirtmgmt network

For the update I followed the upgrade procedures and I thought it all went
pretty well. Because I am moving it from a testing into what I hope will
be a more heavily used environment, I changed my ovirtmgmt network from
192.168.100.0/24 to 192.168.101.0/24 via the web-gui.

That was a touch trickier than just a change as I had to poke the
management engine host to be reachable on both networks for a while, then
it just seemed OK.

What's happening is:
* I can no longer migrate a vm from one host to the other.
* If I try to do a "reinstall" it dies.
* There is some serious network lag between my hosts on a 10Gb network.
* I've got all kinds of python2.4 failures in my vdsm and mom logs.

Those are at least the biggies.

So while I was planning on moving this to a more active use case, right
now - it is all still my play ground. I would REALLY hate to lose the
VM's but everything else can go and be rebuilt.

Given that I've somehow really broken this system pretty good, would it
be more advisable to blow away and rebuild it ALL or can I simply delete
the hypervisor hosts and rebuild them?

Thoughts?

Thanks!
~Stack~






Re: [ovirt-users] How it is oVirt used in your Department?

2018-04-10 Thread ~Stack~
On 04/09/2018 08:00 AM, Yaniv Kaul wrote:
> On Sun, Apr 8, 2018 at 5:33 PM, ~Stack~ <i.am.st...@gmail.com
[snip]
>> I'm still learning how to set up something where my users can click a
>> button on a webpage and get a VM spun up for a Graphical session on
>> oVirt. I'm also still debating on the pros/cons for setting up oVirt
>> VM's for things like JupyterNotebooks/RStudio Server/etc for the "I just
>> want a web page to develop my code on and will submit to the cluster for
>> the job run" crowd.
> 
> 
> Few options to consider:
> 1. oVirt user portal (with VM pools perhaps?)
> 2.  vagrant with the oVirt provider
> 3. ManageIQ service portal
> 4. Ansible playbooks - a simple rule could suffice for most tasks.

I've been looking at 1.
I haven't considered 2 yet - Interesting thought that I will look into.
I just saw 3 for the first time from Paul's post and it looks very
interesting!
4 is on my potential list too.

Thanks!
~Stack~





Re: [ovirt-users] How it is oVirt used in your Department?

2018-04-10 Thread ~Stack~
On 04/09/2018 07:01 AM, Alexander Wels wrote:
> On Sunday, April 8, 2018 10:33:50 AM EDT ~Stack~ wrote:
[snip]

>> Foreman is an overcomplicated buggy headache, IMO. Every time I or a
>> coworker has tried to get it going it has been a massive
>> time-suck-crash-and-burn. Add to it that my current security team has
>> HUGE issues with Puppet (don't get me started - I like Puppet) and
>> building Foreman by hand with Salt is just an awful awful awful
>> experience I wouldn't wish on an enemy...just no. :-)
>> DigitalRebar was looking SUPER promising, but they recently went to a
>> model that MUST chat out to the Internet or it breaks itself (a complete
>> no-go for me). A complete shame.
>> So I'm back to Cobbler which is simple and works fantastically well, but
>> doesn't really have any integrations into oVirt (that I'm aware of). I'm
>> probably going to have to write something with the two API's.
>>
> 
> Have you looked at ansible? You can make some playbooks that call the REST 
> api 
> and have it deploy the VMs for you. Or if you feel like writing your own 
> portal you can use the Java or Python SDK to access the REST api.
> 

I have. It is one of the tools I've considered using. Thanks!
~Stack~





Re: [ovirt-users] How it is oVirt used in your Department?

2018-04-08 Thread ~Stack~
On 03/28/2018 05:31 AM, Fedele Stabile Nuovo Server wrote:
> My question is mainly addressed at those of you who use oVirt not only
> for creating services on virtual machines.
> What is your experience and what did you make?

Still consider myself an oVirt newb. Only been using it for a few months
but I'm liking it so far. I don't have the hardware specs in front of me
but I have a 4 node Hypervisor setup with a physical Engine host. All
running on Scientific Linux 7.

> Is there anyone who virtualized an HPC cluster?

I'm still not convinced that virtualized HPC is a good idea for those
who need compute performance. Though it is getting better than when I
first heard someone say they were doing it at Supercomputing14!

> What is for you the advantage on virtualizing a cluster?

Um. As a 14-year HPC admin, I still say none for compute. However, I am
using oVirt to support a ton of my infrastructure services: Frontends,
Log-ins, Scheduler, Database, LDAP, etc.

I'm still learning how to set up something where my users can click a
button on a webpage and get a VM spun up for a Graphical session on
oVirt. I'm also still debating on the pros/cons for setting up oVirt
VM's for things like JupyterNotebooks/RStudio Server/etc for the "I just
want a web page to develop my code on and will submit to the cluster for
the job run" crowd.

It is a huge learning process for me. Most of the tools I've been using
have worked great for years, but it is time to update and refresh those
skills. Most of the provisioning tools I've used in the past don't work
so well with oVirt. So now I'm exploring other tools.

Foreman is an overcomplicated buggy headache, IMO. Every time I or a
coworker has tried to get it going it has been a massive
time-suck-crash-and-burn. Add to it that my current security team has
HUGE issues with Puppet (don't get me started - I like Puppet) and
building Foreman by hand with Salt is just an awful awful awful
experience I wouldn't wish on an enemy...just no. :-)
DigitalRebar was looking SUPER promising, but they recently went to a
model that MUST chat out to the Internet or it breaks itself (a complete
no-go for me). A complete shame.
So I'm back to Cobbler which is simple and works fantastically well, but
doesn't really have any integrations into oVirt (that I'm aware of). I'm
probably going to have to write something with the two API's.


> Or, having a class with PC or Raspberry is better to use LTSP or PiNet
> or virtualize desktops?
Can't say. Don't mess with Raspberry Pi's much.

~Stack~





Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-11 Thread ~Stack~
On 02/11/2018 02:41 AM, Yedidyah Bar David wrote:
> On Sun, Feb 11, 2018 at 10:26 AM, Yaniv Kaul <yk...@redhat.com> wrote:
>>
>>
>> On Sun, Feb 11, 2018 at 2:43 AM, ~Stack~ <i.am.st...@gmail.com> wrote:

[snip]

>>> We decided to just start from scratch and my coworker watched and
>>> confirmed every step. It works! No problems at all this time. Further
>>> evidence that I goofed _something_ up the first time.
>>
>>
>> We should really have an Ansible role that performs the conversion to
>> self-signed certificates.
>> That would make the conversion easier and safer.
> 
> +1
> 
> Not sure "self-signed" is the correct term here. Also the internal
> engine CA's cert is self-signed.
> 
> I guess you refer to this:
> 
> https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
> 
> I'd call it "configure-3rd-party-CA" or something like that.

Greetings,

Another +1 from me (obviously! :-).

I also agree in that we are not doing a self-signed cert, but rather
we've purchased a cert from one of the big-name-CA-vendors that is valid
for our domain. "configure-3rd-party-CA" makes more sense to me.

Lastly, that is the link that I used for a guide.

Thanks!
~Stack~







Re: [ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-10 Thread ~Stack~
On 02/08/2018 06:42 AM, Petr Kotas wrote:
> Hi Stack,

Greetings Petr

> have you tried it on other linux distributions? Scientific is not
> officially supported.

No, but SL isn't really any different than CentOS. If anything, we've
found it adheres closer to RH than CentOS does.

> My guess based on your log is there are somewhere missing certificates,
> maybe different path?
> You can check the paths by the documentation:
> https://www.ovirt.org/develop/release-management/features/infra/pki/#vdsm
>
> Hope this helps.


Thanks for the suggestion. It took a while but we dug into it and I
*think* the problem was because I may have over-written the wrong cert
file in one of my steps. I'm only about 80% certain of that, but it
seems to match what we found when we were digging through the log files.

We decided to just start from scratch and my coworker watched and
confirmed every step. It works! No problems at all this time. Further
evidence that I goofed _something_ up the first time.

Thank you for the suggestion!
~Stack~






[ovirt-users] Issue with 4.2.1 RC and SSL

2018-02-07 Thread ~Stack~
Greetings,

I was having a lot of issues with 4.2 and 95% of them are in the change
logs for 4.2.1. Since this is a new build, I just blew everything away
and started from scratch with the RC release.

The very first thing that I did after the engine-config was to set up my
SSL cert. I followed the directions from here:
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

Logged in the first time to the web interface and everything worked! Great.

Install my hosts (also completely fresh installs - Scientific Linux 7
fully updated) and none would finish the install...


I can send the full host debug log if you want, however, I'm pretty sure
that the problem is because of the SSL somewhere. I've cut/pasted the
relevant part.

Any advice/help, please?

Thanks!
~Stack~


2018-02-07 16:56:21,697-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
otopi.plugins.ovirt_host_deploy.tune.tuned.Plugin._misc (None)
2018-02-07 16:56:21,698-0600 DEBUG otopi.context
context._executeMethod:128 Stage misc METHOD
otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id
2018-02-07 16:56:21,698-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id (None)
2018-02-07 16:56:21,699-0600 DEBUG otopi.transaction
transaction._prepare:61 preparing 'File transaction for '/etc/vdsm/vdsm.id''
2018-02-07 16:56:21,699-0600 DEBUG otopi.filetransaction
filetransaction.prepare:183 file '/etc/vdsm/vdsm.id' missing
2018-02-07 16:56:21,705-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
otopi.plugins.ovirt_host_deploy.vdsm.vdsmid.Plugin._store_id (None)
2018-02-07 16:56:21,706-0600 DEBUG otopi.context
context._executeMethod:128 Stage misc METHOD
otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks
2018-02-07 16:56:21,706-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks (None)
2018-02-07 16:56:21,707-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   **%EventEnd STAGE misc METHOD
otopi.plugins.ovirt_host_deploy.vdsmhooks.hooks.Plugin._hooks (None)
2018-02-07 16:56:21,707-0600 DEBUG otopi.context
context._executeMethod:128 Stage misc METHOD
otopi.plugins.ovirt_host_common.vdsm.pki.Plugin._misc
2018-02-07 16:56:21,708-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   **%EventStart STAGE misc METHOD
otopi.plugins.ovirt_host_common.vdsm.pki.Plugin._misc (None)
2018-02-07 16:56:21,708-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   ### Setting up PKI
2018-02-07 16:56:21,709-0600 DEBUG
otopi.plugins.ovirt_host_common.vdsm.pki plugin.executeRaw:813 execute:
('/usr/bin/openssl', 'req', '-new', '-newkey', 'rsa:2048', '-nodes',
'-subj', '/', '-keyout', '/tmp/tmpQkrIuV.tmp'), executable='None',
cwd='None', env=None
2018-02-07 16:56:21,756-0600 DEBUG
otopi.plugins.ovirt_host_common.vdsm.pki plugin.executeRaw:863
execute-result: ('/usr/bin/openssl', 'req', '-new', '-newkey',
'rsa:2048', '-nodes', '-subj', '/', '-keyout', '/tmp/tmpQkrIuV.tmp'), rc=0
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   ###
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   ###
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   ### Please issue VDSM
certificate based on this certificate request
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   ###
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   ***D:MULTI-STRING
VDSM_CERTIFICATE_REQUEST --=451b80dc-996f-432e-9e4f-2b29ef6d1141=--
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND   -BEGIN CERTIFICATE REQUEST-
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND
MIICRTCCAS0CAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZm
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND
eYTWbHKkN+GlQnZ8C6fdk++htyFE+IHSzkhTyTSZdM0bPTdvhomTeCwzNlWBWdU+
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND
PrVB7j/1iksSt6RXDQUWlPDPBNfAa6NtZijEaGuxAe0RpI71G5feZmgVRmtIfrkE
2018-02-07 16:56:21,757-0600 DEBUG otopi.plugins.otopi.dialog.machine
dialog.__logString:204 DIALOG:SEND
5BjhnCMJW46y9Y7dc2TaXzQqeVj0nkWkHt0v6AVdRWP3OHfOCvqoABny1urStvFT
2018-02-07 16:56:21,757-0600 DEBUG

Re: [ovirt-users] noVNC console is not work

2018-01-22 Thread ~Stack~
On 01/22/2018 05:48 AM, Pym wrote:
> Hi:
>
[snip]
> When I click on the Console function of the virtual machine, the new
> page will always display Loading.
[snip]



Greetings,

I ran into this today as well.
Scientific Linux 7, all updated. Firewall + SELinux enabled, but
engine-setup configured all of that so the ports are open.

Nothing wrong with the certs that I can tell. Browser trusts them. I'm
on the same network as the servers so it isn't firewall/network issues.

When I run 'systemctl status ovirt-websocket-proxy' it says
it is proxying to *:6100. But I don't get anything more than "loading".

Any thoughts as to where I should look next?

Thanks!
~Stack~






Re: [ovirt-users] oVirt 2018 Survey

2018-01-16 Thread ~Stack~
Greetings,
FYI, your Ubuntu options are antiquated.

12.10, 13.04, 13.10 are all unsupported.

12.04 is only in extended security maintenance.

I believe the options should be 12.04, 14.04, 16.04, and 17.10 (latest
non-LTS).

~Stack~


On 01/16/2018 02:33 AM, Sandro Bonazzola wrote:
> As we continue to develop oVirt 4.2 and future releases, the Development
> and Integration teams at Red Hat would value 
> insights on how you are deploying the oVirt environment. Please help us
> to hit the mark by completing this short survey. Survey will close on
> February 1st.
> 
> Here's the link to the survey: https://goo.gl/forms/cAKWAR8RD7rGrVhE2
> 
> Thanks,






Re: [ovirt-users] oVirt 4.2 CEPH support

2018-01-08 Thread ~Stack~
On 01/08/2018 07:15 AM, Gianluca Cecchi wrote:
> Probably he refers to this blog:
> https://rhelblog.redhat.com/2018/01/04/red-hat-virtualization-4-2-beta-is-live/
> 
> with:
> "
> *Support for Ceph via iSCSI* – The Ceph iSCSI target has been tested and
> certified as a storage domain for virtual machines. This provides more
> infrastructure and deployment choices for engineers and architects.
> "
> 
> It seems a described feature that didn't get any referral in oVirt 4.2
> release notes:
> https://ovirt.org/release/4.2.0/
> 
> But I think in general, given a version, it is not guaranteed that what
> in RHEV maps with what in oVirt and vice versa.
> I don't know if this one about Ceph via iSCSI is one of them.

ErrrWHAA???

If Ceph support is in oVirt, I am about to be extremely excited. I
just racked the hardware for a new oVirt install today and the Ceph gear
is showing up in a few weeks. I was planning on setting up a dedicated
NFS server for VM's essentially having two storage domains, but if I can
just have Ceph...I would be a very happy sys admin!

~Stack~





Re: [ovirt-users] Import VM's from a dead ovirt domain

2017-11-04 Thread ~Stack~
On 11/04/2017 09:36 PM, Wesley Stewart wrote:
> I am quite new to oVirt and only use it at home for the moment.  So I
> won't be of much help.

That's OK. I'm quite new myself and learning a lot!

> But I was able to add a new export domain, and then copy the original
> contents of my old domain into this export domain, which seemed to work
> fine.  I just had to hit the "load" button while in the import section
> of the web gui (but I am assuming you have done this already).

Yeah, I did try this but I couldn't get it to show anything when I hit
load. I tried copying it into just about every folder in the export
domain hoping I was just putting it in the wrong spot. Never got this to
work. *shrug*

> I have struggled understanding why you cannot simply just point to an
> oVirt VM file and import this way, or "import" an export domain that
> already exists.

Yeah. That's what I was hoping for at first, but maybe I just don't know
how to do it right yet.

Thanks for taking the time to respond!
~Stack~






Re: [ovirt-users] Import VM's from a dead ovirt domain

2017-11-04 Thread ~Stack~
On 11/04/2017 09:36 PM, Wesley Stewart wrote:
> I am quite new to oVirt and only use it at home for the moment.  So I
> won't be of much help.
> 
> But I was able to add a new export domain, and then copy the original
> contents of my old domain into this export domain, which seemed to work
> fine.  I just had to hit the "load" button while in the import section
> of the web gui (but I am assuming you have done this already).
> 
> I have struggled understanding why you cannot simply just point to an
> oVirt VM file and import this way, or "import" an export domain that
> already exists.
> 
> On Sat, Nov 4, 2017 at 3:07 PM, ~Stack~ <i.am.st...@gmail.com
> <mailto:i.am.st...@gmail.com>> wrote:
> 
> Greetings,
> 
> Per my earlier adventures this week, my old domain is kaput. However,
> all of the VM's were stored on a remote NFS server. I've been trying and
> trying to import the VM's by copying them into the new data/export
> domains, but it's not seeing them and I'm not getting much out of my
> Internet searches.
> 
> Thoughts on how I can import the old VM's into the new domain?
> 
> Thanks!
> ~Stack~
> 
> 
> 
> 
> 






Re: [ovirt-users] Import VM's from a dead ovirt domain

2017-11-04 Thread ~Stack~
On 11/04/2017 04:08 PM, Joop wrote:
> On 4-11-2017 20:07, ~Stack~ wrote:
>> Greetings,
>>
>> Per my earlier adventures this week, my old domain is kaput. However,
>> all of the VM's were stored on a remote NFS server. I've been trying and
>> trying to import the VM's by copying them into the new data/export
>> domains, but it's not seeing them and I'm not getting much out of my
>> Internet searches.
>>
>> Thoughts on how I can import the old VM's into the new domain?
>>
> Add a temporary new data domain, without a master data domain you can't
> do much. After that you can import the old domain without making copies.

When I was dealing with my previous issue, this method was not working.
I was going to respond that this was a no-go, but thought "Well, this is
now a completely fresh build...I should try it."

And it worked!!

So further evidence that my previous install was just completely borked.

While slightly traumatic, this has been quite the educational learning
experience. :-)

Thank you very much for the suggestion.
~Stack~





[ovirt-users] Import VM's from a dead ovirt domain

2017-11-04 Thread ~Stack~
Greetings,

Per my earlier adventures this week, my old domain is kaput. However,
all of the VM's were stored on a remote NFS server. I've been trying and
trying to import the VM's by copying them into the new data/export
domains, but it's not seeing them and I'm not getting much out of my
Internet searches.

Thoughts on how I can import the old VM's into the new domain?

Thanks!
~Stack~






Re: [ovirt-users] oVirt management has lost its SSL.

2017-11-03 Thread ~Stack~
On 11/03/2017 01:17 PM, ~Stack~ wrote:
> On 11/03/2017 12:48 PM, Alexander Wels wrote:

>> But if all else fails you should be able to create a fresh engine, and after 
>> you have added a host, you should be able to import the existing storage 
>> domain (like you noted the VMs are still there).
>>
>>
> Greetings,
> Thanks, but I've tried that too. Even though it did delete the keystore,
> I ended up with the exact same error. :-(
> 
> I'm doing a fresh install right now. I've never done an import like this
> before. I just connect the fresh install to one of my hosts and I can
> import the other hosts/vms/configurations?
> 
> Thanks!
> ~Stack~
> 
> 

Bender: Are we boned?
Leela: Yeah, we're boned


So I built a new management host from scratch. I added one of my hosts,
and immediately crashed the vm's running on that hypervisor (they all
just stopped responding). I don't know why they didn't fail over, but
they didn't. Oh well. At least the other hypervisor is up!

So I tried following this guide to import my storage domain from the
section "Disaster Recovery flows" for "Import file Storage Domain".

https://www.ovirt.org/develop/release-management/features/storage/importstoragedomain/

Yeah. That didn't work. It says it can't find any other domains to
import, but if I attempt to create a new one it says it can't because
there are existing domains!

Well, while I was poking at it the other VM's started acting up (crazy
high latency and the ovirt logs were really pissed at me). So I shut off
the ones that still responded, then shut down the other hypervisor. I
backed up the VM's on my NFS share, and created a new directory for the
data domain.

Guess I'm rebuilding my environment from scratch. I just hope I can get
some of the VM's to come back somehow. :-/

~Stack~






Re: [ovirt-users] oVirt management has lost its SSL.

2017-11-03 Thread ~Stack~
On 11/03/2017 12:48 PM, Alexander Wels wrote:
> 
> AFAIC engine-setup will create the files needed. Try running engine-cleanup 
> and maybe it will remove everything needed and then running engine-setup 
> again?
> 
> But if all else fails you should be able to create a fresh engine, and after 
> you have added a host, you should be able to import the existing storage 
> domain (like you noted the VMs are still there).
> 
> 
Greetings,
Thanks, but I've tried that too. Even though it did delete the keystore,
I ended up with the exact same error. :-(

I'm doing a fresh install right now. I've never done an import like this
before. I just connect the fresh install to one of my hosts and I can
import the other hosts/vms/configurations?

Thanks!
~Stack~






Re: [ovirt-users] oVirt management has lost its SSL.

2017-11-03 Thread ~Stack~
On 11/03/2017 12:23 PM, Alexander Wels wrote:
> On Friday, November 3, 2017 1:15:27 PM EDT ~Stack~ wrote:
>> Greetings,
>>
>> I'm seriously just grasping at straws here. I took a spare hard drive,
>> tossed it in the management host, and did a fresh install. It did not
>> like me trying to add it into the existing infrastructure. Tried to dump
>> the DB from the old to the new, update the passwords, and pretty much
>> ended up in the same place.
>>
>> I did check the .trustedkeystore and it has the same 1 key as my
>> original back up. So that isn't the issue.
>>
>> Still poking at it. Would love some thoughts/feedback.
>>
>> Thanks!
>> ~Stack~
>>
> 
> Running engine-setup on the engine machine should re-generate the keys.

Thanks for the suggestion. I've tried that. Twice. Still the same error.

"Keystore was tampered with, or password was incorrect."

From digging around in the logs, it looks like it is trying to access
/etc/pki/ovirt-engine/.trustedstore but the password found in the ovirt
configs works just fine. So I know it is not a password issue.

I've been trying to figure out how that file is created so I can
possibly generate a new one, but no luck so far.

Thanks!
~Stack~






Re: [ovirt-users] oVirt management has lost its SSL.

2017-11-03 Thread ~Stack~
Greetings,

I'm seriously just grasping at straws here. I took a spare hard drive,
tossed it in the management host, and did a fresh install. It did not
like me trying to add it into the existing infrastructure. Tried to dump
the DB from the old to the new, update the passwords, and pretty much
ended up in the same place.

I did check the .trustedkeystore and it has the same 1 key as my
original back up. So that isn't the issue.

Still poking at it. Would love some thoughts/feedback.

Thanks!
~Stack~



On 11/03/2017 09:30 AM, ~Stack~ wrote:
> Greetings,
> 
> Please, I would greatly appreciate some help/feedback. I'm not sure what
> else to do.
> 
> I reverted the .trustedstore to the only backup I have, and there is one
> key in it. That too gets flagged by oVirt as having been tampered with
> (I'm guessing oVirt added something that isn't there any more). The
> password is correct as I can verify it from the oVirt config file on the
> command line.
> 
> I'm out of ideas on fixing this. What happens to my oVirt hypervisors
> and VM's if I rebuild the management engine host from scratch?
> 
> Thanks!
> ~Stack~
> On 11/02/2017 04:18 PM, ~Stack~ wrote:
>> Greetings,
>>
>> OS: Scientific Linux 7.4
>> oVirt: 4.1
>> Everything fully updated.
>>
>> Everything was working great. I received my new network card today to
>> upgrade my ovirt management node (physical node; not self-hosted), took
>> the machine down, swapped the card, and brought it up to many many errors.
>>
>> Here's the basic break-down of my discoveries.
>>
>> 1) My /etc/pki/ovirt-engine/.trustedstore was corrupt. I had lots of
>> messages in my engine.log about it being corrupt. Restored from backup,
>> and oVirt engine was really peeved for not having my domain cert in it
>> (tons of messages in the engine.log file)...figured out how to add my
>> domain cert and it seemed OK. Which led me to...
>>
>> 2) My /etc/pki/ovirt-engine/keys/engine.p12 and
>> /etc/pki/ovirt-engine/keys/apache.p12 are _gone_. Don't have them in my
>> backups either. This results in a massive java dump when I try to start
>> the engine service.
>>
>> 3) I noticed that I had
>> /etc/pki/ovirt-engine/keys/engine.p12.201711021302 which is a time stamp
>> corresponding to when I shut the node down. Then I noticed, that I was
>> missing dang near EVERY file in /etc/pki/ovirt-engine but I had an
>> equivalent file with the ".201711021302" extension. So a touch of bash
>> and I copied all of my "*.201711021302" files with the proper
>> user/group/permissions into their base name. Hooray! No more errors in
>> the log files and all services start!!
>>
>> 4) I open my web browser and head to my management host...and I get this
>> error:
>> Keystore was tampered with, or password was incorrect
>>
>> Well...yeah. I had to fix it in step one. :-/
>>
>> I'm not getting anything useful out of my Internet searching. I don't
>> know what went wrong or why, but my SSL is just borked.
>>
>> Any suggestions? Thoughts? Ideas?
>>
>> Is there a way to just blow away and start over with the SSL _without_
>> destroying the VM's (which fortunately they all seem to still be
>> functional!)?
>>
>> Any help would be greatly appreciated.
>> Thanks!
>> ~Stack~
>>
>>
> 
> 
> 







Re: [ovirt-users] oVirt management has lost its SSL.

2017-11-03 Thread ~Stack~
Greetings,

Please, I would greatly appreciate some help/feedback. I'm not sure what
else to do.

I reverted the .trustedstore to the only backup I have, and there is one
key in it. That too gets flagged by oVirt as having been tampered with
(I'm guessing oVirt added something that isn't there any more). The
password is correct as I can verify it from the oVirt config file on the
command line.

I'm out of ideas on fixing this. What happens to my oVirt hypervisors
and VM's if I rebuild the management engine host from scratch?

Thanks!
~Stack~
On 11/02/2017 04:18 PM, ~Stack~ wrote:
> Greetings,
> 
> OS: Scientific Linux 7.4
> oVirt: 4.1
> Everything fully updated.
> 
> Everything was working great. I received my new network card today to
> upgrade my ovirt management node (physical node; not self-hosted), took
> the machine down, swapped the card, and brought it up to many many errors.
> 
> Here's the basic break-down of my discoveries.
> 
> 1) My /etc/pki/ovirt-engine/.trustedstore was corrupt. I had lots of
> messages in my engine.log about it being corrupt. Restored from backup,
> and oVirt engine was really peeved for not having my domain cert in it
> (tons of messages in the engine.log file)...figured out how to add my
> domain cert and it seemed OK. Which led me to...
> 
> 2) My /etc/pki/ovirt-engine/keys/engine.p12 and
> /etc/pki/ovirt-engine/keys/apache.p12 are _gone_. Don't have them in my
> backups either. This results in a massive java dump when I try to start
> the engine service.
> 
> 3) I noticed that I had
> /etc/pki/ovirt-engine/keys/engine.p12.201711021302 which is a time stamp
> corresponding to when I shut the node down. Then I noticed, that I was
> missing dang near EVERY file in /etc/pki/ovirt-engine but I had an
> equivalent file with the ".201711021302" extension. So a touch of bash
> and I copied all of my "*.201711021302" files with the proper
> user/group/permissions into their base name. Hooray! No more errors in
> the log files and all services start!!
> 
> 4) I open my web browser and head to my management host...and I get this
> error:
> Keystore was tampered with, or password was incorrect
> 
> Well...yeah. I had to fix it in step one. :-/
> 
> I'm not getting anything useful out of my Internet searching. I don't
> know what went wrong or why, but my SSL is just borked.
> 
> Any suggestions? Thoughts? Ideas?
> 
> Is there a way to just blow away and start over with the SSL _without_
> destroying the VM's (which fortunately they all seem to still be
> functional!)?
> 
> Any help would be greatly appreciated.
> Thanks!
> ~Stack~
> 
> 







[ovirt-users] oVirt management has lost its SSL.

2017-11-02 Thread ~Stack~
Greetings,

OS: Scientific Linux 7.4
oVirt: 4.1
Everything fully updated.

Everything was working great. I received my new network card today to
upgrade my ovirt management node (physical node; not self-hosted), took
the machine down, swapped the card, and brought it up to many many errors.

Here's the basic break-down of my discoveries.

1) My /etc/pki/ovirt-engine/.trustedstore was corrupt. I had lots of
messages in my engine.log about it being corrupt. Restored from backup,
and oVirt engine was really peeved for not having my domain cert in it
(tons of messages in the engine.log file)...figured out how to add my
domain cert and it seemed OK. Which led me to...

2) My /etc/pki/ovirt-engine/keys/engine.p12 and
/etc/pki/ovirt-engine/keys/apache.p12 are _gone_. Don't have them in my
backups either. This results in a massive java dump when I try to start
the engine service.

3) I noticed that I had
/etc/pki/ovirt-engine/keys/engine.p12.201711021302 which is a time stamp
corresponding to when I shut the node down. Then I noticed, that I was
missing dang near EVERY file in /etc/pki/ovirt-engine but I had an
equivalent file with the ".201711021302" extension. So a touch of bash
and I copied all of my "*.201711021302" files with the proper
user/group/permissions into their base name. Hooray! No more errors in
the log files and all services start!!

4) I open my web browser and head to my management host...and I get this
error:
Keystore was tampered with, or password was incorrect

Well...yeah. I had to fix it in step one. :-/

I'm not getting anything useful out of my Internet searching. I don't
know what went wrong or why, but my SSL is just borked.

Any suggestions? Thoughts? Ideas?

Is there a way to just blow away and start over with the SSL _without_
destroying the VM's (which fortunately they all seem to still be
functional!)?

Any help would be greatly appreciated.
Thanks!
~Stack~
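
Why the error in step 4 cannot tell a wrong password from a changed file, shown as an added example that is not part of the original posts. It assumes the store is in Java's JKS format, whose load check is a SHA-1 digest over the password, a fixed string and the file body; the function names, sample store and password are constructed here.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into the digest


def _digest(password: str, body: bytes) -> bytes:
    # JKS hashes the password as UTF-16BE code units, then the salt, then the body.
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS store with zero entries."""
    body = struct.pack(">IIi", JKS_MAGIC, 2, 0)
    return body + _digest(password, body)


def check_jks(blob: bytes, password: str) -> str:
    """Check the header and the trailing digest only; entries are not parsed."""
    if len(blob) < 12 + 20:
        return "truncated"
    magic, version, _count = struct.unpack(">IIi", blob[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        return "not-jks"
    body, stored = blob[:-20], blob[-20:]
    if _digest(password, body) != stored:
        # Java reports this single case as
        # "Keystore was tampered with, or password was incorrect".
        return "digest-mismatch"
    return "ok"


def demo() -> dict:
    good = build_empty_jks("mypass")  # constructed password
    flipped = bytearray(good)
    flipped[-1] ^= 0x01  # one changed bit in the stored digest
    return {
        "right password": check_jks(good, "mypass"),
        "wrong password": check_jks(good, "other"),
        "modified file": check_jks(bytes(flipped), "mypass"),
        "cut short": check_jks(good[:20], "mypass"),
        "other format": check_jks(b"\x30\x82" + good[2:], "mypass"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A wrong password and a one-bit change to the file both end in the same digest mismatch, so the message alone does not say which of the two happened.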






[ovirt-users] Ovirt + Cobbler + Koan ?

2017-10-17 Thread ~Stack~
Greetings,

I've spent the last week trying to get Foreman to work (see SSL question
2017-10-11) but no one answers in their IRC or mailing list. So I tried
cobbler instead and I had it working in just a couple of hours! I'm
further along today than a week of foreman's constant problems. Hooray!

Here's where I am at now, if I manually configure a VM in Ovirt I can
provision it from Cobbler. Great!

What I would like to do is to have an easy way from Ovirt say "Grab this
cobbler profile and build me a new VM with this template". In my
searches on line, I haven't found anything like that. It seems the
closest I'm going to get is to use Koan. However, I've not found great
information for using Koan with Ovirt. My attempts so far of installing
Koan on the Ovirt Management host and trying to get it to provision have
all resulted in Koan trying to build a KVM _on_ the management host; not
in Ovirt.

Does anyone have any good documentation for setting up Cobbler
integration into Ovirt? Or at least getting Koan to work with the two?

Thanks!
~Stack~







Re: [ovirt-users] Help with SSL

2017-10-11 Thread ~Stack~
On 10/11/2017 05:51 AM, Martin Perina wrote:
> 
> [snip]
> On Tue, Oct 10, 2017 at 11:48 PM, ~Stack~ <i.am.st...@gmail.com
> are you able to login to oVirt webadmin successfully? If so then oVirt
> side should be fine.
> 
I am able to log into oVirt webmin successfully. Is there a reason to
keep the old cert, or was it OK for me to replace
/etc/pki/ovirt-engine/ca.pem with mine?

> About Foreman, is it installed on the same machine as oVirt?

It is on a separate machine.

> If not
> could you please check, that your custom CA is included either in host
> wide truststore or in specific truststore for Foreman (no idea what
> Foreman is using, better to ask in specific Foreman
> mailing list).

I will check. Thanks Martin!
~Stack~






[ovirt-users] Help with SSL

2017-10-10 Thread ~Stack~
Greetings,

OS: Scientific Linux 7.3
Ovirt: 4.1.6.2-1.el7.centos
Foreman: 1.16.0-RC1

I updated my OVirt SSL cert from a self-signed to a purchased one using
the directions here:
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

Everything seems to work from the web interface.

Then I tried to add in Foreman. That's where I get the error:

Unable to save
ERF56-1309 [Foreman::FingerprintException]: The remote system presented
a public key signed by an unidentified certificate authority. If you are
sure the remote system is authentic, go to the compute resource edit
page, press the 'Test Connection' or 'Load Datacenters' button and submit.

Everything I can find says that it *should* be resolved - From Red Hat,
to Foreman, to even the Ovirt list! Yet there it is!

Well after poking at it for a while, I realized that the cert Foreman
was auto-resolving was still the /OLD/ cert!

Step #2 in those ovirt directions says to break the symbolic link to
/etc/pki/ovirt-engine/ca.pem. But it doesn't say what to do with that
file. So I replaced it with my cert. Restarted ovirt and now Foreman
resolves the correct X509 cert! (I have no idea if that broke something
else.)

But I still get the error in foreman. :-(

I feel like I'm still missing something in the ovirt configs. Something
needs to be updated/replaced in ovirt that isn't in those docs.

Can anyone help me out please? I've been trying for hours and not making
progress.
Thanks!

~Stack~






Re: [ovirt-users] Proper Network Configuration

2017-10-03 Thread ~Stack~
On 10/03/2017 03:08 AM, Luca 'remix_tj' Lorenzetto wrote:
> On Mon, Oct 2, 2017 at 11:49 PM, ~Stack~ <i.am.st...@gmail.com> wrote:
>> Greetings,
>>
>> For various reasons I have multiple networks that I am required to work
>> with. I just want to ensure that I've understood the documentation for
>> setting up Ovirt correctly.
>>
>> - First is my BMC/ilo network. The security team wants as few entry
>> points into this as possible and wants as much segregation as possible.
>>
>> - Second is my "management" access network. For my other machines on
>> this network this means admin-SSH/rsyslog/SaltStack configuration
>> management/etc.
>>
>> - Third is my high speed network where my NFS storage sits and
>> applications that need the bandwidth do their thing.
>>
>> - Fourth is my "public" access.
>>
>> My Engine host has the "management" and "public" networks.
>> My Hypervisor hosts have the "BMC/ilo", "management", and "storage"
>> networks.
>>
>> Is there a reason why I should add "public" on the hypervisors?
> 
> 
> No, you should only plug the network to oVirt but not configure any ip
> on the hypervisors.
> 
>>
>> Is there a reason why I may need "BMC/ilo" or "storage" on the Engine host?
> 
> No, you don't need. I've only management on engine host. The
> hypervisors, instead have an ip on management and storage network, and
> no ip on the other networks. For bmc traffic we use routed access
> through a firewall that is dividing bmc network from the rest of the
> world.
> 
> Luca

Thanks for the information, Luca!
I appreciate it.








[ovirt-users] Proper Network Configuration

2017-10-02 Thread ~Stack~
Greetings,

For various reasons I have multiple networks that I am required to work
with. I just want to ensure that I've understood the documentation for
setting up Ovirt correctly.

- First is my BMC/ilo network. The security team wants as few entry
points into this as possible and wants as much segregation as possible.

- Second is my "management" access network. For my other machines on
this network this means admin-SSH/rsyslog/SaltStack configuration
management/etc.

- Third is my high speed network where my NFS storage sits and
applications that need the bandwidth do their thing.

- Fourth is my "public" access.

My Engine host has the "management" and "public" networks.
My Hypervisor hosts have the "BMC/ilo", "management", and "storage"
networks.

Is there a reason why I should add "public" on the hypervisors?

Is there a reason why I may need "BMC/ilo" or "storage" on the Engine host?

Thanks!
~Stack~





Re: [ovirt-users] Help with Power Management network

2017-10-02 Thread ~Stack~
On 09/29/2017 05:31 PM, Dan Yasny wrote:
> You need more than one host for power management

Thanks for the help on this. Added a second host and had IPMI working in
minutes.

~Stack~





Re: [ovirt-users] Help with Power Management network

2017-09-30 Thread ~Stack~
On 09/30/2017 06:51 AM, Dan Yasny wrote:
> The power management command is sent by the engine via a proxy host.
> That means you need at least one more host to act as proxy. The engine
> itself doesn't need to access the bmc network directly. Just like the
> engine needs no access to the storage network to perform storage
> manipulations. 
> 
> I think in some recent versions fencing by the engine was introduced,
> but I don't have a setup in front of me to verify.

Ah, good to know. Thank you for clarifying!
~Stack~






Re: [ovirt-users] Help with Power Management network

2017-09-29 Thread ~Stack~
On 09/29/2017 05:31 PM, Dan Yasny wrote:
> You need more than one host for power management
> 

Seriously?? I didn't see anything like that in the docs...Maybe I just
missed it.

Also, why wouldn't it still validate? It should still be able to talk to
the interface over the BMC/IPMI network. The fact that I can run the
equivalent test on the command line makes it seem like it should at
least be able to check via the test. Obviously, it would be silly for it
to try to manage itself, but it could at least verify that the
configuration is valid, right?

I have more hosts that I'm going to add, I was just hoping to do those
via the Foreman integration instead of manually building them. Since I'm
not quite ready for that, I will just build a second host on Monday and
report back.

Thanks for the feedback. I would have never guessed that as a possibility. :-)

~Stack~





[ovirt-users] Help with Power Management network

2017-09-29 Thread ~Stack~
Greetings,

I hit up the IRC earlier, but only crickets. Guess no one wants to stick
around late on a Friday night. :-D

I'm an ovirt newb here. I've been going through the docs setting up 4.1
on Scientific Linux 7.4. For the most part everything is going well once
I learn how to do it. I'm, however, stuck on power management.

I have multiple networks:
192.168.1.x is my BMC/ilo network. The security team wants as few entry
points into this as possible and wants as much segregation as possible.

192.168.2.x is my "management" access network. For my other machines on
this network this means admin-SSH/rsyslog/SaltStack configuration
management/etc.

192.168.3.x is my high speed network where my NFS storage sits and
applications that need the bandwidth do their thing.

10.10.86.x is my "public" access

All networks are configured on the Host network settings. Mostly
confident I got it right...at least each network/IP matches the right
interface. ;-)

Right now I only have the engine server and one hyper-visor. On either
host I can ssh into the command line and run "fence_ipmilan -a
192.168.1.x -l USER -p PASS -o status -v -P" it works, all is good.
However, when I try to add it in the ovirt interface I get an error. :-/

Edit Host -> Power Management:
Address: 192.168.1.14
User Name: root
Password: SorryCantTellYou
Type: ipmilan
Options: 

Test

Test failed: Failed to run fence status-check on host '192.168.2.14'. No
other host was available to serve as proxy for the operation.

Yes, same host because I only have one right now. :-)

Any help or guidance would be much appreciated. In the meantime I'm
going back to the docs to poke at a few other things I need to figure
out. :-)

Thanks!
~Stack~


