Re: [Users] engine-iso-uploader problem
If you just want to make quick progress, you can copy your iso file to your images directory. You will want to put the .iso file (it must have a .iso extension) in the correct directory. e.g. cp my.iso /export/iso-images//images/---- The actual directory names will vary. If you just copy it, the ovirt-engine will find it in a few seconds/minutes and update itself. Brian On Tue, Oct 30, 2012 at 12:20:54PM -0400, Keith Robertson wrote: > Can you re-run with -v (verbose) and send me the output? > On 10/30/2012 12:00 PM, Dennis B?ck wrote: > > Thanks for the instructions how to build. I did it and installed the > rpm. > > Now I get a new error message: > > > [root@vdihost1 RPMS]# engine-iso-uploader upload -i local-iso-share > /run/media/dennis/4F0B-18DE/ovirt/Fedora-17-x86_64-Live-Desktop.iso > Please provide the REST API username for oVirt Engine (CTRL+D to > abort): admin > Please provide the REST API password for the admin oVirt Engine user > (CTRL+D to abort): > ERROR: Unable to connect to REST API. Reason: Unauthorized > ERROR: 'NoneType' object is not iterable > INFO: Use the -h option to see usage. > > > I am sure, that I used the same password as I used for the > webinterface. > > Any ideas? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] can't add hosts due to version compatibility with latest nightly
Ugh. Nevermind. Something bogus was going on in Firefox. When I restarted it, those drop down fields started showing up. Brian On Oct 29, 2012, at 11:27 AM, Brian Vetter wrote: > While there was a compatibility version field/selector provided in the "new > data center" dialog, it is empty - there is nothing to select. Apparently, > the default value is 3.2. > > Brian > > On Oct 29, 2012, at 10:04 AM, Eli Mesika wrote: > >> >> >> - Original Message - >>> From: "Brian Vetter" >>> To: users@ovirt.org >>> Sent: Sunday, October 28, 2012 11:17:11 PM >>> Subject: [Users] can't add hosts due to version compatibility with latest >>> nightly >>> >>> >>> >>> I decided to start over and reinstall with the latest nightly build. >>> When trying to get the system setup, I get the following error when >>> trying to add a host. >>> >>> >>> >>> >>> Host mech is compatible with versions (3.0,3.1) and cannot join >>> Cluster DCCluster which is set to version 3.2 >>> >>> I saw no way to create a cluster for any other version (it only >>> provides a 3.2 choice in the drop down). >> >> The reason is probably that you had created a 3.2 Data Center. >> If you will create a 3.1 Data Center , you should have the cluster as 3.1 as >> well >> >>> >>> >>> I noticed that the vdsm rpms in the nightly repository were at >>> version 4.10.1-0.79 as opposed to the 4.10.0 version I saw on the >>> system after adding the host. On a lark, I logged into that system >>> and tried installing/upgrading the vdsm version manually using the >>> nightly build. When I tried this, I got an error saying that it >>> required libvirt >= 0.10.1-1. To get around that, I had to download >>> all of the libvirt rpms for 0.10.1-1 (not in yum) and installed >>> them, and then upgraded vdsm. >>> >>> >>> I did seem to run into one issue - the system did not reboot on its >>> own (ovirt had it in "reboot" mode). I had to log into the system to >>> reboot it manually to get it to move to the next state and activate. >>> >>> >>> So I have a few questions. Is the ovirt-engine supposed to push a >>> matching vdsm version (one that supports 3.2) to the host when it is >>> added? If so, it doesn't appear to do that and instead it pushes an >>> older one that was only 3.1 "compatible". >>> >>> >>> And if it should have pushed a newer version (possibly matching the >>> nightly vdsm build), it seems like there is a push to use a newer >>> version of libvirt. I would presume that is coming in FC18. So are >>> the current nightly builds expected to only run on a FC18 beta type >>> release (which is supposedly coming soon)? >>> >>> >>> Brian >>> >>> >>> ___ >>> Users mailing list >>> Users@ovirt.org >>> http://lists.ovirt.org/mailman/listinfo/users >>> > ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] can't add hosts due to version compatibility with latest nightly
While there was a compatibility version field/selector provided in the "new data center" dialog, it is empty - there is nothing to select. Apparently, the default value is 3.2. Brian On Oct 29, 2012, at 10:04 AM, Eli Mesika wrote: > > > - Original Message ----- >> From: "Brian Vetter" >> To: users@ovirt.org >> Sent: Sunday, October 28, 2012 11:17:11 PM >> Subject: [Users] can't add hosts due to version compatibility with latest >> nightly >> >> >> >> I decided to start over and reinstall with the latest nightly build. >> When trying to get the system setup, I get the following error when >> trying to add a host. >> >> >> >> >> Host mech is compatible with versions (3.0,3.1) and cannot join >> Cluster DCCluster which is set to version 3.2 >> >> I saw no way to create a cluster for any other version (it only >> provides a 3.2 choice in the drop down). > > The reason is probably that you had created a 3.2 Data Center. > If you will create a 3.1 Data Center , you should have the cluster as 3.1 as > well > >> >> >> I noticed that the vdsm rpms in the nightly repository were at >> version 4.10.1-0.79 as opposed to the 4.10.0 version I saw on the >> system after adding the host. On a lark, I logged into that system >> and tried installing/upgrading the vdsm version manually using the >> nightly build. When I tried this, I got an error saying that it >> required libvirt >= 0.10.1-1. To get around that, I had to download >> all of the libvirt rpms for 0.10.1-1 (not in yum) and installed >> them, and then upgraded vdsm. >> >> >> I did seem to run into one issue - the system did not reboot on its >> own (ovirt had it in "reboot" mode). I had to log into the system to >> reboot it manually to get it to move to the next state and activate. >> >> >> So I have a few questions. Is the ovirt-engine supposed to push a >> matching vdsm version (one that supports 3.2) to the host when it is >> added? If so, it doesn't appear to do that and instead it pushes an >> older one that was only 3.1 "compatible". >> >> >> And if it should have pushed a newer version (possibly matching the >> nightly vdsm build), it seems like there is a push to use a newer >> version of libvirt. I would presume that is coming in FC18. So are >> the current nightly builds expected to only run on a FC18 beta type >> release (which is supposedly coming soon)? >> >> >> Brian >> >> >> ___ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] can't add hosts due to version compatibility with latest nightly
I decided to start over and reinstall with the latest nightly build. When trying to get the system setup, I get the following error when trying to add a host. Host mech is compatible with versions (3.0,3.1) and cannot join Cluster DCCluster which is set to version 3.2 I saw no way to create a cluster for any other version (it only provides a 3.2 choice in the drop down). I noticed that the vdsm rpms in the nightly repository were at version 4.10.1-0.79 as opposed to the 4.10.0 version I saw on the system after adding the host. On a lark, I logged into that system and tried installing/upgrading the vdsm version manually using the nightly build. When I tried this, I got an error saying that it required libvirt >= 0.10.1-1. To get around that, I had to download all of the libvirt rpms for 0.10.1-1 (not in yum) and installed them, and then upgraded vdsm. I did seem to run into one issue - the system did not reboot on its own (ovirt had it in "reboot" mode). I had to log into the system to reboot it manually to get it to move to the next state and activate. So I have a few questions. Is the ovirt-engine supposed to push a matching vdsm version (one that supports 3.2) to the host when it is added? If so, it doesn't appear to do that and instead it pushes an older one that was only 3.1 "compatible". And if it should have pushed a newer version (possibly matching the nightly vdsm build), it seems like there is a push to use a newer version of libvirt. I would presume that is coming in FC18. So are the current nightly builds expected to only run on a FC18 beta type release (which is supposedly coming soon)? Brian ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] SELinux policy issue with oVirt/sanlock
I removed lock_manager=sanlock from the settings file, restarted the daemons, and all works fine right now. I'm guessing that means there is no locking of the VMs (the default?). In any case, the setting of the lock_manager to sanlock was not done by myself but presumably via the host/vdsm installation on my fc17 host. So if that is the desired setting, then there appears to be an issue with selinux policies, nfs storage for VMs, and sanlock that still needs to be resolved in the nightly builds. Brian On Oct 24, 2012, at 9:51 AM, Haim Ateya wrote: > - Original Message - >> From: "Brian Vetter" >> To: "Haim Ateya" >> Cc: users@ovirt.org, seli...@lists.fedoraproject.org >> Sent: Wednesday, October 24, 2012 4:11:17 PM >> Subject: Re: [Users] SELinux policy issue with oVirt/sanlock >> >> Here you go >> >> # getsebool -a | grep sanlock >> sanlock_use_fusefs --> off >> sanlock_use_nfs --> on >> sanlock_use_samba --> off >> virt_use_sanlock --> on >> >> >> # grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf >> dynamic_ownership=0 >> spice_tls=1 >> spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice" >> lock_manager="sanlock" > > this entry looks problematic to me (use sanlock as lock manager of the vms), > please comment this entry, restart libvirt and vdsm, and try again. > >> >> On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote: >> >>> Hi Brian, >>> >>> please run the following commands and paste your output: >>> >>> getsetbool -a | grep sanlock >>> >>> cat /etc/libvirt/qemu.conf >>> >>> >>> - Original Message - >>>> From: "Brian Vetter" >>>> To: seli...@lists.fedoraproject.org >>>> Cc: users@ovirt.org >>>> Sent: Wednesday, October 24, 2012 6:34:07 AM >>>> Subject: [Users] SELinux policy issue with oVirt/sanlock >>>> >>>> I get the following AVC msg when trying to run a VM from the ovirt >>>> admin tool: >>>> >>>> type=AVC msg=audit(1351051834.851:720): avc: denied { read } for >>>> pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f" >>>> dev="dm-4" ino=3145737 >>>> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 >>>> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file >>>> >>>> The file it is attempting to read I believe (from the sanlock.log >>>> file) is the following: >>>> >>>> # ls -lZ >>>> /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease >>>> -rw-rw. vdsm kvm system_u:object_r:nfs_t:s0 >>>> >>>> /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease >>>> >>>> I'm no SELinux policy expert, so I 'm not sure what is exactly >>>> wrong. >>>> The situation is that the VM image file is stored on an NFS file >>>> server (in this case, configured using NFSv3). Both the client and >>>> the server are fc17. The error occurs when trying to start the VM. >>>> The version of oVirt I am using is a recent nightly build >>>> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be >>>> making >>>> a wild guess that the sanlock process doesn't have rights to open >>>> some nfs resources but I'm way over the end of my skis. >>>> >>>> Brian >>>> >>>> ___ >>>> Users mailing list >>>> Users@ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >> >> ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] SELinux policy issue with oVirt/sanlock
Here you go # getsebool -a | grep sanlock sanlock_use_fusefs --> off sanlock_use_nfs --> on sanlock_use_samba --> off virt_use_sanlock --> on # grep -v -e "^#" -e "^$" /etc/libvirt/qemu.conf dynamic_ownership=0 spice_tls=1 spice_tls_x509_cert_dir="/etc/pki/vdsm/libvirt-spice" lock_manager="sanlock" On Oct 24, 2012, at 1:07 AM, Haim Ateya wrote: > Hi Brian, > > please run the following commands and paste your output: > > getsetbool -a | grep sanlock > > cat /etc/libvirt/qemu.conf > > > - Original Message - >> From: "Brian Vetter" >> To: seli...@lists.fedoraproject.org >> Cc: users@ovirt.org >> Sent: Wednesday, October 24, 2012 6:34:07 AM >> Subject: [Users] SELinux policy issue with oVirt/sanlock >> >> I get the following AVC msg when trying to run a VM from the ovirt >> admin tool: >> >> type=AVC msg=audit(1351051834.851:720): avc: denied { read } for >> pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f" >> dev="dm-4" ino=3145737 >> scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file >> >> The file it is attempting to read I believe (from the sanlock.log >> file) is the following: >> >> # ls -lZ >> /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease >> -rw-rw. vdsm kvm system_u:object_r:nfs_t:s0 >> >> /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease >> >> I'm no SELinux policy expert, so I 'm not sure what is exactly wrong. >> The situation is that the VM image file is stored on an NFS file >> server (in this case, configured using NFSv3). Both the client and >> the server are fc17. The error occurs when trying to start the VM. >> The version of oVirt I am using is a recent nightly build >> (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be making >> a wild guess that the sanlock process doesn't have rights to open >> some nfs resources but I'm way over the end of my skis. >> >> Brian >> >> ___ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] SELinux policy issue with oVirt/sanlock
I get the following AVC msg when trying to run a VM from the ovirt admin tool: type=AVC msg=audit(1351051834.851:720): avc: denied { read } for pid=979 comm="sanlock" name="8798edc0-dbd2-466d-8be9-1997f63e196f" dev="dm-4" ino=3145737 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file The file it is attempting to read I believe (from the sanlock.log file) is the following: # ls -lZ /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease -rw-rw. vdsm kvm system_u:object_r:nfs_t:s0 /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease I'm no SELinux policy expert, so I 'm not sure what is exactly wrong. The situation is that the VM image file is stored on an NFS file server (in this case, configured using NFSv3). Both the client and the server are fc17. The error occurs when trying to start the VM. The version of oVirt I am using is a recent nightly build (ovirt-engine -> 3.1.0-3.1345126685.git7649eed.fc17). I'd be making a wild guess that the sanlock process doesn't have rights to open some nfs resources but I'm way over the end of my skis. Brian ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Error creating the first storage domain (NFS)
Ugh. Spoke a little too soon. While I got past my problem creating a storage domain, I ran into a new sanlock issue. When trying to run a VM (the first one so I can create a template), I get an error in the admin UI: VM DCC4.0 is down. Exit message: Failed to acquire lock: Permission denied. The sanlock.log file shows the following: 2012-10-23 22:32:02-0500 22023 [981]: s3:r3 resource 8798edc0-dbd2-466d-8be9-1997f63e196f:71252c8f-68a9-495f-b5a6-4e8e035b56ea:/rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease:0 for 2,11,14629 2012-10-23 22:32:02-0500 22023 [981]: open error -13 /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease 2012-10-23 22:32:02-0500 22023 [981]: r3 acquire_token open error -13 2012-10-23 22:32:02-0500 22023 [981]: r3 cmd_acquire 2,11,14629 acquire_token -13 I looked at the lease file referenced above, and it is there. [root@mech ~]# ls -l /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease -rw-rw. 1 vdsm kvm 1048576 Oct 23 22:30 /rhev/data-center/a8ea368c-bc08-4e10-81e7-c8439bf7bd35/8798edc0-dbd2-466d-8be9-1997f63e196f/images/b029b5a6-9eb3-4a34-ad03-1ac4386e8c7c/71252c8f-68a9-495f-b5a6-4e8e035b56ea.lease On a lark, I turned off selinux enforcement and tried it again. It worked just fine. So what selinux option do I need to enable to get it to work? The only other sanlock specific settings I saw are: sanlock_use_fusefs --> off sanlock_use_nfs --> on sanlock_use_samba --> off Do I turn these all on or is there some other setting I need to enable? Brian On Oct 23, 2012, at 9:54 PM, Brian Vetter wrote: > That was the problem. I checked the sanlock_use_nfs boolean and it was off. I > set it and then created and attached the storage and it all works. > > Thanks for the help/pointer. > > Brian > > On Oct 23, 2012, at 8:55 PM, Federico Simoncelli wrote: > >> Hi Brian, >> I hate progressing by guesses but could you try to disable selinux: >> >> # setenforce 0 >> >> If that works you could go on, re-enable it and try something more >> specific: >> >> # setenforce 1 >> # setsebool sanlock_use_nfs on >> >> I have the feeling that the vdsm patch setting the sanlock_use_nfs >> sebool flag didn't made it to fedora 17 yet. >> -- >> Federico >> >> - Original Message - >>> From: "Brian Vetter" >>> To: "Federico Simoncelli" >>> Cc: "Vered Volansky" , users@ovirt.org, "David Teigland" >>> >>> Sent: Tuesday, October 23, 2012 6:10:36 PM >>> Subject: Re: [Users] Error creating the first storage domain (NFS) >>> >>> Ok. Here's four log files: >>> >>> engine.log from my ovirt engine server. >>> vdsm.log from my host >>> sanlock.log from my host >>> messages from my host >>> >>> The errors occur around the 20:17:57 time frame. You might see other >>> errors from either previous attempts or for the time after when I >>> tried to attach the storage domain. It looks like everything starts >>> with an error -13 in sanlock. If the -13 maps to 13/EPERM in >>> errno.h, then it is likely be some kind of permission or other >>> access error. I saw things that were related to the nfs directories >>> not being owned by vdsm:kvm, but that is not the case here. >>> >>> I did see a note online about some issues with sanlock and F17 (which >>> I am running), but those bugs were related to sanlock crashing. >>> >>> Brian > ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Error creating the first storage domain (NFS)
That was the problem. I checked the sanlock_use_nfs boolean and it was off. I set it and then created and attached the storage and it all works. Thanks for the help/pointer. Brian On Oct 23, 2012, at 8:55 PM, Federico Simoncelli wrote: > Hi Brian, > I hate progressing by guesses but could you try to disable selinux: > > # setenforce 0 > > If that works you could go on, re-enable it and try something more > specific: > > # setenforce 1 > # setsebool sanlock_use_nfs on > > I have the feeling that the vdsm patch setting the sanlock_use_nfs > sebool flag didn't made it to fedora 17 yet. > -- > Federico > > - Original Message - >> From: "Brian Vetter" >> To: "Federico Simoncelli" >> Cc: "Vered Volansky" , users@ovirt.org, "David Teigland" >> >> Sent: Tuesday, October 23, 2012 6:10:36 PM >> Subject: Re: [Users] Error creating the first storage domain (NFS) >> >> Ok. Here's four log files: >> >> engine.log from my ovirt engine server. >> vdsm.log from my host >> sanlock.log from my host >> messages from my host >> >> The errors occur around the 20:17:57 time frame. You might see other >> errors from either previous attempts or for the time after when I >> tried to attach the storage domain. It looks like everything starts >> with an error -13 in sanlock. If the -13 maps to 13/EPERM in >> errno.h, then it is likely be some kind of permission or other >> access error. I saw things that were related to the nfs directories >> not being owned by vdsm:kvm, but that is not the case here. >> >> I did see a note online about some issues with sanlock and F17 (which >> I am running), but those bugs were related to sanlock crashing. >> >> Brian ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Error creating the first storage domain (NFS)
I reinstalled my system and ran the setup again. This time I configured both my host and the ovirt-engine systems to use nfs3 (it was using nfs4 by default). After getting all of the iptables straightened out (nfs3 apparently ignores the port settings in /etc/sysconfig/nfs and instead looks at /etc/services), I was able to do mounts between the two systems. When I attempt to add the storage domain, I am getting the same error as before (from sanlock.log): 2012-10-23 18:45:16-0500 8418 [979]: s1 lockspace 42c7d146-86e1-403f-97de-1da0dcbf95ec:250:/rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage/42c7d146-86e1-403f-97de-1da0dcbf95ec/dom_md/ids:0 2012-10-23 18:45:16-0500 8418 [4285]: open error -13 /rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage/42c7d146-86e1-403f-97de-1da0dcbf95ec/dom_md/ids 2012-10-23 18:45:16-0500 8418 [4285]: s1 open_disk /rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage/42c7d146-86e1-403f-97de-1da0dcbf95ec/dom_md/ids error -13 It all goes downhill from there. So it doesn't appear to be nfs4 vs nfsv3 related. I can send more logs, but they are pretty much the same as what I sent before. Also, if it wasn't clear from before, I'm running the ovirt-engine on a full fedora 17 system and I am running the host on a minimal fc17 system with the kernel at version 3.3.4-5.fc17 (to avoid the prior nfs hanging issues). Brian On Oct 23, 2012, at 4:38 AM, Vered Volansky wrote: > Hi Brian, > > We'll need your engine & host (full) logs at the very least to look into the > problem. > Can you try it with nfs3 and tell us if it works? > > Note, more comments in the email body. > > Regards, > Vered > > - Original Message - >> From: "Brian Vetter" >> To: users@ovirt.org >> Sent: Tuesday, October 23, 2012 5:06:06 AM >> Subject: [Users] Error creating the first storage domain (NFS) >> >> >> I have reinstalled my ovirt installation using the nightly builds so >> that I can try out non-admin REST API access to ovirt. After >> installing the engine, connecting to my directory system, creating a >> domain, and adding a host (all successfully), I tried to add my >> first storage domain (NFS). >> >> >> While creating the storage domain, I get an error at the end along >> with a couple of events that say: >> >> >> >> >> "Failed to attach Storage Domains to Data Center DCC. (User: >> admin@internal)" >> >> >> followed by: >> >> >> >> >> "Failed to attach Storage Domain DCVMStorage to Data Center DCC. >> (User: admin@internal)" >> >> >> I see the following in the engine.log file: >> >> >> >> >> >> 2012-10-22 20:17:57,617 WARN >> [org.ovirt.engine.core.vdsbroker.vdsbroker.BrokerCommandBase] >> (ajp--127.0.0.1-8009-7) [7d1ffd97] Weird return value: Class Name: >> org.ovirt.engine.core.vdsbroker.vdsbroker.StatusForXmlRpc >> >> mCode 661 >> >> mMessage Cannot acquire host id: >> ('b97019e9-bd43-46d8-afd0-421d6768271b', SanlockException(19, >> 'Sanlock lockspace add failure', 'No such device')) >> >> >> >> >> 2012-10-22 20:17:57,619 WARN >> [org.ovirt.engine.core.vdsbroker.vdsbroker.BrokerCommandBase] >> (ajp--127.0.0.1-8009-7) [7d1ffd97] Weird return value: Class Name: >> org.ovirt.engine.core.vdsbroker.vdsbroker.StatusForXmlRpc >> >> mCode 661 >> >> mMessage Cannot acquire host id: >> ('b97019e9-bd43-46d8-afd0-421d6768271b', SanlockException(19, >> 'Sanlock lockspace add failure', 'No such device')) >> >> >> >> >> 2012-10-22 20:17:57,620 ERROR >> [org.ovirt.engine.core.vdsbroker.vdsbroker.BrokerCommandBase] >> (ajp--127.0.0.1-8009-7) [7d1ffd97] Failed in CreateStoragePoolVDS >> method >> >> 2012-10-22 20:17:57,620 ERROR >> [org.ovirt.engine.core.vdsbroker.vdsbroker.BrokerCommandBase] >> (ajp--127.0.0.1-8009-7) [7d1ffd97] Error code unexpected and error >> message VDSGenericException: VDSErrorException: Failed to >> CreateStoragePoolVDS, error = Cannot acquire host id: >> ('b97019e9-bd43-46d8-afd0-421d6768271b', SanlockException(19, >> 'Sanlock lockspace add failure', 'No such device')) >> >> >> On the host where it tried to install from, I see the following in >> the vdsm.log: >> >> >> >> >> >> Thread-243::INFO::2012-10-22 >> 20:17:56,624::safelease::156::SANLock::(acquireHostId) Acquiring >> host id for domain
[Users] Error creating the first storage domain (NFS)
I have reinstalled my ovirt installation using the nightly builds so that I can try out non-admin REST API access to ovirt. After installing the engine, connecting to my directory system, creating a domain, and adding a host (all successfully), I tried to add my first storage domain (NFS). While creating the storage domain, I get an error at the end along with a couple of events that say: "Failed to attach Storage Domains to Data Center DCC. (User: admin@internal)" followed by: "Failed to attach Storage Domain DCVMStorage to Data Center DCC. (User: admin@internal)" I see the following in the engine.log file: 2012-10-22 20:17:57,617 WARN [org.ovirt.engine.core.vdsbroker.vdsbroker.BrokerCommandBase] (ajp--127.0.0.1-8009-7) [7d1ffd97] Weird return value: Class Name: org.ovirt.engine.core.vdsbroker.vdsbroker.StatusForXmlRpc mCode 661 mMessage Cannot acquire host id: ('b97019e9-bd43-46d8-afd0-421d6768271b', SanlockException(19, 'Sanlock lockspace add failure', 'No such device')) 2012-10-22 20:17:57,619 WARN [org.ovirt.engine.core.vdsbroker.vdsbroker.BrokerCommandBase] (ajp--127.0.0.1-8009-7) [7d1ffd97] Weird return value: Class Name: org.ovirt.engine.core.vdsbroker.vdsbroker.StatusForXmlRpc mCode 661 mMessage Cannot acquire host id: ('b97019e9-bd43-46d8-afd0-421d6768271b', SanlockException(19, 'Sanlock lockspace add failure', 'No such device')) 2012-10-22 20:17:57,620 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.BrokerCommandBase] (ajp--127.0.0.1-8009-7) [7d1ffd97] Failed in CreateStoragePoolVDS method 2012-10-22 20:17:57,620 ERROR [org.ovirt.engine.core.vdsbroker.vdsbroker.BrokerCommandBase] (ajp--127.0.0.1-8009-7) [7d1ffd97] Error code unexpected and error message VDSGenericException: VDSErrorException: Failed to CreateStoragePoolVDS, error = Cannot acquire host id: ('b97019e9-bd43-46d8-afd0-421d6768271b', SanlockException(19, 'Sanlock lockspace add failure', 'No such device')) On the host where it tried to install from, I see the following in the vdsm.log: Thread-243::INFO::2012-10-22 20:17:56,624::safelease::156::SANLock::(acquireHostId) Acquiring host id for domain b97019e9-bd43-46d8-afd0-421d6768271b (id: 250) Thread-243::ERROR::2012-10-22 20:17:57,628::task::853::TaskManager.Task::(_setError) Task=`1ead54dc-407c-4d0b-96f4-8dc56c74d4cf`::Unexpected error Traceback (most recent call last): File "/usr/share/vdsm/storage/task.py", line 861, in _run return fn(*args, **kargs) File "/usr/share/vdsm/logUtils.py", line 38, in wrapper res = f(*args, **kwargs) File "/usr/share/vdsm/storage/hsm.py", line 790, in createStoragePool return sp.StoragePool(spUUID, self.taskMng).create(poolName, masterDom, domList, masterV ersion, safeLease) File "/usr/share/vdsm/storage/sp.py", line 567, in create self._acquireTemporaryClusterLock(msdUUID, safeLease) File "/usr/share/vdsm/storage/sp.py", line 508, in _acquireTemporaryClusterLock msd.acquireHostId(self.id) File "/usr/share/vdsm/storage/sd.py", line 407, in acquireHostId self._clusterLock.acquireHostId(hostId) File "/usr/share/vdsm/storage/safelease.py", line 162, in acquireHostId raise se.AcquireHostIdFailure(self._sdUUID, e) AcquireHostIdFailure: Cannot acquire host id: ('b97019e9-bd43-46d8-afd0-421d6768271b', SanlockException(19, 'Sanlock lockspace add failure', 'No such device')) After I get this error, I logged into the host and see that the nfs mount is present: eos.dcc.mobi:/home/vmstorage on /rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage type nfs4 (rw,relatime,vers=4,rsize=1048576,wsize=1048576,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=10.1.1.12,minorversion=0,local_lock=none,addr=10.1.1.11) And when I look at the directory, I see the following: [root@mech ~]# ls -laR /rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage /rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage: total 12 drwxr-xr-x. 3 vdsm kvm 4096 Oct 22 20:17 . drwxr-xr-x. 6 vdsm kvm 4096 Oct 22 20:17 .. drwxr-xr-x. 4 vdsm kvm 4096 Oct 22 20:17 b97019e9-bd43-46d8-afd0-421d6768271b /rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage/b97019e9-bd43-46d8-afd0-421d6768271b: total 16 drwxr-xr-x. 4 vdsm kvm 4096 Oct 22 20:17 . drwxr-xr-x. 3 vdsm kvm 4096 Oct 22 20:17 .. drwxr-xr-x. 2 vdsm kvm 4096 Oct 22 20:17 dom_md drwxr-xr-x. 2 vdsm kvm 4096 Oct 22 20:17 images /rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage/b97019e9-bd43-46d8-afd0-421d6768271b/dom_md: total 2060 drwxr-xr-x. 2 vdsm kvm4096 Oct 22 20:17 . drwxr-xr-x. 4 vdsm kvm4096 Oct 22 20:17 .. -rw-rw. 1 vdsm kvm 1048576 Oct 22 20:17 ids -rw-rw. 1 vdsm kvm 0 Oct 22 20:17 inbox -rw-rw. 1 vdsm kvm 1048576 Oct 22 20:17 leases -rw-r--r--. 1 vdsm kvm 308 Oct 22 20:17 metadata -rw-rw. 1 vdsm kvm 0 Oct 22 20:17 outbox /rhev/data-center/mnt/eos.dcc.mobi:_home_vmstorage/b97019e9-bd43-46d8-afd0-4
Re: [Users] Nightly Builds, was Authentication for REST APIs?
I found instructions on the wiki for using nightly builds at: http://wiki.ovirt.org/wiki/Installing_ovirt-engine_from_rpm The instructions didn't work. In particular, the ovirt-engine.repo file was not found at the provided url. http://www.ovirt.org/releases/nightly/fedora/16/ovirt-engine.repo I did find an ovirt-engine.repo file at: http://www.ovirt.org/releases/nightly/rpm/Fedora/17/ovirt-engine.repo The contents of that repo file point it back to the releases/3.1/rpm/Fedora/17 directory. I'm presuming that if I change the baseurl to releases/nightly/rpm/... it will all work (which I'll be doing this afternoon). In any case, someone might want to fix the ovirt-engine.repo file in the nightly tree and then update the urls in the wiki. Brian On Oct 3, 2012, at 1:13 PM, Itamar Heim wrote: >> If the user level api isn't in 3.1, then I presume it would be in the >> nightly builds. Are there instructions for pulling the nightly builds >> and/or upgrading them. I saw the build instructions, but was hoping to >> save some time while evaluating things. >> >> Brian >> > > true, nightly builds should have them. > ofer - any wiki on how best to use the nightly builds? > ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] oVirt-engine and UserPortal "cluster"
I've been scouring through the install notes and the architecture documents but didn't find my answer. Is there a way to "cluster" or replicate the userportal app or is it strictly a single instance? Any thoughts to the scale of a large VDI system with 10,000 desktops and their VMs and how that impacts the ovirt-engine and the user-portal app? I figure it has been discussed, but using the word cluster in a google search of the wiki results in a lot of hits, none of them that I saw that are to do with clustering the server, just the virtual machine nodes. Brian ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Authentication for REST APIs?
On Oct 3, 2012, at 12:55 AM, Itamar Heim wrote: >> snip ... >> >> So based upon what I see in this log file, it would seem that the >> connect API wants to make sure that I am an admin and not a regular user. >> >> Which gets me back to my original question: Do the REST API and the >> ovirt-shell require admin privileges or is there a separate uri >> namespace for regular users to make requests? Or perhaps more direct, >> should https://$ovirt-server/api/vms be accessible to non-admins or is >> there a different url a non-admin should use? >> >> Brian >> > > which version of the sdk are you using? > michael - maybe user level api made it into upstream post ovirt 3.1 feature > freeze (brian, in that case, it will be in ovirt 3.2, slated for freeze in > novemeber/release in december) > oVirt Engine version is 3.1.0-2.fc17 oVirt API/shell/tool version from yum is 3.1.0.6-1.fc17 Results from 'info' command in ovirt-shell: [oVirt shell (connected)]# info backend version: 3.1 sdk version: 3.1.0.4 cli version: 3.1.0.6 python version : 2.7.3.final.0 If the user level api isn't in 3.1, then I presume it would be in the nightly builds. Are there instructions for pulling the nightly builds and/or upgrading them. I saw the build instructions, but was hoping to save some time while evaluating things. Brian ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Authentication for REST APIs?
The "error: 'str' object has no attribute 'product_info'" was a red herring (mistyped url). The 401 errors for non-admins though is still quite real. Detailed response inside ... On Oct 2, 2012, at 1:48 PM, Michael Pasternak wrote: > Hi Brian, > > On 10/02/2012 05:52 PM, Brian Vetter wrote: >> I also tried a simple connect to the home of the ovirt server in the >> ovirt-shell: >> >>[oVirt shell (disconnected)]# connect https://ovirtserver >> >>error: 'str' object has no attribute 'product_info' > > this could happen if you trying connect to SSL site via HTTP protocol, > btw what sdk/cli version you're using [1]? latest sdk/cli protects against > this. > > [1] run 'info' command in cli As this turned out, the problem was due to a bad url (transposed characters). Once fixed, I'm back to the 401 error condition. >> As to your question: >> >>>i think you should get an empty list and not a 401 in any case, but just >>> to make sure - you have the user role on a specific VM and you don't see it? >> >> >> Yes, I believe this is true. If the same user logs into the user portal, he >> can see the VM and start/stop it. From the ovirt admin portal, I see the >> following permissions >> for the VM: > > does this user has any other role/s besides UserRole? No, the only role it is given is UserRole. Here is how it was applied: 1) The user was created in my directory server (that was added to the ovirt manager during setup). 2) After creating a new desktop VM, I selected the VM, selected its Permissions tab, and then added the user with the role 'UserRole' to the VM. This was all done in the ovirt-manager web app. 3) I then login to the user portal with that user account name. After refreshing the VM list (a very minor bug), I see the VM that was assigned to the user. 4) When using the ovirt-shell command, the connect command fails with an error 401 as in the following text: [oVirt shell (disconnected)]# connect https://ovirt-serveri/ 'xxx@' 'pword' error: Unauthorized, [Errno: 401] 5) If I add the "DatacenterAdmin" role, the connect command works. 6) Similarly, if I use curl, I get the same HTTPS Status 401 error. # curl --cacert $CA_FILE -X GET -H "Filter: true" -u xxx@:pword https://ovirtserver/api/vms > uservms.xml # cat uservms.xml JBoss Web/7.0.0.SNAPSHOT - Error report<!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--> HTTP Status 401 - type Status reportmessage description This request requires HTTP authentication ().JBoss Web/7.0.0.SNAPSHOT[bjv@eos ~]$ 7) I see the following when I use ovirt -d and do the connect: send: 'GET /api HTTP/1.1\r\nHost: eos.testcloud.com\r\nAccept-Encoding: identity\r\nPrefer: persistent-auth\r\nContent-type: application/xml\r\nAuthorization: Basic Ymp2ZXR0ZXJAZHJvaWRjbG91ZC5tb2JpOmxvc3QrZm91bmQ=\r\n\r\n' reply: 'HTTP/1.1 401 Unauthorized\r\n' header: Date: Wed, 03 Oct 2012 03:24:53 GMT header: Set-Cookie: JSESSIONID=n3Ex3mxsvzTEM3rlkiHa85mP.undefined; Path=/api; Secure header: WWW-Authenticate: Basic realm="ENGINE" header: Content-Type: text/html;charset=utf-8 header: Content-Length: 962 header: Connection: close Clearly, the ovirt-shell and curl are making the same request and getting the same error response. The engine.log file in /var/log/ovirt-engine has the following after I try to connect: 2012-10-02 22:28:37,489 INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) Checking if user bjvetter is an admin, result false 2012-10-02 22:28:37,490 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp--0.0.0.0-8009-3) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION 2012-10-02 22:28:37,491 INFO [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp--0.0.0.0-8009-3) Login failure, user: bjvetter domain: my.testcloud.com reason: [USER_NOT_AUTHORIZED_TO_PERFORM_ACTION] So based upon what I see in this log file, it would seem that the connect API wants to make sure that I am an admin and not a regular user. Which gets me back to my original question: Do the REST API and the ovirt-shell req
Re: [Users] Authentication for REST APIs?
I also tried a simple connect to the home of the ovirt server in the ovirt-shell: [oVirt shell (disconnected)]# connect https://ovirtserver error: 'str' object has no attribute 'product_info' [oVirt shell (disconnected)]# So this happens without trying to get to the api/vms. As to your question: > i think you should get an empty list and not a 401 in any case, but just to > make sure - you have the user role on a specific VM and you don't see it? Yes, I believe this is true. If the same user logs into the user portal, he can see the VM and start/stop it. From the ovirt admin portal, I see the following permissions for the VM: User Role Brian Vetter (bjvetter@domain) UserRole Brian On Oct 2, 2012, at 10:27 AM, Itamar Heim wrote: > On 10/02/2012 05:20 PM, Brian Vetter wrote: >>> 3.1 added support for non admin to use the api. >>> i.e., this should work. >>> which specific version are you using? >> >> From the about box in the admin web app: >> >>oVirt Engine Version:3.1.0-2.fc17 >> >> >> The curl command I send is: >> >>curl --cacert $CA_FILE -X GET -H "Filter: true" -u >>user@domain:password https://$OVIRT/api/vms > uservms.xml >> >> >> The output when my user's group has a DOMAIN_ADMIN role contains the xml >> for the VMs. The output when the user's group has either a power user or >> a regular user role contains the error response with a 401 unauthorized >> error. >> >> I had lots of fun getting this server set up so it is possible I made a >> mistake during installation, but it seems pretty functional right now. >> Everything seems to be working but I haven't been able to to test out >> how/if I can connect a new, non-portal client without having to add new >> servlets. > > i think you should get an empty list and not a 401 in any case, but just to > make sure - you have the user role on a specific VM and you don't see it? > michael - thoughts? > maybe this was fixed post ovirt 3.1 fedora release? > >> >> Brian >> >> On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote: >> >>> On 10/02/2012 04:52 PM, Brian Vetter wrote: >>>> Adding the "Filter:true" header to the curl request doesn't change >>>> anything. If the user account is not an admin account, I get a 401 >>>> status result. So my question still stands, can the REST API be used >>>> by a mere, non-admin "mortal" or is it only for administrative functions? >>>> >>>> I'm in the process of trying to hook up a different client to a VM >>>> managed by ovirt. I can't use the user portal app. So I was trying to >>>> use the REST APIs on behalf of a normal, non-admin user to get the >>>> list of the authenticating user's VMs and their connection information. >>> >>> 3.1 added support for non admin to use the api. >>> i.e., this should work. >>> which specific version are you using? >>> >>>> >>>> Brian >>>> >>>> On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote: >>>> >>>>> On 10/02/2012 06:28 AM, Brian Vetter wrote: >>>>>> I've done two different things. First, I associated one of my >>>>>> groups in my directory with being a VMUser which gave members >>>>>> access to a particular VM. If I login with one of those users via >>>>>> the User portal, I can see their VM (or VMs if I do more than one). >>>>>> If I use the REST API (or ovirt-shell) using this user's account >>>>>> and password, I get an unauthorized error. >>>>>> >>>>>> Similarly, I have another group that is assigned the DomainManager >>>>>> role. If I add this other user to that group, when I login with >>>>>> that user via the user portal, I see the advanced portal. If I use >>>>>> the REST-API (using curl) or ovirt-shell and use the user's login >>>>>> information, I now am authorized and see a list of VMs returned as >>>>>> XML (in the case of curl). >>>>>> >>>>>> That said, I see all VMs in the system, not just the one assigned >>>>>> to the user that logged in. So this makes me think that either the >>>>>> REST API for getting the APIs as suggested by the article is an >>>>>> administrative API and there is either (a) a diffe
Re: [Users] Authentication for REST APIs?
> 3.1 added support for non admin to use the api. > i.e., this should work. > which specific version are you using? From the about box in the admin web app: oVirt Engine Version: 3.1.0-2.fc17 The curl command I send is: curl --cacert $CA_FILE -X GET -H "Filter: true" -u user@domain:password https://$OVIRT/api/vms > uservms.xml The output when my user's group has a DOMAIN_ADMIN role contains the xml for the VMs. The output when the user's group has either a power user or a regular user role contains the error response with a 401 unauthorized error. I had lots of fun getting this server set up so it is possible I made a mistake during installation, but it seems pretty functional right now. Everything seems to be working but I haven't been able to to test out how/if I can connect a new, non-portal client without having to add new servlets. Brian On Oct 2, 2012, at 9:57 AM, Itamar Heim wrote: > On 10/02/2012 04:52 PM, Brian Vetter wrote: >> Adding the "Filter:true" header to the curl request doesn't change anything. >> If the user account is not an admin account, I get a 401 status result. So >> my question still stands, can the REST API be used by a mere, non-admin >> "mortal" or is it only for administrative functions? >> >> I'm in the process of trying to hook up a different client to a VM managed >> by ovirt. I can't use the user portal app. So I was trying to use the REST >> APIs on behalf of a normal, non-admin user to get the list of the >> authenticating user's VMs and their connection information. > > 3.1 added support for non admin to use the api. > i.e., this should work. > which specific version are you using? > >> >> Brian >> >> On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote: >> >>> On 10/02/2012 06:28 AM, Brian Vetter wrote: >>>> I've done two different things. First, I associated one of my groups in my >>>> directory with being a VMUser which gave members access to a particular >>>> VM. If I login with one of those users via the User portal, I can see >>>> their VM (or VMs if I do more than one). If I use the REST API (or >>>> ovirt-shell) using this user's account and password, I get an unauthorized >>>> error. >>>> >>>> Similarly, I have another group that is assigned the DomainManager role. >>>> If I add this other user to that group, when I login with that user via >>>> the user portal, I see the advanced portal. If I use the REST-API (using >>>> curl) or ovirt-shell and use the user's login information, I now am >>>> authorized and see a list of VMs returned as XML (in the case of curl). >>>> >>>> That said, I see all VMs in the system, not just the one assigned to the >>>> user that logged in. So this makes me think that either the REST API for >>>> getting the APIs as suggested by the article is an administrative API and >>>> there is either (a) a different rest API/uri that returns the logged in >>>> user's vms (the list that would be returned to the portal) or (b) no way >>>> to get a particular user's list of VMs authenticated as the user. >>> >>> you need to specify to the api you want to view things in "user mode" via >>> the filter header. >>> Example: >>> curl -X GET -H "Filter: true" -u user@domain:password >>> http://[servername]:PORT/api/vms >>> >>> >>> >>>> >>>> Brian >>>> >>>> On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote: >>>> >>>>> Hi Brian, >>>>> I looked at the wiki - >>>>> I assume you're referring to the "showVm" part. >>>>> Have you assigned any permissions to the user that is supposed to view >>>>> the VMs? >>>>> I assume you created the VMs with the administrator user, so any other >>>>> user will require to have a proper permissions in order to view these VMs >>>>> >>>>> Yair >>>>> >>>>> >>>>> On 10/02/2012 05:09 AM, Brian Vetter wrote: >>>>>> I was trying to use both the rest api to view a user's vm information. I >>>>>> found that the REST APIs always returned an authentication error if the >>>>>> account I had logged into was not an ovirt administrator. I am guessing >>>>>> that either (a) I am using the wrong URL in the REST api or
Re: [Users] Authentication for REST APIs?
Adding the "Filter:true" header to the curl request doesn't change anything. If the user account is not an admin account, I get a 401 status result. So my question still stands, can the REST API be used by a mere, non-admin "mortal" or is it only for administrative functions? I'm in the process of trying to hook up a different client to a VM managed by ovirt. I can't use the user portal app. So I was trying to use the REST APIs on behalf of a normal, non-admin user to get the list of the authenticating user's VMs and their connection information. Brian On Oct 2, 2012, at 2:15 AM, Itamar Heim wrote: > On 10/02/2012 06:28 AM, Brian Vetter wrote: >> I've done two different things. First, I associated one of my groups in my >> directory with being a VMUser which gave members access to a particular VM. >> If I login with one of those users via the User portal, I can see their VM >> (or VMs if I do more than one). If I use the REST API (or ovirt-shell) using >> this user's account and password, I get an unauthorized error. >> >> Similarly, I have another group that is assigned the DomainManager role. If >> I add this other user to that group, when I login with that user via the >> user portal, I see the advanced portal. If I use the REST-API (using curl) >> or ovirt-shell and use the user's login information, I now am authorized and >> see a list of VMs returned as XML (in the case of curl). >> >> That said, I see all VMs in the system, not just the one assigned to the >> user that logged in. So this makes me think that either the REST API for >> getting the APIs as suggested by the article is an administrative API and >> there is either (a) a different rest API/uri that returns the logged in >> user's vms (the list that would be returned to the portal) or (b) no way to >> get a particular user's list of VMs authenticated as the user. > > you need to specify to the api you want to view things in "user mode" via the > filter header. > Example: > curl -X GET -H "Filter: true" -u user@domain:password > http://[servername]:PORT/api/vms > > > >> >> Brian >> >> On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote: >> >>> Hi Brian, >>> I looked at the wiki - >>> I assume you're referring to the "showVm" part. >>> Have you assigned any permissions to the user that is supposed to view the >>> VMs? >>> I assume you created the VMs with the administrator user, so any other user >>> will require to have a proper permissions in order to view these VMs >>> >>> Yair >>> >>> >>> On 10/02/2012 05:09 AM, Brian Vetter wrote: >>>> I was trying to use both the rest api to view a user's vm information. I >>>> found that the REST APIs always returned an authentication error if the >>>> account I had logged into was not an ovirt administrator. I am guessing >>>> that either (a) I am using the wrong URL in the REST api or (b) you must >>>> be some kind of admin to access the REST APIs. I noticed the same behavior >>>> when I was using the ovirt-shell tool. >>>> >>>> For example, I was trying to follow the instructions in >>>> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal >>>> to get the list of VMs (presumably for the user that is logging in), I get >>>> an unauthorized error. If the user account I login with in the curl or >>>> ovirt-shell connect statement is an admin, I get the list of VMs. >>>> >>>> So my question here is does the REST-API need admin privileges or am I >>>> using a url that requires admin privileges whereas some others don't. And >>>> if it is the latter, is there somewhere that documents the various rest >>>> api resources? For example, to go back to the "How to connect to Spice >>>> console ..." article, how would one use the REST API to fetch one's >>>> virtual machines, their status, and connection info for them? >>>> >>>> Thanks, >>>> >>>> Brian ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Authentication for REST APIs?
I've done two different things. First, I associated one of my groups in my directory with being a VMUser which gave members access to a particular VM. If I login with one of those users via the User portal, I can see their VM (or VMs if I do more than one). If I use the REST API (or ovirt-shell) using this user's account and password, I get an unauthorized error. Similarly, I have another group that is assigned the DomainManager role. If I add this other user to that group, when I login with that user via the user portal, I see the advanced portal. If I use the REST-API (using curl) or ovirt-shell and use the user's login information, I now am authorized and see a list of VMs returned as XML (in the case of curl). That said, I see all VMs in the system, not just the one assigned to the user that logged in. So this makes me think that either the REST API for getting the APIs as suggested by the article is an administrative API and there is either (a) a different rest API/uri that returns the logged in user's vms (the list that would be returned to the portal) or (b) no way to get a particular user's list of VMs authenticated as the user. Brian On Oct 1, 2012, at 10:49 PM, Yair Zaslavsky wrote: > Hi Brian, > I looked at the wiki - > I assume you're referring to the "showVm" part. > Have you assigned any permissions to the user that is supposed to view the > VMs? > I assume you created the VMs with the administrator user, so any other user > will require to have a proper permissions in order to view these VMs > > Yair > > > On 10/02/2012 05:09 AM, Brian Vetter wrote: >> I was trying to use both the rest api to view a user's vm information. I >> found that the REST APIs always returned an authentication error if the >> account I had logged into was not an ovirt administrator. I am guessing that >> either (a) I am using the wrong URL in the REST api or (b) you must be some >> kind of admin to access the REST APIs. I noticed the same behavior when I >> was using the ovirt-shell tool. >> >> For example, I was trying to follow the instructions in >> http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal to >> get the list of VMs (presumably for the user that is logging in), I get an >> unauthorized error. If the user account I login with in the curl or >> ovirt-shell connect statement is an admin, I get the list of VMs. >> >> So my question here is does the REST-API need admin privileges or am I using >> a url that requires admin privileges whereas some others don't. And if it is >> the latter, is there somewhere that documents the various rest api >> resources? For example, to go back to the "How to connect to Spice console >> ..." article, how would one use the REST API to fetch one's virtual >> machines, their status, and connection info for them? >> >> Thanks, >> >> Brian >> >> ___ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] Authentication for REST APIs?
I was trying to use both the rest api to view a user's vm information. I found that the REST APIs always returned an authentication error if the account I had logged into was not an ovirt administrator. I am guessing that either (a) I am using the wrong URL in the REST api or (b) you must be some kind of admin to access the REST APIs. I noticed the same behavior when I was using the ovirt-shell tool. For example, I was trying to follow the instructions in http://wiki.ovirt.org/wiki/How_to_Connect_to_SPICE_Console_Without_Portal to get the list of VMs (presumably for the user that is logging in), I get an unauthorized error. If the user account I login with in the curl or ovirt-shell connect statement is an admin, I get the list of VMs. So my question here is does the REST-API need admin privileges or am I using a url that requires admin privileges whereas some others don't. And if it is the latter, is there somewhere that documents the various rest api resources? For example, to go back to the "How to connect to Spice console ..." article, how would one use the REST API to fetch one's virtual machines, their status, and connection info for them? Thanks, Brian ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users