[ovirt-users] Re: CentOS 8 is dead

2020-12-08 Thread Derek Atkins
Hmm.
I appear to be having Slack issues.
Even though I am logged into my slack and have it running, when I click
this link I get a "sign in to your workspace" -- and I can't get to this
channel.
Maybe it's not public and is limited somehow?
Or maybe Slack doesn't like me?
-derek

On Tue, December 8, 2020 4:21 pm, Strahil Nikolov wrote:
> Actually,
>
> you are not the only one thinking about it.
> You can check a lot of users (including me) are joining the following
> slack channel: https://app.slack.com/client/T0YKGK200/D01H5BZ85LG
>
> Best Regards,
> Strahil Nikolov
>
> At 16:01 -0500 on 08.12.2020 (Tue), Derek Atkins wrote:
>> On Tue, December 8, 2020 3:49 pm, Christopher Cox wrote:
>> > On 12/8/20 2:20 PM, Michael Watters wrote:
>> > > This was one of my fears regarding the IBM acquisition.  I guess
>> > > we
>> > > can't complain too much, it's not like anybody *pays* for
>> > > CentOS.  :)
>> >
>> > Yes, but this greatly limits oVirt use to temporal dev labs only.
>> >
>> > Maybe oVirt should look into what it would take to one of the long
>> > term
>> > Devian
>> > based distros
>>
>> So... stupid question, but...   What would it take for a group of
>> interested individuals to "take over" the current CentOS-as-RHEL-
>> rebuild
>> processes currently in place?  I honestly have no idea how much
>> person-hour effort it is to maintain CentOS, or what other
>> resources
>> (build machines / infrastructure) are required?
>>
>> > ...snippity
>>
>> -derek
>> --
>>Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/IVROYZSBEM3GSWGON452YKOF7U5HXNTY/
>
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GYOQ4DA4BE2VVR2W22ERF7BAH6UWB5EY/


[ovirt-users] Re: CentOS 8 is dead

2020-12-08 Thread Derek Atkins

On Tue, December 8, 2020 3:49 pm, Christopher Cox wrote:
> On 12/8/20 2:20 PM, Michael Watters wrote:
>> This was one of my fears regarding the IBM acquisition.  I guess we
>> can't complain too much, it's not like anybody *pays* for CentOS.  :)
>
> Yes, but this greatly limits oVirt use to temporal dev labs only.
>
> Maybe oVirt should look into what it would take to one of the long term
> Devian
> based distros

So... stupid question, but...   What would it take for a group of
interested individuals to "take over" the current CentOS-as-RHEL-rebuild
processes currently in place?  I honestly have no idea how much
person-hour effort it is to maintain CentOS, or what other resources
(build machines / infrastructure) are required?

> ...snippity

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


[ovirt-users] Re: Error creating host certificate with SubjectAltName with -ki-enroll-request.sh

2020-12-08 Thread Derek Atkins

On Tue, December 8, 2020 10:17 am, Yedidyah Bar David wrote:
> On Tue, Dec 8, 2020 at 5:09 PM Derek Atkins  wrote:
>>
[snip]
>> Is there any chance this could be added to the --help output?
>> An actual example would have been very useful.
>
> Frankly, I'd prefer people (like you) that need to use these
> utilities manually, to search the net if they have problems,
> than spending hours debating about how long --help should be,
> what should be included in it and what not, what link we might
> provide for further reference (and please note that I didn't
> include such a link in my original reply - simply because I
> failed to find one that seemed "most suitable"), etc. That said,
> patches are welcome! If you think you can improve the current
> text in a conflict-free way, which everyone will agree to, please
> go ahead and push a patch! :-)

I'll take a look at doing that.

I did google some before asking here, but there were very few hits for
usage of pki-enroll-request.sh -- although I admit I did not try many
different search terms.  Most of the results were not ovirt related nor
related to this script at all.

> BTW: What I personally do, is to search the code and/or relevant
> logs to see what other tools (the engine, engine-setup, in this
> case) do, as "reference examples".

That presumes having ready access to (in this case) ovirt sources -- which
you obviously do but I do not.  As a user, I don't feel I should need to
go refer to the sources to determine how a utility program should be
properly used.  IMHO that's what documentation is used for.  However I
will keep that in mind for my next issue ;)

But I do understand your PoV -- for GnuCash I often reference the sources
when answering people's questions.  However that's a case where I am (or
was) one of the developers so I do have the sources handy.  :)

Thanks again.  I am all set now!

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


[ovirt-users] Re: Error creating host certificate with SubjectAltName with -ki-enroll-request.sh

2020-12-08 Thread Derek Atkins
Hi Didi,

On Tue, December 8, 2020 10:03 am, Yedidyah Bar David wrote:
> On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins  wrote:
>>
>> Hi,
>>
>> I'm running a single-host, hosted-engine Ovirt deployment, version
>> 4.3.10
>> (upgraded from 4.0->4.1->4.2) and it's complaining that my host cert
>> does
>> not have a SubjectAltName.
>>
>> If I try to use pki-enroll-request.sh to rebuild the host cert and
>> follow
>> the instructions to add a --san, I get an error:
>>
>> /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me
>> --san=host.na.me
>
> Please try with '--san=DNS:host.na.me'.

AHA, thank you...  That worked.

>> Using configuration from openssl.conf
>> Check that the request matches the signature
>> Signature ok
>> The Subject's Distinguished Name is as follows
>> organizationName  :PRINTABLE:'My Org Name'
>> commonName:PRINTABLE:'host.na.me'
>> ERROR: adding extensions in section v3_ca_san
>> 139875647600528:error:2207507C:X509 V3
>> routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
>> 139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error
>> in
>> extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
>> Cannot sign certificate
>>
>> Am I using this script incorrectly?
>
> You are using it well. --san argument is passed as-is to openssl's
> 'subjectAltName', which requires a prefix to tell its type. Search the
> net for 'openssl subjectAltName' for other examples.

Is there any chance this could be added to the --help output?
An actual example would have been very useful.

Thanks again!

> Best regards,
> --
> Didi

-derek


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
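
The fix in this exchange was the type prefix: the --san value is handed to openssl's subjectAltName unchanged, and that parser wants entries such as DNS:host.na.me. The script below is an added example, not code from the thread or from oVirt; its function names are hypothetical, and it handles only DNS, IP, email and URI entries and checks shape, not reachability.

```shell
#!/bin/sh
# Added example, not part of pki-enroll-request.sh or the oVirt code base.
# Turns a comma-separated list of bare names/addresses into a value that
# openssl's subjectAltName parser accepts, for use as --san=<value>.

# Print one SAN entry with its type prefix, or return 1 if it cannot be typed.
san_entry() {
    se_in=$1
    case $se_in in
        # Already typed and non-empty after the colon: pass through unchanged.
        DNS:?*|IP:?*|email:?*|URI:?*) printf '%s\n' "$se_in"; return 0 ;;
    esac
    # Bare IPv4 dotted quad.
    if printf '%s\n' "$se_in" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        printf 'IP:%s\n' "$se_in"; return 0
    fi
    # Bare IPv6: only hex digits and colons, with at least two colons.
    if printf '%s\n' "$se_in" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'; then
        printf 'IP:%s\n' "$se_in"; return 0
    fi
    # Bare host name, optionally with a leading wildcard label.
    if printf '%s\n' "$se_in" | grep -Eq '^(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'; then
        printf 'DNS:%s\n' "$se_in"; return 0
    fi
    # Empty entry, empty value after a prefix, or an unknown prefix.
    return 1
}

# Normalize a whole comma-separated list; fail on the first bad entry so a
# half-valid value never reaches the signing step.
normalize_san() {
    ns_rest=$1,
    ns_out=
    while [ -n "$ns_rest" ]; do
        ns_item=${ns_rest%%,*}
        ns_rest=${ns_rest#*,}
        ns_typed=$(san_entry "$ns_item") || {
            printf 'bad subjectAltName entry: "%s"\n' "$ns_item" >&2
            return 1
        }
        ns_out=${ns_out:+$ns_out,}$ns_typed
    done
    printf '%s\n' "$ns_out"
}

# Usage: sh san.sh NAME SAN-LIST
# Prints the enrollment command for review; it does not run it.
if [ $# -eq 2 ]; then
    san=$(normalize_san "$2") || exit 2
    printf '/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=%s --san=%s\n' "$1" "$san"
fi
```
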


[ovirt-users] [SOLVED] Re: Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?

2020-12-08 Thread Derek Atkins
Hi,

On Mon, December 7, 2020 4:02 pm, Derek Atkins wrote:
> Hi Michal,
>
> On Mon, December 7, 2020 11:43 am, Michal Skrivanek wrote:
>>
[snip]
> And for the record, after putting the new certificates into place by
> hand,
> just restarting a VM was sufficient to get Spice to pull in the new
> cert(s).  So, technically, it LOOKS like I don't have to reboot the whole
> system (although I plan to do that tonight) -- I could just shutdown and
> re-run each VM.
>
>> HTH,
>> michal
>
> Thank you for all your support and everything you do for this project,
> Michal.  We very much appreciate it!

For the record, I rebooted the host last night and once everything came
back, the new certs were all in place and everything was happy, except
for the fact that my host cert does not have a SAN (SubjectAltName) so the
engine is *still* complaining about it.  See my other email about that.



FYI, here are the commands I used to refresh everything (modulo restarting
everything):

# Timestamp suffix for the backup copies (set it in each shell you use,
# on the engine and on the host):
my_date="$(date +"%Y%m%d%H%M%S")"

##  On the ENGINE, rebuild the CA Cert:

cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem.$my_date
cp -p /etc/pki/ovirt-engine/ca.pem{,.$my_date}
openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in /etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
openssl x509 -in /etc/pki/ovirt-engine/ca.pem.new -text > /etc/pki/ovirt-engine/ca.pem.new.full
mv /etc/pki/ovirt-engine/ca.pem.new.full /etc/pki/ovirt-engine/ca.pem
mv /etc/pki/ovirt-engine/certs/ca.der{,.$my_date}
cp -p /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/certs/ca.der


#  On ovirt host, create a CSR:
#   openssl x509 -x509toreq -in /etc/pki/libvirt/clientcert.pem -out /tmp/HOST.csr -signkey /etc/pki/libvirt/private/clientkey.pem
mv /etc/pki/ovirt-engine/certs/host.na.me.cer{,.$my_date}
mv /etc/pki/ovirt-engine/requests/host.na.me.req{,.$my_date}

# copy new CSR into place on the engine:
#/etc/pki/ovirt-engine/requests/host.na.me.req
#  and sign it:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me

#  NB -- adding --san results in an error: --san=host.na.me


# copy new Host cert from /etc/pki/ovirt-engine/certs/host.na.me.cer
#to host:new_cert
#   and copy CA cert to host:cacert.pem
# ON OVIRT Host:
mv /etc/pki/libvirt/clientcert.pem{,.$my_date}
mv /etc/pki/vdsm/certs/vdsmcert.pem{,.$my_date}
mv /etc/pki/vdsm/libvirt-spice/server-cert.pem{,.$my_date}
cp -p new_cert /etc/pki/libvirt/clientcert.pem
cp -p new_cert /etc/pki/vdsm/certs/vdsmcert.pem
cp -p new_cert /etc/pki/vdsm/libvirt-spice/server-cert.pem
chown root:kvm /etc/pki/libvirt/clientcert.pem /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem
#
# Copy new CA cert into place on Host:
mv /etc/pki/CA/cacert.pem{,.$my_date}
cp -p cacert.pem /etc/pki/CA/cacert.pem
chgrp kvm /etc/pki/CA/cacert.pem
mv /etc/pki/vdsm/certs/cacert.pem{,.$my_date}
mv /etc/pki/vdsm/libvirt-spice/ca-cert.pem{,.$my_date}
mv /etc/pki/ovirt-engine/ca.pem{,.$my_date}
cp -p /etc/pki/CA/cacert.pem /etc/pki/vdsm/certs/cacert.pem
cp -p /etc/pki/CA/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
cp -p /etc/pki/CA/cacert.pem /etc/pki/ovirt-engine/ca.pem


At this point I shut down all VMs, rebooted the host, and restarted all
the VMs and everything came back happy (except for the lack of the
SubjectAltName).


Also note that you will need to remove the trusted cert from your
browser(s) and re-add the new CA cert -- otherwise you will get a browser
error complaining about the change in certificate from the same Issuer and
with the same Serial#.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
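
A read-only check for the state this message describes (new certificates in place, SubjectAltName still missing, SHA-1 being what remote-viewer rejected), as an added example that is not part of the original post or of oVirt. The function names and the `--audit` switch are hypothetical, the file paths are the ones named in the thread, and the embedded certificate text is constructed sample input.

```shell
#!/bin/sh
# Added example: audit the host certificates that the procedure above replaces.
# Nothing here modifies a file.

HOST_CERTS="/etc/pki/libvirt/clientcert.pem
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem"
HOST_CA="/etc/pki/vdsm/certs/cacert.pem"

# Read `openssl x509 -noout -text` output on stdin, print the signature algorithm.
sig_alg_of_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Succeed when the algorithm name uses an MD5 or SHA-1 digest.
is_weak_sig() {
    case $1 in
        md5*|sha1*|dsaWithSHA1|ecdsa-with-SHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarize one certificate's text dump as: sig=<alg> weak=<yes|no> san=<yes|no>
report_from_text() {
    rt_text=$(cat)
    rt_alg=$(printf '%s\n' "$rt_text" | sig_alg_of_text)
    rt_weak=no
    if is_weak_sig "$rt_alg"; then rt_weak=yes; fi
    rt_san=no
    if printf '%s\n' "$rt_text" | grep -q 'X509v3 Subject Alternative Name'; then
        rt_san=yes
    fi
    printf 'sig=%s weak=%s san=%s\n' "$rt_alg" "$rt_weak" "$rt_san"
}

# Constructed sample: a SHA-1 signed certificate without a SubjectAltName.
demo_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O = My Org Name, CN = example-ca
        Subject: O = My Org Name, CN = host.na.me
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Check every host copy: digest, SAN, identical content, and chain to the CA.
audit_host() {
    ah_rc=0
    ah_first=
    for ah_f in $HOST_CERTS "$HOST_CA"; do
        if [ ! -r "$ah_f" ]; then
            echo "$ah_f: missing or unreadable"; ah_rc=1; continue
        fi
        ah_rep=$(openssl x509 -in "$ah_f" -noout -text | report_from_text)
        echo "$ah_f: $ah_rep"
        case $ah_rep in *weak=yes*) ah_rc=1 ;; esac
        # The CA certificate needs no SAN and is not compared with the others.
        [ "$ah_f" = "$HOST_CA" ] && continue
        case $ah_rep in *san=no*) ah_rc=1 ;; esac
        ah_fp=$(openssl x509 -in "$ah_f" -noout -fingerprint -sha256)
        if [ -z "$ah_first" ]; then ah_first=$ah_fp; fi
        if [ "$ah_fp" != "$ah_first" ]; then
            echo "$ah_f: not the same certificate as the first file"; ah_rc=1
        fi
        if ! openssl verify -CAfile "$HOST_CA" "$ah_f" >/dev/null 2>&1; then
            echo "$ah_f: does not verify against $HOST_CA"; ah_rc=1
        fi
    done
    return $ah_rc
}

# Run on the host as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
    exit $?
fi
```
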


[ovirt-users] Error creating host certificate with SubjectAltName with -ki-enroll-request.sh

2020-12-08 Thread Derek Atkins
Hi,

I'm running a single-host, hosted-engine Ovirt deployment, version 4.3.10
(upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does
not have a SubjectAltName.

If I try to use pki-enroll-request.sh to rebuild the host cert and follow
the instructions to add a --san, I get an error:

/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me --san=host.na.me
Using configuration from openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName  :PRINTABLE:'My Org Name'
commonName:PRINTABLE:'host.na.me'
ERROR: adding extensions in section v3_ca_san
139875647600528:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
Cannot sign certificate

Am I using this script incorrectly?

Thanks,

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


[ovirt-users] Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?

2020-12-07 Thread Derek Atkins
Hi Michal,

On Mon, December 7, 2020 11:43 am, Michal Skrivanek wrote:
>
>
>> On 7 Dec 2020, at 15:35, Gianluca Cecchi 
>> wrote:
>>
>> On Mon, Dec 7, 2020 at 2:22 PM Derek Atkins <de...@ihtfp.com> wrote:
>> [snip]
>>
>> The main advantages of ovirt over virt-manager is the access-control and
>> remote-access capabilities.  Specifically, I have several users which
>> have
>> different access to different VMs and their consoles.  Without providing
>> ssh access to the host, I wasn't sure how to provide that access in a
>> clean way via virt-manager.
[snip]
>> +1 here.
>> And I think developers should put more attention in single host
>> environments than lastly done.
>
> well, the truth is it is a corner case. I’m not saying it shouldn’t work
> but as Didi said a single host management was never the main goal. We’ve
> built oVirt around shared storage and DC scalability, that it sort of
> happens to work with single host is….nice, but it’s really not that
> typical. There are better options for desktop-like virtualization in OSS
> world, there’s virt-manager, there’s VM management in cockpit UI,
> gnome-boxes.

As of several years ago, I don't think any of these options worked with
multiple, distributed (remote) users with different capabilities on the
same VM Host.  Has that changed?

>> Derek explained very well what could be many common situations to have a
>> single host environment and the reason not to use virt-manager and such.
>> At time there was the all-in-one and then it was deprecated/abandoned in
>> favour of single host deployment.
>
> yes. but it was never meant to be a real thing in a first place, it was
> created just for demo purposes so it can run on a single laptop.
>
>> Now due to perhaps ansible playbook or new logic in host upgrades it
>> seems to see more and more messages about single host not supported.
>
> it’s not intentional, just not tested enough so it keeps breaking. we
> really can’t test every use case in automation.

I think there are enough users who want this configuration (or, gasp, are
actually using this configuration) that it might warrant a little more
testing.  Yes, we understand that there will be times that we need to shut
down VMs and reboot the system, and those times can be scheduled (like
I've done).  However, that WOULD require a little more support, to at
least have a recipe that works on a single-host hosted-engine solution.

For host cert renewal, that recipe didn't really exist.

[snip]
> I don’t think it would take too much attention, TBH. We’re still dealing
> with 4.4 and el8 complications (it’s still fairly early since GA of a
> major release)

Of course.  (Personally, I think it should have been called 5.0 instead of
4.4, as it requires a full re-install to migrate from 4.3).

> What would make sense, I think, is to identify the actual
> issues/complications and do them differently, like indeed a special local
> playbooks or whatnot, or “special” hacks. And then document on oVirt wiki.
> But otherwise I do not really see them supportable - the amount of work to
> e.g. re-enroll certs on a running host is just too much to do properly,
> and everyone has a different level of “risk” they accept.

Exactly.  Some tested playbook recipes that allow a single-host
hosted-engine deployment to perform these operations is really what I'm
asking for.  Yes, I know it will require rebooting.  But reboot is much
less risky than re-install!

And for the record, after putting the new certificates into place by hand,
just restarting a VM was sufficient to get Spice to pull in the new
cert(s).  So, technically, it LOOKS like I don't have to reboot the whole
system (although I plan to do that tonight) -- I could just shutdown and
re-run each VM.

> HTH,
> michal

Thank you for all your support and everything you do for this project,
Michal.  We very much appreciate it!

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


[ovirt-users] Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?

2020-12-07 Thread Derek Atkins
Hi Didi,

Sorry for the multiple emails yesterday.  I'm going to respond to all of
your responses in this one.

On Mon, December 7, 2020 3:31 am, Yedidyah Bar David wrote:
> On Sun, Dec 6, 2020 at 8:14 PM Derek Atkins  wrote:
>>
>> Hi again,
>>
>> I also noticed that ca.pem was not updated -- it's still using Sha1.
>
> You are right - we didn't make engine-setup recreate existing certs
> for this - "Renew" deals with other stuff [1]. We only change the
> default for new ones [2], and wrote a procedure [3][4] for doing this
> manually. At the time, this wasn't mandatory - browsers didn't reject
> sha1. Perhaps now it should be.

I should point out that it's not the browsers that are rejecting SHA1, but
it is remote-viewer that is.  My Fedora-33 firefox connected to my
Sha1-using Ovirt HTTPS just fine, without any complaints.  Granted, as I
note later, these certs were already imported and accepted in firefox
years ago, so that could be why there were no complaints.

However, the console.vv file sent to remote-viewer includes the CA cert --
but I'm not sure if it's complaining about that or the host cert that gets
sent during the connection; I can't tell from the output.  I know it's the
CA cert that's sent in the .vv file, but I'm not 100% sure which
particular source is being used, and I'm not sure which cert is considered
"bad" by the viewer.

[snip]
>> I don't know if this will be an issue with remote-viewer if I wind up
>> refreshing the host cert?
>
> As I said, at the time it didn't seem to be mandatory, and docs seemed
> to be enough. If you feel otherwise, please open a bug.

I already refreshed the CA cert, so unfortunately I won't be able to test
this for sure.  I know that refreshing the CA cert on the engine alone is
not sufficient -- the console.vv file still has the old one, even after an
engine restart.

> I think there is a difference, or at least there was, between what
> browsers
> did/do with https certs, and what they did with CA certs.

Probably true, but firefox was not complaining with the Sha1 certs.

> If you had a CA cert already accepted/imported/trusted by the browser,
> and then you entered a site with a cert signed by this CA, but with a
> SHA1 signature, this was one separate case. Browsers started warning/
> rejecting them earlier.

I think I had already accepted the site cert which is probably why it
wasn't complaining about it being SHA1.

> If you have a CA cert with a SHA1 signature, and want to import that to
> a browser, that's another case. I didn't test recently (or much over time,
> other than working on these bugs) with recent browsers, but I think it
> took longer until they rejected (if indeed they do - not sure all of them
> do).

Indeed.  I already had both the SHA1 CA cert and the SHA1 host cert
accepted in my Firefox trust before I upgraded, so perhaps that's why I
didn't see any issues in F33.  I removed both and re-imported the (new) CA
cert.

>> One more question:
>>
>> Can you verify that etc/pki/libvirt/clientcert.pem,
>> etc/pki/vdsm/certs/vdsmcert.pem, and
>> etc/pki/vdsm/libvirt-spice/server-cert.pem are all supposed to be same
>> certificate (on the host)?  By a quick find | grep all three of these
>> files appear to be the .cer certificate file?
>
> Yes, and also vdsm/libvirt-vnc/server-cert.pem .

I don't see this directly in /etc/pki on the host?  All I see is:
# ls -l /etc/pki/vdsm/
total 8
drwxr-xr-x. 2 vdsm kvm 4096 Dec  6 17:16 certs
drwxr-xr-x. 2 vdsm kvm   80 Jun  7  2020 keys
drwxr-xr-x. 2 vdsm kvm 4096 Dec  6 17:18 libvirt-spice

And /etc/pki/vdsm does not exist on the engine.  Indeed:

# find /etc/pki -name server-cert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem


>> Does it matter that ca.der didn't change?  I don't know if that is a
>> self-signed cert that might be problematic?
>
> ca.der is not used by anything, you can ignore it. The private key of
> the CA is in /etc/pki/ovirt-engine/private/ca.pem, and the public key
> is in /etc/pki/ovirt-engine/ca.pem. That's what all tools use.

Actually, I verified that ca.der *IS* used -- that's what gets sent out if
you access
http://your-manager-fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
-- so I had to update that in order to make the new cert available.



> Generally speaking, the project considers the "standard" use case to be a
> setup of at least two hosts, and at least one host "extra" (in terms of
> capacity), so that if a host fails, you can still keep everything up. In
> that regard, a single-host setup is considered a kind of "corner case",
> meant mainly for testing/development, not production. Is there such a big
> advantage in using oVirt for a single host, compared to virt-manager?

The main advantages 

[ovirt-users] Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?

2020-12-06 Thread Derek Atkins
Hi again,

I also noticed that ca.pem was not updated -- it's still using Sha1.
I don't know if this will be an issue with remote-viewer if I wind up
refreshing the host cert?

-derek

On Sun, December 6, 2020 7:44 am, Yedidyah Bar David wrote:
> On Sun, Dec 6, 2020 at 12:34 AM Derek Atkins  wrote:
>>
>> Hi,
>>
>> I've got a single-host hosted-engine deployment that I originally
>> installed with 4.0 and have upgraded over the years to 4.3.10.  I and
>> some
>> of my users have upgraded remote-viewer and now I get an error when I
>> try
>> to view the console of my VMs:
>>
>> (remote-viewer:8252): Spice-WARNING **: 11:30:41.806:
>> ../subprojects/spice-common/common/ssl_verify.c:477:openssl_verify:
>> Error
>> in server certificate verification: CA signature digest algorithm too
>> weak
>> (num=68:depth0:/O=/CN=)
>>
>> I am 99.99% sure this is because the old certs use SHA1.
>>
>> I reran engine-setup on the engine and it asked me if I wanted to renew
>> the PKI, and I answered yes.  This replaced many[1] of the certificates
>> in
>> /etc/pki/ovirt-engine/certs on the engine, but it did not update the
>> Host's  certificate.
>
> Indeed.
>
>>
>> All the documentation I've seen says that to refresh this certificate I
>> need to put the host into maintenance mode and then re-enroll..  However
>> I
>> cannot do that, because this is a single-host system so I cannot put the
>> host in local mode -- there is no place to migrate the VMs (let alone
>> the
>> Engine VM).
>>
>> So  Is there a command-line way to re-enroll manually and update the
>> host certs?
>
> I don't think you'll find anything like this.
>
> People did come up in the past with various procedure to hack pki like
> what
> you want, but these are, generally speaking, quite fragile - usually do
> not
> get updated over versions etc.
>
> I am pretty certain the only way to do this using "official" tools/docs
> is:
>
> 1. Stop all VMs except for the engine one.
>
> 2. Take a backup with engine-backup.
>
> 3. Stop the engine VM.
>
> 4. Reinstall the host OS from scratch or use ovirt-hosted-engine-cleanup.
>
> 5. Provision the host again as a hosted-engine host, using
> '--restore-from-file'.
> Either using new storage for the engine, or after cleaning up the existing
> hosted-engine storage.
>
> If you still want to try doing this manually, then the tool to use is
> pki-enroll-request.sh. IIRC it's documented. You should find what
> keys/certs
> you want to replace, generate new keys and CSRs (or use existing keys and
> generate CSRs, or even use existing CSRs if you find them), copy to the
> engine,
> sign with pki-enroll-request.sh, then copy the generated cert to the host.
> I am
> almost certain there is no way to tell vdsm (and other processes) to
> reload
> the certs, so you'll have to restart it (them) - and this usually
> requires putting
> the host in maintenance (and therefore stop (migrate) all VMs).
>
>>  Or some other way to get all the leftover certs renewed?
>
> Which ones, specifically?
>
>>
>> Thanks,
>>
>> -derek
>>
>> [1] Not only did it not update the Host's cert, it did not update any of
>> the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/,
>> and
>> obviously nothing in /etc/pki/ on the host itself.
>
> AFAIR no process uses these certs as such. There are only processes that
> use
> the ssh-format keys extracted from them, which do not include a signature
> (sha1 or whatever).
>
> If you think I am wrong, and/or notice other certs that need to be
> regenerated,
> that's a bug - please open one. Thanks!
>
> Re remote-viewer/spice: You didn't say if you tried again after
> engine-setup
> and what happened. In any case, this is unrelated to vmconsole (which is
> for
> serial consoles, using ssh). But you might still need to regenerate the
> host
> cert.
>
> BTW: You can try using novnc and websocket-proxy - engine-setup does
> update
> the cert for the latter, so this might work as-is.
>
> Best regards,
> --
> Didi
>
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


[ovirt-users] Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?

2020-12-06 Thread Derek Atkins
Hi Didi,

One more question:

Can you verify that etc/pki/libvirt/clientcert.pem,
etc/pki/vdsm/certs/vdsmcert.pem, and
etc/pki/vdsm/libvirt-spice/server-cert.pem are all supposed to be same
certificate (on the host)?  By a quick find | grep all three of these
files appear to be the .cer certificate file?

-derek

On Sun, December 6, 2020 12:25 pm, Derek Atkins wrote:
> Hi,
>
> On Sun, December 6, 2020 7:44 am, Yedidyah Bar David wrote:
>> On Sun, Dec 6, 2020 at 12:34 AM Derek Atkins  wrote:
> [snip]
>>> So  Is there a command-line way to re-enroll manually and update
>>> the
>>> host certs?
>>
>> I don't think you'll find anything like this.
>>
>> People did come up in the past with various procedure to hack pki like
>> what
>> you want, but these are, generally speaking, quite fragile - usually do
>> not
>> get updated over versions etc.
>>
>> I am pretty certain the only way to do this using "official" tools/docs
>> is:
>>
>> 1. Stop all VMs except for the engine one.
>>
>> 2. Take a backup with engine-backup.
>>
>> 3. Stop the engine VM.
>>
>> 4. Reinstall the host OS from scratch or use
>> ovirt-hosted-engine-cleanup.
>>
>> 5. Provision the host again as a hosted-engine host, using
>> '--restore-from-file'.
>> Either using new storage for the engine, or after cleaning up the
>> existing
>> hosted-engine storage.
>
> If I were to go this route I might as well upgrade to EL8 / 4.4 at the
> same time.  However, I would rather not do that; I consider that a very
> dangerous operation, with a generally too-high probability of failure.
>
>> If you still want to try doing this manually, then the tool to use is
>> pki-enroll-request.sh. IIRC it's documented. You should find what
>> keys/certs
>> you want to replace, generate new keys and CSRs (or use existing keys
>> and
>> generate CSRs, or even use existing CSRs if you find them), copy to the
>> engine,
>> sign with pki-enroll-request.sh, then copy the generated cert to the
>> host.
>
> Thanks.  I will look into this method.
>
>> I am
>> almost certain there is no way to tell vdsm (and other processes) to
>> reload
>> the certs, so you'll have to restart it (them) - and this usually
>> requires putting
>> the host in maintenance (and therefore stop (migrate) all VMs).
>
> I don't mind stopping the VMs in order to reboot the host if I can plan
> that.  My understanding is that because there is no place to migrate the
> hosted-engine, that implies even I stop all the other VMs, I still cannot
> put the host into maintenance mode.  Is my understanding correct?
>
>>>  Or some other way to get all the leftover certs renewed?
>>
>> Which ones, specifically?
>
> I think I listed them all:  *.cer and vmconsole*.cer on the engine,
> and of course everything on the host itself.
>
> Does it matter that ca.der didn't change?  I don't know if that is a
> self-signed cert that might be problematic?
>
>>>
>>> Thanks,
>>>
>>> -derek
>>>
>>> [1] Not only did it not update the Host's cert, it did not update any
>>> of
>>> the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/,
>>> and
>>> obviously nothing in /etc/pki/ on the host itself.
>>
>> AFAIR no process uses these certs as such. There are only processes that
>> use
>> the ssh-format keys extracted from them, which do not include a
>> signature
>> (sha1 or whatever).
>>
>> If you think I am wrong, and/or notice other certs that need to be
>> regenerated,
>> that's a bug - please open one. Thanks!
>
> I have not noticed anything, yet, but I have not restarted the host or
> vdsm since I re-ran engine-setup.
>
>> Re remote-viewer/spice: You didn't say if you tried again after
>> engine-setup
>> and what happened. In any case, this is unrelated to vmconsole (which is
>> for
>> serial consoles, using ssh). But you might still need to regenerate the
>> host
>> cert.
>
> Sorry, I thought I did.  Yes, I did try re-running remote-viewer after
> running engine-setup.  There was no change in the console.vv file (except
> of course for the password and sso-token), so yes, it failed in the same
> way.
>
> Note, however, that I did not restart vdsm or the host after running
> engine-setup.
>
>> BTW: You can try using novnc and websocket-proxy - engine-setup does
>> update
>> the cert for the latter, so this might work as-is.
>
> Yes, that does work indeed, so as a short-term solu

[ovirt-users] Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?

2020-12-06 Thread Derek Atkins
Hi,

On Sun, December 6, 2020 7:44 am, Yedidyah Bar David wrote:
> On Sun, Dec 6, 2020 at 12:34 AM Derek Atkins  wrote:
[snip]
>> So  Is there a command-line way to re-enroll manually and update the
>> host certs?
>
> I don't think you'll find anything like this.
>
> People did come up in the past with various procedures to hack pki like
> what
> you want, but these are, generally speaking, quite fragile - usually do
> not
> get updated over versions etc.
>
> I am pretty certain the only way to do this using "official" tools/docs
> is:
>
> 1. Stop all VMs except for the engine one.
>
> 2. Take a backup with engine-backup.
>
> 3. Stop the engine VM.
>
> 4. Reinstall the host OS from scratch or use ovirt-hosted-engine-cleanup.
>
> 5. Provision the host again as a hosted-engine host, using
> '--restore-from-file'.
> Either using new storage for the engine, or after cleaning up the existing
> hosted-engine storage.

If I were to go this route I might as well upgrade to EL8 / 4.4 at the
same time.  However, I would rather not do that; I consider that a very
dangerous operation, with a generally too-high probability of failure.

> If you still want to try doing this manually, then the tool to use is
> pki-enroll-request.sh. IIRC it's documented. You should find what
> keys/certs
> you want to replace, generate new keys and CSRs (or use existing keys and
> generate CSRs, or even use existing CSRs if you find them), copy to the
> engine,
> sign with pki-enroll-request.sh, then copy the generated cert to the host.

Thanks.  I will look into this method.

> I am
> almost certain there is no way to tell vdsm (and other processes) to
> reload
> the certs, so you'll have to restart it (them) - and this usually
> requires putting
> the host in maintenance (and therefore stop (migrate) all VMs).

I don't mind stopping the VMs in order to reboot the host if I can plan
that.  My understanding is that because there is no place to migrate the
hosted-engine, that implies even if I stop all the other VMs, I still cannot
put the host into maintenance mode.  Is my understanding correct?

>>  Or some other way to get all the leftover certs renewed?
>
> Which ones, specifically?

I think I listed them all:  *.cer and vmconsole*.cer on the engine,
and of course everything on the host itself.

Does it matter that ca.der didn't change?  I don't know if that is a
self-signed cert that might be problematic?

>>
>> Thanks,
>>
>> -derek
>>
>> [1] Not only did it not update the Host's cert, it did not update any of
>> the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/,
>> and
>> obviously nothing in /etc/pki/ on the host itself.
>
> AFAIR no process uses these certs as such. There are only processes that
> use
> the ssh-format keys extracted from them, which do not include a signature
> (sha1 or whatever).
>
> If you think I am wrong, and/or notice other certs that need to be
> regenerated,
> that's a bug - please open one. Thanks!

I have not noticed anything, yet, but I have not restarted the host or
vdsm since I re-ran engine-setup.

> Re remote-viewer/spice: You didn't say if you tried again after
> engine-setup
> and what happened. In any case, this is unrelated to vmconsole (which is
> for
> serial consoles, using ssh). But you might still need to regenerate the
> host
> cert.

Sorry, I thought I did.  Yes, I did try re-running remote-viewer after
running engine-setup.  There was no change in the console.vv file (except
of course for the password and sso-token), so yes, it failed in the same
way.

Note, however, that I did not restart vdsm or the host after running
engine-setup.

> BTW: You can try using novnc and websocket-proxy - engine-setup does
> update
> the cert for the latter, so this might work as-is.

Yes, that does work indeed, so as a short-term solution that can work for
me.  I'll ask my colleague on a Mac if that works for him.

But it would be nice to get remote-viewer working, IMHO, which would
require a way to renew / refresh the host cert -- which of course would be
nice to do without having to re-install!

Thanks!!!

> Best regards,
> --
> Didi

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4AGI6SIPIP6JRU4SYLTXL5YGP5VPL462/


[ovirt-users] How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?

2020-12-05 Thread Derek Atkins
Hi,

I've got a single-host hosted-engine deployment that I originally
installed with 4.0 and have upgraded over the years to 4.3.10.  I and some
of my users have upgraded remote-viewer and now I get an error when I try
to view the console of my VMs:

(remote-viewer:8252): Spice-WARNING **: 11:30:41.806:
../subprojects/spice-common/common/ssl_verify.c:477:openssl_verify: Error
in server certificate verification: CA signature digest algorithm too weak
(num=68:depth0:/O=/CN=)

I am 99.99% sure this is because the old certs use SHA1.

I reran engine-setup on the engine and it asked me if I wanted to renew
the PKI, and I answered yes.  This replaced many[1] of the certificates in
/etc/pki/ovirt-engine/certs on the engine, but it did not update the
Host's  certificate.

All the documentation I've seen says that to refresh this certificate I
need to put the host into maintenance mode and then re-enroll.  However I
cannot do that, because this is a single-host system so I cannot put the
host in local mode -- there is no place to migrate the VMs (let alone the
Engine VM).

So  Is there a command-line way to re-enroll manually and update the
host certs?  Or some other way to get all the leftover certs renewed?

Thanks,

-derek

[1] Not only did it not update the Host's cert, it did not update any of
the vmconsole-proxy certs, nor the certs in /etc/pki/ovirt-vmconsole/, and
obviously nothing in /etc/pki/ on the host itself.


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JEW5WIRD67WMF6TVG7367ZMSHX2KYGGV/
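One way to confirm which certificate files are still SHA-1 signed, before and after a renewal, is to read the signatureAlgorithm field of each one. The following is an added example, not part of the thread or of oVirt's tooling: a standard-library Python reader for PEM or DER files. The sample certificate it builds is a constructed DER skeleton, not a real oVirt certificate, and all function names are this example's own.

```python
#!/usr/bin/env python3
"""Report the signature algorithm of X.509 certificates (PEM or DER), stdlib only."""
import base64
import re
import sys

# signature-algorithm OID -> (name, True if the digest is MD5 or SHA-1)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data):
    """Return DER bytes; the first PEM block is decoded, anything else is taken as DER."""
    match = PEM_BLOCK.search(data)
    return base64.b64decode(match.group(1)) if match else data


def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    try:
        tag, length = buf[pos], buf[pos + 1]
    except IndexError:
        raise ValueError("truncated DER")
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    subids, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends a sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)
    return ".".join(str(n) for n in [first, subids[0] - 40 * first] + subids[1:])


def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    _, _, tbs_end = read_tlv(der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    return decode_oid(der[oid_start:oid_end])


def classify(der):
    """Return (oid, name, weak); weak is None for an algorithm not in SIG_ALGS."""
    oid = signature_oid(der)
    name, weak = SIG_ALGS.get(oid, ("unknown", None))
    return oid, name, weak


def tlv(tag, content):
    """DER encoder, used only to build the constructed sample below."""
    size = len(content)
    if size < 0x80:
        head = bytes([size])
    else:
        count = (size.bit_length() + 7) // 8
        head = bytes([0x80 | count]) + size.to_bytes(count, "big")
    return bytes([tag]) + head + content


def sample_cert(sig_oid_content):
    """Constructed skeleton with the outer layout of a certificate (not validly signed)."""
    alg = tlv(0x30, tlv(0x06, sig_oid_content) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xaa" * 256))


if __name__ == "__main__":
    # e.g. pass the files under /etc/pki/ovirt-engine/certs/ on the command line
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            try:
                _, name, weak = classify(to_der(handle.read()))
            except ValueError as exc:
                print("error    %s: %s" % (path, exc))
                continue
        print("%-8s %-24s %s" % ("WEAK" if weak else "ok", name, path))
```

Only the first certificate in each file is examined, and the field read is that certificate's own signature algorithm, which is what the "digest algorithm too weak" check in the error above looks at.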


[ovirt-users] Re: Single Node HCI upgrade procedure from CentOS7/oVirt 4.3 to CentOS8/oVirt 4.4?

2020-11-11 Thread Derek Atkins
There are plenty of other reasons to be running a single-host
Hyperconverged  deployment, in production.  One of them is financial. 
Another is for small-scale production systems that don't have the space,
finances, or other resources to run a 3-node system.  Considering it a
"toy" doesn't mean it isn't (or shouldn't be) a supported deployment.

Having a tested upgrade path from EL 7.x/Ovirt 4.3.x to EL 8 / Ovirt 4.4
running on a single system would be extremely useful in those situations.

I do realize that any upgrade of a single-host system is rife with the
dangers of a failed upgrade, and it requires downtime either way.  However
I feel an in-place (yum/dnf) path is "safer" than a "reinstall from
scratch" path.  So having a well-documented path would be ideal.

Thanks!

-derek

PS: While I am LOOKING at expanding my 1-node system to 3, I don't see
that happening any time soon.  And even then, I would need to migrate my
NFS storage to something more distributed like Gluster.  So I suspect I
would need to reinstall the self-hosted engine regardless to change its
storage, and then I can migrate all existing VMs from NFS to Gluster.

On Sat, September 26, 2020 9:00 am, tho...@hoberg.net wrote:
> I can hear you saying: "You did understand that single node HCI is just a
> toy, right?"
>
> For me the primary use of a single node HCI is adding some disaster
> resilience in small server edge type scenarios, where a three node HCI
> provides the fault tolerance: 3+1 with a bit of distance, warm or even
> cold stand-by, potentially manual switch and reduced workload in case
> disaster strikes.
>
> Of course, another 3nHCI would be better, but who gets that type of
> budget, right?
>
> What I am trying to say: If you want oVirt to gain market share, try to give
> HCI more love. And while you're at it, try to make expanding from 1nHCI to
> 3nHCI (and higher counts) a standard operational procedure to allow
> expanding a disaster stand-by into a production setup, while the original
> 3nHCI is being rebuilt.
>
> For me low-budget HCI is where oVirt has its biggest competitive advantage
> against vSan and Nutanix, so please don't treat the HCI/gluster variant
> like an unwanted child any more.
>
> In the mean-time OVA imports (from 4.3.10 exports) on my 4.4.2 1nHCI fail
> again, which I'll report separately.
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/QI3Z45SRJD72ZJIX6HZCVC7DVVSZCKUW/
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5MMU7TOS2776IV72H75WMJTZCF7TAHDU/


[ovirt-users] Re: VM AutoStart

2020-09-30 Thread Derek Atkins
I did.  years ago.  When 4.0 was current.

Some of the work to implement that went into 4.4, where it will recover
state on a crash (i.e., if you have VMs marked as auto-start and you have
a power outage, it will restart them).  However, I believe there is no
order to it, and it will only start VMs that were running when the system
went down.  That doesn't help me; I have a single-host ovirt system and
whenever I do routine maintenance I cleanly shut down the VMs, and I want
them to come back up when ovirt does.

There is, I believe, more going into later versions.  I think there are
still at least one or two open RFEs on auto-starting VMs.

But I still use the script because I need complete fault recovery on my
system, and I need ordering of restarts (need my DNS server to come up
before other things, for example).

If you do need to make fixes for python3, please feel free to send them my
way!

-derek

On Wed, September 30, 2020 4:14 pm, Jeremey Wise wrote:
> 
>
> Ya.. that is a lot easier.
>
> Someone should put this in as a feature request.  I don't want HA (and
> have
> errors on getting that to work)  I just want VMs to boot on initial
> cluster
> start.
>
> this was standard in libvirt :)   I am trying to convert to oVirt ways...
>
> On Wed, Sep 30, 2020 at 4:10 PM Derek Atkins  wrote:
>
>> Hi,
>>
>> On Wed, September 30, 2020 3:50 pm, Jeremey Wise wrote:
>> > As the three servers are Centos8 minimal installs. + oVirt HCI wizard
>> to
>> > keep them lean and mean... a couple questions
>>
>> Note that you run this on the Engine VM, not on a host.
>>
>> > 1) which version of python would I need for this (note in script about
>> > python 2 but isn't that deprecated?)
>> > [root@thor /]# yum install python
>> > Last metadata expiration check: 2:29:38 ago on Wed 30 Sep 2020
>> 01:18:32
>> PM
>> > EDT.
>> > No match for argument: python
>> > There are following alternatives for "python": python2, python36,
>> python38
>> > Error: Unable to find a match: python
>>
>> I am still running 4.3, so "python" is 2.7.
>> I have not tested with python3.
>>
>> > 2)  When you have three nodes.. one is set to host the ovirt-engine
>> > active,
>> > and another as backup.  If this is added to rc.local.   Of the two
>> nodes
>> > hosting HA for oVirt-engine.. node which boots first will host (or so
>> it
>> > seems). I think if I add this to both those hosts .. it will not
>> create
>> > issues.  Any thoughts?
>>
>> Don't run it on a host, run it from within the Engine VM.
>>
>> The host(s) will figure out by themselves that they need to start the
>> engine if one isn't running.  Then when the engine starts the script
>> will
>> run and start the VMs.
>>
>> -derek
>>
>> >
>> > On Wed, Sep 30, 2020 at 3:23 PM Derek Atkins  wrote:
>> >
>> >> I run it out of rc.local:
>> >>
>> >> /usr/local/sbin/start_vms.py > /var/log/start_vms 2>&1 &
>> >>
>> >> The script is smart enough to wait for the engine to be fully active.
>> >>
>> >> -derek
>> >>
>> >> On Wed, September 30, 2020 3:11 pm, Jeremey Wise wrote:
>> >> > i would like to eventually go ansible route..  and was starting
>> down
>> >> that
>> >> > path but this is fabulous.
>> >> >
>> >> > I will modify and post how it went.
>> >> >
>> >> > One question:  How /where do you set this saved new and delicious
>> >> script
>> >> > so
>> >> > once oVirt-engine comes up... it runs?
>> >> >
>> >> > Thanks
>> >> >
>> >> > On Wed, Sep 30, 2020 at 2:42 PM Derek Atkins 
>> wrote:
>> >> >
>> >> >> Hi,
>> >> >>
>> >> >> I had a script based around ovirt-shell which I re-wrote as a
>> script
>> >> >> around the Python SDK4 which I run on my engine during the startup
>> >> >> sequence.  The script will wait for the engine to come up and
>> ensure
>> >> the
>> >> >> storage domains are up before it tries to start the VMs.  Then it
>> >> will
>> >> >> go
>> >> >> ahead and start the VMs in the specified order with specified
>> delay
>> >> >> and/or
>> >> >> wait-for-up signal between them.
>&

[ovirt-users] Re: VM AutoStart

2020-09-30 Thread Derek Atkins
Hi,

On Wed, September 30, 2020 3:50 pm, Jeremey Wise wrote:
> As the three servers are Centos8 minimal installs. + oVirt HCI wizard to
> keep them lean and mean... a couple questions

Note that you run this on the Engine VM, not on a host.

> 1) which version of python would I need for this (note in script about
> python 2 but isn't that deprecated?)
> [root@thor /]# yum install python
> Last metadata expiration check: 2:29:38 ago on Wed 30 Sep 2020 01:18:32 PM
> EDT.
> No match for argument: python
> There are following alternatives for "python": python2, python36, python38
> Error: Unable to find a match: python

I am still running 4.3, so "python" is 2.7.
I have not tested with python3.

> 2)  When you have three nodes.. one is set to host the ovirt-engine
> active,
> and another as backup.  If this is added to rc.local.   Of the two nodes
> hosting HA for oVirt-engine.. node which boots first will host (or so it
> seems). I think if I add this to both those hosts .. it will not create
> issues.  Any thoughts?

Don't run it on a host, run it from within the Engine VM.

The host(s) will figure out by themselves that they need to start the
engine if one isn't running.  Then when the engine starts the script will
run and start the VMs.

-derek

>
> On Wed, Sep 30, 2020 at 3:23 PM Derek Atkins  wrote:
>
>> I run it out of rc.local:
>>
>> /usr/local/sbin/start_vms.py > /var/log/start_vms 2>&1 &
>>
>> The script is smart enough to wait for the engine to be fully active.
>>
>> -derek
>>
>> On Wed, September 30, 2020 3:11 pm, Jeremey Wise wrote:
>> > i would like to eventually go ansible route..  and was starting down
>> that
>> > path but this is fabulous.
>> >
>> > I will modify and post how it went.
>> >
>> > One question:  How /where do you set this saved new and delicious
>> script
>> > so
>> > once oVirt-engine comes up... it runs?
>> >
>> > Thanks
>> >
>> > On Wed, Sep 30, 2020 at 2:42 PM Derek Atkins  wrote:
>> >
>> >> Hi,
>> >>
>> >> I had a script based around ovirt-shell which I re-wrote as a script
>> >> around the Python SDK4 which I run on my engine during the startup
>> >> sequence.  The script will wait for the engine to come up and ensure
>> the
>> >> storage domains are up before it tries to start the VMs.  Then it
>> will
>> >> go
>> >> ahead and start the VMs in the specified order with specified delay
>> >> and/or
>> >> wait-for-up signal between them.
>> >>
>> >> You can find my scripts at https://www.ihtfp.org/ovirt/
>> >>
>> >> Or you can go the ansible route :)
>> >>
>> >> Enjoy!
>> >>
>> >> -derek
>> >>
>> >> On Wed, September 30, 2020 11:21 am, Jeremey Wise wrote:
>> >> > When I have to shut down cluster... ups runs out etc..  I need a
>> >> sequence
>> >> > set of just a small number of VMs to "autostart"
>> >> >
>> >> > Normally I just use DNS FQDN to connect to oVirt engine but as two
>> of
>> >> my
>> >> > VMs  are a DNS HA cluster..  as well as NTP / SMTP /DHCP etc...  I
>> >> need
>> >> > those two infrastructure VMs to be auto boot.
>> >> >
>> >> > I looked at HA settings for those VMs but it seems to be watching
>> for
>> >> > pause
>> >> > /resume.. but it does not imply or state auto start on clean first
>> >> boot.
>> >> >
>> >> > Options?
>> >> >
>> >> >
>> >> > --
>> >> > p enguinpages
>> >> > List Archives:
>> >> >
>> >>
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/VAYHFFSANCBRN44ABBTXIYEAR3ZFCP6N/
>> >> >
>> >>
>> >>
>> >> --
>> >>Derek Atkins 617-623-3745
>> >>de...@ihtfp.com www.ihtfp.com
>> >>Computer and Internet Security Consultant
>> >>
>> >>
>> >
>> > --
>> > jeremey.w...@gmail.com
>> >
>>
>>
>> --
>>Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>>
>>
>
> --
> jeremey.w...@gmail.com
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BAMLT6SIDJ63L2GVPLEGZEUXAI7QLB33/


[ovirt-users] Re: VM AutoStart

2020-09-30 Thread Derek Atkins
I run it out of rc.local:

/usr/local/sbin/start_vms.py > /var/log/start_vms 2>&1 &

The script is smart enough to wait for the engine to be fully active.

-derek

On Wed, September 30, 2020 3:11 pm, Jeremey Wise wrote:
> i would like to eventually go ansible route..  and was starting down that
> path but this is fabulous.
>
> I will modify and post how it went.
>
> One question:  How /where do you set this saved new and delicious script
> so
> once oVirt-engine comes up... it runs?
>
> Thanks
>
> On Wed, Sep 30, 2020 at 2:42 PM Derek Atkins  wrote:
>
>> Hi,
>>
>> I had a script based around ovirt-shell which I re-wrote as a script
>> around the Python SDK4 which I run on my engine during the startup
>> sequence.  The script will wait for the engine to come up and ensure the
>> storage domains are up before it tries to start the VMs.  Then it will
>> go
>> ahead and start the VMs in the specified order with specified delay
>> and/or
>> wait-for-up signal between them.
>>
>> You can find my scripts at https://www.ihtfp.org/ovirt/
>>
>> Or you can go the ansible route :)
>>
>> Enjoy!
>>
>> -derek
>>
>> On Wed, September 30, 2020 11:21 am, Jeremey Wise wrote:
>> > When I have to shut down cluster... ups runs out etc..  I need a
>> sequence
>> > set of just a small number of VMs to "autostart"
>> >
>> > Normally I just use DNS FQDN to connect to oVirt engine but as two of
>> my
>> > VMs  are a DNS HA cluster..  as well as NTP / SMTP /DHCP etc...  I
>> need
>> > those two infrastructure VMs to be auto boot.
>> >
>> > I looked at HA settings for those VMs but it seems to be watching for
>> > pause
>> > /resume.. but it does not imply or state auto start on clean first
>> boot.
>> >
>> > Options?
>> >
>> >
>> > --
>> > p enguinpages
>> > List Archives:
>> >
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/VAYHFFSANCBRN44ABBTXIYEAR3ZFCP6N/
>> >
>>
>>
>> --
>>Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>>
>>
>
> --
> jeremey.w...@gmail.com
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FPIQXRONES2HEZTAK437GQTGPOAYGILT/


[ovirt-users] Re: VM AutoStart

2020-09-30 Thread Derek Atkins
Hi,

I had a script based around ovirt-shell which I re-wrote as a script
around the Python SDK4 which I run on my engine during the startup
sequence.  The script will wait for the engine to come up and ensure the
storage domains are up before it tries to start the VMs.  Then it will go
ahead and start the VMs in the specified order with specified delay and/or
wait-for-up signal between them.

You can find my scripts at https://www.ihtfp.org/ovirt/

Or you can go the ansible route :)

Enjoy!

-derek

On Wed, September 30, 2020 11:21 am, Jeremey Wise wrote:
> When I have to shut down cluster... ups runs out etc..  I need a sequence
> set of just a small number of VMs to "autostart"
>
> Normally I just use DNS FQDN to connect to oVirt engine but as two of my
> VMs  are a DNS HA cluster..  as well as NTP / SMTP /DHCP etc...  I need
> those two infrastructure VMs to be auto boot.
>
> I looked at HA settings for those VMs but it seems to be watching for
> pause
> /resume.. but it does not imply or state auto start on clean first boot.
>
> Options?
>
>
> --
> p enguinpages
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/VAYHFFSANCBRN44ABBTXIYEAR3ZFCP6N/
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NWZVOBMIUWXADBIEG5OJH4ARVXNI3CDD/


[ovirt-users] Re: invalid spf record for ovirt.org

2020-07-22 Thread Derek Atkins
Hi,

The current SPF record reads:
  v=spf1 a:mail.ovirt.org a:gerrit.ovirt.org 66.187.233.88 ~all

As pointed out, this is invalid.  It requires an "ip4:" in there, so it
SHOULD read:

  v=spf1 a:mail.ovirt.org a:gerrit.ovirt.org ip4:66.187.233.88 ~all


Arguably it should also include a /32, but I don't think that's required.

I'm not sure to whom this bug should be reported.

-derek

On Wed, July 22, 2020 8:49 am, Jorick Astrego wrote:
> Hi,
>
> During routine maintenance on our mailserver I noticed the following in
> the log:
>
> [22/Jul/2020 14:33:33] Error when parsing SPF TXT record for domain:
> ovirt.org, envelope-from=users-boun...@ovirt.org, message: Invalid
> character found near "" in "66.187.233.88"
>
> A check on MXtoolbox also gives an invalid syntax error:
>
> v=spf1 a:mail.ovirt.org a:gerrit.ovirt.org 66.187.233.88 ~all
>
> Prefix  Type           Value             PrefixDesc  Description                                         Error
>         v              spf1                          The SPF record version
> +       a              mail.ovirt.org    Pass        Match if IP has a DNS 'A' record in given domain.
> +       a              gerrit.ovirt.org  Pass        Match if IP has a DNS 'A' record in given domain.
> +       66.187.233.88                    Pass        Unknown                                             Unknown mechanisms are not allowed
> ~       all                              SoftFail    Always matches. It goes at the end of your record.
>
> Test              Result
> SPF Syntax Check  Invalid syntax found
> <https://mxtoolbox.com/problem/spf/spf-syntax-check?page=prob_spf=spf:ovirt.org=1=0=1>
>
>
>
>
>
> With kind regards,
>
> Jorick Astrego
>
> Netbulae Virtualization Experts
>
> Tel: 053 20 30 270   i...@netbulae.eu   Staalsteden 4-3A   KvK 08198180
> Fax: 053 20 30 271   www.netbulae.eu    7547 TA Enschede   BTW NL821234584B01
>
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/I4MDC4WBOOHE4TYDW4OL5SRGV7S44BIH/
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/K6IBOAYHFNBMZ6ZHVR64EIIO7NZGOVDU/
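The parse failure discussed in this message can be reproduced with a small term-level syntax check. The following is an added example, not part of the thread and not the code of any mail server or of MXToolbox: it checks each term of a record against the mechanism names of RFC 7208 and proposes the `ip4:`/`ip6:` prefix for a bare address. The two records are the ones quoted above; the function names are this example's own.

```python
"""Syntax check for the terms of an SPF record (RFC 7208), standard library only."""
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=")   # name=value, e.g. redirect=

# The two records quoted in the thread.
PUBLISHED = "v=spf1 a:mail.ovirt.org a:gerrit.ovirt.org 66.187.233.88 ~all"
CORRECTED = "v=spf1 a:mail.ovirt.org a:gerrit.ovirt.org ip4:66.187.233.88 ~all"


def split_qualifier(term):
    """Split an optional leading qualifier (+ - ~ ?) from the rest of the term."""
    return (term[0], term[1:]) if term[0] in "+-~?" else ("", term)


def address_family(text):
    """Return 'ip4' or 'ip6' if text is an address or CIDR network, else None."""
    try:
        return "ip%d" % ipaddress.ip_network(text, strict=False).version
    except ValueError:
        return None


def check_term(term):
    """Return None for a well-formed term, otherwise a description of the problem."""
    if MODIFIER.match(term):
        return None                      # modifiers, including unknown ones, are legal
    qualifier, body = split_qualifier(term)
    if not body:
        return "qualifier without a mechanism"
    family = address_family(body)
    if family:
        return "bare address is not a mechanism; write %s%s:%s" % (
            qualifier, family, body)
    name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
    arg = body[len(name):]
    if name not in MECHANISMS:
        return "unknown mechanism %r" % name
    if name in ("ip4", "ip6"):
        # the address must follow a colon and match the mechanism's family;
        # a CIDR length such as /32 is optional
        if not arg.startswith(":") or address_family(arg[1:]) != name:
            return "%s needs a valid address or network of that family" % name
    elif name in ("include", "exists") and not (arg.startswith(":") and len(arg) > 1):
        return "%s needs a domain" % name
    elif name == "all" and arg:
        return "all takes no argument"
    return None


def check_record(record):
    """Return a list of (term, problem) pairs; an empty list means no syntax errors."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [(terms[0] if terms else "", "record must start with v=spf1")]
    problems = []
    for term in terms[1:]:
        problem = check_term(term)
        if problem:
            problems.append((term, problem))
    return problems


def repair(record):
    """Prefix bare addresses with ip4:/ip6:; every other term is left untouched."""
    fixed = []
    for term in record.split():
        qualifier, body = split_qualifier(term)
        family = address_family(body)
        fixed.append("%s%s:%s" % (qualifier, family, body) if family else term)
    return " ".join(fixed)


if __name__ == "__main__":
    for label, record in (("published", PUBLISHED), ("corrected", CORRECTED)):
        print(label, check_record(record) or "ok")
    print("repair ->", repair(PUBLISHED))
```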


[ovirt-users] Re: EXTERNAL - Re: Update to Ovirt 4.3.10-4-1 causes XFS issue

2020-06-17 Thread Derek Atkins
Hi,

Chaz Vidal  writes:

> Thank you for the response!
>
> I tried to do another upgrade again on the ovirt manager and can
> confirm that it is now in the supposedly fixed version of the kernel.
>
> However, when I try to update the hosts using the prescribed gui style
> method they do report back as no updates available.
>
> Should I force an update on the kernel on the hosts or is this not advised?

There shouldn't be a need.  Are you sure the hosts are running the old
kernel?  The hosts should just update via "yum update", although I admit
I don't know what the "update" function from the UI does under the
covers.  I have a single-host hyperconverged system so I have to update
manually.

You can check if there is anything to do by logging into the host and
running: "yum check-update"; it shouldn't list anything.

> Thanks
> Chaz

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/S2SI6EO3VV7FW3IJTDKX7VUPXLXOQ4B2/


[ovirt-users] Re: Update to Ovirt 4.3.10-4-1 causes XFS issue

2020-06-16 Thread Derek Atkins
Hi,

"Chaz Vidal"  writes:

> Hi All
> I think I have come across this bug:
>
> https://access.redhat.com/solutions/5075561
>
> Updating Ovirt to 4.3.10 shows that the kernel installed on the hosts
> is the version that has the issue:
>
> 3.10.0-1127.8.2.el7.x86_64
>
> The RedHat article suggests updating to kernel-3.10.0-1127.10.1.el7
> but running engine-upgrade-check now shows no updates available from
> my engine manager.
>
> Is this something I can fix myself or would the updated kernel be available?
>
> Appreciate the advice as new to Ovirt. Normally I would point the
> hosts to the new kernel but I think it should be updated through Ovirt
> manager, correct?

On the engine my update method is the following:

engine-setup
yum upgrade
engine-setup
reboot

So basically run engine-setup which will update the Ovirt packages, then
you can "yum upgrade" to upgrade the base system, then re-run
engine-setup just to be sure nothing broke.  Then you can reboot into
the new kernel.

The reason I do this is that engine-setup won't upgrade the full OS
(including kernel) -- it will only update the ovirt packages.

Hope this helps,

> Thanks!
> Chaz

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JLYO3LZG6QYKEEWDTF5ZSOWU7JXP3CZQ/


[ovirt-users] Re: AutoStart VMs (was Re: Re: oVirt 4.4.0 Release is now generally available)

2020-05-29 Thread Derek Atkins
Hi,

Strahil Nikolov  writes:

> Hi Derek,
>
> I also don't like Python (and I prefer Salt instead of Ansible), but
> Ansible is the wiser option /personal opinion/.
> My reasons - API change, so your code will eventually die.
> With Ansible - a lot of people use it and there is a high chance that
> someone updates the Ansible module that will do the job even after the
> API changes.

Thank you for your input.  Turns out it's probably not an issue right
now anyways because my understanding is that there is no "live" upgrade
path from 4.3/7.x to 4.4/8.x.  My understanding is that the only upgrade
path is a re-install.  If that's the case, then I suspect it will be a
VERY long time until I upgrade, because I'm on a single-host production
system so can't stage a reinstall the same way I can stage a "yum upgrade".

> Also, Ansible is declarative, while python will need more effort.

I guess only time will tell ;)

There wasn't a significant learning curve to python (as I've already had
experience with it, and most of what I needed to do was already in the
SDK examples).  Ansible is a tool I have never even looked at, let alone
tried to use it, so I suspect it would take me more than a couple hours
to get it working.

> Best  Regards,
> Strahil Nikolov

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/Y5ZOZHNN4ERKPAGZ3QN5D7RY3ZC4XQPG/


[ovirt-users] Re: AutoStart VMs (was Re: Re: oVirt 4.4.0 Release is now generally available)

2020-05-27 Thread Derek Atkins
Hi,

On Wed, May 27, 2020 5:38 pm, Gianluca Cecchi wrote:
[snip]
> But you hated Python, didn't you? ;-)

I do.  Can't stand it.  Doesn't mean I can't read it and/or write it, but
I have to hold my nose doing it.  Syntactic white space?  Eww.  But Python
is already installed and used and, apparently, supported..  And when I
looked at the examples I found that 90% of what I needed to do was already
implemented, so it turned out to be much easier than expected.

> I downloaded your files, even if I'm far from knowing python

It's pretty much a direct translation of my bash script around
ovirt-shell.  It does have one feature that the old code didn't, which is
the ability to wait for ovirt to declare that a vm is actually "up".

> try the ansible playbook that gives you more flexibility in my opinion

I've never even installed ansible, let alone tried to use it.  I don't
need flexibility, I need the job to get done.  But I'll take a look when I
get the chance.  Thanks!

> Gianluca

-derek

PS: you (meaning whomever is "in charge") are welcome to add my script(s) to
the examples repo if you feel other people would benefit from seeing it
there.

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/J6JJBY37J4N2KGVFL5V3EHCXUONQWBLR/


[ovirt-users] Re: AutoStart VMs (was Re: Re: oVirt 4.4.0 Release is now generally available)

2020-05-27 Thread Derek Atkins
Eh, no point in creating a repo for that, so I just put them on the web:

https://www.ihtfp.org/ovirt/

-derek

On Wed, May 27, 2020 11:05 am, Staniforth, Paul wrote:
>
> Thanks Derek,
> GitHub or GitLab probably.
>
> Regards,
> Paul S.
> ____
> From: Derek Atkins 
> Sent: 27 May 2020 15:50
> To: Gianluca Cecchi 
> Cc: tho...@hoberg.net ; users 
> Subject: [ovirt-users] AutoStart VMs (was Re: Re: oVirt 4.4.0 Release is
> now generally available)
>
> Hi,
>
> (Sorry if you get this twice -- looks like it didn't like the python
>  script in there so I'm resending without the code)
>
> Gianluca Cecchi  writes:
>
>> Hi Derek,
>> today I played around with Ansible to accomplish, I think, what you
>> currently
>> do in oVirt shell.
>> It was the occasion to learn, as always, something new: as "blocks" in
>> Ansible
>> don't support looping, a workaround to get that.
>> Furthermore I have a single host environment where it can turn useful
>> too...
> [snip]
>
> I found the time to work on this using the Python SDK.  Took me longer
> than I wanted but I think I've got something working now.  I just
> haven't done a FULL test, yet, but a runtime time on the online system
> works (I commented out the start call).
>
> I still have two files, a vm_list.py which is a config file that
> contains the list of VMs, in order, and then the main program itself
> (start_vms.py) which is based on several of the examples available in
> github.
>
> Unfortunately I can't seem to send the script in email because it's
> getting blocked by the redhat server -- so I have no idea the best way
> to share it.
>
> -derek
>
> --
>Derek Atkins 617-623-3745
>de...@ihtfp.com www.ihtfp.com
>Computer and Internet Security Consultant
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2SWGNCELQXAQ6RB6KPQ3RR62G63OLKAS/


[ovirt-users] AutoStart VMs (was Re: Re: oVirt 4.4.0 Release is now generally available)

2020-05-27 Thread Derek Atkins
Hi,

(Sorry if you get this twice -- looks like it didn't like the python
 script in there so I'm resending without the code)

Gianluca Cecchi  writes:

> Hi Derek,
> today I played around with Ansible to accomplish, I think, what you currently
> do in oVirt shell.
> It was the occasion to learn, as always, something new: as "blocks" in Ansible
> don't support looping, a workaround to get that.
> Furthermore I have a single host environment where it can turn useful too...
[snip]

I found the time to work on this using the Python SDK.  Took me longer
than I wanted but I think I've got something working now.  I just
haven't done a FULL test, yet, but a runtime time on the online system
works (I commented out the start call).

I still have two files, a vm_list.py which is a config file that
contains the list of VMs, in order, and then the main program itself
(start_vms.py) which is based on several of the examples available in
github.

Unfortunately I can't seem to send the script in email because it's
getting blocked by the redhat server -- so I have no idea the best way
to share it.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/X7KLBANUBJCMASFONU2SZQH5Z3HJU2SI/


[ovirt-users] Re: oVirt 4.4.0 Release is now generally available

2020-05-22 Thread Derek Atkins
Hi,

Strahil Nikolov  writes:

> Actually,
> You can use Ansible and 'uri' module to communicate with the engine
> via the API. Most probably the 'uri' module was written in python -
> but you don't have to deal with python code - just ansible.
> Also, it's worth checking the ansible Ovirt modules, as they are kept
> up to date even when the API endpoint changes.
>
> I think it won't be too hard to get a list of the VMs and then create
> some logic how to order them for the 'ignition'.

I took a much closer look at the examples yesterday and there are 2 of
the 3 things I need already there:

1) test_connection.py -- make sure the engine is up
2) [ get list of total and attached storage domains ]
3) start_vm.pl -- start a VM (by name, it looks like)

So really it's only #2 that is missing.  There is a show_summary.py in
there, but that doesn't give me *all* the code I need to piece together
(but I suspect it's close to what I need as I was calling the 'summary'
ovirt-shell api to get the info I needed before).  I suspect I just need
to pull apart the api.summary.storage_domains class to figure out what I
need.  Clearly there is a 'total', so I just need to figure out 'up',
and it looks like I might be able to rewrite my script.  Python... EWW.

FTR: I don't think I need to check that the datacenter status is up; I
added that in not really understanding the changes between 4.1 and 4.3.
The issue is that the storage domain status isn't initialized to 'down'
when the engine first comes up so my script was testing that and seeing
all domains up when they really weren't.

> Best Regards,
> Strahil Nikolov

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CHFRKNZLNHNJOGSEHOX5QAIMBYUYD3VZ/


[ovirt-users] Re: oVirt 4.4.0 Release is now generally available

2020-05-21 Thread Derek Atkins
Nir,

Nir Soffer  writes:

> Why not open RFE to add the feature you need?

I did -- about 3-4 years ago.  SOME of them have been implemented, some
have been partially implemented, but I am still waiting for ovirt to
support the full VM startup functionality that I had in vmware-server
from like 2007 (or earlier).

Part of the issue here is that I suspect most ovirt users have multiple
hosts and therefore rarely have to worry about how host-system
maintenance affects the VMs, and probably live in data centers with
redundant power supplies, UPSes, and backup generators.

I, on the other hand, have got a single system so when I need to
perform any maintenance I need to take down everything, or if I have a
power outage that outlasts my UPS, or...  I want the VMs to come back up
automatically -- and in a particular order (e.g., I need my DNS and KDC
servers to come up before others).

I filed these RFEs during the 4.0 days, which is when I first started
using ovirt and put it into deployment.

> You can use the python SDK to do anything supported by oVirt API.
> Did you look here?
> https://github.com/oVirt/ovirt-engine-sdk/tree/master/sdk/examples

I have looked there, but I stopped reading after seeing "python".  ;)
Frankly I detest python.  I think it's an abomination.  There are so
many other, better languages out there and I don't understand why so
many people like it (and worse, force it down everyone else's throats).
But I'll step off my soap-box (and get off my lawn!)  lol.

Honestly, I already spent the time to build a tool to do what I need.  I
even had to update the tool going from 4.1 to 4.3 because some startup
assumptions changed.  I really don't want to spend the time again, time
I frankly don't have right now, to re-implement what I've already got.
It's easier for me to just stay put on 4.3.x.

Yes, I realize that in about 2 years or so I will need to do so.  I'll
worry about that then.

Of course, since the (partial?) functionality is only in 4.4, I really
have no way to test it to make sure it does what I need, so see what I'm
missing.  I don't have a testbed to play with it, just my one system.

Thanks,

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/X7LYSJ6M2YUUKSRT3H4A5RR4MUOTNYOS/


[ovirt-users] Re: oVirt 4.4.0 Release is now generally available

2020-05-20 Thread Derek Atkins
Hi,

On Wed, May 20, 2020 3:06 pm, Gianluca Cecchi wrote:

> In the mean time, just to better understand your environment, you say that
> you are in a single host environment.
> Can you detail where does your engine live? Is it a server outside the
> host
> or are you in a Self Hosted Engine configuration?

Self-hosted engine.

> And what are the kind of your storage domains, are they NFS served by the
> server itself or by Gluster on the host or external hosts or what?

NFS served by the host itself.

Both Host and Engine are CentOS-based systems with ovirt installed on top
of it.  Currently running 4.3.8; I plan to upgrade to 4.3.10 (and 7.8)
once it goes GA.

The start_vms.sh script is, of course, run on the engine, and runs with a
user with appropriate privs to start VMs.

Thanks!

> Gianluca

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/G6E2M52VW4QZQM46SRCKSW4UXZHH5K7P/


[ovirt-users] Re: oVirt 4.4.0 Release is now generally available

2020-05-20 Thread Derek Atkins
Hi,

On Wed, May 20, 2020 12:28 pm, Gianluca Cecchi wrote:
> On Wed, 20 May 2020, 18:15 Derek Atkins  wrote:
>
> [snip]
>
> I am happy to share my startup script if someone else wants to port it to
>> work with 4.4.  :-)
>>
>> -derek
>>
>
> Interesting. yes, please.
> We could try to convert to python or through ansible and/or leverage
> already existing roles/modules.
>
> Gianluca

Sure,

I cannot attach the script because it will get blocked by the mailer, so
I'll just copy-and-paste it below (which of course means that it'll be
line-wrapped, which might break it but you'll at least see what it's
doing).

The script does have some embedded assumptions about my system (like the
number of storage domains to look for).

It's broken into two parts, the script itself (start_vms.sh) and a
sysconfig script that says what VMs to start.  I run start_vms.sh from
/etc/rc.d/rc.local:

/usr/local/sbin/start_vms.sh > /var/log/start_vms 2>&1 &



The /etc/sysconfig/vm_list file looks like:

default_timeout=10

# Ordered list of VMs
declare -a vm_list=(
first-vm
second-vm
)

# Timeout override (otherwise use default_timeout)
declare -A vm_timeout=(
[first-vm]=30
)




The start_vms.sh script itself:

#!/bin/bash

[ -f /etc/sysconfig/vm_list ] || exit 0
. /etc/sysconfig/vm_list

echo -n "Starting at "
date

# Wait for the engine to respond
while [ "`ovirt-shell -I -c -F -T 50 -E ping 2>/dev/null | grep -c success`" != 1 ]
do
  echo "Not ready... Sleeping..."
  sleep 60
done

# Now wait for the storage domain to appear active
echo -n "Engine up.  Searching for disks at " ; date

# The 4.3.x engine keeps stale data, so let's wait for it to update
# to the correct state before we start looking for storage domains
sleep 60

total_disks=`ovirt-shell -I -c -E summary | grep storage_domains-total | sed -e 's/.*: //'`
# subtract one because we know we're not using the image-repository
total_disks=`expr "$total_disks" - 1`
active_disks=`ovirt-shell -I -c -E summary | grep storage_domains-active | sed -e 's/.*: //'`
while [ "$active_disks" -lt "$total_disks" ]
do
  echo "Storage Domains not active yet.  Only found $active_disks/$total_disks.  Waiting..."
  sleep 60
  active_disks=`ovirt-shell -I -c -E summary | grep storage_domains-active | sed -e 's/.*: //'`
done

# Now wait for the data center to show up
echo -n "All storage mounted.  Waiting for datacenter to be up at "
date

# Quoted so that an empty reply from ovirt-shell does not break the test
while [ "`ovirt-shell -I -c -E 'show datacenter Default' | grep status-state | sed -e 's/.*: //'`" != 'up' ]
do
  echo "Not ready... Sleeping..."
  sleep 60
done

# Now start all of the VMs in the requested order.
echo -n "Datacenter up.  Starting VMs at "; date

for vm in "${vm_list[@]}"
do
  timeout=${vm_timeout[$vm]:-$default_timeout}
  ovirt-shell -I -c -E "action vm $vm start"
  sleep "$timeout"
done



Enjoy!

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/O3TENJOBFUZN6PYI3OR5TK3S5YJJJ6WH/
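
An added example, not part of the original message or of Derek's scripts: the same ordered start driven by the vm_list format above, but gating each step on the VM reporting "up" (the feature the later Python rewrite is described as having), with the per-VM timeout as an upper bound rather than a fixed sleep. `vm_start`, `vm_status` and `pause` are hypothetical hooks backed here by a constructed simulation, and the character set accepted for VM names is an assumption.

```bash
#!/bin/bash
# Added example: ordered VM start gated on each VM actually reporting "up".

# Same layout as the /etc/sysconfig/vm_list shown above. Timeouts are the
# longest time, in seconds, to wait for a VM before giving up.
default_timeout=10
poll_interval=5
declare -a vm_list=( first-vm second-vm )
declare -A vm_timeout=( [first-vm]=30 )

# --- Constructed simulation standing in for the engine -------------------
declare -A sim_polls_left sim_started
declare -a start_log

sim_reset() {
  # Number of status polls each simulated VM needs before it reports "up".
  sim_polls_left=( [first-vm]=2 [second-vm]=1 [stuck-vm]=999 )
  sim_started=()
  start_log=()
}

vm_start() {   # hypothetical hook: ask the engine to start VM $1
  sim_started[$1]=1
  start_log+=( "$1" )
}

vm_status() {  # hypothetical hook: leave the state of VM $1 in VM_STATE
  local vm=$1 left=${sim_polls_left[$1]:-0}
  if [ -z "${sim_started[$vm]:-}" ]; then
    VM_STATE=down
  elif [ "$left" -gt 0 ]; then
    sim_polls_left[$vm]=$(( left - 1 ))
    VM_STATE=powering_up
  else
    VM_STATE=up
  fi
}

pause() { :; }  # simulation only; against a real engine use: sleep "$1"

# --- Logic under demonstration --------------------------------------------

# Names end up inside a command sent to the engine, so accept only a
# conservative character set (assumed here, adjust to your naming scheme).
valid_vm_name() { [[ $1 =~ ^[A-Za-z0-9_.-]+$ ]]; }

# Poll until VM $1 is "up" (return 0) or $2 seconds have passed (return 1).
wait_for_up() {
  local vm=$1 limit=$2 waited=0
  while :; do
    vm_status "$vm"
    [ "$VM_STATE" = up ] && return 0
    [ "$waited" -ge "$limit" ] && return 1
    pause "$poll_interval"
    waited=$(( waited + poll_interval ))
  done
}

# Start the VMs in vm_list order. Stop at the first VM that is rejected or
# does not come up in time, so that later VMs are not started without the
# services they depend on. FAILED_VM names the VM that stopped the run.
start_in_order() {
  local vm limit
  FAILED_VM=
  for vm in "${vm_list[@]}"; do
    if ! valid_vm_name "$vm"; then
      FAILED_VM=$vm
      echo "refusing VM name with unexpected characters: $vm" >&2
      return 2
    fi
    limit=${vm_timeout[$vm]:-$default_timeout}
    vm_status "$vm"
    [ "$VM_STATE" = up ] || vm_start "$vm"   # skip VMs that are already up
    if ! wait_for_up "$vm" "$limit"; then
      FAILED_VM=$vm
      echo "$vm not up after ${limit}s; not starting the remaining VMs" >&2
      return 1
    fi
    echo "$vm is up"
  done
}

sim_reset
start_in_order
```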


[ovirt-users] Re: oVirt 4.4.0 Release is now generally available

2020-05-20 Thread Derek Atkins

On Wed, May 20, 2020 11:19 am, Sandro Bonazzola wrote:
> On Wed, 20 May 2020 at 16:33  wrote:
>
>> My enthusiasm for CentOS8 is limited.
>> My enthusiasm for a hard migration even more so.
>> So how much time do I have before 4.3 becomes inoperable?
>>
>
> oVirt 4.3.10 is approaching GA and we expect 4.3.11 to be released too
> before declaring 4.3 at the end of life.
> After that, 4.3 should keep working till CentOS 7 or any other repo on the
> system will break it with some incompatible change.
> I totally understand system administrators' point of view and how
> difficult
> it is to find a good maintenance window for a busy production
> environment, ensuring backups are recent enough, check new requirements
> matching, give it a try on a test environment if it's available and so on.
> That said, I would really encourage starting to plan a maintenance window
> for upgrading to 4.4 as soon as practical.
> It will be easier to help with upgrade from 4.3 at this time than 2 years
> from now when 4.3 can be broken (or new hardware replacement will be
> missing drivers on CentOS 7) and there won't be any additional release for
> fixing upgrade incompatibilities.

I can't speak to other people, but the lack of "ovirt-shell" for 4.4 is a
deal-breaker for me to upgrade at this time, and probably for the
foreseeable future.  I've been working on migrating my mail server for 3
years now and still haven't finished that; migrating ovirt to a new
platform that requires new startup support??  Haha.

Granted, I suspect SOME of the reasons I have this script might be
implemented in 4.4 (e.g. auto-start of VMs).  However, my understanding of
the auto-start feature is that it's really an auto-restart -- it will
restart a VM that was running if the datacenter crashes, but if I shut it
down manually and then "reboot" the cluster, those VMs won't come back
automatically.  As I am on a single-host system, I need it to start from a
clean shutdown and bring up all the VMs in addition to dealing with
power-outage reboots.

I work from the "if it ain't broke, don't fix it" camp.  So I think I'm
going to stick with 4.3 until I can't anymore.

I am happy to share my startup script if someone else wants to port it to
work with 4.4.  :-)

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NHIGVCJOWLGUB4LJOKXNTFUJRNVYA5RB/


[ovirt-users] Re: Ovirt API and CLI

2020-02-28 Thread Derek Atkins
Hi,

It took me about 5 seconds to google for "ovirt sdk4" and the first link
is:  https://github.com/oVirt/ovirt-engine-sdk/tree/master/sdk

NB: I am not an ovirt dev (nor am I a python programmer, although I do
play one on TV sometimes ;-).

-derek

On Fri, February 28, 2020 1:12 pm, Eugène Ngontang wrote:
> Yes I know ovirt-shell.
>
> But if the Interface (API) is well exposed, we could ourselves code ad hoc
> client to interact with, as we know how it's defined and structured.
>
> Please do you have useful links about those SDK4 and others API/CLI
> related
> stuff?
>
> Regards,
> Eugène NG
>
> On Fri, 28 Feb 2020 at 16:50, Derek Atkins  wrote:
>
>> Yes.  The devs call it "SDK4", which has been around for a few releases
>> now.
>> The CLI, however, uses SDK3, which was removed from Ovirt 4.4.
>> Search for "ovirt-shell".
>>
>> -derek
>>
>> On Fri, February 28, 2020 10:47 am, Eugène Ngontang wrote:
>> > @Derek,
>> >
>> > You're talking about a client the should up-port, but before having a
>> > client, my question is is there a documented API (server) to interact
>> with
>> > through that client?
>> >
>> > Eugene NG
>> >
>> > On Thu, 27 Feb 2020 at 14:57, Derek Atkins  wrote:
>> >
>> >> Eugene,
>> >>
>> >> On Thu, February 27, 2020 4:53 am, Eugène Ngontang wrote:
>> >> > Yes Ansible ovirt_vms module is useful, I use it for
>> >> > provisioning/deployment, but once my VM created, I'd like to
>> >> > administrate/interact with them, I don't think I should write
>> >> playbooks
>> >> > for
>> >> > that.
>> >> >
>> >> > But I'll find a solution.
>> >>
>> >> I am in a similar boat as you.  I wrote some management scripts
>> around
>> >> ovirt-shell when I first started using ovirt (4.0), in order to mimic
>> >> some
>> >> vmware-server features that I needed.  I run a single-host
>> hosted-engine
>> >> environment, so when the system boots up (e.g. from a power failure)
>> I
>> >> wanted all my VMs to auto-start, and to start in the correct order.
>> I
>> >> can't use the ovirt power management utilities because it's only a
>> >> single
>> >> host.  So I wrote a relatively small script around ovirt-shell that
>> >> would
>> >> do the following:
>> >>
>> >> 1) Wait for the engine to respond
>> >> 2) Wait for the storage to come online
>> >> 3) Start my VMs, with appropriate order and delay between
>> >>(e.g., ensure my DNS server and KDC come up before other VMs)
>> >>
>> >> I know that SOME of these features are now in Ovirt (and I think they
>> >> are
>> >> even in 4.4), but my understanding is that they only return the
>> system
>> >> to
>> >> previous state and won't auto-start a VM that was cleanly shut down.
>> >> Also
>> >> the ordering is, IIUC, somewhat coarse (low/medium/high).
>> >>
>> >> At this point I plan to delay my deployment of 4.4 or beyond because
>> >> what
>> >> I have in 4.3 is working (still), and frankly I have no interest in
>> >> learning Ansible or Python just to replace what should be a
>> relatively
>> >> simple script.
>> >>
>> >> I honestly find it very sad that the developers won't up-port
>> >> ovirt-client
>> >> to SDK4.  If SDK4 is "so good" vs SDK3 then I don't see why it would
>> be
>> >> hard to do that.  And if it IS that hard to do, then how do they
>> expect
>> >> us
>> >> to use it?
>> >>
>> >> Maybe I will find some time to play with OV4.4 on a test system in
>> order
>> >> to play with the auto-start features.   In my copious amounts of free
>> >> time.  :(
>> >>
>> >> Thanks,
>> >>
>> >> -derek
>> >>
>> >> --
>> >>Derek Atkins 617-623-3745
>> >>de...@ihtfp.com www.ihtfp.com
>> >>Computer and Internet Security Consultant
>> >>
>> >>
>> >
>> > --
>> > LesCDN <http://lescdn.com>
>> > engont...@lescdn.com
>> > 
>> > *Men need a leader, and a leader needs men! The habit does not make
>> > the monk, but when people see you, they judge you!*
>> >
>>
>>
>> --
>>Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>>
>>
>
> --
> LesCDN <http://lescdn.com>
> engont...@lescdn.com
> 
> *Men need a leader, and a leader needs men! The habit does not make
> the monk, but when people see you, they judge you!*
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AHCCQP2G4WTY6NMRTDSTYYC5CB6VZK6K/


[ovirt-users] Re: Ovirt API and CLI

2020-02-28 Thread Derek Atkins
Yes.  The devs call it "SDK4", which has been around for a few releases now.
The CLI, however, uses SDK3, which was removed from Ovirt 4.4.
Search for "ovirt-shell".

-derek

On Fri, February 28, 2020 10:47 am, Eugène Ngontang wrote:
> @Derek,
>
> You're talking about a client the should up-port, but before having a
> client, my question is is there a documented API (server) to interact with
> through that client?
>
> Eugene NG
>
> On Thu, 27 Feb 2020 at 14:57, Derek Atkins  wrote:
>
>> Eugene,
>>
>> On Thu, February 27, 2020 4:53 am, Eugène Ngontang wrote:
>> > Yes Ansible ovirt_vms module is useful, I use it for
>> > provisioning/deployment, but once my VM created, I'd like to
>> > administrate/interact with them, I don't think I should write
>> playbooks
>> > for
>> > that.
>> >
>> > But I'll find a solution.
>>
>> I am in a similar boat as you.  I wrote some management scripts around
>> ovirt-shell when I first started using ovirt (4.0), in order to mimic
>> some
>> vmware-server features that I needed.  I run a single-host hosted-engine
>> environment, so when the system boots up (e.g. from a power failure) I
>> wanted all my VMs to auto-start, and to start in the correct order.  I
>> can't use the ovirt power management utilities because it's only a
>> single
>> host.  So I wrote a relatively small script around ovirt-shell that
>> would
>> do the following:
>>
>> 1) Wait for the engine to respond
>> 2) Wait for the storage to come online
>> 3) Start my VMs, with appropriate order and delay between
>>(e.g., ensure my DNS server and KDC come up before other VMs)
>>
>> I know that SOME of these features are now in Ovirt (and I think they
>> are
>> even in 4.4), but my understanding is that they only return the system
>> to
>> previous state and won't auto-start a VM that was cleanly shut down.
>> Also
>> the ordering is, IIUC, somewhat coarse (low/medium/high).
>>
>> At this point I plan to delay my deployment of 4.4 or beyond because
>> what
>> I have in 4.3 is working (still), and frankly I have no interest in
>> learning Ansible or Python just to replace what should be a relatively
>> simple script.
>>
>> I honestly find it very sad that the developers won't up-port
>> ovirt-client
>> to SDK4.  If SDK4 is "so good" vs SDK3 then I don't see why it would be
>> hard to do that.  And if it IS that hard to do, then how do they expect
>> us
>> to use it?
>>
>> Maybe I will find some time to play with OV4.4 on a test system in order
>> to play with the auto-start features.   In my copious amounts of free
>> time.  :(
>>
>> Thanks,
>>
>> -derek
>>
>> --
>>Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>>
>>
>
> --
> LesCDN <http://lescdn.com>
> engont...@lescdn.com
> 
> *Men need a leader, and a leader needs men! The habit does not make
> the monk, but when people see you, they judge you!*
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/F3F7KHR7OOUDQSKZEQX5553MAUKMLFAV/


[ovirt-users] Re: Ovirt API and CLI

2020-02-27 Thread Derek Atkins
Eugene,

On Thu, February 27, 2020 4:53 am, Eugène Ngontang wrote:
> Yes Ansible ovirt_vms module is useful, I use it for
> provisioning/deployment, but once my VM created, I'd like to
> administrate/interact with them, I don't think I should write playbooks
> for
> that.
>
> But I'll find a solution.

I am in a similar boat as you.  I wrote some management scripts around
ovirt-shell when I first started using ovirt (4.0), in order to mimic some
vmware-server features that I needed.  I run a single-host hosted-engine
environment, so when the system boots up (e.g. from a power failure) I
wanted all my VMs to auto-start, and to start in the correct order.  I
can't use the ovirt power management utilities because it's only a single
host.  So I wrote a relatively small script around ovirt-shell that would
do the following:

1) Wait for the engine to respond
2) Wait for the storage to come online
3) Start my VMs, with appropriate order and delay between
   (e.g., ensure my DNS server and KDC come up before other VMs)

I know that SOME of these features are now in Ovirt (and I think they are
even in 4.4), but my understanding is that they only return the system to
previous state and won't auto-start a VM that was cleanly shut down.  Also
the ordering is, IIUC, somewhat coarse (low/medium/high).

At this point I plan to delay my deployment of 4.4 or beyond because what
I have in 4.3 is working (still), and frankly I have no interest in
learning Ansible or Python just to replace what should be a relatively
simple script.

I honestly find it very sad that the developers won't up-port ovirt-client
to SDK4.  If SDK4 is "so good" vs SDK3 then I don't see why it would be
hard to do that.  And if it IS that hard to do, then how do they expect us
to use it?

Maybe I will find some time to play with OV4.4 on a test system in order
to play with the auto-start features.   In my copious amounts of free
time.  :(

Thanks,

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NAZWFWDINJIOVD4X57LUH26RVDQ2SVHK/


[ovirt-users] Re: Can't install virtio-win with EL7.7/Ovirt-4.3.8 -- rpm error

2020-02-19 Thread Derek Atkins
Thanks for the repair!
-d

Dominic Coulombe  writes:

> Confirmed as working.
>
> Thanks.
>
> On Thu, Feb 13, 2020 at 5:00 AM Cole Robinson  wrote:
>
> Thanks for the cc Gal. Latest published virtio-win RPMs, 0.1.173-7, are
> back to using xz compression now. Seems like the new compression got
> picked up automatically by building on Fedora 31.
>
> Thanks,
> Cole
>
> On 2/9/20 3:20 AM, Gal Zaidman wrote:
> > Forwarding this to virtio-win developers and packagers.
> > Notice that virtio-win is a package in Fedora/Centos/RHEL and it is not
> > an "ovirt/RHV" package so ovirt doesn't package it.
> >
> > On Sun, Feb 9, 2020 at 4:59 AM  > <mailto:eshwa...@gmail.com>> wrote:
> >
> >     Same problem.  Looks like the virtio rpm is now built with the new
> >     compression method, but rpm for EL7 hasn't been updated to support
> it.
>

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HQP7TR3G5DNKXF6MOVI55AQXZG3CMZD6/


[ovirt-users] Can't install virtio-win with EL7.7/Ovirt-4.3.8 -- rpm error

2020-02-06 Thread Derek Atkins
Hi,

I was trying to install the virtio-win package, but it gives an error:

ERROR You need to update rpm to handle:
rpmlib(PayloadIsZstd) <= 5.4.18-1 is needed by virtio-win-0.1.173-6.noarch

Is this a known problem with current 4.3.x and EL7.7?

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OR47UVYR6DWQX6NFTGUFU5JOVJVFOWDO/


[ovirt-users] Re: Websocket-proxy not working after upgrade to 4.3

2020-02-05 Thread Derek Atkins
Hi,

nico...@devels.es writes:

> A little bit more info on it. I debugged the requests with Chrome and
> seems that the webservice call is made with https://engine:6100
> (literally), instead of https://:6100.
>
> A snapshot is included in this mail.
>
> I don't know why is it trying to connect to this address, seems like a
> missed step on the upgrade process? (we upgraded 4.1 -> 4.2 -> 4.3).
>
> How can I fix this problem?

Did you set your webproxy URL in your engine configuration?  E.g.:
engine-config -s SpiceProxyDefault=http://:6100

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UOH4IRE3OR2QV3RDAXBYBTXIJGM53VBH/


[ovirt-users] Re: [ANN] oVirt 4.3.8 is now generally available

2020-01-30 Thread Derek Atkins
Hi,

On Thu, January 30, 2020 10:38 am, Sandro Bonazzola wrote:

>> Quick question.  My engine is currently running 4.3.6.  My host is still
>> at 4.1.x.  I was planning (this weekend) to just yum upgrade the host
>> system to bring it up to 4.3.x.
>>
>> Is it okay for the host to be at 4.3.8 while the engine is still at
>> 4.3.6?  Or must I upgrade the engine to 4.3.8 first?
>>
>
> I would recommend to upgrade engine first, but host upgrade should work
> fine being engine already at 4.3.

Good to know.  I'll see if I can find the time to upgrade the engine first.

> I would recommend to use the engine for upgrading the hosts. It can use
> the
> cluster upgrade ansible role (
> https://github.com/oVirt/ovirt-ansible-cluster-upgrade/blob/master/README.md)
> and save you some time.

Can't do that -- this is a single-host self-hosted system, so there is no
where to migrate the engine.  So everything needs to be done manually.  At
least that is my understanding.  And since this is a production system I'd
rather spend more time and have it work than trying something and having
it fail mid-way.  As I'm already planning significant downtime to move the
machines to a new location and re-rack them, the additional time to "yum
upgrade" shouldn't be a problem.  :)

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TEMY6MLPUGIAL7E36CE3L2AAY7ACCVNE/


[ovirt-users] Re: [ANN] oVirt 4.3.8 is now generally available

2020-01-30 Thread Derek Atkins
Hi,

Sandro Bonazzola  writes:

> The oVirt Project is pleased to announce the general availability of oVirt
> 4.3.8 as of January 27th, 2020.

First, congrats on the release.

Quick question.  My engine is currently running 4.3.6.  My host is still
at 4.1.x.  I was planning (this weekend) to just yum upgrade the host
system to bring it up to 4.3.x.

Is it okay for the host to be at 4.3.8 while the engine is still at
4.3.6?  Or must I upgrade the engine to 4.3.8 first?

Thanks,

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KSQISM2VIMCPK6E2KC5BLPYMN6IES7QE/


[ovirt-users] Re: oVirt on a Single Server

2020-01-21 Thread Derek Atkins
You can set up a localhost NFS server to serve out the local storage.
Just ensure you have enough RAM so you don't hit the potential NFS
dead-locking problem.  I've been running in this configuration for several
years.  I've got 256GB RAM on the host.  Works great for me.

-derek

On Tue, January 21, 2020 3:05 am, Joseph Goldman wrote:
> I dont think a bare-metal engine can be a compute node as well.
>
> On 2020-01-21 6:46 PM, Tony Brian Albers wrote:
>> On Tue, 2020-01-21 at 07:35 +, webma...@hotmail.com wrote:
>>> Hello,
>>>
>>> I can't seem to install the self-hosted engine onto local storage. It
>>> gives me glustefs, iscsi, fc, and nfs as the available options. I'm
>>> using this in a home-lab scenario, and don't have budget/etc. for
>>> building out a dedicated NAS for it, or setting up multiple nodes. I
>>> like the look of oVirt, and wanted to try it with a couple disposable
>>> vm's (plex, and a docker instance I break often). My current best-
>>> thought for how to make it work is to setup NFS on the server, and
>>> then point the self-hosted engine at the (local) NFS share. Is there
>>> a better way to do this that I might be overlooking?*
>>>
>>> *Factoring that I don't have the funds to build out a proper storage
>>> environment, yet.
>>>
>>> (and if anyone asks, I did search for a solution to this, but didn't
>>> find anything super helpful. Mostly I found 5+ year old articles on a
>>> similar but different scenario).
>>>
>> Well, if you can live with a regular engine(not self-hosted), this
>> works:
>>
>> https://www.ovirt.org/documentation/install-guide/chap-Installing_oVirt.html
>>
>>
>> HTH
>>
>> /tony
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/STTLMFU3KUJMSR4AOV3PMUAFX23QW7AU/


[ovirt-users] What to do with old ovirt yum repos, and why are they kept around?

2019-10-28 Thread Derek Atkins
Hi,

I just upgraded my engine from 4.1.9 to 4.2.8 to 4.3.x yesterday.  One
issue I hit along the way was a complaint about repos being listed more
than once:

Repository virtio-win-stable is listed more than once in the configuration
Repository centos-sclo-rh-release is listed more than once in the configuration

I also received errors like:

http://mirror.centos.org/centos/7/storage/x86_64/gluster-3.8/repodata/repomd.xml:
 [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.

Even after I did a yum erase on ovirt-release40 (and ovirt-release41) I
noticed that the 4.0 and 4.1 yum repositories (and dependencies)
configurations were left in /etc/yum.repos.d/.   Is there a reason these
files are not removed when the associated release packages are removed?

Thanks,

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TBSFHBNMJKULFN3PG6XRHPUFP3HQZ6SI/
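
One way to audit a repo directory for the two leftovers described in the message above: repository ids defined in more than one file, and .repo files that no installed package owns. This is an added example, not the poster's or the oVirt project's code; the function names and the sample file names are hypothetical, and the sample contents are constructed.

```shell
#!/bin/sh
# Added example: audit a yum repo directory after removing old release packages.

# Print "<repo-id>: <file> <file> ..." for every id defined more than once.
find_duplicate_repo_ids() (
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # Section headers such as [virtio-win-stable] carry the repo id.
        sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$f" |
        while IFS= read -r id; do
            printf '%s\t%s\n' "$id" "${f##*/}"
        done
    done | LC_ALL=C sort | awk -F '\t' '
        { n[$1]++; files[$1] = files[$1] (files[$1] == "" ? "" : " ") $2 }
        END { for (id in n) if (n[id] > 1) print id ": " files[id] }
    ' | LC_ALL=C sort
)

# Print every .repo file that no installed package claims (needs rpm).
unowned_repo_files() (
    dir=${1:-/etc/yum.repos.d}
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; exit 2; }
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        rpm -qf "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
)

# Constructed sample: two release files that both define the ids yum
# complained about, plus one id that appears only once.
make_sample_repos() {
    cat > "$1/old-release.repo" <<'EOF'
[virtio-win-stable]
name=constructed sample (old release)
baseurl=http://repo.example.invalid/old/virtio-win
[centos-sclo-rh-release]
name=constructed sample (old release)
baseurl=http://repo.example.invalid/old/sclo
EOF
    cat > "$1/new-release.repo" <<'EOF'
[virtio-win-stable]
name=constructed sample (new release)
baseurl=http://repo.example.invalid/new/virtio-win
[centos-sclo-rh-release]
name=constructed sample (new release)
baseurl=http://repo.example.invalid/new/sclo
[only-defined-once]
name=constructed sample
baseurl=http://repo.example.invalid/new/other
EOF
}

# "--demo" runs against the constructed sample; a directory argument audits it.
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_sample_repos "$demo_dir"
    find_duplicate_repo_ids "$demo_dir"
    rm -rf "$demo_dir"
elif [ -n "${1:-}" ]; then
    find_duplicate_repo_ids "$1"
    unowned_repo_files "$1"
fi
```
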


[ovirt-users] Problem upgrading from 4.1.9 to 4.2.8 -- vmconsole SElinux issue

2019-10-28 Thread Derek Atkins
Hi,

I spent yesterday trying to upgrade my self-hosted, single-host, ovirt
engine from EL7.4/OV4.1.9 to EL7.7/OV4.3.x with a step at EL7.6/OV4.2.8.
Unfortunately that first step was extremely problematic.  Specifically,
I kept hitting an issue where the installation of ovirt-vmconsole would
error out with a "non-fatal POSTUN scriptlet failure", which of course
is considered fatal:

2019-10-27 10:42:18,436-0400 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Done: ovirt-vmconsole
2019-10-27 10:42:18,504-0400 ERROR otopi.plugins.otopi.packagers.yumpackager yumpackager.error:85 Yum Non-fatal POSTUN scriptlet failure in rpm package ovirt-vmconsole-1.0.4-1.el7.centos.noarch
2019-10-27 10:42:18,505-0400 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Done: ovirt-vmconsole-1.0.4-1.el7.centos.noarch
2019-10-27 10:42:18,605-0400 DEBUG otopi.plugins.otopi.packagers.yumpackager yumpackager.verbose:76 Yum Script sink: D:   --- h# 747 ovirt-vmconsole-1.0.4-1.el7.centos.noarch

This appears to be https://bugzilla.redhat.com/show_bug.cgi?id=1665197
which is closed as being fixed in 4.3.1, but that *STILL* doesn't help
when trying to upgrade the engine from 4.1. to 4.2.  It should have been
fixed for 4.2.8 (or push a 4.2.9 with the fix).

After googling around, I was able to work around this bug by moving
semodule out of the way:

mv /usr/sbin/semodule{,-bak}
ln -fs /bin/true /usr/sbin/semodule

and then running the update (I reverted after the update).  I don't
*like* this solution, but it got it working.  I'll note that I have
SELinux set to "enforcing", and I started with EL7.2/OV4.0 and have
upgraded a few times.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UX35CRE62PC5RDNZULLGNRJDR4TXIXTP/
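
The semodule workaround described in the message above, wrapped so that the original binary is always put back, even when the update fails or is interrupted. This is an added example, not the poster's script; the function name with_stubbed_binary and the "-bak" backup suffix handling are assumptions modelled on the two commands in the message.

```shell
#!/bin/sh
# Added example: run a command while a binary is temporarily stubbed out.
#
# with_stubbed_binary TARGET STUB CMD [ARGS...]
# Replaces TARGET with a symlink to STUB, runs CMD, then restores TARGET no
# matter how CMD ends. The exit status is CMD's own.
with_stubbed_binary() (
    [ "$#" -ge 3 ] || { echo "usage: with_stubbed_binary TARGET STUB CMD..." >&2; exit 2; }
    target=$1
    stub=$2
    shift 2
    backup="${target}-bak"

    # Refuse to start from a half-applied state left by an earlier attempt.
    if [ ! -f "$target" ] || [ -L "$target" ]; then
        echo "refusing: $target is not a regular file (already stubbed?)" >&2
        exit 2
    fi
    if [ -e "$backup" ]; then
        echo "refusing: $backup exists from an earlier run" >&2
        exit 2
    fi

    restore() {
        if [ -e "$backup" ]; then
            rm -f "$target"          # drop the symlink, never the stub itself
            mv "$backup" "$target"
        fi
    }
    # EXIT covers normal and failed runs; the signal traps turn an
    # interruption into an exit so the EXIT trap still fires.
    trap restore EXIT
    trap 'exit 130' INT
    trap 'exit 143' TERM
    trap 'exit 129' HUP

    mv "$target" "$backup"
    ln -s "$stub" "$target"

    status=0
    "$@" || status=$?
    exit "$status"
)

# Usage matching the message above (as root):
#   with_stubbed_binary /usr/sbin/semodule /bin/true <update command>
# While stubbed, every semodule call made by package scriptlets is a no-op,
# so policy module changes they intended are skipped. Afterwards,
#   rpm -Vf /usr/sbin/semodule
# checks that the restored file still matches its package.
if [ "$#" -ge 3 ]; then
    with_stubbed_binary "$@"
fi
```
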


[ovirt-users] Re: [ANN] oVirt 4.3.6 is now generally available

2019-10-01 Thread Derek Atkins
jvdw...@xs4all.nl writes:

>> Yes, it's still available. It will be dropped in 4.4.
>
> OK, good to know, time to polish up my ansible or start writing api scripts.
>
> Now that 4.4 popped up, how is that going?
> I looked a bit at the Gerrit yesterday and right now and see that el8
> builds are being done now, great work!

Yeah.  I've got a startup script that I use to start all my VMs (see
below).  I'll need to figure out how to migrate that script to SDK4.
It really sucks that there's no SDK4 version of ovirt-shell.  I suspect
my script will expand by an order of magnitude, and everyone who has
written a script around ovirt-shell will have to duplicate effort.

I know there is a feature for the engine to autostart VMs (which I
believe will be in 4.4), but AFAIK it doesn't do ordering.  I need at
least one specific VM to start up before everything else.

Thanks,

-derek

#!/bin/bash

# /etc/sysconfig/vm_list defines vm_list, vm_timeout and default_timeout.
[ -f /etc/sysconfig/vm_list ] || exit 0
. /etc/sysconfig/vm_list

echo -n "Starting at "
date

# Wait for the engine to respond
while [ "$(ovirt-shell -I -c -F -T 50 -E ping 2>/dev/null | grep -c success)" != 1 ]
do
    echo "Not ready... Sleeping..."
    sleep 60
done

# Now wait for the storage domain to appear active
echo -n "Engine up.  Searching for disks at "
date
total_disks=$(ovirt-shell -I -c -E summary | grep storage_domains-total | sed -e 's/.*: //')
# subtract one because we know we're not using the image-repository
total_disks=$(expr "$total_disks" - 1)
active_disks=$(ovirt-shell -I -c -E summary | grep storage_domains-active | sed -e 's/.*: //')
while [ "$active_disks" -lt "$total_disks" ]
do
    echo "Storage Domains not active yet.  Only found $active_disks/$total_disks.  Waiting..."
    sleep 60
    active_disks=$(ovirt-shell -I -c -E summary | grep storage_domains-active | sed -e 's/.*: //')
done

# Now start all of the VMs in the requested order.
echo -n "All storage mounted.  Starting VMs at "
date
for vm in "${vm_list[@]}"
do
    # Per-VM delay before starting the next one, falling back to the default.
    timeout=${vm_timeout[$vm]:-$default_timeout}
    ovirt-shell -I -c -E "action vm $vm start"
    sleep "$timeout"
done

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NS4VMN66G6K3WH2ROGSEBTQDEAMZB5DQ/


[ovirt-users] Re: [ANN] oVirt 4.3.6 is now generally available

2019-09-27 Thread Derek Atkins

On Fri, September 27, 2019 11:46 am, Sandro Bonazzola wrote:
[snip]
>> I'm curious what the steps should be going from 4.1.9 / EL7.4 to 4.3.x /
>> EL7.7?  I am pretty sure I need some steps along the way (I doubt I can
>> jump directly from 4.1.9 -> 4.3.x and 7.4 -> 7.7, right).
>>
>> So should I jump from 7.4/4.1.9 to 7.6/4.2.8 and then from there to
>> 7.7/4.3.6?
>>
>
> 4.1 cluster level is still supported by 4.3 engine.
> So you can upgrade the engine from 7.4/4.1.9 to 7.6/4.2.8 and then to
> 7.7/4.3.6 while on the host side you can go straight to 4.3.6/7.7.
> Once done, please update cluster level to 4.3.

Excellent, I can do that.  I just need to ensure that the cluster settings
fully upgraded from 4.0 to 4.1.

One final question:  I know that ovirt-shell is deprecated, but is it
still available in 4.3.x?

Thanks for all your support!

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FDURRMTSB2IGUGIQPQHRXQCJT7PGDDEB/


[ovirt-users] Re: [ANN] oVirt 4.3.6 is now generally available

2019-09-27 Thread Derek Atkins
Hi,

On Fri, September 27, 2019 7:23 am, Sandro Bonazzola wrote:
> Il giorno ven 27 set 2019 alle ore 12:55 Derek Atkins  ha
> scritto:
>
>> >
>> > Please use the engine to upgrade hosts, there's a command in webadmin
>> > interface for that.
>>
>> I didn't think you could do this in a single-host hosted-engine system?
>> In such a deployment the engine has nowhere to migrate to, so it
>> requires
>> shutting down the whole "data center" in order to upgrade the host.  I
>> didn't think that could be done via the engine?
>>
>> Personally, I still need to upgrade from 4.1.9 / CentOS 7.4!
>>
>
> Single host self hosted engine will require more work.
> You'll need to put the host in global maintenance, turn off the engine,
> yum
> upgrade the host and reboot.
> Then get out of global maintenance and engine VM should get back up and
> running in a few minutes.

Yeah, this is how I've done it in the past.

I'm curious what the steps should be going from 4.1.9 / EL7.4 to 4.3.x /
EL7.7?  I am pretty sure I need some steps along the way (I doubt I can
jump directly from 4.1.9 -> 4.3.x and 7.4 -> 7.7, right).

So should I jump from 7.4/4.1.9 to 7.6/4.2.8 and then from there to
7.7/4.3.6?

Thanks,

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RCQYRXCAH3BX5VIXFASDI432UNIXVEJ4/


[ovirt-users] Re: [ANN] oVirt 4.3.6 is now generally available

2019-09-27 Thread Derek Atkins

On Fri, September 27, 2019 6:41 am, Sandro Bonazzola wrote:
[snip]
>> hosts
>> 6) put into maintenance
>> 7) simply yum update that will update CentOS packages + oVirt ones (vdsm
>> and such..)
>>
>
> Please use the engine to upgrade hosts, there's a command in webadmin
> interface for that.

I didn't think you could do this in a single-host hosted-engine system?
In such a deployment the engine has nowhere to migrate to, so it requires
shutting down the whole "data center" in order to upgrade the host.  I
didn't think that could be done via the engine?

Personally, I still need to upgrade from 4.1.9 / CentOS 7.4!

> It's *a bit* outdated, but still valid:
> https://ovirt.org/documentation/upgrade-guide/upgrade-guide.html

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/A6MYNHANZ3IN5WDACOTFMK7ZHNCW7D6R/


[ovirt-users] Re: Changing ISO domains

2019-09-17 Thread Derek Atkins
If you push down a level or two you'll see your .iso files.
I just scp them directly in.
-derek


On Tue, September 17, 2019 10:52 am, Mark Steele wrote:
> Additional information:
>
> The directory for the domain appear to have been created properly so I am
> not clear on why the upload from the ovirt engine is failing:
> drwxr-xr-x. 3 36 36  88 Sep 17 10:40 .
> drwxr-xr-x. 5 36 36 126 Oct 17  2018 ..
> drwxr-xr-x. 4 36 36  46 Sep 17 10:40 bdd2a547-dde9-4248-b2de-ae67063da8e4
> -rwxr-xr-x. 1 36 36   0 Sep 17 10:50 __DIRECT_IO_TEST__
> [root@phl-tevestore-01 iso-store]#
>
> ***
> *Mark Steele*
> CIO / VP Technical Operations | TelVue Corporation
> TelVue - We Share Your Vision
> 16000 Horizon Way, Suite 100 | Mt. Laurel, NJ 08054
> 800.885.8886 x128 | mste...@telvue.com | http://www.telvue.com
> twitter: http://twitter.com/telvue | facebook:
> https://www.facebook.com/telvue
>
>
> On Tue, Sep 17, 2019 at 10:46 AM Mark Steele  wrote:
>
>> I was not using the uploader - I have the new domain active and attached
>> now.
>>
>> I am attempting to upload the iso using the following command:
>>
>> engine-iso-uploader --iso-domain=phl-iso-03 upload
>> ./windows-server-2012.iso
>>
>> Unfortunately I keep getting this error:
>>
>> Uploading, please wait...
>> ERROR: mount.nfs: Connection timed out
>>
>>
>>
>> ***
>> *Mark Steele*
>> CIO / VP Technical Operations | TelVue Corporation
>> TelVue - We Share Your Vision
>> 16000 Horizon Way, Suite 100 | Mt. Laurel, NJ 08054
>> 800.885.8886 x128 | mste...@telvue.com | http://www.telvue.com
>> twitter: http://twitter.com/telvue | facebook:
>> https://www.facebook.com/telvue
>>
>>
>> On Tue, Sep 17, 2019 at 10:39 AM Staniforth, Paul <
>> p.stanifo...@leedsbeckett.ac.uk> wrote:
>>
>>> Did you have the correct ownership/permissions ?
>>>
>>> Regards,
>>> Paul S.
>>>
>>> 
>>> From: Derek Atkins 
>>> Sent: 17 September 2019 15:06
>>> To: Mark Steele
>>> Cc: users
>>> Subject: [ovirt-users] Re: Changing ISO domains
>>>
>>> On Tue, September 17, 2019 9:58 am, Mark Steele wrote:
>>> > I think I see the issue now - the ISO domain is attached properly -
>>> > however
>>> > I was simply copying ISO files into that directory - I think I have
>>> to
>>> use
>>> > a tool to upload the ISO's - is that correct?
>>>
>>> At least in 4.1.9, oVirt re-scans the ISO domain for new files, so you
>>> should be able to scp your .iso file directly into the domain and have
>>> it
>>> appear in the engine after some re-scan period.  I.e., at least
>>> historically there was no hard-and-fast requirement to upload an ISO
>>> image
>>> through an ovirt interface.
>>>
>>> That may have changed in 4.2 and/or 4.3, but I hope not.
>>>
>>> -derek
>>>
>>> --
>>>Derek Atkins 617-623-3745
>>>de...@ihtfp.com www.ihtfp.com
>>>Computer and Internet Security Consultant

[ovirt-users] Re: Changing ISO domains

2019-09-17 Thread Derek Atkins
On Tue, September 17, 2019 9:58 am, Mark Steele wrote:
> I think I see the issue now - the ISO domain is attached properly -
> however
> I was simply copying ISO files into that directory - I think I have to use
> a tool to upload the ISO's - is that correct?

At least in 4.1.9, oVirt re-scans the ISO domain for new files, so you
should be able to scp your .iso file directly into the domain and have it
appear in the engine after some re-scan period.  I.e., at least
historically there was no hard-and-fast requirement to upload an ISO image
through an ovirt interface.

That may have changed in 4.2 and/or 4.3, but I hope not.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MDR7NCR4HLIYRRFRUITKE2NFL2YLHZKS/


[ovirt-users] Re: Adding VLANs to a single-host, self-hosted-engine oVirt deployment?

2019-08-16 Thread Derek Atkins
Hi,

On Fri, August 16, 2019 1:49 pm, Vincent Royer wrote:
> Definitely upgrade to 4.3.5, do this first.  If you can afford to just
> image it and start over, do that.

Does 4.3 still support ovirt-shell?

I cannot re-image, I need to upgrade.  That only means I need to do it in
two steps, 4.1 -> 4.2 -> 4.3.

> As long as your switch ports are configured correctly, adding vlans is
> simple. I don't put anything in maintenance to do it.

I have a bonded NIC (2x1Gbps); I presume I just need to tell the switch
that this is a vlan trunk?

> Just go to networks -> New
>
> [image: image.png]
>
> Check the "enable VLAN tagging" and enter your vlan.  You don't really
> need
> to change anything else.

Do I need to edit ovirtmgmt and enable vlan tagging too?

> [image: image.png]
>
> Now you have a logical network and a Vnic profile for this vlan:
>
> [image: image.png]
>
> [image: image.png]
>
>
> Now you need to tell Ovirt what physical NIC you want this to operate on.
> Go to your host and select "Setup Host Networks"
>
> Drag the new network onto the NIC or bond you want to use:

So there's nothing special I need to set up on the host?  I just need to
add the new virtual networks to the existing bond/interface?

>
>
> [image: image.png]
>
> [image: image.png]
>
>
>
> You can click the pencil and have this interface get an IP address if you
> want, but, you don't need to - your vms will get IPs. So you can leave
> this
> all alone in here:

This would be a host address on the VLAN?   If so, I agree -- I don't
think most VLANs will need that.

> [image: image.png]
>
> Now when you are creating a VM, you can attach this Vnic profile.  You
> could also add the Vnic to an existing VM.
>
> [image: image.png]
>
> And that's it.  If you have the VM configured to DHCP, and you have a dhcp
> server listening on that Vlan, it will work.  If your VM doesn't get an
> IP,
> check your router's DHCP logs to see if it hears anything from the Mac
> address of your VM's nic.  If you also have a DNS resolver that adds DHCP
> entries, and your VM has a hostname configured in cloud-init, you'll even
> be able to resolve the FQDN to your VM immediately.

Yeah, pretty much all VMs are DHCP.

Thanks.  I'll try this out.  I still have at least 1-2 months before I can
even entertain migrating, and it could be as long as 3-4 months.  So I
have time to think and plan.

> Hope this helps!

Indeed.  Major open question right now is ovirt-shell ;)

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/F4MS7MKSFPZMUT7QLTT7LLNTS5FU5I4E/


[ovirt-users] Adding VLANs to a single-host, self-hosted-engine oVirt deployment?

2019-08-16 Thread Derek Atkins
Hi,

I've got a single oVirt host running a self-contained hosted-engine
deployment.  When I set it up I did not use VLANs in my network.  I am in
the process of moving my equipment, and in part of this move I would like
to introduce VLANs into my network infrastructure.  The documentation
seems to imply that to add virtual networks and/or VLANs to a host that I
need to put it into maintenance mode, configure it in the engine, and then
resync the network.  However, I don't think I can do that with a
single-host environment.  If I put the host into local maint mode, it will
try to offload all my VMs, including the engine, which obviously it cannot
do because there is no other host to migrate them to.
So what's the approach to add VLANs in this situation?

I should add that this system started at 4.0, and I'm still only running
4.1 (although I do plan to upgrade to 4.2 as part of this move).  I'm
hesitant to upgrade further because of the impending removal of SDK-3 -- I
am depending on a script that uses ovirt-shell which I keep being told is
going away.  If ovirt-shell is still in 4.3 then I might consider
upgrading to that as well.  :)

Thanks.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3KR6PJE2XHNISXCJXG3GNADXEHWHWEXI/


[ovirt-users] Re: no network interface

2019-08-01 Thread Derek Atkins
Hi,

Are you installing this as a node, or are you using CentOS and then
hosted-engine --deploy?

-derek

On Thu, August 1, 2019 2:59 pm, A S wrote:
> Hi. I had ovirt running with a VM but it suddenly broke. I wiped it all
> and did a reinstall but now I am not able to connect my host to the
> network. the host is always saying status='unassigned'. in the network
> page where I would drag and drop a connection, there is no interface to
> connect to. its this page
> https://ovirt.org/images/wiki/SetupNetworksNew.png?1478101462
> but there is nothing in the interfaces column on the left
> Can anyone point me in the right direction to fix this? Thanks
> I have only one machine with the engine and host on it.
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TA5O4NGAC5PRI6WBLWD6YJ3SI2FMTPCD/


[ovirt-users] Re: major network changes

2019-07-25 Thread Derek Atkins
Hi,

carl langlois  writes:

> Strahil, not sure what to put for the --cacert.
>
> Yes Derek your are right at one point the port 8702 stop listening.
>
> tcp6       0      0 127.0.0.1:8702          :::*                    LISTEN      1607/ovirt-engine

Can you try running 'lsof' to figure out what application has that port
open?  Then you can figure out why it's dying.

> After some time the line above disappears. I am trying to figure out why this port
> is being closed after some time when the engine is running on the host on the
> 248.x network. On the 236.x network this port is kept alive all the time.
> If you have any hint on why this port is closing do not hesitate because I am
> starting to be out of ideas. :-)
>
> Thanks & Regards
>
> Carl

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PH5NE5FKZXSQKTDCBVJLAQHYTJ2VZWH5/


[ovirt-users] Re: major network changes

2019-07-24 Thread Derek Atkins
Hi,

carl langlois  writes:

> If I try to access http://ovengine/ovirt-engine/services/health
> I always get "Service Unavailable" in the browser and each time I reload it in
> the browser I get in the error_log
>
>  [proxy_ajp:error] [pid 1868] [client 10.8.1.76:63512] AH00896: failed to make
> connection to backend: 127.0.0.1
> [Tue Jul 23 14:04:10.074023 2019] [proxy:error] [pid 1416] (111)Connection
> refused: AH00957: AJP: attempt to connect to 127.0.0.1:8702 (127.0.0.1) failed

Sounds like a service isn't running on port 8702.

> Thanks & Regards
>
> Carl

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QMW4OB7AIVE2YYU2OYIGZPVW5F4VTLLK/


[ovirt-users] Re: major network changes

2019-07-23 Thread Derek Atkins
>> > >> >>> >>
>> > >> >>> >> Also if I try to do ovs-vsctl list . The list command requires
>> > >> >>> >> a Table name. Not sure what table to use?
>> > >> >>> >>
>> > >> >>> >> Regards
>> > >> >>> >> Carl
>> > >> >>> >>
>> > >> >>> >> On Wed, Jul 17, 2019 at 4:21 AM Miguel Duarte de Mora Barroso <mdbarr...@redhat.com> wrote:
>> > >> >>> >>>
>> > >> >>> >>> On Tue, Jul 16, 2019 at 8:48 PM carl langlois <crl.langl...@gmail.com> wrote:
>> > >> >>> >>> >
>> > >> >>> >>> > Hi
>> > >> >>> >>> >
>> > >> >>> >>> > We are in a process of changing our network connection. Our current
>> > >> >>> >>> > network is using 10.8.256.x and we will change to 10.16.248.x. We
>> > >> >>> >>> > have a HA ovirt cluster (around 10 nodes) currently configured on the
>> > >> >>> >>> > 10.8.256.x. So my question is: is it possible to relocate the ovirt
>> > >> >>> >>> > cluster to the 10.16.248.x?  We have tried to move everything to the
>> > >> >>> >>> > new network without success. All the nodes seem to boot up properly,
>> > >> >>> >>> > our gluster storage also works properly.
>> > >> >>> >>> > When we try to start the hosted-engine it goes up but fails the
>> > >> >>> >>> > liveliness check. We have noticed in the
>> > >> >>> >>> > /var/log/openvswitch/ovn-controller.log that it is trying to connect
>> > >> >>> >>> > to the old IP address of the hosted-engine vm.
>> > >> >>> >>> > 2019-07-16T18:41:29.483Z|01992|reconnect|INFO|ssl: 10.8.236.244:6642: waiting 8 seconds before reconnect
>> > >> >>> >>> > 2019-07-16T18:41:37.489Z|01993|reconnect|INFO|ssl: 10.8.236.244:6642: connecting...
>> > >> >>> >>> > 2019-07-16T18:41:45.497Z|01994|reconnect|INFO|ssl: 10.8.236.244:6642: connection attempt timed out
>> > >> >>> >>> >
>> > >> >>> >>> > So my question is where does the 10.8.236.244 come from.
>> > >> >>> >>>
>> > >> >>> >>> Looks like the ovn controllers were not updated during the network change.
>> > >> >>> >>>
>> > >> >>> >>> The wrong IP is configured within openvswitch, you can see it in the
>> > >> >>> >>> (offending) nodes through "ovs-vsctl list . ". It'll be a key in the
>> > >> >>> >>> 'external_ids' column called 'ovn-remote' .
>> > >> >>> >>>
>> > >> >>> >>> This is not the solution, but a work-around; you could try to
>> > >> >>> >>> configure the ovn controllers via:
>> > >> >>> >>> vdsm-tool ovn-config  > management network>
>> > >> >>> >>>
>> > >> >>> >>> Despite the provided work-around, I really think the hosted engine
>> > >> >>> >>> should have triggered the ansible role that in turn triggers this
>> > >> >>> >>> reconfiguration.
>> > >> >>> >>>
>> > >> >>> >>> Would you open a bug with this information ?
>> > >> >>> >>>
>> > >> >>> >>> >
>> > >> >>> >>> > The routing table for one of our hosts looks like this
>> > >> >>> >>> >
>> > >> >>> >>> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> > >> >>> >>> > default         gateway         0.0.0.0         UG    0      0        0 ovirtmgmt
>> > >> >>> >>> > 10.16.248.0     0.0.0.0         255.255.255.0   U     0      0        0 ovirtmgmt
>> > >> >>> >>> > link-local      0.0.0.0         255.255.0.0     U     1002   0        0 eno1
>> > >> >>> >>> > link-local      0.0.0.0         255.255.0.0     U     1003   0        0 eno2
>> > >> >>> >>> > link-local      0.0.0.0         255.255.0.0     U     1025   0        0 ovirtmgmt
>> > >> >>> >>> >
>> > >> >>> >>> > Any help would be really appreciated.
>> > >> >>> >>> >
>> > >> >>> >>> > Regards
>> > >> >>> >>> > Carl
>> > >> >>> >>> >


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/N4F3Q6CVPZWBMGLHDMVCZHMYN5KLDM4E/


[ovirt-users] Re: assign vm traffic to a physical NIC and Storage traffic to another NIC

2019-07-18 Thread Derek Atkins
Hi,

"Erick Perez"  writes:

> Hi,
> fresh install 
> I have created a network called "storage" and another called "vms" and
> both have vlan 102 tag. Only the "vms" network has the check on "vm
> network".

Why are you using the same VLAN on both networks?  That's probably not a
good idea.

> then on Compute---Hosts---hvm001---setup_host_network 
> physical nic enp3s0f0 has ovirtmgmt and vms networks defined
> physical nic enp3s0f1 has storage network defined
>
> Question is how do I tell ovirt that I want the STORAGE traffic to use
> enp3s0f1 ?
> I am using NFS data domains and I cannot find a place to tell the
> network/physical nic my NFS traffic should use.

I think that is going to be via IP-based routing of your NFS traffic
using the IP range on your 'storage' network.  You DO have different
network blocks on your different lans/vlans, right?

> thanks,

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SMRSVKBWAOKO2AYWXILMFMY6OYEYMZB6/


[ovirt-users] Re: Virtual office, how?

2019-05-20 Thread Derek Atkins
Hi,

andres.b@gmail.com writes:

> I'm trying to be able to create different virtual LANs, where, for
> example, I have 2 groups of pcs
>
> A and B belongs to network N1
> C and D belongs to network N2
>
> N1 and N2 each with its own public IP. For example
> A: Local ip: 192.168.122.100
>
> B: Local ip: 192.168.122.101
>
> C: Local ip: 192.168.122.102
>
> D: Local ip: 192.168.122.103

You've got a few problems here.

First, if you have two networks, N1, and N2, you probably DO NOT want
the same IP Network (192.168.122) on both N1 and N2.  So for your
sanity, if A and B are on N1 and C and D are on N2, you might want to
use:

A: 192.168.10.100
B: 192.168.10.101

C: 192.168.20.100
D: 192.168.20.101

> Where A and B has the same public ip, and C and D has the same public ip.

I'm confused by this.  What do you mean "has the same public ip"?  None
of the IPs here are public, they are all RFC1918 (private network) IPs.
Do you mean that you've got a router, somewhere, that has a reverse NAT
that will translate externally from some public addresses to these
private addresses?

Also, you will need that reverse NAT to be smart about how it routes.
Specifically, once you have an active connection to A or B, it will need
to ensure that the connection continues to the same (A or B) target.

> Now, I want that A can ssh on B, but not on C or D. The same goes for
> C, where C can access to D via ssh but not to A or B

I'm not sure I understand what this means.  What do you mean by "A can
ssh on B"?  This is probably a language issue.  I think you mean that A
and B can ssh to each other but can't reach C or D, and C and D can ssh
to each other but can't reach A or B.

If you renumber as above then you can do that by not routing between
192.168.10.0/24 and 192.168.20.0/24.   However in your original
configuration where all four hosts are on the same 192.168.122.0/24
network, there is no way (at the network level) to prevent A and B from
talking with C and D.

> I'm not sure if OVS solve this problem or not, or if this is not possible.
>
> Is this possible? How?

You can do this with OVS, or even with basic networking, but you will
need to create actual separate networks.

Good Luck,

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LQVJAXSTSU3UXJHAAUXSN2FY2FBHNG47/


[ovirt-users] Re: oVirt Open Source Backup solution?

2019-05-16 Thread Derek Atkins
Jorick Astrego  writes:

> Maybe split it in 2 disks? One OS and one APP/DATA? You can then backup 
> only one. 
>  
> I prefer to do this anyway as I then can just redeploy the OS and attach 
> the second disk to get things back up and running. 

Are you suggesting that /etc and /var should go onto their own disks?
There is lots of configuration in /etc (which is usually in the root
disk) that needs to be backed up.

Also, different apps store configuration and data in different places,
so saying "just put it on a second disk" can be hard.

Sure, it works fine for /home -- but mysql?  imapd?  ...

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WCKEURYZBKGWW5HFECF7OMLBCONFXRKZ/


[ovirt-users] Re: deprecating export domain?

2019-05-15 Thread Derek Atkins
Hi,

"Andreas Elvers"  writes:

> Maybe I overlooked the information, but in recent RHVE 4.3 docs the
> information on how to use the export storage domain has been removed and
> there is no alternative to do so, but to detach a data domain and
> attach it somewhere else. But how can I move my VMs one by one to a
> new storage domain on a different datacenter without completely
> detaching the original storage domain?

I was under the impression that you just needed a regular (second) data
domain in lieu of the (deprecated) export domain.  So you attach a new
data domain, then migrate the VM over to it, then you can detach the
data domain and attach it to another datacenter.

> I don't want to bring down all of my VMs on the old storage domain for
> import. I want to export and import them one by one. When all VMs are
> moved to the new data center only then I want to decommission
> the old data center.
>
> What is the rationale to deprecate the export storage and already
> remove documentation when there seems to be no alternative available?

IANAD, but I believe the rationale was that there was no need for a
"special case" domain.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BYRVO6MDVVLLT6TIPFDYZMRGNDDMC7FA/


[ovirt-users] Re: oVirt Open Source Backup solution?

2019-05-14 Thread Derek Atkins
Strahil Nikolov  writes:

> In such case,
> you use the same approach for the VM in whole - lock + snapshot on oVirt +
> unlock.
> This way you keep OS + app backup in one place, which has its own Pluses and
> Minuses.

Sure  But the minus being it requires SIGNIFICANTLY more space.
I've got over a dozen VMs, all running the same (pretty much) OS.
If I backed up the VM Snapshot there would be 12x space usage for OS
files that I don't need to backup because I can recreate those from the
initial repositories.  Of course, this is at the expense of more time to
restore from the backup.

YMMV.

> Best Regards,
> Strahil Nikolov

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/X3VEPWIQVOM5PCFPL56PZN4RRKBNYXBV/


[ovirt-users] Re: oVirt Open Source Backup solution?

2019-05-14 Thread Derek Atkins
Hi,

I am sorry I was unclear.  Of course the long operation happens with the
DB unlocked.

Once the LVM snapshot is created (from within the locked environment), the
lock is of course released and the backup proceeds from a db-unlocked
environment.

I apologize for my lack of clarity with "and then I backup off the
snapshot" not making that clear.

-derek

On Tue, May 14, 2019 6:20 am, Strahil wrote:
> Derek,
>
> That's risky.
> Just read lock the DB, create the lvm snapshot and release the lock.
> Otherwise you risk a transaction to be  interrupted.
>
> Best Regards,
> Strahil Nikolov
>
> On May 13, 2019 16:47, Derek Atkins wrote:
>>
>> Strahil  writes:
>>
>> > Another option is to create a snapshot, backup the snapshot and merge
>> > the disks (delete the snapshot actually).
>> > Sadly that option doesn't work with Databases, as you might interrupt
>> > a transaction and leave the DB in inconsistent state.
>>
>> Yet another reason to do it from inside the VM.
>>
>> What I do (on systems that have a running database) is to run a "flush"
>> operation to sync the database to disk, and then from within the flush
>> operation I create an LVM snapshot, and then I backup off the snapshot.
>> If I'm not running a database, then I just create the snapshot directly.
>>
>> > Best Regards,
>> > Strahil Nikolov
>>
>> -derek
>> --
>>    Derek Atkins 617-623-3745
>>    de...@ihtfp.com www.ihtfp.com
>>    Computer and Internet Security Consultant


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3LQMSRLUHRBXNLGUHAIHZNEES7WWDHMJ/
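
The ordering discussed in this thread (flush and lock, create the LVM snapshot from inside the lock, release the lock, then back up off the snapshot) as an added example; it is not code from any poster. It assumes MySQL/MariaDB with a client that permits the `\!` shell escape, rdiff-backup as the copy tool, and hypothetical names (`vg0`, `data`, `/backup/db`).

```shell
#!/bin/sh
# Added example (constructed). Assumed, not from the thread: MySQL/MariaDB,
# volume group vg0, logical volume "data" holding the datadir, target /backup/db.
VG=${VG:-vg0}
LV=${LV:-data}
SNAP=${SNAP:-${LV}_snap}
SNAP_SIZE=${SNAP_SIZE:-2G}      # copy-on-write space for writes made during the backup
MNT=${MNT:-/mnt/$SNAP}
MOUNT_OPTS=${MOUNT_OPTS:-ro}    # XFS needs "ro,nouuid": the snapshot shares the origin's UUID
DEST=${DEST:-/backup/db}
DRY_RUN=${DRY_RUN:-1}           # 1 = print the plan only, 0 = execute it

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Statements for ONE mysql client session. The global read lock lasts only as
# long as the session that took it, so lvcreate is started from inside that
# session (client shell escape \!) and the lock is released right afterwards.
lock_snapshot_unlock_sql() {
    cat <<EOF
FLUSH TABLES WITH READ LOCK;
\\! lvcreate --snapshot --size $SNAP_SIZE --name $SNAP /dev/$VG/$LV
UNLOCK TABLES;
EOF
}

backup_once() {
    if [ "$DRY_RUN" = 1 ]; then
        lock_snapshot_unlock_sql | sed 's/^/mysql> /'
    else
        lock_snapshot_unlock_sql | mysql || return 1
        # lvcreate ran through the shell escape, so mysql's exit status does not
        # reflect it: confirm the snapshot device exists before relying on it.
        [ -e "/dev/$VG/$SNAP" ] || { echo "snapshot was not created" >&2; return 1; }
    fi

    # The database is unlocked from here on; the slow copy reads the frozen snapshot.
    run mkdir -p "$MNT" &&
        run mount -o "$MOUNT_OPTS" "/dev/$VG/$SNAP" "$MNT" &&
        run rdiff-backup "$MNT" "$DEST"
    rc=$?

    # Always drop the snapshot: one left behind fills its CoW space and goes invalid.
    run umount "$MNT"
    run lvremove -f "/dev/$VG/$SNAP"
    return "$rc"
}

# "sh script.sh run" executes for real; without the argument nothing is run.
if [ "${1:-}" = "run" ]; then
    DRY_RUN=0
    backup_once
fi
```

Calling `backup_once` with the default `DRY_RUN=1` prints the planned steps in order, which is a quick way to confirm that the unlock comes before the copy.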


[ovirt-users] Re: New to OVirt

2019-05-13 Thread Derek Atkins
Hi,

When I installed oVirt (on CentOS 7.2 using 4.0.x in October 2016) I
used the following sets of instructions:

https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/self-hosted-engine-guide/chapter-2-deploying-self-hosted-engine
http://www.ovirt.org/documentation/how-to/hosted-engine/#fresh-install

I did take a few trials to get it right.

I made sure I had CentOS fully installed, set up my local file systems,
NFS (for storage domains), permissions, networking, etc.  Then I
installed and did the hosted-engine --deploy

Then in the hosted engine VM I also installed CentOS manually and
installed the hosted engine itself.

It did take me a while to get it all right.  I did need to run
hosted-engine-cleanup.sh at least once.  :)

But it's been very solid for almost 3 years now.  I'm due for another
upgrade soon.

-derek

Slobodan Stevanovic  writes:

> I am currently at the point that I am thinking of giving up and start playing
> more with Proxmox.
>
> Do you guys have any suggestion on what instructions I should use? I just want
> to setup something to get a better idea on how everything works before I go to
> more advanced things.
>
> Currently, downloading Ovirt Node from 
> https://www.ovirt.org/download/node.html and running Cockpit does not work
> for me.   
>
> On Friday, May 10, 2019, 7:54:39 PM PDT,  wrote:
>
> I'm glad to hear I'm in the minority!  I had the worst luck with struggling to
> get it loaded, then once it was loaded, it ran great, until it didn't, and having
> to wait and wait for it to load while the host rebooted and trying to figure
> out why it wasn't coming up just drove me crazy.  Although I ran it on 3 nodes
> so I had to track down where it migrated to.
>

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PEUEBQAGOO323ODAMF4KSPYILAUUDAP3/


[ovirt-users] Re: oVirt Open Source Backup solution?

2019-05-13 Thread Derek Atkins
Strahil  writes:

> Another option is to create a snapshot, backup the snapshot and merge
> the disks (delete the snapshot actually).
> Sadly that option doesn't work with Databases, as you might interrupt
> a transaction and leave the DB in inconsistent state.

Yet another reason to do it from inside the VM.

What I do (on systems that have a running database) is to run a "flush"
operation to sync the database to disk, and then from within the flush
operation I create an LVM snapshot, and then I backup off the snapshot.
If I'm not running a database, then I just create the snapshot directly.

> Best Regards,
> Strahil Nikolov

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JS6YVB3S33VYLPEQTUE3UJVZOBBO5W7H/


[ovirt-users] Re: New to OVirt

2019-05-10 Thread Derek Atkins
The only issue I've had is that it can take 15 minutes before the HE 
starts...  And I have to ensure the host is taken out of maintenance mode 
manually.  Beyond that, it has recovered from many updates, reboots, and 
power hits without intervention.



-derek
Sent using my mobile device. Please excuse any typos.
On May 10, 2019 9:16:02 PM Dmitry Filonov  wrote:
I have used both hosted and standalone engine and can tell that so far I 
had more issues with hosted engine than with standalone one.
Not like huge issues, but something like you put host in to global HA 
maintenance, then update hosted engine, reboot and... and it doesn't start.

Not a big deal, but for a new user it might be a bit confusing.
So I am with Michael, if you are just starting to use oVirt then it's better to 
have a standalone engine at first. And then migrate it over into hosted 
environment when you are comfortable to do so.


Fil


--
Dmitry Filonov
Linux Administrator
SBGrid Core | Harvard Medical School
250 Longwood Ave, SGM-114
Boston, MA 02115


On Fri, May 10, 2019 at 9:00 PM Vincent Royer  wrote:
Disagree, I've had some pretty significant meltdowns and if you can't access 
hosted engine, go have a drink and try again... It comes up.  Its ability to 
self-repair and find a scrap of a host to run on is pretty impressive.



On Fri, May 10, 2019, 2:18 PM Derek Atkins  wrote:
I've been running hosted engine on a single host for a few years now with
no issue.  I did redo my initial install several times but it's been fine
ever since. I started at 4.0.x and have gone through multiple OS and ovirt
upgrades with few issues.

-derek
Sent using my mobile device. Please excuse any typos.
On May 10, 2019 4:47:12 PM mich...@wanderingmad.com wrote:


Honestly?  don't do hosted engine deployment first.  If you're just getting
started with ovirt, you're going to waste weeks on getting hosted engine
running, and then I guarantee once it's running, it's not going to come up
when you need it most.  Just load your single host, and then load the
engine on a separate VM/Machine to manage it.  I have the engine running on
a separate machine so just in case there is a host issue, you can still
access the engine to fix it.
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MQZS7XR4OEDDPMKKA3HCHXNEW5LTXCBN/


[ovirt-users] Re: New to OVirt

2019-05-10 Thread Derek Atkins
I've been running hosted engine on a single host for a few years now with 
no issue.  I did redo my initial install several times but it's been fine 
ever since. I started at 4.0.x and have gone through multiple OS and ovirt 
upgrades with few issues.


-derek
Sent using my mobile device. Please excuse any typos.
On May 10, 2019 4:47:12 PM mich...@wanderingmad.com wrote:

Honestly?  don't do hosted engine deployment first.  If you're just getting 
started with ovirt, you're going to waste weeks on getting hosted engine 
running, and then I guarantee once it's running, it's not going to come up 
when you need it most.  Just load your single host, and then load the 
engine on a separate VM/Machine to manage it.  I have the engine running on 
a separate machine so just in case there is a host issue, you can still 
access the engine to fix it.

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TRJGHLOBJB2GQPW32FAXKSE6DWSUO5H5/


[ovirt-users] Re: oVirt Open Source Backup solution?

2019-05-10 Thread Derek Atkins
Hi,

Michael Blanchard  writes:

> If you haven't seen my other posts, I'm not a very experienced Linux admin, so
> I'm trying to make it as easy as possible to run and maintain.  It's hard
> enough for me to not break ovirt in crazy ways

This has nothing to do with ovirt.

You could use rdiff-backup on any running machine, be it virtual or bare
metal.  It's just a way to use a combination of diff and rsync to backup
machines.  Indeed, I was using it with my vmware-based systems and, when
I migrated them to ovirt, the backups just continued working.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CBMHSCOBQ3MQHK2CFK6KYGBD2TSSOYAA/


[ovirt-users] Re: oVirt Open Source Backup solution?

2019-05-09 Thread Derek Atkins
mich...@wanderingmad.com writes:

> Is there a good low to no-cost solution to backup oVirt and the
> virtual machines?  I've been unable to find something that will do a
> direct VM backup instead of a backup agent installed on VM

I just use rdiff-backup inside my VMs.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/Z52SMCGN2SYDB2I2QLBYM5TZZL6HYPX7/


[ovirt-users] Re: How to replace vMware infrastructure with oVirt

2019-01-25 Thread Derek Atkins
Hi,

"Mannish Kumar"  writes:

> Hi,
>
> I have two Esxi hosts managed by VMware vCenter Server. I want to
> create a similar infrastructure with oVirt. I know that oVirt is
> similar to VMware vCenter Server but not sure what to replace the Esxi
> hosts with in oVirt Environment.
>
> I am looking to build oVirt with Self-Hosted Engine. It would be a great
> help if someone could help me to build this.

I migrated from the old vmware-server to oVirt a few years ago.  I
exported my VMs as OVA and then imported them into oVirt.  Some of them
imported immediately, some took several hours.  But this was all with
oVirt 4.0 and older versions of virt-v2v, so some of my issues may have
been fixed.

I would recommend you build a new oVirt infra first, migrate your VMs,
and then, if you want, you can repurpose your existing hardware for
additional nodes.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7KRVXC6O75VD56E7LYZD6GMS2M2OIIHL/


[ovirt-users] Re: Centos7.6

2018-12-06 Thread Derek Atkins
Sandro Bonazzola  writes:

> oVirt 4.2.7 is already compatible with CentOS 7.6.
> I think that right now it's the best time to upgrade both oVirt and CentOS.

Is it safe to upgrade straight from 4.1.9 on 7.4 to 4.2.7 on 7.6?

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M5BKGNLWKKU2WXDIVGNNDBODUJXVRUTI/


[ovirt-users] Re: RAID L1/L5/L10 + NFS Loopback Benchmarks

2018-11-28 Thread Derek Atkins
Simone Tiraboschi  writes:

> On Wed, Nov 21, 2018 at 10:08 AM Andrei Verovski  wrote:
>
> Hi !
>
> Deadlock of NFS loopback happens with 3.10 stock kernel from CentOS 7.6
> only or also with 4.x mainline ?
>
> I use 4.x mainline on my nodes.
>
> AFAIK is still an open issue.
>

FWIW, I've been running with an NFS loopback and have never, in 3+
years, had an issue.  On the other hand, I am very over-provisioned and
under-subscribed on RAM, so it probably never really gets into a
situation where it has to swap.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JDWIDN2YE7TL5IU4G3TCB2CVFMQU7AUE/


[ovirt-users] Re: Managing multiple oVirt installs?

2018-09-03 Thread Derek Atkins
Configure a single FreeIPA domain for all deployments?  And maybe use 
oauth? (not sure if ovirt supports the latter, and it's unclear if the 
former works for your environment).  But that's the only option I can think 
of to support multiple engines.


-derek
Sent using my mobile device. Please excuse any typos.
On September 3, 2018 10:10:23 AM "femi adegoke"  
wrote:



Lets say you have 10 clients & each client has a 3 node oVirt install.
I would prefer to not login into 10 different HE portals.

How can I log in once & manage all 10 instances of oVirt?
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/A5COP2VHEFIMEY2RLKZRC6W3EIJO66Q6/



List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OF646S7W3BVFISXEMX6CYCO24VXYDMBR/


[ovirt-users] Re: ovirt selfhost error

2018-08-28 Thread Derek Atkins
Hi,

mustafa.taha.m...@gmail.com writes:

> when i use hosted-engine --vm-status
>
> this will appear 
[snip]

Did you actually install and configure the hosted-engine VM?

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
   warl...@mit.edu                        PGP key available
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AFEIXOFOQVZ3GMY6A6Z7RLBWKMMQDEXZ/


[ovirt-users] Re: oVirt: single host install

2018-06-05 Thread Derek Atkins
Hi,

Sahina Bose  writes:

> I'm running loopback NFS and I've not encountered any issues.  I've been
> running this way since 2016-10-22.  I did not understand Gluster enough
> and wasn't sure how I could make a "replica 1" -- everything seemed to
> imply you *NEEDED* 3 gluster hosts.  So I went with what I knew -- NFS.
>
> We did add support for single node gluster volume in 4.2 - see 
> https://www.ovirt.org/documentation/gluster-hyperconverged/chap-Single_node_hyperconverged/

Good to know, and thank you for the link.  I started with 4.0, which
explains why I did not go this route.  I've upgraded along the way, but
the upgrades won't let me easily change out the underlying storage
mechanisms without fully reinstalling the HE.

Still, next time I do a system refresh I'll definitely consider this.

Thanks,

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
   warl...@mit.edu                        PGP key available
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DMFFYTGWYBOHNDIT3VVJRM3BBXTB6AFX/


[ovirt-users] Re: oVirt: single host install

2018-05-25 Thread Derek Atkins
Hi,

Justin Zygmont <jzygm...@proofpoint.com> writes:

>> This is true -- I have to bring everything down when I want to upgrade the 
>> system, especially the host itself.  So I don't upgrade as often as I might 
>> if I had multiple hosts where I could migrate.
>>
>> How can you do it without a second host and importing with a temporary 
>> storage domain?
>
>> I just shut everything down.  So long as it's planned my users can handle a
>> 30-60 minute outage.  And this is only when I update the host.
>> I can update the Engine on its own, and often will update my VMs
>> simultaneously to minimize downtime.  But I'm okay with some downtime.
>
> I see, so you just did an in place update of engine I guess, what if
> you want to update the node as well, and install a new HE?  You'd lose
> the locally stored NFS domains.  Or what if the engine update stuffs
> up, there'd be no way to access the admin portal right?

Yes, log into engine and run:

  yum update 'ovirt-*-setup'

Then engine-setup.

As for the host, I'm not using Node.  It's just a regular CentOS system
with the ovirt host software installed.  I update it the normal way
you'd update any other CentOS system: yum update

I don't understand what you mean by "install a new HE"?  If this is a
single-host system, what do you mean by installing a new hosted engine?
If you're asking about starting with one host and adding a second host,
then that returns back to the previous statement that you'd have to
migrate HE to a new (Gluster-based) storage system.  If you stayed with
NFS, then your "master host" could never go down or your HE would also go
down (because its [NFS-based] storage would go away).

You're right that if the Engine update breaks somehow then the admin
portal would go away -- but I'm never updating systems through the
portal.  It's always via SSH (or worst case local console on the host).

If the engine update breaks so much that even ssh won't work, then I'm
definitely in trouble.  That's what backups are for!  :)

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
   warl...@mit.edu                        PGP key available


[ovirt-users] Re: Using remote viewer outside lan

2018-05-23 Thread Derek Atkins
Hi,

Aziz <azizgst...@gmail.com> writes:

> Hi all,
>
> I am able to access my VMs from LAN using remote Viewer, however this is not
> working from outside LAN, my setup is as follow: 
>
> 1. Controller in a separate HW machine
> 2. Host in a server 
>
> When checking the console.vv file, I see that it includes the local IP address
> of the host + port 5900. Is there a way to force ovirt to generate a
> console.vv file with public IP port when the user tries to connect from
> Internet and another file with lan IP when the user tries to connect from LAN.
>
> Any hint on how to set this feature up ?

I don't think you can set up a different IP based on the connection
source. What I would recommend is setting up a web proxy on your ovirt
host and then tell it to always use the proxy.  Specifically, always use
the public IP address.

Of course, this assumes you can reach the public IP from inside your
network.  If you can't, then you might have a bigger issue.

> Best regards

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
   warl...@mit.edu                        PGP key available


[ovirt-users] Re: oVirt: single host install

2018-05-23 Thread Derek Atkins
Hi,

Justin Zygmont <jzygm...@proofpoint.com> writes:

> -Original Message-
> From: Derek Atkins [mailto:warl...@mit.edu] 
> Sent: Monday, May 21, 2018 8:33 AM
> To: Simone Tiraboschi <stira...@redhat.com>
> Cc: users <users@ovirt.org>; ov...@fateknollogee.com
> Subject: [ovirt-users] Re: oVirt: single host install
>
> Hi,
>
> Simone Tiraboschi <stira...@redhat.com> writes:
>
>> On Mon, May 21, 2018 at 7:49 AM, <ov...@fateknollogee.com> wrote:
>>
>> Use case: small sites with a minimum number of vm's.
>>
>> Is there such a thing as a single host install?
>>
>> In the past we had the all-in-one mode but we deprecated it.
>> Now the suggested mode is hosted-engine since you could expand it 
>> adding other hosts in the future.
>>  
>
> Sounds like "local storage" is useless then?

IMHO, yes.  When I installed (4.0) you could not use it for
hosted-engine storage.  Don't know if that changed, but what's the point
of using different storage methods?  I already had to set up a local NFS
(or theoretically Gluster) for HE -- so might as well re-use that for my
main storage too!

> I am running in this configuration and have had little problem.  I migrated 
> from an old vmware-server platform, and, modulo a few hiccups along the way 
> and a few false starts as I was installing ovirt, it's been pretty stable for 
> me!
>
> Did you use NFS for all storage domains?  

Yes.

Both HE and Main Data storage domains are backed by SSD.
My ISO domain is backed by spinning rust.

>> Is it valid for production use?
>>
>> With a single host the upgrades will become more intrusive: without 
>> the capability to migrate your VMs on other hosts at upgrade time, you 
>> will be required to bring down everything.
>>  
>
> This is true -- I have to bring everything down when I want to upgrade the 
> system, especially the host itself.  So I don't upgrade as often as I might 
> if I had multiple hosts where I could migrate.
>
> How can you do it without a second host and importing with a temporary 
> storage domain?

I just shut everything down.  So long as it's planned my users can
handle a 30-60 minute outage.  And this is only when I update the host.
I can update the Engine on its own, and often will update my VMs
simultaneously to minimize downtime.  But I'm okay with some downtime.

-derek

PS: I don't know what mailer you used, but I had a very hard time
differentiating your responses from mine.  Hopefully I did not miss one
of your questions.
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
   warl...@mit.edu                        PGP key available


[ovirt-users] Re: oVirt: single host install

2018-05-21 Thread Derek Atkins
Hi,

Simone Tiraboschi <stira...@redhat.com> writes:

> On Mon, May 21, 2018 at 7:49 AM, <ov...@fateknollogee.com> wrote:
>
> Use case: small sites with a minimum number of vm's.
>
> Is there such a thing as a single host install?
>
> In the past we had the all-in-one mode but we deprecated it.
> Now the suggested mode is hosted-engine since you could expand it adding other
> hosts in the future.
>  

I am running in this configuration and have had little problem.  I
migrated from an old vmware-server platform, and, modulo a few hiccups
along the way and a few false starts as I was installing ovirt, it's
been pretty stable for me!

> Is it valid for production use?
>
> With a single host the upgrades will become more intrusive: without the
> capability to migrate your VMs on other hosts at upgrade time, you will be
> required to bring down everything.
>  

This is true -- I have to bring everything down when I want to upgrade
the system, especially the host itself.  So I don't upgrade as often as
I might if I had multiple hosts where I could migrate.

> What kind of storage?
>
> NFS in loopback could be problematic, I'd suggest gluster in replica 1 or
> iSCSI.

I'm running loopback NFS and I've not encountered any issues.  I've been
running this way since 2016-10-22.  I did not understand Gluster enough
and wasn't sure how I could make a "replica 1" -- everything seemed to
imply you *NEEDED* 3 gluster hosts.  So I went with what I knew -- NFS.

This might be problematic if I move forward to a multi-host platform as
I'll have to "migrate" my storage -- specifically for hosted-engine --
which IIRC requires a re-install (or some other drastic measure).

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
   warl...@mit.edu                        PGP key available


Re: [ovirt-users] How to setup users to see a subset of VMs in oVirt

2018-03-06 Thread Derek Atkins
Hi,

Jean Pickard <ggkkr...@gmail.com> writes:

> Hello,
> I need to create user accounts in oVirt that can only manage a specific set of
> VMs and I don't want them to see any other ones.
> example:
> User1 can only see VM1, VM2, VM3, VM4
> User2 can only see VM5, VM6, VM7
> Admin can see all of them.
> How do I accomplish this?

Just set the permissions on the VMs.
It works quite well.

> Thank you,
>
> Payman Vazinkhoo

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Power off VM from VM portal

2018-03-06 Thread Derek Atkins
Hi,

Alexandr Krivulya <shur...@shurik.kiev.ua> writes:

> Hi,
>
> is there any way to power off VM from VM portal (4.2.1.7)? I can't
> find "power off" button, just "shutdown".

I don't know about 4.2, but in 4.1 and 4.0 there is a right-click
context menu that gives you access to the Power Off feature.  If that
doesn't work (ISTR discussion about removing that context menu), then
there must be a different way to access it now.

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [ovirt-users] OVS not running / logwatch error after upgrade from 4.0.6 to 4.1.8

2018-01-21 Thread Derek Atkins
Hi,

I tried creating the directory but then it complained about missing log
files.

I think I'm just going to block out the logwatch file.

It's annoying that the default config bleats out.

Thanks for the feedback.

-derek

Darrell Budic <bu...@onholyground.com> writes:

> OVS is an optional tech preview in 4.1.x, you don’t need it. It is annoying
> about the logwatch errors though…
>
> I think I created the directory to avoid the errors, I forgot exactly what it
> was, sorry.
>
> ------
> From: Derek Atkins <de...@ihtfp.com>
> Subject: [ovirt-users] OVS not running / logwatch error after upgrade from
> 4.0.6 to 4.1.8
> Date: January 19, 2018 at 10:44:56 AM CST
> To: users
>
> Hi,
> I recently upgraded my 1-host ovirt deployment from 4.0.6 to 4.1.8.
> Since then, the host has been reporting a cron.daily error:
>
> /etc/cron.daily/logrotate:
>
> logrotate_script: line 4: cd: /var/run/openvswitch: No such file or
> directory
>
> This isn't surprising, since:
>
> # systemctl status openvswitch
> ● openvswitch.service - Open vSwitch
>   Loaded: loaded (/usr/lib/systemd/system/openvswitch.service; disabled;
> vendor preset: disabled)
>   Active: inactive (dead)
>
> The host was just upgraded by "yum update".
> Was there anything special that needed to happen after the update?
> Do I *NEED* OVS running?
> The VMs all seem to be behaving properly.
>
> Thanks,
>
> -derek
>
> --
>   Derek Atkins 617-623-3745
>   de...@ihtfp.com www.ihtfp.com
>   Computer and Internet Security Consultant
>

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [ovirt-users] OVS not running / logwatch error after upgrade from 4.0.6 to 4.1.8

2018-01-19 Thread Derek Atkins

It is /var/run/openvswitch
However it will need to be recreated on every reboot.

-derek
Sent using my mobile device. Please excuse any typos.



On January 19, 2018 3:54:44 PM Darrell Budic <bu...@onholyground.com> wrote:

OVS is an optional tech preview in 4.1.x, you don’t need it. It is annoying 
about the logwatch errors though…


I think I created the directory to avoid the errors, I forgot exactly what 
it was, sorry.



From: Derek Atkins <de...@ihtfp.com>
Subject: [ovirt-users] OVS not running / logwatch error after upgrade from 
4.0.6 to 4.1.8

Date: January 19, 2018 at 10:44:56 AM CST
To: users

Hi,
I recently upgraded my 1-host ovirt deployment from 4.0.6 to 4.1.8.
Since then, the host has been reporting a cron.daily error:

/etc/cron.daily/logrotate:

logrotate_script: line 4: cd: /var/run/openvswitch: No such file or directory

This isn't surprising, since:

# systemctl status openvswitch
● openvswitch.service - Open vSwitch
  Loaded: loaded (/usr/lib/systemd/system/openvswitch.service; disabled;
vendor preset: disabled)
  Active: inactive (dead)

The host was just upgraded by "yum update".
Was there anything special that needed to happen after the update?
Do I *NEED* OVS running?
The VMs all seem to be behaving properly.

Thanks,

-derek

--
  Derek Atkins 617-623-3745
  de...@ihtfp.com www.ihtfp.com
  Computer and Internet Security Consultant



[ovirt-users] OVS not running / logwatch error after upgrade from 4.0.6 to 4.1.8

2018-01-19 Thread Derek Atkins
Hi,
I recently upgraded my 1-host ovirt deployment from 4.0.6 to 4.1.8.
Since then, the host has been reporting a cron.daily error:

/etc/cron.daily/logrotate:

logrotate_script: line 4: cd: /var/run/openvswitch: No such file or directory

This isn't surprising, since:

# systemctl status openvswitch
● openvswitch.service - Open vSwitch
   Loaded: loaded (/usr/lib/systemd/system/openvswitch.service; disabled;
vendor preset: disabled)
   Active: inactive (dead)

The host was just upgraded by "yum update".
Was there anything special that needed to happen after the update?
Do I *NEED* OVS running?
The VMs all seem to be behaving properly.

Thanks,

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [ovirt-users] 4.1.8: Run Once does not allow me to choose a CD Image to attach

2018-01-17 Thread Derek Atkins
Hi,

On Wed, January 17, 2018 11:13 am, Pavel Novotny wrote:
>
> On 16.1.2018 21:05, Derek Atkins wrote:
>> Hi,
>>
>> I upgraded from 4.0.6 to 4.1.8.  I had created a VM in 4.0.6 but had
>> never started it nor had I ever run it before I upgraded.  I then
>> upgraded to 4.1.8 (which went very smoothly), but then I tried to use
>> the Run Once function to boot up and attach an ISO Image.  However when
>> I select Run Once, then Boot Options, the "Attach CD" option is
>> unchecked and won't let me select it like I could in 4.0.6.  If I try to
>> select the checkbox I see the popup flash but the box remains unchecked.
>
> Hi Derek,
>
> this reminds me UX bug https://bugzilla.redhat.com/1516311
> It has been filed for 4.2, but it affects also 4.1.x.
> It happens when the browser window width is less than approx. 1200 px,
> if it is your case.

Interesting.  Yes, xwininfo reports a geometry of 1105x883 for my browser
window.

What an interesting bug.  Why would it assume it's a mobile view?  and
even if it IS a mobile view, why disable the functionality?

At least the Edit dialog still works, but it's still annoying.

I've added myself to that bug.

Thanks,

> -Pavel

-derek

>>
>> Is this a bug/regression in 4.1.8?
>>
>> I did clear my browser cache thinking that might be it, but no, that
>> didn't help.
>>
>> The only thing I could do was Edit the VM, go to Boot options, select it
>> there (which I could do) and then choose the ISO.  THEN I could run it
>> with the CD attached.
>>
>> Thanks,
>>
>> -derek
>
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



[ovirt-users] 4.1.8: Run Once does not allow me to choose a CD Image to attach

2018-01-16 Thread Derek Atkins
Hi,

I upgraded from 4.0.6 to 4.1.8.  I had created a VM in 4.0.6 but had
never started it nor had I ever run it before I upgraded.  I then
upgraded to 4.1.8 (which went very smoothly), but then I tried to use
the Run Once function to boot up and attach an ISO Image.  However when
I select Run Once, then Boot Options, the "Attach CD" option is
unchecked and won't let me select it like I could in 4.0.6.  If I try to
select the checkbox I see the popup flash but the box remains unchecked.

Is this a bug/regression in 4.1.8?

I did clear my browser cache thinking that might be it, but no, that
didn't help.

The only thing I could do was Edit the VM, go to Boot options, select it
there (which I could do) and then choose the ISO.  THEN I could run it
with the CD attached.

Thanks,

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

2018-01-16 Thread Derek Atkins
Hi,

I upgraded to EL7.4 / oVirt 4.1.8 last night.
I must say it was easier than expected, so kudos to all the devs.
I did have a few hiccups along the way, mostly of my own making.
The one main hiccup is that the ovirt-40-dependencies package links to a
CentOS repo that no longer exists, and that caused lots of pain.  I had to
manually disable two repos to get the upgrade to work.
Note:  Nowhere in the docs does it say to remove the ovirt-release40
package, either before OR after the upgrade!

Having said that, my ovirt host now reports:

# bash spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux
3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64
CPU is Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  YES
> STATUS:  NOT VULNERABLE  (106 opcodes found, which is >= 70, heuristic
to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available:  YES
* The SPEC_CTRL CPUID feature bit is set:  YES
*   Kernel support for IBRS:  YES
*   IBRS enabled for Kernel space:  YES
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

Do I need to enable IBRS for User space?
If so, how would that be done?

Thanks!

-derek

On Mon, January 15, 2018 1:10 pm, Yaniv Kaul wrote:
> On Mon, Jan 15, 2018 at 6:28 PM, Derek Atkins <de...@ihtfp.com> wrote:
>
>> Thanks.
>>
>> I guess it still boils down to updating to 7.4.  :(
>>
>> In the short term, will Ovirt 4.0 continue to run in 7.4?  Or MUST I
>>
>
> We don't know, but I would assume NO. Every minor release of EL required
> some small adjustments to expected and unexpected changes in the platform.
> We have worked with 4.1 to support 7.3 and then 7.4, I would not presume
> 4.0 works with it.
> Y.
>
>
>> upgrade both the OS and ovirt simultaneously?  My time is very short
>> over
>> the next few weeks (I'm moving) so I'd like to get as much bang for the
>> buck with as little down time as possible.  I can't spend 12 hours of my
>> time working to repair a botched upgrade from 4.0 to 4.1 or 4.2.
>>
>> Thanks again!
>>
>> -derek
>>
>> On Mon, January 15, 2018 11:05 am, Arman Khalatyan wrote:
>> > If you see that after the update of your OS dmesg shows RED alert in
>> > the spectra check script in the second position then you should follow
>> > the intel's read.me.
>> > As in readme described on Centos 7.4:
>> > rsync  -Pa intel-ucode /lib/firmware/
>> > On the recent kernels(>2.6.xx) the dd method does not work, don't do that.
>> > To confirm that microcode loaded:
>> > dmesg | grep micro
>> > look for the release dates.
>> > But I believe that v4 should be already in the microcode_ctl package of
>> > the CentOS7.4 ( in my case 2650v2 was not inside, but the  v3 and v4
>> > were there)
>> > I have a script to enable or disable the protection so you can see the
>> > performance impact on your case:
>> > https://arm2armcos.blogspot.de/2018/01/lustrefs-big-performance-hit-on-lfs.html
>> >
>> >
>> >
>> > On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <de...@ihtfp.com> wrote:
>> >> Arman,
>> >>
>> >> Thanks for the info...  And sorry for taking so long to reply.  It's
>> >> been a busy weekend.
>> >>
>> >> First, thank you for the links.  Useful information.
>> >>
>> >> However, could you define "recent"?  My system is from Q3 2016.  Is that
>> >> considered recent enough to not need a bios update?
>> >>
>> >> My /proc/cpuinfo reports:
>> >> model name  : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
>> >>
>> >> I downloaded the microcode.tgz file, which is dated Jan 8.  I noticed
>> >> that the microcode_ctl package in my repo is dated Jan 4, which
>> implies
>> >> it probably does NOT contain the Jan 8 tgz from Intel.  It LOOKS like
>>
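
Added example, not part of the original message: a parser for a saved spectre-meltdown-checker text report in the layout quoted above. It pairs each CVE with its STATUS line and lists the individual checks that did not answer YES, such as the user-space IBRS line asked about. The sample report is constructed and abridged from that layout, other versions of the tool may print a different format, and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the report layout quoted in the thread.
SAMPLE_REPORT = """\
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  YES
> STATUS:  NOT VULNERABLE  (106 opcodes found, which is >= 70, heuristic
to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available:  YES
*   Kernel support for IBRS:  YES
*   IBRS enabled for Kernel space:  YES
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
> STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+\[([^\]]+)\]")
CHECK_RE = re.compile(r"^\*\s+(.+?):\s+(YES|NO|UNKNOWN)\s*$")
STATUS_RE = re.compile(
    r"^>\s*STATUS:\s+(NOT VULNERABLE|VULNERABLE|UNKNOWN)\b\s*(.*)$")


def parse_report(text):
    """Return {cve_id: {"name", "status", "reason", "checks"}} from a report."""
    report, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CVE_RE.match(line)
        if m:
            current = {"name": m.group(2), "status": None,
                       "reason": "", "checks": []}
            report[m.group(1)] = current
            continue
        if current is None or not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"], current["reason"] = m.group(1), m.group(2)
            continue
        m = CHECK_RE.match(line)
        if m:
            current["checks"].append((m.group(1).strip(), m.group(2)))
        elif current["status"] and not line.startswith("*"):
            # A wrapped continuation of the STATUS explanation.
            current["reason"] += " " + line
    return report


def review(report):
    """List items for manual review.

    The STATUS line is the tool's verdict; a check that answered NO is not
    necessarily a weakness, it is only surfaced so it can be looked at.
    """
    findings = []
    for cve, entry in report.items():
        if entry["status"] != "NOT VULNERABLE":
            findings.append((cve, "status", entry["status"] or "missing"))
        for label, answer in entry["checks"]:
            if answer != "YES":
                findings.append((cve, label, answer))
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for cve, entry in parsed.items():
        print(cve, entry["status"], entry["reason"])
    for cve, label, answer in review(parsed):
        print("REVIEW", cve, label, answer)
```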

Re: [ovirt-users] hosted-engine unknow stale-data

2018-01-16 Thread Derek Atkins

Why are both hosts reporting as ovirt 1?
Look at the hostname fields to see what I mean.

-derek
Sent using my mobile device. Please excuse any typos.



On January 16, 2018 7:11:09 AM Artem Tambovskiy 
 wrote:



Hello,

Yes, I followed exactly the same procedure while reinstalling the hosts
(the only difference that I have SSH key configured instead of the
password).

Just reinstalled the second host one more time, after 20 min the host still
haven't reached active score of 3400 (Hosted Engine HA:Not Active) and I
still don't see crown icon for this host.

hosted-engine --vm-status  from ovirt1 host

[root@ovirt1 ~]# hosted-engine --vm-status


--== Host 1 status ==--

conf_on_shared_storage : True
Status up-to-date  : True
Hostname   : ovirt1.telia.ru
Host ID: 1
Engine status  : {"health": "good", "vm": "up",
"detail": "up"}
Score  : 3400
stopped: False
Local maintenance  : False
crc32  : 3f94156a
local_conf_timestamp   : 349144
Host timestamp : 349144
Extra metadata (valid at timestamp):
metadata_parse_version=1
metadata_feature_version=1
timestamp=349144 (Tue Jan 16 15:03:45 2018)
host-id=1
score=3400
vm_conf_refresh_time=349144 (Tue Jan 16 15:03:45 2018)
conf_on_shared_storage=True
maintenance=False
state=EngineUp
stopped=False


--== Host 2 status ==--

conf_on_shared_storage : True
Status up-to-date  : False
Hostname   : ovirt1.telia.ru
Host ID: 2
Engine status  : unknown stale-data
Score  : 0
stopped: True
Local maintenance  : False
crc32  : c7037c03
local_conf_timestamp   : 7530
Host timestamp : 7530
Extra metadata (valid at timestamp):
metadata_parse_version=1
metadata_feature_version=1
timestamp=7530 (Fri Jan 12 16:10:12 2018)
host-id=2
score=0
vm_conf_refresh_time=7530 (Fri Jan 12 16:10:12 2018)
conf_on_shared_storage=True
maintenance=False
state=AgentStopped
stopped=True


hosted-engine --vm-status output from ovirt2 host

[root@ovirt2 ovirt-hosted-engine-ha]# hosted-engine --vm-status


--== Host 1 status ==--

conf_on_shared_storage : True
Status up-to-date  : False
Hostname   : ovirt1.telia.ru
Host ID: 1
Engine status  : unknown stale-data
Score  : 3400
stopped: False
Local maintenance  : False
crc32  : 6d3606f1
local_conf_timestamp   : 349264
Host timestamp : 349264
Extra metadata (valid at timestamp):
metadata_parse_version=1
metadata_feature_version=1
timestamp=349264 (Tue Jan 16 15:05:45 2018)
host-id=1
score=3400
vm_conf_refresh_time=349264 (Tue Jan 16 15:05:45 2018)
conf_on_shared_storage=True
maintenance=False
state=EngineUp
stopped=False


--== Host 2 status ==--

conf_on_shared_storage : True
Status up-to-date  : False
Hostname   : ovirt1.telia.ru
Host ID: 2
Engine status  : unknown stale-data
Score  : 0
stopped: True
Local maintenance  : False
crc32  : c7037c03
local_conf_timestamp   : 7530
Host timestamp : 7530
Extra metadata (valid at timestamp):
metadata_parse_version=1
metadata_feature_version=1
timestamp=7530 (Fri Jan 12 16:10:12 2018)
host-id=2
score=0
vm_conf_refresh_time=7530 (Fri Jan 12 16:10:12 2018)
conf_on_shared_storage=True
maintenance=False
state=AgentStopped
stopped=True


Also I saw some log messages in webGUI about time drift like

"Host ovirt2.telia.ru has time-drift of 5305 seconds while maximum
configured value is 300 seconds." that is a bit weird as haven't touched
any time settings since I installed the cluster.
both host have the same time and timezone (MSK) but hosted engine lives in
UTC timezone. Is it mandatory to have everything in sync and in the same
timezone?

Regards,
Artem






On Tue, Jan 16, 2018 at 2:20 PM, Kasturi Narra  wrote:


Hello,

 I now see that your hosted engine is up and running. Can you let me
know how did you try reinstalling the host? Below is the 
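
The comparison suggested at the top of this message (looking at the Hostname field of each host entry), as an added example that is not part of the original thread: a parser for `hosted-engine --vm-status` text output that flags a hostname reported under more than one Host ID and entries whose status is not up to date. The sample text is constructed from the output layout quoted above, with a placeholder hostname; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the fields the check needs; the layout
# follows the `hosted-engine --vm-status` output quoted in the thread.
SAMPLE = """\
--== Host 1 status ==--

conf_on_shared_storage : True
Status up-to-date  : True
Hostname   : ovirt1.example.org
Host ID: 1
Engine status  : {"health": "good", "vm": "up", "detail": "up"}
Score  : 3400
stopped: False
Extra metadata (valid at timestamp):
metadata_parse_version=1
host-id=1

--== Host 2 status ==--

conf_on_shared_storage : True
Status up-to-date  : False
Hostname   : ovirt1.example.org
Host ID: 2
Engine status  : unknown stale-data
Score  : 0
stopped: True
"""

SECTION_RE = re.compile(r"^--== Host (\d+) status ==--\s*$")
FIELD_RE = re.compile(r"^([A-Za-z][\w \-]*?)\s*:\s*(.*)$")


def parse_vm_status(text):
    """Return a list of dicts, one per '--== Host N status ==--' section."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = {"section": int(m.group(1))}
            hosts.append(current)
            continue
        if current is None:
            continue
        # Only "name : value" summary fields match; the key=value lines of
        # the "Extra metadata" block and wrapped values are skipped.
        m = FIELD_RE.match(line)
        if m:
            current.setdefault(m.group(1).strip(), m.group(2).strip())
    return hosts


def find_problems(hosts):
    """Flag duplicate hostnames across host IDs and stale status entries."""
    problems = []
    by_name = defaultdict(list)
    for h in hosts:
        by_name[h.get("Hostname", "").lower()].append(h.get("Host ID", "?"))
    for name, ids in sorted(by_name.items()):
        if name and len(ids) > 1:
            problems.append(
                f"hostname {name} reported by host IDs {', '.join(ids)}")
    for h in hosts:
        if h.get("Status up-to-date") != "True":
            problems.append(
                f"host ID {h.get('Host ID', '?')}: status not up to date "
                f"(engine status: {h.get('Engine status', 'n/a')})")
    return problems


if __name__ == "__main__":
    for problem in find_problems(parse_vm_status(SAMPLE)):
        print("WARN", problem)
```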

Re: [ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

2018-01-15 Thread Derek Atkins
Thanks.

I guess that means I need to upgrade both OS and Ovirt simultaneously. 
And if I recall correctly I need to upgrade my hosted engine first and
then upgrade the host?  (This is a single-host hosted-engine setup).

I've never actually upgraded an ovirt release beyond point releases (I
started with 4.0, and currently run 4.0.6).  I did upgrade from 7.2 to
7.3, which was relatively straightforward.  My plan is to follow the
instructions at https://www.ovirt.org/release/4.1.0/ -- will the
engine-setup also wind up pulling in the OS update?  I suppose I can run a
yum update after running engine-setup?

Thanks,

-derek

On Mon, January 15, 2018 1:10 pm, Yaniv Kaul wrote:
> On Mon, Jan 15, 2018 at 6:28 PM, Derek Atkins <de...@ihtfp.com> wrote:
>
>> Thanks.
>>
>> I guess it still boils down to updating to 7.4.  :(
>>
>> In the short term, will Ovirt 4.0 continue to run in 7.4?  Or MUST I
>>
>
> We don't know, but I would assume NO. Every minor release of EL required
> some small adjustments to expected and unexpected changes in the platform.
> We have worked with 4.1 to support 7.3 and then 7.4, I would not presume
> 4.0 works with it.
> Y.
>
>
>> upgrade both the OS and ovirt simultaneously?  My time is very short
>> over
>> the next few weeks (I'm moving) so I'd like to get as much bang for the
>> buck with as little down time as possible.  I can't spend 12 hours of my
>> time working to repair a botched upgrade from 4.0 to 4.1 or 4.2.
>>
>> Thanks again!
>>
>> -derek
>>
>> On Mon, January 15, 2018 11:05 am, Arman Khalatyan wrote:
>> > If you see that after the update of your OS dmesg shows RED alert in
>> > the spectre check script in the second position then you should follow
>> > the intel's read.me.
>> > As in readme described on Centos 7.4:
>> > rsync  -Pa intel-ucode /lib/firmware/
>> > On the recent kernels(>2.6.xx) the dd method does not work, don't do
>> > that.
>> > To confirm that microcode loaded:
>> > dmesg | grep micro
>> > look for the release dates.
>> > But I believe that v4 should be already in the microcode_ctl package of
>> > the CentOS7.4 ( in my case 2650v2 was not inside, but the  v3 and v4
>> > were there)
>> > I have a script to enable or disable the protection so you can see the
>> > performance impact on your case:
>> > https://arm2armcos.blogspot.de/2018/01/lustrefs-big-performance-hit-on-lfs.html
>> >
>> >
>> >
>> > On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <de...@ihtfp.com> wrote:
>> >> Arman,
>> >>
>> >> Thanks for the info...  And sorry for taking so long to reply.  It's
>> >> been a busy weekend.
>> >>
>> >> First, thank you for the links.  Useful information.
>> >>
>> >> However, could you define "recent"?  My system is from Q3 2016.  Is that
>> >> considered recent enough to not need a bios update?
>> >>
>> >> My /proc/cpuinfo reports:
>> >> model name  : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
>> >>
>> >> I downloaded the microcode.tgz file, which is dated Jan 8.  I noticed
>> >> that the microcode_ctl package in my repo is dated Jan 4, which implies
>> >> it probably does NOT contain the Jan 8 tgz from Intel.  It LOOKS like I
>> >> can just replace the intel-ucode files with those from the tgz, but I'm
>> >> not sure what, if anything, I need to do with the microcode.dat file in
>> >> the tgz?
>> >>
>> >> Thanks,
>> >>
>> >> -derek
>> >>
>> >> Arman Khalatyan <arm2...@gmail.com> writes:
>> >>
>> >>> if you have recent supermicro you don't need to update the bios,
>> >>>
>> >>> Some tests:
>> >>> Crack test:
>> >>> https://github.com/IAIK/meltdown
>> >>>
>> >>> Check test:
>> >>> https://github.com/speed47/spectre-meltdown-checker
>> >>>
>> >>> the intel microcodes  you can find here:
>> >>> https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=41447
>> >>> good luck.
>> >>> Arman.
>> >>>
>> >>>
>> >>>
>> >>> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <de...@ihtfp.com> wrote:
>> >>>> Hi,
>> >>>>
>> >

Re: [ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

2018-01-15 Thread Derek Atkins
Thanks.

I guess it still boils down to updating to 7.4.  :(

In the short term, will Ovirt 4.0 continue to run in 7.4?  Or MUST I
upgrade both the OS and ovirt simultaneously?  My time is very short over
the next few weeks (I'm moving) so I'd like to get as much bang for the
buck with as little down time as possible.  I can't spend 12 hours of my
time working to repair a botched upgrade from 4.0 to 4.1 or 4.2.

Thanks again!

-derek

On Mon, January 15, 2018 11:05 am, Arman Khalatyan wrote:
> If you see that after the update of your OS dmesg shows RED alert in
> the spectre check script in the second position then you should follow
> the intel's read.me.
> As in readme described on Centos 7.4:
> rsync  -Pa intel-ucode /lib/firmware/
> On the recent kernels(>2.6.xx) the dd method does not work, don't do that.
> To confirm that microcode loaded:
> dmesg | grep micro
> look for the release dates.
> But I believe that v4 should be already in the microcode_ctl package of
> the CentOS7.4 ( in my case 2650v2 was not inside, but the  v3 and v4
> were there)
> I have a script to enable or disable the protection so you can see the
> performance impact on your case:
> https://arm2armcos.blogspot.de/2018/01/lustrefs-big-performance-hit-on-lfs.html
>
>
>
> On Mon, Jan 15, 2018 at 4:28 PM, Derek Atkins <de...@ihtfp.com> wrote:
>> Arman,
>>
>> Thanks for the info...  And sorry for taking so long to reply.  It's
>> been a busy weekend.
>>
>> First, thank you for the links.  Useful information.
>>
>> However, could you define "recent"?  My system is from Q3 2016.  Is that
>> considered recent enough to not need a bios update?
>>
>> My /proc/cpuinfo reports:
>> model name  : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
>>
>> I downloaded the microcode.tgz file, which is dated Jan 8.  I noticed
>> that the microcode_ctl package in my repo is dated Jan 4, which implies
>> it probably does NOT contain the Jan 8 tgz from Intel.  It LOOKS like I
>> can just replace the intel-ucode files with those from the tgz, but I'm
>> not sure what, if anything, I need to do with the microcode.dat file in
>> the tgz?
>>
>> Thanks,
>>
>> -derek
>>
>> Arman Khalatyan <arm2...@gmail.com> writes:
>>
>>> if you have recent supermicro you don't need to update the bios,
>>>
>>> Some tests:
>>> Crack test:
>>> https://github.com/IAIK/meltdown
>>>
>>> Check test:
>>> https://github.com/speed47/spectre-meltdown-checker
>>>
>>> the intel microcodes  you can find here:
>>> https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=41447
>>> good luck.
>>> Arman.
>>>
>>>
>>>
>>> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <de...@ihtfp.com> wrote:
>>>> Hi,
>>>>
>>>> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
>>>>
>>>>> No one likes downtime but I suspect this is one of those serious
>>>>> vulnerabilities that you really really must be protected against.
>>>>> That being said, before planning downtime, check your HW vendor for
>>>>> firmware or Intel for microcode for the host first.
>>>>> Without it, there's not a lot of protection anyway.
>>>>> Note that there are 4 steps you need to take to be fully protected: CPU,
>>>>> hypervisor, guests and guest CPU type - plan ahead!
>>>>> Y.
>>>>
>>>> Is there a HOW-To written up somewhere on this?  ;)
>>>>
>>>> I built the hardware from scratch myself, so I can't go off to Dell or
>>>> someone for this.  So which do I need, motherboard firmware or Intel
>>>> microcode?  I suppose I need to go to the motherboard manufacturer
>>>> (Supermicro) to look for updated firmware?  Do I also need to look at
>>>> Intel?  Is this either-or or a "both" situation?  Of course I have no idea
>>>> how to reflash new firmware onto this motherboard -- I don't have DOS.
>>>>
>>>> As you can see, planning I can do.  Execution is more challenging ;)
>>>>
>>>> Thanks!
>>>>
>>>>>> > Y.
>>>>
>>>> -derek
>>>>
>>>> --
>>>>Derek Atkins 617-623-3745
>>>>de...@ihtfp.com www.ihtfp.com
>>>>Computer and Internet Security Consultant
>>>>
>>>
>>>
>>
>> --
>>Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
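
The microcode check described in the quoted message above ("dmesg | grep micro", then look at the dates), combined with the kernel's per-CVE status files, as an added example that is not part of the original thread. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities; the function names, the WANT_DATE threshold and all sample revisions, dates and status strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and
# every sample value below is constructed.

# Print the distinct microcode revisions in a /proc/cpuinfo-style file.
ucode_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# Read dmesg-style text on stdin and print the newest "date = YYYY-MM-DD"
# the microcode driver logged. Prints nothing if no date was logged.
ucode_loaded_date() {
    sed -n 's/.*microcode.*date = \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p' |
        sort | tail -n 1
}

# Succeed if the loaded microcode is dated on or after $1 (YYYY-MM-DD).
# Returns 2 when dmesg carries no date, so "unknown" is not read as "old".
# ISO dates sort lexicographically, so a plain sort decides the order.
ucode_at_least() {
    want=$1
    have=$(ucode_loaded_date)
    [ -n "$have" ] || return 2
    newest=$(printf '%s\n%s\n' "$want" "$have" | sort | tail -n 1)
    [ "$newest" = "$have" ]
}

# List the status files that are missing or still say "Vulnerable".
# $1 is a directory laid out like /sys/devices/system/cpu/vulnerabilities.
unmitigated() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in meltdown spectre_v1 spectre_v2; do
        [ -r "$dir/$f" ] || { echo "$f: not reported by this kernel"; continue; }
        status=$(cat "$dir/$f")
        case $status in
            Vulnerable*) echo "$f: $status" ;;
        esac
    done
}

# --- constructed sample data, so the example runs offline ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'model name\t: Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz\n' > "$demo/cpuinfo"
printf 'microcode\t: 0xb00001f\n' >> "$demo/cpuinfo"
cat > "$demo/dmesg" <<'EOF'
[    0.000000] microcode: microcode updated early to revision 0xb00001f, date = 2016-05-20
[    1.234567] microcode: sig=0x406f1, pf=0x1, revision=0xb00001f
EOF
mkdir "$demo/vuln"
echo 'Mitigation: PTI'                    > "$demo/vuln/meltdown"
echo 'Mitigation: Load fences'            > "$demo/vuln/spectre_v1"
echo 'Vulnerable: Retpoline without IBPB' > "$demo/vuln/spectre_v2"

# Constructed threshold. Take the real one from the vendor's release notes for
# your CPU model: the date in dmesg is the microcode's own build date, which
# is not the same as the date on the downloaded tarball or the RPM.
WANT_DATE=2017-11-01

echo "loaded revision(s): $(ucode_revisions "$demo/cpuinfo")"
if ucode_at_least "$WANT_DATE" < "$demo/dmesg"; then
    echo "microcode is dated $WANT_DATE or later"
else
    echo "microcode is older than $WANT_DATE (or no date was logged)"
fi
unmitigated "$demo/vuln"

# On a real host: dmesg | ucode_at_least <date> ; unmitigated
```
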


Re: [ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

2018-01-15 Thread Derek Atkins
Arman,

Thanks for the info...  And sorry for taking so long to reply.  It's
been a busy weekend.

First, thank you for the links.  Useful information.

However, could you define "recent"?  My system is from Q3 2016.  Is that
considered recent enough to not need a bios update?

My /proc/cpuinfo reports:
model name  : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz

I downloaded the microcode.tgz file, which is dated Jan 8.  I noticed
that the microcode_ctl package in my repo is dated Jan 4, which implies
it probably does NOT contain the Jan 8 tgz from Intel.  It LOOKS like I
can just replace the intel-ucode files with those from the tgz, but I'm
not sure what, if anything, I need to do with the microcode.dat file in
the tgz?

Thanks,

-derek

Arman Khalatyan <arm2...@gmail.com> writes:

> if you have recent supermicro you don't need to update the bios,
>
> Some tests:
> Crack test:
> https://github.com/IAIK/meltdown
>
> Check test:
> https://github.com/speed47/spectre-meltdown-checker
>
> the intel microcodes  you can find here:
> https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=41447
> good luck.
> Arman.
>
>
>
> On Thu, Jan 11, 2018 at 4:32 PM, Derek Atkins <de...@ihtfp.com> wrote:
>> Hi,
>>
>> On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:
>>
>>> No one likes downtime but I suspect this is one of those serious
>>> vulnerabilities that you really really must be protected against.
>>> That being said, before planning downtime, check your HW vendor for
>>> firmware or Intel for microcode for the host first.
>>> Without it, there's not a lot of protection anyway.
>>> Note that there are 4 steps you need to take to be fully protected: CPU,
>>> hypervisor, guests and guest CPU type - plan ahead!
>>> Y.
>>
>> Is there a HOW-To written up somewhere on this?  ;)
>>
>> I built the hardware from scratch myself, so I can't go off to Dell or
>> someone for this.  So which do I need, motherboard firmware or Intel
>> microcode?  I suppose I need to go to the motherboard manufacturer
>> (Supermicro) to look for updated firmware?  Do I also need to look at
>> Intel?  Is this either-or or a "both" situation?  Of course I have no idea
>> how to reflash new firmware onto this motherboard -- I don't have DOS.
>>
>> As you can see, planning I can do.  Execution is more challenging ;)
>>
>> Thanks!
>>
>>>> > Y.
>>
>> -derek
>>
>> --
>>    Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>>
>
>

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

2018-01-11 Thread Derek Atkins
Hi,

On Thu, January 11, 2018 9:53 am, Yaniv Kaul wrote:

> No one likes downtime but I suspect this is one of those serious
> vulnerabilities that you really really must be protected against.
> That being said, before planning downtime, check your HW vendor for
> firmware or Intel for microcode for the host first.
> Without it, there's not a lot of protection anyway.
> Note that there are 4 steps you need to take to be fully protected: CPU,
> hypervisor, guests and guest CPU type - plan ahead!
> Y.

Is there a HOW-To written up somewhere on this?  ;)

I built the hardware from scratch myself, so I can't go off to Dell or
someone for this.  So which do I need, motherboard firmware or Intel
microcode?  I suppose I need to go to the motherboard manufacturer
(Supermicro) to look for updated firmware?  Do I also need to look at
Intel?  Is this either-or or a "both" situation?  Of course I have no idea
how to reflash new firmware onto this motherboard -- I don't have DOS.

As you can see, planning I can do.  Execution is more challenging ;)

Thanks!

>> > Y.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

2018-01-11 Thread Derek Atkins
Yaniv Kaul <yk...@redhat.com> writes:

> On Mon, Jan 8, 2018 at 7:32 PM, Derek Atkins <warl...@mit.edu> wrote:
>
> Michal Skrivanek <michal.skriva...@redhat.com> writes:
>
> > > If there are Patches necessary will there also be updates for
> > > ovirt 4.1 or only 4.2?
> >
> > 4.1 will be covered
>
> What about 4.0?  Or will that not be covered because it depends on 7.3,
> which also isn't covered??
>
> It will not be covered because we have 4.1 and 4.2 out, both of which we take
> care of.

I was afraid of that.  So I will need to upgrade to at least 7.4/4.1 to
get this fixed.   I'll need to find some time to do that.  :(

My users don't like having downtime..  and this is a single-host system.

> Y.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [ovirt-users] Are Ovirt updates nessessary after CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

2018-01-08 Thread Derek Atkins
Michal Skrivanek <michal.skriva...@redhat.com> writes:

> > If there are Patches necessary will there also be updates for ovirt 4.1 or
> > only 4.2?
>
> 4.1 will be covered

What about 4.0?  Or will that not be covered because it depends on 7.3,
which also isn't covered??

Thanks,

-derek
-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH
   warl...@mit.eduPGP key available


Re: [ovirt-users] Ovirt 4.0

2018-01-08 Thread Derek Atkins
Hi,

On Mon, January 8, 2018 9:44 am, Yaniv Kaul wrote:
> On Mon, Jan 8, 2018 at 4:27 PM, Marktvk <mark...@xs4all.nl> wrote:
>
>> Hello Correct.
>>
>> But I can not do this for a reason. I hope ovirt will bring a kvm
>> upgrade
>> for 4.0 the security issue at this moment with CPU's ( intel)
>>
>
> You could upgrade your CPU firmware and get up-to-date packages, but what
> about the new CPU types for the guests?
> There are no plans to backport the patch for them[1] to 4.0 (though I
> assume you could patch your own engine with it!).
> Y.
>
> [1] https://gerrit.ovirt.org/#/c/85998/

I've been only minimally following this discussion as I've had other
things on my plate, but I'm in a similar situation here -- I'm running 4.0
(on EL7.3) on a single host and would rather not upgrade my ovirt
infrastructure to 4.1/4.2 just to get the security fixes for these CPU
bugs.

I don't mind upgrading my host (or engine) to el7.4, provided I can
continue to use ovirt 4.0

But I don't understand what "new CPU types" would be here, or even why
they would be required, to fix these security issues.  Perhaps I need a
more basic primer about what actually needs to be patched to fix an ovirt
system against these speculative execution bugs.

Obviously the host systems need to be patched, and KVM most likely needs
to be patched.  But do I then need to patch each of my guests?  Do I need
to reconfigure anything else?

Is there a minimalist "how to" here?

-derek

>
>> I believe you most upgrade to 4.1 first, and then to 4.2.
>>
>>
>>
>> On Jan 8, 2018 6:00 AM, "Marktvk" <mark...@xs4all.nl> wrote:
>>
>> Hello,
>>
>>
>> We have now running ovirt 4.0 for a specific reason we can not upgrade to
>> the new version.
>>
>> If possible for 1 time to upgrade qemu-kvm to the new version for the
>> fix with processors today ?
>>
>>
>> I hope so.
>>
>>
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [ovirt-users] Auto-starting VMS in a all-in-one / confusion.

2017-11-27 Thread Derek Atkins
Hi,

On Mon, November 27, 2017 1:58 pm, CRiMSON wrote:
> I've been digging thru mailing lists and blogs and I'm a bit confused about
> how you have VMs auto-start after a reboot in a ovirt system that is setup
> as all-in-one.
>
> From what I can gather this can be achieved via some startup scripts (or a
> rc.local foo).
>
> But there is no setting inside the WebUI that can be set to achieve this?
>
> Or have I missed something.

You have not missed anything.  As of right now there is nothing in the
WebUI to configure this.  It can only be done by startup scripts.  Me, I
run my script on my hosted-engine VM.

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [ovirt-users] Issue with a LACP bond interface.

2017-11-03 Thread Derek Atkins
Gianluca Cecchi <gianluca.cec...@gmail.com> writes:

> On Thu, Nov 2, 2017 at 2:45 PM, CRiMSON <crim...@unspeakable.org> wrote:
>
> What is the *proper* way. Cause I've come across quite a few different
> ways reading on this how to get it done. Some say do it by hand, others
> say never do it by hand use the vdsClient, others say do it this way. I
> mean between forum posts, blogs, it seems there are multiple ways to do
> this. With no concrete "This is how you should do it"
>
> Through the GUI in admin portal. Main page about logical network is here:
> https://ovirt.org/documentation/admin-guide/chap-Logical_Networks/
>
> Near the end of the page there is the section regarding Bonds, how to create
> them and also how to configure with particular customization.

That works if you want to add to the bond.  It doesn't work if you want
to completely remove/change the bond (because -- oops -- you'll lose
connectivity)!

> HIH,
> Gianluca

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [ovirt-users] Issue with a LACP bond interface.

2017-11-01 Thread Derek Atkins
You need to save the network configuration.  Ovirt calls it "persist".  I 
don't know the vdsClient command but there is one to save the network 
configuration.


-derek
Sent using my mobile device. Please excuse any typos.



On November 1, 2017 9:07:01 PM CRiMSON  wrote:


The config details:

[root@lv426 network-scripts]# cat ifcfg-bond0
# Generated by VDSM version 4.19.31-1.el7.centos
DEVICE=bond0
BONDING_OPTS='mode=4 lacp_rate=1 miimon=100 xmit_hash_policy=2'
BRIDGE=ovirtmgmt
ONBOOT=yes
MTU=1500
DEFROUTE=no
NM_CONTROLLED=no
IPV6INIT=no

[root@lv426 network-scripts]# cat ifcfg-eno1
# Generated by VDSM version 4.19.31-1.el7.centos
DEVICE=eno1
MASTER=bond0
SLAVE=yes
ONBOOT=yes
MTU=1500
DEFROUTE=no
NM_CONTROLLED=no
IPV6INIT=no

[root@lv426 network-scripts]# cat ifcfg-enp11s0
# Generated by VDSM version 4.19.31-1.el7.centos
DEVICE=enp11s0
MASTER=bond0
SLAVE=yes
ONBOOT=yes
DEFROUTE=no
NM_CONTROLLED=no
IPV6INIT=no

[root@lv426 network-scripts]# cat ifcfg-enp2s0f0
# Generated by VDSM version 4.19.31-1.el7.centos
DEVICE=enp2s0f0
MASTER=bond0
SLAVE=yes
ONBOOT=yes
MTU=1500
DEFROUTE=no
NM_CONTROLLED=no
IPV6INIT=no

[root@lv426 network-scripts]# cat ifcfg-enp2s0f1
# Generated by VDSM version 4.19.31-1.el7.centos
DEVICE=enp2s0f1
MASTER=bond0
SLAVE=yes
ONBOOT=yes
MTU=1500
DEFROUTE=no
NM_CONTROLLED=no
IPV6INIT=no

[root@lv426 network-scripts]# cat ifcfg-ovirtmgmt
# Generated by VDSM version 4.19.31-1.el7.centos
DEVICE=ovirtmgmt
TYPE=Bridge
DELAY=0
STP=off
ONBOOT=yes
BOOTPROTO=dhcp
MTU=1500
DEFROUTE=yes
NM_CONTROLLED=no
IPV6INIT=no
DNS1=10.100.100.1
DNS2=10.1.2.2

[root@lv426 network-scripts]# cat /proc/net/bonding/bond0 |grep Slave
Slave Interface: eno1
Slave queue ID: 0
Slave Interface: enp2s0f0
Slave queue ID: 0
Slave Interface: enp2s0f1
Slave queue ID: 0
Slave Interface: enp11s0
Slave queue ID: 0

As you can see by the above all 4 interfaces are configured and up properly
and working.

I've configured them using the command:

 vdsClient -s 0 setupNetworks bondings='{bond0:{nics:eno1+enp11s0+enp2s0f0+enp2s0f1,options:mode=4 lacp_rate=1 miimon=100 xmit_hash_policy=2}}'

It's all good.

But when I reboot interface3 enp11s0 is not part of the bond,

[root@lv426 ~]# cat /proc/net/bonding/bond0 |grep Slave
Slave Interface: eno1
Slave queue ID: 0
Slave Interface: enp2s0f0
Slave queue ID: 0
Slave Interface: enp2s0f1
Slave queue ID: 0

And looks like it's had its bonding config removed by VDSM.

[root@lv426 network-scripts]# cat ifcfg-enp11s0
# Generated by VDSM version 4.19.31-1.el7.centos
DEVICE=enp11s0
ONBOOT=yes
MTU=1500
NM_CONTROLLED=no

If I re-run the vdsClient command and ifdown/ifup the interface it
happily rejoins the bond and carries on working perfectly.

For the life of me I can't figure out what I'm missing / done wrong.
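
A post-reboot check for the failure described in this message, as an added example that is not part of the original post: for each NIC that is supposed to be in the bond, it reports whether the ifcfg file still enslaves it and whether the kernel lists it as a slave. The function names are hypothetical, and the sample files are a constructed copy of the post-reboot state shown above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Succeed if the ifcfg file for NIC $2 in directory $1 enslaves it to bond $3.
ifcfg_enslaved() {
    grep -Eq "^MASTER=\"?$3\"?\$" "$1/ifcfg-$2" 2>/dev/null
}

# Succeed if the kernel lists NIC $2 as a slave in bonding status file $1
# (a file laid out like /proc/net/bonding/bond0).
kernel_enslaved() {
    grep -q "^Slave Interface: $2\$" "$1" 2>/dev/null
}

# bond_check IFCFG_DIR STATUS_FILE BOND NIC...
# Prints one line per intended NIC and returns non-zero if any of them is
# missing from either the on-disk config or the running bond.
bond_check() {
    dir=$1
    status=$2
    bond=$3
    shift 3
    rc=0
    for nic in "$@"; do
        cfg=no
        run=no
        ifcfg_enslaved "$dir" "$nic" "$bond" && cfg=yes
        kernel_enslaved "$status" "$nic" && run=yes
        echo "$nic: ifcfg=$cfg kernel=$run"
        [ "$cfg" = yes ] && [ "$run" = yes ] || rc=1
    done
    return $rc
}

# --- constructed sample data mirroring the post-reboot state in the post ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
for nic in eno1 enp2s0f0 enp2s0f1; do
    printf 'DEVICE=%s\nMASTER=bond0\nSLAVE=yes\nONBOOT=yes\n' "$nic" \
        > "$demo/ifcfg-$nic"
done
# enp11s0 as rewritten after the reboot: no MASTER= or SLAVE= lines left.
printf 'DEVICE=enp11s0\nONBOOT=yes\nMTU=1500\nNM_CONTROLLED=no\n' \
    > "$demo/ifcfg-enp11s0"
cat > "$demo/bond0" <<'EOF'
Slave Interface: eno1
Slave queue ID: 0
Slave Interface: enp2s0f0
Slave queue ID: 0
Slave Interface: enp2s0f1
Slave queue ID: 0
EOF

# The intended member list is the one passed to setupNetworks in the post.
bond_check "$demo" "$demo/bond0" bond0 eno1 enp11s0 enp2s0f0 enp2s0f1 ||
    echo "bond0 is missing at least one intended member"

# On a real host:
#   bond_check /etc/sysconfig/network-scripts /proc/net/bonding/bond0 bond0 <nics>
```

A NIC that shows ifcfg=no after a reboot was dropped from the saved configuration, not just from the running bond, which is the case the reply at the top of this message attributes to the configuration not having been persisted.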





Re: [ovirt-users] How to change network card configuration under bridge on host?

2017-10-12 Thread Derek Atkins
Hi,

Derek Atkins <de...@ihtfp.com> writes:

> How do I convince ovirt to stop overwriting those files?  Or how do I
> tell ovirt about the new configuration?

For the record, the answer was that I needed to change the VDSM
persistence files and then it swapped over to the new devices.  It took
me a few hours to both track this down and get the files formatted
correctly.

> Thanks,
>
> -derek

-derek

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


[ovirt-users] How to change network card configuration under bridge on host?

2017-10-06 Thread Derek Atkins
Hi,

I've got a single host running CentOS 7.3 + Ovirt 4.0.6 with hosted
engine.  I'm having network issues (see previous email thread) and the
next thing I'm going to try is to add a new network card and use that
instead of the onboard ethernet on the mobo.  However it looks like
/etc/sysconfig/network-scripts/ifcfg-* get replaced every time the host
restarts.

Right now it's configured with:

  eno1, eno2 -> bond0 -> ovirtmgmt

I accomplished this by setting up the bond by hand on the host before I
installed the hosted engine, but then ovirt "took control" of the
configuration.  I want to change this to replace eno1 and eno2 with the
two new devices when I add the new card tomorrow.  What's the best way
to do this?

I suppose I can just add the new devices as bond0 slaves pretty easily
by creating new ifcfg-xxx files for the new devices (I'm assuming they
will be eno3 and eno4) that looks similar to the eno1 and eno2 files.
However I'd like to also remove eno1 and eno2 from bond0.  Yet I suspect
if I change ifcfg-eno1 and ifcfg-eno2 by hand, they will just get
replaced at the next reboot by ovirt.

How do I convince ovirt to stop overwriting those files?  Or how do I
tell ovirt about the new configuration?

Thanks,

-derek
-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [ovirt-users] Ovirt causing strange network issues?

2017-10-04 Thread Derek Atkins
Hi,

I've done a lot more testing today.  I've narrowed the issues down to
two specific VMs.  When I'm running either of these two VMs I get
horrific network performance.  When both of those two are stopped, my
network is just fine (like 99% of the time).

I've been spending the day gathering packet dumps.  I'm running
wireshark on my host listening to the ovirtmgmt bridge (which is my only
network).  So, that SHOULD be capturing everything, right?

I have not noticed anything out of the ordinary except for one odd
thing -- correlated with my network wonkiness wireshark reports a bunch
of duplicate or out-of-order TCP packets!  I'll just note that
correlation does not imply causation, but I'm not seeing anything else
out of the ordinary.  I certainly don't see anything that would imply
I've been hacked.

Is there something with CentOS/ovirt-host/vdsm networking that could
cause this?  Or could it be a router issue?  Specifically my host and my
hosted-engine are on separate logical networks (different /24s) but
both networks are on the same physical wire; my router, an ERPro8, uses
a single interface with both /24s assigned and routes between them.  But
some of the duplicate/out-of-order was for the periodic host <-> engine
health checks.

Still, I'm not sure why it's these two specific VMs that are causing my
issues, other than that they have the most amount of network traffic
coming/going.  If it IS a router problem (the router is relatively new,
and also updated with the latest firmware), I'm honestly not sure how to
properly test that.

Any more ideas where I can look, or what I can/should be looking for?
I'm extremely comfortable with internet technologies (25+ years
experience) but this has got me stumped!

Thanks,

-derek

Jason Keltz <j...@cse.yorku.ca> writes:

> Derek,
> Have you used tcpdump to check what network traffic is coming out of
> your box? Is it possible that it is some kind of DoS attack from
> outside in or that your VM was compromised and is attacking other
> external hosts?
>
> Hope you get to the bottom of it!
> Jason.
>
> Sent with AquaMail for Android
> http://www.aqua-mail.com
>
>
> On October 2, 2017 4:56:54 PM Derek Atkins <de...@ihtfp.com> wrote:
>
>> Hi,
>>
>> I'm at my wits end so I'm tossing this here in the hopes that SOMEONE
>> will be able to help me.
>>
>> tl;dr: Ovirt is doing something on my network that is causing my fiber
>> modem to go from 3-5ms to 300-1000+ms round trip times.  I know it's
>> ovirt because when I unplug ovirt from my network the issue goes away;
>> when I plug it back in, the issue recurs.
>>
>> Long version:
>>
>> I've been running Ovirt 4.0.6 happily on CentOS 7.3 for several months
>> on a single host machine. Indeed, the host had an uptime of 200+ days
>> and was working great until approximately midnight, September 21/22
>> (just over a week ago).  I was on an airplane halfway across the
>> Atlantic at that time, so it wasn't anything I did.
>>
>> My network is configured as:
>>
>>   fiber modem <-> edgerouter <-> switch <-> everything else
>>
>> ovirt is living in the "everything else" area.
>>
>> When I sit with a laptop connected to either the everything else range
>> or even directly connected to the fiber modem, I run 'mtr' and see
>> network times (starting at the fiber modem) that bounce all over the
>> place.  When I unplug ovirt I see consistent 3-5ms times.  Plug it back
>> in, voom, back up to badness.
>>
>> I've spent several hours plugging and unplugging different devices
>> trying to isolate the issue.  The only "device" that has any effect is
>> my ovirt box.
>>
>> I have tried to debug this in several ways, but really the only thing
>> that seems to have helped at all is shutting down all the VMs and the
>> hosted engine.  Once nothing else is running (but the host itself), only
>> then does the network seem to return to normal.
>>
>> I'm really at my wits end on this; I have no idea what is causing this
>> or what might have changed to cause the issue right at that time.  I
>> also can't imagine what ovirt is doing over the network that could cause
>> the modem, two physical hops away, to lose its mind in this way.  But my
>> experimentation is definitely showing a direct correlation.
>>
>> Help!!
>>
>> -derek
>>
>> --
>>Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>>
>
>
>
>
>

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant


Re: [ovirt-users] Ovirt causing strange network issues?

2017-10-03 Thread Derek Atkins
Hi,

Yes, I have (well, wireshark, but effectively the same thing).
Nothing is standing out.

I'm trying to visually coordinate the wireshark traces with my mtr run to
try to see "what's going on when my RTTs skyrocket".  Honestly the only
correlation I'm seeing is that it's when the ovirt host is checking the
ovirt engine health (and I get a bunch of TCP out of order messages).

I've already ruled out overflow of my Arris modem NAT/forwarding table.
I've already ruled out Ethernet Pause Frames.

I don't understand how something inside my network can affect the Arris in
such a profound way across both the switch and router.

-derek

On Tue, October 3, 2017 7:38 am, Jason Keltz wrote:
> Derek,
> Have you used tcpdump to check what network traffic is coming out of your
> box? Is it possible that it is some kind of DoS attack from outside in or
> that your VM was compromised and is attacking other external hosts?
>
> Hope you get to the bottom of it!
> Jason.
>
> Sent with AquaMail for Android
> http://www.aqua-mail.com
>
>
> On October 2, 2017 4:56:54 PM Derek Atkins <de...@ihtfp.com> wrote:
>
>> Hi,
>>
>> I'm at my wits end so I'm tossing this here in the hopes that SOMEONE
>> will be able to help me.
>>
>> tl;dr: Ovirt is doing something on my network that is causing my fiber
>> modem to go from 3-5ms to 300-1000+ms round trip times.  I know it's
>> ovirt because when I unplug ovirt from my network the issue goes away;
>> when I plug it back in, the issue recurs.
>>
>> Long version:
>>
>> I've been running Ovirt 4.0.6 happily on CentOS 7.3 for several months
>> on a single host machine. Indeed, the host had an uptime of 200+ days
>> and was working great until approximately midnight, September 21/22
>> (just over a week ago).  I was on an airplane halfway across the
>> Atlantic at that time, so it wasn't anything I did.
>>
>> My network is configured as:
>>
>>   fiber modem <-> edgerouter <-> switch <-> everything else
>>
>> ovirt is living in the "everything else" area.
>>
>> When I sit with a laptop connected to either the everything else range
>> or even directly connected to the fiber modem, I run 'mtr' and see
>> network times (starting at the fiber modem) that bounce all over the
>> place.  When I unplug ovirt I see consistent 3-5ms times.  Plug it back
>> in, voom, back up to badness.
>>
>> I've spent several hours plugging and unplugging different devices
>> trying to isolate the issue.  The only "device" that has any effect is
>> my ovirt box.
>>
>> I have tried to debug this in several ways, but really the only thing
>> that seems to have helped at all is shutting down all the VMs and the
>> hosted engine.  Once nothing else is running (but the host itself), only
>> then does the network seem to return to normal.
>>
>> I'm really at my wits end on this; I have no idea what is causing this
>> or what might have changed to cause the issue right at that time.  I
>> also can't imagine what ovirt is doing over the network that could cause
>> the modem, two physical hops away, to lose its mind in this way.  But my
>> experimentation is definitely showing a direct correlation.
>>
>> Help!!
>>
>> -derek
>>
>> --
>>Derek Atkins 617-623-3745
>>de...@ihtfp.com www.ihtfp.com
>>Computer and Internet Security Consultant
>>
>
>
>
>


-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant



Re: [ovirt-users] Ovirt causing strange network issues?

2017-10-03 Thread Derek Atkins
A quick check of the host shows STP=off in ifcfg-ovirtmgmt.  I see nothing 
about STP elsewhere in the configuration on the host.


-derek
Sent using my mobile device. Please excuse any typos.



On October 3, 2017 7:15:35 AM Colin Coe <colin@gmail.com> wrote:


Spanning Tree Protocol.

Make sure the /etc/sysconfig/network-scripts/ifcfg-eth0 (or whatever) does
not have an STP=yes line.

CC

On 3 Oct. 2017 19:11, "Derek Atkins" <de...@ihtfp.com> wrote:


I'm sorry. What is STP?
And how do I turn that off?

-derek
Sent using my mobile device. Please excuse any typos.

On October 2, 2017 7:41:15 PM Colin Coe <colin@gmail.com> wrote:


Hi

We saw something very similar to this a couple of years ago.  In our
case, it was caused by STP being enabled on our hypervisors.

HTH



On 3 Oct. 2017 04:56, "Derek Atkins" <de...@ihtfp.com> wrote:


Hi,

I'm at my wits end so I'm tossing this here in the hopes that SOMEONE
will be able to help me.

tl;dr: Ovirt is doing something on my network that is causing my fiber
modem to go from 3-5ms to 300-1000+ms round trip times.  I know it's
ovirt because when I unplug ovirt from my network the issue goes away;
when I plug it back in, the issue recurs.

Long version:

I've been running Ovirt 4.0.6 happily on CentOS 7.3 for several months
on a single host machine. Indeed, the host had an uptime of 200+ days
and was working great until approximately midnight, September 21/22
(just over a week ago).  I was on an airplane halfway across the
Atlantic at that time, so it wasn't anything I did.

My network is configured as:

  fiber modem <-> edgerouter <-> switch <-> everything else

ovirt is living in the "everything else" area.

When I sit with a laptop connected to either the everything else range
or even directly connected to the fiber modem, I run 'mtr' and see
network times (starting at the fiber modem) that bounce all over the
place.  When I unplug ovirt I see consistent 3-5ms times.  Plug it back
in, voom, back up to badness.

I've spent several hours plugging and unplugging different devices
trying to isolate the issue.  The only "device" that has any effect is
my ovirt box.

I have tried to debug this in several ways, but really the only thing
that seems to have helped at all is shutting down all the VMs and the
hosted engine.  Once nothing else is running (but the host itself), only
then does the network seem to return to normal.

I'm really at my wits end on this; I have no idea what is causing this
or what might have changed to cause the issue right at that time.  I
also can't imagine what ovirt is doing over the network that could cause
the modem, two physical hops away, to lose its mind in this way.  But my
experimentation is definitely showing a direct correlation.

Help!!

-derek

--
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
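
The check discussed in the message above (looking for an STP line in the host's ifcfg files), as an added example that is not part of the original thread. It also reads the kernel's live per-bridge `stp_state` from sysfs; the function names are hypothetical, and treating `yes`, `on` and `1` as "enabled" is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: audit STP on a host that uses ifcfg-style network scripts.
# Both directories default to the usual locations and can be overridden.

# stp_configured [DIR]
# Print "<file> STP=<value>" for every ifcfg-* file whose effective STP
# setting is enabled. Values treated as enabled here: yes, on, 1.
stp_configured() {
    dir=${1:-/etc/sysconfig/network-scripts}
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # The last assignment wins; drop quotes and whitespace, fold case.
        val=$(sed -n 's/^[[:space:]]*STP=//p' "$f" | tail -n 1 |
              tr -d "\"' \t\r" | tr 'A-Z' 'a-z')
        case $val in
            yes|on|1) echo "${f##*/} STP=$val" ;;
        esac
    done
}

# stp_running [SYSFS_NET_DIR]
# Print "<bridge> stp_state=<n>" for every bridge the kernel reports with
# a non-zero stp_state (0 means STP is disabled on that bridge).
stp_running() {
    root=${1:-/sys/class/net}
    for s in "$root"/*/bridge/stp_state; do
        [ -r "$s" ] || continue
        state=$(cat "$s")
        [ "$state" != 0 ] || continue
        dev=${s%/bridge/stp_state}
        echo "${dev##*/} stp_state=$state"
    done
}

echo "Configured with STP enabled:"; stp_configured
echo "Bridges running STP now:";     stp_running
```

Empty output under both headings means no ifcfg file enables STP and no bridge is currently running it.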


Re: [ovirt-users] Ovirt causing strange network issues?

2017-10-03 Thread Derek Atkins

On the host or in the guests?

-derek
Sent using my mobile device. Please excuse any typos.



On October 3, 2017 7:15:35 AM Colin Coe <colin@gmail.com> wrote:


Spanning Tree Protocol.

Make sure the /etc/sysconfig/network-scripts/ifcfg-eth0 (or whatever) does
not have an STP=yes line.

CC

On 3 Oct. 2017 19:11, "Derek Atkins" <de...@ihtfp.com> wrote:


I'm sorry. What is STP?
And how do I turn that off?

-derek
Sent using my mobile device. Please excuse any typos.

On October 2, 2017 7:41:15 PM Colin Coe <colin@gmail.com> wrote:


Hi

We saw something very similar to this a couple of years ago.  In our
case, it was caused by STP being enabled on our hypervisors.

HTH



On 3 Oct. 2017 04:56, "Derek Atkins" <de...@ihtfp.com> wrote:


Hi,

I'm at my wits end so I'm tossing this here in the hopes that SOMEONE
will be able to help me.

tl;dr: Ovirt is doing something on my network that is causing my fiber
modem to go from 3-5ms to 300-1000+ms round trip times.  I know it's
ovirt because when I unplug ovirt from my network the issue goes away;
when I plug it back in, the issue recurs.

Long version:

I've been running Ovirt 4.0.6 happily on CentOS 7.3 for several months
on a single host machine. Indeed, the host had an uptime of 200+ days
and was working great until approximately midnight, September 21/22
(just over a week ago).  I was on an airplane halfway across the
Atlantic at that time, so it wasn't anything I did.

My network is configured as:

  fiber modem <-> edgerouter <-> switch <-> everything else

ovirt is living in the "everything else" area.

When I sit with a laptop connected to either the everything else range
or even directly connected to the fiber modem, I run 'mtr' and see
network times (starting at the fiber modem) that bounce all over the
place.  When I unplug ovirt I see consistent 3-5ms times.  Plug it back
in, voom, back up to badness.

I've spent several hours plugging and unplugging different devices
trying to isolate the issue.  The only "device" that has any effect is
my ovirt box.

I have tried to debug this in several ways, but really the only thing
that seems to have helped at all is shutting down all the VMs and the
hosted engine.  Once nothing else is running (but the host itself), only
then does the network seem to return to normal.

I'm really at my wits end on this; I have no idea what is causing this
or what might have changed to cause the issue right at that time.  I
also can't imagine what ovirt is doing over the network that could cause
the modem, two physical hops away, to lose its mind in this way.  But my
experimentation is definitely showing a direct correlation.

Help!!

-derek

--
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Ovirt causing strange network issues?

2017-10-03 Thread Derek Atkins

Do you mean spanning tree protocol?
I'm not sure how that could cross a router boundary, but it is something to 
look into..


-derek
Sent using my mobile device. Please excuse any typos.



On October 3, 2017 7:12:00 AM Derek Atkins <de...@ihtfp.com> wrote:


I'm sorry. What is STP?
And how do I turn that off?

-derek
Sent using my mobile device. Please excuse any typos.



On October 2, 2017 7:41:15 PM Colin Coe <colin@gmail.com> wrote:


Hi

We saw something very similar to this a couple of years ago.  In our case,
it was caused by STP being enabled on our hypervisors.

HTH



On 3 Oct. 2017 04:56, "Derek Atkins" <de...@ihtfp.com> wrote:


Hi,

I'm at my wits end so I'm tossing this here in the hopes that SOMEONE
will be able to help me.

tl;dr: Ovirt is doing something on my network that is causing my fiber
modem to go from 3-5ms to 300-1000+ms round trip times.  I know it's
ovirt because when I unplug ovirt from my network the issue goes away;
when I plug it back in, the issue recurs.

Long version:

I've been running Ovirt 4.0.6 happily on CentOS 7.3 for several months
on a single host machine. Indeed, the host had an uptime of 200+ days
and was working great until approximately midnight, September 21/22
(just over a week ago).  I was on an airplane halfway across the
Atlantic at that time, so it wasn't anything I did.

My network is configured as:

  fiber modem <-> edgerouter <-> switch <-> everything else

ovirt is living in the "everything else" area.

When I sit with a laptop connected to either the everything else range
or even directly connected to the fiber modem, I run 'mtr' and see
network times (starting at the fiber modem) that bounce all over the
place.  When I unplug ovirt I see consistent 3-5ms times.  Plug it back
in, voom, back up to badness.

I've spent several hours plugging and unplugging different devices
trying to isolate the issue.  The only "device" that has any effect is
my ovirt box.

I have tried to debug this in several ways, but really the only thing
that seems to have helped at all is shutting down all the VMs and the
hosted engine.  Once nothing else is running (but the host itself), only
then does the network seem to return to normal.

I'm really at my wits end on this; I have no idea what is causing this
or what might have changed to cause the issue right at that time.  I
also can't imagine what ovirt is doing over the network that could cause
the modem, two physical hops away, to lose its mind in this way.  But my
experimentation is definitely showing a direct correlation.

Help!!

-derek

--
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

