Re: [ovirt-users] Users seeing all vm's
It sounds line you're adding the permissions to ovirt through the Users tab on the top right. Thats the same thing I did at first. However, the user's tab is not where you manage all settings for users. Its a bit counterintuitive. When you add a user in that tab, it adds them to the system object and not to a particular VM or pool which is why the user has more than desired permissions. What you need to do is remove the users or groups from the Users tab and add them to the specific pool or VM by selecting the pool, then select the permissions sub-tab and then select add. This will grant the permissions to only that specific resource. On Jun 12, 2014 3:08 AM, Itamar Heim ih...@redhat.com wrote: On 06/06/2014 05:52 AM, Artur Sarkisyan wrote: Thanks for replay, I have an IPA server for authentication. I am trying some scenarios, but I would like to setup pools of vm's for users, actually one pool for one user. why one pool for one user? a pool allows you to give multiple users access to it, and, specify how many VMs each user can get from the pool. Kind regards, Artur On Thu, Jun 5, 2014 at 8:30 PM, Jeff Clay jeffc...@gmail.com mailto:jeffc...@gmail.com wrote: Yes, I have resolved this issue. It was due to my lack of understanding in how Ovirt expected things to be configured and setup. Are you using active directory for authentication and setting up pools of vm's for users to access? On Thu, Jun 5, 2014 at 1:10 PM, Artur Sarkisyan s.ar...@gmail.com mailto:s.ar...@gmail.com wrote: Hi Jeff, I would like to know if you have resolved this issue? At this moment i'm building a poc and i have the same problem like yours: All users can see all vm's. Do you have some suggestions for me ? Thanks in advanced. Kind regards, Artur On Tue, May 6, 2014 at 10:32 PM, Jeff Clay jeffc...@gmail.com mailto:jeffc...@gmail.com wrote: For some reason, when logged in as a user with a modifed copy role of UserRole (only has login permssion and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shutdown or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks. ___ Users mailing list Users@ovirt.org mailto:Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Users seeing all vm's
Yes, I have resolved this issue. It was due to my lack of understanding in how Ovirt expected things to be configured and setup. Are you using active directory for authentication and setting up pools of vm's for users to access? On Thu, Jun 5, 2014 at 1:10 PM, Artur Sarkisyan s.ar...@gmail.com wrote: Hi Jeff, I would like to know if you have resolved this issue? At this moment i'm building a poc and i have the same problem like yours: All users can see all vm's. Do you have some suggestions for me ? Thanks in advanced. Kind regards, Artur On Tue, May 6, 2014 at 10:32 PM, Jeff Clay jeffc...@gmail.com wrote: For some reason, when logged in as a user with a modifed copy role of UserRole (only has login permssion and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shutdown or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Memory and swap issue
126455 MB total, 863 MB used, 125592 MB free That's what I'm showing right now, but I don't have as many VM's running at the moment. There are currently 8 running and I was getting that issue yesterday when I got around the 15 vm mark. On Thu, Jun 5, 2014 at 2:07 PM, Itamar Heim ih...@redhat.com wrote: On 06/05/2014 02:24 AM, Jeff Clay wrote: I'm getting the following error trying to start a VM. I have 64 gb of RAM on this host. I got this error once before and found that my swap partition was only 2gb or so. I increased the swap size to 124GB and the problem went away. Below is the error when trying to start a VM and below that is what my output from free -g. I don't see why I'm getting a swap file error when there's plenty of it available. * Cannot run VM. Host swap percentage is above the defined threshold. - Check your configuration parameters for Host Swap Percentage. * Cannot run VM. There is no host that satisfies current scheduling constraints. See below for details: * The host USARPAOVRTHOST02 did not satisfy internal filter Memory. [root@usarpaovrthost02 ~]# free -g total used free sharedbuffers cached Mem:62 62 0 0 0 12 -/+ buffers/cache: 50 12 Swap: 123 12110 [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# swapon -s FilenameTypeSizeUsed Priority /dev/dm-1 partition 129490936 12811000-1 [root@usarpaovrthost02 ~]# ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users what do you see under host general subtab for swap percentage? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Memory and swap issue
Also, just to note, all of my VMs are configured for memory ballooning with 1.5gb guaranteed and can use up to 3gb. All VM guests are Windows 7 32bit. On Jun 5, 2014 2:30 PM, Jeff Clay jeffc...@gmail.com wrote: 126455 MB total, 863 MB used, 125592 MB free That's what I'm showing right now, but I don't have as many VM's running at the moment. There are currently 8 running and I was getting that issue yesterday when I got around the 15 vm mark. On Thu, Jun 5, 2014 at 2:07 PM, Itamar Heim ih...@redhat.com wrote: On 06/05/2014 02:24 AM, Jeff Clay wrote: I'm getting the following error trying to start a VM. I have 64 gb of RAM on this host. I got this error once before and found that my swap partition was only 2gb or so. I increased the swap size to 124GB and the problem went away. Below is the error when trying to start a VM and below that is what my output from free -g. I don't see why I'm getting a swap file error when there's plenty of it available. * Cannot run VM. Host swap percentage is above the defined threshold. - Check your configuration parameters for Host Swap Percentage. * Cannot run VM. There is no host that satisfies current scheduling constraints. See below for details: * The host USARPAOVRTHOST02 did not satisfy internal filter Memory. [root@usarpaovrthost02 ~]# free -g total used free sharedbuffers cached Mem:62 62 0 0 0 12 -/+ buffers/cache: 50 12 Swap: 123 12110 [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# swapon -s FilenameTypeSizeUsed Priority /dev/dm-1 partition 129490936 12811000-1 [root@usarpaovrthost02 ~]# ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users what do you see under host general subtab for swap percentage? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Memory and swap issue
I'm concerned about disabling it and having unexpected behavior if the system actually does end up using all of its swap space. Any insight? On Jun 5, 2014 2:34 PM, Itamar Heim ih...@redhat.com wrote: On 06/05/2014 10:30 PM, Jeff Clay wrote: 126455 MB total, 863 MB used, 125592 MB free That's what I'm showing right now, but I don't have as many VM's running at the moment. There are currently 8 running and I was getting that issue yesterday when I got around the 15 vm mark. On Thu, Jun 5, 2014 at 2:07 PM, Itamar Heim ih...@redhat.com mailto:ih...@redhat.com wrote: On 06/05/2014 02:24 AM, Jeff Clay wrote: I'm getting the following error trying to start a VM. I have 64 gb of RAM on this host. I got this error once before and found that my swap partition was only 2gb or so. I increased the swap size to 124GB and the problem went away. Below is the error when trying to start a VM and below that is what my output from free -g. I don't see why I'm getting a swap file error when there's plenty of it available. * Cannot run VM. Host swap percentage is above the defined threshold. - Check your configuration parameters for Host Swap Percentage. * Cannot run VM. There is no host that satisfies current scheduling constraints. See below for details: * The host USARPAOVRTHOST02 did not satisfy internal filter Memory. [root@usarpaovrthost02 ~]# free -g total used free sharedbuffers cached Mem:62 62 0 0 0 12 -/+ buffers/cache: 50 12 Swap: 123 12110 [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# swapon -s FilenameTypeSize Used Priority /dev/dm-1 partition 129490936 12811000-1 [root@usarpaovrthost02 ~]# _ Users mailing list Users@ovirt.org mailto:Users@ovirt.org http://lists.ovirt.org/__mailman/listinfo/users http://lists.ovirt.org/mailman/listinfo/users what do you see under host general subtab for swap percentage? iirc, you can either disable the swap check via the config EnableSwapCheck, or change the threshold via BlockMigrationOnSwapUsagePerce ntage (which would be a confusing name if it affects RunVm and not only migration...) ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Memory and swap issue
Am I correct in understanding that vm's which aren't being actively used are moved to swap space to free more available RAM? If so, that might be what is causing my issue, since we usually have several VM's idle and not in direct use. On Thu, Jun 5, 2014 at 2:45 PM, Itamar Heim ih...@redhat.com wrote: On 06/05/2014 10:36 PM, Jeff Clay wrote: I'm concerned about disabling it and having unexpected behavior if the system actually does end up using all of its swap space. Any insight? change the percentage threshold then. the idea is if you are swapping - its bad. though, if you also have a lot of free memory, its kind of absurd to block because there is a swap, but its not needed so it remains swapped. On Jun 5, 2014 2:34 PM, Itamar Heim ih...@redhat.com mailto:ih...@redhat.com wrote: On 06/05/2014 10:30 PM, Jeff Clay wrote: 126455 MB total, 863 MB used, 125592 MB free That's what I'm showing right now, but I don't have as many VM's running at the moment. There are currently 8 running and I was getting that issue yesterday when I got around the 15 vm mark. On Thu, Jun 5, 2014 at 2:07 PM, Itamar Heim ih...@redhat.com mailto:ih...@redhat.com mailto:ih...@redhat.com mailto:ih...@redhat.com wrote: On 06/05/2014 02:24 AM, Jeff Clay wrote: I'm getting the following error trying to start a VM. I have 64 gb of RAM on this host. I got this error once before and found that my swap partition was only 2gb or so. I increased the swap size to 124GB and the problem went away. Below is the error when trying to start a VM and below that is what my output from free -g. I don't see why I'm getting a swap file error when there's plenty of it available. * Cannot run VM. Host swap percentage is above the defined threshold. - Check your configuration parameters for Host Swap Percentage. * Cannot run VM. There is no host that satisfies current scheduling constraints. See below for details: * The host USARPAOVRTHOST02 did not satisfy internal filter Memory. [root@usarpaovrthost02 ~]# free -g total used free shared buffers cached Mem:62 62 0 0 0 12 -/+ buffers/cache: 50 12 Swap: 123 12110 [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# swapon -s FilenameType SizeUsed Priority /dev/dm-1 partition 129490936 12811000-1 [root@usarpaovrthost02 ~]# ___ Users mailing list Users@ovirt.org mailto:Users@ovirt.org mailto:Users@ovirt.org mailto:Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users http://lists.ovirt.org/__mailman/listinfo/users http://lists.ovirt.org/__mailman/listinfo/users http://lists.ovirt.org/mailman/listinfo/users what do you see under host general subtab for swap percentage? iirc, you can either disable the swap check via the config EnableSwapCheck, or change the threshold via BlockMigrationOnSwapUsagePerce__ntage (which would be a confusing name if it affects RunVm and not only migration...) ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Ovirt Guest Agent Windows 7
I have the spice guest agent/tools installed, but I'm reading that I also need to install/setup the ovirt-guest-agent to get proper reporting of resources, etc. I'm following the instructions in https://github.com/oVirt/ovirt-guest-agent/blob/master/ovirt-guest-agent/README-windows.txt I am confused at Update the AGENT_CONFIG global variable in OVirtGuestService.py to point to right configuration location. I can find the file without issue, the value I'm requested to change has a default value of: AGENT_CONFIG = 'ovirt-guest-agent.ini' I cannot locate a file named ovirt-guest-agent.ini within the C:\ovirt-guest-agent-master\ovirt-guest-agent folder so I'm not sure what to set this value to. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Memory and swap issue
I'm getting the following error trying to start a VM. I have 64 gb of RAM on this host. I got this error once before and found that my swap partition was only 2gb or so. I increased the swap size to 124GB and the problem went away. Below is the error when trying to start a VM and below that is what my output from free -g. I don't see why I'm getting a swap file error when there's plenty of it available. - Cannot run VM. Host swap percentage is above the defined threshold. - Check your configuration parameters for Host Swap Percentage. - Cannot run VM. There is no host that satisfies current scheduling constraints. See below for details: - The host USARPAOVRTHOST02 did not satisfy internal filter Memory. [root@usarpaovrthost02 ~]# free -g total used free sharedbuffers cached Mem:62 62 0 0 0 12 -/+ buffers/cache: 50 12 Swap: 123 12110 [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# [root@usarpaovrthost02 ~]# swapon -s FilenameTypeSizeUsed Priority /dev/dm-1 partition 129490936 12811000-1 [root@usarpaovrthost02 ~]# ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] vm's not shutting down from admin portal
When selecting to shutdown vm's from the admi portal, it often doesn't work although, sometimes it does. These machines are all stateless and in the same pool, yet sometimes they will shutdown from the portal, most of the time they don't. here's what I see in engine.log when they don't shutdown. 2014-05-19 18:17:42,477 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-2) [4d427221] Correlation ID: 4d427221, Job ID: ce662a5c-9474-4406-90f5-e941e130b47d, Call Stack: null, Custom Event ID: -1, Message: VM shutdown initiated by Jeff.Clay on VM USAROVRTVZ-13 (Host: USARPAOVRTHOST02). 2014-05-19 18:22:45,333 INFO [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (DefaultQuartzScheduler_Worker-53) VM USAROVRTVZ-13 67a51ec0-659d-4372-b4f1-85a56e6c0992 moved from PoweringDown -- Up 2014-05-19 18:22:45,381 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-53) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: Shutdown of VM USAROVRTVZ-13 failed. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] transfer files from guest to client
The only thing I've been able to find on this is http://lists.freedesktop.org/archives/spice-devel/2014-February/016063.htmlhttp://lists.freedesktop.org/archives/spice-devel/2014-February/016063.html. I was wondering if there have been any developments since then and if not, could somebody please provide more details on the guest-side virtual folder/icon that someone described. Thank you ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Users losing permissions when user portal session times out
I finally have everything working pretty good. I have noticed that if I log in to the user portal as a user with the regular UserRole granted and only the the pool objects and the user portal session times I can not log back in. The user portal shows the message the the user is not authorized to perform this function. When I log in as admin and go to users then view the permissions for the user I was just logged in as, the user no longer shows the UserRole role even though the permissions on the pool objects still show the role is granted. I have to delete the user from the Users list and logging back in will refresh the permissions. I have ovirt integrated with my active directory for logins. I am granting permissions based on active directory groups. To grant the permissions, I am selecting the object (usually a pool), then selecting the permissions tab and then clicking add; I do a search for the group, i click the check box next to it and click ok. The group permissions seem to remain on the object when the user portal session times out, but the actual user that timed out loses all permissions/roles. I have no idea what could be causing this other than some sort of bug. Any ideas? Thanks in advance. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Users losing permissions when user portal session times out
I'm using version 3.4.0-1.el6. The user I've been testing with was directly added to this test-group in the AD. On Thu, May 8, 2014 at 2:11 AM, Oved Ourfalli ov...@redhat.com wrote: - Original Message - From: Yair Zaslavsky yzasl...@redhat.com To: Jeff Clay jeffc...@gmail.com Cc: Oved Ourfalli ov...@redhat.com, paul thornton paul.thorn...@infotech-enterprises.com, users@ovirt.org Sent: Thursday, May 8, 2014 10:09:55 AM Subject: Re: [ovirt-users] Users losing permissions when user portal session times out Jeff, which ovrit version are you using? Thanks. It sounds similar to the following issues: Bug 1069562 - When assigning permissions to user that belongs to a group indirectly, it does not inherit the group permissions (resolved by me). Bug 1081204 - [AAA] External user UI access unstable (resolved by Yair). iirc both are part of 3.4, but will need to check it out. Let's see what version you're using, and proceed from there. Oved - Original Message - From: Yair Zaslavsky yzasl...@redhat.com To: Jeff Clay jeffc...@gmail.com Cc: Oved Ourfalli ov...@redhat.com, paul thornton paul.thorn...@infotech-enterprises.com, users@ovirt.org Sent: Thursday, May 8, 2014 10:05:46 AM Subject: Re: [ovirt-users] Users losing permissions when user portal session times out - Original Message - From: Jeff Clay jeffc...@gmail.com To: users@ovirt.org, paul thornton paul.thorn...@infotech-enterprises.com Sent: Thursday, May 8, 2014 9:09:00 AM Subject: [ovirt-users] Users losing permissions when user portal session times out I finally have everything working pretty good. I have noticed that if I log in to the user portal as a user with the regular UserRole granted and only the the pool objects and the user portal session times I can not log back in. The user portal shows the message the the user is not authorized to perform this function. When I log in as admin and go to users then view the permissions for the user I was just logged in as, the user no longer shows the UserRole role even though the permissions on the pool objects still show the role is granted. I have to delete the user from the Users list and logging back in will refresh the permissions. I have ovirt integrated with my active directory for logins. I am granting permissions based on active directory groups. To grant the permissions, I am selecting the object (usually a pool), then selecting the permissions tab and then clicking add; I do a search for the group, i click the check box next to it and click ok. The group permissions seem to remain on the object when the user portal session times out, but the actual user that timed out loses all permissions/roles. I have no idea what could be causing this other than some sort of bug. Any ideas? Thanks in advance. This is a known issue, and IIRC was resolved by Oved. Oved, am I correct here? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Users losing permissions when user portal session times out
Just to update, I saw in that bug report that 3.4.1-1 was released today. I upgraded my engine and host and have not been able to reproduce the problem yet. Thank you Yair and Oved. On Thu, May 8, 2014 at 7:05 AM, Jeff Clay jeffc...@gmail.com wrote: I'm using version 3.4.0-1.el6. The user I've been testing with was directly added to this test-group in the AD. On Thu, May 8, 2014 at 2:11 AM, Oved Ourfalli ov...@redhat.com wrote: - Original Message - From: Yair Zaslavsky yzasl...@redhat.com To: Jeff Clay jeffc...@gmail.com Cc: Oved Ourfalli ov...@redhat.com, paul thornton paul.thorn...@infotech-enterprises.com, users@ovirt.org Sent: Thursday, May 8, 2014 10:09:55 AM Subject: Re: [ovirt-users] Users losing permissions when user portal session times out Jeff, which ovrit version are you using? Thanks. It sounds similar to the following issues: Bug 1069562 - When assigning permissions to user that belongs to a group indirectly, it does not inherit the group permissions (resolved by me). Bug 1081204 - [AAA] External user UI access unstable (resolved by Yair). iirc both are part of 3.4, but will need to check it out. Let's see what version you're using, and proceed from there. Oved - Original Message - From: Yair Zaslavsky yzasl...@redhat.com To: Jeff Clay jeffc...@gmail.com Cc: Oved Ourfalli ov...@redhat.com, paul thornton paul.thorn...@infotech-enterprises.com, users@ovirt.org Sent: Thursday, May 8, 2014 10:05:46 AM Subject: Re: [ovirt-users] Users losing permissions when user portal session times out - Original Message - From: Jeff Clay jeffc...@gmail.com To: users@ovirt.org, paul thornton paul.thorn...@infotech-enterprises.com Sent: Thursday, May 8, 2014 9:09:00 AM Subject: [ovirt-users] Users losing permissions when user portal session times out I finally have everything working pretty good. I have noticed that if I log in to the user portal as a user with the regular UserRole granted and only the the pool objects and the user portal session times I can not log back in. The user portal shows the message the the user is not authorized to perform this function. When I log in as admin and go to users then view the permissions for the user I was just logged in as, the user no longer shows the UserRole role even though the permissions on the pool objects still show the role is granted. I have to delete the user from the Users list and logging back in will refresh the permissions. I have ovirt integrated with my active directory for logins. I am granting permissions based on active directory groups. To grant the permissions, I am selecting the object (usually a pool), then selecting the permissions tab and then clicking add; I do a search for the group, i click the check box next to it and click ok. The group permissions seem to remain on the object when the user portal session times out, but the actual user that timed out loses all permissions/roles. I have no idea what could be causing this other than some sort of bug. Any ideas? Thanks in advance. This is a known issue, and IIRC was resolved by Oved. Oved, am I correct here? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] user portal and stateless vm pool behavior
if a user takes a vm from the pool and uses it, then disconnects; can that vm then be assigned to another user immediately or quickly? the vm's in my pools run as stateless, is there a way to automatically get the vm's to reboot when a user disconnects so that it's fresh for the next user? i'm using windows 7 vm's and windows clients with virt-viewer to connect to the vm's. I've written a quick script that runs on the engine and tails the engine log looking for disconnects then reboots the vm when a disconnect is seen from a non-admin user, but i'm not familiar enough with how things are intended to work in the backend to know if my script is needed or if i'm just unaware of a certain feature or function. thanks ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] user portal permissions
Thanks, that clarifies quite a bit. The permissions are being applied to System for the regular UserRole, but I don't see where to define what objects the roles are assigned to. On Wed, May 7, 2014 at 2:28 AM, Oved Ourfalli ov...@redhat.com wrote: Hi Jeff Roles determine two things: 1. What the user can see 2. What the user can do It is important to know on who is the user, what is the role (UserRole? as you also mentioned SuperUser?) and on what object(s) was the role granted on. Assuming it is UserRole, on a specific user, then: If on a VM, then the user can see/operate on this VM. If on a Cluster, then the user can see/operate on all the VMs in this cluster. If on a DC, then the user can see/operate on all the VMs in clusters that are part of this DC. If on System, then the user can see/operate on all the VMs in the system. So the hierarchy is System--DC--Cluster--VM. I hope this clarifies you question. Regards, Oved - Original Message - From: Jeff Clay jeffc...@gmail.com To: users@ovirt.org Sent: Monday, May 5, 2014 10:31:53 PM Subject: [ovirt-users] user portal permissions For some reason, when logged in as a user with a modifed copy role of UserRole (only has login permssion and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shutdown or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] user portal permissions
I figured it out. I was using Configure - System Permissions to add my users and assign them to roles. Removing the users from there and adding them under the Permissions tab on the actual object did what I wanted it to. On Wed, May 7, 2014 at 10:14 AM, Jeff Clay jeffc...@gmail.com wrote: Thanks, that clarifies quite a bit. The permissions are being applied to System for the regular UserRole, but I don't see where to define what objects the roles are assigned to. On Wed, May 7, 2014 at 2:28 AM, Oved Ourfalli ov...@redhat.com wrote: Hi Jeff Roles determine two things: 1. What the user can see 2. What the user can do It is important to know on who is the user, what is the role (UserRole? as you also mentioned SuperUser?) and on what object(s) was the role granted on. Assuming it is UserRole, on a specific user, then: If on a VM, then the user can see/operate on this VM. If on a Cluster, then the user can see/operate on all the VMs in this cluster. If on a DC, then the user can see/operate on all the VMs in clusters that are part of this DC. If on System, then the user can see/operate on all the VMs in the system. So the hierarchy is System--DC--Cluster--VM. I hope this clarifies you question. Regards, Oved - Original Message - From: Jeff Clay jeffc...@gmail.com To: users@ovirt.org Sent: Monday, May 5, 2014 10:31:53 PM Subject: [ovirt-users] user portal permissions For some reason, when logged in as a user with a modifed copy role of UserRole (only has login permssion and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shutdown or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] user portal and pool views
Is there a way to get the user portal to show the pool tag or pool name and assign an unused vm from within the pool instead of showing all vm's in the pool for them to choose from? Thanks ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Users seeing all vm's
For some reason, when logged in as a user with a modifed copy role of UserRole (only has login permssion and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shutdown or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] user portal permissions
For some reason, when logged in as a user with a modifed copy role of UserRole (only has login permssion and VM - Basic Operations - Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shutdown or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions? Thanks. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] set domain credentials to be used during sysprep joining an AD domain.
Ok, I see those options now in the RunOnce menu.The problem is that I won't be using RunOnce. I need the systems to do sysprep and join the domain when the pool creates them as new. I'm hoping to automate this process when new VM's are created so that I don't have to work on each VM when I create it, that would take some time when creating 30 new vm's in a pool. On Mon, Apr 7, 2014 at 9:42 AM, Michal Skrivanek michal.skriva...@redhat.com wrote: On Apr 7, 2014, at 11:19 , Itamar Heim ih...@redhat.com wrote: On 04/07/2014 08:47 AM, Roy Golan wrote: On 04/06/2014 08:57 PM, Jeff Clay wrote: i'm having trouble finding how set the domain user credentials used when joing a computer to an AD domain using sysprep. i've found where ovirt stores the windows product keys, and the settings in engine-config, but i don't see anything about the domain user credentials. Do I need to replace the domain user variables in sysprep.w7 and statically set them to what I need? I'm pretty sure we are not supposed to be limiting the domains a VM can join to the domains a user can authenticate to? the dropdown field is editable so one can enter any custom domain then it gets replaced in the system's sysprep template. the same goes for user credentials - tehre's the Alternate Credentials checkbox...does it not work? BTW note in 3.4 you would be able to use a custom sysprep file (with existing variables substitution) Thanks, michal ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users * first configure you domain if not already done $ engine-manage-domains add --domain=DOMAIN --provider=activeDirectory --user=USER --add-permissions * make sure your vm Os Type is set to Windows 7 (or whatever type your installing) - Edit the Vm and see the drop-down at the first dialog screen * then click Run-once (right click a vm from VMs tab) and go to Initial Run tab in the dialog. * in the boot options make sure sysprep is set Thanks, Roy ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] set domain credentials to be used during sysprep joining an AD domain.
Are you referring to SysPrepDefaultUser: Default SysPrep user name (Value Type: String) and SysPrepDefaultPassword: Default SysPrep user password (Value Type: Password) ? I thought those values were used for creating the initial user on the system. On Mon, Apr 7, 2014 at 12:18 PM, Itamar Heim ih...@redhat.com wrote: On 04/07/2014 08:15 PM, Jeff Clay wrote: Ok, I see those options now in the RunOnce menu.The problem is that I won't be using RunOnce. I need the systems to do sysprep and join the domain when the pool creates them as new. I'm hoping to automate this process when new VM's are created so that I don't have to work on each VM when I create it, that would take some time when creating 30 new vm's in a pool. this should work with pools as well. you just need to pre-add the domain (via enigne-manage-domains) and configure the user/password with credentials to add the computer to the domain (via engine-config) On Mon, Apr 7, 2014 at 9:42 AM, Michal Skrivanek michal.skriva...@redhat.com mailto:michal.skriva...@redhat.com wrote: On Apr 7, 2014, at 11:19 , Itamar Heim ih...@redhat.com mailto:ih...@redhat.com wrote: On 04/07/2014 08:47 AM, Roy Golan wrote: On 04/06/2014 08:57 PM, Jeff Clay wrote: i'm having trouble finding how set the domain user credentials used when joing a computer to an AD domain using sysprep. i've found where ovirt stores the windows product keys, and the settings in engine-config, but i don't see anything about the domain user credentials. Do I need to replace the domain user variables in sysprep.w7 and statically set them to what I need? I'm pretty sure we are not supposed to be limiting the domains a VM can join to the domains a user can authenticate to? the dropdown field is editable so one can enter any custom domain then it gets replaced in the system's sysprep template. the same goes for user credentials - tehre's the Alternate Credentials checkbox...does it not work? BTW note in 3.4 you would be able to use a custom sysprep file (with existing variables substitution) Thanks, michal ___ Users mailing list Users@ovirt.org mailto:Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users * first configure you domain if not already done $ engine-manage-domains add --domain=DOMAIN --provider=activeDirectory --user=USER --add-permissions * make sure your vm Os Type is set to Windows 7 (or whatever type your installing) - Edit the Vm and see the drop-down at the first dialog screen * then click Run-once (right click a vm from VMs tab) and go to Initial Run tab in the dialog. * in the boot options make sure sysprep is set Thanks, Roy ___ Users mailing list Users@ovirt.org mailto:Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org mailto:Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] Login Error using AD domain
This was working fine, now I get the error below in engine.log when I try to log in. The clock times are the same. I even changed the time service on the domain controller to use the same NTP source as the engine server. I have rebooted the domain controller to make sure that all settings were applied, but I still get this error. I can log into our other AD domain without issue, the problem is just with this particular domain. 2014-04-07 16:05:07,453 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Kerberos error: Clock skew too great (37) 2014-04-07 16:05:07,454 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-7) Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized 2014-04-07 16:05:07,456 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp--127.0.0.1-8702-7) Failed ldap search server ldap://par-dc1:389 using user jc...@corporate.wellsco.net due to Authentication Failed. The Engine clock is not synchronized with directory services (must be within 5 minutes difference). Please verify the clocks are synchronized. We should try the next server ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] set computername and domain when vm is created from template.
i'm needing to change the computer name to something based on the vm's name or something and add the system to an active directory domain. this needs to be done when i create new vm's from a template. any suggestions? from what i'm reading, cloud-init is what i'm needing to use, i installed and ran it to check it out. it changed the computer name, but i can't find where to specify the computer name value or how to set domain info. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] set domain credentials to be used during sysprep joining an AD domain.
i'm having trouble finding how set the domain user credentials used when joing a computer to an AD domain using sysprep. i've found where ovirt stores the windows product keys, and the settings in engine-config, but i don't see anything about the domain user credentials. Do I need to replace the domain user variables in sysprep.w7 and statically set them to what I need? ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] Unable to log into user portal with user account
I have attached an AD domain. I can log in to the admin and user portals with the credentials used to add the domain. I made a new user on the AD for testing. I have added BuiltIn\Users and Domain\Users to the UserRole in Ovirt. When I try to log in to the UserPortal with a regular user account I get the error that the user isn't authorized to perform the action. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Unable to log into user portal with user account
I added the domain using engine-manage-domains and then I went into the engine admin portal and added the groups I mentioned and assigned those groups to the UserRole for ovirt. I'm not familiar with psql at all, every iteration of running the queries you requested has failed. On Sun, Apr 6, 2014 at 7:27 PM, Yair Zaslavsky yzasl...@redhat.com wrote: Hi, 1. When you log in to to the admin portal, and check the permissions the user have, does it have the UserRole? 2. Can you please provide us the following SQL queries (using psql) select user_name, groupIds from users; select id,name from ad_groups; 3. In addition - have you manually added your user to oVirt before the login attempt, or did you just add the mentioned group + gave it permissions? Thanks, Yair - Original Message - From: Jeff Clay jeffc...@gmail.com To: users@ovirt.org Sent: Monday, April 7, 2014 3:01:55 AM Subject: [Users] Unable to log into user portal with user account I have attached an AD domain. I can log in to the admin and user portals with the credentials used to add the domain. I made a new user on the AD for testing. I have added BuiltIn\Users and Domain\Users to the UserRole in Ovirt. When I try to log in to the UserPortal with a regular user account I get the error that the user isn't authorized to perform the action. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Unable to log into user portal with user account
[root@usarpaovrtengine01 ~]# psql select username, group_ids from users; psql: warning: extra command-line argument group_ids ignored psql: warning: extra command-line argument from ignored psql: warning: extra command-line argument users ignored psql: FATAL: Ident authentication failed for user username, [root@usarpaovrtengine01 ~]# I can log into the admin portal fine with my admin users. I can log into the user portal fine with the admin users. I can not log into the user portal with a regular user account. Here's the engine.log for when I try to log in to user portal with that user account: 2014-04-06 20:51:59,208 WARN [org.ovirt.engine.core.bll.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION The user account ovirt (which I've added to my AD) is what I'm trying to log in with. That user account is not specifically showing up in the admin portal user list; however, the group Domain\Users does show up. The 'ovirt' user is a member of Domain\Users. On Sun, Apr 6, 2014 at 8:38 PM, Yair Zaslavsky yzasl...@redhat.com wrote: - Original Message - From: Jeff Clay jeffc...@gmail.com To: Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org Sent: Monday, April 7, 2014 4:28:09 AM Subject: Re: [Users] Unable to log into user portal with user account I added the domain using engine-manage-domains and then I went into the engine admin portal and added the groups I mentioned and assigned those groups to the UserRole for ovirt. I'm not familiar with psql at all, every iteration of running the queries you requested has failed. Ok, after you fail to login to userportal, can you login to the admin portal, and check for the user you tried to login with what are the permissions he has? Thanks, Yair On Sun, Apr 6, 2014 at 7:27 PM, Yair Zaslavsky yzasl...@redhat.com wrote: Hi, 1. When you log in to to the admin portal, and check the permissions the user have, does it have the UserRole? 2. Can you please provide us the following SQL queries (using psql) select user_name, groupIds from users; Should be select username, group_ids from users; - sorry, my bad. select id,name from ad_groups; 3. In addition - have you manually added your user to oVirt before the login attempt, or did you just add the mentioned group + gave it permissions? Thanks, Yair - Original Message - From: Jeff Clay jeffc...@gmail.com To: users@ovirt.org Sent: Monday, April 7, 2014 3:01:55 AM Subject: [Users] Unable to log into user portal with user account I have attached an AD domain. I can log in to the admin and user portals with the credentials used to add the domain. I made a new user on the AD for testing. I have added BuiltIn\Users and Domain\Users to the UserRole in Ovirt. When I try to log in to the UserPortal with a regular user account I get the error that the user isn't authorized to perform the action. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
[Users] inconsistent sign-on, inacurate cpu % -- new to ovirt, new installation, new vm, first vm
I've noticed something inconsistent. When viewing the the console using virtviewer on windows, I open the .vv file and sometimes the display connection prompts me for a password, no user name, only password. Regardless of what password I enter, it isn't accepted. Sometimes, I don't get prompted for a password at all. Keep in mind, this is the only VM on this machine, it's not like I'm having different issues on different machines. Also, if it's relevant, I have SSO disabled for this VM. Another issue, this vm has Windows 7 32-bit installed, configured for 2gb RAM, 1 socket 2 cores, yet when doing windows updates, the system resources shows the processor at constantly peaking to 100% on both graphs (both cores); yet, the CPU utilization in the ovirt webui doesn't go above 50%, almost like 50% = 100%. Any suggestions? Thanks in advance. I'm sure I'm going to be bugging everyone with a lot of questions as I dig further into this. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users