[ovirt-users] Re: How to configure Power Management Fence Protocol for Libvirtd VM ?

2021-01-23 Thread Martin Perina
st
>
> Id   Name   State
>
> --
>
> 26   3.ohost1   running
>
> 27   3.ohost2   running
>
> 28   3.ohost3   running
>
>
>
> *The ooengh1 and ooengh2 are configured for hosted-engine, and ohst1
> ohost2 ohost3 are configured for KVM server.*
>
>
>
> *Now, I want to test the Power Management service using my test env, how
> can I choose the fence protocol ?*
>
>
>
>
>
>
>
>
>
>
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/NKGEEQYZQU4IUP3SB6BDKEDOVHEFJ7FJ/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/73LFMPHUU47IC6BQC7MMIB2DOJPFWA6D/


[ovirt-users] Re: OVirt rest api 4.3. How do you get the job id started by the async parameter

2021-01-23 Thread Martin Perina
Hi Ori,

could you please take a look?

Thanks,
Martin

On Thu, Jan 21, 2021 at 9:52 PM  wrote:

> I am using the rest api to create a VM, because the VM is cloned from the
> template and it takes a long time, I am also passing the async parameters
> hoping to receive back a job id, which I could then query
>
> https://x/ovirt-engine/api/vms?async=true=true
>
> however I get the new VM record which is fine but then I have no way of
> knowing the job id I should query to know when it is finished. And looking
> at all jobs there is no reference back to the VM execept for the description
>
>
>   id="d17125c7-6668-4b6c-ad22-95121cb66a31">
> 
>href="/ovirt-engine/api/jobs/d17125c7-6668-4b6c-ad22-95121cb66a31/clear"
> rel="clear"/>
>href="/ovirt-engine/api/jobs/d17125c7-6668-4b6c-ad22-95121cb66a31/end"
> rel="end"/>
> 
> Creating VM DEMO-PCC-4 from Template
> MASTER-W10-20H2-CDrive in Cluster d1-c2
>  href="/ovirt-engine/api/jobs/d17125c7-6668-4b6c-ad22-95121cb66a31/steps"
> rel="steps"/>
> true
> false
> 2021-01-21T12:49:06.700-08:00
> 2021-01-21T12:48:59.453-08:00
> started
>  href="/ovirt-engine/api/users/0f2291fa-872a-11e9-b13c-00163e449339"
> id="0f2291fa-872a-11e9-b13c-00163e449339"/>
>   
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/TGZQLI55EFZOSEBNEU5CCBDZ2EDXMINQ/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SETMGF2ZNYGU6OJKJAY7WRPKTWUQGF7F/


[ovirt-users] Re: Ovirt and Vagrant

2021-01-05 Thread Martin Perina
On Tue, Jan 5, 2021 at 7:56 PM Strahil Nikolov via Users 
wrote:

> В 10:41 -0400 на 05.01.2021 (вт), Gervais de Montbrun написа:
>
> Thanks for the feedback. Are you using ansible to launch the vm from the
> template, or to provision the template once it is up?
>
> I was cloning VMs from a template, but as I'm still on oVirt 4.3 - I
> cannot use this approach with EL8 (only oVirt 4.4 can seal EL8 Templates).
> I'm now building VMs and creating snapshots, as I can easily revert back
> any changes and start new stuff.
>
>
> I think Ansible is the most popular and supported choice for managing oVirt. 
> Yet, I like the idea for Terraform.
>
>
We also have oVirt Terraform provider
https://github.com/oVirt/terraform-provider-ovirt
It doesn't yet have the coverage of oVirt Ansible Collection, so any
contribution is welcome.

>
> Best Regards,
>
> Strahil Nikolov
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/HFM6DESX7CHTCHG37PIHJBSLPT46XAOX/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7ZCNHGG3MWHW4HCBSRXI2VXPYUW6VSXN/


[ovirt-users] Re: Ovirt and Vagrant

2021-01-05 Thread Martin Perina
Hi Gervais,

Have you checked examples for the ovirt_vm module?

https://docs.ansible.com/ansible/latest/collections/ovirt/ovirt/ovirt_vm_module.html

Or if you need something more "high level" there is also vm_infra role:

https://github.com/oVirt/ovirt-ansible-collection/tree/master/roles/vm_infra

Both are provided by oVirt Ansible Collection, which is a preferred and
supported solution for automated management of oVirt installations.

Regards,
Martin


On Tue, Jan 5, 2021 at 4:06 PM Gervais de Montbrun 
wrote:

> Thanks for the feedback. Are you using ansible to launch the vm from the
> template, or to provision the template once it is up?
>
> We have 15+ developers bringing up vm's for a variety of different
> environments (like 80) for different, custom configurations of client
> environments. Vagrant is really just to stand up (suspend, destroy) the vms
> and then puppet runs on them to apply custom configuration.
>
> I noticed Terraform support. I suspect that it would be a ton of work for
> us to switch to it.
>
> Cheers,
> Gervais
>
>
>
> On Jan 5, 2021, at 12:33 AM, Strahil Nikolov via Users 
> wrote:
>
>
> I wonder what other folks are using or if someone has any suggestions to
> offer.
>
>
> I'm using Ansible do deploy some stuff from templates.
> I think that terraform is also used with oVirt, so you can give it a try.
>
> Best Regards,
> Strahil Nikolov
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/MUM7MMOZTU54HSGAEOME7PDW4FMA7QQW/
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/WSBBX7K6MUWA44KOR35FHFDI2PL6OM3Q/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7WK44KUE6SGUTWU7MYESZEVWGA3STOVV/


[ovirt-users] Re: Cannot upgrade cluster to v4.5 (All hosts are CentOS 8.3.2011)

2020-12-16 Thread Martin Perina
On Wed, Dec 16, 2020 at 4:59 PM Gilboa Davara  wrote:

> Thanks for the prompt reply.
> I assume I can safely ignore the "Upgrade cluster compatibility" warning
> until libvirt 6.6 gets pushed to CentOS 8.3?
>

We are working on releasing AV 8.3, hopefully it will be available soon,
but until that happen you have no way how to upgrade to CL 4.5 and you just
need to stay in 4.4

>
> - Gilboa
>
> On Wed, Dec 16, 2020 at 5:56 PM Martin Perina  wrote:
>
>>
>>
>> On Wed, Dec 16, 2020 at 2:25 PM Gilboa Davara  wrote:
>>
>>> Shani,
>>>
>>> 1. I created a new 4.5 cluster with the same CPU (Secure Intel
>>> Cascadelake Server Family) and platform type (Q35/BIOS).
>>> 2. All 3 hosts are 8.3, but report 4.4 compatibility.
>>> 3. The only reason I attempted to upgrade the cluster was simple: The
>>> cluster state kept on dropping down to "unavailable" (even though all 3
>>> hosts are up) and I was offered to upgrade the cluster to v4.5.
>>>
>>> - Gilboa
>>>
>>> On Wed, Dec 16, 2020 at 1:28 PM Shani Leviim  wrote:
>>>
>>>> Hi Gilboa,
>>>>
>>>> Here are some guidelines/checks:
>>>> - Are you able to create a 4.5 DC/cluster?
>>>> - Host can be Up in the 4.5 clusters only when it reports 4.5 level
>>>> compatibility (it's based on RHEL 8.3).
>>>>   Can you make sure that on all 3 hosts?
>>>> - You can upgrade the 4.4 clusters to 4.5 only when all
>>>> Up/NonOperational hosts are reporting 4.5 level
>>>> - You can upgrade 4.4 DC to 4.5 only when all clusters inside are on
>>>> the 4.5 level
>>>> - A 4.5 host-based on RHEL 8.3 should be fully functional in
>>>> 4.2/4.3/4.4 clusters
>>>>
>>>>
>>>>
>>>> *Regards,*
>>>>
>>>> *Shani Leviim*
>>>>
>>>>
>>>> On Wed, Dec 16, 2020 at 12:53 PM Gilboa Davara 
>>>> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> I'm more-or-less finished building a new ovirt over glusterfs cluster
>>>>> with 3 fairly beefy servers.
>>>>> Nodes were fully upgraded to CentOS Linux release 8.3.2011 before they
>>>>> joined the cluster.
>>>>> Looking at the cluster view in the WebUI, I get an exclamation mark
>>>>> with the following message: "Upgrade cluster compatibility level".
>>>>> When I try to upgrade the cluster, 2 of the 3 hosts go into
>>>>> maintenance and reboot, but once the procedure is complete, the cluster
>>>>> version remains the same.
>>>>> Looking at the host vdsm logs, I see that once the engine refreshes
>>>>> their capabilities, all hosts return 4.2-4.4 and not 4.5.
>>>>>
>>>>> E.g.
>>>>>  'supportedENGINEs': ['4.2', '4.3', '4.4'], 'clusterLevels': ['4.2',
>>>>> '4.3', '4.4']
>>>>> I assume I should be seeing 4.5 after the upgrade, no?
>>>>>
>>>>> AmI missing something?
>>>>>
>>>>
>> EL 8.3 is not enough, you also need Advanced Virtualization 8.3 (in
>> particular libvirt 6.6)
>>
>>>
>>>>> Thanks,
>>>>> - Gilboa
>>>>> _______
>>>>> Users mailing list -- users@ovirt.org
>>>>> To unsubscribe send an email to users-le...@ovirt.org
>>>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>>>> oVirt Code of Conduct:
>>>>> https://www.ovirt.org/community/about/community-guidelines/
>>>>> List Archives:
>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/7CCUHPEGVZD3BBLBDTOCHG5J6EEG5DE2/
>>>>>
>>>> ___
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/RMZ3S64FFIOFTRBQOWVTTLCRJJA65EMJ/
>>>
>>
>>
>> --
>> Martin Perina
>> Manager, Software Engineering
>> Red Hat Czech s.r.o.
>>
>

-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EEMTSO56TO2SX5HMTQCLYOZBBXCSAI2O/


[ovirt-users] Re: Cannot upgrade cluster to v4.5 (All hosts are CentOS 8.3.2011)

2020-12-16 Thread Martin Perina
On Wed, Dec 16, 2020 at 2:25 PM Gilboa Davara  wrote:

> Shani,
>
> 1. I created a new 4.5 cluster with the same CPU (Secure Intel Cascadelake
> Server Family) and platform type (Q35/BIOS).
> 2. All 3 hosts are 8.3, but report 4.4 compatibility.
> 3. The only reason I attempted to upgrade the cluster was simple: The
> cluster state kept on dropping down to "unavailable" (even though all 3
> hosts are up) and I was offered to upgrade the cluster to v4.5.
>
> - Gilboa
>
> On Wed, Dec 16, 2020 at 1:28 PM Shani Leviim  wrote:
>
>> Hi Gilboa,
>>
>> Here are some guidelines/checks:
>> - Are you able to create a 4.5 DC/cluster?
>> - Host can be Up in the 4.5 clusters only when it reports 4.5 level
>> compatibility (it's based on RHEL 8.3).
>>   Can you make sure that on all 3 hosts?
>> - You can upgrade the 4.4 clusters to 4.5 only when all Up/NonOperational
>> hosts are reporting 4.5 level
>> - You can upgrade 4.4 DC to 4.5 only when all clusters inside are on the
>> 4.5 level
>> - A 4.5 host-based on RHEL 8.3 should be fully functional in 4.2/4.3/4.4
>> clusters
>>
>>
>>
>> *Regards,*
>>
>> *Shani Leviim*
>>
>>
>> On Wed, Dec 16, 2020 at 12:53 PM Gilboa Davara  wrote:
>>
>>> Hello all,
>>>
>>> I'm more-or-less finished building a new ovirt over glusterfs cluster
>>> with 3 fairly beefy servers.
>>> Nodes were fully upgraded to CentOS Linux release 8.3.2011 before they
>>> joined the cluster.
>>> Looking at the cluster view in the WebUI, I get an exclamation mark with
>>> the following message: "Upgrade cluster compatibility level".
>>> When I try to upgrade the cluster, 2 of the 3 hosts go into maintenance
>>> and reboot, but once the procedure is complete, the cluster version remains
>>> the same.
>>> Looking at the host vdsm logs, I see that once the engine refreshes
>>> their capabilities, all hosts return 4.2-4.4 and not 4.5.
>>>
>>> E.g.
>>>  'supportedENGINEs': ['4.2', '4.3', '4.4'], 'clusterLevels': ['4.2',
>>> '4.3', '4.4']
>>> I assume I should be seeing 4.5 after the upgrade, no?
>>>
>>> AmI missing something?
>>>
>>
EL 8.3 is not enough, you also need Advanced Virtualization 8.3 (in
particular libvirt 6.6)

>
>>> Thanks,
>>> - Gilboa
>>> ___
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/7CCUHPEGVZD3BBLBDTOCHG5J6EEG5DE2/
>>>
>> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/RMZ3S64FFIOFTRBQOWVTTLCRJJA65EMJ/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YIYBNDNOR4RKDQFBUVKTDSIFAZBTLLK3/


[ovirt-users] Re: fence_xvm for testing

2020-12-15 Thread Martin Perina
On Tue, Dec 15, 2020 at 12:59 PM Alex K  wrote:

>
>
> On Tue, Dec 15, 2020 at 1:43 PM emesika  wrote:
>
>> The problem is that the custom fencing configuration is not defined well
>>
>> Please follow [1] and retry
>>
>> [1]
>> https://www.ovirt.org/develop/developer-guide/engine/custom-fencing.html
>>
> Yes, I followed that.
> I cannot see what I am missing:
>
> [root@manager ~]# engine-config -g CustomVdsFenceType
> CustomVdsFenceType: fence_xvm version: general
> [root@manager ~]# engine-config -g CustomFenceAgentMapping
> CustomFenceAgentMapping: fence_xvm=xvm version: general
> [root@manager ~]# engine-config -g CustomVdsFenceOptionMapping
> CustomVdsFenceOptionMapping: fence_xvm: version: general
>
>
>>
>> On Tue, Dec 15, 2020 at 12:56 PM Alex K  wrote:
>>
>>>
>>>
>>> On Tue, Dec 15, 2020 at 12:34 PM Martin Perina 
>>> wrote:
>>>
>>>>
>>>>
>>>> On Tue, Dec 15, 2020 at 11:18 AM Alex K 
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, Dec 15, 2020 at 11:59 AM Martin Perina 
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> could you please provide engine.log? And also vdsm.log from a host
>>>>>> which was acting as a fence proxy?
>>>>>>
>>>>>
>>>>> At proxy host (kvm1) I see the following vdsm.log:
>>>>>
>>>>> 2020-12-15 10:13:03,933+ INFO  (jsonrpc/0) [jsonrpc.JsonRpcServer]
>>>>> RPC call Host.fenceNode failed (error 1) in 0.01 seconds (__init__:312)
>>>>> 2020-12-15 10:13:04,376+ INFO  (jsonrpc/7) [jsonrpc.JsonRpcServer]
>>>>> RPC call Host.fenceNode failed (error 1) in 0.01 seconds (__init__:312)
>>>>>
>>>>
>>>> Isn't there stdout and stderr content of fence_xvm execution a few
>>>> lines above, which should reveal the exact error? If not, then could you
>>>> please turn on debug logging using below command:
>>>>
>>>> vdsm-client Host setLogLevel level=DEBUG
>>>>
>>>> This should be executed on the host which acts as a fence proxy (if you 
>>>> have multiple hosts, then you would need to turn on debug on all, because 
>>>> the fence proxy is selected randomly).
>>>>
>>>> Once we will have vdsm.log with fence_xvm execution details, then you can 
>>>> change log level to INFO again by running:
>>>>
>>>> I had to set engine-config -s CustomFenceAgentMapping="fence_xvm=xvm"
>>> at engine, as it seems the host prepends fence_.
>>> After that I got the following at the proxy host with DEBUG enabled:
>>>
>>> 2020-12-15 10:51:57,891+ DEBUG (jsonrpc/7) [jsonrpc.JsonRpcServer]
>>> Calling 'Host.fenceNode' in bridge with {u'username': u'root', u'addr':
>>> u'225.0.0.12', u'agent': u'xvm', u'options': u'port=ovirt-node0',
>>> u'action': u'status', u'password': '', u'port': u'0'} (__init__:329)
>>> 2020-12-15 10:51:57,892+ DEBUG (jsonrpc/7) [root] /usr/bin/taskset
>>> --cpu-list 0-3 /usr/sbin/fence_xvm (cwd None) (commands:198)
>>> 2020-12-15 10:51:57,911+ INFO  (jsonrpc/7) [jsonrpc.JsonRpcServer]
>>> RPC call Host.fenceNode failed (error 1) in 0.02 seconds (__init__:312)
>>> 2020-12-15 10:51:58,339+ DEBUG (jsonrpc/5) [jsonrpc.JsonRpcServer]
>>> Calling 'Host.fenceNode' in bridge with {u'username': u'root', u'addr':
>>> u'225.0.0.12', u'agent': u'xvm', u'options': u'port=ovirt-node0',
>>> u'action': u'status', u'password': '', u'port': u'0'} (__init__:329)
>>>
>>
Yes, that's the most probable issue. Eli, do we have a way to prevent
passing default port value 0 for custom fence agent?

> 2020-12-15 10:51:58,340+ DEBUG (jsonrpc/5) [root] /usr/bin/taskset
>>> --cpu-list 0-3 /usr/sbin/fence_xvm (cwd None) (commands:198)
>>> 2020-12-15 10:51:58,356+ INFO  (jsonrpc/5) [jsonrpc.JsonRpcServer]
>>> RPC call Host.fenceNode failed (error 1) in 0.01 seconds (__init__:312
>>>
>>> while at engine at got:
>>> 2020-12-15 10:51:57,873Z INFO
>>>  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (default task-5) [a4f30921-37a9-45c1-97e5-26152f844d72] EVENT_ID:
>>> FENCE_OPERATION_USING_AGENT_AND_PROXY_STARTED(9,020), Executing power
>>> management status on Host kvm0.lab.local using Proxy Host kvm1.lab.local
>>> and Fence Agent xvm:225.0.0.1

[ovirt-users] Re: fence_xvm for testing

2020-12-15 Thread Martin Perina
On Tue, Dec 15, 2020 at 11:18 AM Alex K  wrote:

>
>
> On Tue, Dec 15, 2020 at 11:59 AM Martin Perina  wrote:
>
>> Hi,
>>
>> could you please provide engine.log? And also vdsm.log from a host which
>> was acting as a fence proxy?
>>
>
> At proxy host (kvm1) I see the following vdsm.log:
>
> 2020-12-15 10:13:03,933+ INFO  (jsonrpc/0) [jsonrpc.JsonRpcServer] RPC
> call Host.fenceNode failed (error 1) in 0.01 seconds (__init__:312)
> 2020-12-15 10:13:04,376+ INFO  (jsonrpc/7) [jsonrpc.JsonRpcServer] RPC
> call Host.fenceNode failed (error 1) in 0.01 seconds (__init__:312)
>

Isn't there stdout and stderr content of fence_xvm execution a few lines
above, which should reveal the exact error? If not, then could you please
turn on debug logging using below command:

vdsm-client Host setLogLevel level=DEBUG

This should be executed on the host which acts as a fence proxy (if
you have multiple hosts, then you would need to turn on debug on all,
because the fence proxy is selected randomly).

Once we will have vdsm.log with fence_xvm execution details, then you
can change log level to INFO again by running:

vdsm-client Host setLogLevel level=INFO

Thanks,

Martin

2020-12-15 10:13:06,722+ INFO  (jsonrpc/4) [api.host] FINISH getStats
> return={'status': {'message': 'Done', 'code': 0}, 'info': {'cpuStatistics':
> {'1': {'cpuUser': '2.33', 'nodeIndex': 0, 'cpuSys': '1.13', 'cpuIdle':
> '96.54'}, '0': {'cpuUser': '1.66', 'nodeIndex': 0, 'cpuSys': '0.47',
> 'cpuIdle': '97.87'}, '3': {'cpuUser': '0.73', 'nodeIndex': 0, 'cpuSys':
> '0.60', 'cpuIdle': '98.67'}, '2': {'cpuUser': '1.20', 'nodeIndex': 0,
> 'cpuSys': '0.40', 'cpuIdle': '98.40'}}, 'numaNodeMemFree': {'0':
> {'memPercent': 14, 'memFree': '8531'}}, 'memShared': 0, 'haScore': 3400,
> 'thpState': 'always', 'ksmMergeAcrossNodes': True, 'vmCount': 0, 'memUsed':
> '8', 'storageDomains': {u'b4d25e5e-7806-464f-b2e1-4d4ab5a54dee': {'code':
> 0, 'actual': True, 'version': 5, 'acquired': True, 'delay': '0.0027973',
> 'lastCheck': '2.7', 'valid': True},
> u'dc4d507b-954f-4da6-bcc3-b4f2633d0fa1': {'code': 0, 'actual': True,
> 'version': 5, 'acquired': True, 'delay': '0.00285824', 'lastCheck': '5.7',
> 'valid': True}}, 'incomingVmMigrations': 0, 'network': {'ovirtmgmt':
> {'rxErrors': '0', 'txErrors': '0', 'speed': '1000', 'rxDropped': '149',
> 'name': 'ovirtmgmt', 'tx': '2980375', 'txDropped': '0', 'duplex':
> 'unknown', 'sampleTime': 1608027186.703727, 'rx': '27524740', 'state':
> 'up'}, 'lo': {'rxErrors': '0', 'txErrors': '0', 'speed': '1000',
> 'rxDropped': '0', 'name': 'lo', 'tx': '1085188922', 'txDropped': '0',
> 'duplex': 'unknown', 'sampleTime': 1608027186.703727, 'rx': '1085188922',
> 'state': 'up'}, 'ovs-system': {'rxErrors': '0', 'txErrors': '0', 'speed':
> '1000', 'rxDropped': '0', 'name': 'ovs-system', 'tx': '0', 'txDropped':
> '0', 'duplex': 'unknown', 'sampleTime': 1608027186.703727, 'rx': '0',
> 'state': 'down'}, ';vdsmdummy;': {'rxErrors': '0', 'txErrors': '0',
> 'speed': '1000', 'rxDropped': '0', 'name': ';vdsmdummy;', 'tx': '0',
> 'txDropped': '0', 'duplex': 'unknown', 'sampleTime': 1608027186.703727,
> 'rx': '0', 'state': 'down'}, 'br-int': {'rxErrors': '0', 'txErrors': '0',
> 'speed': '1000', 'rxDropped': '0', 'name': 'br-int', 'tx': '0',
> 'txDropped': '0', 'duplex': 'unknown', 'sampleTime': 1608027186.703727,
> 'rx': '0', 'state': 'down'}, 'eth1': {'rxErrors': '0', 'txErrors': '0',
> 'speed': '1000', 'rxDropped': '0', 'name': 'eth1', 'tx': '83685154',
> 'txDropped': '0', 'duplex': 'unknown', 'sampleTime': 1608027186.703727,
> 'rx': '300648288', 'state': 'up'}, 'eth0': {'rxErrors': '0', 'txErrors':
> '0', 'speed': '1000', 'rxDropped': '0', 'name': 'eth0', 'tx': '2980933',
> 'txDropped': '0', 'duplex': 'unknown', 'sampleTime': 1608027186.703727,
> 'rx': '28271472', 'state': 'up'}}, 'txDropped': '149', 'anonHugePages':
> '182', 'ksmPages': 100, 'elapsedTime': '5717.99', 'cpuLoad': '0.42',
> 'cpuSys': '0.63', 'diskStats': {'/var/log': {'free': '16444'},
> '/var/run/vdsm/': {'free': '4909'}, '/tmp': {'free': '16444'}},
> 'cpuUserVdsmd': '1.33', 'netConfigDirty': 'False', 'memCommitted': 0,
> 'ksmState': False, 'vmMigrating': 0, 'ksmCpu': 0, 'memAvailable': 9402,
> 'bootTime': '1608021428', 'haStats': {'active': True, 'configured': True,
> 'score': 3400, 'localMaintenance': False, 'globalMaintenance': True},
> 'momStatus': 'active', 'multipathHealth': {}, 'rxDropped': '0',
> 'outgoingVmMigrations': 0, 'swapTotal': 6015, 'swapFree': 6015,
> 'hugepages': defaultdict(, {1048576: {'resv_hugepages': 0,
> 'free_hugepages': 0, 'nr_overcommit_hugepages': 0, 'surplus_hugepages': 0,
> 'vm.free_hugepages': 0, 'nr_hugepages': 0, 'nr_hugepages_mempolicy': 0},
> 2048: {'resv_hugepages': 0, 'free_hugepages': 0, 'nr_overcommit_hugepages':
>

[ovirt-users] Re: fence_xvm for testing

2020-12-15 Thread Martin Perina
1495d75759] EVENT_ID:
>>> VDS_ALERT_FENCE_TEST_FAILED(9,001), Power Management test failed for Host
>>> kvm0.lab.local.Internal JSON-RPC error
>>> 2020-12-14 08:53:48,582Z INFO
>>>  [org.ovirt.engine.core.vdsbroker.vdsbroker.FenceVdsVDSCommand] (default
>>> task-4) [07c1d540-6d8d-419c-affb-181495d75759] FINISH, FenceVdsVDSCommand,
>>> return: FenceOperationResult:{status='ERROR', powerStatus='UNKNOWN',
>>> message='Internal JSON-RPC error'}, log id: 8607bc9
>>> 2020-12-14 08:53:48,637Z WARN
>>>  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (default task-4) [07c1d540-6d8d-419c-affb-181495d75759] EVENT_ID:
>>> FENCE_OPERATION_USING_AGENT_AND_PROXY_FAILED(9,021), Execution of power
>>> management status on Host kvm0.lab.local using Proxy Host kvm1.lab.local
>>> and Fence Agent fence_xvm:225.0.0.12 failed.
>>>
>>>
>>> Any idea?
>>>
>>> Thanx,
>>> Alex
>>>
>>>
>>> ___
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/B7IHC4MYY5LJFJMEJMLRRFSTMD7IK23I/
>>>
>> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/MV3RI22LE4C57R6TUQR5BG3LVZUVWRNX/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HMDTM5EKBU3KCA5SB7HOZEPSX7LABM4M/


[ovirt-users] Re: sshd_config AuthorizedKeysFile

2020-11-12 Thread Martin Perina
Hi,

could you please try if ssh-copy-id works with your non-standard sshd
configuration? Because last time I've checked I haven't noticed that
behavior and keys were always added to $HOME/.ssh/authorized_keys

So feel free to create a bug for that, but up until now you are the first
user using this non-standard configuration ...

Regards,
Martin

On Thu, Nov 12, 2020 at 9:00 AM Angus Clarke  wrote:

> Hello
>
> Sharing for anyone who needs it, this was carried out on OL7, they use
> ovirt 4.3
>
> In short: both the hosted-engine deployment routine and the host add to
> cluster routine distribute public ssh keys to /root/.ssh/authorized_keys
> regardless of the AuthorizedKeysFile setting in /etc/ssh/sshd_config. Both
> routines fail if AuthorizedKeysfile is not default.
>
>
> The hosted-engine setup assumes AuthorizedKeysFile to be default
> (~/.ssh/authorized_keys) and creates a public key there, instead of
> following the sshd_config directive. The setup fails on the back of this.
>
> Once I commented this out of sshd_config file (assumes default) and
> restarted sshd on the KVM host that was running the hosted-engine
> deployment, the hosted-engine setup completed successfully.
>
>
> Similarly, I could not deploy a second KVM host to the compute cluster
> until I had altered this setting on that 2nd KVM host - presumably that
> process has some similar routine that unwittingly writes keys to
> ~/.ssh/authorized_keys.
>
> HTH
> Angus
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/UMJ4Y622RALUU6QKPNREYS43BP324ODT/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SLVELKKOY5C5LWTP3FD6CI3VPRHNC226/


[ovirt-users] Re: Dependencies failure when upgrading from version 4.4.2 to 4.4.3

2020-11-11 Thread Martin Perina
Hi,

We already have https://bugzilla.redhat.com/show_bug.cgi?id=1896799 open to
track this issue. Could you please to upgrade your standalone engine using
below steps?

  # dnf update ovirt\*setup\* --nobest
  # engine-setup
  # dnf update --nobest
  # reboot

If engine upgrade is successful, could you please upgrade yours hosts from
webadmin using below steps?

1. Move the host to Maintenance
2. Execute Check for Update
3. Execute Upgrade

Manual upgrade of host using command line has been deprecated, because
manual steps are missing important parts (for example renewal of
certificates close to expiration date)

Thanks,
Martin



On Wed, Nov 11, 2020 at 7:47 PM  wrote:

> When I update the Engine and Host, many dependencies are missing, as shown
> by the host error log:
>
> Error:
>  Problem 1: package ovirt-hosted-engine-setup-2.4.6-1.el8.noarch requires
> ovirt-ansible-engine-setup >= 1.1.9, but none of the providers can be
> installed
>   - package ovirt-ansible-collection-1.2.1-1.el8.noarch obsoletes
> ovirt-ansible-engine-setup provided by
> ovirt-ansible-engine-setup-1.2.4-1.el8.noarch
>   - cannot install the best update candidate for package
> ovirt-hosted-engine-setup-2.4.6-1.el8.noarch
>   - cannot install the best update candidate for package
> ovirt-ansible-engine-setup-1.2.4-1.el8.noarch
>  Problem 2: package ovirt-host-4.4.1-4.el8.x86_64 requires
> ovirt-hosted-engine-setup, but none of the providers can be installed
>   - package ovirt-hosted-engine-setup-2.4.6-1.el8.noarch requires
> ovirt-ansible-hosted-engine-setup >= 1.0.34, but none of the providers can
> be installed
>   - package ovirt-ansible-collection-1.2.1-1.el8.noarch obsoletes
> ovirt-ansible-hosted-engine-setup provided by
> ovirt-ansible-hosted-engine-setup-1.1.8-1.el8.noarch
>   - cannot install the best update candidate for package
> ovirt-host-4.4.1-4.el8.x86_64
>   - cannot install the best update candidate for package
> ovirt-ansible-hosted-engine-setup-1.1.8-1.el8.noarch
>   - package ovirt-ansible-hosted-engine-setup-1.1.4-1.el8.noarch is
> filtered out by exclude filtering
>   - package ovirt-ansible-hosted-engine-setup-1.1.5-1.el8.noarch is
> filtered out by exclude filtering
>   - package ovirt-ansible-hosted-engine-setup-1.1.6-1.el8.noarch is
> filtered out by exclude filtering
>   - package ovirt-ansible-hosted-engine-setup-1.1.7-1.el8.noarch is
> filtered out by exclude filtering
>   - package ovirt-hosted-engine-setup-2.4.4-1.el8.noarch is filtered out
> by exclude filtering
>   - package ovirt-hosted-engine-setup-2.4.5-1.el8.noarch is filtered out
> by exclude filtering
>   - package ovirt-hosted-engine-setup-2.4.7-1.el8.noarch is filtered out
> by exclude filtering
>   - package ovirt-hosted-engine-setup-2.4.8-1.el8.noarch is filtered out
> by exclude filtering
> (try to add '--skip-broken' to skip uninstallable packages or '--nobest'
> to use not only best candidate packages)
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/W4MLIPGT7CJQVZRFRE2MPJ7VTIZAYYEH/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RHO2UEP573D2AXGQKBPI4CRZBFEX4QPZ/


[ovirt-users] Re: Engine update error from 4.4.2 to 4.4.3

2020-11-11 Thread Martin Perina
Hi,
Could you please try to upgrade from 4.4.2 to 4.4.3 using below steps:

  # dnf update ovirt\*setup\* --nobest
  # engine-setup
  # dnf update --nobest
  # reboot

Thanks,
Martin

On Wed, Nov 11, 2020 at 4:32 PM Gianluca Cecchi 
wrote:

> On Wed, Nov 11, 2020 at 4:12 PM shadow emy  wrote:
>
>> Hello
>>
>> I have updated only the engine first using bellow command and could
>> proceed with the update.
>>
>> dnf update ovirt-engine-setup ovirt-engine-setup-plugin-websocket-proxy
>> ovirt-engine-dwh-setup ovirt-engine-dwh-grafana-integration-setup
>>
>> engine-setup
>>
>>
>> "  yum update ovirt\*setup\* "   --  did not work and had the same error
>> as you
>>
>>
> Thanks for the info.
> Were you then able to run "yum update" on engine without dependency errors?
>
> Can you please add the info into the bugzilla link I provided for this,
> thanks
>
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/EH4HUAO6SCZCBYF3FEAAYULFHSXU22EI/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/URVPDRH6MR25DONZQ7IFM722SSS7X2QN/


[ovirt-users] Re: Engine update error from 4.4.2 to 4.4.3

2020-11-11 Thread Martin Perina
Hi Gianluca,

could you please file a bug for that? No idea how we could miss such a
blocker :-(

Thanks,
Martin


On Wed, Nov 11, 2020 at 2:46 PM Gianluca Cecchi 
wrote:

> On Wed, Nov 11, 2020 at 2:02 PM Gilboa Davara  wrote:
> [snip]
>
>
>> $ yum update ovirt\*setup\*
>> Last metadata expiration check: 1:50:00 ago on Wed 11 Nov 2020 01:03:00
>> PM IST.
>>
>>
> ??
> Does it mean you too or what?
> Please, words are (still) free so you can use some more... ;-)
>
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/P433UJQSTT3X2R7AG3SM345XY2WXE6VN/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QNUU3GVYLO47KC6GGSDV4VWJTCTRHHGU/


[ovirt-users] Re: problems installing standard Linux as nodes in 4.4

2020-10-27 Thread Martin Perina
Hi Gianluca,

happy to hear that your issue was fixed!

Just please be aware that iptables support for hosts has been deprecated
and it's completely unsupported for cluster levels 4.4 and up. So unless
you switch your cluster to firewalld, you will not be able to upgrade your
cluster to 4.4 version. You can take a look at documentation how to prepare
custom firewall rules for firewalld:

https://www.ovirt.org/documentation/administration_guide/#Configuring_Host_Firewall_Rules

Regards,
Martin


On Mon, Oct 26, 2020 at 7:22 PM Gianluca Cecchi 
wrote:

> On Thu, Oct 15, 2020 at 12:25 PM Gianluca Cecchi <
> gianluca.cec...@gmail.com> wrote:
>
>> On Thu, Oct 15, 2020 at 10:41 AM Gianluca Cecchi <
>> gianluca.cec...@gmail.com> wrote:
>>
>>>
>>>
>>> Any feedback on my latest comments?
>>> In the meantime here:
>>>
>>> https://drive.google.com/file/d/1iN37znRtCo2vgyGTH_ymLhBJfs-2pWDr/view?usp=sharing
>>> you can find inside the sosreport in tar.gz format, where I have
>>> modified some file names and context in respect of hostnames.
>>> The only file I have not put inside is the dump of the database, but I
>>> can run any query you like in case.
>>>
>>> Gianluca
>>>
>>>
>>
>> I have also tried to put debug into the engine.
>>
>>
> So after huge debugging work with Dana Elfassy and Martin Necas (thank you
> very much to both!) and coordination of Sandro we found the culprit!
>
> Inside firewall custom rules of my engine I had this (note the double
> quotes for the comment about Nagios):
>
> [root@ovmgr1 ovirt-engine]# engine-config -g IPTablesConfigSiteCustom
> IPTablesConfigSiteCustom: -A INPUT -p tcp --dport 5666 -s 10.4.5.99/32 -m
> comment --comment "Nagios NRPE daemon" -j ACCEPT version: general
> [root@ovmgr1 ovirt-engine]#
>
> So those double quotes  caused a wrong formatted json block that
> ansible-runner-service was not able to manage in the http post phase
>
> After changing with single quotes, with this command:
>
> engine-config -s IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 5666 -s
> 10.4.5.99/32 -m comment --comment 'Nagios NRPE daemon' -j ACCEPT"
>
> and restarting the engine so that now I have
>
> [root@ovmgr1 ovirt-engine]# engine-config -g IPTablesConfigSiteCustom
> IPTablesConfigSiteCustom: -A INPUT -p tcp --dport 5666 -s 10.4.5.99/32 -m
> comment --comment 'Nagios NRPE daemon' -j ACCEPT version: general
> [root@ovmgr1 ovirt-engine]#
>
> I was able to add the CentOS 8.2 host.
> So mind if you have the double quotes in any engine-config key before
> upgrading from 4.3 to 4.4.
>
> What a nasty thing to detect...
> Thanks again guys for your help
>
> Gianluca
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QJI6BLUQ43N7RYGEUAPVWKXYOSKY4AVZ/


[ovirt-users] Re: problems installing standard Linux as nodes in 4.4

2020-10-10 Thread Martin Perina
On Sat, 10 Oct 2020, 01:24 Gianluca Cecchi, 
wrote:

> On Fri, Oct 9, 2020 at 7:12 PM Martin Perina  wrote:
>
>>
>>
>> Could you please share with us all logs from engine gathered by
>> logcollector? We will try to find out any clue what's wrong in your env ...
>>
>> Thanks,
>> Martin
>>
>>
> I will try to collect.
> In the mean time I've found that SSH could be in some way involved
>
> When I add the host and get the immediate failure and apparently nothing
> happens at all,  I see these two lines in /var/log/ovirt-engine/server.log
>
> 2020-10-09 18:15:09,369+02 WARN
>  [org.apache.sshd.client.session.ClientConnectionService]
> (sshd-SshClient[7cb54873]-nio2-thread-1)
> globalRequest(ClientConnectionService[ClientSessionImpl[root@ov200
> /10.4.192.32:22]])[hostkeys...@openssh.com, want-reply=false] failed
> (SshException) to process: EdDSA provider not supported
> 2020-10-09 18:15:09,699+02 WARN
>  [org.apache.sshd.client.session.ClientConnectionService]
> (sshd-SshClient[2cbceeab]-nio2-thread-1)
> globalRequest(ClientConnectionService[ClientSessionImpl[root@ov200
> /10.4.192.32:22]])[hostkeys...@openssh.com, want-reply=false] failed
> (SshException) to process: EdDSA provider not supported
>

This harmless, AFAIK EdDSA is not supported by default in OpenJDK 11 and
engine uses only ssh-rsa and ssh-rsa2 anyway


> could it be that the ssh client embedded is not able to connect to the
> CentOS 8.2 for some reason?
>

If that's the case we should see an error either in engine.log or
ansible-runner-service.log


> On host at the moment when I try to add it I see again two sessions opened
> and immediately closed (tried several times), eg in the timeframe above I
> have:
>
> Oct  9 18:15:09 ov200 systemd-logind[1237]: New session 41 of user root.
> Oct  9 18:15:09 ov200 systemd[1]: Started Session 41 of user root.
> Oct  9 18:15:09 ov200 systemd-logind[1237]: Session 41 logged out. Waiting
> for processes to exit.
> Oct  9 18:15:09 ov200 systemd-logind[1237]: Removed session 41.
> Oct  9 18:15:09 ov200 systemd-logind[1237]: New session 42 of user root.
> Oct  9 18:15:09 ov200 systemd[1]: Started Session 42 of user root.
> Oct  9 18:15:09 ov200 systemd-logind[1237]: Session 42 logged out. Waiting
> for processes to exit.
> Oct  9 18:15:09 ov200 systemd-logind[1237]: Removed session 42.
>
> anyway at sshd service level it seems it is ok om the host:
>
> journalctl -u sshd.service has
>
> Oct 09 18:15:09 ov200 sshd[13379]: Accepted password for root from
> 10.4.192.43 port 46008 ssh2
> Oct 09 18:15:09 ov200 sshd[13379]: pam_unix(sshd:session): session opened
> for user root by (uid=0)
> Oct 09 18:15:09 ov200 sshd[13379]: pam_unix(sshd:session): session closed
> for user root
> Oct 09 18:15:09 ov200 sshd[13398]: Accepted password for root from
> 10.4.192.43 port 46014 ssh2
> Oct 09 18:15:09 ov200 sshd[13398]: pam_unix(sshd:session): session opened
> for user root by (uid=0)
> Oct 09 18:15:09 ov200 sshd[13398]: pam_unix(sshd:session): session closed
> for user root
>
> On the host I have not customized anything ssh related:
>
> [root@ov200 ssh]# ps -ef|grep sshd
> root1274   1  0 Oct08 ?00:00:00 /usr/sbin/sshd -D
> -oCiphers=aes256-...@openssh.com,chacha20-poly1...@openssh.com
> ,aes256-ctr,aes256-cbc,aes128-...@openssh.com,aes128-ctr,aes128-cbc
> -oMACs=hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,
> umac-128-...@openssh.com,hmac-sha2-512-...@openssh.com
> ,hmac-sha2-256,hmac-sha1,umac-...@openssh.com,hmac-sha2-512
> -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1-
> -oKexAlgorithms=curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
> -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com
> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com
> ,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com
> ,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com,ecdsa-sha2-nistp521,
> ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,
> ssh-ed25519-cert-...@openssh.com,ssh-rsa,ssh-rsa-cert-...@openssh.com
> -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com
> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com
> ,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com
> ,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com,ecdsa-sha2-nistp521,
> ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,
> ssh-ed25519-cert-...@openssh.com,ssh-rsa,ssh-rsa-cert-...@openssh.com
> -oCASignatureAlgorithms=r

[ovirt-users] Re: problems installing standard Linux as nodes in 4.4

2020-10-09 Thread Martin Perina
On Fri, Oct 9, 2020 at 6:47 PM Gianluca Cecchi 
wrote:

>
>
> On Fri, Oct 9, 2020 at 6:29 PM Martin Perina  wrote:
>
>>
>>
>> On Fri, Oct 9, 2020 at 5:54 PM Gianluca Cecchi 
>> wrote:
>>
>>> On Fri, Oct 9, 2020 at 4:58 PM Martin Perina  wrote:
>>>
>>>> Hi Gianluca,
>>>>
>>>> could you please check selinux context of
>>>> /var/log/ovirt-engine/ansible-runner-service.log to see if you are not
>>>> affected by https://bugzilla.redhat.com/show_bug.cgi?id=1880171#c5 ?
>>>>
>>>> Thanks,
>>>> Martin
>>>>
>>>
>>> Thanks for answering.
>>> It seems ok. On the engine:
>>> [root@ovmgr1 ~]# ls -Z /var/log/ovirt-engine/ansible-runner-service.log
>>> system_u:object_r:httpd_log_t:s0
>>> /var/log/ovirt-engine/ansible-runner-service.log
>>> [root@ovmgr1 ~]#
>>>
>>> Gianluca
>>>
>>
>> OK, so could you please apply the workaround mentioned in
>> https://bugzilla.redhat.com/show_bug.cgi?id=1880171#c5 to resolve the
>> issue until oVirt 4.4.3 is released?
>>
>>
> Sorry, but isn't it already ok? The SELinux security context for the file
> is already httpd_log_t, so I don't have to apply anything.
> I also applied the more brutal workaround described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1880171#c4 without any
> effect, so I'm not in this bugzilla context.
> Do I have to apply also for the directory /var/log/ovirt-engine itself,
> that currently has a context of var_log_t? I don't think so...
>

Ahh, sorry, I've misunderstood your reply, I thought you replied you are
affected.

Could you please share with us all logs from engine gathered by
logcollector? We will try to find out any clue what's wrong in your env ...

Thanks,
Martin


> Gianluca
>
>
>

-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FM4AGM2OYTXAJCBZLGYJ7MAL7J2IKGCB/


[ovirt-users] Re: problems installing standard Linux as nodes in 4.4

2020-10-09 Thread Martin Perina
On Fri, Oct 9, 2020 at 5:54 PM Gianluca Cecchi 
wrote:

> On Fri, Oct 9, 2020 at 4:58 PM Martin Perina  wrote:
>
>> Hi Gianluca,
>>
>> could you please check selinux context of
>> /var/log/ovirt-engine/ansible-runner-service.log to see if you are not
>> affected by https://bugzilla.redhat.com/show_bug.cgi?id=1880171#c5 ?
>>
>> Thanks,
>> Martin
>>
>
> Thanks for answering.
> It seems ok. On the engine:
> [root@ovmgr1 ~]# ls -Z /var/log/ovirt-engine/ansible-runner-service.log
> system_u:object_r:httpd_log_t:s0
> /var/log/ovirt-engine/ansible-runner-service.log
> [root@ovmgr1 ~]#
>
> Gianluca
>

OK, so could you please apply the workaround mentioned in
https://bugzilla.redhat.com/show_bug.cgi?id=1880171#c5 to resolve the issue
until oVirt 4.4.3 is released?


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7EKVKRO3CPQLHYI6FEC6BTAVJWNYRZZ2/


[ovirt-users] Re: problems installing standard Linux as nodes in 4.4

2020-10-09 Thread Martin Perina
Hi Gianluca,

could you please check selinux context of
/var/log/ovirt-engine/ansible-runner-service.log to see if you are not
affected by https://bugzilla.redhat.com/show_bug.cgi?id=1880171#c5 ?

Thanks,
Martin


On Fri, Oct 9, 2020 at 4:45 PM Gianluca Cecchi 
wrote:

> On Thu, Oct 8, 2020 at 5:13 PM Gianluca Cecchi 
> wrote:
>
>>
>>
>> On Thu, Oct 8, 2020 at 5:08 PM Gianluca Cecchi 
>> wrote:
>>
>>> On Thu, Oct 8, 2020 at 4:59 PM Dana Elfassy  wrote:
>>>
>>>> And also please attach the content of the file found at:
>>>> /etc/ansible-runner-service/config.yaml
>>>>
>>>> On Thu, Oct 8, 2020 at 5:55 PM Dana Elfassy 
>>>> wrote:
>>>>
>>>>> Hi Gianluca,
>>>>> Please execute the following command on your engine, save the output
>>>>> into a file and attach it:
>>>>> sudo journalctl -u ansible-runner-service
>>>>> Dana
>>>>>
>>>>>
>>> Thanks for answering, Dana.
>>>
>>>  [root@ovmgr1 ansible-runner-service]# sudo journalctl -u
>>> ansible-runner-service
>>> -- Logs begin at Tue 2020-10-06 11:12:46 CEST, end at Thu 2020-10-08
>>> 17:02:25 CEST. --
>>> -- No entries --
>>> [root@ovmgr1 ansible-runner-service]#
>>>
>>>
>>> [root@ovmgr1 ansible-runner-service]# cat
>>> /etc/ansible-runner-service/config.yaml
>>>
>>> version: 1
>>> playbooks_root_dir:
>>> '/usr/share/ovirt-engine/ansible-runner-service-project'
>>> ssh_private_key: '/etc/pki/ovirt-engine/keys/engine_id_rsa'
>>> port: 50001
>>> target_user: root
>>> log_path: '/var/log/ovirt-engine'
>>> [root@ovmgr1 ansible-runner-service]#
>>>
>>> I noticed that both on engine and on host the "ansible-runner" package
>>> is not installed. Is it correct and only ansible-runner-service package to
>>> be installed only on the engine?
>>> Also, does the "service" in the name imply that I should have any
>>> systemd or other kind of related service on engine?
>>> Finally, I have to use a proxy for dnf/yum.
>>> To be able to run "engine-setup" on engine I had to set http_proxy and
>>> https_proxy eng variables inside the shell session, because it seems that
>>> engine-setup was not able to leverage the global configuration. Could it be
>>> something similar due to the host having to use a proxy too (that I already
>>> setup in /etc/dnf/dnf.conf)? Just a guess.
>>>
>>> Gianluca
>>>
>>
>> Also, the host already existed in 4.3. I upgraded the standalone engine
>> from 4.3.10 to 4.4.2 following the guide.
>> Now to update my hosts I put a host into maintenance, removed the host
>> from the gui, reinstalled the server in CentOS 8.2 with same network
>> parameters, and then add new host with the same name/hostname as before.
>> Could it be a problem to reuse the host?
>>
>> Gianluca
>>
>
> Any other thing to check to be able to provision a node in 4.4.2 using
> plain CentOS 8.2 host?
> Thanks,
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/AJN3ENCAXNCTGWD4AXGCXQQEE6KOSXDN/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FSCB3N3KZLBV2RGWEOXAJZBMBK3A2RTY/


[ovirt-users] Re: Upgrade oVirt from 4.3.10 to 4.4.2 and AD users

2020-10-06 Thread Martin Perina
Hi Gianluca,

There is a bug in the documentation. Configuration of all oVirt engine
extensions is included in 4.3 backup, these configuration files are
properly restored and upgraded during engine-setup execution:
https://bugzilla.redhat.com/show_bug.cgi?id=1814212
So further action around extension configuration is needed.

Regards,
Martin

On Tue, Oct 6, 2020 at 3:17 PM Gianluca Cecchi 
wrote:

> Hello,
> I'm upgrading a standalone engine with local database and with 3 hosts
> from oVirt 4.3.10 to 4.4.2 and I'm cross checking both oVirt and RHV
> documents.
> In my oVirt environment I have integration with AD for web admin access.
>
> Inside RHV upgrade guide docs there is this statement regarding manager
> upgrade:
> "
> Install optional extension packages if they were installed on the Red Hat
> Virtualization Manager 4.3 machine.
> # yum install ovirt-engine-extension-aaa-ldap
> ovirt-engine-extension-aaa-misc ovirt-engine-extension-logger-log4j
> NOTE
> The configuration for these package extensions must be manually reapplied
> because they are not migrated as part of the backup and restore process.
> "
>
> In my case I had ovirt-engine-extension-aaa-ldap and
> ovirt-engine-extension-aaa-misc installed on 4.3.10.
> So after "engine-backup --mode=restore " command I executed:
>
> [root@ovmgr1 ~]# yum install ovirt-engine-extension-aaa-ldap
> ovirt-engine-extension-aaa-misc
> Last metadata expiration check: 0:01:11 ago on Tue 06 Oct 2020 11:23:04 AM
> CEST.
> Dependencies resolved.
>
> ==
>  Package  ArchVersion Repository
>   Size
>
> ==
> Installing:
>  ovirt-engine-extension-aaa-ldap  noarch  1.4.1-1.el8 ovirt-4.4
>   127 k
>  ovirt-engine-extension-aaa-misc  noarch  1.1.0-1.el8 ovirt-4.4
>37 k
> Installing dependencies:
>  unboundid-ldapsdknoarch  4.0.14-2.el8
>  ovirt-4.4-centos-ovirt44  4.0 M
>
> Transaction Summary
>
> ==
> Install  3 Packages
>
> Total download size: 4.2 M
> Installed size: 4.5 M
>
> and followed the next upgrade flow steps.
> After finishing the engine upgrade with the "engine-setup" step, it seems
> actually that I can still connect to my engine with my AD accounts, so that
> I don't have to do any manual step described...
>
> Does it match any one other experience?
>
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/WBQDOZM4PUWJJQ4TBRU33OSLPWVKXDLQ/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SOLX5Y4GMUZZX56UNDEAYLXQFHOSOVER/


[ovirt-users] Re: oVirt Node 4.4.2 is now generally available

2020-10-06 Thread Martin Perina
Hi Gianluca,

please see my replies inline

On Tue, Oct 6, 2020 at 11:37 AM Gianluca Cecchi 
wrote:

> On Tue, Oct 6, 2020 at 11:25 AM Martin Perina  wrote:
>
>>
>>> You say to drive a command form the engine that is a VM that runs inside
>>> the host, but ask to shutdown VMs running on host before...
>>> This is a self hosted engine composed by only one single host.
>>> Normally I would use the procedure from the engine web admin gui, one
>>> host at a time, but with single host it is not possible.
>>>
>>
>> We have said several times, that it doesn't make sense to use oVirt on a
>> single host system. So you either need to attach 2nd host to your setup
>> (preferred) or shutdown all VMS and run manual upgrade of your host OS
>>
>>
> We who
>

So I've spent the past hour deeply investigating our upstream documentation
and you are right, we don't have any clear requirements about the minimal
number of hosts in upstream oVirt documentation.
But here are the facts:

1. To be able to upgrade a host either from UI/RESTAPI or manually using
SSH, the host always needs to be in Maintenance:

https://www.ovirt.org/documentation/administration_guide/#Updating_a_host_between_minor_releases

2. To perform Reinstall or Enroll certificate of a host, the host needs to
be in Maintenance mode

https://www.ovirt.org/documentation/administration_guide/#Reinstalling_Hosts_admin

3. When host is in Maintenance mode, there are no oVirt managed VMs running
on it

https://www.ovirt.org/documentation/administration_guide/#Moving_a_host_to_maintenance_mode

4. When engine is not running (either stopped or crashed), VMs running on
hypervisor hosts are unaffected (meaning they are running independently on
engine), but they are pretty much "pinned to the host they are running on"
(for example VMs cannot be migrated or started/stopped (of course you can
stop this VM from within) without running engine)

So just using above facts here are logical conclusions:

1. Standalone engine installation with only one hypervisor host
- this means that engine runs on bare metal hosts (for example
engine.domain.com) and single hypervisor host is managed by it (for example
host1.domain.com)
- in this case scenario administrator is able to perform all
maintenance task (even though at the cost that VMs running on hypervisor
need to be stopped before switching to Maintenance mode),
  because engine is running independently on hypervisor

2. Hosted engine installation with one hypervisor hosts
- this means that engine runs as a VM (for example engine.domain.com)
inside a single hypervisor host, which is managed by it (for example
host1.domain.com)
- in this scenario maintenance of the host is very limited:
- you cannot move the host to Maintenance, because hosted engine VM
cannot be migrated outside a host
- you can perform global Maintenance and the probably manually stop
hosted engine VM, but then you don't have engine to be able to perform
maintenance tasks (for example, Upgrade, Reinstall or Enroll certificates)

But in both above use cases you cannot use the biggest oVirt advantage and
that's a shared storage among hypervisor hosts, which allows you to perform
live migration of VMs. And thanks to that feature you can perform
maintenance tasks on the host(s) without interruption in providing VM
services.

*From the above it's obvious that we need to really clearly state that in a
production environment oVirt requires to have at least 2 hypervisor hosts
for full functionality.*

In old times there was the all-in-one setup that was substituted from
> single host HCI
>

All-in-one feature has been deprecated in oVirt 3.6 and fully removed in
oVirt 4.0

> ... developers also put extra efforts to setup the wizard comprising the
> single host scenario.
>

Yes, you are right, you can initially set up oVirt with just a single host,
but it's expected that you are going to add an additional host(s) soon.

Obviously it is aimed at test bed / devel / home environments, not
> production ones.
>

Of course, for development use whatever your want, but for production you
care about your setup, because you want the services your offer to run
smoothly

> Do you want me to send you the list of bugzilla contributed by users using
> single host environments that helped Red Hat to have a better working RHV
> too?
>

It's clearly stated that at least 2 hypervisors are required for hosted
engine or standalone RHV installation:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/planning_and_prerequisites_guide/rhv_architecture
But as I mentioned above, we have a bug in oVirt documentation, that such
an important requirement is not clearly stated. And this is not a fault of
a community, this is a fault of oVirt maintainers, that we have forgotten
to me

[ovirt-users] Re: ovirt-engine and host certification is expired in ovirt4.0

2020-10-06 Thread Martin Perina
Hi,

we have mentioned several times that it doesn't make sense to oVirt on a
single host setup. So you really need to add 2nd host to your setup, move
the 1st host to Maintenance and execute Enroll certificates.

Regards,
Martin

On Sun, Oct 4, 2020 at 5:30 PM  wrote:

> From what I observed (but it's not something I try often), if you try to
> enable maintenance on a host and have VMs on it, it will try migrating the
> VMs first, which is a copy-first, state-transfer-afterwards process. So if
> there is no migration target available or if the copying and state-transfer
> fail, the VM will simply continue to run on the original host... and the
> host will refuse to go into maintenance.
>
> It doesn't solve your problem, but the loss of service you fear shouldn't
> happen either... except sometimes oVirt seems to have bugs or the resulting
> network activity cause confusion.
>
> Ah, perhaps this is important: I've only ever tried that by setting a host
> into maintenance (typically for patch updates) via the GUI. I am far less
> convinced that VM migration would also be triggered if you use the
> 'hosted-engine --set-maintenance --mode=local' variant on the host that
> runs the HostedEngine VM. That might just make it unavailable for newly
> started VMs.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/7D6XC4YHIKMWSCJWZC2TJFMMD27PT4LD/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QWKO2IMWKJSEMRYKMTURNZBHEERKU2WW/


[ovirt-users] Re: oVirt Node 4.4.2 is now generally available

2020-10-06 Thread Martin Perina
On Mon, Oct 5, 2020 at 3:25 PM Gianluca Cecchi 
wrote:

>
>
> On Mon, Oct 5, 2020 at 3:13 PM Dana Elfassy  wrote:
>
>> Can you shutdown the vms just for the upgrade process?
>>
>> On Mon, Oct 5, 2020 at 1:57 PM Gianluca Cecchi 
>> wrote:
>>
>>> On Mon, Oct 5, 2020 at 12:52 PM Dana Elfassy 
>>> wrote:
>>>
>>>> In order to run the playbooks you would also need the parameters that
>>>> they use - some are set on the engine side
>>>> Why can't you upgrade the host from the engine admin portal?
>>>>
>>>>
>>> Because when you upgrade a host you put it into maintenance before.
>>> And this implies no VMs in execution on it.
>>> But if you are in a single host composed environment you cannot
>>>
>>> Gianluca
>>>
>>
> we are talking about chicken-egg problem.
>
> You say to drive a command form the engine that is a VM that runs inside
> the host, but ask to shutdown VMs running on host before...
> This is a self hosted engine composed by only one single host.
> Normally I would use the procedure from the engine web admin gui, one host
> at a time, but with single host it is not possible.
>

We have said several times, that it doesn't make sense to use oVirt on a
single host system. So you either need to attach 2nd host to your setup
(preferred) or shutdown all VMS and run manual upgrade of your host OS


> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3ZU43KQXYJO43CWTDDT733H4YZS4JA2U/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7EATX7RPVUOAQWKLHYOTSTRVJG4M2O6Q/


[ovirt-users] Re: ldap auth problem after upgrade from 4.4.1 to 4.4.2

2020-10-01 Thread Martin Perina
On Thu, Oct 1, 2020 at 3:18 PM Jiří Sléžka  wrote:

> Hi,
>
> On 10/1/20 2:53 PM, Martin Perina wrote:
> > Hi,
> >
> > it seems that you are affected by
> > https://bugzilla.redhat.com/show_bug.cgi?id=1880149
> > Could you please try the workaround mentioned there?
>
> bingo! Thanks a lot!
>
> It is interesting behavior as my engine has no public ipv6 address (ipv6
> is set to ignore in nm).
>
> also
>
> [root@ovirt ~]# ping6 google.com
> connect: Network is unreachable
>
> but ok, problem is solved :-)
>

Most probably your LDAP server can be resolved to both IPv4 and IPv6
addresses and we choose a random resolved address in aaa-ldap when
connecting. Enabling IPv6 by default was introduced in
https://bugzilla.redhat.com/1726189 but unfortunately we have missed this
scenario (engine IPv4, LDAP dual IPv4/IPv6) during testing ...


> Jiri
>
>
> >
> > Thanks,
> > Martin
> >
> >
> > On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka  > <mailto:jiri.sle...@slu.cz>> wrote:
> >
> > Hi,
> >
> > I just upgraded my HE to 4.4.2 but now I cannot login using my ldap
> aaa
> > profile anymore.
> >
> > We are using Novell/NetIQ E-directory (load ballanced by haproxy,
> > probably not important...)
> >
> > In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
> > supported by our edir) from default crypto policies but I was able
> > revert it by
> >
> > update-crypto-policies --set LEGACY
> >
> > after upgrade to 4.4.2 the error is
> >
> > server_error: An error occurred while attempting to connect to server
> > ldap1.slu.cz:389 <http://ldap1.slu.cz:389>:
> > IOException(LDAPException(resultCode=91 (connect
> > error), errorMessage='An error occurred while attempting to
> establish a
> > connection to server ldap1.slu.cz/193.84.206.212:389
> > <http://ldap1.slu.cz/193.84.206.212:389>:
> > SocketException(Network is unreachable (connect failed)),
> > ldapSDKVersion=4.0.14,
> > revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> >
> > but our ldap server is reachable from ovirt, I tested it via (also
> ldaps
> > and startls variants are working)
> >
> > ldapsearch -H ldap://ldap1.slu.cz <http://ldap1.slu.cz> -x -D
> > cn=*,ou=**,o=su -w
> > '' -b 'o=su'
> >
> > As a workaround I tried to set plain ldap protocol in profile
> >
> > cat /etc/ovirt-engine/aaa/CRO.properties
> >
> >
> > include = 
> >
> > vars.server = ldap1.slu.cz <http://ldap1.slu.cz>
> > vars.port = 389
> > vars.user = cn=*,ou=**,o=su
> > vars.password = **
> >
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.serverset.single.port = ${global:vars.port}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > pool.default.ssl.startTLS = false
> > pool.default.ssl.enable = false
> > #pool.default.ssl.protocol = TLSv1
> > #pool.default.ssl.startTLSProtocol = TLSv1
> > #pool.default.ssl.insecure = true
> >
> > sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
> > sequence.my-edir-init-vars.010.description = set baseDN
> > sequence.my-edir-init-vars.010.type = var-set
> > sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
> > sequence.my-edir-init-vars.010.var-set.value = o=su
> >
> > #search.default.search-request.derefPolicy = ALWAYS
> >
> >
> > but the error is the same...
> >
> > ovirt-engine-extensions-tool aaa login-user --profile=CRO
> > --user-name=my_user
> >
> > 
> > WARNING:
> [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
> > TLS/SSL insecure mode
> > ...
> > WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz
> > <http://auth.CRO.slu.cz>] Cannot
> > initialize LDAP framework, deferring initialization. Error: An error
> > occurred while attempting to connect to server ldap1.slu.cz:389
> > <http://ldap1.slu.cz:389>:
> > IOException(LDAPException(resultCode=91 (connect error),
> > errorMessage='An error occurred while attempting to establish a
> > connection to server ldap1.slu.cz/193.84.206.212:389
> > <http://ldap1.slu

[ovirt-users] Re: ldap auth problem after upgrade from 4.4.1 to 4.4.2

2020-10-01 Thread Martin Perina
Hi,

it seems that you are affected by
https://bugzilla.redhat.com/show_bug.cgi?id=1880149
Could you please try the workaround mentioned there?

Thanks,
Martin


On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka  wrote:

> Hi,
>
> I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
> profile anymore.
>
> We are using Novell/NetIQ E-directory (load ballanced by haproxy,
> probably not important...)
>
> In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
> supported by our edir) from default crypto policies but I was able
> revert it by
>
> update-crypto-policies --set LEGACY
>
> after upgrade to 4.4.2 the error is
>
> server_error: An error occurred while attempting to connect to server
> ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
> error), errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
> but our ldap server is reachable from ovirt, I tested it via (also ldaps
> and startls variants are working)
>
> ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*,ou=**,o=su -w
> '' -b 'o=su'
>
> As a workaround I tried to set plain ldap protocol in profile
>
> cat /etc/ovirt-engine/aaa/CRO.properties
>
>
> include = 
>
> vars.server = ldap1.slu.cz
> vars.port = 389
> vars.user = cn=*,ou=**,o=su
> vars.password = **
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.single.port = ${global:vars.port}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> pool.default.ssl.startTLS = false
> pool.default.ssl.enable = false
> #pool.default.ssl.protocol = TLSv1
> #pool.default.ssl.startTLSProtocol = TLSv1
> #pool.default.ssl.insecure = true
>
> sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
> sequence.my-edir-init-vars.010.description = set baseDN
> sequence.my-edir-init-vars.010.type = var-set
> sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-edir-init-vars.010.var-set.value = o=su
>
> #search.default.search-request.derefPolicy = ALWAYS
>
>
> but the error is the same...
>
> ovirt-engine-extensions-tool aaa login-user --profile=CRO
> --user-name=my_user
>
> 
> WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
> TLS/SSL insecure mode
> ...
> WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to connect to server ldap1.slu.cz:389:
> IOException(LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> ...
> INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
> profile='CRO' user='my_user'
> Password:
> ...
> WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to connect to server ldap1.slu.cz:389:
> IOException(LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
> Oct 01, 2020 10:57:37 AM
> org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
> SEVERE: An error occurred while attempting to connect to server
> ldap1.slu.cz:389:  IOException(LDAPException(resultCode=91 (connect
> error), errorMessage='An error occurred while attempting to establish a
> connection to server ldap1.slu.cz/193.84.206.212:389:
> SocketException(Network is unreachable (connect failed)),
> ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
>
> debug with tcpdump reveals only that connection is made and there are
> only "bindRequest" and "bindResponse success" messages visible (with
> correct tcp handshake and close) and nothing more
>
> any help would be appreciated
>
> Cheers,
>
> Jiri
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https

[ovirt-users] Re: Adding host fails with Ansible host-deploy role: Internal server error.

2020-09-24 Thread Martin Perina
On Thu, Sep 24, 2020 at 11:38 AM Andrey Andrey via Users 
wrote:

> It all worked. Thank you very much.
>

Hi Andrey,
It looks like https://bugzilla.redhat.com/show_bug.cgi?id=1880171
Have you fixed the problem using the workaround mentioned in the above bug?
Or was it a different issue?

Thanks,
Martin


___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/5WUFJDPPPW5ERK2VJ3FEWY3UVXORMYLR/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NVKG4Y7FBITI3UEQ7BNXGJAP4SA5ZW5O/


[ovirt-users] Re: Upgrade 4.3 to 4.4 node to manager communication error

2020-09-03 Thread Martin Perina
On Thu, Sep 3, 2020 at 2:56 PM Pierre pit  wrote:

> I have a communication problem between all the nodes and the manager
> following the upgrade from 4.3 to 4.4. I followed the procedure of update
> 4.3 to 4.4 everything worked correctly, according to the import export
> scripts as well as the installation setup on the new manager in 4.4, all is
> ok. Only after connection to the manager, all the nodes are in a down
> state, there is no more communication between the manager newly installed
> in 4.4 and the nodes still in production in 4.3.
>
> In the manager I have this message for all the nodes:
> ` VDSM virtdell8 command Get Host Capabilities failed: PKIX path
> validation failed: java.security.cert.CertPathValidatorException: Algorithm
> constraints check failed on signature algorithm: SHA256withRSA`
>

Hi Pierre,

Hmm, the following error is a bit misleading, but it gives a clue to me.
Could you please check the key size of your ovirt-engine CA key?

openssl x509 -text -noout -in /etc/pki/ovirt-engine/ca.pem | grep 'RSA
Public-Key'

If your key size is less than 2048 bits, then you need to change crypto
policy of your CentOS 8 to LEGACY using below steps:

1. Execute 'update-crypto-policies --set LEGACY'
2. Reboot the machine

That should mitigate the issue, but I'm really curious, this should not
happen unless your engine was installed in oVirt 3.0 era and then
continuously upgraded up to 4.4, because we have switched to 2048 bits in
2012:

https://gerrit.ovirt.org/4389

Is this your case?


Regards,
Martin


> And on the nodes:
> ` 2020-09-01 17:38:13,083+0200 ERROR (Reactor thread)
> [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address:
> :::XXX.XXX.XXX.XXX (sslutils:264)
>  vdsm[4400]: ERROR ssl handshake: SSLError, address:
> :::XXX.XXX.XXX.XXX`
>
> After a search on the forums I found a similar error on version 4.2 only
> the solution of comment `ssl_excludes` in the `/etc/vdsm/vdsm.conf` file
> but does not apply to my problem.
>
> I unfortunately had to backtrack because it was no longer possible to
> control ovirt and use the manager for our production. the new machine with
> the manager in 4.4 is offline while a solution is found
>
> Do you know where should I look in order to solve this problem?
>
> thank you in advance
> Pierre
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CE34HLTRN54HVOJNK3ZCNXH66CIYFSQS/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7HGFTJMMZYUUGW2O3IMP27RKABRISTLD/


[ovirt-users] Re: ovirt4.4 and ldap auth with starttls

2020-08-07 Thread Martin Perina
Hi,

legacy ciphers and protocols are disabled on EL8 by default, for more
information please take a look at crypto-policies:

https://access.redhat.com/articles/3666211
https://access.redhat.com/articles/3642912

So in theory if you switch to LEGACY crypto-policy on ovirt-engine machine,
you could be able to use TLSv1, but we have never tested it and we highly
recommend to use only TLSv1.2 or newer.

Regards,
Martin


On Fri, Aug 7, 2020 at 2:11 PM Jiří Sléžka  wrote:

> Hello,
>
> better start new thread...
>
> it looks like tls1.0 is not supported anymore in
> ovirt-engine-extension-aaa-ldap
>
> I just migrated engine from 4.3 to 4.4 and cannot use my ldap profile
> because
>
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: SSLHandshakeException(The server selected protocol
> version TLS10 is not accepted by client preferences [TLS12]),
> ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
>
> but when I try to force tls 1.0 by setting
>
> ...
> pool.default.ssl.startTLS = true
> pool.default.ssl.startTLSProtocol = TLSv1
> ...
>
> I got
>
> server_error: The connection reader was unable to successfully complete
> TLS negotiation: SSLHandshakeException(No appropriate protocol (protocol
> is disabled or cipher suites are inappropriate)), ldapSDKVersion=4.0.14,
> revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
>
> I can't switch to something better on server side, is it possible to
> allow weak ciphers/protocols on client side?
>
> Thanks in advance,
>
> Jiri
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CBVIAEO3R4BQNJ5453O2D5NJH7FQ7YGR/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IOMG3R7W3RTGWNEIDRYEVHSWLUGCFZMJ/


[ovirt-users] Re: Unassigned hosts

2020-08-06 Thread Martin Perina
t;>>>> Artur
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Aug 6, 2020 at 8:01 AM Nardus Geldenhuys 
>>>>> wrote:
>>>>>
>>>>>> Also see this in engine:
>>>>>>
>>>>>> Aug 6, 2020, 7:37:17 AM
>>>>>> VDSM someserver command Get Host Capabilities failed: Message timeout
>>>>>> which can be caused by communication issues
>>>>>>
>>>>>> On Thu, 6 Aug 2020 at 07:09, Strahil Nikolov 
>>>>>> wrote:
>>>>>>
>>>>>>> Can you fheck for errors on the affected host. Most probably you
>>>>>>> need the vdsm logs.
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Strahil Nikolov
>>>>>>>
>>>>>>> На 6 август 2020 г. 7:40:23 GMT+03:00, Nardus Geldenhuys <
>>>>>>> nard...@gmail.com> написа:
>>>>>>> >Hi Strahil
>>>>>>> >
>>>>>>> >Hope you are well. I get the following error when I tried to confirm
>>>>>>> >reboot:
>>>>>>> >
>>>>>>> >Error while executing action: Cannot confirm 'Host has been
>>>>>>> rebooted'
>>>>>>> >Host.
>>>>>>> >Valid Host statuses are "Non operational", "Maintenance" or
>>>>>>> >"Connecting".
>>>>>>> >
>>>>>>> >And I can't put it in maintenance, only option is "restart" or
>>>>>>> "stop".
>>>>>>> >
>>>>>>> >Regards
>>>>>>> >
>>>>>>> >Nar
>>>>>>> >
>>>>>>> >On Thu, 6 Aug 2020 at 06:16, Strahil Nikolov >>>>>> >
>>>>>>> >wrote:
>>>>>>> >
>>>>>>> >> After rebooting the node, have you "marked" it that it was
>>>>>>> rebooted ?
>>>>>>> >>
>>>>>>> >> Best Regards,
>>>>>>> >> Strahil Nikolov
>>>>>>> >>
>>>>>>> >> На 5 август 2020 г. 21:29:04 GMT+03:00, Nardus Geldenhuys <
>>>>>>> >> nard...@gmail.com> написа:
>>>>>>> >> >Hi oVirt land
>>>>>>> >> >
>>>>>>> >> >Hope you are well. Got a bit of an issue, actually a big issue.
>>>>>>> We
>>>>>>> >had
>>>>>>> >> >some
>>>>>>> >> >sort of dip of some sort. All the VM's is still running, but
>>>>>>> some of
>>>>>>> >> >the
>>>>>>> >> >hosts is show "Unassigned" or "NonResponsive". So all the hosts
>>>>>>> was
>>>>>>> >> >showing
>>>>>>> >> >UP and was fine before our dip. So I did increase
>>>>>>> >vdsHeartbeatInSecond
>>>>>>> >> >to
>>>>>>> >> >240, no luck.
>>>>>>> >> >
>>>>>>> >> >I still get a timeout on the engine lock even thou I can connect
>>>>>>> to
>>>>>>> >> >that
>>>>>>> >> >host from the engine using nc to test to port 54321. I also did
>>>>>>> >restart
>>>>>>> >> >vdsmd and also rebooted the host with no luck.
>>>>>>> >> >
>>>>>>> >> > nc -v someserver 54321
>>>>>>> >> >Ncat: Version 7.50 ( https://nmap.org/ncat )
>>>>>>> >> >Ncat: Connected to 172.40.2.172:54321.
>>>>>>> >> >
>>>>>>> >> >2020-08-05 20:20:34,256+02 ERROR
>>>>>>> >>
>>>>>>>
>>>>>>> >>[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>>>>> >> >(EE-ManagedThreadFactory-engineScheduled-Thread-70) [] EVENT_ID:
>>>>>>> >> >VDS_BROKER_COMMAND_FAILURE(10,802), VDSM someserver command Get
>>>>>>> Host
>>>>>>> >> >Capabilities failed: Message timeout which can be caused by
>>>>>>> >> >communication
>>>>>>> >> >issues
>>>>>>> >> >
>>>>>>> >> >Any troubleshoot ideas will be gladly appreciated.
>>>>>>> >> >
>>>>>>> >> >Regards
>>>>>>> >> >
>>>>>>> >> >Nar
>>>>>>> >>
>>>>>>>
>>>>>> ___
>>>>>> Users mailing list -- users@ovirt.org
>>>>>> To unsubscribe send an email to users-le...@ovirt.org
>>>>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>>>>> oVirt Code of Conduct:
>>>>>> https://www.ovirt.org/community/about/community-guidelines/
>>>>>> List Archives:
>>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/C4HB2J3MH76FI2325Z4AV4VCCEKH4M3S/
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Artur Socha
>>>>> Senior Software Engineer, RHV
>>>>> Red Hat
>>>>>
>>>>
>>>
>>> --
>>> Artur Socha
>>> Senior Software Engineer, RHV
>>> Red Hat
>>>
>>
>
> --
> Artur Socha
> Senior Software Engineer, RHV
> Red Hat
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FVUGIAOAM6FGPNJO4BHDVNNZ4JZ7ZBIA/


[ovirt-users] Re: ovirt 4.4.1.1 hci and problems with ansible 2.9.10 and/or missing python2

2020-07-17 Thread Martin Perina
I've reverified that install new host, check for upgrades, upgrade host and
enroll certificates work fine even with ansible 2.9.10 on standalone engine
installation. So there is some issue inside HCI installer, which doesn't
handle python interpreter correctly.

Gianluca, could you please create a bug for that?

Thanks,
Martin


On Fri, Jul 17, 2020 at 11:36 AM Gianluca Cecchi 
wrote:

>
>
> On Fri, Jul 17, 2020 at 11:25 AM Gianluca Cecchi <
> gianluca.cec...@gmail.com> wrote:
>
>> On Fri, Jul 17, 2020 at 11:04 AM Gianluca Cecchi <
>> gianluca.cec...@gmail.com> wrote:
>>
>>> On Fri, Jul 17, 2020 at 10:58 AM Gianluca Cecchi <
>>> gianluca.cec...@gmail.com> wrote:
>>>
>>>> On Fri, Jul 17, 2020 at 10:54 AM Martin Perina 
>>>> wrote:
>>>>
>>>>> Hi Gianluca,
>>>>>
>>>>> that's very strange error, because I'm 100% sure we are using yum
>>>>> module with Python3 in several other roles including adding host to engine
>>>>> or upgrading host and so far I haven't heard any issue with ansible 2.9.10
>>>>> and yum module.
>>>>>
>>>>> Gobinda, wouldn't enforcing python interpreter version help there?
>>>>>
>>>>>
>>>>> https://github.com/oVirt/ovirt-engine/blob/master/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-facts/tasks/main.yml#L28
>>>>>
>>>>> Regards,
>>>>> Martin
>>>>>
>>>>>
>>>> I have a very clean install from 4.1.1.1 node ng iso anf I'm the third
>>>> to notice that with this release.
>>>> The engine deployment is going on. Not finished yet, but to have ti go
>>>> I had to modify, with the same strategy ("use: dnf" with package module and
>>>> use "package" instead of "yum" and also specifying "use: dnf") in these
>>>> files under /usr/share/ansible/roles:
>>>>
>>>> ovirt.engine-setup/tasks/engine_setup.yml
>>>> ovirt.engine-setup/tasks/install_packages.yml
>>>> ovirt.hosted_engine_setup/tasks/install_packages.yml
>>>>
>>>> ovirt.hosted_engine_setup/tasks/create_target_vm/03_hosted_engine_final_tasks.yml
>>>> ovirt.hosted_engine_setup/tasks/install_appliance.yml
>>>>
>>>> Gianluca
>>>>
>>>
>>> The installation from the iso was with all default values.
>>> The only "non standard" thing, if we want it to call this way is that
>>> before running the wizard, on the host I pre-installed the appliance
>>> package, to shorten the deploy phase hereafter.
>>> And to do it I executed, because of habit:
>>> yum install ovirt-engine-appliance
>>>
>>> instead of "dnf install...", but I think this doesn't influence ansible
>>> autodetect when using "package" module or the error about python2 when
>>> using "yum" module...
>>>
>>> Gianluca
>>>
>>
>> The engine deployment failed in the phase where it tries to add the host
>> and waits for the host to be up and if I go into the logs in
>>
>> /var/log/ovirt-hosted-engine-setup/engine-logs-2020-07-17T08:30:48Z/ovirt-engine/host-deploy/
>>
>> the file
>> ovirt-host-deploy-ansible-20200717104103-novirt2.example.net-3a710f0c.log
>> contains
>>
>> 020-07-17 10:41:17 CEST - fatal: [novirt2.example.net]: FAILED! =>
>> {"changed": false, "module_stderr": "/bin/sh: /usr/bin
>> /python2: No such file or directory\n", "module_stdout": "", "msg": "The
>> module failed to execute correctly, you probably
>> need to set the interpreter.\nSee stdout/stderr for the exact error",
>> "rc": 127}
>> 2020-07-17 10:41:17 CEST - {
>>   "status" : "OK",
>>   "msg" : "",
>>   "data" : {
>> "uuid" : "00f4c6a8-8423-4a2a-bfd5-f38c34f56ecf",
>> "counter" : 53,
>> "stdout" : "fatal: [novirt2.example.net]: FAILED! => {\"changed\":
>> false, \"module_stderr\": \"/bin/sh: /usr/bin/pytho
>> n2: No such file or directory\\n\", \"module_stdout\": \"\", \"msg\":
>> \"The module failed to execute correctly, you probab
>> ly need to set the interpreter.\\nSee stdout/stderr for the exact
>> error\", \"rc\": 127}"

[ovirt-users] Re: ovirt 4.4.1.1 hci and problems with ansible 2.9.10 and/or missing python2

2020-07-17 Thread Martin Perina
Hi Gianluca,

that's very strange error, because I'm 100% sure we are using yum module
with Python3 in several other roles including adding host to engine or
upgrading host and so far I haven't heard any issue with ansible 2.9.10 and
yum module.

Gobinda, wouldn't enforcing python interpreter version help there?

https://github.com/oVirt/ovirt-engine/blob/master/packaging/ansible-runner-service-project/project/roles/ovirt-host-deploy-facts/tasks/main.yml#L28

Regards,
Martin


On Fri, Jul 17, 2020 at 10:22 AM Gianluca Cecchi 
wrote:

> Same problem for the next stage
>
> [ INFO ] TASK [ovirt.hosted_engine_setup : Install oVirt Hosted Engine
> packages]
> [ ERROR ] fatal: [localhost]: FAILED! => {"attempts": 10, "changed":
> false, "msg": "The Python 2 yum module is needed for this module. If you
> require Python 3 support use the `dnf` Ansible module instead."}
>
> I think this is a major problem for new installations.
> How can I get back python2 to see if it works without having to go through
> all yaml files?
>
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/QJ54NVDAGWXXPCT7AHEJIQYQR5IZ5IZU/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EY6SIF3FFRQ6PVMRNH3TJJUZAXABCKCD/


[ovirt-users] Re: What permission do I need to get API access

2020-07-15 Thread Martin Perina
Hi Miguel,

So could you please share your playbook with us and the exact error you are
getting during its execution?

On Tue, Jul 14, 2020 at 4:08 PM  wrote:

> We are trying to create vm using ansible scripts. However, also tried to
> log into the API web https://master-server/ovirt-engine/api with
> authentication error messages. I think the problem is authentication method
> since we are using LDAP accounts, to access vm portal or api web URL we use
> email address too.
>

There should be no difference in usernames provided into UI or
RESTAPI/SDK/Ansible modules. The only thing which differs is how to provide
it:

1. In UI you are providing username and the select a profile (for example
username can be 'admin' and profile 'internal')
2. For RESTAPI/SDK/Ansible you are entering in the format of
username@profile (for example 'admin@internal')

Thanks,
Martin

___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/AIHD5BVBI2V4BLM7IEDRJLJZBMJQY4OY/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HS2OQQYGBJQ3IAWCVGPLLBDWX6ACJ4TE/


[ovirt-users] Re: What permission do I need to get API access

2020-07-13 Thread Martin Perina
On Mon, Jul 13, 2020 at 4:37 PM Sandro Bonazzola 
wrote:

> +Martin Perina  can you help here?
>
> Il giorno mar 7 lug 2020 alle ore 19:30  ha
> scritto:
>
>> We use LDAP authentication to login to ovirt cluster, actually, admin and
>> another user account have to access API with no problem. My account does
>> cannot access to API despite that had SuperUser privileges than those
>> accounts that already access API.
>>
>> Every time I tried to access API I get next message:
>> Error during SSO authentication access_denied: Cannot authenticate user '
>> diagsbuil...@ralntdom.rtptgcs.com':
>> No valid profile found in credentials..
>>
>
What part of RESTAPI action are you calling? Do you get the error while
obtaining authentication token or when accessing RESTAPI URL with the token?

http://ovirt.github.io/ovirt-engine-api-model/4.4/#_authentication


>> The account does exist and permissions to enter to portal vms
>>
>
For VM portal you don't need to have administrator permissions, user
permissions are enough

>
>> What do need to do to grant access to API?
>>
>
As mentioned above it depends on the action you want to call using RESTAPI

> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/XFIRPSPCNYTACGWMYKRI275MGREPGTGX/
>>
>
>
> --
>
> Sandro Bonazzola
>
> MANAGER, SOFTWARE ENGINEERING, EMEA R RHV
>
> Red Hat EMEA <https://www.redhat.com/>
>
> sbona...@redhat.com
> <https://www.redhat.com/>
>
> *Red Hat respects your work life balance. Therefore there is no need to
> answer this email out of your office hours.
> <https://mojo.redhat.com/docs/DOC-1199578>*
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HB36VHL4ZAEPZKS2U7YQO673EN3LSPEY/


[ovirt-users] Re: Admin portal will not load after installing updates

2020-07-10 Thread Martin Perina
On Thu, Jul 9, 2020 at 7:07 PM Strahil Nikolov via Users 
wrote:

> If you have access to the HE, can you check the rpm status (rpm -Va) for
> issues.
> Configuration files  could be changed ,  but libraries/binaries  not.
>
> What is the output of hosted-engine --vm-status ?I had a similar issue and
> it was an addon in my browser (as I used profile, the situation was the
> same on Windows and Linux :D )
>
> Best Regards,
> Strahil Nikolov
>
> На 9 юли 2020 г. 18:32:39 GMT+03:00, Michael Watters 
> написа:
> >After installing updates on our ovirt-engine running CentOS 7.8 the
> >administration portal will no longer load.  The engine.log shows an
> >error as follows.
> >
> >2020-07-09 11:26:27,094-04 ERROR
> >[org.ovirt.engine.core.bll.GetConfigurationValuesQuery] (default
> >task-2)
> >[d97ed384-f919-412b-94e2-7ec04a56ea9c] Query
> >'GetConfigurationValuesQuery' failed: null
> >2020-07-09 11:26:27,095-04 ERROR
> >[org.ovirt.engine.core.bll.GetConfigurationValuesQuery] (default
> >task-2)
> >[d97ed384-f919-412b-94e2-7ec04a56ea9c] Exception:
> >java.lang.NullPointerException
> >
> >Does anybody know what would cause this or how to fix it?
>

Hi Michael,

>From and to which oVirt version have you tried to upgrade? Have you
upgraded your oVirt engine according to the upgrade guide?

https://www.ovirt.org/documentation/upgrade_guide/

Because the above error seems to me like an issue when you haven't run
engine-setup after updating setup packages.

Regards,
Martin

> >
> >___
> >Users mailing list -- users@ovirt.org
> >To unsubscribe send an email to users-le...@ovirt.org
> >Privacy Statement: https://www.ovirt.org/privacy-policy.html
> >oVirt Code of Conduct:
> >https://www.ovirt.org/community/about/community-guidelines/
> >List Archives:
> >
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/QYGA242ZB4R4SG6ZPXJQGRQX6MJSEBV3/
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/5Y6X5OBCCDWVEYJF2FLXP4VDZWT5KVDZ/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/773Q5EFBRXRGIYRJ5OWAD75UJOIGBHIP/


[ovirt-users] Re: Some nodes periodically display as Non Responsive

2020-07-01 Thread Martin Perina
Hi Anton,

to diagnose the issue we would need to have logs from both engine and
affected host.

Regards,
Martin


On Wed, Jul 1, 2020 at 6:51 AM Anton Louw via Users  wrote:

>
>
> Hi Everybody,
>
>
>
> I am got some strange things happening. I have got two data centers, DC1
> and DC2, in DC1, some of my nodes (Not all the time and not all the nodes)
> go into a “not responding” state. I can still ping the hosts, and I can
> still access the VMs on the hosts. My Engine sits in DC2, and this does not
> happen to any of the hosts in DC2.
>
>
>
> It seems like the Engine loses connectivity to the hosts in DC1, and then
> cannot re-establish the connection.
>
>
>
> Is there anywhere I can check to get more insight into what is actually
> happening?
>
>
>
> Thanks
>
>
>
> *Anton Louw*
> *Cloud Engineer: Storage and Virtualization* at *Vox*
> --
> *T:*  087 805  | *D:* 087 805 1572
> *M:* N/A
> *E:* anton.l...@voxtelecom.co.za
> *A:* Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
>
> [image: F] <https://www.facebook.com/voxtelecomZA>
> [image: T] <https://www.twitter.com/voxtelecom>
> [image: I] <https://www.instagram.com/voxtelecomza/>
> [image: L] <https://www.linkedin.com/company/voxtelecom>
> [image: Y] <https://www.youtube.com/user/VoxTelecom>
>
> [image: #VoxBrand]
> <https://www.vox.co.za/fibre/fibre-to-the-home/?prod=HOME>
> *Disclaimer*
>
> The contents of this email are confidential to the sender and the intended
> recipient. Unless the contents are clearly and entirely of a personal
> nature, they are subject to copyright in favour of the holding company of
> the Vox group of companies. Any recipient who receives this email in error
> should immediately report the error to the sender and permanently delete
> this email from all storage devices.
>
> This email has been scanned for viruses and malware, and may have been
> automatically archived by *Mimecast Ltd*, an innovator in Software as a
> Service (SaaS) for business. Providing a *safer* and *more useful* place
> for your human generated data. Specializing in; Security, archiving and
> compliance. To find out more Click Here
> <https://www.voxtelecom.co.za/security/mimecast/?prod=Enterprise>.
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/TRMWV4Q6AFHG5PIXOJGVM4LKWWI6F6XZ/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FKPLXTTV5RYWOAKQTN3USZWDXSUMMZGM/


[ovirt-users] Re: New fenceType in oVirt code for IBM OpenBMC

2020-07-01 Thread Martin Perina
On Wed, Jul 1, 2020 at 1:57 AM Vinícius Ferrão via Users 
wrote:

> Hello,
>
> After some days scratching my head I found that oVirt is probably missing
> fenceTypes for IBM’s implementation of OpenBMC in the Power Management
> section. The host machine is an OpenPOWER AC922 (ppc64le).
>
> The BMC basically is an “ipmilan” device but the ciphers must be defined
> as 3 or 17 by default:
>
> [root@h01 ~]# ipmitool -I lanplus -H 10.20.10.2 root -P 0penBmc -L
> operator -C 3 channel getciphers ipmi
> ID   IANAAuth AlgIntegrity Alg   Confidentiality Alg
> 3N/A hmac_sha1   hmac_sha1_96aes_cbc_128
> 17   N/A hmac_sha256 sha256_128  aes_cbc_128
>
> The default ipmilan connector forces the option cipher=1 which breaks the
> communication.
>

Hi,

have you tried to overwrite the default by adding cipher=3 into Options
field when adding/updating fence agent configuration for specific host?

Eli, looking at
https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ipmi-second-gen-interface-spec-v2-rev1-1.pdf
I'm not sure our defaults make sense, because by default we enable IPMIv2
(lanplus=1), but we set IPMIv1 cipher support (cipher=1). Or am I missing
something?

Regards,
Martin

>
> So I was reading the code and found this “fenceType” class, but I wasn't
> able to found where to define those classes. So I can create another one
> called something like openbmc to set cipher=17 by default.
>
> Another question is how bad the output is, it only returns a JSON-RPC
> generic error. But I don’t know how to suggest a fix for this.
>
> Thanks,
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/BP33DZ3AET53DGS7TAD6L765WKQIOW7B/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5PKQNM3GUAMYDU4R2PVKS5YGPJZHBOP6/


[ovirt-users] Re: How to renew an Ovirt host certificate (vdsmcert.pem) ?

2020-06-29 Thread Martin Perina
Hi,

just migrate the hosted engine VM to a different host, move the host to
Maintenance, execute Enroll Certificate and after successful finish of
enrolling new certificate you can activate the host again.

Regards,
Martin

On Mon, Jun 29, 2020 at 10:53 AM  wrote:

> Hi,
>
> I have an Ovirt host that the vdsmcert.pem expired. The problem is that
> host contains the self-hosted engine.
> How to renew the certificate without breaking the self-hosted engine ?
>
> Thanks,
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/EEHMUJMOZFXEQUEJSRHLRRYUGBGVFXO6/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VHSWC6WYQUO6AVSKWZRH23CYVMJNJOOY/


[ovirt-users] Re: How to config ovirt-engine to Https ?

2020-06-19 Thread Martin Perina
Hi,

have you used the default certificate created by engine-setup? Or have you
provided your custom HTTPS certificate as described below?

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html

Anyway in both cases please make sure you are accessing oVirt engine using
the same FQDN which you have provided in engine-setup

Regards,
Martin


On Fri, Jun 19, 2020 at 6:06 AM zhou...@vip.friendtimes.net <
zhou...@vip.friendtimes.net> wrote:

> The https web access is ok,but I cant login the ovirt-engine,how
> to config a https web?
>
>
> --
> zhou...@vip.friendtimes.net
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/43UGIBIJ23HSADJ5XYPRH57MCYPOIFS4/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/N3KFCJ3423KK3SZUV5BZIHO5XJ4GDZ3C/


[ovirt-users] Re: Power Management on IBM AC922 Power9 (ppc64le)

2020-06-09 Thread Martin Perina
Hi Vinicius,

do you have at least one additional host in the same datacenter as your IBM
server (engine requires to have another host acting as fencing proxy)?

If yes, then please check /var/log/vdsm/vdsm.log on the other host, which
acts as a fencing proxy, to see the exact error.

Regards,
Martin


On Mon, Jun 8, 2020 at 7:15 PM Vinícius Ferrão via Users 
wrote:

> Yes… actually IBM uses pretty standard stuff. IPMI is enabled by default
> and as I said, I can use ipmitool on CLI and it’s works normally.
>
> I do have some updates, I upgraded the OpenBMC firmware and now I can use
> ipmitool like anything else with -U and -P; so I was hoping that oVirt
> would handle the Power Management with IPMI over LAN (exactly how you
> suggested) but the issue stays. JSON-RPC error. :(
>
> Now I really think this is a bug, but I would like to get some
> confirmation from the oVirt devs to raise it on bugzilla.
>
> > On 8 Jun 2020, at 14:00, bernadette.pfau--- via Users 
> wrote:
> >
> > Making a guess here -- on Dell iDRAC there is a setting for "IPMI over
> LAN".  Is there an equivalent on the IBM?
> > ___
> > Users mailing list -- users@ovirt.org
> > To unsubscribe send an email to users-le...@ovirt.org
> > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> > List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/BYLLNDCJ2VO3RRTJXS45CNUQYF3GYR6R/
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3ZTOY2JM3EOHYDQ5XQBPNQ3YATTTX3BE/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GZKJ4WQW7BLT45W34KU45DFQW6NN24SE/


[ovirt-users] Re: PKIX path error

2020-06-02 Thread Martin Perina
Hi,

could you please restart ovirt-engine service and share server.log and
engine.log from /var/log/ovirt-engine ?

Thanks,
Martin


On Fri, May 29, 2020 at 4:36 PM Stack Korora 
wrote:

> On 2020-05-29 08:08, Martin Perina wrote:
>
> Hi Stack,
>
> if I understand correctly your custom SSL certificates are working
> correctly and you are able to login to webadmin using admin@internal,
> right?
>
> Correct.
>
> If the problem is, that your aaa-ldap profile is not visible in the login
> dialog, then there is some issue with aaa-ldap configuration. You have
> mentioned that you used ovirt-engine-extension-aaa-ldap-setup tool to
> create you aaa-ldap profile, have you executed login and search operation
> at the end of setup tool? If so, were they successful?
>
> I did and yes they were.
>
>
> Anyway right you can use following command to debug your aaa extensions
> setup:
>
> # ovirt-engine-extensions-tool info list-extensions
>
> Using above command, could you see authn and authz instance of your
> aaa-ldap profile?
>
> I do see both authz and authn.
>
> If so, please try below tests:
>
> 1. Checking is user search is working:
>
> # ovirt-engine-extensions-tool aaa search --extension-name= AUTHZ NAME> --entity-name=
>
> It does work and it returns valid information.
>
> 2. Checking if login is working
>
> # ovirt-engine-extensions-tool aaa login-user --profile= NAME> --user-name=
>
> A result=SUCCESS on that too!
> However, I still don't see a second profile option on the web login.
>
> Thanks for responding and giving me some help!
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TZ2LJCHYYTKLG6BHJVDNB5TWZLD4TOMY/


[ovirt-users] Re: PKIX path error

2020-05-29 Thread Martin Perina
Hi Stack,

if I understand correctly your custom SSL certificates are working
correctly and you are able to login to webadmin using admin@internal, right?

If the problem is, that your aaa-ldap profile is not visible in the login
dialog, then there is some issue with aaa-ldap configuration. You have
mentioned that you used ovirt-engine-extension-aaa-ldap-setup tool to
create you aaa-ldap profile, have you executed login and search operation
at the end of setup tool? If so, were they successful?

Anyway right you can use following command to debug your aaa extensions
setup:

# ovirt-engine-extensions-tool info list-extensions

Using above command, could you see authn and authz instance of your
aaa-ldap profile?
If so, please try below tests:

1. Checking is user search is working:

# ovirt-engine-extensions-tool aaa search --extension-name= --entity-name=

2. Checking if login is working

# ovirt-engine-extensions-tool aaa login-user --profile=
--user-name=


You can find more informations in:
https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
https://www.ovirt.org/develop/release-management/features/infra/extension-tester-tool.html

Regards,
Martin


On Fri, May 29, 2020 at 9:32 AM Strahil Nikolov via Users 
wrote:

> You mentioned that  your certificates were different. Did you try
> converting them to the type  used  in the example ?
>
> Best Regards,
> Strahil Nikolov
>
> На 29 май 2020 г. 1:29:51 GMT+03:00, Stack Korora 
> написа:
> >On 2020-05-28 16:07, Strahil Nikolov wrote:
> >> Can you check
> >https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
> > just  in case you  missed  a  step ?
> >>
> >> Best  Regards,
> >> Strahil  Nikolov
> >
> >Greetings,
> >
> >Thanks for replying.
> >
> >I was going to argue a bit since the way my certs come are in different
> >formats so my commands are a bit different then the directions. But I
> >went through step by step. Got to the end, and the internal
> >authentication was working with the right SSL cert! My LDAP
> >authentication was missing though...it looks correct.
> >
> >So I redid all the steps for adding LDAP. At the end of the
> >ovirt-engine-extension-aaa-ldap-setup script, I can test accounts and
> >search so I know that is correct. My cert is in the right .jks file.
> >Still nothing I do shows anything but internal.
> >
> >So I scrapped the changes and started over. Round three on a fresh
> >reboot (just in case I missed a service) with the SSL certs and
> >configuring LDAP. SSL works, internal works, ldap doesn't show up as a
> >drop-down option for the profile.
> >
> >Grr...Reboot just in case I missed a service again...nope. SSL and
> >internal work, ldap still not shown in the profile. Tried a different
> >browser, same thing. Double Grr...
> >
> >Any suggestions on where I might be going wrong?
> >
> >Thanks!
> >
> >
> >
> >___
> >Users mailing list -- users@ovirt.org
> >To unsubscribe send an email to users-le...@ovirt.org
> >Privacy Statement: https://www.ovirt.org/privacy-policy.html
> >oVirt Code of Conduct:
> >https://www.ovirt.org/community/about/community-guidelines/
> >List Archives:
> >
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/A4BKWITWPNPYYVLDVRN4XOSDTN4LPNB3/
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/5ANRX472AJLRXMZBEDPF2QH5UG23GWQP/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3FFDYEN67WNWBWPVUHUB6IZEDT5GWD6U/


[ovirt-users] Re: oVirt engine / node & snmp

2020-05-12 Thread Martin Perina
On Mon, May 11, 2020 at 4:01 PM Andrei Verovski 
wrote:

> Hi,
>
> oVirt node seems to run snmp by defeult, “service snmpd status” returns
> some data.
> I’m going to connect all servers to LibreNMS, and it requires custom snmp
> options.
> What options I should keep in oVirt node default nsmp.conf? Or I may just
> fully overwrite this file with my own?
>

By default oVirt is not using SNMP neither on engine nor on hosts, if you
want to use SNMP, you need to configure it by yourself:

1. Configuring the oVirt Engine to Send SNMP Traps

https://www.ovirt.org/documentation/admin-guide/chap-Event_Notifications.html

2. Monitor oVirt or libvirt with SNMP and Zabbix

http://jensd.be/494/linux/monitor-ovirt-or-libvirt-with-snmp-and-zabbix

So feel free to use above or configure snmp.conf to whatever you need.


> Please note my oVirt node installed manually on CentOS, I don’t use node
> DVD image from oVirt project.
>
>
> with best regards
> Thanks in advance.
> Andrei
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/BBMLCEMMOKAO3DULZWVQ5VQGC7GPUDEC/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YAUWKFA4GN3HWEWWO3PX66NPWRPVNN6O/


[ovirt-users] Re: Unable to import CA certificate list

2020-05-06 Thread Martin Perina
On Wed, May 6, 2020 at 9:00 AM Sakari Poussa  wrote:

> Hi Martin,
>
> Seems that I am running the correct versions. Can you elaborate what the
> issue is/was and where is the fix? I can then dive deeper with my debugging.
>

We have changed the way how parameters are passed from engine through
ansible-runner-service to ansible-runner to eliminate parameter escaping
and still allowing parallel playbooks execution. So you also need to have
patch https://gerrit.ovirt.org/108532 included in your ovirt-engine, which
removes the additional escaping.

>
> Thanks, Sakari
>
> $ dnf info python3-ansible-runner ansible-runner-service
> Last metadata expiration check: 0:02:12 ago on Wed 06 May 2020 09:51:37 AM
> EEST.
> Installed Packages
> Name : ansible-runner-service
> Version  : 1.0.2
> Release  : 1.el8
> Architecture : noarch
> Size : 252 k
> Source   : ansible-runner-service-1.0.2-1.el8.src.rpm
> Repository   : @System
> From repo: ovirt-4.4-centos-ovirt44
> Summary  : RESTful API for ansible/ansible_runner execution
> License  : ASL 2.0
> Description  : This package provides the Ansible Runner Service source
> files. Ansible runner service exposes a REST API interface on top of the
> functionality provided by ansible and
>  : ansible_runner.
>  :
>  : The Ansible Runner Service provided in this packages is
> intended to be used as uwgsi app exposed by Nginx in a Container.
>  : Dependencies, and configuration tasks must be performed in
> the container.
>  :
>  : Ansible Runner Service listens on https://localhost:5001
> by default for playbook or ansible inventory requests. For developers
> interested in using the API, all the available
>  : endpoints are documented at https://localhost:5001/api.
>  :
>  : In addition to the API endpoints, the daemon also provides
> a /metrics endpoint for prometheus integration. A sample Grafana dashboard
> is provided within
>  : /usr/share/doc/ansible-runner-service
>
> Name : python3-ansible-runner
> Version  : 1.4.5
> Release  : 1.el8
> Architecture : noarch
> Size : 340 k
> Source   : ansible-runner-1.4.5-1.el8.src.rpm
> Repository   : @System
> From repo: ovirt-4.4-centos-ovirt44
> Summary  : A tool and python library to interface with Ansible
> URL  : https://github.com/ansible/ansible-runner
> License  : ASL 2.0
> Description  : Ansible Runner is a tool and python library that helps when
> interfacing with
>  : Ansible from other systems whether through a container
> image interface, as a
>  : standalone tool, or imported into a python project.
>
>
> On Wed, May 6, 2020 at 9:27 AM Martin Perina  wrote:
>
>> Hi,
>>
>> the issue has been fixed on master, it seems that you are using old
>> ovirt-engine and/or old ansible-runner-service. Please upgrade to latest
>> released ovirt-engine with ansible-runner-service-1.0.2 and
>> python3-ansible-runner-1.4.5
>>
>> Regards,
>> Martin
>>
>>
>> On Wed, May 6, 2020 at 6:50 AM Sakari Poussa  wrote:
>>
>>> Hi,
>>>
>>> I am using 4.4 beta4 and not able to add new hosts to the datacenter.
>>> Also "Enroll Certificate" fails.
>>>
>>> On nodes, I get the following error message:
>>>
>>> libvirtd[20399]: Unable to import CA certificate list
>>> /etc/pki/vdsm/certs/cacert.pem
>>>
>>> The root cause is the malformed cert:
>>>
>>> $ cat /etc/pki/vdsm/certs/cacert.pem
>>> -BEGIN CERTIFICATE-\nMIID XXX
>>>
>>> That, is the .pem file is just one long line with \n characters instead
>>> of real newlines. If I convert the \n to real newlines libvirtd starts but
>>> that is not the end solution since other issues surfaces.
>>>
>>> The malforming happens when the engine copies (via ansible) the CA cert
>>> to the node(s).
>>>
>>> Any ideas what is going on?
>>>
>>> Thanks, Sakari
>>>
>>>
>>>
>>>
>>> _______
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/TZ6EA3X257YGFYQTLFRILGGCQKQKTT2V/
>>>
>>
>>
>> --
>> Martin Perina
>> Manager, Software Engineering
>> Red Hat Czech s.r.o.
>>
>
>
> --
> Sakari Poussa
> 040 348 2970
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OXRUJGZCZUOIFULIFMBZDTS5DJOFJGTI/


[ovirt-users] Re: Unable to import CA certificate list

2020-05-06 Thread Martin Perina
Hi,

the issue has been fixed on master, it seems that you are using old
ovirt-engine and/or old ansible-runner-service. Please upgrade to latest
released ovirt-engine with ansible-runner-service-1.0.2 and
python3-ansible-runner-1.4.5

Regards,
Martin


On Wed, May 6, 2020 at 6:50 AM Sakari Poussa  wrote:

> Hi,
>
> I am using 4.4 beta4 and not able to add new hosts to the datacenter. Also
> "Enroll Certificate" fails.
>
> On nodes, I get the following error message:
>
> libvirtd[20399]: Unable to import CA certificate list
> /etc/pki/vdsm/certs/cacert.pem
>
> The root cause is the malformed cert:
>
> $ cat /etc/pki/vdsm/certs/cacert.pem
> -BEGIN CERTIFICATE-\nMIID XXX
>
> That, is the .pem file is just one long line with \n characters instead of
> real newlines. If I convert the \n to real newlines libvirtd starts but
> that is not the end solution since other issues surfaces.
>
> The malforming happens when the engine copies (via ansible) the CA cert to
> the node(s).
>
> Any ideas what is going on?
>
> Thanks, Sakari
>
>
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/TZ6EA3X257YGFYQTLFRILGGCQKQKTT2V/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/REDL7UPJOU6WAWWD3X7DJ6MYVXE5RCW2/


[ovirt-users] Re: oVirt 4.4.0 Beta release refresh is now available for testing

2020-04-09 Thread Martin Perina
es and bugs fixed.
>
> If you manage more than one oVirt instance, OKD or RDO we also recommend
> to try ManageIQ <http://manageiq.org/>.
>
> In such a case, please be sure  to take the qc2 image and not the ova
> image.
>
> Notes:
>
> - oVirt Appliance is already available for CentOS Linux 8
>
> - oVirt Node NG is already available for CentOS Linux 8
>
> Additional Resources:
>
> * Read more about the oVirt 4.4.0 release highlights:
> http://www.ovirt.org/release/4.4.0/
>
> * Get more oVirt project updates on Twitter: https://twitter.com/ovirt
>
> * Check out the latest project news on the oVirt blog:
> http://www.ovirt.org/blog/
>
>
> [1] http://www.ovirt.org/release/4.4.0/
> [2] http://resources.ovirt.org/pub/ovirt-4.4-pre/iso/
>
> --
>
> Sandro Bonazzola
>
> MANAGER, SOFTWARE ENGINEERING, EMEA R RHV
>
> Red Hat EMEA <https://www.redhat.com/>
>
> sbona...@redhat.com
> <https://www.redhat.com/>*
> <https://www.redhat.com/en/summit?sc_cid=7013a02D2QxAAK>*
> *Red Hat respects your work life balance. Therefore there is no need to
> answer this email out of your office hours.*
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/WX4RDSHWQWGHHYPT4JGRJRMTR43W6Q6X/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZMPAFVZQNPX3R33IYMCEIALQXXGF6JOJ/


[ovirt-users] Re: List VMS with ansible version 2.9 ovirt_vms_info module

2019-12-19 Thread Martin Perina
On Thu, 19 Dec 2019, 09:37 ,  wrote:

> Hi Martin
>
> thanks for your information.
>
> but when i try on one of my testlab  RHV 4.3 farm, ansible 2.9 complain
> that ovirt_vm_facts not found, detail refer to below command output
>
> based on  RHV 4.3 ansible version as below:
>
> # ansible --version
> ansible 2.9.0
>   config file = /etc/ansible/ansible.cfg
>   configured module search path = [u'/root/.ansible/plugins/modules',
> u'/usr/share/ansible/plugins/modules']
>   ansible python module location = /usr/lib/python2.7/site-packages/ansible
>   executable location = /usr/bin/ansible
>   python version = 2.7.5 (default, Jun 11 2019, 14:33:56) [GCC 4.8.5
> 20150623 (Red Hat 4.8.5-39)]
>
>
>
> # ansible-doc --list | egrep -i ovirt_vm   --> not showing ovirt_vm_facts
> module
> [WARNING]: win_template parsing did not produce documentation.
> [WARNING]: template parsing did not produce documentation.
> ovirt_vm_info Retrieve
> information about one or more oVirt/RHV virtual machines
> ovirt_vmpool  Module to
> manage VM pools in oVirt/RHV
> ovirt_vmpool_info Retrieve
> information about one or more oVirt/RHV vmpools
> ovirt_vm  Module to
> manage Virtual Machines in oVirt/RHV
> [root@rhvm100 ~]#
>
>
>  use ovirt_vms_facts module
> # cat list_vms01.yml
> - hosts: localhost
>   connection: local
>   vars_files:
> - engine_vars.yml
> - password.yml
>
>   tasks:
>   - name: Obtain SSO token
> ovirt_auth:
>   url: "{{ engine_url }}"
>   username: "{{ engine_user }}"
>   password: "{{ engine_password }}"
>   ca_file: "{{ engine_cafile | default(omit) }}"
> #  insecure: "{{ engine_insecure }}"
>
>   - name: List vms
> ovirt_vms_facts:
>

Shouldn't there be ovirt_vm_facts?

  fetch_nested: true
>   nested_attributes:
> - description
>   auth: "{{ ovirt_auth }}"
>
>   - name: set vms
> set_fact:
>vm: "{{ item.name }}: {{ item.snapshots |
> map(attribute='description') | join(',') }}"
> with_items: "{{ ovirt_vms }}"
> loop_control:
>   label: "{{ item.name }}"
> register: all_vms
>
>   - name: make a list
> set_fact: vms="{{ all_vms.results | map(attribute='ansible_facts.vm')
> | list }}"
>
>   - name: Print vms
> debug:
>   var: vms
>
>
> # ansible-playbook list_vms01.yml --syntax-check
> [WARNING]: provided hosts list is empty, only localhost is available. Note
> that the implicit localhost does not match 'all'
>
> ERROR! couldn't resolve module/action 'ovirt_vms_facts'. This often
> indicates a misspelling, missing collection, or incorrect module path.
>
> The error appears to be in '/root/rhv_ansible/list_vms01.yml': line 16,
> column 5, but may
> be elsewhere in the file depending on the exact syntax problem.
>
> The offending line appears to be:
>
>
>   - name: List vms
> ^ here
>
>
> thanks
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/TUTNDLLOMOWX6RBBOQ5CQXNI5B23Z53L/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZRUQILT5PRPVC4TPXP3772OT43OHTRYN/


[ovirt-users] Re: List VMS with ansible version 2.9 ovirt_vms_info module

2019-12-18 Thread Martin Perina
On Thu, Dec 19, 2019 at 7:22 AM  wrote:

> Hi All
>
> is someone use ansible to list guest vm and ovirt node on ansible 2.9 with
> ovirt_vms_info  ?
> i read this https://lists.ovirt.org/pipermail/users/2017-May/081956.html
> but this is for ansible 2.8 and below  with ovirt_vms_facts module.
>

ovirt_vm_facts was just recently removed to ovirt_vm_info, but their
functionality is the same. From Ansible 2.9 both modules names works, but
ovirt_vm_facts is deprecated and it should be removed in 2.12 AFAIR.

More information about the module can be found in docs:

https://docs.ansible.com/ansible/latest/modules/ovirt_vm_info_module.html#ovirt-vm-info-module


> i new to ansible, hope someone manage to provide some sample playbook to
> start list vm on ovirt
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/M54DXWXTALU6EZLGV7VRKVUZJ2DOKLEW/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RY63PM2UVIQBDF7EJSYCLPZMIPCZQ5NF/


[ovirt-users] Re: Did a change in Ansible 2.9 in the ovirt_vm_facts module break the hosted-engine-setup?

2019-12-12 Thread Martin Perina
On Thu, Dec 12, 2019 at 9:40 AM  wrote:

> This seems to be a much bigger generic issue with Ansible 2.9. Here is an
> excerpt from the release notes:
>
> "Renaming from _facts to _info
>
> Ansible 2.9 renamed a lot of modules from _facts to
> _info, because the modules do not return Ansible facts. Ansible
> facts relate to a specific host. For example, the configuration of a
> network interface, the operating system on a unix server, and the list of
> packages installed on a Windows box are all Ansible facts. The renamed
> modules return values that are not unique to the host. For example, account
> information or region data for a cloud provider. Renaming these modules
> should provide more clarity about the types of return values each set of
> modules offers."
>
> I guess that means all the oVirt playbooks need to be adapted for Ansible
> 2.9 and that evidently didn't happen or not completely.
>

We are going to adapt, but this is not a breaking change. Till Ansible 2.11
there is automatic linking between *_facts and *_info, only in 2.12 *_facts
will be removed. There is just deprecation warning about this tissue, but
no breakage.

Also please be aware that we will require Ansible 2.9 as minimum version
for oVirt 4.4.


> It would also seem to suggest that there is no automated integration
> testing before an oVirt release... which contradicts the opening clause of
> the opening phrase of the ovirt.org download page: "oVirt 4.3.7 is
> intended for production use and is available for the following platforms..."
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/ROWX54XPPIGHBDRYR6VRHVFXD4WZ4VBM/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CLOOMXRACNETEKCH6PA6PFH2G4RCOVNU/


[ovirt-users] Re: Ansible setup host network fails on comparing sorted dictionaries

2019-11-05 Thread Martin Perina
; },
>
> "ipv6_boot_protocol": "none",
>
> "mac": {
>
> "address": "b4:96:91:3f:47:1c"
>
> },
>
> "mtu": 9000,
>
> "name": "bond28",
>
> "network": {
>
> "href":
> "/ovirt-engine/api/networks/f3ef80cf-bf3a-4fa5-aed9-7d9e7455f804",
>
> "id": "f3ef80cf-bf3a-4fa5-aed9-7d9e7455f804"
>
> },
>
> "network_labels": [],
>
> "properties": [],
>
> "speed": 100,
>
> "statistics": [],
>
> "status": "up"
>
> },
>
> "id": "abce07fa-cb7f-46f2-b967-69d1feaa4075",
>
> "invocation": {
>
> "module_args": {
>
> "bond": {
>
> "interfaces": [
>
> "p2p1",
>
> "p2p2"
>
> ],
>
> "mode": 4,
>
> "name": "bond28"
>
> },
>
> "check": true,
>
> "fetch_nested": false,
>
> "interface": null,
>
> "labels": null,
>
> "name": "ovirt-staging-hv-02.avinity.tv",
>
> "nested_attributes": [],
>
> "networks": [
>
> {
>
> "address": "172.17.28.212",
>
> "boot_protocol": "static",
>
> "id": "3e40ff7d-5384-45f1-b036-13e6f91aff56",
>
> "name": "backbone",
>
> "netmask": "255.255.255.0",
>
> "version": "v4"
>
> }
>
> ],
>
> "poll_interval": 3,
>
> "save": true,
>
> "state": "present",
>
> "sync_networks": false,
>
> "timeout": 180,
>
> "wait": true
>
> }
>
> },
>
> "item": {
>
> "bond": {
>
> "interfaces": [
>
> "p2p1",
>
> "p2p2"
>
> ],
>
> "mode": 4,
>
> "name": "bond28"
>
> },
>
> "check": true,
>
> "name": "ovirt-staging-hv-02.avinity.tv",
>
> "networks": [
>
> {
>
> "address": "172.17.28.212",
>
> "boot_protocol": "static",
>
> "name": "backbone",
>
> "netmask": "255.255.255.0",
>
> "version": "v4"
>
> }
>
> ],
>
> "save": true
>
> }
>
> }
>
> Read vars_file 'vars/engine_vars.yml'
>
> Read vars_file 'vars/secrets.yml'
>
> Read vars_file 'vars/ovirt_infra_vars.yml'
>
>
>
> Changes resulted in applying configuration exactly as intended.
>
> Not sure it this was the actual intention, but please let me know if the
> made change was as initially intended for sorted compare to work.
>
>
>
> My pipenv setup:
>
> Python 3.7
>
> ansible==2.8.6
>
> asn1crypto==1.1.0
>
> bcrypt==3.1.7
>
> cffi==1.13.1
>
> cryptography==2.8
>
> dnspython==1.16.0
>
> ipaddress==1.0.23
>
> Jinja2==2.10.3
>
> jmespath==0.9.4
>
> lxml==4.4.1
>
> MarkupSafe==1.1.1
>
> netaddr==0.7.19
>
> ovirt-engine-sdk-python==4.3.3
>
> paramiko==2.6.0
>
> passlib==1.7.1
>
> pyasn1==0.4.5
>
> pycparser==2.19
>
> pycurl==7.43.0.3
>
> PyNaCl==1.3.0
>
> PyYAML==5.1.2
>
> six==1.12.0
>
>
>
> Ansible vars and play:
>
> =
>
> host_networks:
>
>  - name: ovirt-staging-hv-02.avinity.tv
>
> check: true
>
> save: true
>
> bond:
>
>  name: bond28
>
>   mode: 4
>
>   interfaces:
>
> - p2p1
>
> - p2p2
>
> networks:
>
>   - name: backbone
>
> boot_protocol: static
>
> address: 172.17.28.212
>
> netmask: 255.255.255.0
>
> version: v4
>
> =
>
> - name: Setup host networks
>
>   ovirt_host_network:
>
> auth: "{{ ovirt_auth }}"
>
> name: "{{ item.name }}"
>
> state: "{{ item.state | default(omit) }}"
>
> check: "{{ item.check | default(omit) }}"
>
> save: "{{ item.save | default(omit) }}"
>
> bond: "{{ item.bond | default(omit) }}"
>
> networks: "{{ item.networks | default(omit) }}"
>
> labels: "{{ item.labels | default(omit) }}"
>
> interface: "{{ item.interface | default(omit) }}"
>
>   with_items:
>
> - "{{ host_networks | default([]) }}"
>
>   tags:
>
> - host_networks
>
> - networks
>
> 
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/QWOPC2TMAU565LUWAVGTAAUTJ7KNP5WX/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DYMQA5AI7LKGHDSB6SR6OFCK6EIBAF5R/


[ovirt-users] Re: Cannot enable maintenance mode

2019-11-05 Thread Martin Perina
ttps://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/64GZQKZA7LX7KLMXZ5K2BS46AJVVAMPZ/
> ___
> Users mailing list -- mailto:users@ovirt.org To unsubscribe send an email
> to mailto:users-le...@ovirt.org Privacy Statement:
> https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/JJPEC7RDG3AUSAQAYJO4EZNKONUA3D5F/
>
>
> --
> LUKAS SVATY
> RHV QE
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/YZB2L7MK6SGQIF73QO6GGZG3VZPIBLGA/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5G7PN466PY5LDPEKFM43YIMP6BP65U5L/


[ovirt-users] Re: ovirt and jackson security

2019-10-16 Thread Martin Perina
On Wed, Oct 16, 2019 at 12:12 PM Fabrice Bacchella <
fabrice.bacche...@icloud.com> wrote:

> When I launch ovirt 4.3.6, I see in the command line of the ovirt-engine:
>
> -Djackson.deserialization.whitelist.packages=org,com,java,javax
>
> That whitelist almost everything. Isn't that dangerous ?
>

There is no other easy way how to do that, because we are using huge number
of classes, which can be serialized into JSON. This was breaking backward
compatibility way how CVE for jackson was fixed, but oVirt is not affected
by this CVE, because we use jackson directly only when storing data in
database or for internal engine - VDSM communication. So unless you have an
attacker being able to tamper data in your database or an attacker in
internal network, who is able to masquerade as proper host and return
problematic JSON back to engine, you are not affected.


> When I read this:
> https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
> I think the white list should be as small as possible.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/GZODZPENEN2RU5LJDWXSEYKVRCFPIHOU/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MLLQEJEVP64YRPMVVA7F3VMFGJU7KDMY/


[ovirt-users] Re: Host "install failed"

2019-10-15 Thread Martin Perina
On Tue, Oct 15, 2019 at 1:13 PM Jess Zanne Uy  wrote:

> Hi Ma'am Lucie,
>
> Please see attached of my
> ovirt-host-deploy-20191014174056-10.8.105.116-54aeb232.log.
>
>  ovirtlog1.txt
> <https://drive.google.com/file/d/1WEdBVk7c_cyb9fHbx0icFC9mvjSjscbE/view?usp=drive_web>
>
>
> Thanks,
> Jess
>

Hi,

looking at the log you can see very clear error, which is also visible in
webadmin UI in Events tab:

RuntimeError: Hardware does not support virtualization

So please make sure that kvm_intel or kvm_amd (depending on the processor
you have) is loaded to you host kernel


Regards,
M.


> On Tue, Oct 15, 2019 at 5:47 PM Lucie Leistnerova 
> wrote:
>
>> Hi Jess,
>>
>> please send the host deploy log, e.g.
>> ovirt-host-deploy-20191014174056-10.8.105.116-54aeb232.log
>>
>> Thanks.
>> On 10/15/19 10:34 AM, Jess Zanne Uy wrote:
>>
>> Hi Sir/Madaam,
>> I'm trying to search for hours now but still no luck
>> I can already access the oVirt engine web port via IP address. I'm
>> running via Virtualbox machine.
>> Configured data center, cluster. Then after adding new host. Error occur
>> "Install failed".
>> Tried to check the engine log. It says "EVENT ID: VDS
>> INSTALL_FAILED(505), Host ovirt host installation failed. Command returned
>> failure code 1 during SSH session"
>> My IP address and password is exact. And edited the /etc/host IP_ADDRESS
>> localhost.localdomain
>> My hostname is default, BTW
>> Any help what's wrong with the configuration.
>> Please see attached logs
>>  ovirtlog.txt
>> <https://drive.google.com/file/d/13PK8wgJPwlxFB08Ve6hXxYMcDpiLHkmF/view?usp=drive_web>
>>
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct: 
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives: 
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/M26BAA6V7JRIYGAZ5WPL5K77K4GFLZ6C/
>>
>> --
>> Lucie Leistnerova
>> Senior Quality Engineer, QE Cloud, RHVM
>> Red Hat EMEA
>>
>> IRC: lleistne @ #rhev-qe
>>
>> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/I3BGQ3J57O64QMAIP2I4VBS3VP3CXCOJ/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XEPLXAILHDVXB2TWHSQ2PCR6ZE723VBO/


[ovirt-users] Re: how to put or conditions in filters in web admin gui

2019-10-02 Thread Martin Perina
On Wed, Oct 2, 2019 at 1:08 PM Gianluca Cecchi 
wrote:

> On Wed, Oct 2, 2019 at 11:15 AM Lucie Leistnerova 
> wrote:
>
>> Hi Gianluca,
>>
>> 'or' should work, please send what exact search you enter in the box.
>>
>> Thanks.
>> On 10/2/19 11:05 AM, Gianluca Cecchi wrote:
>>
>> Hello,
>> environment tin 4.3.6.
>> Suppose I'm in Web Admin GUI in Storage --> Disks and I want to get
>> displayed only the disks with "pattern1" together with the disks with
>> "string2" ("or" condition), limiting output to these two conditions, how
>> can I do it?
>> I tried some combinations without success
>>
>> BTW: also the "and" condition seems not to work
>>
>>
Hi Gianluca,

when using condition you need to use key and not just value, so below
should just work fine:

Disks: name=engine* or name=host*
Disks: alias=engine* or alias=host*

name and alias are similar (mapped to the same database field) and they are
default for disks search, so below should produce same results:

Disks: engine
Disks: name=engine*
Disks: alias=engine*

You just need to be aware that if you use key name, you need to append '*'
to search for prefix, otherwise you search for exact value.


Regards,
M.

>
> engine search
>
> https://drive.google.com/file/d/1kglcnmLMUzgIKxOvjqJt8B1uppLhqQNU/view?usp=sharing
>
> host search
>
> https://drive.google.com/file/d/1gbFTuTo2BLDUfn1D0E0aG8iX_PbQpc8T/view?usp=sharing
>
> engine or host search (empty result list)
>
> https://drive.google.com/file/d/1SHeIqYbarzxbWX9r_jzuzeGCT8SXI63q/view?usp=sharing
>
> Gianluca
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/G44G2GJID6RSXP6OKYMF4IHZ76EVVA42/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/72QNKOBZDVDQBK7D4RQIJB56V2QRRPXS/


[ovirt-users] Re: Does cluster upgrade wait for heal before proceeding to next host?

2019-08-09 Thread Martin Perina
On Thu, Aug 8, 2019 at 10:25 AM Sandro Bonazzola 
wrote:

>
>
> Il giorno mar 6 ago 2019 alle ore 23:17 Jayme  ha
> scritto:
>
>> I’m aware of the heal process but it’s unclear to me if the update
>> continues to run while the volumes are healing and resumes when they are
>> done. There doesn’t seem to be any indication in the ui (unless I’m
>> mistaken)
>>
>
> Adding @Martin Perina  , @Sahina Bose
>and @Laura Wright   on this,
> hyperconverged deployments using cluster upgrade command would probably
> need some improvement.
>

The cluster upgrade process continues to the 2nd host after the 1st host
becomes Up. If 2nd host then fails to switch to maintenance, we stop the
upgrade process to prevent breakage.
Sahina, is gluster healing process status exposed in RESTAPI? If so, does
it makes sense to wait for healing to be finished before trying to move
next host to maintenance? Or any other ideas how to improve?

>
>
>
>>
>> On Tue, Aug 6, 2019 at 6:06 PM Robert O'Kane  wrote:
>>
>>> Hello,
>>>
>>> Often(?), updates to a hypervisor that also has (provides) a Gluster
>>> brick takes the hypervisor offline (updates often require a reboot).
>>>
>>> This reboot then makes the brick "out of sync" and it has to be resync'd.
>>>
>>> I find it a "feature" than another host that is also part of a gluster
>>> domain can not be updated (rebooted) before all the bricks are updated
>>> in order to guarantee there is not data loss. It is called Quorum, or?
>>>
>>> Always let the heal process end. Then the next update can start.
>>> For me there is ALWAYS a healing time before Gluster is happy again.
>>>
>>> Cheers,
>>>
>>> Robert O'Kane
>>>
>>>
>>> Am 06.08.2019 um 16:38 schrieb Shani Leviim:
>>> > Hi Jayme,
>>> > I can't recall such a healing time.
>>> > Can you please retry and attach the engine & vdsm logs so we'll be
>>> smarter?
>>> >
>>> > *Regards,
>>> > *
>>> > *Shani Leviim
>>> > *
>>> >
>>> >
>>> > On Tue, Aug 6, 2019 at 5:24 PM Jayme >> > <mailto:jay...@gmail.com>> wrote:
>>> >
>>> > I've yet to have cluster upgrade finish updating my three host HCI
>>> > cluster.  The most recent try was today moving from oVirt 4.3.3 to
>>> > 4.3.5.5.  The first host updates normally, but when it moves on to
>>> > the second host it fails to put it in maintenance and the cluster
>>> > upgrade stops.
>>> >
>>> > I suspect this is due to that fact that after my hosts are updated
>>> > it takes 10 minutes or more for all volumes to sync/heal.  I have
>>> > 2Tb SSDs.
>>> >
>>> > Does the cluster upgrade process take heal time in to account
>>> before
>>> > attempting to place the next host in maintenance to upgrade it? Or
>>> > is there something else that may be at fault here, or perhaps a
>>> > reason why the heal process takes 10 minutes after reboot to
>>> complete?
>>> > ___
>>> > Users mailing list -- users@ovirt.org <mailto:users@ovirt.org>
>>> > To unsubscribe send an email to users-le...@ovirt.org
>>> > <mailto:users-le...@ovirt.org>
>>> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>> > oVirt Code of Conduct:
>>> > https://www.ovirt.org/community/about/community-guidelines/
>>> > List Archives:
>>> >
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/5XM3QB3364ZYIPAKY4KTTOSJZMCWHUPD/
>>> >
>>> >
>>> > ___
>>> > Users mailing list -- users@ovirt.org
>>> > To unsubscribe send an email to users-le...@ovirt.org
>>> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>> > oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> > List Archives:
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/GBX3L23MWGMTF7Q4KGVR63RIQZFYXGWK/
>>> >
>>>
>>> --
>>> Systems Administrator
>>> Kunsthochschule für Medien Köln
>>> Peter-Welter-Platz 2
>>> 50676 Köln
>>> ___
>>>

[ovirt-users] Re: RFE: Add the ability to the engine to serve as a fencing proxy

2019-08-09 Thread Martin Perina
On Thu, Aug 8, 2019 at 8:04 PM Strahil  wrote:

> I think poison pill-based  fencing is easier  to implement but it requires
> either  Network-based  (iSCSI or NFS)  or FC-based  shared  storage.
>
> It is used  in corosync/pacemaker clusters and is easier to implement.
>

Corosync/pacemake uses completely different way how to perform fencing and
this is not applicable for oVirt.
But oVirt also uses shared storage information (we call it storage leases)
which can detect that host is still running and only connection between
enigne and host is broken. For details about VM leases please take a look:

https://ovirt.org/documentation/vmm-guide/chap-Administrative_Tasks.html#configuring-a-highly-available-virtual-machine

> Best Regards,
> Strahil Nikolov
> On Aug 8, 2019 11:29, Sandro Bonazzola  wrote:
>
>
>
> Il giorno ven 2 ago 2019 alle ore 10:50 Sandro E 
> ha scritto:
>
> Hi,
>
> i hope that this hits the right people i found  an RFE (Bug 1373957) which
> would be a realy nice feature for my company as we have to request firewall
> rules for every new host and this ends up in a lot of mess and work. Is
> there any change that this RFE gets implemented ?
>
>
You can specify custom firewalld rules, which are applied during host
installation/reinstallation:

https://ovirt.org/documentation/admin-guide/chap-Hosts.html#configuring-host-firewall-rules

So is there anything you are missing?

>
> Thanks for any help or tips
>
>
> This RFE has been filed in 2016 and didn't got much interest so far. Can
> you elaborate a bit on the user story for this?
>
>
>
>
>
> BR,
> Sandro
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/UP7NZWXZBNHM7B7MNY5NMCAUK6UBPXXD/
>
>
>
> --
>
> Sandro Bonazzola
>
> MANAGER, SOFTWARE ENGINEERING, EMEA R RHV
>
> Red Hat EMEA <https://www.redhat.com/>
>
> sbona...@redhat.com
> <https://www.redhat.com/>*Red Hat respects your work life balance.
> Therefore there is no need to answer this email out of your office hours.
> <https://mojo.redhat.com/docs/DOC-1199578>*
>
>

-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/N7BXHMFXSFMSUOEZK66POQOIU63TMCPL/


[ovirt-users] Re: Info about soft fencing mechanism

2019-06-17 Thread Martin Perina
On Fri, Jun 14, 2019 at 3:02 PM Strahil  wrote:

>
> On Jun 13, 2019 16:14, Gianluca Cecchi  wrote:
> >
> > Hello,
> > I would like to know in better detail how soft fencing works in 4.3.
> > In particular, with "soft fencing" we "only" mean vdsmd restart attempt,
> correct?
>

Yes, it just restarts vdsmd service using SSH connection. In the past we
had several cases, where VDSM was non-responsive, but VMs were running
fine, that's why we added this as the 1st step in non-responding treatment
flow.
We try to connect to host using SSH, restarts VDSM and waits if host start
communicate again. If there is an error during SSH connection or service
restart, we immediately continue to next phase of the treatment.

> Who is responsible for issuing the command? Manager or host itself?
>
> The manager should take the decision, but the actual command should be
> done by another  host.
>

The manager, this flow is started  from host monitoring if there a network
error or connection timeout ...

> > Because in case of Manager, if the host has already lost connection, how
> could the manager be able to do it?
>
> Soft fencing is ussed when ssh is available. In all other cases it doesn't
> work.
>

So if engine cannot communicate with host, we don't know the reason, so
there are several steps in non-responding treatment:

1. SSH Soft Fencing
2. Kdump detection (if it's configured for the host and we detecte host is
dumping, we can restart HA VMs on different host)
3. Power Management restart
- according to cluster fencing policy we can skip restarting host if
for exampl host is renewing its storage lease or gluster cluster is healing
- this part is executed on different host in the same cluster/data
center

If you want to know more about fencing in oVirt, please take a look at
below links:

Host fencing in oVirt - Fixing the unknown and allowing VMs to be highly
available
https://www.youtube.com/watch?v=V1JQtmdleaM

Integrating kdump into oVirt
https://www.youtube.com/watch?v=RAGV_za_Qvw

Automatic fencing in oVirt
https://www.ovirt.org/develop/developer-guide/engine/automatic-fencing.html

Fence-kdump integration in oVirt
https://www.ovirt.org/develop/release-management/features/infra/fence-kdump.html


And course feel free to ask questions

Martin

> Thanks in advance for clarifications and eventually documentation pointers
>
> oVirt DOCs need a lot of updates, but I never found a way to add or edit a
> page.
>
> Best Regards,
> Strahil Nikolov
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/OQIENJDAWQNHORWFLSUYWJKH7SS7E5JE/
>


-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SRBPLSHWUZNILFG4KJRVFO4LBB37OODF/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
On Mon, Oct 3, 2016 at 8:18 AM,  wrote:

>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
> successfully from Internet Explorer & Forefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser did
> not enter a password, and used instead of the transparent sign-on using
> Kerberos.
> It is impossible ??
>

​It's possible and it's working fine when everything is properly set up.
But please bear in mind kerberos SSO is one of the most complicated oVirt
setup, but usually the error is on kerberos side (environment issues on the
client).

So, you are saying that using curl you are able to access API using
kerberos ticket but when you try to access the same API from the browser it
does not work, right?
I don't use IE, but you need to set following options in "about:config" URL
for Firefox to work properly with kerberos:

 network.negotiate-auth.delegation-uris = .ad.holding.com
 network.negotiate-auth.trusted-uris = .ad.holding.com

If you have those options set, what exactly happen when you try to access ​
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
​

​in Firefox?

Martin Perina

​

>
> 03.10.2016, 09:08, "Martin Perina" :
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
>
> > # kinit aleksey
> >
> > Password for alek...@ad.holding.com: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: alek...@ad.holding.com
> >
> > Valid starting   Expires  Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.
> HOLDING.COM
> > renew until 10/07/2016 16:50:29
> >
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k
> ​​
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > 
> > 
> >  ... output truncated ...
> > 
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully
> from Internet Explorer & Forefox
>
>
> On Mon, Oct 3, 2016 at 7:37 AM,  wrote:
>
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru"  >:
> > Any other ideas?
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>

--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se



--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7N2X5BUW7DIAIQYYANECLNEAHHTTEYHA/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
Hi Aleksey,

in your last email you wrote that everything works (at least that's my
understanding, email pasted below). So what exactly doesn't work for you?

Regards

Martin Perina


> # kinit aleksey
>
> Password for alek...@ad.holding.com: ***
>
> # klist
>
> Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> Default principal: alek...@ad.holding.com
>
> Valid starting   Expires  Service principal
> 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.
HOLDING.COM
> renew until 10/07/2016 16:50:29
>
>
> # curl --negotiate -u : -X GET -H "Accept: application/xml" -k
https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
>
> 
> 
>  ... output truncated ...
> 
>
> It Works.
> The browsers are configured.
> Kerberos authentication for Windows web servers working successfully from
Internet Explorer & Forefox


On Mon, Oct 3, 2016 at 7:37 AM,  wrote:

>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru"  >:
> > Any other ideas?
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se



--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/X4HQWTZK7FWOAB32CPBMNUOWDUK7A3G2/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
On Tue, Oct 4, 2016 at 5:16 PM,  wrote:

> Martin, thanks for the help. It works.
>

​Glad to hear that, thanks.

Martin
​


>
> 03.10.2016, 15:01, "Martin Perina" :
> > ​Ahh, this is the issue. Above configuration is valid for oVirt 3.x, but
> in 4.0 we have quite new OAuth base SSO, so you need to use following
> configuration:
> >
> >  oauth/token-http-auth)|^/ovirt-engine/api>
> >   
> > RewriteEngine on
> > RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> > RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> > RequestHeader set X-Remote-User %{REMOTE_USER}s
> > AuthType Kerberos
> > AuthName "Kerberos Login"
> > Krb5Keytab /etc/httpd/s-oVirt-Krb.keytab
> > KrbAuthRealms AD.HOLDING.COM
> > KrbMethodK5Passwd off
> > Require valid-user
> > ErrorDocument 401 " url=/ovirt-engine/sso/login-unauthorized\"/> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> >   
> > 
> > ​
> >
> > ​Also as 4.0 is working on EL7 you may use mod_auth_gssapi/mod_session
> instead of quite old mod_auth_krb. For mod_auth_gssapi/mod_sessions you
> need to do following:
> >
> >   1. yum install mod_session mod_auth_gssapi
> >   2. Use following Apache configuration ​
> >
> > ​ oauth/token-http-auth)|^/ovirt-engine/api>
> >   
> > RewriteEngine on
> > RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> > RewriteRule ^(.*)$ - [L,NS,P,E=REMOTE_USER:%1]
> > RequestHeader set X-Remote-User %{REMOTE_USER}s
> >
> > AuthType GSSAPI
> > AuthName "Kerberos Login"
> >
> > # Modify to match installation
> > GssapiCredStore keytab:/etc/httpd/s-oVirt-Krb.keytab
> > GssapiUseSessions On
> > Session On
> > SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
> >
> > Require valid-user
> > ErrorDocument 401 " url=/ovirt-engine/sso/login-unauthorized\"/> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> >   
> > ​
>

--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se



--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GIIYYLGSCVGHCHAQPJ2EYNSQCU7KRCHC/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
ifact.arg = X-Remote-User
>
> 
> =
> # cat /etc/ovirt-engine/extensions.d/ad.holding.com-http-mapping.
> properties
>
> ovirt.engine.extension.name = ad.holding.com-http-mapping
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.
> extensions.aaa.Mapping
> config.mapAuthRecord.type = regex
> config.mapAuthRecord.regex.mustMatch = true
> config.mapAuthRecord.regex.pattern = ^(?.*?)(((?@)(?<
> suffix>.*?)@.*)|(?@.*))$
> config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}${realm}
>
>
> 03.10.2016, 09:56, "Martin Perina" :
>
> > ​Ahh, so kerberos SSO works fine for API, but not for portals. Could you
> please share your Apache configuration with oVirt kerberos configuration?
> Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf
>

--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se



--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QZALCIV6D3YYY5YQXJOOJMQYUGT2Q6D4/


[ovirt-users] Re: oVirt 4.0.4 and Active Directory Kerberos SSO for Administration/User Portal. Troubleshooting

2019-05-14 Thread Martin Perina
On Mon, Oct 3, 2016 at 8:52 AM,  wrote:

>  > network.negotiate-auth.delegation-uris = .ad.holding.com
>  > network.negotiate-auth.trusted-uris = .ad.holding.com
>
> Yes. Configured
>
> The URL https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api in IE and
> Firefox opens without problems and without password prompts
>
> But when opening links from start page...
>
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/
> userportal/?locale=en_US
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/webadmin/?locale=en_US
>
> ...opens a oVirt form prompting for credentials with a single profile
> "internal"
>

​Ahh, so kerberos SSO works fine for API, but not for portals. Could you
please share your Apache configuration with oVirt kerberos configuration?
Usually it's in /etc/ovirt-engine/aaa/ovirt-sso.conf

Thanks

Martin Perina
​


>
>
> 03.10.2016, 09:37, "Martin Perina" :
>
>
>
> On Mon, Oct 3, 2016 at 8:18 AM,  wrote:
>
>
> Hello, Martin
>
> Before I wrote: Kerberos authentication FOR WINDOWS WEB SERVERS working
> successfully from Internet Explorer & Forefox.
> Kerberos authentication NOT working with oVirt Web-Portals.
>
> I expect that the users opening the oVirt web portal in the browser did
> not enter a password, and used instead of the transparent sign-on using
> Kerberos.
> It is impossible ??
>
>
> ​It's possible and it's working fine when everything is properly set up.
> But please bear in mind kerberos SSO is one of the most complicated oVirt
> setup, but usually the error is on kerberos side (environment issues on the
> client).
>
> So, you are saying that using curl you are able to access API using
> kerberos ticket but when you try to access the same API from the browser it
> does not work, right?
> I don't use IE, but you need to set following options in "about:config"
> URL for Firefox to work properly with kerberos:
>
>  network.negotiate-auth.delegation-uris = .ad.holding.com
>  network.negotiate-auth.trusted-uris = .ad.holding.com
>
> If you have those options set, what exactly happen when you try to access ​
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> ​
>
> ​in Firefox?
>
> Martin Perina
>
> ​
>
>
> 03.10.2016, 09:08, "Martin Perina" :
>
> Hi Aleksey,
>
> in your last email you wrote that everything works (at least that's my
> understanding, email pasted below). So what exactly doesn't work for you?
>
> Regards
>
> Martin Perina
>
>
> > # kinit aleksey
> >
> > Password for alek...@ad.holding.com: ***
> >
> > # klist
> >
> > Ticket cache: KEYRING:persistent:0:krb_ccache_9W86VN9
> > Default principal: alek...@ad.holding.com
> >
> > Valid starting   Expires  Service principal
> > 09/30/2016 16:50:32  10/01/2016 02:50:32  krbtgt/AD.HOLDING.COM@AD.
> HOLDING.COM
> > renew until 10/07/2016 16:50:29
> >
> >
> > # curl --negotiate -u : -X GET -H "Accept: application/xml" -k
> ​​ <https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api>
> https://kom-ad01-ovirt1.ad.holding.com/ovirt-engine/api
> >
> > 
> > 
> >  ... output truncated ...
> > 
> >
> > It Works.
> > The browsers are configured.
> > Kerberos authentication for Windows web servers working successfully
> from Internet Explorer & Forefox
>
>
> On Mon, Oct 3, 2016 at 7:37 AM,  wrote:
>
>
> Up
>
> 30.09.2016, 18:55, "aleksey.maksi...@it-kb.ru"  >:
> > Any other ideas?
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>

--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se



--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZMDXHINKZ4VOF4YIC6BSIQYFBUZYHEDV/


[ovirt-users] Re: oVirt 4.3.1 with AD creates new user at every login

2019-03-11 Thread Martin Perina
On Sat, Mar 9, 2019 at 10:43 AM  wrote:

> > I just did a clean install of oVirt 4.3.1 (engine and nodes).
> >
> > I setup AD authentication and gave an AD group permissions needed work
> with
> > VMs. I gave them PowerUserRole on the Cluster and Storage.
> >
> > Users in the AD group can login and create VMs but after they log out and
> > log back in they don't see any of the VMs created in the previous
> session.
> >
> > I noticed that in Administration -> Users a new row is created for each
> > user every time they login. All columns for each user are the same: same
> > first and last name, same user name, authorization provider, and so on
> but
> > the behavior looks very much like they are being treated as new user
> every
> > time they login.
>

Ravi, is above the same issue as tracked in
https://bugzilla.redhat.com/show_bug.cgi?id=1672860 ?

>
>
> I have observed the same behaviour with oVirt 4.3.XY
>
> Delving deeper, in the oVirt engine 'users' table,  external_id is *not*
> being set for AD users as documented in (e.g.)
> engines/packaging/dbscripts/common_sp.sql
>
> "The external identifier is the user identifier converted to an array of
> bytes:"
>
> ovirt 4.3.0
> user@domain | f3de0b27-c2a0-463b-a2ff-d480bd88c77f |
> ece7b8c2-4983-4c1e-9a33-c28d58d40213
>
>
> And under ovirt 4.2.8 for comparison:
>
> username   |   user_id| external_id
> user@domain | 364d176e-8813-4e67-bdd0-dc10b823d23c |
> af5bbg/eTkuktBPXW4Ak5g==
>
>
> Further information on replicating the issue:
>
> 1) Configure LDAP authentication:
>
>
> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html#configuring-an-external-ldap-provider
>
>
> 2) Add an LDAP group via the Administration Portal:
>
> Administration >> Users > 'Add' button, click 'Group'
> radio-button, select the relevant LDAP authorization
> select the relevant LDAP authorization provider in the
> drop-down list under 'Search', enter the LDAP group
> in the search text-box then click 'GO'.
>
> The found group should appear below.  Select the
> toggle-button to the left of the group then click
> 'Add and Close'.
>
>
> 3) Add SuperUser system permission for the LDAP group.
>
> Back under Administration >> Users, click the 'Group'
> button if groups are not already displayed.  Click on
> the LDAP group added in the previous step then click
> 'Permissions' -> 'Add System Permissions'
>
>
> 4) Log into the Administration Portal as an LDAP group member.
> Logout then log back into the Administration Portal as a
> member of the LDAP group specified above.  Login should be
> successful because that user will inherit the SuperUser
> system permission but note the following issues below:
>
> - under Administration >> Users, note that a 'User' icon
> is displayed for the LDAP user rather than an 'Admin' icon.
> This is in contrast to 4.2.8, where an Admin icon would
> be displayed.
>
>
> 5) Repeat step 4 above.
> If you logout then log back into the Administration Portal as
> the same member of the LDAP group specified above then
> check Administration >> Users, an additional user entry appears:
> same First Name, Last Name, Authorization provider, Namespace
> and E-mail.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/PC2JLU65QED36MLLN7I5BJEPYEADKUO2/
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CTX3S6ULXXJB2RMCLLRYPACPWJHJT55T/


[ovirt-users] Re: Info about firewall type and 4.3

2019-03-08 Thread Martin Perina
Hi Gianluca,

I'd like to mention FirewallD support for hosts is oVirt 4.2 feature, so it
was available to you even before upgrade to 4.3.

Anyway, if you want to switch firewall type of a cluster, then you need to
do that in following steps:

1. Change firewall type in the Edit cluster dialog
- when done all hosts in the cluster are marked and message "host
reinstallation is required" is shown

2. For all hosts in the cluster perform following operations:
a. Put host into Maintenance
b. Perform Reinstall on the host from webadmin
c. Activate the host

In the case you have used custom IPTables rules defined using
engine-config, then please take a look at blog post [1], which mentions how
to define those custom rules using FirewallD:

https://www.ovirt.org/blog/2017/12/host-deploy-customization.html

The definition of those custom rules needs to be performed even before you
start host reinstallation.

Please let us know if you have any issues during the process

Regards,
Martin


On Tue, Mar 5, 2019 at 2:10 PM Gianluca Cecchi 
wrote:

> Hello,
> I have updated a 4.2.8 environment to 4.3.1
> So far so good, I have updated cluster level and dc level from 4.2 to 4.3
>
> I notice the field "Firewall type" in my cluster and it is currently set
> to "iptables".
> My 3 hosts are CentOS 7.6 plain servers.
> My external engine is CentOS 7.6 and already with firewalld
>
> I seem to remember in the long run only firewalld supported also on hosts.
> Is this correct and in case is there an ETA/version?
> What would be the steps to pass my current hosts to firewalld in case?
>
> Currently I see:
> iptables enabled and running
> ip6tables disabled
> ebtables disabled
>
> Thanks in advance,
> Gianluca
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/D62RXQO2XYCBQVOCTMAMKQ572HKWST23/
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/T27S6ERY6KRUWGQSXWBQPYEHW2QHLEZA/


[ovirt-users] Re: Upgrade 4.2.8 to 4.3.1 failed: Constraint violation found in vm_interface (vmt_guid) |1

2019-03-01 Thread Martin Perina
On Fri, Mar 1, 2019 at 3:12 PM John Florian  wrote:

> I tried to upgrade my engine and was running engine-setup when:
>
> [ INFO  ] Checking the Engine database consistency
> [ ERROR ] Failed to execute stage 'Setup validation': Failed checking
> Engine database: an exception occurred while validating the Engine
> database, please check the logs for getting more info:
>   Constraint violation found in  vm_interface (vmt_guid) |1
>
> I found https://bugzilla.redhat.com/show_bug.cgi?id=1528316 but that
> looks to have been resolved already.
>

This seems like a new issue, could you please create new bug for that and
attach engine logs (especially those from /var/log/ovirt-engine/setup?

Thanks,
Martin


> How should I proceed?
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/FD5GAOK6Y5X25IJNNQ56TCQOKEXCZBKT/
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7SMATXVAD3PJQJRMVODBXXOMJ4HQOQOR/


[ovirt-users] Re: Fencing : SSL or not?

2019-02-22 Thread Martin Perina
On Fri, Feb 22, 2019 at 4:00 PM Nicolas Ecarnot  wrote:

> Le 22/02/2019 à 15:45, Martin Perina a écrit :
>
> If I understand that correctly, this is a request to open session to IPMI.
> If you haven't received any response, then I'd check:
>
> 1. Do you have IPMI enabled?
>
>
> Hello Martin,
>
> you hit the point.
>
> IPMI was not unable (anymore).
>
> IPMI is activated by default since years in all our hosts.
>
> But recent firmware upgrades on some of our Dell hosts, and especially on
> iDRAC firmwares led to the disabling of IPMI.
>
>
> I'm sorry for having bothered you and the audience. Sorry for this waste
> of time. Thank you Dell :-\
>

No problem, I'm glad the issue is solved.

Have a nice weekend!
Martin

>
> --
> Nicolas ECARNOT
>
>

-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PHDG6E226SDO64UQGQ3HXUPXU3KKGHDZ/


[ovirt-users] Re: Fencing : SSL or not?

2019-02-22 Thread Martin Perina
On Fri, Feb 22, 2019 at 2:21 PM Nicolas Ecarnot  wrote:

> Le 22/02/2019 à 12:13, Martin Perina a écrit :
>
> Unfortunately using fence_ipmilan is not possible to display more
> debugging details, so as mentioned earlier could you please run ipmitool
> directly?
>
> ipmitool vv -I lanplus -H c-hv05.prd.sdis38.fr -p 623 -U stonith -P
>  -L ADMINISTRATOR chassis power status
>
> Above should display more details ...
>
>
> root@hv04:/etc# ipmitool -vv -I lanplus -H c-hv05.prd.sdis38.fr -p 623 -U 
> stonith -P 'xxx' -L ADMINISTRATOR chassis power status
>
> >> Sending IPMI command payload
> >>netfn   : 0x06
> >>command : 0x38
> >>data: 0x8e 0x04
>
>
If I understand that correctly, this is a request to open session to IPMI.
If you haven't received any response, then I'd check:

1. Do you have IPMI enabled?
2. Is it exposed on the relevant IP/port?
3. Isn't there any firewall blocking access the client to the IPMI
interface?


>
> >> Sending IPMI command payload
> >>netfn   : 0x06
> >>command : 0x38
> >>data: 0x8e 0x04
>
>
> >> Sending IPMI command payload
> >>netfn   : 0x06
> >>command : 0x38
> >>data: 0x8e 0x04
>
>
> >> Sending IPMI command payload
> >>netfn   : 0x06
> >>command : 0x38
> >>data: 0x8e 0x04
>
>
> >> Sending IPMI command payload
> >>netfn   : 0x06
> >>command : 0x38
> >>data: 0x0e 0x04
>
>
> >> Sending IPMI command payload
> >>netfn   : 0x06
> >>command : 0x38
> >>data: 0x0e 0x04
>
>
> >> Sending IPMI command payload
> >>netfn   : 0x06
> >>command : 0x38
> >>    data: 0x0e 0x04
>
>
> >> Sending IPMI command payload
> >>netfn   : 0x06
> >>command : 0x38
> >>data: 0x0e 0x04
>
> Get Auth Capabilities error
> Error issuing Get Channel Authentication Capabilities request
> Error: Unable to establish IPMI v2 / RMCP+ session
> root@hv04:/etc#
>
> --
> Nicolas ECARNOT
>
>

-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IVJH7Y4V4TTETTXRJ5I4UT4SESI5RSR2/


[ovirt-users] Re: Fencing : SSL or not?

2019-02-22 Thread Martin Perina
On Fri, Feb 22, 2019 at 11:39 AM Nicolas Ecarnot 
wrote:

> Hi Martin,
>
> Le 21/02/2019 à 13:04, Martin Perina a écrit :
> > Hi Nicolas,
> >
> > see my reply inline
>
> See mine below.
>
> >
> > On Mon, Feb 18, 2019 at 9:51 AM Nicolas Ecarnot  > <mailto:nico...@ecarnot.net>> wrote:
> >
> > Hello,
> >
> > As fence_idrac has never worked for us, and as fence_ipmilan has
> worked
> > nicely since years, we are using fence_ipmilan with the lanplus=1
> > option
> > and we're happy with it.
> >
> > We upgraded to 4.3.0.4 and we're witnessing that we cannot fence our
> > hosts anymore :
> >
> > 2019-02-18 09:42:08,678+01 ERROR
> > [org.ovirt.engine.core.bll.pm
> > <http://org.ovirt.engine.core.bll.pm>.FenceProxyLocator] (default
> > task-11)
> > [2f78ed99-6703-4d92-b7cb-948c2d24b623] Can not run fence action on
> host
> > 'x', no suitable proxy host was found.
> >
> >
> > This is not related fence_ipmi issue below. Engine, is order to be able
> > to execute fencing operation, needs at least one other hosts in Up
> > status, which is used as a proxy host to perform fencing operation. So
> > do you have at least one host in Up status in the same
> > cluster/datacenter as the host you want to run fencing operation on?
>
> Yes.
>
> > If so, then please enable debug information to find out why we cannot
> > find any host acting as fence proxy:
> >
> > 1. Please download log-control.sh script from
> > https://github.com/oVirt/ovirt-engine/tree/master/contrib#log-control-sh
> > and save on engine machine
> > 2. Please execute following on engine machine
> >log-control.sh org.ovirt.engine.core.bll.pm
> > <http://org.ovirt.engine.core.bll.pm> DEBUG
> > 3. Go to the problematic host, click Edit, go to Power Management tab,
> > click on the existing fence agent and click on Test button
> > 4. Take a look at engine.log, there should be logged information, why we
> > were not able to find out fence proxy
>
> I followed the instructions above, but I feel this is not the best debug
> path. I learned nothing new.
> The fence proxy is not missing. It is known and found, and it is trying
> to do its job, as written below :
>
> >
> >
> > and on the SPM :
> >
> > fence_ipmilan: Failed: Unable to obtain correct plug status or plug
> is
> > not available
> >
> >
> > Could you please provide debug output of below command?
> >
> > ipmitool -vv -I lanplus -H  -p 623 -U
> 
> > -P  -L ADMINISTRATOR chassis power status
>
> See below a debug session.
> I'm comparing two hosts, and one only is answering fence status queries.
>
> I must add that before the upgrade to 4.3, both hosts were responding
> correctly.
>
> fence_ipmilan --username=stonith --password='xxx' --lanplus
> --ip=c-serv-hv-prds01.sdis.isere.fr --action=status -v
> 2019-02-22 11:34:01,537 INFO: Executing: /usr/bin/ipmitool -I lanplus -H
> c-serv-hv-prds01.sdis.isere.fr -p 623 -U stonith -P [set] -L
> ADMINISTRATOR chassis power status
>
> 2019-02-22 11:34:01,654 DEBUG: 0 Chassis Power is on
>
>
> Status: ON
> root@hv04:/etc# fence_ipmilan --username=stonith --password='xxx'
> --lanplus --ip=c-hv05.prd.sdis38.fr --action=status -v
> 2019-02-22 11:34:15,335 INFO: Executing: /usr/bin/ipmitool -I lanplus -H
> c-hv05.prd.sdis38.fr -p 623 -U stonith -P [set] -L ADMINISTRATOR chassis
> power status
>
> 2019-02-22 11:34:35,338 ERROR: Connection timed out
>

Unfortunately using fence_ipmilan is not possible to display more debugging
details, so as mentioned earlier could you please run ipmitool directly?

ipmitool vv -I lanplus -H c-hv05.prd.sdis38.fr -p 623 -U stonith -P
 -L ADMINISTRATOR chassis power status

Above should display more details ...


>
> root@hv04:/etc# nmap c-serv-hv-prds01.sdis.isere.fr
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2019-02-22 11:34 CET
> Nmap scan report for c-serv-hv-prds01.sdis.isere.fr (192.168.53.2)
> Host is up (0.010s latency).
> rDNS record for 192.168.53.2: c-5g3yxx1.sdis.isere.fr
> Not shown: 996 closed ports
> PORT STATE SERVICE
> 22/tcp   open  ssh
> 80/tcp   open  http
> 443/tcp  open  https
> 5900/tcp open  vnc
>
> Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
> root@hv04:/etc# nmap c-hv05.prd.sdis38.fr
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2019-02-22 11:34 CET
> Nmap scan report for c-hv05.prd.sdis38.fr (192.168.50.194)
> Host is up (0.00060s latency).
> rDNS record for 192.168.50.194: C-550W2S2

[ovirt-users] Re: Fencing : SSL or not?

2019-02-21 Thread Martin Perina
Hi Nicolas,

see my reply inline

On Mon, Feb 18, 2019 at 9:51 AM Nicolas Ecarnot  wrote:

> Hello,
>
> As fence_idrac has never worked for us, and as fence_ipmilan has worked
> nicely since years, we are using fence_ipmilan with the lanplus=1 option
> and we're happy with it.
>
> We upgraded to 4.3.0.4 and we're witnessing that we cannot fence our
> hosts anymore :
>
> 2019-02-18 09:42:08,678+01 ERROR
> [org.ovirt.engine.core.bll.pm.FenceProxyLocator] (default task-11)
> [2f78ed99-6703-4d92-b7cb-948c2d24b623] Can not run fence action on host
> 'x', no suitable proxy host was found.
>

This is not related fence_ipmi issue below. Engine, is order to be able to
execute fencing operation, needs at least one other hosts in Up status,
which is used as a proxy host to perform fencing operation. So do you have
at least one host in Up status in the same cluster/datacenter as the host
you want to run fencing operation on?

If so, then please enable debug information to find out why we cannot find
any host acting as fence proxy:

1. Please download log-control.sh script from
https://github.com/oVirt/ovirt-engine/tree/master/contrib#log-control-sh
and save on engine machine
2. Please execute following on engine machine
  log-control.sh org.ovirt.engine.core.bll.pm DEBUG
3. Go to the problematic host, click Edit, go to Power Management tab,
click on the existing fence agent and click on Test button
4. Take a look at engine.log, there should be logged information, why we
were not able to find out fence proxy


> and on the SPM :
>
> fence_ipmilan: Failed: Unable to obtain correct plug status or plug is
> not available
>

Could you please provide debug output of below command?

ipmitool -vv -I lanplus -H  -p 623 -U  -P
 -L ADMINISTRATOR chassis power status

Above is the command which fence_ipmi is internally executing, and -vv adds
debugging output which can reveal issue with the plug status

Regards,
Martin


> I found the suggested workaround here :
>
> https://access.redhat.com/solutions/3349841
>
> but no combination of
> - lanplus={0,1}
> - -z
> - ssl=={0,1}
>
> lead to no solution.
>
> The package version is the same as what's described in the KB :
> fence-agents-rhevm-4.2.1-11.el7_6.7.x86_64
>
> What should I test now?
>
> Thank you.
>
> --
> Nicolas ECARNOT
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/SEUAZ6JB6CIYY2GOBNJN2XSWOSH6DHDJ/
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SM6GFR6NTVHGRS3MO623EL56J4HVEI5K/


[ovirt-users] Re: Cluster upgrade

2019-02-07 Thread Martin Perina
On Thu, Feb 7, 2019 at 12:24 PM Misak Khachatryan  wrote:

> Thanks Martin,
>
> you are right, on all hosts which i did upgrade ovirt-4.3 repo is not
> present. Seems like a bug.
>

This is not a bug, you need to update repos on hosts manually prior to the
upgrade.

>
> Best regards,
> Misak Khachatryan
>
>
> On Tue, Feb 5, 2019 at 10:03 PM Martin Perina  wrote:
>
>>
>>
>> On Tue, 5 Feb 2019, 14:54 Misak Khachatryan >
>>> Hi,
>>>
>>> I've successfully upgraded to 4.3, but when I'm trying to upgrade
>>> Cluster version I'm getting this:
>>>
>>> "Error while executing action: Cannot change Cluster Compatibility
>>> Version to higher version when there are active Hosts with lower version.
>>> -Please move Host virt2 with lower version to maintenance first."
>>>
>>
>> It seems that on host virt2 you have installed VDSM which doesn't support
>> higher cluster version. Please try to upgrade the host before upgrading the
>> cluster.
>>
>>
>>> Any clues?
>>>
>>> Best regards,
>>> Misak Khachatryan
>>> ___
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/6R64SOEIYXFGTDTWOWZDHREJDUKL6IEP/
>>>
>>

-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CDDTOYVVNP7L4RHQADZOVFDIRTCUORC5/


[ovirt-users] Re: Cluster upgrade

2019-02-05 Thread Martin Perina
On Tue, 5 Feb 2019, 14:54 Misak Khachatryan  Hi,
>
> I've successfully upgraded to 4.3, but when I'm trying to upgrade Cluster
> version I'm getting this:
>
> "Error while executing action: Cannot change Cluster Compatibility Version
> to higher version when there are active Hosts with lower version.
> -Please move Host virt2 with lower version to maintenance first."
>

It seems that on host virt2 you have installed VDSM which doesn't support
higher cluster version. Please try to upgrade the host before upgrading the
cluster.


> Any clues?
>
> Best regards,
> Misak Khachatryan
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/6R64SOEIYXFGTDTWOWZDHREJDUKL6IEP/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PYNHTH6A2M45PJTJGVQTRVXASXFCQ7IS/


[ovirt-users] Re: Host compatibility issue after upgrade from 4.2.8 to 4.3.0

2019-02-05 Thread Martin Perina
Hi,

If you execute Check for update for specific host, you should see list of
packages which can be updated in Events view after check for updates
process finishes.

Martin


On Tue, 5 Feb 2019, 16:01  > Please disregard, this was caused by an oversight on my part...  I
> forgot to enable the
> > ovirt-4.3 repo on the node in question :-(  My bad.
>
> This leads to a "Feature Request".
> What happened was that I updated the first two hosts using yum from the
> command line, so it was plainly visible what yum was going to
> upgrade/install.  With the last host, I thought I would try upgrading it
> from the WebUI.  The problem is: from the WebUI, there is no way (that I
> know of) to see what packages are slated for upgrade.  I've run into this
> before when the WebUI shows there are updates available, the first thing I
> wonder is... what is going to be updated?
>
> So long story short, in my opinion, it would be tremendously useful to be
> able to get a listing like yum list updates produces from the WebUI, prior
> to hitting the "Upgrade" button.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/UEH4735DRUQVVWH6MMKHRM5WGZZJUKDK/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IMSRMWTMVX6SIQXCCS6WSHLKKFEZYPMH/


[ovirt-users] Re: Ansible and SHE deployment

2019-01-15 Thread Martin Perina
Hi Marko,

please take a look at official oVirt roles:
https://github.com/ovirt/ovirt-ansible they should cover everything around
oVirt installation, data center setup and even daily maintenance tasks like
VM management.

Regards,

Martin


On Mon, Jan 14, 2019 at 12:12 PM Vrgotic, Marko 
wrote:

> Dear oVirt team,
>
>
>
> I would like to ask you help in get some general guidelines, do’s & don’ts
> in deploying complete oVirt environment using Ansible.
>
>
>
> The first Production deployment I made was done manual:
>
>
>
> 12 Hypervsiors – all exact same HW Brand and Specs
>
> 3/12 used for HA Env for SHE
>
> oVirt version 4.2.1 (now we are at 4.2.7)
>
> 4Gluster nodes, managed externally of oVirt
>
>
>
> This is environment I would like to convert into deployable by Ansible
>
>
>
> Atm, I am working on second Production env, for Eng/Dev department, and I
> want to go all way Ansible.
>
> I am aware of your playbooks, and location on github, but what I want to
> ask is an advice on how to approach using them:
>
>
>
> The second Env will have:
>
>
>
> 7Hypervisors different specs / all provisioned using Foreman
>
> oVirt version, latest 4.2.x at that point.
>
> 3/7 providing HA for SHE engine
>
> Storage used is to be NetApp.
>
>
>
> Please let me know how to proceed with modifying Ansible playbooks and
> what should be the recommended executing order, and what to look for? Also,
> If you need additional info, I will be happy to provide.
>
>
>
> Kind regards,
>
> Marko Vrgotic
>
>
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/D6BMPCYVHL6EP3ICN475TXZ4EWJSY7HZ/
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WUQ2O646AQYBI7FLQELT6WQL3BXSIHF4/


[ovirt-users] Re: Ansible upgrade procedures?

2018-11-14 Thread Martin Perina
On Wed, Nov 14, 2018 at 6:11 PM Jayme  wrote:

> I've been giving this a try but have been running in to a few issues.
> Namely, it seems to upgrade the first host properly but after that the
> ansible job completes successfully without any errors, but does not upgrade
> my other two hosts.  It only seems to update the first host then completes
> while leaving the others untouched.
>

That's strange, could you please create a bug for that and attach engine
logs so we can investigate the issue on your setup?

We were testing this role on role with many hosts and we have never seen
the behaviour that only first host would be upgraded and other ignored.

Thanks

Martin


> could it be because after the first host comes up from a reboot the
> gluster healing prevents the other host statuses from being "up" thus
> ansible skips over them?
>
> On Wed, Nov 14, 2018 at 11:49 AM Martin Perina  wrote:
>
>> Hi Jayme,
>>
>> you can upgrade the whole cluster using our cluster upgrade Ansible role:
>>
>> https://github.com/ovirt/ovirt-ansible-cluster-upgrade
>>
>> Martin
>>
>>
>> On Wed, 14 Nov 2018, 14:25 Jayme >
>>> Is it possible to update oVirt HCI environment automatically with
>>> ansible? If so are there any specific instructions or details on the
>>> process?
>>>
>>> Thanks!
>>> ___
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/JPBQOWKM7RIU2CTXM2KXMV43RJZL2GSY/
>>>
>>

-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/E5HYWO2RKJC6NAQMMM4S7EEFJCXQWSQW/


[ovirt-users] Re: Ansible upgrade procedures?

2018-11-14 Thread Martin Perina
Hi Jayme,

you can upgrade the whole cluster using our cluster upgrade Ansible role:

https://github.com/ovirt/ovirt-ansible-cluster-upgrade

Martin


On Wed, 14 Nov 2018, 14:25 Jayme  Is it possible to update oVirt HCI environment automatically with ansible?
> If so are there any specific instructions or details on the process?
>
> Thanks!
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/JPBQOWKM7RIU2CTXM2KXMV43RJZL2GSY/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2VTHNDTXHHAMEVGA56QGWTQ2LO7WPFQ6/


[ovirt-users] Re: ovirt - in docker

2018-10-12 Thread Martin Perina
On Fri, Oct 12, 2018 at 10:18 AM Sandro Bonazzola 
wrote:

>
>
> Il giorno ven 12 ott 2018 alle ore 09:06 Roman Mohr  ha
> scritto:
>
>> On Tue, Oct 9, 2018 at 11:16 AM ReSearchIT Eng
>>  wrote:
>> >
>> > Hello!
>> > I am interested to run ovirt in docker container.
>> > It was noticed that there is an official repo for it:
>> > https://github.com/oVirt/ovirt-container-engine
>>
>> Yaniv Bronheim mostly worked on it when the repo was moved to oVirt.
>>
>> Sandro,  Simone, since he is now working on other things, do you guys
>> know anything about plans for updating the repo?
>>
>
> No. Martin?
>

No, this effort was stopped long time ago

>
>
>
>>
>> Best Regards,
>>
>> Roman
>>
>> > Unfortunately it did not get an update for 2 years (4.1).
>> >
>> > Can anyone help with the required answers/entrypoint/patch files for
>> > the new 4.2 ?
>> >
>> > Thanks!
>> > ___
>> > Users mailing list -- users@ovirt.org
>> > To unsubscribe send an email to users-le...@ovirt.org
>> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> > oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> > List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/C66CSW7CY7RCTC56V5YNSZ6KQKHLADIS/
>>
>
>
> --
>
> SANDRO BONAZZOLA
>
> MANAGER, SOFTWARE ENGINEERING, EMEA R RHV
>
> Red Hat EMEA <https://www.redhat.com/>
>
> sbona...@redhat.com
> <https://red.ht/sig>
> <https://www.redhat.com/en/events/red-hat-open-source-day-italia?sc_cid=701f200RgRyAAK>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TW7GJEM3SXWCJ42ZWJTCGK2UIG3TWLV3/


[ovirt-users] Re: [aaa-ldap-setup] Login sequence fails on setup

2018-09-19 Thread Martin Perina
On Wed, 19 Sep 2018, 15:19 mopiel games, 
wrote:

> When running setup for openldap , bind is successful with the provided
> user and pass but login fails.
>
>  [ INFO  ] Connection succeeded
>   Enter search user DN (for example uid=username,dc=example,dc=com
> or leave empty for anonymous): cn=admin,dc=exalt,dc=ps
>   Enter search user password:
> [ INFO  ] Attempting to bind using 'cn=admin,dc=exalt,dc=ps'
>   Please enter base DN (dc=exalt,dc=ps) [dc=exalt,dc=ps]:
> ou=users,dc=exalt,dc=ps
>   Are you going to use Single Sign-On for Virtual Machines (Yes,
> No) [Yes]:
>
>   NOTE:
>   Profile name has to match domain name, otherwise Single Sign-On
> for Virtual Machines will not work.
>
>   Please specify profile name that will be visible to users [
> ldap23.exalt.ps]:
> [ INFO  ] Stage: Setup validation
>
>   NOTE:
>   It is highly recommended to test drive the configuration before
> applying it into engine.
>   Login sequence is executed automatically, but it is recommended
> to also execute Search sequence manually after successful Login sequence.
>
>   Please provide credentials to test login flow:
>   Enter user name: uid=user,ou=users,dc=exalt,dc=ps
>

You are supposed to enter only the username and not the LDAP DN. So
according to above you should enter only 'user'

  Enter user password:
> [ INFO  ] Executing login sequence...
>   Login output:
>   2018-09-19 15:29:22,982+03 INFO
> 
>   2018-09-19 15:29:22,999+03 INFO
> Initialization 
>   2018-09-19 15:29:23,000+03 INFO
> 
>   2018-09-19 15:29:23,025+03 INFOLoading extension
> 'ldap23.exalt.ps-authn'
>   2018-09-19 15:29:23,086+03 INFOExtension
> 'ldap23.exalt.ps-authn' loaded
>   2018-09-19 15:29:23,089+03 INFOLoading extension '
> ldap23.exalt.ps'
>   2018-09-19 15:29:23,098+03 INFOExtension 'ldap23.exalt.ps'
> loaded
>   2018-09-19 15:29:23,099+03 INFOInitializing extension
> 'ldap23.exalt.ps-authn'
>   2018-09-19 15:29:23,101+03 INFO
> [ovirt-engine-extension-aaa-ldap.authn::ldap23.exalt.ps-authn] Creating
> LDAP pool 'authz'
>   2018-09-19 15:29:23,796+03 INFO
> [ovirt-engine-extension-aaa-ldap.authn::ldap23.exalt.ps-authn] LDAP pool
> 'authz' information: vendor='null' version='null'
>   2018-09-19 15:29:23,797+03 INFO
> [ovirt-engine-extension-aaa-ldap.authn::ldap23.exalt.ps-authn] Creating
> LDAP pool 'authn'
>   2018-09-19 15:29:24,196+03 INFO
> [ovirt-engine-extension-aaa-ldap.authn::ldap23.exalt.ps-authn] LDAP pool
> 'authn' information: vendor='null' version='null'
>   2018-09-19 15:29:24,197+03 INFOExtension
> 'ldap23.exalt.ps-authn' initialized
>   2018-09-19 15:29:24,197+03 INFOInitializing extension '
> ldap23.exalt.ps'
>   2018-09-19 15:29:24,198+03 INFO
> [ovirt-engine-extension-aaa-ldap.authz::ldap23.exalt.ps]Creating LDAP
> pool 'authz'
>   2018-09-19 15:29:24,614+03 INFO
> [ovirt-engine-extension-aaa-ldap.authz::ldap23.exalt.ps]LDAP pool 'authz'
> information: vendor='null' version='null'
>   2018-09-19 15:29:24,615+03 INFO
> [ovirt-engine-extension-aaa-ldap.authz::ldap23.exalt.ps]   Available
> Namespaces: [ou=users,dc=exalt,dc=ps]
>   2018-09-19 15:29:24,615+03 INFOExtension 'ldap23.exalt.ps'
> initialized
>   2018-09-19 15:29:24,615+03 INFOStart of enabled extensions
> list
>   2018-09-19 15:29:24,616+03 INFOInstance name:
> 'ldap23.exalt.ps-authn', Extension name: '
> ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes: 'Display
> name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', License: 'ASL
> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
> interface Version: '0',  File:
> '/tmp/tmphILEhJ/extensions.d/ldap23.exalt.ps-authn.properties',
> Initialized: 'true'
>   2018-09-19 15:29:24,616+03 INFOInstance name: '
> ldap23.exalt.ps', Extension name:
> 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes: 'Display
> name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', License: 'ASL
> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project',  Build
> interface Version: '0',  File:
> '/tmp/tmphILEhJ/extensions.d/ldap23.exalt.ps.properties', Initialized:
> 'true'
>   2018-09-19 15:29:24,616+03 INFOEnd of enabled extensions list
>   2018-09-19 15:29:24,616+03 INFO
> 
>   2018-09-19 15:29:24,616+03 INFO
> == Execution ===
>   2018-09-19 15:29:24,616+03 INFO
> 

[ovirt-users] Re: oVirt 4.2.6.1 - 4.2.6.2 upgrade fails

2018-08-14 Thread Martin Perina
Adding Eli

On Tue, Aug 14, 2018 at 9:03 AM, Yedidyah Bar David  wrote:

> On Tue, Aug 14, 2018 at 9:27 AM, Maton, Brett 
> wrote:
> >
> > Just tried to update my test cluster to 4.2.6.2 :
> >
> >
> > [ INFO  ] Stage: Misc configuration
> > [ INFO  ] Running vacuum full on the engine schema
> > [ INFO  ] Running vacuum full elapsed 0:00:04.523561
> > [ INFO  ] Upgrading CA
> > [ INFO  ] Backing up database localhost:ovirt_engine_history to
> > '/var/lib/ovirt-engine-dwh/backups/dwh-20180814071815.xVSlda.dump'.
> > [ INFO  ] Creating/refreshing DWH database schema
> > [ INFO  ] Configuring Image I/O Proxy
> > [ INFO  ] Configuring WebSocket Proxy
> > [ INFO  ] Backing up database localhost:engine to
> > '/var/lib/ovirt-engine/backups/engine-20180814071825.af3Hq2.dump'.
> > [ INFO  ] Creating/refreshing Engine database schema
> > [ ERROR ] schema.sh: FATAL: Cannot execute sql command:
> > --file=/usr/share/ovirt-engine/dbscripts/upgrade/04_
> 02_1220_default_all_search_engine_string_fields_to_not_null.sql
> > [ ERROR ] Failed to execute stage 'Misc configuration': Engine schema
> > refresh failed
> > [ INFO  ] Yum Performing yum transaction rollback
> >
> >
> > May or may not be relevant in this case but /tmp and /var/tmp are mounted
> > noexec.
>
> I do not think this is tested regularly, but I guess it should be ok.
>
> > Any more logs you need let me know.
>
> Can you please check/share full setup log? engine-setup should output the
> full path, it should be in /var/log/ovirt-engine/setup . Thanks.
> --
> Didi
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/KQGLRAXYPMUBZMIMWDISVUHBNLV4BLHX/
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HEUCWGSLJNGIWWG3JRW3TZMN4L7UCUHB/


[ovirt-users] Re: AD authentication not working after upgrade to 4.2.5

2018-08-09 Thread Martin Perina
Ondro, could you please take a look?

On Thu, 9 Aug 2018, 16:30 Sandro Bonazzola,  wrote:

> Martin can you please look at this?
>
> 2018-08-09 15:58 GMT+02:00 :
>
>> Hello,
>>  I have upgraded from 4.2.4 to 4.2.5 and in our AD profile users
>> can no longer login.
>>
>> in the engine log I am getting
>> ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet]
>> (default task-15) [] Internal Server Error: Cannot resolve principal
>> 'LEEDSBECKETT\stanif02'
>> ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-15) []
>> Cannot resolve principal 'LEEDSBECKETT\stanif02'
>> ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default
>> task-15) [] server_error: Cannot resolve principal 'LEEDSBECKETT\stanif02'
>> ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet]
>> (default task-15) [] Internal Server Error: Cannot resolve principal
>> 'LEEDSBECKETT\stanif02'
>> ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-15) []
>> Cannot resolve principal 'LEEDSBECKETT\stanif02'
>>
>> although I can test authentication using "ovirt-engine-extensions-tool
>> aaa login-user"
>>
>> Thanks,
>>Paul S.
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/GVDAT7PMPD2WTHOLUIWQ3KKVF76NH5L7/
>>
>
>
>
> --
>
> SANDRO BONAZZOLA
>
> MANAGER, SOFTWARE ENGINEERING, EMEA R RHV
>
> Red Hat EMEA 
>
> sbona...@redhat.com
> 
> 
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QRIRDOF36ZCSETLACHRZ5MITPZMGMPWW/


[ovirt-users] Re: ERROR: integer out of range

2018-07-19 Thread Martin Perina
xtension.undertow.deployment.
> UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(
> UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
> ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$
> 000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
> ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(
> HttpServerExchange.java:812)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> [rt.jar:1.8.0_171]
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> [rt.jar:1.8.0_171]
> at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_171]
> Caused by: org.postgresql.util.PSQLException: ERROR: integer out of range
> at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(
> QueryExecutorImpl.java:2157)
> at org.postgresql.core.v3.QueryExecutorImpl.processResults(
> QueryExecutorImpl.java:1886)
> at org.postgresql.core.v3.QueryExecutorImpl.execute(
> QueryExecutorImpl.java:255)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(
> AbstractJdbc2Statement.java:555)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(
> AbstractJdbc2Statement.java:403)
> at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(
> AbstractJdbc2Statement.java:283)
> at org.jboss.jca.adapters.jdbc.WrappedStatement.executeQuery(
> WrappedStatement.java:397)
> at org.springframework.jdbc.core.JdbcTemplate$1QueryStatementCallback.
> doInStatement(JdbcTemplate.java:458) [spring-jdbc.jar:4.3.9.RELEASE]
> at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:408)
> [spring-jdbc.jar:4.3.9.RELEASE]
> ... 151 more
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BHAZ3EIHZXR4NFA5OKKEXAQOHUQKF2KF/


[ovirt-users] Re: change from LDAP to AD authentication

2018-07-08 Thread Martin Perina
On Thu, Jul 5, 2018 at 12:36 PM,  wrote:

> Hello,
>  as part of our policy I have to change from LDAP to Active
> Directory for authentication in our oVirt system.


​Hmm, do I understand that correctly that you were moving oVirt users from
some other LDAP server to AD? Any reason other than political to do that?
​

> I have managed to configure a test system that allows users to login using
> the CN (sAMAccountName) as before. The users in the system using the AD
> namespace are using their UPN for their user name.
> Do we have to copy permissions from all the old accounts to their new
> accounts or is there a way to rename them to the UPN retaining there old
> permissions?
>

​I don't think there is any other way than to copy permissions. But you can
automate the process using for example
ovirt_permissions/ovirt_permissions​_facts Ansible modules [1] or one of
our SDKs (Python, Java, Ruby).

Martin

[1]
https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html#ovirt


> Thanks,
> Paul S.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/3W3UAU3G3V53E7GT4CKT2MIH3GAFZ4DU/
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XQZ66LBZSP3FMMZBM3DGMD45I5552SQZ/


[ovirt-users] Re: fence_rhevm and ovirt 4.2

2018-07-08 Thread Martin Perina
On Sat, Jul 7, 2018 at 5:14 PM, Gianluca Cecchi 
wrote:

> Hello,
> I'm configuring a virtual rhcs cluster and would like to use fence_rhevm
> agent for stonith.
> As VMs composing the 4-nodes cluster I'm using CentOS 7.4 os
> with fence-agents-rhevm-4.0.11-66.el7_4.4.x86_64; I see that in 7.5 the
> agent is fence-agents-rhevm-4.0.11-86.el7_5.2.x86_64 but with no
> modification for the /usr/sbin/fence_rhevm python script apart the
> BUILD_DATE line.
>
> Some questions:
> - it seems it is still in API v3 even if deprecated; any particular
> reason? Possible to update to V4? Can I create a RFE bugzilla?
>

​We already have a bug for that:

https://bugzilla.redhat.com/show_bug.cgi?id=1402862​

Let's hope it will be delivered in CentOS 7.6


> This is in fact what I get in engine events registering connection:
>
> ​​
> Client from address "10.4.4.68"
> ​​
> is using version 3 of the API,
> ​​
> which has been deprecated since version 4.0 of the engine, and will no
> longer be supported starting with version 4.3. Make sure to update that
> client to use a supported versions of the API and the SDKs, before
> upgrading to version 4.3 of the engine.
> 7/7/184:56:11 PM
>

​We need to get this message fixed, we already know that APIv3 will not be
removed in oVirt 4.3, created https://bugzilla.redhat.com/1599054 to track
that
​

>
> User fenceuser@internal-authz connecting from '10.4.4.68' using session '
> OVgdzMofRFDS4ZKSdL83mRyGUFEdc+++onJHzGiAfpYuS07xa/
> EbBqFEPtztpwEeRzCn9mBOTGXE69rBbHlhXQ==' logged in.
> 7/7/184:56:11 PM
>
> - UserRole ok
> Back in April 2017 for version 4.1.1 I had problems and it seems I had to
> set super user privileges for the "fencing user"
> See thread here
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/
> FS5YFU5ZXIYDC5SWQY4MZS65UDKSX7JS/
>
> Now instead I only set UserRole for the defined "fenceuser" on the virtual
> cluster VMS and it works ok
>
> - for a VM with permissions already setup:
> [root@cl1 ~]# fence_rhevm -a 10.4.192.49 -l "fenceuser@internal" -S
> /usr/local/bin/pwd_ovmgr01.sh -z  --ssl-insecure -o status
> --shell-timeout=20 --power-wait=10 -n cl1
> Status: ON
>
> - for a VM still without permissions
> [root@cl1 ~]# fence_rhevm -a 10.4.192.49 -l "fenceuser@internal" -S
> /usr/local/bin/pwd_ovmgr01.sh -z  --ssl-insecure -o status
> --shell-timeout=20 --power-wait=10 -n cl2
> Failed: Unable to obtain correct plug status or plug is not available
>
> - for a VM with permissions already setup:
> I'm able to make power off / power on of the VM
>

​Eli, please take a look at above, that might be the issue you saw with
fence_rhevm


> Thanks,
> Gianluca
>
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/YIZUMYY5OFHIOBYVALGDKOEDYM5KMPGY/
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YXAOD6DCNLXNW2DWYJOW7A6SWO2VFWQN/


[ovirt-users] Re: ENGINE_SSO_AUTH_URL configuration

2018-07-04 Thread Martin Perina
On Wed, Jul 4, 2018 at 3:06 PM, Hari Prasanth Loganathan <
hariprasant...@msystechnologies.com> wrote:

> Hi Martin,
>
> Thanks for pointing this url.
>
> 1) Based on this post, I created a client id using the
> 'ovirt-register-sso-client-tool'
>
>
> select * from sso_clients;
>
>   3 | *test*   | eyJhcnRpZmFjdCI6IkVudmVsb3BlUE
> JFIiwic2FsdCI6IjFuYktJa3JrWEFCc2R5NzNnNFIrc09NWitGNHI1dW5UY2
> s1U2t3cWlCMGs9Iiwic2VjcmV0
> IjoiRTVwNExDQXpxenhGSHFxdmQwNDhTNDRkN3dNMEwrZVQrYTZlK3lXR044
> VT0iLCJ2ZXJzaW9uIjoiMSIsIml0ZXJhdGlvbnMiOiI0MDAwIiwiYWxnb3Jp
> dGhtIjoiUEJLREYyV2l0aEh
> tYWNTSEExIn0= | http://172.30.39.176:9090/api/auth/sso  |
> /root/ssl/ssl/certificate.pem  |
>
>  | oVirt Engine Client |   | openid
> ovirt-app-portal ovirt-app-admin ovirt-app-api ovirt-ext=auth:identity
> ovirt-ex
> t=token:password-access ovirt-ext=auth:sequence-priority
> ovirt-ext=token:login-on-behalf ovirt-ext=token-info:authz-search
> ovirt-ext=token-info
> :public-authz-search ovirt-ext=token-info:validate
> ovirt-ext=revoke:revoke-all | t   | TLS|
> f
>| t
>
>
>
> I will store this sso_client information in my application too.
>
>
> 2) Is it possible to use *JUST* this 'client_id' and 'client_secret' to
> communicate from my application to oVirt instead of oVirt token?
>
>   I mean like My_Application ---> (using client id - test) oVirt
> API
>

​I don't think so, the client id/secret is used only to authenticate OIDC
client to the OIDC server, and not real client to the application ​using
SSO. But leaving this final answer to this question to Ravi, he is our
expert on OIDC. Ravi?


>
> Thanks,
> Hari
>
>
>
>
>
>
> On Wed, Jul 4, 2018 at 5:32 PM, Martin Perina  wrote:
>
>>
>>
>> On Wed, Jul 4, 2018 at 1:54 PM, Hari Prasanth Loganathan <
>> hariprasant...@msystechnologies.com> wrote:
>>
>>> Okay Thanks Martin.
>>> I already come across this blog but curious any way to point the
>>> authentication and authorization to my HTTP URL. so that I don't want to
>>> depend on the ovirt token.
>>>
>>
>> ​There's no way how to replace oVirt SSO with different implementation,
>> you need to use oVirt token.
>>
>> But other than relying on Apache you could also configure your
>> application as OpenID Connect client to oVirt SSO similarly as it's
>> described for Kibana/Elastic search  integration:
>>
>> https://www.ovirt.org/blog/2017/05/openshift-openId-integrat
>> ion-with-engine-sso/​
>>
>> Then you would have only single token for both your application and oVirt
>>
>>
>>>
>>>
>>>
>>>
>>> On Wed, Jul 4, 2018 at 5:04 PM, Martin Perina 
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Jul 4, 2018 at 12:02 PM, Hari Prasanth Loganathan <
>>>> hariprasant...@msystechnologies.com> wrote:
>>>>
>>>>> Hi Team,
>>>>>
>>>>> I want oVirt to point to my Authentication / Authorization HTTP URL,
>>>>> so I modified the following property in
>>>>> */etc/ovirt-engine/engine.conf.d/11-setup-sso.conf*
>>>>>
>>>>>
>>>>> #ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso;
>>>>>   ENGINE_SSO_AUTH_URL="http://172.30.39.176:9090/api/auth/sso;
>>>>>
>>>>> #SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/;
>>>>>   SSO_ENGINE_URL="http://172.30.39.176:9090/api/auth/;
>>>>> ​
>>>>>
>>>>
>>>>> I verified in the log and found the following message :
>>>>>
>>>>> engine.log:2018-07-04 15:12:46,238+05 INFO
>>>>> [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService
>>>>> Thread Pool -- 42) [] Value of property 'ENGINE_SSO_AUTH_URL' is '
>>>>> http://172.30.39.176:9090/api/auth/sso'.
>>>>> engine.log:2018-07-04 15:12:46,244+05 INFO
>>>>> [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService
>>>>> Thread Pool -- 42) [] Value of property 'SSO_ENGINE_URL' is '
>>>>> http://172.30.39.176:9090/api/auth/'.
>>>>>
>>>>>
>>>>> But still it is not point to my Authentication URL, Is there any other
>>>>> change we need to make to point the oVirt Authentication to my HTTP URL?
>>>>>
>>>>
>>>> ​Hi,
>>&g

[ovirt-users] Re: ENGINE_SSO_AUTH_URL configuration

2018-07-04 Thread Martin Perina
On Wed, Jul 4, 2018 at 1:54 PM, Hari Prasanth Loganathan <
hariprasant...@msystechnologies.com> wrote:

> Okay Thanks Martin.
> I already come across this blog but curious any way to point the
> authentication and authorization to my HTTP URL. so that I don't want to
> depend on the ovirt token.
>

​There's no way how to replace oVirt SSO with different implementation, you
need to use oVirt token.

But other than relying on Apache you could also configure your application
as OpenID Connect client to oVirt SSO similarly as it's described for
Kibana/Elastic search  integration:

https://www.ovirt.org/blog/2017/05/openshift-openId-integration-with-engine-sso/
​

Then you would have only single token for both your application and oVirt


>
>
>
>
> On Wed, Jul 4, 2018 at 5:04 PM, Martin Perina  wrote:
>
>>
>>
>> On Wed, Jul 4, 2018 at 12:02 PM, Hari Prasanth Loganathan <
>> hariprasant...@msystechnologies.com> wrote:
>>
>>> Hi Team,
>>>
>>> I want oVirt to point to my Authentication / Authorization HTTP URL, so
>>> I modified the following property in
>>> */etc/ovirt-engine/engine.conf.d/11-setup-sso.conf*
>>>
>>>
>>> #ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso;
>>>   ENGINE_SSO_AUTH_URL="http://172.30.39.176:9090/api/auth/sso;
>>>
>>> #SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/;
>>>   SSO_ENGINE_URL="http://172.30.39.176:9090/api/auth/;
>>> ​
>>>
>>
>>> I verified in the log and found the following message :
>>>
>>> engine.log:2018-07-04 15:12:46,238+05 INFO
>>> [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService
>>> Thread Pool -- 42) [] Value of property 'ENGINE_SSO_AUTH_URL' is '
>>> http://172.30.39.176:9090/api/auth/sso'.
>>> engine.log:2018-07-04 15:12:46,244+05 INFO
>>> [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (ServerService
>>> Thread Pool -- 42) [] Value of property 'SSO_ENGINE_URL' is '
>>> http://172.30.39.176:9090/api/auth/'.
>>>
>>>
>>> But still it is not point to my Authentication URL, Is there any other
>>> change we need to make to point the oVirt Authentication to my HTTP URL?
>>>
>>
>> ​Hi,
>>
>> what exactly are you trying to achieve? To change URL where engine is
>> available or to replace existing oVirt SSO module with custom
>> implementation? If the latter, then this is not supported.
>>
>> But if you need to configure additional authentication methods, for
>> example kerberos SSO or CAS, you can do this using combination of Apache
>> with relevant modules + ovirt-engine-extension-aaa-lda
>> p/ovirt-engine-extension-aaa-misc packages:
>>
>> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/
>> blob/master/README
>> https://github.com/oVirt/ovirt-engine-extension-aaa-misc/
>> blob/master/README.http
>> https://www.ovirt.org/blog/2016/04/sso/
>>
>> Regards
>>
>> Martin
>> ​
>>
>>>
>>> Thanks,
>>> Hari
>>>
>>> ___
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>> oVirt Code of Conduct: https://www.ovirt.org/communit
>>> y/about/community-guidelines/
>>> List Archives: https://lists.ovirt.org/archiv
>>> es/list/users@ovirt.org/message/NZKOGON5PKXSE47J25X72WYCOIGOJ3NW/
>>>
>>>
>>
>>
>> --
>> Martin Perina
>> Associate Manager, Software Engineering
>> Red Hat Czech s.r.o.
>>
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7WJWKAPT2ZKFWOENVU64LIHCTNLKE7JE/


[ovirt-users] Re: LDAP login extension

2018-07-04 Thread Martin Perina
On Wed, Jun 27, 2018 at 9:14 AM, Mariusz Kozakowski <
mariusz.kozakow...@sallinggroup.com> wrote:

> Hello,
>
> We managed to setup oVirt Engine with your help, now we're facing other
> issue.
>
> I'm trying to configure AD auth for web portal, but unfortunately I got
> error during ovirt-engine-extension-aaa-ldap-setup:
>
>
>   2018-06-27 09:06:21,926+02 INFO==
> ==
>   2018-06-27 09:06:21,926+02 INFO==
> Execution ===
>   2018-06-27 09:06:21,926+02 INFO==
> ==
>   2018-06-27 09:06:21,927+02 INFOIteration: 0
>   2018-06-27 09:06:21,928+02 INFOProfile='ad' authn='ad-authn'
> authz='ad-authz' mapping='null'
>   2018-06-27 09:06:21,928+02 INFOAPI: 
> -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
> profile='ad' user='username'
>   2018-06-27 09:06:21,945+02 INFOAPI: 
> <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
> profile='ad' result=SUCCESS
>   2018-06-27 09:06:21,948+02 INFO--- Begin AuthRecord ---
>   2018-06-27 09:06:21,949+02 INFOAAA_AUTHN_AUTH_RECORD_PRINCIPAL:
> username
>   2018-06-27 09:06:21,949+02 INFO--- End   AuthRecord ---
>   2018-06-27 09:06:21,950+02 INFOAPI:
> -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='username'
>   2018-06-27 09:06:21,952+02 WARNING Ignoring records from pool:
> 'gc'
>   2018-06-27 09:06:21,953+02 SEVERE  Cannot resolve principal
> 'username'
>

​Hi,

are you sure that you are trying to configure either "standalone AD domain"
or "AD forrest with ​multi-domain trust" using the tool? I'm asking because
if want to configure AD which is part of AD forrest, you cannot do that
using the tool, as this is advanced configuration. And we don't support
multi-forrest with multi-domain trusts at all.

Could you please describe your AD setup and share with us full output of
aaa-ldap-setup tool?

Thanks

Martin


> Do you have any idea what's the issue and what we're missing? As it looks
> like credentials are correct - passing wrong username gives fail earlier,
> so issue is somewhere after authentication.
>
> --
>
> Best regards/Pozdrawiam/MfG
>
> *Mariusz Kozakowski*
>
> Site Reliability Engineer
>
> Dansk Supermarked Group
> Baltic Business Park
> ul. 1 Maja 38-39
> 71-627 Szczecin
> dansksupermarked.com
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/6BZXOA6ZXMSN5EPC67LNBUSANJLUBHA7/
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VD2CTLJTEA2MUKM3DHF2TFMBFIANAGKQ/


[ovirt-users] Re: oVirt Authentication and Authorization

2018-07-04 Thread Martin Perina
t;>> org.ovirt.engine
>>> .core.aaa.filters.SsoRestApiAuthFilter
>>>  
>>>  
>>>  SsoRestApiAuthFilter
>>>  /*
>>>  
>>>
>>>  
>>>  SsoRestApiNegotiationFilter
>>> org.ovirt.engine
>>> .core.aaa.filters.SsoRestApiNegotiationFilter
>>>  
>>>  
>>>  SsoRestApiNegotiationFilter
>>>  /*
>>>  
>>>
>>> If my query is not clear, please let me know.
>>>
>>> Thanks,
>>> Hari
>>>
>>>
>>>
>>>
>>>
>>> ___
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>> oVirt Code of Conduct: https://www.ovirt.org/communit
>>> y/about/community-guidelines/
>>> List Archives: https://lists.ovirt.org/archiv
>>> es/list/users@ovirt.org/message/R5QK6VPZ5OQXHBODY4BY5JHJCC4X2ZKV/
>>>
>>>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/TYQ54CXHZWYU2N7ZFMUERBD44TERMTBE/
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FOPQSFFDD7543XQ2VKGGN7PLMRKR7KZL/


[ovirt-users] Re: ENGINE_SSO_AUTH_URL configuration

2018-07-04 Thread Martin Perina
On Wed, Jul 4, 2018 at 12:02 PM, Hari Prasanth Loganathan <
hariprasant...@msystechnologies.com> wrote:

> Hi Team,
>
> I want oVirt to point to my Authentication / Authorization HTTP URL, so I
> modified the following property in
> */etc/ovirt-engine/engine.conf.d/11-setup-sso.conf*
>
>
> #ENGINE_SSO_AUTH_URL="https://${ENGINE_FQDN}:443/ovirt-engine/sso;
>   ENGINE_SSO_AUTH_URL="http://172.30.39.176:9090/api/auth/sso;
>
> #SSO_ENGINE_URL="https://${ENGINE_FQDN}:443/ovirt-engine/;
>   SSO_ENGINE_URL="http://172.30.39.176:9090/api/auth/;
> ​
>

> I verified in the log and found the following message :
>
> engine.log:2018-07-04 15:12:46,238+05 INFO  
> [org.ovirt.engine.core.uutils.config.ShellLikeConfd]
> (ServerService Thread Pool -- 42) [] Value of property
> 'ENGINE_SSO_AUTH_URL' is 'http://172.30.39.176:9090/api/auth/sso'.
> engine.log:2018-07-04 15:12:46,244+05 INFO  
> [org.ovirt.engine.core.uutils.config.ShellLikeConfd]
> (ServerService Thread Pool -- 42) [] Value of property 'SSO_ENGINE_URL' is '
> http://172.30.39.176:9090/api/auth/'.
>
>
> But still it is not point to my Authentication URL, Is there any other
> change we need to make to point the oVirt Authentication to my HTTP URL?
>

​Hi,

what exactly are you trying to achieve? To change URL where engine is
available or to replace existing oVirt SSO module with custom
implementation? If the latter, then this is not supported.

But if you need to configure additional authentication methods, for example
kerberos SSO or CAS, you can do this using combination of Apache with
relevant modules +
ovirt-engine-extension-aaa-ldap/ovirt-engine-extension-aaa-misc packages:

https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
https://github.com/oVirt/ovirt-engine-extension-aaa-misc/blob/master/README.http
https://www.ovirt.org/blog/2016/04/sso/

Regards

Martin
​

>
> Thanks,
> Hari
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/NZKOGON5PKXSE47J25X72WYCOIGOJ3NW/
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CGH2QSKU27JLP635KZ63SKTWA3O5VUBC/


[ovirt-users] Re: oVirt Version 4.2.3.5-1.el7.centos cannot change password from user (Bad Request)

2018-06-08 Thread Martin Perina
On Fri, Jun 8, 2018 at 6:47 AM, Alejandro Cortina <
alejandro.corti...@gmail.com> wrote:

> Hi there,
>
> I have created a new user from hosted engine by:
>
> ovirt-aaa-jdbc-tool user add test_user --attribute=description='test user'
> --attribute=firstName=test_user
> ovirt-aaa-jdbc-tool user password-reset test_user --password=pass:changeme
>

​You need to specify password expiration date, otherwise it's expired at
the same moment you set it. Please take a look at [1]
​

>
> then I try to login and I get the message:
>
>  *Unable to log in because the password has expired. Change the password
> to proceed. *
>
> When I click "Change the password" the browser redirects to:
>
> https://FQDN/ovirt-engine/sso/%s
>
> and I get
>
>
>
>
> *Bad RequestYour browser sent a request that this server could not
> understand.*
>
> Last time I tried with 4.2.1 and it was working with no issues.
>

​Could you please share engine.log so we can get more details about the
issue?
​

Thanks

Martin

​[1]
https://www.ovirt.org/develop/release-management/features/infra/aaa-jdbc/#password-management
​


> Cheers,
>
> Alex
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/JALESO5IC4PMEJPX5UMOZUZPKSC2SDYT/
>
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KCQPFZNUO2C3IV3DLB5QARREZCUSR3BG/


[ovirt-users] Re: Ovirt 4.2.4 upgrade

2018-05-25 Thread Martin Perina
On Fri, May 25, 2018 at 1:30 PM, Maton, Brett <mat...@ltresources.co.uk>
wrote:

> It would be from the last 4.2.3 release in the ovirt-4.2-pre repositories
>
> I haven't got the logs unfortunately, I'll try to recreate the scenario
> over the weekend.
>

​Please try and share upgrade logs. I've just quickly tried the upgrade
from 4.2.3.7 to 4.2.4 and db upgrade was OK.​

Thanks

Martin


> On 25 May 2018 at 12:09, Martin Perina <mper...@redhat.com> wrote:
>
>> Hi,
>>
>> from which oVirt version are you upgrading to 4.2.4? Could you please
>> share with us complete upgrade logs from engine host?
>>
>> Thanks
>>
>> Martin
>>
>>
>> On Fri, May 25, 2018 at 10:38 AM, Sandro Bonazzola <sbona...@redhat.com>
>> wrote:
>>
>>>
>>>
>>> 2018-05-25 9:41 GMT+02:00 Maton, Brett <mat...@ltresources.co.uk>:
>>>
>>>> The 4.2.4 upgrade appears to have a database issue, i'm seeing these
>>>> errors in the postgresql logs:
>>>>
>>>> 2018-05-24 16:27:08.292 UTC ERROR:  relation "provider_binding_host_id"
>>>> does not exist at character 15
>>>> 2018-05-24 16:27:08.292 UTC QUERY:  SELECT 1 FROM
>>>> provider_binding_host_id WHERE vds_id = v_vds_id FOR UPDATE
>>>> 2018-05-24 16:27:08.292 UTC CONTEXT:  PL/pgSQL function
>>>> updatehostproviderbinding(uuid,character varying[],character
>>>> varying[]) line 3 at PERFORM
>>>>
>>>> Any suggestions ?
>>>>
>>>
>>> Thanks for having tested 4.2.4 RC1 and giving feedback! Adding Martin
>>> and Eli for further investigations.
>>>
>>>
>>>
>>>>
>>>> _______
>>>> Users mailing list -- users@ovirt.org
>>>> To unsubscribe send an email to users-le...@ovirt.org
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> SANDRO BONAZZOLA
>>>
>>> ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R
>>>
>>> Red Hat EMEA <https://www.redhat.com/>
>>>
>>> sbona...@redhat.com
>>> <https://red.ht/sig>
>>> <https://redhat.com/summit>
>>>
>>
>>
>>
>> --
>> Martin Perina
>> Associate Manager, Software Engineering
>> Red Hat Czech s.r.o.
>>
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org


[ovirt-users] Re: Ovirt 4.2.4 upgrade

2018-05-25 Thread Martin Perina
Hi,

from which oVirt version are you upgrading to 4.2.4? Could you please share
with us complete upgrade logs from engine host?

Thanks

Martin


On Fri, May 25, 2018 at 10:38 AM, Sandro Bonazzola <sbona...@redhat.com>
wrote:

>
>
> 2018-05-25 9:41 GMT+02:00 Maton, Brett <mat...@ltresources.co.uk>:
>
>> The 4.2.4 upgrade appears to have a database issue, i'm seeing these
>> errors in the postgresql logs:
>>
>> 2018-05-24 16:27:08.292 UTC ERROR:  relation "provider_binding_host_id"
>> does not exist at character 15
>> 2018-05-24 16:27:08.292 UTC QUERY:  SELECT 1 FROM
>> provider_binding_host_id WHERE vds_id = v_vds_id FOR UPDATE
>> 2018-05-24 16:27:08.292 UTC CONTEXT:  PL/pgSQL function
>> updatehostproviderbinding(uuid,character varying[],character varying[])
>> line 3 at PERFORM
>>
>> Any suggestions ?
>>
>
> Thanks for having tested 4.2.4 RC1 and giving feedback! Adding Martin and
> Eli for further investigations.
>
>
>
>>
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>>
>>
>
>
> --
>
> SANDRO BONAZZOLA
>
> ASSOCIATE MANAGER, SOFTWARE ENGINEERING, EMEA ENG VIRTUALIZATION R
>
> Red Hat EMEA <https://www.redhat.com/>
>
> sbona...@redhat.com
> <https://red.ht/sig>
> <https://redhat.com/summit>
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org


[ovirt-users] Re: Custom Intel AMT fencing question

2018-05-15 Thread Martin Perina
On Mon, May 14, 2018 at 8:13 PM, Shawn Southern <shawn.south...@entegrus.com
> wrote:

> I'm now using Intel AMT and the wsmancli package to reboot/power off/power
> on my entry level systems... but now I want oVirt to use this for fencing.
>
> I created 3 xml files: powercycle.xml (uses PowerState 10), poweron.xml
> (uses PowerState 2) and poweroff.xml (uses PowerState 8).  Here is the
> poweroff.xml file:
> http://schemas.dmtf.
> org/wbem/wscim/1/cim-schema/2/CIM_PowerManagementService">
>   8
>   http://schemas.xmlsoap.org/ws/2004/08/
> addressing"
> xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd;>
> http://schemas.xmlsoap.org/ws/2004/08/
> addressing/role/anonymous
> 
>   http://schemas.dmtf.org/wbem/wscim/1/
> cim-schema/2/CIM_ComputerSystem
>   
> CIM_
> ComputerSystem
> ManagedSystem
>   
> 
>   
> 
>
> I can then reboot or power on/off the server with:
> wsman invoke -a RequestPowerStateChange http://schemas.dmtf.org/wbem/
> wscim/1/cim-schema/2/CIM_PowerManagementService -h [AMT IP] -P 16992 -u
> admin -p [amt password] -J /fencing/poweron.xml  (or poweroff.xml, etc).
>
> My question is, how do I move from this to using this for fencing in oVirt?
>

​At the moment oVirt doesn't officially support AMT as fence agent. But
I've just looked that on CentOS 7 we already have fence-agents-amt-ws
package, so please try to install fence-agents-amt-ws package and test if
it's working for your server​.

If above agent is working fine, then please take a look Custom Fencing
oVirt feature [1], which should allow you to use fence_agent_amt_ws agent
in oVirt. Am I right Eli?

Regards

Martin


[1] https://www.ovirt.org/develop/developer-guide/engine/custom-fencing/


> Thanks!
> _______
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives:


Re: [ovirt-users] managing local users in 4.2 ?

2018-05-06 Thread Martin Perina
On Fri, 4 May 2018, 15:59 Matthias Leopold, <
matthias.leop...@meduniwien.ac.at> wrote:

> Am 2018-05-04 um 12:36 schrieb Matthias Leopold:
> > Hi,
> >
> > i tried to create a local user in oVirt 4.2 with "ovirt-aaa-jdbc-tool
> > user add" (like i did in oVirt 4.1.9). the command worked ok, but the
> > created user wasn't visible in the web gui. i then used the "add" button
> > in admin portal to add the already existing user and after that the user
> > was visible. i didn't have to do that in 4.1.9, the "add" button was
> > already there the, but i didn't know what to do with it. how did
> > managing local users change in 4.2?
> >
>
> ok, i got it: only after setting actual permissions for a user he/she
> appears automatically in Admin Portal - Administration - Users. this was
> different in 4.1.9 IIRC
>

Sorry, but that behavior didn't change since 3.5/3.6. Only users which has
directly assigned a permission are listed there. But those users are
visible in all Add Permission tabs right after creating by aaa-jdbc tool.


> matthias
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] admin account constantly gets locked

2018-04-12 Thread Martin Perina
On Thu, Apr 12, 2018 at 1:04 PM, Martin Perina <mper...@redhat.com> wrote:

>
>
> On Thu, Apr 12, 2018 at 12:44 PM, Eitan Raviv <era...@redhat.com> wrote:
>
>> The recurring denied access for every SyncNetworkProvider might be
>> because you changed the admin password on the engine but not on the
>> provider.
>>
>> Dominik, will updating to the same password on the provider solve the
>> denied access?
>> Martin, does the engine lock out the admin user for failed retries?
>>
>
> ​Of course, after 5 incorrect logins the account is locked. But I looked
> at logs and I can't see any login errors, so currently trying to reproduce
> to find out what's going on ...
>

​OK, so confirmed. If you change password for admin@internal using
aaa-jdbc-tool and you don't change immediately for OVN provider, then
admin@interal account is locked.

We should probably change logic in OVN provider to shutdown the OVN
provider service if authentication failure to engine is raised. Using this
we will break OVN provider, but
it seems to me much less severe than locking admin@internal account.
Dominik, what do you think?
​


> ​
>
>
>>
>>
>> HTH
>>
>>
>> On Thu, Apr 12, 2018 at 12:29 PM, Käfer Marcel <
>> marcel.kae...@putzbrunn.de> wrote:
>>
>>> Here are the logfiles…
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>> *Von:* Eitan Raviv [mailto:era...@redhat.com]
>>> *Gesendet:* Donnerstag, 12. April 2018 11:12
>>> *An:* Käfer Marcel
>>> *Cc:* users@ovirt.org; Martin Perina
>>> *Betreff:* Re: [ovirt-users] admin account constantly gets locked
>>>
>>>
>>>
>>> The sync network command is probably unrelated.
>>>
>>> Can you attach the full engine and the setup logs?
>>>
>>> Martin, this looks a bit like [1]. Any idea?
>>>
>>> Thanks
>>>
>>>
>>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1410955
>>>
>>>
>>>
>>> On Thu, Apr 12, 2018 at 10:22 AM, Käfer Marcel <
>>> marcel.kae...@putzbrunn.de> wrote:
>>>
>>> Hello,
>>>
>>> a few days ago I installed an ovirt-engine 4.2.2.6 following the steps
>>> of the documentation. After the installation I logged in to the admin page,
>>> configured a datadomain and changed the admin password. After a few hours I
>>> tried to login again, using the new password and got "Unable to log in
>>> because the user account is disabled or locked. Contact the system
>>> administrator." So I unlocked the admin account from the shell using
>>> "ovirt-aaa-jdbc-tool user unlock admin" which worked fine and I was able to
>>> continue working till the next login.
>>>
>>> I traced the /var/log/ovirt-engine/engine.log and found this after
>>> unlocking the admin account again.
>>>
>>> 2018-04-12 09:06:19,984+02 INFO  [org.ovirt.engine.core.bll.pro
>>> vider.network.SyncNetworkProviderCommand] 
>>> (EE-ManagedThreadFactory-engineScheduled-Thread-87)
>>> [2ed5aa42] Lock Acquired to object 'EngineLock:{exclusiveLocks='[
>>> e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', sharedLocks=''}'
>>> 2018-04-12 09:06:19,991+02 INFO  [org.ovirt.engine.core.bll.pro
>>> vider.network.SyncNetworkProviderCommand] 
>>> (EE-ManagedThreadFactory-engineScheduled-Thread-87)
>>> [2ed5aa42] Running command: SyncNetworkProviderCommand internal: true.
>>> 2018-04-12 09:06:20,102+02 INFO  
>>> [org.ovirt.engine.extension.aaa.jdbc.core.Authentication]
>>> (default task-239) [] locking user: admin due to interval failures
>>> 2018-04-12 09:06:25,046+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils]
>>> (default task-239) [] OAuthException access_denied: Cannot authenticate
>>> user 'admin@internal': The username or password is incorrect..
>>> 2018-04-12 09:06:25,049+02 ERROR [org.ovirt.engine.core.bll.pro
>>> vider.network.SyncNetworkProviderCommand] 
>>> (EE-ManagedThreadFactory-engineScheduled-Thread-87)
>>> [2ed5aa42] Command 'org.ovirt.engine.core.bll.pro
>>> vider.network.SyncNetworkProviderCommand' failed: EngineException:
>>> (Failed with error Unauthorized and code 5050)
>>> 2018-04-12 09:06:25,050+02 INFO  [org.ovirt.engine.core.bll.pro
>>> vider.network.SyncNetworkProviderCommand] 
>>> (EE-ManagedThreadFactory-engineScheduled-Thread-87)
>>> [2ed5aa42] Lock freed to object 'EngineLock:{exclusiveLocks='[
>>>

Re: [ovirt-users] admin account constantly gets locked

2018-04-12 Thread Martin Perina
On Thu, Apr 12, 2018 at 12:44 PM, Eitan Raviv <era...@redhat.com> wrote:

> The recurring denied access for every SyncNetworkProvider might be because
> you changed the admin password on the engine but not on the provider.
>
> Dominik, will updating to the same password on the provider solve the
> denied access?
> Martin, does the engine lock out the admin user for failed retries?
>

​Of course, after 5 incorrect logins the account is locked. But I looked at
logs and I can't see any login errors, so currently trying to reproduce to
find out what's going on ...
​


>
>
> HTH
>
>
> On Thu, Apr 12, 2018 at 12:29 PM, Käfer Marcel <marcel.kae...@putzbrunn.de
> > wrote:
>
>> Here are the logfiles…
>>
>>
>>
>> Thanks
>>
>>
>>
>> *Von:* Eitan Raviv [mailto:era...@redhat.com]
>> *Gesendet:* Donnerstag, 12. April 2018 11:12
>> *An:* Käfer Marcel
>> *Cc:* users@ovirt.org; Martin Perina
>> *Betreff:* Re: [ovirt-users] admin account constantly gets locked
>>
>>
>>
>> The sync network command is probably unrelated.
>>
>> Can you attach the full engine and the setup logs?
>>
>> Martin, this looks a bit like [1]. Any idea?
>>
>> Thanks
>>
>>
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1410955
>>
>>
>>
>> On Thu, Apr 12, 2018 at 10:22 AM, Käfer Marcel <
>> marcel.kae...@putzbrunn.de> wrote:
>>
>> Hello,
>>
>> a few days ago I installed an ovirt-engine 4.2.2.6 following the steps of
>> the documentation. After the installation I logged in to the admin page,
>> configured a datadomain and changed the admin password. After a few hours I
>> tried to login again, using the new password and got "Unable to log in
>> because the user account is disabled or locked. Contact the system
>> administrator." So I unlocked the admin account from the shell using
>> "ovirt-aaa-jdbc-tool user unlock admin" which worked fine and I was able to
>> continue working till the next login.
>>
>> I traced the /var/log/ovirt-engine/engine.log and found this after
>> unlocking the admin account again.
>>
>> 2018-04-12 09:06:19,984+02 INFO  [org.ovirt.engine.core.bll.pro
>> vider.network.SyncNetworkProviderCommand] 
>> (EE-ManagedThreadFactory-engineScheduled-Thread-87)
>> [2ed5aa42] Lock Acquired to object 'EngineLock:{exclusiveLocks='[
>> e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', sharedLocks=''}'
>> 2018-04-12 09:06:19,991+02 INFO  [org.ovirt.engine.core.bll.pro
>> vider.network.SyncNetworkProviderCommand] 
>> (EE-ManagedThreadFactory-engineScheduled-Thread-87)
>> [2ed5aa42] Running command: SyncNetworkProviderCommand internal: true.
>> 2018-04-12 09:06:20,102+02 INFO  
>> [org.ovirt.engine.extension.aaa.jdbc.core.Authentication]
>> (default task-239) [] locking user: admin due to interval failures
>> 2018-04-12 09:06:25,046+02 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils]
>> (default task-239) [] OAuthException access_denied: Cannot authenticate
>> user 'admin@internal': The username or password is incorrect..
>> 2018-04-12 09:06:25,049+02 ERROR [org.ovirt.engine.core.bll.pro
>> vider.network.SyncNetworkProviderCommand] 
>> (EE-ManagedThreadFactory-engineScheduled-Thread-87)
>> [2ed5aa42] Command 'org.ovirt.engine.core.bll.pro
>> vider.network.SyncNetworkProviderCommand' failed: EngineException:
>> (Failed with error Unauthorized and code 5050)
>> 2018-04-12 09:06:25,050+02 INFO  [org.ovirt.engine.core.bll.pro
>> vider.network.SyncNetworkProviderCommand] 
>> (EE-ManagedThreadFactory-engineScheduled-Thread-87)
>> [2ed5aa42] Lock freed to object 'EngineLock:{exclusiveLocks='[
>> e37c0b9e-09bc-4893-9b0c-c70f56d6ecfc=PROVIDER]', sharedLocks=''}'
>>
>> It seems like the SyncNetworkProviderCommand is somehow locking the admin
>> account. I already restarted the whole machine but it didn't help.
>>
>> Can someone please point me in the right direction, where to find the
>> error?
>>
>> Thanks in advance
>>
>>
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>>
>>
>> --
>>
>> Eitan Raviv
>> IRC: erav (#ovirt #vdsm #devel #rhev-dev)
>>
>
>
>
> --
> Eitan Raviv
> IRC: erav (#ovirt #vdsm #devel #rhev-dev)
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] firewalld rules - snmp

2018-03-29 Thread Martin Perina
Hi,

please take a look at relevant blog post about customizing host deploy
process:

https://www.ovirt.org/blog/2017/12/host-deploy-customization/

Regards

Martin


On Thu, Mar 29, 2018 at 3:29 PM, Riaan Timmerman <ri...@networkedge.co.nz>
wrote:

> Hi
>
>
>
> I am running oVirt 4.2 and need to open the firewall (firewalld) to allow
> an external monitoring system to connect via snmp.
>
>
>
> Documentation is not exactly clear on how to do this?
>
>
>
> Regards
>
>
>
> Riaan
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] ILO2 Fencing

2018-03-29 Thread Martin Perina
On Thu, Mar 29, 2018 at 7:24 AM, TomK <tomk...@mdevsys.com> wrote:

> Hey Guy's,
>
> I've tested my ILO2 fence from the ovirt engine CLI and that works:
>
> fence_ilo2 -a 192.168.0.37 -l  --password="" --ssl-insecure
> --tls1.0 -v -o status
>

​You are using additional options on command line, please add below to the
Options field in Edit Fence Agent dialog and retry

  ssl_insecure=1,tls1.0=1

​


>
> The UI gives me:
>
> Test failed: Failed to run fence status-check on host 'ph-host01.my.dom'.
> No other host was available to serve as proxy for the operation.
>

​This is normal, fencing requires to have at least 2 working hosts in the
setup
​


>
> Going to add a second host in a bit but anyway to get this working with
> just one host?  I'm just adding the one host to oVirt for some POC we are
> doing atm but the UI forces me to adjust Power Management settings before
> proceeding.
>

​You have the options to disable fencing completely for cluster, it's
enough to turn off Enable fencing option in Fencing Policy tab in Edit
Cluster dialog.
​


>
> Also:
>
> 2018-03-28 02:04:15,183-04 WARN 
> [org.ovirt.engine.core.bll.network.NetworkConfigurator]
> (EE-ManagedThreadFactory-engine-Thread-335) [2d691be9] Failed to find a
> valid interface for the management network of host ph-host01.my.dom. If the
> interface br0 is a bridge, it should be torn-down manually.
> 2018-03-28 02:04:15,184-04 ERROR [org.ovirt.engine.core.bll.hos
> tdeploy.InstallVdsInternalCommand] (EE-ManagedThreadFactory-engine-Thread-335)
> [2d691be9] Exception: org.ovirt.engine.core.bll.netw
> ork.NetworkConfigurator$NetworkConfiguratorException: Interface br0 is
> invalid for management network
>

​Petr/Edward could you please take a look?
​


>
>
> I've these defined as such but not clear what it is expecting:
>
> [root@ph-host01 ~]# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
>valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
>valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master
> bond0 state UP qlen 1000
> link/ether 78:e7:d1:8c:b1:ba brd ff:ff:ff:ff:ff:ff
> 3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc mq
> master bond0 state DOWN qlen 1000
> link/ether 78:e7:d1:8c:b1:ba brd ff:ff:ff:ff:ff:ff
> 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc mq
> master bond0 state DOWN qlen 1000
> link/ether 78:e7:d1:8c:b1:ba brd ff:ff:ff:ff:ff:ff
> 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc mq
> master bond0 state DOWN qlen 1000
> link/ether 78:e7:d1:8c:b1:ba brd ff:ff:ff:ff:ff:ff
> 21: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master br0 state UP qlen 1000
> link/ether 78:e7:d1:8c:b1:ba brd ff:ff:ff:ff:ff:ff
> inet6 fe80::7ae7:d1ff:fe8c:b1ba/64 scope link
>valid_lft forever preferred_lft forever
> 23: ;vdsmdummy;: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen
> 1000
> link/ether fe:69:c7:50:0d:dd brd ff:ff:ff:ff:ff:ff
> 24: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> UP qlen 1000
> link/ether 78:e7:d1:8c:b1:ba brd ff:ff:ff:ff:ff:ff
> inet 192.168.0.39/23 brd 192.168.1.255 scope global br0
>valid_lft forever preferred_lft forever
> inet6 fe80::7ae7:d1ff:fe8c:b1ba/64 scope link
>valid_lft forever preferred_lft forever
> [root@ph-host01 ~]# cd /etc/sysconfig/network-scripts/
> [root@ph-host01 network-scripts]# cat ifcfg-br0
> DEVICE=br0
> TYPE=Bridge
> BOOTPROTO=none
> IPADDR=192.168.0.39
> NETMASK=255.255.254.0
> GATEWAY=192.168.0.1
> ONBOOT=yes
> DELAY=0
> USERCTL=no
> DEFROUTE=yes
> NM_CONTROLLED=no
> DOMAIN="my.dom nix.my.dom"
> SEARCH="my.dom nix.my.dom"
> HOSTNAME=ph-host01.my.dom
> DNS1=192.168.0.224
> DNS2=192.168.0.44
> DNS3=192.168.0.45
> ZONE=public
> [root@ph-host01 network-scripts]# cat ifcfg-bond0
> DEVICE=bond0
> ONBOOT=yes
> BOOTPROTO=none
> USERCTL=no
> NM_CONTROLLED=no
> BONDING_OPTS="miimon=100 mode=2"
> BRIDGE=br0
> #
> #
> # IPADDR=192.168.0.39
> # NETMASK=255.255.254.0
> # GATEWAY=192.168.0.1
> # DNS1=192.168.0.1
> [root@ph-host01 network-scripts]#
>
>
> --
> Cheers,
> Tom K.
> 
> -
>
> Living on earth is expensive, but it includes a free trip around the sun.
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Cannot activate host from maintenance mode

2018-02-28 Thread Martin Perina
On 28 Feb 2018 10:14 am, "Tal Bar-Or"  wrote:

Hello,

I have Ovirt Version:4.2.1.7-1.el7.centos, I did upgrade according to host
indication  ,and since then I get the following error when trying to
activate host " Cannot activate Host. Host has no unique id. "


Could you please share all engine logs with us so we can investigate?

Thanks

Martin

Any idea how to fix this issue, please advice
Thanks

-- 
Tal Bar-or

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Power Management - Supermicro SuperBlade

2018-02-28 Thread Martin Perina
On Tue, Feb 27, 2018 at 10:13 PM, Scott Harvanek <sco...@sourcemirrors.org>
wrote:

> Well I can get all that the issue is how to I specify the blade ID to the
> fence agent? Since we don’t want to power cycle the entire shelf
>

​I haven't seen this hardware, but generally there are 2 possibilities:

1. Withing your SuperBlade management you need to specify unique IP address
for IPMI interface of each host

2. If 1. is not possible, but you have other identification of a host, then
you can try to pass that value using '-n' option on command line or
'plug=XXX' in Options field of a Fence Agent in webadmin

Martin


> -Scott H
>
> On Feb 26, 2018, at 3:34 AM, Martin Perina <mper...@redhat.com> wrote:
>
>
>
> On Sun, Feb 25, 2018 at 7:53 AM, Scott Harvanek <sco...@sourcemirrors.org>
> wrote:
>
>> Hoping someone can help here, I've looked and can't find any examples on
>> this.
>>
>> I've got some SuperBlade chassis and the blades are managed via the
>> chassis controller.  What is the proper way to configure power management
>> then via the controller? You can control individual blades via the
>> SMCIPMItool but I'm not entirely sure how to configure that inside of Ovirt
>> for power management, does anyone have any experience on this or can point
>> me to some good docs?
>>
>
> ​According to [1] those servers should support IPMI, so you could try
> ipmilan fence agent and most probably try to add lanplus=1 into Options
> field of an agent. If it doesn't work as expected, could you please try to
> execute below commands and share the output?
>
> fence_ipmilan -a  -l  -p  -P
> -vvv -o status
>
> Thanks
>
> Martin
>
>
> [1] https://www.supermicro.com/products/SuperBlade/management/​
>
>
>
>> Cheers!
>>
>> Scott H.
>>
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>
>
> --
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Power management - oVirt 4,2

2018-02-28 Thread Martin Perina
On Wed, Feb 28, 2018 at 9:13 AM, Terry hey <recreati...@gmail.com> wrote:

> Dear Martin,
> Please see the following result.
> [root@X ~]# fence_ilo4 -a XXX.XXX.XXX.XXX -l X -p X -v -o
> status
> Executing: /usr/bin/ipmitool -I lanplus -H XXX.XXX.XXX.XXX -p 623 -U X
> -P X -L ADMINISTRATOR chassis power status
>
> Connection timed out
>
>
> [root@X~]#
> As you can see it just said connection timed out.
> But i can actually access iLO5 ( same account and password) through
> Internet Explorer ,
>

​This is completely different protocol (HTTP) using a browser,  it's
independent of IPMI.

Are you sure that some firewall doesn't block access to the IPMI interface?
Are you executing the command from different host than the host which you
want access the IPMI interface of?
​
​If above is not an issue, then please login to iLO5 management using a
browser and check if IPMI interface is enabled according to your iLO5
documentation
​


>
> I want to ask.. do you know what port did the manger use when compile this
> command?
>

​623 is the default IPMI port
​


>
> Regards
> Terry
>
>
> 2018-02-26 17:38 GMT+08:00 Martin Perina <mper...@redhat.com>:
>
>>
>>
>> On Fri, Feb 23, 2018 at 11:34 AM, Terry hey <recreati...@gmail.com>
>> wrote:
>>
>>> Dear Martin,
>>> I am very sorry that i reply you so late.
>>> Do you mean that 4.2 can support ilo5 by selecting the option "ilo4" in
>>> power management?
>>>
>>
>> ​Yes
>> ​
>>
>>
>>> "from the error message below I'd say that you are either not using
>>> correct IP address of iLO5 interface or you haven't enabled remote access
>>> to your iLO5 interface"
>>> I just try it and double confirm that i did not type a wrong IP. But the
>>> error message is same.
>>>
>>
>> ​Unfortunately I don't have iLO5 server available, so I cannot provide
>> more details. Anyway could you please double check your server
>> documentation, that you have enabled access to iLO5 IPMI interface
>> correctly? And could you please share output of following command?
>>
>> ​
>> f
>> ​​
>> ence_ilo4 -a  -l  -p  -v -o status
>>
>> Thanks
>>
>> Martin
>> ​
>>
>>
>>>
>>> Regards
>>> Terry
>>>
>>> 2018-02-08 16:13 GMT+08:00 Martin Perina <mper...@redhat.com>:
>>>
>>>> Hi Terry,
>>>>
>>>> from the error message below I'd say that you are either not using
>>>> correct IP address of iLO5 interface or you haven't enabled remote access
>>>> to your iLO5 interface.
>>>> According to [1] iLO5 should fully IPMI compatible. So are you sure
>>>> that you enabled the remote access to your iLO5 address in iLO5 management?
>>>> Please consult [1] how to enable everything and use a user with at
>>>> least Operator privileges.
>>>>
>>>> Regards
>>>>
>>>> Martin
>>>>
>>>> [1] https://support.hpe.com/hpsc/doc/public/display?docId=a00018
>>>> 324en_us
>>>>
>>>>
>>>> On Thu, Feb 8, 2018 at 7:57 AM, Terry hey <recreati...@gmail.com>
>>>> wrote:
>>>>
>>>>> Dear Martin,
>>>>>
>>>>> Thank you for helping me. To answer your question,
>>>>> 1. Does the Test in Edit fence agent dialog work​?
>>>>> Ans: it shows that "Test failed: Internal JSON-RPC error"
>>>>>
>>>>> Regardless the fail result, i press "OK" to enable power management.
>>>>> There are four event log appear in "Events"
>>>>> ********The follwing are the log in
>>>>> "Event""
>>>>> Host host01 configuration was updated by admin@internal-authz.
>>>>> Kdump integration is enabled for host hostv01, but kdump is not
>>>>> configured properly on host.
>>>>> Health check on Host host01 indicates that future attempts to Stop
>>>>> this host using Power-Management are expected to fail.
>>>>> Health check on Host host01 indicates that future attempts to Start
>>>>> this host using Power-Management are expected to fail.
>>>>>
>>>>> 2. If not could you please try to install fence-agents-all package on
>>>>> different host and execute?
>>>>> Ans: It just shows "Con

Re: [ovirt-users] Hosts firewall custom setup

2018-02-26 Thread Martin Perina
On Mon, Feb 26, 2018 at 2:49 PM, Nicolas Ecarnot <nico...@ecarnot.net>
wrote:

> Le 26/02/2018 à 14:03, Yedidyah Bar David a écrit :
>
>> On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nico...@ecarnot.net>
>> wrote:
>>
>>> Hello,
>>>
>>> On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing
>>> since years with engine-config --set IPTablesConfigSiteCustom="blah blah
>>> blah".
>>>
>>> On my hosts, I can see in my hosts that /etc/sysconfig/iptables does
>>> contain
>>> the correct custom rules I added, but when manually checking with
>>> iptables
>>> -L, I don't see my rules active.
>>>
>>> On my hosts, I see that the iptables services is stopped and disabled,
>>> and
>>> that the firewalld service is up and running.
>>>
>>> That explains why iptables customization has no effect.
>>>
>>
>> Indeed.
>>
>> IIRC the type of firewall is now set per cluster or something like that,
>> not
>> sure about the details - adding Ondra.
>>
>
> Per cluster, one can indeed choose the firewall type.
> I suppose it translates on the hosts into the activation of the adequate
> service.
> But how do we add custom rules in case of firewalld type?
>
> On the hosts, I imagine that could translate into changes in :
> /etc/firewalld/zones/public.xml
>

​Please take a look at below RFE introducing firewalld support for host and
blog post to read about new possibilities to customize host-deploy process
(which also can be used for custom firewalld rules) in oVirt 4.2:

https://bugzilla.redhat.com/show_bug.cgi?id=995362
https://www.ovirt.org/blog/2017/12/host-deploy-customization/​



> --
> Nicolas ECARNOT
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Power management - oVirt 4,2

2018-02-26 Thread Martin Perina
On Fri, Feb 23, 2018 at 11:34 AM, Terry hey <recreati...@gmail.com> wrote:

> Dear Martin,
> I am very sorry that i reply you so late.
> Do you mean that 4.2 can support ilo5 by selecting the option "ilo4" in
> power management?
>

​Yes
​


> "from the error message below I'd say that you are either not using
> correct IP address of iLO5 interface or you haven't enabled remote access
> to your iLO5 interface"
> I just try it and double confirm that i did not type a wrong IP. But the
> error message is same.
>

​Unfortunately I don't have iLO5 server available, so I cannot provide more
details. Anyway could you please double check your server documentation,
that you have enabled access to iLO5 IPMI interface correctly? And could
you please share output of following command?

​
f
​​
ence_ilo4 -a  -l  -p  -v -o status

Thanks

Martin
​


>
> Regards
> Terry
>
> 2018-02-08 16:13 GMT+08:00 Martin Perina <mper...@redhat.com>:
>
>> Hi Terry,
>>
>> from the error message below I'd say that you are either not using
>> correct IP address of iLO5 interface or you haven't enabled remote access
>> to your iLO5 interface.
>> According to [1] iLO5 should fully IPMI compatible. So are you sure that
>> you enabled the remote access to your iLO5 address in iLO5 management?
>> Please consult [1] how to enable everything and use a user with at least
>> Operator privileges.
>>
>> Regards
>>
>> Martin
>>
>> [1] https://support.hpe.com/hpsc/doc/public/display?docId=a00018324en_us
>>
>>
>> On Thu, Feb 8, 2018 at 7:57 AM, Terry hey <recreati...@gmail.com> wrote:
>>
>>> Dear Martin,
>>>
>>> Thank you for helping me. To answer your question,
>>> 1. Does the Test in Edit fence agent dialog work​?
>>> Ans: it shows that "Test failed: Internal JSON-RPC error"
>>>
>>> Regardless the fail result, i press "OK" to enable power management.
>>> There are four event log appear in "Events"
>>> The follwing are the log in
>>> "Event""
>>> Host host01 configuration was updated by admin@internal-authz.
>>> Kdump integration is enabled for host hostv01, but kdump is not
>>> configured properly on host.
>>> Health check on Host host01 indicates that future attempts to Stop this
>>> host using Power-Management are expected to fail.
>>> Health check on Host host01 indicates that future attempts to Start this
>>> host using Power-Management are expected to fail.
>>>
>>> 2. If not could you please try to install fence-agents-all package on
>>> different host and execute?
>>> Ans: It just shows "Connection timed out".
>>>
>>> So, does it means that it is not support iLo5 now or i configure wrongly?
>>>
>>> Regards,
>>> Terry
>>>
>>> 2018-02-02 15:46 GMT+08:00 Martin Perina <mper...@redhat.com>:
>>>
>>>>
>>>>
>>>> On Fri, Feb 2, 2018 at 5:40 AM, Terry hey <recreati...@gmail.com>
>>>> wrote:
>>>>
>>>>> Dear Martin,
>>>>>
>>>>> Um..Since i am going to use HPE ProLiant DL360 Gen10 Server to setup
>>>>> oVirt Node(Hypervisor). HP G10 is using ilo5 rather than ilo4. Therefore, 
>>>>> i
>>>>> would like to ask whether oVirt power management support iLO5 or not.
>>>>>
>>>>
>>>> ​We don't have any hardware with iLO5 available, but there is a good
>>>> chance that it will be compatible with iLO4. Have you tried to setup your
>>>> server with iLO4? Does the Test in Edit fence agent dialog work​? If not
>>>> could you please try to install fence-agents-all package on different host
>>>> and execute following:
>>>>
>>>> ​​
>>>> f
>>>> ​​
>>>> ence_ilo4 -a  -l  -p  -v -o status
>>>>
>>>> and share the output?
>>>>
>>>> Thanks
>>>>
>>>> Martin
>>>>
>>>>
>>>>> If not, do you have any idea to setup power management with HP G10?
>>>>>
>>>>> Regards,
>>>>> Terry
>>>>>
>>>>> 2018-02-01 16:21 GMT+08:00 Martin Perina <mper...@redhat.com>:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Jan 31, 2018 at 11:19 PM, Luca 'remix_tj' Lore

Re: [ovirt-users] Power Management - Supermicro SuperBlade

2018-02-26 Thread Martin Perina
On Sun, Feb 25, 2018 at 7:53 AM, Scott Harvanek <sco...@sourcemirrors.org>
wrote:

> Hoping someone can help here, I've looked and can't find any examples on
> this.
>
> I've got some SuperBlade chassis and the blades are managed via the
> chassis controller.  What is the proper way to configure power management
> then via the controller? You can control individual blades via the
> SMCIPMItool but I'm not entirely sure how to configure that inside of Ovirt
> for power management, does anyone have any experience on this or can point
> me to some good docs?
>

​According to [1] those servers should support IPMI, so you could try
ipmilan fence agent and most probably try to add lanplus=1 into Options
field of an agent. If it doesn't work as expected, could you please try to
execute below commands and share the output?

fence_ipmilan -a  -l  -p  -P -vvv
-o status

Thanks

Martin


[1] https://www.supermicro.com/products/SuperBlade/management/​



> Cheers!
>
> Scott H.
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>


-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


  1   2   3   4   >