Re: [ovirt-users] [Gluster-users] GlusterFS for production use with Ovirt

2015-03-24 Thread Paul Robert Marino
A few things to clarify
1) Are all 4 for Gluster or are they the whole cluster?
Keep in mind that Ovirt expects that you are running Gluster on
different nodes than your VMs. While I do not completely agree with
that idea, that is how it is now.

2) RAID hardware is not necessarily a bad thing; in fact the cache may
help significantly. That said, it is not required.
Things to keep in mind if you are using RAID hardware for performance:
2.a) RAID 0 will give you the best speed if you are using 3 nodes for
quorum. Keep in mind this will require more work in the case of a
drive failure to remake the brick.
2.b) If you are only doing a mirror across 2 bricks RAID 0 may be
acceptable, but consider using 1+0 or RAID 5. The performance on the two
may vary depending on the RAID controller but 1+0 is generally faster.
2.c) Always optimize for the stripe, which in theory should be
automatic if the RAID controller reports the required information to
do it, but in practice most do not, so you should do it manually, and
Red Hat's support site just added a nice tool to do it for you.

3) For performance more RAM is rarely a bad thing; however it can be
with sustained writes. If you are constantly writing faster than the
disks can handle you will eventually fill the buffers and block till
they flush. So the answer here is if you are mostly dealing with reads
and bursts of writes, more RAM is better. If you are dealing with
constant writes it may cause uneven performance and may in fact be
detrimental.

4) On the 10Gb consider using RDMA Iverbs over Ethernet;
it may help.

5) Look closely at the scheduler on the disks. The default these days
is CFQ (Completely Fair Queuing). I find DEADLINE works better for
Gluster; however depending on if you are using a RAID and you have a
properly aligned file system you may find NOOP may provide better
performance. You need to do some testing with your hardware to
determine if this is the case.

On Mon, Mar 23, 2015 at 9:43 PM, Punit Dambiwal hypu...@gmail.com wrote:
 Hi,

 I want to use Glusterfs with Ovirt 3.5...please help me to make the
 architecture stable for the production use :-

 I have 4 servers...every server can host 24 SSD disk(As bricks)..i want to
 deploy distributed replicated storage with replica =2...i don't want to use
 the Hardware RAID...as i think it will badly impact the performance...

 1. Glusterfs 3.5 or 3.6 ?? (which one will be stable for the production
 use).
 2. Do i use the Hardware RAID or Not ??
 3. IF HW RAID then which RAID level and does it impact the performance...
 4. I want to make it rock solid...so it can use for production purpose...
 5. How much RAM should be sufficient on each server...on the each server i
 have two E5 CPU's...
 6. For Network Connectivity i have 2*10G NIC with bonding on each server...

 Thanks,
 Punit

 ___
 Gluster-users mailing list
 gluster-us...@gluster.org
 http://www.gluster.org/mailman/listinfo/gluster-users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

2014-11-25 Thread Paul Robert Marino
Did you recently update Cyrus SASL?

-- Sent from my HP Pre3

On Nov 25, 2014 11:09 AM, Juan Jose jj197...@gmail.com wrote:
 Hello again,

 Yes the password is correct, I can login in a Windows machine to my domain siee.local with the user Juanjo. Moreover I have changed this user password to simpler one and the result is the same.

 I have logged in administration portal with internal admin user and I try to navigate through the domain to find user to assign some user in a VM but nothing is showed as you can see in the attached screen image and any error is faced in administration portal, but the /var/log/ovirt-engine/engine.log show this:

 2014-11-25 17:02:05,355 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24)
 2014-11-25 17:02:05,356 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password.
 2014-11-25 17:02:05,357 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
 2014-11-25 17:02:05,359 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchUserByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.
 2014-11-25 17:02:05,402 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was invalid (24)
 2014-11-25 17:02:05,404 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy] (ajp--127.0.0.1-8702-5) Authentication Failed. Please verify the username and password.
 2014-11-25 17:02:05,406 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server
 2014-11-25 17:02:05,408 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.LdapBrokerCommandBase] (ajp--127.0.0.1-8702-5) Failed to run command LdapSearchGroupsByQueryCommand. Domain is siee.local. User is juanjo@SIEE.LOCAL.

 every time I click Go button. Moreover I haven't changed anything from my Samba4 AD and it is working handling my siee.local domain. This error is showed since oVirt 3.5 upgrade.

 Many thanks in advance,
 Juanjo.

 On Tue, Nov 25, 2014 at 2:29 PM, Ondra Machacek omach...@redhat.com wrote:
  Also, can you please try to search within this domain,
  not only login to it? Does it fail or works good?

  (in webadmin go to users tab and click add,
   select your domain and search for users).

- Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Juan Jose jj197...@gmail.com
 Cc: Ondra Machacek omach...@redhat.com, Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
 Sent: Tuesday, November 25, 2014 1:49:20 PM
 Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue

 2014-11-25 12:54:10,687 ERROR
 [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
 (ajp--127.0.0.1-8702-5) Failed ldap search server
 ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to
 Authentication Failed. Please verify the username and password.. We should
 not try the next server


 - Original Message -
  From: Juan Jose jj197...@gmail.com
  To: Ondra Machacek omach...@redhat.com, alo...@redhat.com, Yair
  Zaslavsky yzasl...@redhat.com,
  users@ovirt.org
  Sent: Tuesday, November 25, 2014 2:29:26 PM
  Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
 
  Hello Ondra and everybody,
 
  It works with my other user:
 
  engine-manage-domains add --domain=siee.local --provider=ad --user=juanjo
  --add-permissions
  Enter password:
  Successfully added domain siee.local. oVirt Engine restart is required in
  order for the changes to take place (service ovirt-engine restart).
  Manage Domains completed successfully
 
  But after restarted ovirt-engine if I try to log in with juanjo in the
  administrator portal and I receive the error General command validation
  failure, as you can see in the attached image.
 
  I'm showing below the engine.log lines with the error:
 
  2014-11-25 12:54:10,680 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-5) Kerberos error: Pre-authentication information was
  invalid (24)
  2014-11-25 12:54:10,681 ERROR
  [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.GSSAPIDirContextAuthenticationStrategy]
  (ajp--127.0.0.1-8702-5) Authentication 

Re: [ovirt-users] upgrade glusterfs under ovirt

2014-11-12 Thread Paul Robert Marino
I just did this today but in posixfs mode not native Gluster mode.

After the update of each gluster node restart the process and manually trigger a heal on each of the volumes. Whatever you do, do NOT start upgrading the next gluster node until you have verified that the heal is complete on all volumes. If you don't do a manual heal you may wind up in a split brain situation which is fixable but complicated and time consuming.

-- Sent from my HP Pre3

On Nov 12, 2014 2:29 AM, Demeter Tibor tdeme...@itsmart.hu wrote:
 Hi,

 I see that glusterfs 3.6 has released.
 What is the official way to upgrade this under a production ovirt cluster?
 Can I use the "yum update" command or I need to switch to the host to maintenance and select "reinstall" button?

 Thanks
 Tibor
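The heal gate described in the reply above, as an added example that is not part of the original thread: it triggers a heal on every volume and refuses to call the cluster ready for the next node until every brick reports zero pending entries, treating an unreachable brick as "not healed". The `--run` switch, the function names and the sample outputs are constructed for this example, and the exact `heal info` layout varies between Gluster releases.

```shell
#!/bin/sh
# Added example, not from the thread: gate between nodes of a rolling
# GlusterFS upgrade. Function names and the --run switch are hypothetical.

# Sum the "Number of entries:" lines of `gluster volume heal VOL info`
# read from stdin. Prints an integer, or "unknown" when any brick reports
# a non-numeric count (an unreachable brick) or no count is present.
pending_heal_entries() {
    awk -F': *' '
        /^Number of entries:/ {
            seen = 1
            sub(/[ \t\r]+$/, "", $2)
            if ($2 ~ /^[0-9]+$/) total += $2
            else unknown = 1
        }
        END {
            if (!seen || unknown) print "unknown"
            else print total + 0
        }'
}

# Thin wrapper around the real CLI so the parsing can be exercised offline.
heal_info() {
    gluster volume heal "$1" info
}

# Print the name of every volume given as argument that is not fully healed.
volumes_still_healing() {
    for vsh_vol in "$@"; do
        vsh_n=$(heal_info "$vsh_vol" | pending_heal_entries)
        [ "$vsh_n" = "0" ] || printf '%s\n' "$vsh_vol"
    done
}

# Constructed sample outputs (not captured from a real cluster).
sample_clean() {
cat <<'EOF'
Brick node1:/bricks/vmstore
Number of entries: 0

Brick node2:/bricks/vmstore
Number of entries: 0
EOF
}

sample_pending() {
cat <<'EOF'
Brick node1:/bricks/iso
/images/a.img
/images/b.img
Number of entries: 2

Brick node2:/bricks/iso
/images/a.img
Number of entries: 1
EOF
}

sample_brick_down() {
cat <<'EOF'
Brick node1:/bricks/vmstore
Number of entries: 0

Brick node2:/bricks/vmstore
Status: Transport endpoint is not connected
Number of entries: -
EOF
}

# Run on a node that has just been updated and whose gluster processes
# have been restarted: trigger the heal, then block until it is complete.
if [ "${1:-}" = "--run" ]; then
    vols=$(gluster volume list)
    for v in $vols; do
        gluster volume heal "$v" >/dev/null
    done
    while pending=$(volumes_still_healing $vols); [ -n "$pending" ]; do
        echo "heal not complete on: $(echo $pending)" >&2
        sleep 30
    done
    echo "all volumes healed; safe to upgrade the next node"
fi
```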


Re: [ovirt-users] adding machine to openldap + kerberos with a keytab

2014-09-10 Thread Paul Robert Marino
Actually I haven't delved very deep into it but I know it's not using a keytab; it's actually authenticating to the Kerberos server and doing a SASL bind.

In a way this is actually proper functionality; however I have to admit it would be nice to have the option of using a keytab.

-- Sent from my HP Pre3

On Sep 10, 2014 6:53 PM, William Law w...@stanford.edu wrote:
Hi,

When I try to use engine-manage-domains it seems to expect an account to sign in with.  Is there any way to use a key tab?  It seems like it does all this under the surface eventually; I'd just like to do it up front.

Even a pointer to "manual" adding instructions would be very helpful.

Thanks,

Will


Re: [ovirt-users] adding machine to openldap + kerberos with a keytab

2014-09-10 Thread Paul Robert Marino
William

Thank you as well I have noticed from the logs that if the manager interface isn't used in a while it has to reinitialize or renew the ticket in the cache. This process can cause a noticeable delay in logins and using a keytab. This is a part of (but not the whole) reason keytabs exist in kerberos.

-- Sent from my HP Pre3

On Sep 10, 2014 7:11 PM, William Law w...@stanford.edu wrote:
OK, thanks.  Is there a way to perform it without manage-domains currently or in 3.5?

Regards,

Will

On Sep 10, 2014, at 4:07 PM, Yair Zaslavsky yzasl...@redhat.com wrote:

 
 
 - Original Message -
 From: "William Law" w...@stanford.edu
 To: "users" users@ovirt.org
 Sent: Thursday, September 11, 2014 1:53:04 AM
 Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
 
 Hi,
 
 When I try to use engine-manage-domains it seems to expect an account to sign
 in with.  Is there any way to use a key tab?  It seems like it does all this
 under the surface eventually; I'd just like to do it up front.
 
 Even a pointer to "manual" adding instructions would be very helpful.
 
 Thanks,
 
 Will
 
 Hi Will,
 No way to perform this with manage domains at the moment.
 
 Not sure if we will invest in this, as in oVirt 3.5 we introduce a pluggable architecture for AAA, based on extensions + configuration files 
 managed-domains should be used to support existing setups that will undergo upgrade to 3.5 (or of course, will remain in their current versions).
 


Re: [ovirt-users] adding machine to openldap + kerberos with a keytab

2014-09-10 Thread Paul Robert Marino
Interesting, so does that mean it can support GSSAPI authentication from the browser like the apache modules?

-- Sent from my HP Pre3

On Sep 10, 2014 7:32 PM, William Law w...@stanford.edu wrote:
Cool - I'll start looking at that now.

Regards,

Will

On Sep 10, 2014, at 4:28 PM, Yair Zaslavsky yzasl...@redhat.com wrote:

 
 
 - Original Message -
 From: "William Law" w...@stanford.edu
 To: "Yair Zaslavsky" yzasl...@redhat.com
 Cc: "users" users@ovirt.org
 Sent: Thursday, September 11, 2014 2:11:08 AM
 Subject: Re: [ovirt-users] adding machine to openldap + kerberos with a keytab
 
 OK, thanks.  Is there a way to perform it without manage-domains currently or
 in 3.5?
 
 in 3.5  - you can add new authn (authentication) and authz (authorization) providers by using configuration files.
 
 
 Regards,
 
 Will
 
 On Sep 10, 2014, at 4:07 PM, Yair Zaslavsky yzasl...@redhat.com wrote:
 
 
 
 - Original Message -
 From: "William Law" w...@stanford.edu
 To: "users" users@ovirt.org
 Sent: Thursday, September 11, 2014 1:53:04 AM
 Subject: [ovirt-users] adding machine to openldap + kerberos with a keytab
 
 Hi,
 
 When I try to use engine-manage-domains it seems to expect an account to
 sign
 in with.  Is there any way to use a key tab?  It seems like it does all
 this
 under the surface eventually; I'd just like to do it up front.
 
 Even a pointer to "manual" adding instructions would be very helpful.
 
 Thanks,
 
 Will
 
 Hi Will,
 No way to perform this with manage domains at the moment.
 
 Not sure if we will invest in this, as in oVirt 3.5 we introduce a
 pluggable architecture for AAA, based on extensions + configuration files
 managed-domains should be used to support existing setups that will undergo
 upgrade to 3.5 (or of course, will remain in their current versions).
 


Re: [ovirt-users] oVirt/gluster storage questions for 2-3 node datacenter

2014-08-29 Thread Paul Robert Marino
On Fri, Aug 29, 2014 at 12:25 PM, Vijay Bellur vbel...@redhat.com wrote:
 On 08/29/2014 07:34 PM, David King wrote:

 Paul,

 Thanks for the response.

 You mention that the issue is orphaned files during updates when one
 node is down.  However I am less concerned about adding and removing
 files because the file server will be predominately VM disks so the file
 structure is fairly static.  Those VM files will be quite active however
 - will gluster be able to keep track of partial updates to a large file
 when one out of two bricks are down?


 Yes, gluster only updates regions of the file that need to be synchronized
 during self-healing. More details on this synchronization can be found in
 the self-healing section of afr's design document [1].


 Right now I am leaning towards using SSD for host local disk - single
 brick gluster volumes intended for VMs which are node specific and then

I wouldn't use single brick gluster volumes for local disk; you don't
need it and it will actually make it more complicated with no real
benefits.

 3 way replicas for the higher availability zones which tend to be more
 read oriented.   I presume that read-only access only needs to get data
 from one of the 3 replicas so that should be reasonably performant.


 Yes, read operations are directed to only one of the replicas.

 Regards,
 Vijay

 [1] https://github.com/gluster/glusterfs/blob/master/doc/features/afr-v1.md



Re: [ovirt-users] oVirt/gluster storage questions for 2-3 node datacenter

2014-08-28 Thread Paul Robert Marino
I'll try to answer some of these.

1) It's not a serious problem per se. The issue is if one node goes down and you delete a file while the second node is down it will be restored when the second node comes back, which may cause orphaned files, whereas if you use 3 servers they will use quorum to figure out what needs to be restored or deleted. Furthermore your read and write performance may suffer, especially in comparison to having 1 replica of the file with striping.

2) See answer 1 and just create the volume with 1 replica and only include the URI for bricks on two of the hosts when you create it.

3) I think so but have never tried it; you just have to define it as a local storage domain.

4) Well that's a philosophical question. You can in theory have two hosted engines on separate VMs on two separate physical boxes but if for any reason they both go down you will "be living in interesting times" (as in the Chinese curse).

5) YES! And have more than one.

-- Sent from my HP Pre3

On Aug 28, 2014 9:39 AM, David King da...@rexden.us wrote:
 Hi,

 I am currently testing oVirt 3.4.3 + gluster 3.5.2 for use in my relatively small home office environment on a single host. I have 2 Intel hosts with SSD and magnetic disk and one AMD host with only magnetic disk. I have been trying to figure out the best way to configure my environment given my previous attempt with oVirt 3.3 encountered storage issues.

 I will be hosting two types of VMs - VMs that can be tied to a particular system (such as 3 node FreeIPA domain or some test VMs), and VMs which could migrate between systems for improved uptime.

 The processor issue seems straightforward. Have a single datacenter with two clusters - one for the Intel systems and one for the AMD systems. Put VMs which need to live migrate on the Intel cluster. If necessary VMs can be manually switched between the Intel and AMD cluster with a downtime.

 The Gluster side of the storage seems less clear. The bulk of the gluster with oVirt issues I experienced and have seen on the list seem to be two node setups with 2 bricks in the Gluster volume.

 So here are my questions:

 1) Should I avoid 2 brick Gluster volumes?
 2) What is the risk in having the SSD volumes with only 2 bricks given that there would be 3 gluster servers? How should I configure them?
 3) Is there a way to use local storage for a host locked VM other than creating a gluster volume with one brick?
 4) Should I avoid using the hosted engine configuration? I do have an external VMware ESXi system to host the engine for now but would like to phase it out eventually.
 5) If I do the hosted engine should I make the underlying gluster volume 3 brick replicated?

 Thanks in advance for any help you can provide.

 -David



Re: [ovirt-users] ovirt with 389 server inactive groups

2014-08-17 Thread Paul Robert Marino
here are the results of the queries you asked for


 group_ids | groups
-----------+--------
 ----,----,----,----,----,---- | core.ux.media.cbs.net/groups/sysadmin,domain here/groups/pmarino,domain here/groups/pd managers,domain here/groups/qa managers,domain here/groups/accounting managers,domain here/directory administrators
(1 row)


engine=# select id, name from ad_groups;
                  id                  |            name
--------------------------------------+-----------------------------
 eee0----123456789eee                 | Everyone
 2a8a8401-fc9e-11e3-8742-861538ea406a | domain here/Groups/sysadmin
(2 rows)



On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky yzasl...@redhat.com wrote:


 - Original Message -
 From: Paul Robert Marino prmari...@gmail.com
 To: Yair Zaslavsky yzasl...@redhat.com
 Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
 Sent: Wednesday, August 13, 2014 11:47:40 PM
 Subject: Re: [ovirt-users] ovirt with 389 server inactive groups

 Ok so before I open a bug ticket I want to confirm I'm not doing any
 thing wrong here.
 I upgraded to 3.4
 now it says Active:false  on LDAP groups.

 Again I tried to add the sysadmin group from the directory server and
 set the power user and super user roles on the group
 it shows up as domain name/Groups/sysadmin
 I added the permissions by clicking on the configure link on the top of
 the screen and set them in the System Permissions tab

 Sounds good so far.
 I assume also you see the permissions in the permissions sub tab when you
 click the group.


 I added a user (pmarino) to the system which shows in the Directory
 Group tab shows sysadmingroups   domain name among others
 however it only shows in the Permissions tab the permissions inherited
 by Everyone it does not show any permissions inherited by the
 sysadmin group.

 This is not good - I mean, should have worked.


 just to prove it didn't work I logged out and attempted to log back in
 as the user (pmarino) it wouldn't let me log in

 I logged back in as the internal admin user then I added the SuperUser
 permissions directly to the pmarino account and logged back out again.
 Now when I logged in as pmarino it gave me the access I expected.

 Can I please ask you to provide some database info ?

 It will be awesome if you can provide the following SQL queries results -

 select group_ids, groups from users where username ilike '%pmarino%';

 In addition, please perform - select id, name from ad_groups;

 Thanks for your help.

 P.S - As far as I understand the two bugs mentioned by Itamar (I mean, the
 solution to the bugs) should have fixed your issue as well.






 Here is the relevant portion of the engine log
 
 2014-08-13 16:00:38,801 INFO
 [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
 [1e7fa420] Running command: AddGroupCommand internal: false. Entities
 affected :  ID: aaa0----123456789aaa Type: System
 2014-08-13 16:00:38,813 INFO
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call
 Stack: null, Custom Event ID: -1, Message: User 'domain
 name/Groups/sysadmin' was added successfully to the system.
 2014-08-13 16:09:01,352 INFO
 [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
 (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command:
 AddSystemPermissionCommand internal: false. Entities affected :  ID:
 aaa0----123456789aaa Type: System,  ID:
 aaa0----123456789aaa Type: System
 2014-08-13 16:09:01,371 INFO
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group
 domain name/Groups/sysadmin was granted permission for Role
 SuperUser on System by admin.
 2014-08-13 16:10:40,963 INFO
 [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
 (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command:
 AddSystemPermissionCommand internal: false. Entities affected :  ID:
 aaa0----123456789aaa Type: System,  ID:
 aaa0----123456789aaa Type: System
 2014-08-13 16:10

Re: [ovirt-users] ovirt with 389 server inactive groups

2014-08-17 Thread Paul Robert Marino
Just for the sake of testing, even though someone said previously to
ignore it, I set the active = t on the group in ad_group on the
sysadmin group. It had no effect other than changing Active: to true in
the interface.

And in answer to this, "I assume also you see the permissions in the
permissions sub tab when you click the group.": yes

On Sun, Aug 17, 2014 at 9:33 AM, Paul Robert Marino prmari...@gmail.com wrote:
 here are the results of the queries you asked for


  group_ids | groups
 -----------+--------
  ----,----,----,----,----,---- | core.ux.media.cbs.net/groups/sysadmin,domain here/groups/pmarino,domain here/groups/pd managers,domain here/groups/qa managers,domain here/groups/accounting managers,domain here/directory administrators
 (1 row)


 engine=# select id, name from ad_groups;
                   id                  |            name
 --------------------------------------+-----------------------------
  eee0----123456789eee                 | Everyone
  2a8a8401-fc9e-11e3-8742-861538ea406a | domain here/Groups/sysadmin
 (2 rows)



 On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky yzasl...@redhat.com wrote:


 - Original Message -
 From: Paul Robert Marino prmari...@gmail.com
 To: Yair Zaslavsky yzasl...@redhat.com
 Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
 Sent: Wednesday, August 13, 2014 11:47:40 PM
 Subject: Re: [ovirt-users] ovirt with 389 server inactive groups

 Ok so before I open a bug ticket I want to confirm I'm not doing any
 thing wrong here.
 I upgraded to 3.4
 now it says Active:false  on LDAP groups.

 Again I tried to add the sysadmin group from the directory server and
 set the power user and super user roles on the group
 it shows up as domain name/Groups/sysadmin
 I added the permissions by clicking on the configure link on the top of
 the screen and set them in the System Permissions tab

 Sounds good so far.
 I assume also you see the permissions in the permissions sub tab when you
 click the group.


 I added a user (pmarino) to the system which shows in the Directory
 Group tab shows sysadmingroups   domain name among others
 however it only shows in the Permissions tab the permissions inherited
 by Everyone it does not show any permissions inherited by the
 sysadmin group.

 This is not good - I mean, should have worked.


 just to prove it didn't work I logged out and attempted to log back in
 as the user (pmarino) it wouldn't let me log in

 I logged back in as the internal admin user then I added the SuperUser
 permissions directly to the pmarino account and logged back out again.
 Now when I logged in as pmarino it gave me the access I expected.

 Can I please ask you to provide some database info ?

 It will be awesome if you can provide the following SQL queries results -

 select group_ids, groups from users where username ilike '%pmarino%';

 In addition, please perform - select id, name from ad_groups;

 Thanks for your help.

 P.S - As far as I understand the two bugs mentioned by Itamar (I mean, the
 solution to the bugs) should have fixed your issue as well.






 Here is the relevant portion of the engine log
 
 2014-08-13 16:00:38,801 INFO
 [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
 [1e7fa420] Running command: AddGroupCommand internal: false. Entities
 affected :  ID: aaa0----123456789aaa Type: System
 2014-08-13 16:00:38,813 INFO
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call
 Stack: null, Custom Event ID: -1, Message: User 'domain
 name/Groups/sysadmin' was added successfully to the system.
 2014-08-13 16:09:01,352 INFO
 [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
 (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command:
 AddSystemPermissionCommand internal: false. Entities affected :  ID:
 aaa0----123456789aaa Type: System,  ID:
 aaa0----123456789aaa Type: System
 2014-08-13 16:09:01,371 INFO
 [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
 (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group

Re: [ovirt-users] ovirt with 389 server inactive groups

2014-08-17 Thread Paul Robert Marino
Confirmed, that does seem to be the cause. I updated the group_ids field
of a user to the appropriate IDs from ad_groups and it fixed that
user.
In answer to your question "Did you first add the group, and then added
users (that belong to a group) either by adding users, or by adding a
permission?" I've tried it every different way I can think of; the
results are always the same.


On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky yzasl...@redhat.com wrote:


 - Original Message -
 From: Paul Robert Marino prmari...@gmail.com
 To: Yair Zaslavsky yzasl...@redhat.com
 Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
 Sent: Sunday, August 17, 2014 4:33:30 PM
 Subject: Re: [ovirt-users] ovirt with 389 server inactive groups

 here are the results of the queries you asked for


  group_ids | groups
 -----------+--------
  ----,----,----,----,----,---- | domain here/groups/sysadmin,domain here/groups/pmarino,domain here/groups/pd managers,domain here/groups/qa managers,domain here/groups/accounting managers,domain here/directory administrators
 (1 row)


 engine=# select id, name from ad_groups;
                   id                  |            name
 --------------------------------------+-----------------------------
  eee0----123456789eee                 | Everyone
  2a8a8401-fc9e-11e3-8742-861538ea406a | domain here/Groups/sysadmin
 (2 rows)

 It does look that there is something wrong in the association of users to 
 their group IDS.
 Just to make sure I'm not missing anything -
 Did you first add the group, and then added users (that belong to a group)
 either by adding users, or by adding a permission?

 Yair




 On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky yzasl...@redhat.com wrote:
 
 
  - Original Message -
  From: Paul Robert Marino prmari...@gmail.com
  To: Yair Zaslavsky yzasl...@redhat.com
  Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
  Sent: Wednesday, August 13, 2014 11:47:40 PM
  Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
 
  Ok so before I open a bug ticket I want to confirm I'm not doing any
  thing wrong here.
  I upgraded to 3.4
  now it says Active:false  on LDAP groups.
 
  Again I tried to add the sysadmin group from the directory server and
  set the power user and super user roles on the group
  it shows up as domain name/Groups/sysadmin
  I added the permissions by clicking on the configure link on the top of
  the screen and set them in the System Permissions tab
 
  Sounds good so far.
  I assume also you see the permissions in the permissions sub tab when you
  click the group.
 
 
  I added a user (pmarino) to the system which shows in the Directory
  Group tab shows sysadmingroups   domain name among others
  however it only shows in the Permissions tab the permissions inherited
  by Everyone it does not show any permissions inherited by the
  sysadmin group.
 
  This is not good - I mean, should have worked.
 
 
  just to prove it didn't work I logged out and attempted to log back in
  as the user (pmarino) it wouldn't let me log in
 
  I logged back in as the internal admin user then I added the SuperUser
  permissions directly to the pmarino account and logged back out again.
  Now when I logged in as pmarino it gave me the access I expected.
 
  Can I please ask you to provide some database info ?
 
  It will be awesome if you can provide the following SQL queries results -
 
  select group_ids, groups from users where username ilike '%pmarino%';
 
  In addition, please perform - select id, name from ad_groups;
 
  Thanks for your help.
 
  P.S - As far as I understand the two bugs mentioned by Itamar (I mean, the
  solution to the bugs) should have fixed your issue as well.
 
 
 
 
 
 
  Here is the relevant portion of the engine log
  
  2014-08-13 16:00:38,801 INFO
  [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
  [1e7fa420] Running command: AddGroupCommand internal: false. Entities
  affected :  ID: aaa0----123456789aaa Type: System
  2014-08-13 16:00:38,813 INFO
  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
  (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call
  Stack: null, Custom Event ID: -1

Re: [ovirt-users] ovirt with 389 server inactive groups

2014-08-17 Thread Paul Robert Marino
I found why the group_ids field is wrong.

If you look at the ad_groups table the name for the group is "domain
here/Groups/sysadmin"; however if you look at the groups field in the
users table it says "domain here/groups/sysadmin".
I tried updating the name field in the ad_groups table to match
"domain here/groups/sysadmin" then removed and added a user; now the
id for that group in the group_ids field is being set correctly.

This is at least a usable workaround for now. Now we need to find the
root cause.


On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino
prmari...@gmail.com wrote:
 Confirmed, that does seem to be the cause. I updated the group_ids field
 of a user to the appropriate IDs from ad_groups and it fixed that
 user.
 In answer to your question "Did you first add the group, and then added
 users (that belong to a group) either by adding users, or by adding a
 permission?" I've tried it every different way I can think of; the
 results are always the same.


 On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky yzasl...@redhat.com wrote:


 - Original Message -
 From: Paul Robert Marino prmari...@gmail.com
 To: Yair Zaslavsky yzasl...@redhat.com
 Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
 Sent: Sunday, August 17, 2014 4:33:30 PM
 Subject: Re: [ovirt-users] ovirt with 389 server inactive groups

 here are the results of the queries you asked for


  group_ids                     | groups
 -------------------------------+--------
  ----,----,----,----,----,---- | domain here/groups/sysadmin,domain here/groups/pmarino,domain here/groups/pd managers,domain here/groups/qa managers,domain here/groups/accounting managers,domain here/directory administrators
 (1 row)


 engine=# select id, name from ad_groups;
   id  | name
 --+---
  eee0----123456789eee | Everyone
  2a8a8401-fc9e-11e3-8742-861538ea406a | domain here/Groups/sysadmin
 (2 rows)

 It does look that there is something wrong in the association of users to 
 their group IDS.
 Just to make sure I'm not missing anything -
 Did you first add the group, and then added users (that belong to a group) 
 either by adding users, or by adding a permission?

 Yair




 On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky yzasl...@redhat.com 
 wrote:
 
 
  - Original Message -
  From: Paul Robert Marino prmari...@gmail.com
  To: Yair Zaslavsky yzasl...@redhat.com
  Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
  Sent: Wednesday, August 13, 2014 11:47:40 PM
  Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
 
  Ok so before I open a bug ticket I want to confirm I'm not doing
  anything wrong here.
  I upgraded to 3.4
  now it says Active:false  on LDAP groups.
 
  Again I tried to add the sysadmin group from the directory server and
  set the power user and super user roles on the group
  it shows up as domain name/Groups/sysadmin
  I added the permissions by clicking on the configure link on the top of
  the screen and set them in the System Permissions tab
 
  Sounds good so far.
  I assume also you see the permissions in the permissions sub tab when you
  click the group.
 
 
  I added a user (pmarino) to the system which shows in the Directory
  Group tab shows sysadmingroups   domain name among others
  however it only shows in the Permissions tab the permissions inherited
  by Everyone it does not show any permissions inherited by the
  sysadmin group.
 
  This is not good - I mean, should have worked.
 
 
  just to prove it didn't work I logged out and attempted to log back in
  as the user (pmarino) it wouldn't let me log in
 
  I logged back in as the internal admin user then I added the SuperUser
  permissions directly to the pmarino account and logged back out again.
  Now when I logged in as pmarino it gave me the access I expected.
 
  Can I please ask you to provide some database info ?
 
  It will be awesome if you can provide the following SQL queries results -
 
  select group_ids, groups from users where username ilike '%pmarino%';
 
  In addition, please perform - select id, name from ad_groups;
 
  Thanks for your help.
 
  P.S - As far as I understand the two bugs mentioned

Re: [ovirt-users] ovirt with 389 server inactive groups

2014-08-17 Thread Paul Robert Marino
Ok
I dug in a little further it looks like the memberof plugin in 389
server is making them lowercase which from an LDAP and or Posix
perspective is not a problem but this seems to be the root cause of
the issue of the difference.
while this behavior is strange it is not invalid because DN's are case
insensitive.

The easiest way to fix this is to change the query of the group from
the ad_groups table to an ilike. The potential problem here is it
conflicts with SAM in windows where group names are case sensitive.
This is definitely a conflict in design between AD and LDAP's core design.
Interestingly I can add roles to the group and there is no problem it
sets it correctly so somewhere else in the code an ilike is being used
to query the groups table.


On Sun, Aug 17, 2014 at 11:05 AM, Paul Robert Marino
prmari...@gmail.com wrote:
 I found why the group_ids field is wrong

 If you look at the ad_groups table the name for the group is domain
 here/Groups/sysadmin however if you look at the groups field in the
 users table it says domain here/groups/sysadmin
 I tried updating the name field in the ad_groups table to match
 domain here/groups/sysadmin then removed and added a user now the
 id for that group in the group_ids field is being set correctly.

 This is at least a usable workaround for now. now we need to find the
 root cause.


 On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino
 prmari...@gmail.com wrote:
 confirmed that does seem to be the cause I updated the group_ids field
 of a user to the appropriate Id's from ad_groups and it fixed that
 user.
 in answer to your question Did you first add the group, and then added
 users (that belong to a group) either by adding users, or by adding a
 permission? I've tried it every different way I can think of the
 results are always the same.


 On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky yzasl...@redhat.com wrote:


 - Original Message -
 From: Paul Robert Marino prmari...@gmail.com
 To: Yair Zaslavsky yzasl...@redhat.com
 Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
 Sent: Sunday, August 17, 2014 4:33:30 PM
 Subject: Re: [ovirt-users] ovirt with 389 server inactive groups

 here are the results of the queries you asked for


  group_ids                     | groups
 -------------------------------+--------
  ----,----,----,----,----,---- | domain here/groups/sysadmin,domain here/groups/pmarino,domain here/groups/pd managers,domain here/groups/qa managers,domain here/groups/accounting managers,domain here/directory administrators
 (1 row)


 engine=# select id, name from ad_groups;
   id  | name
 --+---
  eee0----123456789eee | Everyone
  2a8a8401-fc9e-11e3-8742-861538ea406a | domain here/Groups/sysadmin
 (2 rows)

 It does look that there is something wrong in the association of users to 
 their group IDS.
 Just to make sure I'm not missing anything -
 Did you first add the group, and then added users (that belong to a group) 
 either by adding users, or by adding a permission?

 Yair




 On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky yzasl...@redhat.com 
 wrote:
 
 
  - Original Message -
  From: Paul Robert Marino prmari...@gmail.com
  To: Yair Zaslavsky yzasl...@redhat.com
  Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
  Sent: Wednesday, August 13, 2014 11:47:40 PM
  Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
 
  Ok so before I open a bug ticket I want to confirm I'm not doing
  anything wrong here.
  I upgraded to 3.4
  now it says Active:false  on LDAP groups.
 
  Again I tried to add the sysadmin group from the directory server and
  set the power user and super user roles on the group
  it shows up as domain name/Groups/sysadmin
  I added the permissions by clicking on the configure link on the top of
  the screen and set them in the System Permissions tab
 
  Sounds good so far.
  I assume also you see the permissions in the permissions sub tab when you
  click the group.
 
 
  I added a user (pmarino) to the system which shows in the Directory
  Group tab shows sysadmingroups   domain name among others
  however it only shows in the Permissions tab
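
Added example, not part of the original thread and not oVirt's own code: the message above traces the empty group_ids entry to a case-sensitive comparison between the names in users.groups and ad_groups.name, and worries that a case-insensitive match could conflict with directories that treat names as case sensitive. The sketch below contrasts the two lookups and grants nothing when stored names differ only by case; the rows, IDs, the domain example.test and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed rows standing in for "select id, name from ad_groups".
# The IDs and the domain "example.test" are placeholders, not thread values.
AD_GROUPS = [
    ("00000000-0000-0000-0000-00000000000a", "Everyone"),
    ("00000000-0000-0000-0000-00000000000b", "example.test/Groups/sysadmin"),
]

# Constructed users.groups value: comma-separated names as the directory
# returned them, with the container component in lower case.
USER_GROUPS = "example.test/groups/sysadmin,example.test/groups/pmarino"


def split_groups(groups_field):
    """Split the comma-separated users.groups value into clean names."""
    return [g.strip() for g in groups_field.split(",") if g.strip()]


def resolve_exact(groups_field, ad_groups):
    """Case-sensitive lookup: a name that differs only by case is dropped."""
    by_name = {name: gid for gid, name in ad_groups}
    return [by_name[g] for g in split_groups(groups_field) if g in by_name]


def resolve_case_insensitive(groups_field, ad_groups):
    """Case-insensitive lookup that fails closed on ambiguity.

    Returns (ids, ambiguous, unmatched). A name is ambiguous when several
    stored groups differ from it only by case and none matches it exactly;
    no ID is granted for it, so a collision never widens a user's access.
    """
    index = defaultdict(list)
    for gid, name in ad_groups:
        index[name.casefold()].append((gid, name))

    ids, ambiguous, unmatched = [], [], []
    for wanted in split_groups(groups_field):
        candidates = index.get(wanted.casefold(), [])
        exact = [gid for gid, name in candidates if name == wanted]
        if len(exact) == 1:
            ids.append(exact[0])           # exact spelling always wins
        elif len(candidates) == 1:
            ids.append(candidates[0][0])   # unique match ignoring case
        elif candidates:
            ambiguous.append(wanted)       # report it, grant nothing
        else:
            unmatched.append(wanted)
    return ids, ambiguous, unmatched


if __name__ == "__main__":
    print("exact:", resolve_exact(USER_GROUPS, AD_GROUPS))
    print("case-insensitive:", resolve_case_insensitive(USER_GROUPS, AD_GROUPS))
```

The ambiguous and unmatched lists are worth logging, since the thread notes that nothing appeared in the engine log when the group silently failed to resolve.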

Re: [ovirt-users] ovirt with 389 server inactive groups

2014-08-17 Thread Paul Robert Marino
I think we now have enough for a proper ticket.
I will create one later today. also since I have RHEV support for my
production instances I will also create a matching case with Red Hat.



On Sun, Aug 17, 2014 at 11:27 AM, Paul Robert Marino
prmari...@gmail.com wrote:
 Ok
 I dug in a little further it looks like the memberof plugin in 389
 server is making them lowercase which from an LDAP and or Posix
 perspective is not a problem but this seems to be the root cause of
 the issue of the difference.
 while this behavior is strange it is not invalid because DN's are case
 insensitive.

 The easiest way to fix this is to change the query of the group from
 the ad_groups table to an ilike. The potential problem here is it
 conflicts with SAM in windows where group names are case sensitive.
 This is definitely a conflict in design between AD and LDAP's core design.
 Interestingly I can add roles to the group and there is no problem it
 sets it correctly so somewhere else in the code an ilike is being used
 to query the groups table.


 On Sun, Aug 17, 2014 at 11:05 AM, Paul Robert Marino
 prmari...@gmail.com wrote:
 I found why the group_ids field is wrong

 If you look at the ad_groups table the name for the group is domain
 here/Groups/sysadmin however if you look at the groups field in the
 users table it says domain here/groups/sysadmin
 I tried updating the name field in the ad_groups table to match
 domain here/groups/sysadmin then removed and added a user now the
 id for that group in the group_ids field is being set correctly.

 This is at least a usable workaround for now. now we need to find the
 root cause.


 On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino
 prmari...@gmail.com wrote:
 confirmed that does seem to be the cause I updated the group_ids field
 of a user to the appropriate Id's from ad_groups and it fixed that
 user.
 in answer to your question Did you first add the group, and then added
 users (that belong to a group) either by adding users, or by adding a
 permission? I've tried it every different way I can think of the
 results are always the same.


 On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky yzasl...@redhat.com wrote:


 - Original Message -
 From: Paul Robert Marino prmari...@gmail.com
 To: Yair Zaslavsky yzasl...@redhat.com
 Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
 Sent: Sunday, August 17, 2014 4:33:30 PM
 Subject: Re: [ovirt-users] ovirt with 389 server inactive groups

 here are the results of the queries you asked for


  group_ids                     | groups
 -------------------------------+--------
  ----,----,----,----,----,---- | domain here/groups/sysadmin,domain here/groups/pmarino,domain here/groups/pd managers,domain here/groups/qa managers,domain here/groups/accounting managers,domain here/directory administrators
 (1 row)


 engine=# select id, name from ad_groups;
   id  | name
 --+---
  eee0----123456789eee | Everyone
  2a8a8401-fc9e-11e3-8742-861538ea406a | domain here/Groups/sysadmin
 (2 rows)

 It does look that there is something wrong in the association of users to 
 their group IDS.
 Just to make sure I'm not missing anything -
 Did you first add the group, and then added users (that belong to a group) 
 either by adding users, or by adding a permission?

 Yair




 On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky yzasl...@redhat.com 
 wrote:
 
 
  - Original Message -
  From: Paul Robert Marino prmari...@gmail.com
  To: Yair Zaslavsky yzasl...@redhat.com
  Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
  Sent: Wednesday, August 13, 2014 11:47:40 PM
  Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
 
  Ok so before I open a bug ticket I want to confirm I'm not doing
  anything wrong here.
  I upgraded to 3.4
  now it says Active:false  on LDAP groups.
 
  Again I tried to add the sysadmin group from the directory server and
  set the power user and super user roles on the group
  it shows up as domain name/Groups/sysadmin
  I added the permissions by clicking on the configure link on the top of
  the screen and set them in the System Permissions tab
 
  Sounds good so far

Re: [ovirt-users] ovirt with 389 server inactive groups

2014-08-13 Thread Paul Robert Marino
 for presentation purpose only.

 Presentation wise only - means that it is not used for our permissions 
 calculation , for example.

 Alon has addressed our plans for this in his previous comments.
 I hope this clarifies more..

 Yair


 - Original Message -
  From: Itamar Heim ih...@redhat.com
  To: Alon Bar-Lev alo...@redhat.com, Paul Robert Marino
  prmari...@gmail.com
  Cc: users@ovirt.org
  Sent: Sunday, August 10, 2014 11:54:05 PM
  Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
 
  On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
  
  
   - Original Message -
   From: Paul Robert Marino prmari...@gmail.com
   To: Alon Bar-Lev alo...@redhat.com
   Cc: Maurice James mja...@media-node.com, users@ovirt.org
   Sent: Sunday, August 10, 2014 10:43:14 PM
   Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
  
   Sorry for my delayed response to this
  
   I am using ovirt 3.3.
   I am using Kerberos 5, and all of the DNS requirements are in place.
   Finally 389 server is the upstream project for RHDS and one of the
   upstream projects for IPA.
   So I chose to set it as RHDS because it's an identical match.
  
   User authentication works just fine my problem is adding roles to
   groups.
   I can assign a role to a group but the group always shows an inactive
   status; however if I assign a role directly to a user it works
   fine.
   In addition if I drill down into a user it knows what groups in the
   389 server the user is a member of.
  
   finally I can't see any error in the logs when adding a role to a group
  
  
   Please open a bug, I am unsure that it will be addressed before 3.5, as we
   have done major rework for the authentication and authorization to make it
   much more versatile. Even if there will be a fix it will be provided to
   3.4.z.
  
   It will be best if you want to test this scenario in 3.5 release candidate
   and the new ldap provider, so we can address the issue before 3.5 release
   if exists.
  
 
  could also be one of these fixed in 3.4:
  3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
  does not inherit the group permissions
  3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
  a group indirectly, it does not inherit the group permissions
 
  
  
   On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev alo...@redhat.com wrote:
  
  
   - Original Message -
   From: Maurice James mja...@media-node.com
   To: Alon Bar-Lev alo...@redhat.com
   Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
   Sent: Saturday, August 9, 2014 3:47:04 AM
   Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
  
   Does this still require the use of kerberos? Will 389-ds work on its own?
  
   In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
  
   It will be great to receive feedback[2].
  
   389ds is not supported directly, I think it is similar to IPA as it uses
   389. Maybe I should rename the profile of ipa to 389 if it works properly.
  
   Regards,
   Alon
  
   [1]
   http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
   [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
  
  
   - Original Message -
   From: Alon Bar-Lev alo...@redhat.com
   To: Itamar Heim ih...@redhat.com
   Cc: users@ovirt.org
   Sent: Friday, August 8, 2014 3:45:07 PM
   Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
  
  
  
   - Original Message -
   From: Itamar Heim ih...@redhat.com
   To: Paul Robert Marino prmari...@gmail.com, users@ovirt.org
   Sent: Friday, August 8, 2014 10:37:11 PM
   Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
  
   On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
   I have ovirt engine running and connected to a 389 server with the
   memberof plugin enabled and working properly.
  
   I can add users and assign them to roles without any issues.
  
   when I look at a user I can see all the LDAP groups they are a member of.
  
   when I run engine-manage-domains  -action=validate it tells me the
   domain is valid.
  
   here is my problem when I try to assign a role to an LDAP group it
   looks like it works but in the general tab when under the group it
   tells me the status is Inactive.
  
   does anyone know how to enable the group?
   ___
   Users mailing list
   Users@ovirt.org
   http://lists.ovirt.org/mailman/listinfo/users
  
  
   3.4 or new 3.5 Generic LDAP provider?
  
  
   In case this is 3.5 it is known issue, all groups will be seen as inactive,
   this field will probably be removed from UI, as groups are no longer fetched
   periodically.
   This field is totally ignored.
  
   Alon

Re: [ovirt-users] ovirt with 389 server inactive groups

2014-08-10 Thread Paul Robert Marino
Sorry for my delayed response to this

I am using ovirt 3.3.
I am using Kerberos 5, and all of the DNS requirements are in place.
Finally 389 server is the upstream project for RHDS and one of the
upstream projects for IPA.
So I chose to set it as RHDS because it's an identical match.

User authentication works just fine my problem is adding roles to groups.
I can assign a role to a group but the group always shows an inactive
status; however if I assign a role directly to a user it works
fine.
In addition if I drill down into a user it knows what groups in the
389 server the user is a member of.

finally I can't see any error in the logs when adding a role to a group



On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev alo...@redhat.com wrote:


 - Original Message -
 From: Maurice James mja...@media-node.com
 To: Alon Bar-Lev alo...@redhat.com
 Cc: Itamar Heim ih...@redhat.com, users@ovirt.org
 Sent: Saturday, August 9, 2014 3:47:04 AM
 Subject: Re: [ovirt-users] ovirt with 389 server inactive groups

 Does this still require the use of kerberos? Will 389-ds work on its own?

 In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.

 It will be great to receive feedback[2].

 389ds is not supported directly, I think it is similar to IPA as it uses 389. 
 Maybe I should rename the profile of ipa to 389 if it works properly.

 Regards,
 Alon

 [1] 
 http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
 [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html


 - Original Message -
 From: Alon Bar-Lev alo...@redhat.com
 To: Itamar Heim ih...@redhat.com
 Cc: users@ovirt.org
 Sent: Friday, August 8, 2014 3:45:07 PM
 Subject: Re: [ovirt-users] ovirt with 389 server inactive groups



 - Original Message -
  From: Itamar Heim ih...@redhat.com
  To: Paul Robert Marino prmari...@gmail.com, users@ovirt.org
  Sent: Friday, August 8, 2014 10:37:11 PM
  Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
 
  On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
   I have ovirt engine running and connected to a 389 server with the
   memberof plugin enabled and working properly.
  
   I can add users and assign them to roles without any issues.
  
   when I look at a user I can see all the LDAP groups they are a member of.
  
   when I run engine-manage-domains  -action=validate it tells me the
   domain is valid.
  
   here is my problem when I try to assign a role to an LDAP group it
   looks like it works but in the general tab when under the group it
   tells me the status is Inactive.
  
   does anyone know how to enable the group?
  
 
  3.4 or new 3.5 Generic LDAP provider?


 In case this is 3.5 it is known issue, all groups will be seen as inactive,
 this field will probably be removed from UI, as groups are no longer fetched
 periodically.
 This field is totally ignored.

 Alon


[ovirt-users] ovirt with 389 server inactive groups

2014-08-07 Thread Paul Robert Marino
I have ovirt engine running and connected to a 389 server with the
memberof plugin enabled and working properly.

I can add users and assign them to roles without any issues.

when I look at a user I can see all the LDAP groups they are a member of.

when I run engine-manage-domains  -action=validate it tells me the
domain is valid.

here is my problem when I try to assign a role to an LDAP group it
looks like it works but in the general tab when under the group it
tells me the status is Inactive.

does anyone know how to enable the group?


Re: [ovirt-users] New member and first question...

2014-08-07 Thread Paul Robert Marino
By the way David have you ever done a Red Hat kickstart with the nobase option?
You get an OS install that's as stripped down as possible. You can even
create a node for ovirt which is smaller than the ESXi install base
last I checked. Just be aware you will not have many of the tools you
would normally expect to see for example bind-utils isn't installed so
the box won't have nslookup or dig unless you install it.



On Thu, Aug 7, 2014 at 10:44 AM, David BERCOT ov...@bercot.org wrote:
 On Thu, 7 Aug 2014 10:29:20 -0400 (EDT),
 Fabian Deutsch fdeut...@redhat.com wrote:
- Original Message -
 On 07.08.2014 15:10, David BERCOT wrote:
  Ah, great !!! And is there a Debian flavor ?

No. Currently not.
But Node became more stable over the last months, and you might want
to try this snapshot build:
http://resources.ovirt.org/pub/ovirt-3.5-pre/iso/ovirt-node-iso-3.5.0.ovirt35.20140805.0.el6.iso

  It is my favorite distribution ;-)

 Not yet, and I don't know if it is on the roadmap.
 you could maybe create your own, it's basically
 this workflow:
 install $distro
 throw out all unneeded stuff
 install virt stuff (libvirt+vdsm)
 apply hardening (selinux etc)
 create iso

 I go with centos minimal and customize
 that myself, works really well.

 I don't know if vdsm is already complete
 platform independent (afaik it should be).

 the initial development was all on fedora
 and el6, so this is where it runs best atm.

 but I know for sure there are plans to
 make it distribution agnostic, but
 I don't know if this includes a pre-created
 iso for ovirt-node based on debian or gentoo.

 maybe fabian can shed some light on the
 future plans.

The current Node can really only be created for Fedora related
distros, so CentOS, RHEL and Fedora itself. The reason for this is
that all parts of the build process are tailored around Fedora related
tools. Namely kickstarts, and livecd-tools.

We are currently thinking about how we can change Node and make it
more friendly, the distro agnostic idea also goes into these thoughts -
but there is nothing concrete on that front yet.

That's it from the Node side.

- fabian

 Thank you for all these answers.

 I'm going to test this soon and I'll tell you about the results...

 David.


Re: [ovirt-users] How do i use local storage of hosts with ovirt?

2014-05-28 Thread Paul Robert Marino
Um I missed the earlier part of this thread but I can tell you from
experience not using shared storage of one kind or another for
virtualization is always a mistake you will regret later. It's a common
(almost default) mistake people who are just getting started with
virtualization make. Fibre (which includes optical fiber and copper using
the same protocols) channel at best or a pNFS or Gluster solution will
serve you a lot better as long as you have a decent number of spindles and
a lot of ram for cache on the storage servers/controllers.

-- Sent from my HP Pre3

On May 28, 2014 20:51, Grant Tailor therealwebg...@gmail.com wrote:
 I plan NOT to use shared storage or network storage and will be using
 local storage of hosts to provision storage for VMs
 How do i do this?
 For example in this screenshot, no way to configure local storage
 Thanks


Re: [ovirt-users] gluster performance oVirt 3.4

2014-05-12 Thread Paul Robert Marino
On the Gluster site there is a QEMU repo I'll send you the link later
today. But essentially CentOS doesn't include the Gluster client or
libraries so they can't compile against it.
I'm not sure why CentOS and Scientific Linux don't include it but I think
it might just be an oversight since Gluster 3.4 is a new set of packages
which were added in the latest release of RHEL 6.
In truth you can simply unpack the source RPM and rebuild it with Gluster
support it's not difficult but I don't remember the flags you need to pass
the rpmbuild command off the top of my head. That said I'd probably use
the ones off the Gluster site anyway.
If you are using Gluster 3.5 the ones included in RHEL are incompatible
because Gluster still has large API changes between minor releases and
they were compiled against 3.4.
Also Gluster 3.5 is a brand new release so I wouldn't rule out the
possibility of a bug. So if the Gluster enabled QEMU rpms don't help you
may need to inquire on the Gluster mailing list.

-- Sent from my HP Pre3

On May 12, 2014 8:58, Tobias Honacker tob...@honacker.info wrote:
I've got the same issue using the same versions as Korsaks, using CentOS
6.5, too.
I could launch vms with gluster block backend driver using the standard
package of libvirt from centos repo.

but ovirt does not run the VM with the qemu GFAPI integration, the path of
the disk using the fuse mount.

    <disk type='file' device='disk' snapshot='no'>
      <driver name='qemu' type='raw' cache='none' error_policy='stop' io='threads'/>
      <source file='/rhev/data-center/mnt/glusterSD/localhost:VMDATA/0add493f-0a7f-4b32-bcd5-ff25ca504b8b/images/68dbbc67-ea24-45a9-8727-4f85d100d1bb/8fe386f7-2aeb-43c2-bcb0-f76829c876b4'>
        <seclabel model='selinux' relabel='no'/>
      </source>
      <target dev='vda' bus='virtio'/>
      <serial></serial>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x' bus='0x00' slot='0x06' function='0x0'/>
    </disk>

or am i wrong?

On Mon, May 12, 2014 at 7:41 AM, Vadims Korsaks tru...@inbox.lv wrote:

Underlying FS is XFS
GlusterFS - glusterfs-3.5.0-2.el6
I'm using CentOS, if this is problem could RHEL packages be used? why
CentOS packages are compiled without native glusterfs support?

Quoting Paul Robert Marino prmari...@gmail.com :
  What's the underlying filesystem for gluster is it XFS?
  What version of gluster are you using?
  What distro are you using and if it's not RHEL or Fedora are you using a
  version of QEMU with gluster support compiled in keep in mind the
  versions with CentOS and Scientific Linux do not include Gluster native
  support compiled in.

  -- Sent from my HP Pre3

  On May 11, 2014 5:40, Vadims Korsaks tru...@inbox.lv wrote:

  Quoting Vijay Bellur vbel...@redhat.com :
   On 05/11/2014 02:04 AM, Vadims Korsaks wrote:
    HI!
   
    Created 2 node setup with oVirt 3.4 and CentOS 6.5, for storage created
    2 node replicated gluster (3.5) fs on same hosts with oVirt.
    mount looks like this:
    127.0.0.1:/gluster01 on /rhev/data-center/mnt/glusterSD/127.0.0.1:_gluster01 type fuse.glusterfs (rw,default_permissions,allow_other,max_read=131072)
   
    when i making gluster test with dd, something like
    dd if=/dev/zero bs=1M count=2 of=/rhev/data-center/mnt/glusterSD/127.0.0.1\:_gluster01/kaka
    I'm getting speed ~ 110 MB/s, so this is 1Gbps speed of ethernet adapter
   
    but with in VM created in oVirt speed is lower than 20 MB/s
   
    why there is so huge difference?
    how can improve VMs disks speed?
   
  
   What are your gluster volume settings? Have you applied the following
   performance tunables in gluster's virt profile:
  
   eager-lock=enable
   remote-dio=enable
  
   Regards,
   Vijay
  
  setting were:
  [root@centos155 ~]# gluster volume info gluster01

  Volume Name: gluster01
  Type: Replicate
  Volume ID: 436edaa3-ac8b-421f-aa35-68b5bd7064b6
  Status: Started
  Number of Bricks: 1 x 2 = 2
  Transport-type: tcp
  Bricks:
  Brick1: 10.2.75.152:/mnt/gluster01/brick
  Brick2: 10.2.75.155:/mnt/gluster01/brick
  Options Reconfigured:
  storage.owner-gid: 36
  storage.owner-uid: 36


  add your settings now it looks

  [root@centos155 ~]# gluster volume info gluster01

  Volume Name: gluster01
  Type: Replicate
  Volume ID: 436edaa3-ac8b-421f-aa35-68b5bd7064b6
  Status: Started
  Number of Bricks: 1 x 2 = 2
  Transport-type: tcp
  Bricks:
  Brick1: 10.2.75.152:/mnt/gluster01/brick
  Brick2: 10.2.75.155:/mnt/gluster01/brick
  Options Reconfigured:
  network.remote-dio: enable
  cluster.eager-lock: enable
  storage.owner-gid: 36
  storage.owner-uid: 36


  but this didn't affect performance in any big way
  should hosts to be restarted?


Re: [ovirt-users] gluster performance oVirt 3.4

2014-05-11 Thread Paul Robert Marino
What's the underlying filesystem for gluster is it XFS?
What version of gluster are you using?
What distro are you using and if it's not RHEL or Fedora are you using a
version of QEMU with gluster support compiled in keep in mind the versions
with CentOS and Scientific Linux do not include Gluster native support
compiled in.

-- Sent from my HP Pre3

On May 11, 2014 5:40, Vadims Korsaks tru...@inbox.lv wrote:
 Quoting Vijay Bellur vbel...@redhat.com :
  On 05/11/2014 02:04 AM, Vadims Korsaks wrote:
   HI!

   Created 2 node setup with oVirt 3.4 and CentOS 6.5, for storage created
   2 node replicated gluster (3.5) fs on same hosts with oVirt.
   mount looks like this:
   127.0.0.1:/gluster01 on /rhev/data-center/mnt/glusterSD/127.0.0.1:_gluster01 type fuse.glusterfs (rw,default_permissions,allow_other,max_read=131072)

   when i making gluster test with dd, something like
   dd if=/dev/zero bs=1M count=2 of=/rhev/data-center/mnt/glusterSD/127.0.0.1\:_gluster01/kaka
   i'm getting speed ~ 110 MB/s, so this is 1Gbps speed of ethernet adapter

   but with in VM created in oVirt speed is lower than 20 MB/s

   why there is so huge difference?
   how can improve VMs disks speed?

  What are your gluster volume settings? Have you applied the following
  performance tunables in gluster's virt profile:

  eager-lock=enable
  remote-dio=enable

  Regards,
  Vijay

 setting were:
 [root@centos155 ~]# gluster volume info gluster01

 Volume Name: gluster01
 Type: Replicate
 Volume ID: 436edaa3-ac8b-421f-aa35-68b5bd7064b6
 Status: Started
 Number of Bricks: 1 x 2 = 2
 Transport-type: tcp
 Bricks:
 Brick1: 10.2.75.152:/mnt/gluster01/brick
 Brick2: 10.2.75.155:/mnt/gluster01/brick
 Options Reconfigured:
 storage.owner-gid: 36
 storage.owner-uid: 36

 add your settings now it looks

 [root@centos155 ~]# gluster volume info gluster01

 Volume Name: gluster01
 Type: Replicate
 Volume ID: 436edaa3-ac8b-421f-aa35-68b5bd7064b6
 Status: Started
 Number of Bricks: 1 x 2 = 2
 Transport-type: tcp
 Bricks:
 Brick1: 10.2.75.152:/mnt/gluster01/brick
 Brick2: 10.2.75.155:/mnt/gluster01/brick
 Options Reconfigured:
 network.remote-dio: enable
 cluster.eager-lock: enable
 storage.owner-gid: 36
 storage.owner-uid: 36

 but this didn't affect performance in any big way
 should hosts to be restarted?