Re: [Users] SSH MAC corrupt (Re: Did you get ovirt working?)
my bad! sorry!

On Wed, Dec 18, 2013 at 12:03 PM, Fabian Deutsch wrote:
> On Wednesday, 18.12.2013, at 03:16 -0500, Antoni Segura Puimedon wrote:
> > Is there a bug for the oVirt Node for this?
>
> Hey,
>
> yes: https://bugzilla.redhat.com/show_bug.cgi?id=1037939
> And also a patch which should land in the next ovirt-node-iso.
>
> - fabian

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] SSH MAC corrupt (Re: Did you get ovirt working?)
On Wednesday, 18.12.2013, at 03:16 -0500, Antoni Segura Puimedon wrote:
> - Original Message -
> > From: "Gabi C"
> > To: "Garry Tiedemann" , users@ovirt.org
> > Sent: Wednesday, December 18, 2013 7:26:16 AM
> > Subject: Re: [Users] SSH MAC corrupt (Re: Did you get ovirt working?)
> >
> > the only bug I encounter was the one related to ssh-selinux, circumvented by
> > setenforce 0.
> > Of course, every time I reboot nodes I had to go to console and manually
> > "setenforce 0"
>
> Is there a bug for the oVirt Node for this?

Hey,

yes: https://bugzilla.redhat.com/show_bug.cgi?id=1037939
And also a patch which should land in the next ovirt-node-iso.

- fabian
Re: [Users] SSH MAC corrupt (Re: Did you get ovirt working?)
No, there is no bug for this, or at least I didn't open one.
However, trying to sniff traffic on node - tcpdump - didn't work as I was unable to save traffic files on /root/ - Read-only mounted.

Meantime, I upgraded the engine and also reinstalled the hypervisors to a higher version and it is OK now, or at least until I reboot and lost glusterfs volume! :-(

On Wed, Dec 18, 2013 at 10:16 AM, Antoni Segura Puimedon < asegu...@redhat.com> wrote:
> > the only bug I encounter was the one related to ssh-selinux, circumvented by
> > setenforce 0.
> > Of course, every time I reboot nodes I had to go to console and manually
> > "setenforce 0"
>
> Is there a bug for the oVirt Node for this?
Re: [Users] SSH MAC corrupt (Re: Did you get ovirt working?)
- Original Message -
> From: "Gabi C"
> To: "Garry Tiedemann" , users@ovirt.org
> Sent: Wednesday, December 18, 2013 7:26:16 AM
> Subject: Re: [Users] SSH MAC corrupt (Re: Did you get ovirt working?)
>
> Hello!
> I was just about to reply to the list! :-)
> I moved to oVirt Node - 3.0.3 - 1.1.fc19 on both nodes and updated the engine
> to 3.3.2-1.fc19 and it is working now. For the nodes I performed a clean
> install (i.e. I had to reinitialize the array - ServeRaid controller) and
> the only bug I encounter was the one related to ssh-selinux, circumvented by
> setenforce 0.
> Of course, every time I reboot nodes I had to go to console and manually
> "setenforce 0"

Is there a bug for the oVirt Node for this?

> On Wed, Dec 18, 2013 at 5:37 AM, Garry Tiedemann <
> garrytiedem...@networkvideo.com.au > wrote:
>
> Hi Gabi,
>
> I saw your post on ovirt-users from last week.
>
> I am having that problem too. Have you solved it already?
>
> I would be glad to exchange information, perhaps we can help each other.
>
> I hope to hear from you soon.
>
> Kind regards,
> --
> Garry Tiedemann
> IT Manager
>
> IT Division | The Network Group | 334 Queensberry St, North Melbourne ,
> Victoria , 3051, Australia
> Phone (03) 9329 0933 | Email garrytiedem...@networkvideo.com.au | Website
> www.thenetworkgroup.com.au
Re: [Users] SSH MAC corrupt
I'll try when I'll be back to work, i.e. 13 hours from now...

On 12.12.2013 15:16, "Alon Bar-Lev" wrote:
> > Still get those 'denied' in audit.log - node!
>
> Because you are at permissive mode.
>
> Now, what do you get in engine.log in this state when you are trying to add
> node via webadmin?
Re: [Users] SSH MAC corrupt
- Original Message -
> From: "Gabi C"
> To: "Alon Bar-Lev"
> Cc: "Dan Kenigsberg" , users@ovirt.org
> Sent: Thursday, December 12, 2013 3:13:43 PM
> Subject: Re: [Users] SSH MAC corrupt
>
> I've tried and I'm logged in!!
>
> sestatus
> SELinux status: enabled
> SELinuxfs mount:/sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: permissive
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Max kernel policy version: 28
>
> Still get those 'denied' in audit.log - node!

Because you are at permissive mode.

Now, what do you get in engine.log in this state when you are trying to add node via webadmin?
Re: [Users] SSH MAC corrupt
I've tried and I'm logged in!!

sestatus
SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Still get those 'denied' in audit.log - node!

On Thu, Dec 12, 2013 at 2:35 PM, Alon Bar-Lev wrote:
> > I confirm that manual ssh works both ways.
> >
> > I'll try to sniff.
>
> please try from engine:
>
> ssh -i /etc/pki/ovirt-engine/keys/engine_id_rsa root@node
>
> this is similar to what engine is trying to do.
>
> but as far as I see, the problem is within the selinux policy.
Re: [Users] SSH MAC corrupt
- Original Message -
> From: "Gabi C"
> To: "Dan Kenigsberg"
> Cc: users@ovirt.org
> Sent: Thursday, December 12, 2013 2:32:48 PM
> Subject: Re: [Users] SSH MAC corrupt
>
> I confirm that manual ssh works both ways.
>
> I'll try to sniff.

please try from engine:

ssh -i /etc/pki/ovirt-engine/keys/engine_id_rsa root@node

this is similar to what engine is trying to do.

but as far as I see, the problem is within the selinux policy.
Re: [Users] SSH MAC corrupt
I confirm that manual ssh works both ways.

I'll try to sniff.

On Thu, Dec 12, 2013 at 2:22 PM, Dan Kenigsberg wrote:
> Does manual ssh from Engine to the node work?
> Could you sniff the traffic to see where it's being garbled?
Re: [Users] SSH MAC corrupt
On Thu, Dec 12, 2013 at 11:43:10AM +0200, Gabi C wrote:
> Hello!
>
> 1 engine running ovirt-engine-3.3.1-2.fc19.noarch, in virtual machine - on
> esxi 5.5 host - when I try to add ovirt node hypervisor
> 3.0.3-1.1.fc19,after "setenforce 0" on node, of course, this fails with:
>
> /var/log/secure
>
> Dec 12 09:35:40 virtual4 sshd[3898]: Corrupted MAC on input.
> Dec 12 09:35:40 virtual4 sshd[3898]: Disconnecting: Packet corrupt

Does manual ssh from Engine to the node work?
Could you sniff the traffic to see where it's being garbled?
[Users] SSH MAC corrupt
Hello!

1 engine running ovirt-engine-3.3.1-2.fc19.noarch, in virtual machine - on esxi 5.5 host - when I try to add ovirt node hypervisor 3.0.3-1.1.fc19, after "setenforce 0" on node, of course, this fails with:

/var/log/secure

Dec 12 09:35:40 virtual4 sshd[3898]: Corrupted MAC on input.
Dec 12 09:35:40 virtual4 sshd[3898]: Disconnecting: Packet corrupt
Dec 12 09:35:40 virtual4 sshd[3898]: debug1: do_cleanup
Dec 12 09:35:40 virtual4 sshd[3898]: debug1: PAM: cleanup
Dec 12 09:35:40 virtual4 sshd[3898]: debug1: PAM: closing session
Dec 12 09:35:40 virtual4 sshd[3898]: pam_unix(sshd:session): session closed for user root
Dec 12 09:35:40 virtual4 sshd[3898]: debug1: PAM: deleting credentials
Dec 12 09:35:40 virtual4 sshd[3898]: error: getsockname failed: Bad file descriptor

and

/var/log/audit/audit.log

type=AVC msg=audit(1386840940.650:589): avc: denied { sigchld } for pid=3898 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1386840940.650:589): arch=c03e syscall=61 success=yes exit=3899 a0=f3b a1=7fff76fe9ad0 a2=0 a3=0 items=0 ppid=3834 pid=3898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1386840940.751:595): avc: denied { dyntransition } for pid=3898 comm="sshd" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process

any idea?
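
Added example, not part of the thread: the two log excerpts in the original post share sshd pid 3898 and the same second, which is what ties the "Corrupted MAC on input" disconnect to the SELinux AVC denials. This Python script joins /var/log/secure and audit.log records on pid and time. The function names, the 2-second window, and the assumption that the node writes syslog timestamps in UTC (with the year supplied by the caller) are this example's own.

```python
import re
from datetime import datetime, timezone

# Excerpts of the two logs quoted in the thread, one record per line.
SECURE_LOG = """\
Dec 12 09:35:40 virtual4 sshd[3898]: Corrupted MAC on input.
Dec 12 09:35:40 virtual4 sshd[3898]: Disconnecting: Packet corrupt
Dec 12 09:35:40 virtual4 sshd[3898]: pam_unix(sshd:session): session closed for user root
Dec 12 09:35:40 virtual4 sshd[3898]: error: getsockname failed: Bad file descriptor
"""
AUDIT_LOG = """\
type=AVC msg=audit(1386840940.650:589): avc: denied { sigchld } for pid=3898 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1386840940.650:589): arch=c03e syscall=61 success=yes exit=3899 a0=f3b a1=7fff76fe9ad0 a2=0 a3=0 items=0 ppid=3834 pid=3898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1386840940.751:595): avc: denied { dyntransition } for pid=3898 comm="sshd" scontext=system_u:system_r:initrc_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
AUDIT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def sshd_mac_failures(secure_text, year):
    """Return (pid, utc_datetime) for every 'Corrupted MAC on input' line."""
    hits = []
    for line in secure_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and "Corrupted MAC on input" in m.group(3):
            # Syslog stamps carry no year or zone: both are assumptions here.
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((int(m.group(2)), when.replace(tzinfo=timezone.utc)))
    return hits


def avc_denials(audit_text):
    """Parse AVC denials and attach the paired SYSCALL record's success field."""
    denials, syscalls = [], {}
    for line in audit_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        rtype, secs, millis, serial, body = m.groups()
        event_id = f"{secs}.{millis}:{serial}"  # records of one event share this ID
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        perms = PERMS_RE.search(body)
        if rtype == "SYSCALL":
            syscalls[event_id] = fields
        elif rtype == "AVC" and perms and "pid" in fields:
            denials.append({
                "event_id": event_id,
                "time": datetime.fromtimestamp(float(f"{secs}.{millis}"), timezone.utc),
                "pid": int(fields["pid"]),
                "perms": perms.group(1).split(),
                "scontext": fields.get("scontext"),
                "tcontext": fields.get("tcontext"),
                "tclass": fields.get("tclass"),
            })
    for d in denials:
        # None when the excerpt holds no SYSCALL record for the event.
        d["syscall_success"] = syscalls.get(d["event_id"], {}).get("success")
    return denials


def correlate(secure_text, audit_text, year, window_s=2.0):
    """For each MAC failure, list AVC denials with the same pid within window_s."""
    avcs = avc_denials(audit_text)
    report = []
    for pid, when in sshd_mac_failures(secure_text, year):
        near = [d for d in avcs if d["pid"] == pid
                and abs((d["time"] - when).total_seconds()) <= window_s]
        report.append({"pid": pid, "time": when, "denials": near})
    return report


if __name__ == "__main__":
    for hit in correlate(SECURE_LOG, AUDIT_LOG, year=2013):
        print(f"sshd[{hit['pid']}] Corrupted MAC at {hit['time']:%H:%M:%S}Z")
        for d in hit["denials"]:
            print(f"  denied {d['perms']} {d['scontext']} -> {d['tcontext']} "
                  f"(syscall success={d['syscall_success']})")
```

The `syscall_success` value only reports what the paired SYSCALL record says; AVC records are still written in permissive mode, as the thread notes, so a logged denial does not by itself show that the operation was blocked.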