[ovirt-users] Re: VM Migration Failed
Hi, To resolve the issue of VM migration failure in oVirt 4.4.5 due to certificate authentication errors, you should re-establish trust between the hosts. This can be done by redistributing the newly renewed certificates to all hosts and ensuring they recognize each other as trusted peers. Additionally, verify the configuration files for any discrepancies in certificate paths or settings, and restart the necessary services to apply the changes. Thanks ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/WFG6RC5B4EA3ZYNDT4HZLPZD2EMP3HWF/
[ovirt-users] Re: VM Migration Failed
Hello, Does this new setings with "migrate_tls_x509_verify = 1" in "etc/libvirt/qemu.conf" fix the issue ? I have the same error on my ovirt 4.4.10 cluster but this solution doesn't work. Regads, Julien ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HFVXQHM6YFXQO4FVS5DMZQIBAAUGCGTE/
[ovirt-users] Re: VM migration failed after upgrade to 4.4
oVirt definitely involves a lot of paddling. I see now that you are right about HCI (Hyper Converged Platform), it was never specifically documented how to upgrade it. I have stepped away from HCI a long time ago, after testing and working with it in oVirt 3.x. There were just too many dependencies and things that could go wrong. Too much functionality depending on the same hardware and software. I have also stepped away from Gluster since and in production we are not using self-hosted engines either. A standalone engine on a different hypervisor cluster gives me much more peace of mind. However, I cannot see from the original post if this is Hyperconverged or even if it is self-hosted. Maybe I'm just missing it :-) The procedures for self-hosted and standalone engine are described and I have been able to upgrade clusters in the past using them. Make sure you follow all the steps one by one in the correct order. But I agree, if something goes wrong on the way, you are a bit on your own in dangerous territory paddling up the creek :-P It sounds like the upgrade went fine though... and migrating VMs from a 4.3 host to a 4.4 host should be a standard procedure when upgrading the nodes one by one in a live environment. The upgrade from 4.3 to 4.4 I cannot remember if we did live, but from 4.4 to 4.5 worked for us without taking the VMs down. This kind of upgrade is best done in a service window though, and you should have backups of everything before you start. I'm 100% with Thomas on this. Looking at "12.6. Migrating hosts and virtual machines from oVirt 4.3 to 4.4" from the upgrade guide, I see lots of caveats. It is really depending whether or not the oVirt node appliance is used or a Linux Enterprise server (as it needs to be upgraded first by the looks of it). And whether or not there are VMs with CPU-passthrough. I have also looked around for bugs in 4.4, as that is the version you are upgrading to... I find this for example: Bug 1774064. It seem this error occurs in various versions of 4.4, even none related to upgrades. I'm wondering, if you should not just push through with updating all the oVirt nodes, which then allows you to change the cluster compatibility level to 4.4. This would mean not migrating VMs live, but shutting them down and possibly starting them on an upgraded node, until all nodes are upgraded. If you upgrade one more node, you would be able to check if migration works between upgraded 4.4 nodes, which would then confirm that pushing through and upgrade all nodes to 4.4 would be the way forward, even if it means that you have to shutdown all the VMs at some point during the migration. I hope this helps. Good luck with it. Ps. I have resorted in few cases, to simply reinstalling a node from scratch on the new version, and then simply add i to the (upgraded) engine, to make them work again. oVirt is a lot of paddling, but in my experience it works fine when you just let it run and don't do anything too fancy to it (like upgrading, which has to be done from time to time). ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HP7NL7GPRMZMLW4AF2QDHNH6HGBOLE6Y/
[ovirt-users] Re: VM migration failed after upgrade to 4.4
Live migration across major releases sounds like the sort of feature everybody would just love to have but oVirt would support as little as operating clusters with mixed release nodes. AFAIK HCI upgrades from 4.3 to 4.4 were never even described and definitely didn't involve live VMs. I exported all my VMs to an NFS based export domain, redid the HCI from scratch and then imported the VMs from the export domain. And I kept the 4.3 disks around so I could to back if things failed. The described (non-HCI) upgrade procedures had you up the creek without a paddle if things failed half-way... oVirt was never really enterprise grade. ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FIGAL34KPA5QFRGETTL5QMWVOEF5AHCW/
[ovirt-users] Re: vm migration failed with certifacate issue
solved reloaded libvirtd on servers involved in certificate renewal thanks чт, 8 сент. 2022 г. в 17:57, Milan Zamazal : > parallax writes: > > > ovirt 4.4.4.7 > > > > not able to migrate VMs between hosts with following vdsm error: > > > > operation failed: Failed to connect to remote libvirt URI > > qemu+tls://kvm4.imp.loc/system: authentication failed: Failed to verify > > peer's certificate > > You should be able to see a more exact reason for the certificate > verification failure in libvirtd logs on the source host (perhaps after > adjusting logging settings in /etc/libvirt/libvirtd.conf + restarting > libvirtd). > > Anyway, you should check the certificates in /etc/pki/vdsm/certs on both > the source and destination hosts: > > - cacert.pem should be the Engine CA certificate. > > - vdsmcert.pem should be a certificate signed by the CA certificate, > with the right host name and not expired. > > If you are using encrypted migrations then you should additionally check > the certificates in /etc/pki/vdsm/libvirt-migrate. cacert.pem should be > the CA certificate, server-cert.pem a valid certificate signed by the CA > certificate and there should be links client-cert.pem and client-key.pem > to server-cert.pem and server-key.pem respectively. > > > hosts certificates was renewed recently but hosts hasn't been reloaded > > how to fix this issue > > Regards, > Milan > > ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6URQYJKFDF6H46XVPU4MAUDOBLJBVNO6/
[ovirt-users] Re: vm migration failed with certifacate issue
parallax writes: > ovirt 4.4.4.7 > > not able to migrate VMs between hosts with following vdsm error: > > operation failed: Failed to connect to remote libvirt URI > qemu+tls://kvm4.imp.loc/system: authentication failed: Failed to verify > peer's certificate You should be able to see a more exact reason for the certificate verification failure in libvirtd logs on the source host (perhaps after adjusting logging settings in /etc/libvirt/libvirtd.conf + restarting libvirtd). Anyway, you should check the certificates in /etc/pki/vdsm/certs on both the source and destination hosts: - cacert.pem should be the Engine CA certificate. - vdsmcert.pem should be a certificate signed by the CA certificate, with the right host name and not expired. If you are using encrypted migrations then you should additionally check the certificates in /etc/pki/vdsm/libvirt-migrate. cacert.pem should be the CA certificate, server-cert.pem a valid certificate signed by the CA certificate and there should be links client-cert.pem and client-key.pem to server-cert.pem and server-key.pem respectively. > hosts certificates was renewed recently but hosts hasn't been reloaded > how to fix this issue Regards, Milan ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/7M73Y6X27IW6DSBQLJKH4HWUA3KX7EDO/
[ovirt-users] Re: VM Migration Failed
"KSNull Zero" writes: > Is it safe to restart libvirtd on hosts with workloads without entering > Maintenance mode ? Generally no, often yes. Restarting libvirtd shouldn't cause harm to the VMs themselves but it can disrupt running jobs managed by libvirt or confuse oVirt if some actions are being performed at the given moment. It's best to do it when there are no migrations (host migrations don't work for you currently anyway) or other jobs (e.g. snapshots) or actions (e.g. VM startup or shutdown) running on the host. Even if they are, it doesn't necessarily mean something breaks but it's best-effort/no-guarantees workflow instead of the normal workflow. I think just adding the certificate links doesn't require libvirtd restart. And reload may be enough after changing libvirt configuration files. ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/55HGK5PK2P6WKM4RGPR73HQQUBTJO3AX/
[ovirt-users] Re: VM Migration Failed
Is it safe to restart libvirtd on hosts with workloads without entering Maintenance mode ? ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/SXJLR2PZ5PRK3VAVAU4T7V7GGIX46RNN/
[ovirt-users] Re: VM Migration Failed
"KSNull Zero" writes: > Running oVirt 4.4.5 > VM cannot migrate between hosts. > > vdsm.log contains the following error: > libvirt.libvirtError: operation failed: Failed to connect to remote > libvirt URI qemu+tls://ovhost01.local/system: authentication failed: > Failed to verify peer's certificate > > Certificates on hosts was renewed some time ago. How this issue can be fixed ? I think it's https://bugzilla.redhat.com/show_bug.cgi?id=1948376, which was fixed in 4.4.6.5. IIRC you need to create links in /etc/pki/vdsm/libvirt-migrate on the source host from server-*.pem to client-*.pem and make sure migrate_tls_x509_verify = 1 is set (it is by default) in /etc/libvirt/qemu.conf. Restarting libvirtd may be needed afterwards. Regards, Milan ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/Q7MBTVNUABJSGXFFAVR6WS72COJ4ZOR4/
[ovirt-users] Re: VM Migration Failed
Moreover - host now stuck in PreparingForMaintenance status because VM migration does not working. Any solutions ? ___ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/W2FZN3AC6OQSXGIJSGYHTNS7ZSLFM3T2/