[ovirt-users] Re: user portal

[Enrico Becchetti]

I've got a new X509 valid certificate signed from official CA , so my 
question is ,

Can I add this cert inside engine ?
Thanks again
Enrico

Il 23/03/21 09:45, Michal Skrivanek ha scritto:



On 23. 3. 2021, at 7:55, Enrico Becchetti 
mailto:enrico.becche...@pg.infn.it>> wrote:


Hi,

I've added a new ip public address and SSO_ALTERNATE_ENGINE_FQDNS,
after that I run engine-setup. and now ovirt can also be access with 
a new name

but the last item is about X509 certificate.
How can I add a second certificate for this new url ?


I think you’d have to use your own CA, the internal one doesn’t 
generate certificates with other names.

or as Didi suggested modify your DNS to use same FQDN for both ways



Best regards.
Enrico

Il 07/03/21 08:51, Yedidyah Bar David ha scritto:

On Fri, Mar 5, 2021 at 10:18 AM Enrico Becchetti
mailto:enrico.becche...@pg.infn.it>> 
wrote:

  Dear all,
I'm using ovirt 4.3.2 with its engine on a virtual machine. The nodes
are all Centos 7.7.

Is this a hosted-engine?

no

Both engine and hypervisor systems work on a 10.0.0.0 private network.
Now I would like to let users access the ovirt web page (user portal)
and for this
I must necessarily add a second network interface to the engine by
inserting a public ip. I can't use NAT.
Can you give me any advice for this operation ?
Can I add the network interface and then run engine-setup ?
Will oVirt be accessible from both ip addresses at the end of this
operation ?

Generally speaking:

1. You should be able to add an IP address to the existing NIC. If this
is a hosted-engine, this might be simpler than adding a NIC. Of course,
this might not be relevant in your case, depending on network topology,
conf, etc.

2. The engine itself does not care at all about which IP addresses are
used to connect to it. Neither is httpd that is running there as a 
frontend
to it - it listens on all addresses. So just add the address 
somehow, perhaps
restart httpd if needed (but I do not think so), and everything 
should work.


3. The engine _does_ care about the _name_. So make sure you use the
existing name. For this, you'll have to change your DNS, or /etc/hosts,
as applicable.

4. If it's complex for you to keep the existing name (e.g. because 
you want

to make it work from both old and new addresses, etc.), you can also add
another name that the engine will agree to be connected to, using
SSO_ALTERNATE_ENGINE_FQDNS, see e.g. [1].

Best regards,

[1] 
https://www.ovirt.org/develop/networking/changing-engine-hostname.html 




Lots of thanks.
Enrico

--
___

Enrico Becchetti    Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777 Skype:enrico_becchetti 
  Mail: Enrico.Becchettipg.infn.it
__
___
Users mailing list -- users@ovirt.org 
To unsubscribe send an email to users-le...@ovirt.org 

Privacy Statement: https://www.ovirt.org/privacy-policy.html 

oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/ 

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZW2SGNYGA4MEGUCA2ONQ3RVBRWIYMUJZ/ 







--
___

Enrico Becchetti    Servizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777Skype:enrico_becchetti 
Mail: Enrico.Becchettipg.infn.it
__
___
Users mailing list --users@ovirt.org 
To unsubscribe send an email tousers-le...@ovirt.org 

Privacy Statement:https://www.ovirt.org/privacy-policy.html 

oVirt Code of 
Conduct:https://www.ovirt.org/community/about/community-guidelines/ 

List 
Archives:https://lists.ovirt.org/archives/list/users@ovirt.org/message/MTSY7BKGWKFGBQXREFO4IBZESB62ESWG/ 






--
___

Enrico BecchettiServizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di 

[ovirt-users] Re: user portal

[Michal Skrivanek]

> On 23. 3. 2021, at 7:55, Enrico Becchetti  wrote:
> 
> Hi,
> 
> I've added a new ip public address and SSO_ALTERNATE_ENGINE_FQDNS,
> after that I run engine-setup. and now ovirt can also be access with a new 
> name
> but the last item is about X509 certificate.
> How can I add a second certificate for this new url ?

I think you’d have to use your own CA, the internal one doesn’t generate 
certificates with other names.
or as Didi suggested modify your DNS to use same FQDN for both ways


> Best regards.
> Enrico
> 
> Il 07/03/21 08:51, Yedidyah Bar David ha scritto:
>> On Fri, Mar 5, 2021 at 10:18 AM Enrico Becchetti
>> mailto:enrico.becche...@pg.infn.it>> wrote:
>>>   Dear all,
>>> I'm using ovirt 4.3.2 with its engine on a virtual machine. The nodes
>>> are all Centos 7.7.
>> Is this a hosted-engine?
> no
>>> Both engine and hypervisor systems work on a 10.0.0.0 private network.
>>> Now I would like to let users access the ovirt web page (user portal)
>>> and for this
>>> I must necessarily add a second network interface to the engine by
>>> inserting a public ip. I can't use NAT.
>>> Can you give me any advice for this operation ?
>>> Can I add the network interface and then run engine-setup ?
>>> Will oVirt be accessible from both ip addresses at the end of this
>>> operation ?
>> Generally speaking:
>> 
>> 1. You should be able to add an IP address to the existing NIC. If this
>> is a hosted-engine, this might be simpler than adding a NIC. Of course,
>> this might not be relevant in your case, depending on network topology,
>> conf, etc.
>> 
>> 2. The engine itself does not care at all about which IP addresses are
>> used to connect to it. Neither is httpd that is running there as a frontend
>> to it - it listens on all addresses. So just add the address somehow, perhaps
>> restart httpd if needed (but I do not think so), and everything should work.
>> 
>> 3. The engine _does_ care about the _name_. So make sure you use the
>> existing name. For this, you'll have to change your DNS, or /etc/hosts,
>> as applicable.
>> 
>> 4. If it's complex for you to keep the existing name (e.g. because you want
>> to make it work from both old and new addresses, etc.), you can also add
>> another name that the engine will agree to be connected to, using
>> SSO_ALTERNATE_ENGINE_FQDNS, see e.g. [1].
>> 
>> Best regards,
>> 
>> [1] https://www.ovirt.org/develop/networking/changing-engine-hostname.html
>> 
>>> Lots of thanks.
>>> Enrico
>>> 
>>> --
>>> ___
>>> 
>>> Enrico BecchettiServizio di Calcolo e Reti
>>> 
>>> Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
>>> Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
>>> Phone:+39 075 5852777   Skype:enrico_becchetti
>>>   Mail: Enrico.Becchettipg.infn.it
>>> __
>>> ___
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>> oVirt Code of Conduct: 
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives: 
>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZW2SGNYGA4MEGUCA2ONQ3RVBRWIYMUJZ/
>> 
>> 
> 
> 
> -- 
> ___
> 
> Enrico BecchettiServizio di Calcolo e Reti
> 
> Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
> Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
> Phone:+39 075 5852777 Skype:enrico_becchetti 
> 
> Mail: Enrico.Becchettipg.infn.it
> __
> ___
> Users mailing list -- users@ovirt.org 
> To unsubscribe send an email to users-le...@ovirt.org 
> 
> Privacy Statement: https://www.ovirt.org/privacy-policy.html 
> 
> oVirt Code of Conduct: 
> https://www.ovirt.org/community/about/community-guidelines/ 
> 
> List Archives: 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/MTSY7BKGWKFGBQXREFO4IBZESB62ESWG/
>  
> 
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EIFTHZ7D673LAPPQ7WZGUVDDQE3USLIY/

[ovirt-users] Re: user portal

[Enrico Becchetti]

Hi,

I've added a new ip public address and SSO_ALTERNATE_ENGINE_FQDNS,
after that I run engine-setup. and now ovirt can also be access with a 
new name

but the last item is about X509 certificate.
How can I add a second certificate for this new url ?
Best regards.
Enrico

Il 07/03/21 08:51, Yedidyah Bar David ha scritto:

On Fri, Mar 5, 2021 at 10:18 AM Enrico Becchetti
 wrote:

   Dear all,
I'm using ovirt 4.3.2 with its engine on a virtual machine. The nodes
are all Centos 7.7.

Is this a hosted-engine?

no

Both engine and hypervisor systems work on a 10.0.0.0 private network.
Now I would like to let users access the ovirt web page (user portal)
and for this
I must necessarily add a second network interface to the engine by
inserting a public ip. I can't use NAT.
Can you give me any advice for this operation ?
Can I add the network interface and then run engine-setup ?
Will oVirt be accessible from both ip addresses at the end of this
operation ?

Generally speaking:

1. You should be able to add an IP address to the existing NIC. If this
is a hosted-engine, this might be simpler than adding a NIC. Of course,
this might not be relevant in your case, depending on network topology,
conf, etc.

2. The engine itself does not care at all about which IP addresses are
used to connect to it. Neither is httpd that is running there as a frontend
to it - it listens on all addresses. So just add the address somehow, perhaps
restart httpd if needed (but I do not think so), and everything should work.

3. The engine _does_ care about the _name_. So make sure you use the
existing name. For this, you'll have to change your DNS, or /etc/hosts,
as applicable.

4. If it's complex for you to keep the existing name (e.g. because you want
to make it work from both old and new addresses, etc.), you can also add
another name that the engine will agree to be connected to, using
SSO_ALTERNATE_ENGINE_FQDNS, see e.g. [1].

Best regards,

[1] https://www.ovirt.org/develop/networking/changing-engine-hostname.html


Lots of thanks.
Enrico

--
___

Enrico BecchettiServizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777   Skype:enrico_becchetti
   Mail: Enrico.Becchettipg.infn.it
__
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZW2SGNYGA4MEGUCA2ONQ3RVBRWIYMUJZ/






--
___

Enrico BecchettiServizio di Calcolo e Reti

Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
Phone:+39 075 5852777   Skype:enrico_becchetti
 Mail: Enrico.Becchettipg.infn.it
__
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MTSY7BKGWKFGBQXREFO4IBZESB62ESWG/

[ovirt-users] Re: user portal

[Yedidyah Bar David]

On Fri, Mar 5, 2021 at 10:18 AM Enrico Becchetti
 wrote:
>
>   Dear all,
> I'm using ovirt 4.3.2 with its engine on a virtual machine. The nodes
> are all Centos 7.7.

Is this a hosted-engine?

> Both engine and hypervisor systems work on a 10.0.0.0 private network.
> Now I would like to let users access the ovirt web page (user portal)
> and for this
> I must necessarily add a second network interface to the engine by
> inserting a public ip. I can't use NAT.
> Can you give me any advice for this operation ?
> Can I add the network interface and then run engine-setup ?
> Will oVirt be accessible from both ip addresses at the end of this
> operation ?

Generally speaking:

1. You should be able to add an IP address to the existing NIC. If this
is a hosted-engine, this might be simpler than adding a NIC. Of course,
this might not be relevant in your case, depending on network topology,
conf, etc.

2. The engine itself does not care at all about which IP addresses are
used to connect to it. Neither is httpd that is running there as a frontend
to it - it listens on all addresses. So just add the address somehow, perhaps
restart httpd if needed (but I do not think so), and everything should work.

3. The engine _does_ care about the _name_. So make sure you use the
existing name. For this, you'll have to change your DNS, or /etc/hosts,
as applicable.

4. If it's complex for you to keep the existing name (e.g. because you want
to make it work from both old and new addresses, etc.), you can also add
another name that the engine will agree to be connected to, using
SSO_ALTERNATE_ENGINE_FQDNS, see e.g. [1].

Best regards,

[1] https://www.ovirt.org/develop/networking/changing-engine-hostname.html

> Lots of thanks.
> Enrico
>
> --
> ___
>
> Enrico BecchettiServizio di Calcolo e Reti
>
> Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
> Via Pascoli,c/o Dipartimento di Fisica  06123 Perugia (ITALY)
> Phone:+39 075 5852777   Skype:enrico_becchetti
>   Mail: Enrico.Becchettipg.infn.it
> __
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: 
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives: 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZW2SGNYGA4MEGUCA2ONQ3RVBRWIYMUJZ/



-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/W43FAAGHLM5ZAUEESCPBJHPZ5PNGNNQB/

[ovirt-users] Re: User portal and DNS entries removal

[Strahil Nikolov via Users]

Have you thought to use a vdsm hook that executes your logic once a VM is 
removed ? This way users won't have the ability to alter the DNS records 
themselves ,which is way more secure and reliable.

Best Regards,
Strahil Nikolov






В събота, 21 ноември 2020 г., 10:26:45 Гринуич+2, Nathanaël Blanchet 
 написа: 





Hello,
We project to use User portal to give more autonomy to users for creating VMs. 
Creation, modifications are easy et friendship, and network is dealt with 
external dhcp/ddns. 
But when deleting a VM, DNS leases with a long TTL still remains and it is not 
possible to access a new VM that is named as same as the precedent one. I wrote 
a playbook that erases all related DNS entries and I'm used to run it with AWX 
for other cases. Is there a way to integrate this playbook into User portal to 
be run when deleting a VM so as the DNS database to be still clean?
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PPEDJKD6NUJONACMFFJFQJ7YR3TC2QFN/
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4Q7FDMX566YOLL6WIATBNTQAMLSUKI2K/