[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-09 Thread Paul-Erik Törrönen

On 2020-06-09 11:26, Yedidyah Bar David wrote:
> On Tue, Jun 9, 2020 at 10:23 AM Paul-Erik Törrönen wrote:
>> You can't e.g. have an ed25519-only setup as the installation tries to
>> use RSA.
>
> Thanks for this comment. Added a note for you on Wart's bug 1845271.

Thank you.

> Do you think this is a significant limitation?

No, unless you get others requesting this particular support. I only
stumbled across this as I am setting up my home network from scratch
with a minimal ansible script collection which includes hardening the
ssh.

Nonetheless it would be good to mention it in the documentation.

Poltsi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RA5JVERESON4O4ZBI5GMKG73OV5ATVPM/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-09 Thread Yedidyah Bar David
On Tue, Jun 9, 2020 at 10:23 AM Paul-Erik Törrönen  wrote:
>
> On 2020-06-08 08:58, Yedidyah Bar David wrote:
> > I agree it's not detailed enough.
> > We have it briefly mentioned e.g. here:
> > https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine_using_the_cockpit_web_interface/#host-firewall-requirements_SHE_cockpit_deploy
> > For some reason it's marked "Optional", not sure why.
>
> I think it should also be pointed out that only certain keys are
> supported.
>
> You can't eg. have a ed25519-only setup as the installation tries to use
> RSA.

Thanks for this comment. Added a note for you on Wart's bug 1845271.

Do you think this is a significant limitation?

In theory, it should not be too hard to make the engine's PKI code
more flexible, allowing configuring it to use whatever algorithms
both openssl/m2crypto and Java support, but in reality this was never
requested. Only relevant change I recall was the request to change
from hash algo SHA1 to SHA256, several years ago (which we did, then,
unconditionally, still hardcoding sha256 in several places).

Thanks and best regards,
-- 
Didi
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/KHCN2AKH7RYQKIMZE7AGYZDOQH4P3FMQ/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-09 Thread Paul-Erik Törrönen

On 2020-06-08 08:58, Yedidyah Bar David wrote:
> I agree it's not detailed enough.
> We have it briefly mentioned e.g. here:
> https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine_using_the_cockpit_web_interface/#host-firewall-requirements_SHE_cockpit_deploy
> For some reason it's marked "Optional", not sure why.

I think it should also be pointed out that only certain keys are
supported.

You can't e.g. have an ed25519-only setup as the installation tries to use
RSA.


Poltsi
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PYY7KT3UYCLDPPPBEK2ZDFEY3AEKYJW5/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-08 Thread Michael Thomas

On 6/8/20 12:58 AM, Yedidyah Bar David wrote:
> On Sun, Jun 7, 2020 at 6:37 PM Michael Thomas wrote:
>> On 6/7/20 8:42 AM, Yedidyah Bar David wrote:
>>> On Sun, Jun 7, 2020 at 4:07 PM Michael Thomas wrote:
>>>> On 6/7/20 5:01 AM, Yedidyah Bar David wrote:
>>>>> On Sat, Jun 6, 2020 at 8:42 PM Michael Thomas wrote:
>>>>>> After a week of iterations, I finally found the problem.  I was setting
>>>>>> 'PermitRootLogin no' in the global section of the bare metal OS sshd_config, as
>>>>>> we do on all of our servers.  Instead, PermitRootLogin is set to
>>>>>> 'without-password' in a match block to allow root logins only from a well-known
>>>>>> set of hosts.
>>>
>>> I understand that you meant to say that this is already working for
>>> you, right? That you set it to allow without-password from some
>>> addresses and that that was enough. If so:
>>
>> Correct.  Once I added the engine's IP to the Match block allowing root
>> logins, it worked again.
>>
>>>>>
>>>>> Thanks for the report!
>>>>>
>>>>>> Can someone explain why setting 'PermitRootLogin no' in the sshd_config on the
>>>>>> hypervisor OS would affect the hosted engine deployment?
>>>>>
>>>>> Because the engine (running inside a VM) uses ssh as root to connect
>>>>> to the host (in which the engine vm is running).
>>>>
>>>> Would it be sufficient to set, on the host, 'PermitRootLogin
>>>> without-password' in a Match block that matches the ovirt management
>>>> network?
>>>>
>>>> Match Address 10.10.10.0/24
>>>>    PermitRootLogin without-password
>>>>
>>>> ?
>>>
>>> Do you mean here to ask if 10.10.10.10/24 is enough?
>>>
>>> The engine VM's IP address should be enough. What this address is,
>>> after deploy finishes, is of course up to you. During deploy it's by
>>> default in libvirt's default network, 192.168.222.0/24, but can be
>>> different if that's already in use by something else (e.g. a physical
>>> NIC).
>>>
>>> BTW, I didn't test this myself. I do see in the code that it's
>>> supposed to work. If you find a bug, please report one. Thanks.
>>
>> I think the two problems that I ran into were:
>>
>> * Lack of documentation about the requirement that the engine (whether
>> self-hosted or standalone) be able to ssh into the bare metal hypervisor
>> host over the ovirt management network using ssh keys.
>
> I agree it's not detailed enough.
>
> We have it briefly mentioned e.g. here:
>
> https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine_using_the_cockpit_web_interface/#host-firewall-requirements_SHE_cockpit_deploy
>
> For some reason it's marked "Optional", not sure why.
>
>> * No clear error message in the logs describing why this was failing.
>> The only errors I got were a timeout waiting for the host to be up, and
>> a generic "The system may not be provisioned according to the playbook
>> results: please check the logs for the issue, fix accordingly or
>> re-deploy from scratch.\n"
>>
>> I'll file this as a documentation bug.
>
> Very well.

Filed:

https://bugzilla.redhat.com/show_bug.cgi?id=1845271

--Mike
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/GTFDN6N7BNCRVJKC4QVHXNCX57F3GFC6/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-08 Thread Yedidyah Bar David
On Sun, Jun 7, 2020 at 6:37 PM Michael Thomas  wrote:
>
> On 6/7/20 8:42 AM, Yedidyah Bar David wrote:
> > On Sun, Jun 7, 2020 at 4:07 PM Michael Thomas  wrote:
> >>
> >> On 6/7/20 5:01 AM, Yedidyah Bar David wrote:
> >>> On Sat, Jun 6, 2020 at 8:42 PM Michael Thomas  wrote:
> 
>  After a week of iterations, I finally found the problem.  I was setting 
>  'PermitRootLogin no' in the global section of the bare metal OS 
>  sshd_config, as we do on all of our servers.  Instead, PermitRootLogin 
>  is set to 'without-password' in a match block to allow root logins only 
>  from a well-known set of hosts.
> >
> > I understand that you meant to say that this is already working for
> > you, right? That you set it to allow without-password from some
> > addresses and that that was enough. If so:
>
> Correct.  Once I added the engine's IP to the Match block allowing root
> logins, it worked again.
>
> >>>
> >>> Thanks for the report!
> >>>
> 
>  Can someone explain why setting 'PermitRootLogin no' in the sshd_config 
>  on the hypervisor OS would affect the hosted engine deployment?
> >>>
> >>> Because the engine (running inside a VM) uses ssh as root to connect
> >>> to the host (in which the engine vm is running).
> >>
> >> Would it be sufficient to set, on the host, 'PermitRootLogin
> >> without-password' in a Match block that matches the ovirt management
> >> network?
> >>
> >> Match Address 10.10.10.0/24
> >>   PermitRootLogin without-password
> >>
> >> ?
> >
> > Do you mean here to ask if 10.10.10.10/24 is enough?
> >
> > The engine VM's IP address should be enough. What this address is,
> > after deploy finishes, is of course up to you. During deploy it's by
> > default in libvirt's default network, 192.168.222.0/24, but can be
> > different if that's already in use by something else (e.g. a physical
> > NIC).
> >
> > BTW, I didn't test this myself. I do see in the code that it's
> > supposed to work. If you find a bug, please report one. Thanks.
>
> I think the two problems that I ran into were:
>
> * Lack of documentation about the requirement that the engine (whether
> self-hosted or standalone) be able to ssh into the bare metal hypervisor
> host over the ovirt management network using ssh keys.

I agree it's not detailed enough.

We have it briefly mentioned e.g. here:

https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine_using_the_cockpit_web_interface/#host-firewall-requirements_SHE_cockpit_deploy

For some reason it's marked "Optional", not sure why.

>
> * No clear error message in the logs describing why this was failing.
> The only errors I got were a timeout waiting for the host to be up, and
> a generic ""The system may not be provisioned according to the playbook
> results: please check the logs for the issue, fix accordingly or
> re-deploy from scratch.\n"
>
> I'll file this as a documentation bug.

Very well.

Thanks and best regards,
-- 
Didi
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/GGOUHZOXWELCPWJJO7IGZVWHO52F7SJ6/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-07 Thread Michael Thomas

On 6/7/20 8:42 AM, Yedidyah Bar David wrote:
> On Sun, Jun 7, 2020 at 4:07 PM Michael Thomas wrote:
>> On 6/7/20 5:01 AM, Yedidyah Bar David wrote:
>>> On Sat, Jun 6, 2020 at 8:42 PM Michael Thomas wrote:
>>>> After a week of iterations, I finally found the problem.  I was setting
>>>> 'PermitRootLogin no' in the global section of the bare metal OS sshd_config, as
>>>> we do on all of our servers.  Instead, PermitRootLogin is set to
>>>> 'without-password' in a match block to allow root logins only from a well-known
>>>> set of hosts.
>
> I understand that you meant to say that this is already working for
> you, right? That you set it to allow without-password from some
> addresses and that that was enough. If so:

Correct.  Once I added the engine's IP to the Match block allowing root
logins, it worked again.

>>>
>>> Thanks for the report!
>>>
>>>> Can someone explain why setting 'PermitRootLogin no' in the sshd_config on the
>>>> hypervisor OS would affect the hosted engine deployment?
>>>
>>> Because the engine (running inside a VM) uses ssh as root to connect
>>> to the host (in which the engine vm is running).
>>
>> Would it be sufficient to set, on the host, 'PermitRootLogin
>> without-password' in a Match block that matches the ovirt management
>> network?
>>
>> Match Address 10.10.10.0/24
>>   PermitRootLogin without-password
>>
>> ?
>
> Do you mean here to ask if 10.10.10.10/24 is enough?
>
> The engine VM's IP address should be enough. What this address is,
> after deploy finishes, is of course up to you. During deploy it's by
> default in libvirt's default network, 192.168.222.0/24, but can be
> different if that's already in use by something else (e.g. a physical
> NIC).
>
> BTW, I didn't test this myself. I do see in the code that it's
> supposed to work. If you find a bug, please report one. Thanks.

I think the two problems that I ran into were:

* Lack of documentation about the requirement that the engine (whether
self-hosted or standalone) be able to ssh into the bare metal hypervisor
host over the ovirt management network using ssh keys.

* No clear error message in the logs describing why this was failing.
The only errors I got were a timeout waiting for the host to be up, and
a generic "The system may not be provisioned according to the playbook
results: please check the logs for the issue, fix accordingly or
re-deploy from scratch.\n"

I'll file this as a documentation bug.

--Mike
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/AKHPSYUEY3EMIVICM2O3M6KFN7AUOOEZ/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-07 Thread Yedidyah Bar David
On Sun, Jun 7, 2020 at 4:07 PM Michael Thomas  wrote:
>
> On 6/7/20 5:01 AM, Yedidyah Bar David wrote:
> > On Sat, Jun 6, 2020 at 8:42 PM Michael Thomas  wrote:
> >>
> >> After a week of iterations, I finally found the problem.  I was setting 
> >> 'PermitRootLogin no' in the global section of the bare metal OS 
> >> sshd_config, as we do on all of our servers.  Instead, PermitRootLogin is 
> >> set to 'without-password' in a match block to allow root logins only from 
> >> a well-known set of hosts.

I understand that you meant to say that this is already working for
you, right? That you set it to allow without-password from some
addresses and that that was enough. If so:

> >
> > Thanks for the report!
> >
> >>
> >> Can someone explain why setting 'PermitRootLogin no' in the sshd_config on 
> >> the hypervisor OS would affect the hosted engine deployment?
> >
> > Because the engine (running inside a VM) uses ssh as root to connect
> > to the host (in which the engine vm is running).
>
> Would it be sufficient to set, on the host, 'PermitRootLogin
> without-password' in a Match block that matches the ovirt management
> network?
>
> Match Address 10.10.10.0/24
>  PermitRootLogin without-password
>
> ?

Do you mean here to ask if 10.10.10.10/24 is enough?

The engine VM's IP address should be enough. What this address is,
after deploy finishes, is of course up to you. During deploy it's by
default in libvirt's default network, 192.168.222.0/24, but can be
different if that's already in use by something else (e.g. a physical
NIC).

BTW, I didn't test this myself. I do see in the code that it's
supposed to work. If you find a bug, please report one. Thanks.

Best regards,
-- 
Didi
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/F7FIW65YWL246J2FZKSGRNXDWX3ITPS5/
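The failure mode in this thread is that a global 'PermitRootLogin no' silently wins unless a Match block for the engine's address overrides it. The following is an added example, not code from the thread and not part of oVirt: a small Python evaluator of sshd_config Match-block semantics (global section first-value-wins, a matching Match block overrides it, the first matching block that sets a keyword wins), used to answer "what will the host's sshd apply to a root login from address X". The config text is constructed for illustration; 10.10.10.0/24 and 192.168.222.0/24 are the ranges mentioned above. Only the Address and User criteria are implemented.

```python
"""Evaluate which PermitRootLogin (or any keyword) the host's sshd applies
to a given client, following sshd_config(5) Match semantics: in the global
section the first value for a keyword wins; a Match block whose criteria
are all satisfied overrides the global value; when several blocks match,
the first one that sets the keyword wins.

Added example for this thread, not oVirt code. Only the Address and User
criteria are implemented; the sample config below is constructed.
"""
import ipaddress

# Constructed sshd_config mirroring the thread: root denied globally,
# allowed with keys from the management network and libvirt's default one.
SAMPLE_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no

Match Address 10.10.10.0/24
    PermitRootLogin without-password

Match Address 192.168.222.0/24
    PermitRootLogin prohibit-password
"""


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords are lower-cased and,
    within each section, only the first value seen is kept."""
    global_opts, match_blocks = {}, []
    current = None                       # None while in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key val" or "Key=val"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()       # "Address 10.0.0.0/8 User root" -> pairs
            criteria = {tokens[i].lower(): tokens[i + 1]
                        for i in range(0, len(tokens) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(keyword, value)
    return global_opts, match_blocks


def address_matches(pattern, addr):
    """Comma-separated CIDR blocks or literal addresses; a '!' entry that
    matches vetoes the whole list, as in sshd's addr_match_list()."""
    ip = ipaddress.ip_address(addr)
    result = False
    for entry in pattern.split(","):
        negated = entry.startswith("!")
        entry = entry.lstrip("!")
        try:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:               # not an address/CIDR, compare literally
            hit = entry == addr
        if hit and negated:
            return False
        result = result or hit
    return result


def criteria_match(criteria, addr, user):
    """True when every criterion of a Match line holds for this client."""
    for key, pattern in criteria.items():
        if key == "address" and not address_matches(pattern, addr):
            return False
        if key == "user" and user not in pattern.split(","):
            return False
        if key not in ("address", "user", "all"):
            raise ValueError("unsupported Match criterion: " + key)
    return True


def effective_option(text, keyword, addr, user="root"):
    """Value sshd would apply to `keyword` for a login as `user` from
    `addr`, or None when the config never sets it."""
    global_opts, match_blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for criteria, opts in match_blocks:
        if criteria_match(criteria, addr, user) and keyword in opts:
            return opts[keyword]         # first matching block wins
    return global_opts.get(keyword)


def root_key_login_allowed(text, addr):
    """True when root may log in with a key from `addr`. A config that never
    sets PermitRootLogin gets OpenSSH's default, prohibit-password."""
    value = effective_option(text, "PermitRootLogin", addr) or "prohibit-password"
    return value in ("yes", "without-password", "prohibit-password")


if __name__ == "__main__":
    for client in ("10.10.10.42", "192.168.222.5", "203.0.113.9"):
        print(client, effective_option(SAMPLE_SSHD_CONFIG, "PermitRootLogin", client),
              root_key_login_allowed(SAMPLE_SSHD_CONFIG, client))
```

Run stand-alone it reports that root key logins are allowed from 10.10.10.42 and 192.168.222.5 but denied from 203.0.113.9. On a real host the authoritative answer comes from sshd itself: `sshd -T -C user=root,host=<engine fqdn>,addr=<engine ip> | grep -i permitrootlogin` prints the value sshd will apply to that connection, Match blocks included, which is the check to run before deploying the engine.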


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-07 Thread Michael Thomas

On 6/7/20 5:01 AM, Yedidyah Bar David wrote:
> On Sat, Jun 6, 2020 at 8:42 PM Michael Thomas wrote:
>> After a week of iterations, I finally found the problem.  I was setting
>> 'PermitRootLogin no' in the global section of the bare metal OS sshd_config, as
>> we do on all of our servers.  Instead, PermitRootLogin is set to
>> 'without-password' in a match block to allow root logins only from a well-known
>> set of hosts.
>
> Thanks for the report!
>
>> Can someone explain why setting 'PermitRootLogin no' in the sshd_config on the
>> hypervisor OS would affect the hosted engine deployment?
>
> Because the engine (running inside a VM) uses ssh as root to connect
> to the host (in which the engine vm is running).

Would it be sufficient to set, on the host, 'PermitRootLogin
without-password' in a Match block that matches the ovirt management
network?

Match Address 10.10.10.0/24
    PermitRootLogin without-password

?

--Mike
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/35TSUAZ35YB3LCB3QM2CL6VG2KG4IHNF/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-07 Thread Strahil Nikolov via Users
On top of that Ansible is also using ssh, so you need to 'override' the
settings for the engine.

Best Regards,
Strahil Nikolov

На 7 юни 2020 г. 13:01:08 GMT+03:00, Yedidyah Bar David  
написа:
>On Sat, Jun 6, 2020 at 8:42 PM Michael Thomas  wrote:
>>
>> After a week of iterations, I finally found the problem.  I was
>setting 'PermitRootLogin no' in the global section of the bare metal OS
>sshd_config, as we do on all of our servers.  Instead, PermitRootLogin
>is set to 'without-password' in a match block to allow root logins only
>from a well-known set of hosts.
>
>Thanks for the report!
>
>>
>> Can someone explain why setting 'PermitRootLogin no' in the
>sshd_config on the hypervisor OS would affect the hosted engine
>deployment?
>
>Because the engine (running inside a VM) uses ssh as root to connect
>to the host (in which the engine vm is running).
>
>Best regards,
>--
>Didi
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/SBGU46FKWTF2ZN3Y45HP7NGPJAIUKWYP/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-07 Thread Yedidyah Bar David
On Sat, Jun 6, 2020 at 8:42 PM Michael Thomas  wrote:
>
> After a week of iterations, I finally found the problem.  I was setting 
> 'PermitRootLogin no' in the global section of the bare metal OS sshd_config, 
> as we do on all of our servers.  Instead, PermitRootLogin is set to 
> 'without-password' in a match block to allow root logins only from a 
> well-known set of hosts.

Thanks for the report!

>
> Can someone explain why setting 'PermitRootLogin no' in the sshd_config on 
> the hypervisor OS would affect the hosted engine deployment?

Because the engine (running inside a VM) uses ssh as root to connect
to the host (in which the engine vm is running).

Best regards,
--
Didi
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZOSVMS4LQFTKD7USTNJ5T73J6HWECRCV/


[ovirt-users] Re: First ovirt 4.4 installation failing

2020-06-06 Thread Michael Thomas
After a week of iterations, I finally found the problem.  I was setting 
'PermitRootLogin no' in the global section of the bare metal OS sshd_config, as 
we do on all of our servers.  Instead, PermitRootLogin is set to 
'without-password' in a match block to allow root logins only from a well-known 
set of hosts.

Can someone explain why setting 'PermitRootLogin no' in the sshd_config on the 
hypervisor OS would affect the hosted engine deployment?

--Mike
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/IM2O4JP4H2SVHYNQELTPIJIXMXPIXRJY/