[ovirt-users] Re: I wrote an article on using Ansible to backup oVirt VMs

2020-02-18 Thread Jayme
Gianluca,

Thank you so much for the great feedback, it is very much appreciated! I
too have to carve out some time to test some of these ideas more
thoroughly, but I wanted to offer some of my initial thoughts anyway.

My goal is for the playbook(s) to be as simple as possible with as little
configuration as possible. Ideally I'd love to see the playbooks able to be
run from any host without requiring a connection to the engine database or
needing to have access to storage in order to verify export status.

1. Vault: I am aware of this and have seen this method used in other
oVirt/RHEV documentation. The reason I left it out is because I want to run
the playbook on cron without being prompted for a password. This could
potentially be solved by specifying the vault password as an environment
variable in cron, but in the end the password still needs to be provided
somewhere for the playbook to work hands-off. I suppose it's a matter of
which is the most secure and recommended way to do so.  Open to suggestions
here.

2. Blocks: I am aware of the use of blocks in Ansible but don't personally
have much direct experience using them. Your idea to use a block for SSO
token seems reasonable and likely should be implemented. I need to test
that out.

3. Export Timing: I like your solution for probing the DB for export status
and I'd like to spend some more time looking at that. I wonder if it's
perhaps a bit too complex and if there may be an easier way without
directly interacting with the engine database. One idea I had which I think
could work would be by use of the
https://docs.ansible.com/ansible/latest/modules/ovirt_event_info_module.html#ovirt-event-info-module
module.
I believe this module could be used in a wait_for until the message "Vm X
was exported successfully as a Virtual Appliance to path..." appears in the
VM's event messages. To make sure we don't get prior events we could
register the current event index ID in a variable then use the "from_"
parameter to only search for new events. I do think something like this
could work but I haven't had enough time to thoroughly test it and I'm not
sure if it's the best possible solution. There may be an even easier way to
determine the export status using existing ovirt Ansible modules but I have
not found one yet. What are your thoughts on this method?

I'd also be interested to hear if you have any thoughts or opinions on ways
to improve backup retention policy to make it more versatile.

Thanks again for your feedback!

- Jayme



On Tue, Feb 18, 2020 at 8:15 AM Gianluca Cecchi 
wrote:

> On Mon, Feb 10, 2020 at 5:01 PM Jayme  wrote:
>
>> I've been part of this mailing list for a while now and have received a
>> lot of great advice and help on various subjects. I read the list daily and
>> one thing I've noticed is that many users are curious about backup options
>> for oVirt (myself included). I wanted to share with the community a
>> solution I've come up with to easily backup multiple running oVirt VMs to
>> OVA format using some basic Ansible playbooks. I've put together a blog
>> post detailing the process which also includes links to a Github repo
>> containing the playbooks here:
>> https://blog.silverorange.com/backing-up-ovirt-vms-with-ansible-4c2fca8b3b43
>>
>> Any feedback, suggestions or questions are welcome. I hope this
>> information is helpful.
>>
>> Thanks!
>>
>> - Jayme
>>
>>
> Hi Jayme,
> sorry in advance for the long mail, where I try to give details; I don't
> know your Ansible experience.
> A very nice and clean article indeed, with useful details (apart from text
> not justified: I prefer it but YMMV) and pretty fair with vProtect work and
> also pros and cons of their solution.
> I met Pawel Maczka from vProtect during oVirt Summit last year and I was
> able to appreciate his kindness and skill and efforts in integrating with
> oVirt/RHV.
>
> That said, I have some suggestions for you. In the next days I could work
> on a similar need for a customer, so it will be nice to share efforts and
> hopefully results... ;-)
> This week I have not much time but if you can elaborate and test what
> below, we can share.
>
> 1) engine parameters
> you could use ansible vault to encrypt credential files, to have better
> security and so you can disclose the playbook files without having to care
> about sensitive information
> In my case I put username, password, ovirt mgr fqdn, ovirt ca file all in
> a file and then encrypt it (and also engine database ones, see below).
> Then I create a securely protected vault file named "vault_file" where I
> store the vault password and then I recall the playbook with:
>
> ansible-playbook  --vault-password-file=vault_file backup_ovirt_vms.yml
>
> Alternatively you are prompted for the vault password each time you run
> the playbook
>
> 2) The best practice of using the oVirt SSO token in Ansible is to use a
> block of kind:
>
>   tasks:
>
>     - name: Ansible block to export as OVA
>       block:
>
>  
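
Added example, not part of the original thread or of the article's playbooks: one way the event-based wait from point 3 of the reply above could look as per-VM Ansible tasks. The variables export_host and export_dir, the retry timings and the match pattern (built from the message text quoted in the reply) are assumptions; ovirt_auth and the loop variable item follow the block quoted in the thread.

```yaml
# Hypothetical per-VM tasks file (for example the export_vm.yml included by the
# playbook's loop). Assumes an SSO token is already registered as ovirt_auth and
# that "item" holds the VM name. export_host and export_dir are assumed variables.

- name: Record the newest event id before the export starts
  ovirt_event_info:
    auth: "{{ ovirt_auth }}"
    max: 1                      # events are returned highest id first
  register: last_event

- name: Start the OVA export (the task returns before the export has finished)
  ovirt_vm:
    auth: "{{ ovirt_auth }}"
    name: "{{ item }}"
    state: exported
    export_ova:
      host: "{{ export_host }}"
      directory: "{{ export_dir }}"
      filename: "{{ item }}.ova"

- name: Wait until a new event reports a successful export of this VM
  ovirt_event_info:
    auth: "{{ ovirt_auth }}"
    # Only events with an index greater than the recorded one are returned,
    # so a success message from an earlier backup run cannot match.
    from_: "{{ last_event.ovirt_events[0].id }}"
  register: new_events
  vars:
    # Pattern assumed from the event text quoted in the thread.
    export_ok_regex: "^Vm {{ item | regex_escape }} was exported successfully as a Virtual Appliance"
  until: >-
    new_events.ovirt_events
    | selectattr('description', 'search', export_ok_regex)
    | list | length > 0
  # 120 x 30 s = at most one hour per VM; a failed export never produces the
  # success event, so the task fails when the retries are exhausted.
  retries: 120
  delay: 30
```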

[ovirt-users] Re: I wrote an article on using Ansible to backup oVirt VMs

2020-02-18 Thread Gianluca Cecchi
On Mon, Feb 10, 2020 at 5:01 PM Jayme  wrote:

> I've been part of this mailing list for a while now and have received a
> lot of great advice and help on various subjects. I read the list daily and
> one thing I've noticed is that many users are curious about backup options
> for oVirt (myself included). I wanted to share with the community a
> solution I've come up with to easily backup multiple running oVirt VMs to
> OVA format using some basic Ansible playbooks. I've put together a blog
> post detailing the process which also includes links to a Github repo
> containing the playbooks here:
> https://blog.silverorange.com/backing-up-ovirt-vms-with-ansible-4c2fca8b3b43
>
> Any feedback, suggestions or questions are welcome. I hope this
> information is helpful.
>
> Thanks!
>
> - Jayme
>
>
Hi Jayme,
sorry in advance for the long mail, where I try to give details; I don't
know your Ansible experience.
A very nice and clean article indeed, with useful details (apart from text
not justified: I prefer it but YMMV) and pretty fair with vProtect work and
also pros and cons of their solution.
I met Pawel Maczka from vProtect during oVirt Summit last year and I was
able to appreciate his kindness and skill and efforts in integrating with
oVirt/RHV.

That said, I have some suggestions for you. In the next days I could work
on a similar need for a customer, so it will be nice to share efforts and
hopefully results... ;-)
This week I have not much time but if you can elaborate and test what
below, we can share.

1) engine parameters
you could use ansible vault to encrypt credential files, to have better
security and so you can disclose the playbook files without having to care
about sensitive information
In my case I put username, password, ovirt mgr fqdn, ovirt ca file all in a
file and then encrypt it (and also engine database ones, see below).
Then I create a securely protected vault file named "vault_file" where I
store the vault password and then I recall the playbook with:

ansible-playbook  --vault-password-file=vault_file backup_ovirt_vms.yml

Alternatively you are prompted for the vault password each time you run the
playbook

2) The best practice of using the oVirt SSO token in Ansible is to use a
block of kind:

  tasks:

    - name: Ansible block to export as OVA
      block:

        - name: Obtain SSO token using username/password credentials
          ovirt_auth:
            url: https://{{ url_name }}/ovirt-engine/api
            username: "{{ ovirt_username }}"
            password: "{{ ovirt_password }}"
            ca_file: "{{ ovirt_ca }}"

        - name: "Backup VMs"
          include_tasks: export_vm.yml
          loop: "{{ vms }}"

      always:

        - name: Revoke SSO token
          ovirt_auth:
            state: absent
            ovirt_auth: "{{ ovirt_auth }}"

So that anyway, thanks to the "always" section, you are sure to revoke the
token

3) To manage timing of export to ova that fires up and suddenly completes
from an ansible job point of view.
Possibly overkill, I don't know if ovirt_job module in any way could do the
same, but I try to solve using the engine db

Please note that engine db credentials are on engine inside file:
/etc/ovirt-engine/engine.conf.d/10-setup-database.conf

and by default you can connect remotely to the database with engine user
and with password being encrypted over the network thanks to pg_hba.conf in
directory
/var/opt/rh/rh-postgresql10/lib/pgsql/data/pg_hba.conf

# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    engine          engine          0.0.0.0/0               md5

There are two tables involved
"job_subject_entity" table that you query and where entity_id should be the
id of the VM you are exporting and from this table you get the related job_id
"job" table where you query for the job_id matching from what you got from
previous query (eventually to refine if you have more concurrent jobs
running against your VM and you have to filter what interests to you, eg
action_type= ExportVmToOva ... TBD)

Eg:
export running

engine=> \x
Expanded display is on.

engine=> select * from job_subject_entity where
entity_id='442a1321-e366-4ea2-81bc-cad6e860a517';
-[ RECORD 1 ]-
job_id      | 1d4797f3-b1f9-4c19-8c8d-fb8c019399b1
entity_id   | 442a1321-e366-4ea2-81bc-cad6e860a517
entity_type | VM

engine=> select * from job where
job_id='1d4797f3-b1f9-4c19-8c8d-fb8c019399b1';
-[ RECORD 1 ]-+---
job_id        | 1d4797f3-b1f9-4c19-8c8d-fb8c019399b1
action_type   | ExportVmToOva
description   | Exporting VM c8 as an OVA to /rhev/data-center/mnt/10.4.192.69:_export_ovirt/dump/c8.ova on Host ov301
status        | STARTED
owner_id      | 58823863-00d4-0257-0094-02f3
visible       | t
start_time    | 2020-02-18 12:00:16.629+01
end_time 

[ovirt-users] Re: I wrote an article on using Ansible to backup oVirt VMs

2020-02-11 Thread Jan Zmeskal
Great read, Jayme. Thank you very much for sharing this in the open-source
way!

Jan

On Mon, Feb 10, 2020 at 11:56 PM Torsten Stolpmann <
torsten.stolpm...@verit.de> wrote:

> Thanks Jayme, much appreciated!
>
> On 10.02.2020 16:59, Jayme wrote:
> > I've been part of this mailing list for a while now and have received a
> > lot of great advice and help on various subjects. I read the list daily
> > and one thing I've noticed is that many users are curious about backup
> > options for oVirt (myself included). I wanted to share with the
> > community a solution I've come up with to easily backup multiple running
> > oVirt VMs to OVA format using some basic Ansible playbooks. I've put
> > together a blog post detailing the process which also includes links to
> > a Github repo containing the playbooks here:
> >
> https://blog.silverorange.com/backing-up-ovirt-vms-with-ansible-4c2fca8b3b43
> >
> > Any feedback, suggestions or questions are welcome. I hope this
> > information is helpful.
> >
> > Thanks!
> >
> > - Jayme
> >
> > ___
> > Users mailing list -- users@ovirt.org
> > To unsubscribe send an email to users-le...@ovirt.org
> > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> > oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> > List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/U65CV5A6WC6SCB2R5N66Y7HPXQ3ZQT2H/
> >
>


-- 

Jan Zmeskal

Quality Engineer, RHV Core System

Red Hat 



[ovirt-users] Re: I wrote an article on using Ansible to backup oVirt VMs

2020-02-10 Thread Torsten Stolpmann

Thanks Jayme, much appreciated!

On 10.02.2020 16:59, Jayme wrote:
I've been part of this mailing list for a while now and have received a 
lot of great advice and help on various subjects. I read the list daily 
and one thing I've noticed is that many users are curious about backup 
options for oVirt (myself included). I wanted to share with the 
community a solution I've come up with to easily backup multiple running 
oVirt VMs to OVA format using some basic Ansible playbooks. I've put 
together a blog post detailing the process which also includes links to 
a Github repo containing the playbooks here: 
https://blog.silverorange.com/backing-up-ovirt-vms-with-ansible-4c2fca8b3b43


Any feedback, suggestions or questions are welcome. I hope this 
information is helpful.


Thanks!

- Jayme



[ovirt-users] Re: I wrote an article on using Ansible to backup oVirt VMs

2020-02-10 Thread s . panicho
This is excellent! Thanks for sharing.