Re: [ovirt-users] seria consol setup

2016-03-31 Thread Francesco Romani
- Original Message -
> From: "Yedidyah Bar David" <d...@redhat.com>
> To: "Christophe TREFOIS" <christophe.tref...@uni.lu>, "Francesco Romani" 
> <from...@redhat.com>
> Cc: "Fabrice Bacchella" <fabrice.bacche...@orange.fr>, "users" 
> <users@ovirt.org>
> Sent: Thursday, March 31, 2016 8:00:04 AM
> Subject: Re: [ovirt-users] seria consol setup
> 
> On Wed, Mar 30, 2016 at 7:28 PM, Christophe TREFOIS
> <christophe.tref...@uni.lu> wrote:
> > Hi,
> >
> > I have a question on this.
> >
> > Can there be multiple SSH keys in that box in the GUI?
> >
> > For instance, we might have 2 keys for our “Admin” account?
> 
> Not sure, Francesco?

Yes, you can paste multiple new-line separated public keys in the same box.

-- 
Francesco Romani
RedHat Engineering Virtualization R & D
Phone: 8261328
IRC: fromani
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] seria consol setup

2016-03-31 Thread Yedidyah Bar David
On Wed, Mar 30, 2016 at 7:28 PM, Christophe TREFOIS
 wrote:
> Hi,
>
> I have a question on this.
>
> Can there be multiple SSH keys in that box in the GUI?
>
> For instance, we might have 2 keys for our “Admin” account?

Not sure, Francesco?

>
> Thanks for your help,
>
> —
> C
>
>
>
>> On 23 Mar 2016, at 12:46, Fabrice Bacchella  
>> wrote:
>>
>>>
>>> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
>>>
>>> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella
>>>  wrote:
>>>> I'm reading the documentation here :
>>>>   http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>>>>
>>>> After a few strace, I found the ssh configuration used for the custom ssh 
>>>> that listens on port :
>>>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>>>>
>>>> And I have a big problem with it.
>>>> It says "GSSAPIAuthentication no" but public key authentication is not 
>>>> allowed in my data center, we use kerberos everywhere.
>>>> So I wonder if I can edit this file ? How is it managed by ovirt ?
>>>
>>> In general, things under /usr are only packaged, not "managed". So a
>>> next upgrade will overwrite your changes.
>>
>> Ok, so I just need to take care how modifications and upgrade are done 
>> (using puppet) and everything should be fine.
>>>
>>> Seems like both its systemd unit and sysv init script read
>>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
>>> ${OPTIONS} to sshd's command line. So you can try to:
>>>
>>> echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >>
>>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
>>>
>>>
>>
>> I tried that. It works. I now have pure kerberos only problems. But that's a 
>> good direction.
>>
>>> and restart it.
>>>
>>
>>
>



-- 
Didi


Re: [ovirt-users] seria consol setup

2016-03-30 Thread Christophe TREFOIS
Hi,

I have a question on this.

Can there be multiple SSH keys in that box in the GUI?

For instance, we might have 2 keys for our “Admin” account?

Thanks for your help,

—
C

  

> On 23 Mar 2016, at 12:46, Fabrice Bacchella  
> wrote:
> 
>> 
>> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
>> 
>> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella
>>  wrote:
>>> I'm reading the documentation here :
>>>   http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>>> 
>>> After a few strace, I found the ssh configuration used for the custom ssh 
>>> that listens on port :
>>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>>> 
>>> And I have a big problem with it.
>>> It says "GSSAPIAuthentication no" but public key authentication is not 
>>> allowed in my data center, we use kerberos everywhere.
>>> So I wonder if I can edit this file ? How is it managed by ovirt ?
>> 
>> In general, things under /usr are only packaged, not "managed". So a
>> next upgrade will overwrite your changes.
> 
> Ok, so I just need to take care how modifications and upgrade are done (using 
> puppet) and everything should be fine.
>> 
>> Seems like both its systemd unit and sysv init script read
>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
>> ${OPTIONS} to sshd's command line. So you can try to:
>> 
>> echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >>
>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
>> 
>> 
> 
> I tried that. It works. I now have pure kerberos only problems. But that's a 
> good direction.
> 
>> and restart it.
>> 
> 
> 


Re: [ovirt-users] seria consol setup

2016-03-23 Thread Fabrice Bacchella
>> 
>> su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys --debug
>> list'
>> ERROR: Internal error
>> 
>> --debug doesn't provide any help
> 
> You should find them in the journal/system logger; otherwise it is a 
> {different,new} bug.
> 

Ok, I found it in /var/log/messages :
... ovirt-vmconsole-list: ERROR main:274 Error: hostname 'localhost' doesn't 
match u'FQDN'

But why as I do have in 
/etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d/10-setup.conf 
ENGINE_VERIFY_HOST=False


That's the default, I didn't change it.






Re: [ovirt-users] seria consol setup

2016-03-23 Thread Francesco Romani
- Original Message -
> From: "Fabrice Bacchella" <fabrice.bacche...@orange.fr>
> To: "Francesco Romani" <from...@redhat.com>
> Cc: "Yedidyah Bar David" <d...@redhat.com>, "users" <users@ovirt.org>
> Sent: Wednesday, March 23, 2016 4:29:15 PM
> Subject: Re: [ovirt-users] seria consol setup
> 
> I'm trying, my configuration is still incomplete, I added in my httpd.conf:
> 
> 
> ServerName XXX
> DocumentRoot htdocs
> 
> RedirectMatch ^/$ /ovirt-engine/
> 
> SSLEngine on
> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
> SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass
> SSLCACertificateFile /etc/pki/ovirt-engine/apache-ca.pem
> 
> RequestHeader unset Expect early
> 
>  
> ^/(ovirt-engine($|/)|api($|/)|RHEVManagerWeb/|OvirtEngineWeb/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$)>
> ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5
> 
> AddOutputFilterByType DEFLATE text/javascript text/css text/html
> text/xml text/json application/xml application/json
> application/x-yaml
> 
> 
> 
> 
> and in /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d/99-my.conf
> ENGINE_BASE_URL=https://localhost:1443/ovirt-engine/
> 
> but no progress :
> 
> su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys --debug
> list'
> ERROR: Internal error
> 
> --debug doesn't provide any help

You should find them in the journal/system logger; otherwise it is a 
{different,new} bug.

Bests,


-- 
Francesco Romani
RedHat Engineering Virtualization R & D
Phone: 8261328
IRC: fromani


Re: [ovirt-users] seria consol setup

2016-03-23 Thread Fabrice Bacchella
I'm trying, my configuration is still incomplete, I added in my httpd.conf:


ServerName XXX
DocumentRoot htdocs

RedirectMatch ^/$ /ovirt-engine/

SSLEngine on
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass
SSLCACertificateFile /etc/pki/ovirt-engine/apache-ca.pem

RequestHeader unset Expect early


ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5

AddOutputFilterByType DEFLATE text/javascript text/css text/html 
text/xml text/json application/xml application/json application/x-yaml




and in /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d/99-my.conf
ENGINE_BASE_URL=https://localhost:1443/ovirt-engine/

but no progress :

su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys --debug list'
ERROR: Internal error

--debug doesn't provide any help

but 
curl -vk -XPOST https://localhost:1443/ovirt-engine/services/vmconsole-proxy
fails of course, but because the query is no good. More messages from 
ovirt-vmconsole-proxy-keys would be very helpful.


> On 23 March 2016 at 13:32, Francesco Romani <from...@redhat.com> wrote:
> 
> - Original Message -
>> From: "Fabrice Bacchella" <fabrice.bacche...@orange.fr>
>> To: "Francesco Romani" <from...@redhat.com>
>> Cc: "Yedidyah Bar David" <d...@redhat.com>, "users" <users@ovirt.org>
>> Sent: Wednesday, March 23, 2016 1:21:11 PM
>> Subject: Re: [ovirt-users] seria consol setup
>> 
>> 
>>> On 23 March 2016 at 12:32, Francesco Romani <from...@redhat.com> wrote:
>>> 
>>> - Original Message -
>>>> From: "Yedidyah Bar David" <d...@redhat.com>
>>>> To: "Fabrice Bacchella" <fabrice.bacche...@orange.fr>, "Francesco Romani"
>>>> <from...@redhat.com>
>>>> Cc: "users" <users@ovirt.org>
>>>> Sent: Wednesday, March 23, 2016 12:28:52 PM
>>>> Subject: Re: [ovirt-users] seria consol setup
>>> 
>>>>> I can always use puppet to modify just this line, it will be fine for me.
>>>>> 
>>>>> The point 4 in Automatic Setup is not very helpful:
>>>>> "   • once the setup succesfully run, and once ovirt-engine is
>>>>> running,
>>>>> you can log in and register a SSH key. (TODO: add picture)"
>>>>> 
>>>>> what does it mean ?
>>> 
>>> It just means that you need to add SSH public keys for the users which want
>>> to use
>>> the serial console.
>>> 
>>> E.g. log in user portal
>>> in the top right corner there is the $user drop down menu, click on it
>>> select "options"
>>> paste public key here
>>> 
>>> HTH,
>> 
>> I tried that, it didn't work.
> 
> What didn't work? Adding the keys or -AFAIK- the full authentication?
> 
>> By digging in log and configuration, I think
>> it's because I have an Apache server in front of ovirt-engine, using a
>> specific SSO authentication module (using CAS), so the certificate-based
>> authentication is failing, if my comprehension is good. So you should add a
>> few lines about that in the documentation.
> 
> Will improve in this regard
> 
>> Should I make the proxy helper
>> talk directly to tomcat by playing with ENGINE_BASE_URL in
>> /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d ?
> 
> Yes, the proxy helper is supposed to talk directly with the Engine.
> 
>> There is also a small glitch in the documentation:
>> su - ovirt-vmconsole -c 'ovirt-vmconsole-proxy-keys list'
>> but it should be:
>> su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys list'
> 
> Thanks, will fix.
> 
> Bests,
> 
> -- 
> Francesco Romani
> RedHat Engineering Virtualization R & D
> Phone: 8261328
> IRC: fromani



Re: [ovirt-users] seria consol setup

2016-03-23 Thread Francesco Romani
- Original Message -
> From: "Fabrice Bacchella" <fabrice.bacche...@orange.fr>
> To: "Francesco Romani" <from...@redhat.com>
> Cc: "Yedidyah Bar David" <d...@redhat.com>, "users" <users@ovirt.org>
> Sent: Wednesday, March 23, 2016 1:21:11 PM
> Subject: Re: [ovirt-users] seria consol setup
> 
> 
> > On 23 March 2016 at 12:32, Francesco Romani <from...@redhat.com> wrote:
> > 
> > - Original Message -
> >> From: "Yedidyah Bar David" <d...@redhat.com>
> >> To: "Fabrice Bacchella" <fabrice.bacche...@orange.fr>, "Francesco Romani"
> >> <from...@redhat.com>
> >> Cc: "users" <users@ovirt.org>
> >> Sent: Wednesday, March 23, 2016 12:28:52 PM
> >> Subject: Re: [ovirt-users] seria consol setup
> > 
> >>> I can always use puppet to modify just this line, it will be fine for me.
> >>> 
> >>> The point 4 in Automatic Setup is not very helpful:
> >>> "   • once the setup succesfully run, and once ovirt-engine is
> >>> running,
> >>> you can log in and register a SSH key. (TODO: add picture)"
> >>> 
> >>> what does it mean ?
> > 
> > It just means that you need to add SSH public keys for the users which want
> > to use
> > the serial console.
> > 
> > E.g. log in user portal
> > in the top right corner there is the $user drop down menu, click on it
> > select "options"
> > paste public key here
> > 
> > HTH,
> 
> I tried that, it didn't work.

What didn't work? Adding the keys or -AFAIK- the full authentication?

> By digging in log and configuration, I think
> it's because I have an Apache server in front of ovirt-engine, using a
> specific SSO authentication module (using CAS), so the certificate-based
> authentication is failing, if my comprehension is good. So you should add a
> few lines about that in the documentation.

Will improve in this regard

> Should I make the proxy helper
> talk directly to tomcat by playing with ENGINE_BASE_URL in
> /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d ?

Yes, the proxy helper is supposed to talk directly with the Engine.

> There is also a small glitch in the documentation:
> su - ovirt-vmconsole -c 'ovirt-vmconsole-proxy-keys list'
> but it should be:
> su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys list'

Thanks, will fix.

Bests,

-- 
Francesco Romani
RedHat Engineering Virtualization R & D
Phone: 8261328
IRC: fromani


Re: [ovirt-users] seria consol setup

2016-03-23 Thread Fabrice Bacchella

> On 23 March 2016 at 12:32, Francesco Romani <from...@redhat.com> wrote:
> 
> - Original Message -
>> From: "Yedidyah Bar David" <d...@redhat.com>
>> To: "Fabrice Bacchella" <fabrice.bacche...@orange.fr>, "Francesco Romani" 
>> <from...@redhat.com>
>> Cc: "users" <users@ovirt.org>
>> Sent: Wednesday, March 23, 2016 12:28:52 PM
>> Subject: Re: [ovirt-users] seria consol setup
> 
>>> I can always use puppet to modify just this line, it will be fine for me.
>>> 
>>> The point 4 in Automatic Setup is not very helpful:
>>> "   • once the setup succesfully run, and once ovirt-engine is running,
>>> you can log in and register a SSH key. (TODO: add picture)"
>>> 
>>> what does it mean ?
> 
> It just means that you need to add SSH public keys for the users which want 
> to use
> the serial console.
> 
> E.g. log in user portal
> in the top right corner there is the $user drop down menu, click on it
> select "options"
> paste public key here
> 
> HTH,

I tried that, it didn't work. By digging in log and configuration, I think it's 
because I have an Apache server in front of ovirt-engine, using a specific SSO 
authentication module (using CAS), so the certificate-based authentication is 
failing, if my comprehension is good. So you should add a few lines about that 
in the documentation. Should I make the proxy helper talk directly to tomcat 
by playing with ENGINE_BASE_URL in 
/etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d ? On a https enabled 
connector for tomcat ?

I have actually in my apache configuration:


AuthType CAS
Require valid-user
CASAuthNHeader X-Remote-User

ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5

AddOutputFilterByType DEFLATE text/javascript text/css text/html 
text/xml text/json application/xml application/json application/x-yaml





There is also a small glitch in the documentation:
su - ovirt-vmconsole -c 'ovirt-vmconsole-proxy-keys list'
but it should be:
su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys list'
  


Re: [ovirt-users] seria consol setup

2016-03-23 Thread Yedidyah Bar David
On Wed, Mar 23, 2016 at 1:46 PM, Fabrice Bacchella
 wrote:
>
>> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
>>
>> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella
>>  wrote:
>>> I'm reading the documentation here :
>>>   http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>>>
>>> After a few strace, I found the ssh configuration used for the custom ssh 
>>> that listens on port :
>>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>>>
>>> And I have a big problem with it.
>>> It says "GSSAPIAuthentication no" but public key authentication is not 
>>> allowed in my data center, we use kerberos everywhere.
>>> So I wonder if I can edit this file ? How is it managed by ovirt ?
>>
>> In general, things under /usr are only packaged, not "managed". So a
>> next upgrade will overwrite your changes.
>
> Ok, so I just need to take care how modifications and upgrade are done (using 
> puppet) and everything should be fine.

But isn't the below enough?

>>
>> Seems like both its systemd unit and sysv init script read
>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
>> ${OPTIONS} to sshd's command line. So you can try to:
>>
>> echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >>
>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
>>
>>
>
> I tried that. It works. I now have pure kerberos only problems. But that's a 
> good direction.

Good.

So that should be enough, no? IIRC command-line options override conf
file in sshd, no need to play games with rpm/yum.

Thanks for the report.

Best,
-- 
Didi
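
The sysconfig override discussed in this message, as an added example that is not part of the original post and not oVirt code: it goes one step beyond the `echo ... >>` one-liner by keeping a single `OPTIONS` line and a single entry per sshd keyword, so repeated runs stay idempotent and unrelated flags are preserved. The function names are hypothetical, and it assumes `OPTIONS` is written in the double-quoted form shown in the thread.

```sh
#!/bin/sh
# Added example, not oVirt code. Function names are hypothetical.
# Keeps one OPTIONS="..." line in a sysconfig file with exactly one
# "-o KEY=VALUE" entry for KEY, so repeated runs do not stack duplicate
# lines the way "echo ... >>" does, and other flags in OPTIONS survive.

# sshd keywords are case-insensitive, so compare them in lowercase.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# current_options FILE: body of the last OPTIONS="..." assignment, the one
# that wins when the file is read as shell-style assignments.
current_options() {
    [ -f "$1" ] || return 0
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# get_sshd_option FILE KEY: value of the first "-o KEY=..." in OPTIONS
# (sshd uses the first value it obtains for a keyword); empty if unset.
get_sshd_option() (
    want=$(lower "$2"); prev=""; set -f
    for word in $(current_options "$1"); do
        arg=""
        if [ "$prev" = "-o" ]; then arg=$word
        else case $word in -o?*) arg=${word#-o} ;; esac
        fi
        prev=$word
        case $(lower "$arg") in
            "$want"=*) printf '%s\n' "${arg#*=}"; exit 0 ;;
        esac
    done
)

# set_sshd_option FILE KEY VALUE: rewrite FILE so OPTIONS carries
# "-o KEY=VALUE" first, followed by every other option already present.
set_sshd_option() (
    file=$1 key=$2 value=$3 want=$(lower "$2") kept="" prev=""
    set -f                                   # no globbing while splitting
    for word in $(current_options "$file"); do
        if [ "$prev" = "-o" ]; then          # argument of a detached -o
            prev=""
            case $(lower "$word") in "$want"=*) continue ;; esac
            kept="$kept -o $word"
        elif [ "$word" = "-o" ]; then
            prev="-o"
        else                                 # other flag, or attached -oKey=Val
            case $(lower "$word") in "-o$want"=*) continue ;; esac
            kept="$kept $word"
        fi
    done
    set +f
    tmp=$(mktemp "$file.XXXXXX") || exit 1   # same directory: rename is atomic
    if [ -f "$file" ]; then grep -v '^OPTIONS=' "$file" > "$tmp" || true; fi
    printf 'OPTIONS="%s"\n' "-o $key=$value$kept" >> "$tmp"
    chmod 0644 "$tmp" && mv "$tmp" "$file"
)

# Demo on a constructed temp file; the path from the thread would be
# /etc/sysconfig/ovirt-vmconsole-proxy-sshd (needs root, then a restart).
demo=$(mktemp)
echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> "$demo"
echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> "$demo"   # second run stacks a line
set_sshd_option "$demo" GSSAPIAuthentication yes
cat "$demo"; rm -f "$demo"
```

Because the packaged `sshd_config` under /usr is never touched, the override survives package upgrades, which is the point made in the reply above.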


Re: [ovirt-users] seria consol setup

2016-03-23 Thread Fabrice Bacchella

> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
> 
> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella
>  wrote:
>> I'm reading the documentation here :
>>   http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>> 
>> After a few strace, I found the ssh configuration used for the custom ssh 
>> that listens on port :
>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>> 
>> And I have a big problem with it.
>> It says "GSSAPIAuthentication no" but public key authentication is not 
>> allowed in my data center, we use kerberos everywhere.
>> So I wonder if I can edit this file ? How is it managed by ovirt ?
> 
> In general, things under /usr are only packaged, not "managed". So a
> next upgrade will overwrite your changes.

Ok, so I just need to take care how modifications and upgrade are done (using 
puppet) and everything should be fine.
> 
> Seems like both its systemd unit and sysv init script read
> /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
> ${OPTIONS} to sshd's command line. So you can try to:
> 
> echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >>
> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
> 
> 

I tried that. It works. I now have pure kerberos only problems. But that's a 
good direction.

> and restart it.
> 




Re: [ovirt-users] seria consol setup

2016-03-23 Thread Francesco Romani
- Original Message -
> From: "Yedidyah Bar David" <d...@redhat.com>
> To: "Fabrice Bacchella" <fabrice.bacche...@orange.fr>, "Francesco Romani" 
> <from...@redhat.com>
> Cc: "users" <users@ovirt.org>
> Sent: Wednesday, March 23, 2016 12:28:52 PM
> Subject: Re: [ovirt-users] seria consol setup

> > I can always use puppet to modify just this line, it will be fine for me.
> >
> > The point 4 in Automatic Setup is not very helpful:
> > "   • once the setup succesfully run, and once ovirt-engine is running,
> > you can log in and register a SSH key. (TODO: add picture)"
> >
> > what does it mean ?

It just means that you need to add SSH public keys for the users which want to 
use
the serial console.

E.g. log in user portal
in the top right corner there is the $user drop down menu, click on it
select "options"
paste public key here

HTH,

-- 
Francesco Romani
RedHat Engineering Virtualization R & D
Phone: 8261328
IRC: fromani


Re: [ovirt-users] seria consol setup

2016-03-23 Thread Yedidyah Bar David
On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella
 wrote:
> I'm reading the documentation here :
> http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>
> After a few strace, I found the ssh configuration used for the custom ssh 
> that listens on port :
> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>
> And I have a big problem with it.
> It says "GSSAPIAuthentication no" but public key authentication is not 
> allowed in my data center, we use kerberos everywhere.
> So I wonder if I can edit this file ? How is it managed by ovirt ?

In general, things under /usr are only packaged, not "managed". So a
next upgrade will overwrite your changes.

Seems like both its systemd unit and sysv init script read
/etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
${OPTIONS} to sshd's command line. So you can try to:

echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> /etc/sysconfig/ovirt-vmconsole-proxy-sshd

and restart it.

> I can always use puppet to modify just this line, it will be fine for me.
>
> The point 4 in Automatic Setup is not very helpful:
> "   • once the setup succesfully run, and once ovirt-engine is running, 
> you can log in and register a SSH key. (TODO: add picture)"
>
> what does it mean ?

No idea. Adding Francesco.
-- 
Didi