On 23.05.2015 15:04, Martin Perina wrote:
>
> ----- Original Message -----
>> From: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
>> To: "Martin Perina" <mper...@redhat.com>
>> Cc: users@ovirt.org, "Eli Mesika" <emes...@redhat.com>
>> Sent: Thursday, May 21, 2015 9:31:50 PM
>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>
>> On 21.05.2015 21:07, Martin Perina wrote:
>>> Hi Daniel,
>>>
>>> I'm cc'ing Eli as we are currently facing issue with fence agents
>>> regression for passing boolean flags to fence agents.
>> Thanks for getting back to me so quickly.
>>>
>>> I looked at man page of fence_ilo2 again and I haven't found
>>> --tls1.0 option at all.
>> Strange? FYI I am running CentOS7.1 hosts; installed fence:
>> fence-agents-ilo2-4.0.11-11.el7_1.x86_64
>>
>> Here, clearly I have this option. The fence agent itself seems to use
>> gnutls successfully:
>>
>> # fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status
>> --ssl-insecure --tls1.0
>>
>> Running command: /usr/bin/gnutls-cli --priority
>> "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION"
>> --insecure --crlf -p 443 10.11.0.212
>>
>
> Ahh, I looked at older version on F20. But I can't find --tls1.0 option
> even on man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
>
> So if you really see this option, please take a look at the end of man
> page, where you can find STDIN format options names and add it along
> with ssl_insecure to options in Power Management tab of the hosts (instead
> of "tls1_0" use what you find in your man page):

Many thanks! Using the STDIN options solved this issue. I finally get:
Test succeeded: on
I am using these options in the options field for the ilo2 fencing module:
ssl_insecure=1,tls1.0=1
Also working:
ssl_insecure=1,notls=1

>
> ssl_insecure=1,tls1_0=1
True. What still puzzles me is the tls1.0 option. In my man pages
the STDIN option is called 'tls1.0'. Also, can you check whether you
have a 'notls' option to force SSL3.0? This also works for me.

I think all the info you gave here, esp. using the stdin binary options
in a way 'option=0|1' is quite essential to get fencing working. I had
a quick look over some man pages and I think all the standard fence
agents are used in the same manner. Also, a hint might be in order that
old ilo boards can't cope with TLS and need it disabled. I think here
[1] [2]?

[1] http://www.ovirt.org/Automatic_Fencing
[2] http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Settings_Explained

Thanks!
>
> Thanks
>
> Martin Perina
>
>> I put the whole command output below [1]
>>
>> To specify --ssl-insecure please add following
>>> into options in Power Management tab of the host:
>>>
>>> ssl_insecure=1
>> Thanks for pointing out how to actually use these options.
>>>
>>> Martin Perina
>>>
>>> ----- Original Message -----
>>>> From: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
>>>> To: "Martin Perina" <mper...@redhat.com>
>>>> Cc: users@ovirt.org
>>>> Sent: Thursday, May 21, 2015 8:11:40 PM
>>>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>>>
>>>> On 12.05.2015 09:16, Martin Perina wrote:
>>>>> Hi Daniel,
>>>> Hello Martin,
>>>>
>>>> sorry for answering that late. And thanks for pointing me to the man
>>>> page! I always seem to forget that.
>>>>>
>>>>> options defined in PM tab are used to pass custom settings
>>>>> of specific fence agent. In your case please take a look
>>>>> at man page for fence_ilo2. I looked there briefly and
>>>>> I'm afraid that your parameter is not supported.
>>>>
>>>> Ok, this command runs fine and uses XML:
>>>> fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status
>>>> --ssl-insecure --tls1.0
>>>>
>>>> However, using options --tls1.0 and --ssl-insecure does not work in the
>>>> engine. What puzzles me: the fence agent seems to use an SSL connection
>>>> and XML; while the GUI wants an SSH port from me?
>>>>
>>>> There I get the error:
>>>> Unknown options ..
>>>>
>>>> now I only get
>>>> Test succeeded - unknown (which actually is not successful)
>>>>
>>>> Thanks!
>>>>>
>>>>> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
>>>>> passing that option for SSH connection, so you could try them
>>>>> if they work with your fence device.
>>>>>
>>>>> Martin Perina
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
>>>>>> To: users@ovirt.org
>>>>>> Sent: Monday, May 11, 2015 5:53:10 PM
>>>>>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> to make this short - I need to pass ssh options to get the connection to
>>>>>> ilo2 working (MACs=hmac-sha1) [1].
>>>>>>
>>>>>> How can this be done? I think the 'options' field is clearly for
>>>>>> something else?
>>>>>>
>>>>>> Using this option in .ssh/config works btw.
>>>>>>
>>>>>> Thanks!
>>>>>> --
>>>>>> Daniel Helgenberger
>>>>>> m box bewegtbild GmbH
>>>>>>
>>>>>> P: +49/30/2408781-22
>>>>>> F: +49/30/2408781-10
>>>>>>
>>>>>> ACKERSTR. 19
>>>>>> D-10115 BERLIN
>>>>>>
>>>>>> www.m-box.de www.monkeymen.tv
>>>>>>
>>>>>> Managing Directors: Martin Retschitzegger / Michaela Göllner
>>>>>> Commercial Register: Amtsgericht Charlottenburg / HRB 112767
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users@ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users

--
Daniel Helgenberger
m box bewegtbild GmbH
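
The point the thread arrives at (the Power Management options field takes the agent's STDIN names as `name=0|1`, and a mistyped name such as `tls1_0` is not recognised) can be checked before a host is saved. The following is an added example, not code from the thread, oVirt or fence-agents; the function names are hypothetical and `KNOWN_STDIN_OPTIONS` is a constructed stand-in for the STDIN parameter list at the end of the local fence_ilo2 man page.

```python
# Added example. Option names are the ones quoted in the thread; the set below
# is a constructed stand-in for the STDIN parameter list in the local man page.
KNOWN_STDIN_OPTIONS = {"ssl_insecure", "tls1.0", "notls"}

# Options from the thread that weaken the transport, and what each one does.
WEAKENING = {
    "ssl_insecure": "server certificate is not verified",
    "tls1.0": "connection is restricted to TLS 1.0",
    "notls": "TLS is disabled (SSL 3.0 is forced)",
}


def parse_pm_options(field):
    """Split an options field such as 'a=1,b=0' into a dict, in order."""
    opts = {}
    for item in (part.strip() for part in field.split(",")):
        if not item:
            continue
        if item.startswith("-"):
            raise ValueError(f"{item!r} is a command-line flag, not a STDIN name")
        name, sep, value = item.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"{item!r} must be written as name=value")
        opts[name.strip()] = value.strip()
    return opts


def audit_pm_options(field, known=KNOWN_STDIN_OPTIONS):
    """Report names the agent would not recognise and active downgrades."""
    opts = parse_pm_options(field)
    unknown = sorted(name for name in opts if name not in known)
    weakened = {n: WEAKENING[n] for n, v in opts.items()
                if n in WEAKENING and v == "1"}
    return {"options": opts, "unknown": unknown, "weakened": weakened}


def stdin_payload(opts):
    """Render options as the key=value lines a fence agent reads on stdin."""
    return "".join(f"{name}={value}\n" for name, value in opts.items())


if __name__ == "__main__":
    for field in ("ssl_insecure=1,tls1.0=1", "ssl_insecure=1,tls1_0=1"):
        print(field, "->", audit_pm_options(field))
```

Hosts that report any entry under `weakened` are the ones whose management boards still need the downgrade and are worth tracking for firmware updates or network isolation.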