----- Original Message -----
> From: "Martin Perina" <mper...@redhat.com>
> To: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
> Cc: users@ovirt.org, "Eli Mesika" <emes...@redhat.com>
> Sent: Monday, May 25, 2015 11:23:29 AM
> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>
> ----- Original Message -----
> > From: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
> > To: "Martin Perina" <mper...@redhat.com>
> > Cc: users@ovirt.org, "Eli Mesika" <emes...@redhat.com>
> > Sent: Sunday, May 24, 2015 10:02:34 AM
> > Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> >
> > On 23.05.2015 15:04, Martin Perina wrote:
> > >
> > > ----- Original Message -----
> > >> From: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
> > >> To: "Martin Perina" <mper...@redhat.com>
> > >> Cc: users@ovirt.org, "Eli Mesika" <emes...@redhat.com>
> > >> Sent: Thursday, May 21, 2015 9:31:50 PM
> > >> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> > >>
> > >> On 21.05.2015 21:07, Martin Perina wrote:
> > >>> Hi Daniel,
> > >>>
> > >>> I'm cc'ing Eli as we are currently facing issue with fence agents
> > >>> regression for passing boolean flags to fence agents.
> > >> Thanks for getting back to me so quickly.
> > >>>
> > >>> I looked at man page of fence_ilo2 again and I haven't found
> > >>> --tls1.0 option at all.
> > >> Strange? FYI I am running CentOS7.1 hosts; installed fence:
> > >> fence-agents-ilo2-4.0.11-11.el7_1.x86_64
> > >>
> > >> Here, clearly I have this option. The fence agent itself seems to use
> > >> gnutls successfully:
> > >>
> > >> # fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status
> > >> --ssl-insecure --tls1.0
> > >>
> > >> Running command: /usr/bin/gnutls-cli --priority
> > >> "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION"
> > >> --insecure --crlf -p 443 10.11.0.212
> > >>
> > >
> > > Ahh, I looked at older version on F20.
> > > But I can't find --tls1.0 option
> > > even on man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
> > >
> > > So if you really see this option, please take a look at the end of man
> > > page, where you can find STDIN format options names and add it along
> > > with ssl_insecure to options in Power Management tab of the hosts
> > > (instead of "tls1_0" use what you find in your man page):
> > Many thanks! Using the STDIN options solved this issue. I finally get:
> > Test succeeded: on
> >
> > I am using these options in the options field for the ilo2 fencing module:
> >
> > ssl_insecure=1,tls1.0=1
> >
> > Also working:
> > ssl_insecure=1,notls=1
> >
> > >
> > > ssl_insecure=1,tls1_0=1
> > True. What still puzzles me is the tls1.0 option. In my man pages
> > the STDIN option is called 'tls1.0'. Also, can you check whether you
> > have a 'notls' option to force SSL3.0? This also works for me.
>
> Ahh, sorry for the confusion. By mistake I looked at older fence-agents
> RPM :-(
>
> I looked again and now I also have "tls1.0". The "notls" option is contained
> also in the older version (like the one I have in my F20).
>
> >
> > I think all the info you gave here, esp. using the stdin binary options
> > in a way 'option=0|1' is quite essential to get fencing working. I had
> > a quick look over some man pages and I think all the standard fence
> > agents are used in the same manner.
>
> Yes, this is the regression I wrote you about. Latest fence-agents dropped
> the support for passing boolean options without value (just sending "notls"
> was ok in prior versions), but the last version requires to send "notls=1"
> or "notls=true", otherwise the option is not used. We are currently preparing
> patches to handle it.

This is planned to be fixed for 3.6 by an upgrade script (not including encrypted options).

BTW, according to Marek G, who is the fence-agents maintainer, sending boolean flags on their own was enabled for all agents but was actually working only for the ipmilan agent ...

>
> > Also, a hint might be in order that old ilo boards can't cope with TLS
> > and need it disabled. I think here [1] [2]?
> >
> > [1] http://www.ovirt.org/Automatic_Fencing
> > [2] http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Settings_Explained
>
> Hmm, thanks for the input, I will talk with Eli and Oved how to make
> the documentation more understandable.

I had added a comment to the troubleshooting section of [1] regarding that ...

>
> Thanks
>
> Martin Perina
>
> >
> > Thanks!
> > >
> > > Thanks
> > >
> > > Martin Perina
> > >
> > >> I put the whole command output below [1]
> > >>
> > >> To specify --ssl-insecure please add following
> > >>> into options in Power Management tab of the host:
> > >>>
> > >>> ssl_insecure=1
> > >> Thanks for pointing out how to actually use these options.
> > >>>
> > >>> Martin Perina
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
> > >>>> To: "Martin Perina" <mper...@redhat.com>
> > >>>> Cc: users@ovirt.org
> > >>>> Sent: Thursday, May 21, 2015 8:11:40 PM
> > >>>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> > >>>>
> > >>>> On 12.05.2015 09:16, Martin Perina wrote:
> > >>>>> Hi Daniel,
> > >>>> Hello Martin,
> > >>>>
> > >>>> sorry for answering that late. And thanks for pointing me to the man
> > >>>> page! I always seem to forget that.
> > >>>>>
> > >>>>> options defined in PM tab are used to pass custom settings
> > >>>>> of specific fence agent. In your case please take a look
> > >>>>> at man page for fence_ilo2. I looked there briefly and
> > >>>>> I'm afraid that your parameter is not supported.
> > >>>>
> > >>>> Ok, this command runs fine and uses XML:
> > >>>> fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status
> > >>>> --ssl-insecure --tls1.0
> > >>>>
> > >>>> However, using options --tls1.0 and --ssl-insecure does not work in the
> > >>>> engine. What puzzles me: the fence agent seems to use an SSL connection
> > >>>> and XML; while the GUI wants an SSH port from me?
> > >>>>
> > >>>> There I get the error:
> > >>>> Unknown options ..
> > >>>>
> > >>>> now I only get
> > >>>> Test succeeded - unknown (which actually is not successful)
> > >>>>
> > >>>> Thanks!
> > >>>>>
> > >>>>> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
> > >>>>> passing that option for SSH connection, so you could try them
> > >>>>> if they work with your fence device.
> > >>>>>
> > >>>>> Martin Perina
> > >>>>>
> > >>>>> ----- Original Message -----
> > >>>>>> From: "Daniel Helgenberger" <daniel.helgenber...@m-box.de>
> > >>>>>> To: users@ovirt.org
> > >>>>>> Sent: Monday, May 11, 2015 5:53:10 PM
> > >>>>>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
> > >>>>>>
> > >>>>>> Hello,
> > >>>>>>
> > >>>>>> to make this short - I need to pass ssh options to get the connection to
> > >>>>>> ilo2 working (MACs=hmac-sha1) [1].
> > >>>>>>
> > >>>>>> How can this be done? I think the 'options' field is clearly for
> > >>>>>> something else?
> > >>>>>>
> > >>>>>> Using this option in .ssh/config works btw.
> > >>>>>>
> > >>>>>> Thanks!
> > >>>>>> --
> > >>>>>> Daniel Helgenberger
> > >>>>>> m box bewegtbild GmbH
> > >>>>>>
> > >>>>>> P: +49/30/2408781-22
> > >>>>>> F: +49/30/2408781-10
> > >>>>>>
> > >>>>>> ACKERSTR. 19
> > >>>>>> D-10115 BERLIN
> > >>>>>>
> > >>>>>> www.m-box.de www.monkeymen.tv
> > >>>>>>
> > >>>>>> Managing directors: Martin Retschitzegger / Michaela Göllner
> > >>>>>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
> > >>>>>> _______________________________________________
> > >>>>>> Users mailing list
> > >>>>>> Users@ovirt.org
> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users