On May 12, 2020 6:56:45 PM GMT+03:00, Giorgio Biacchi <[email protected]> wrote:
>On 12/05/2020 17:07, Dominik Holler wrote:
>>
>> On Tue, May 12, 2020 at 4:25 PM Giorgio Biacchi <[email protected]> wrote:
>>
>>     On 5/12/20 12:28 PM, Dominik Holler wrote:
>>     >
>>     > On Tue, May 12, 2020 at 8:49 AM Giorgio Biacchi <[email protected]> wrote:
>>     >
>>     >     On 5/11/20 5:53 PM, Dominik Holler wrote:
>>     >     >
>>     >     > On Mon, May 11, 2020 at 12:31 PM Giorgio Biacchi <[email protected]> wrote:
>>     >     >
>>     >     >     Hi list,
>>     >     >     I've spent a couple of days trying to understand why this was
>>     >     >     happening...
>>     >     >
>>     >     >     For the installation I have a well tested installation server with a
>>     >     >     custom kickstart file to setup ssh keys and custom hooks for infiniband
>>     >     >     and I'm installing Ovirt Node 4.3.9 via pxe, this is particularly useful
>>     >     >     when I have to install a bunch of blades at once.. In the past I had no
>>     >     >     issues and all was working like a charm until now when some hardware
>>     >     >     failed and I had to replace it.
>>     >     >
>>     >     >     As expected I have no issues in the node installation process.. the
>>     >     >     troubles begin when I try to add the node, installation fails and in
>>     >     >     the UI I have an exclamation mark with the message "Host has no default
>>     >     >     route." but I can ping and do ssh to the host from the manager.. the
>>     >     >     problem is somewhere else in the communication between the engine and
>>     >     >     vdsmd preventing the engine to refresh the host capabilities.
>>     >     >
>>     >     >     So from the engine I tried:
>>     >     >
>>     >     >     [root@manager ~]# openssl s_client -connect 172.20.22.78:54321
>>     >     >     CONNECTED(00000003)
>>     >     >     ---
>>     >     >     Certificate chain
>>     >     >      0 s:/CN=cn128.lagrange.di.unimi.it/O=VDSM Certificate
>>     >     >        i:/CN=VDSM Certificate Authority
>>     >     >      1 s:/CN=VDSM Certificate Authority
>>     >     >        i:/CN=VDSM Certificate Authority
>>     >     >     ---
>>     >     >
>>     >     >     The host has still the self signed vdsm certificate.. and on the host in
>>     >     >     vdsm.log I find:
>>     >     >
>>     >     >     2020-05-11 09:52:25,433+0000 ERROR (Reactor thread) [ProtocolDetector.SSLHandshakeDispatcher] ssl handshake: SSLError, address: ::ffff:159.149.129.220 (sslutils:264)
>>     >     >
>>     >     >     So I tried to enroll the certificate from the UI and from the events tab
>>     >     >     I saw the enrolling was successful but:
>>     >     >
>>     >     >     [root@manager ~]# openssl s_client -connect 172.20.22.78:54321
>>     >     >     140084336994192:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
>>     >     >     CONNECTED(00000003)
>>     >     >     ---
>>     >     >     no peer certificate available
>>     >     >     ---
>>     >     >
>>     >     >     there's still some issue with the certificates.. so on the host again:
>>     >     >
>>     >     >     [root@cn128 vdsm]# find /etc/pki/vdsm/ -type f -cmin -10| xargs ls -l
>>     >     >     -rw-------. 1 root kvm 1424 May 11 09:56 /etc/pki/vdsm/certs/cacert.pem
>>     >     >     -rw-------. 1 root kvm 5108 May 11 09:57 /etc/pki/vdsm/certs/vdsmcert.pem
>>     >     >     -r--r-----. 1 root kvm 1704 May 11 09:56 /etc/pki/vdsm/keys/vdsmkey.pem
>>     >     >     -rw-r--r--. 1 root root 1424 May 11 09:57 /etc/pki/vdsm/libvirt-spice/ca-cert.pem
>>     >     >     -rw-r--r--. 1 root root 5108 May 11 09:57 /etc/pki/vdsm/libvirt-spice/server-cert.pem
>>     >     >     -r--r-----. 1 root root 1704 May 11 09:56 /etc/pki/vdsm/libvirt-spice/server-key.pem
>>     >     >
>>     >     >     It seems that cacert.pem and vdsmcert.pem have wrong permissions..
>>     >     >     let's try to fix it..
>>     >     >
>>     >     >     [root@cn128 vdsm]# chown 36:36 /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem
>>     >     >
>>     >     >     And now:
>>     >     >
>>     >     >     [root@manager ~]# openssl s_client -connect 172.20.22.78:54321| less
>>     >     >     CONNECTED(00000003)
>>     >     >     ---
>>     >     >     Certificate chain
>>     >     >      0 s:/O=lagrange.di.unimi.it/CN=172.20.22.78
>>     >     >        i:/C=US/O=lagrange.di.unimi.it/CN=cn305.lagrange.di.unimi.it.35941
>>     >     >      1 s:/C=US/O=lagrange.di.unimi.it/CN=cn305.lagrange.di.unimi.it.35941
>>     >     >        i:/C=US/O=lagrange.di.unimi.it/CN=cn305.lagrange.di.unimi.it.35941
>>     >     >     ---
>>     >     >
>>     >     >     Now I can finally refresh the host capabilities and setup the host
>>     >     >     networks..
>>     >     >
>>     >     >     In attachment all the relevant logs, I don't know if I've found some
>>     >     >     bug.. this is the first time I had so many troubles adding a new host..
>>     >     >     so I decided to share my experience with the list..
>>     >     >
>>     >     > Thanks for raising this.
>>     >     >
>>     >     > On adding the host there is an error about vdsm-hook-nestedvt which I
>>     >     > cannot interpret, maybe someone else can do.
>>     >     > In vdsm.log I noticed a strange behavior of setupNetworks, can you
>>     >     > please share the corresponding supervdsm.log, too?
>>     >     >
>>     >     >     Cheers
>>     >     >     --
>>     >     >     gb
>>     >     >
>>     >     >     PGP Key: http://pgp.mit.edu/
>>     >     >     Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
>>     >     >     _______________________________________________
>>     >     >     Users mailing list -- [email protected]
>>     >     >     To unsubscribe send an email to [email protected]
>>     >     >     Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>     >     >     oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>>     >     >     List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/6JTU3HB4WCI27WSLGEOSLMPYFU22EX5H/
>>     >     >
>>     >     Hi,
>>     >     I don't think that the missing vdsm-hook-nestedvt is a problem, in our
>>     >     environment we have one engine but multiple clusters and that hook is
>>     >     only needed on one cluster to enable nested virtualization.
>>     >
>>     >     See attachment for supervdsm.log.
>>     >
>>     > Thanks, network config flows looked fine.
>>     >
>>     > Maybe
>>     > https://bugzilla.redhat.com/1794485
>>     > is the root for this issue?
>>     >
>>     >     Regards
>>     >     --
>>     >     gb
>>     >
>>     >     PGP Key: http://pgp.mit.edu/
>>     >     Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
>>     >
>>
>>     I removed the file
>>     /usr/share/ovirt-host-deploy/plugins/ovirt-host-deploy/vdsmhooks/packages.d/vdsm-hook-nestedvt.centos
>>     from the engine host (the content of the file was "vdsm-hook-nestedvt")
>>     and reinstalled another host and now the installation works correctly.
>>
>> This is a great hint. Do you have an idea where this file comes from?
>
>Yes, it was a change made by another member of our staff to automate the
>installation of that hook.. as far as I know this is the correct way to
>add additional packages during the host installation, but I still have
>no idea why the required package can not be found, even via yum install
>as I wrote before.
>
>So now the real question is: why can't I install vdsm-hook-nestedvt via
>yum?
>
>And even if it's now clear that this is the reason why the installation
>process fails I wasn't expecting such a big failure.. the hook itself
>is not strictly necessary to have a working host.. I was expecting a
>warning more than a fail..
>
>But at least I'm glad I've found the cause of the failure
>
>>     So the problem is that during the host installation vdsm-hook-nestedvt
>>     cannot be found/downloaded from the repos and this, somehow, breaks the
>>     installation process, the certificate enrollment and so on..
>>
>>     As a matter of fact if I try:
>>
>>     [root@cn127 ~]# yum install vdsm-hook-nestedvt
>>     Loaded plugins: enabled_repos_upload, fastestmirror, imgbased-persist, package_upload, product-id,
>>                   : search-disabled-repos, subscription-manager, vdsmupgrade, versionlock
>>     This system is not registered with an entitlement server. You can use subscription-manager to register.
>>     Loading mirror speeds from cached hostfile
>>      * ovirt-4.3-epel: epel.mirror.far.fi
>>     No package vdsm-hook-nestedvt available.
>>     Error: Nothing to do
>>     Uploading Enabled Repositories Report
>>     Cannot upload enabled repos report, is this client registered?
>>
>>     Thanks for the support.
>>
>>     --
>>     gb
>>
>>     PGP Key: http://pgp.mit.edu/
>>     Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
>>

Hi,

I can see the package in 'ovirt-4.3' repo. Do you have the repo available at the time that package is called?

Best Regards,
Strahil Nikolov
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/WZREWC7BDYHN4U4IXPV3IYBRSSLJZYRC/
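
The ownership check behind the `chown 36:36` step in the quoted post, as an added example that is not part of the thread or of oVirt's own code: it applies the POSIX owner/group/other rule to `ls -l` lines and reports which PKI files the VDSM service account cannot read. It assumes vdsmd runs as user `vdsm` with group `kvm` (uid/gid 36); the function names and the `AFTER` listing are constructed for illustration.

```python
# Added example. Assumption: vdsmd runs as user "vdsm", group "kvm" (uid/gid 36).
# Only classic mode bits are evaluated; ACLs and SELinux labels are not.

# Constructed input: the /etc/pki/vdsm lines from the post, before the chown.
BEFORE = """\
-rw-------. 1 root kvm 1424 May 11 09:56 /etc/pki/vdsm/certs/cacert.pem
-rw-------. 1 root kvm 5108 May 11 09:57 /etc/pki/vdsm/certs/vdsmcert.pem
-r--r-----. 1 root kvm 1704 May 11 09:56 /etc/pki/vdsm/keys/vdsmkey.pem
"""

# Constructed input: the same files as `chown 36:36` on the two certs leaves them.
AFTER = """\
-rw-------. 1 vdsm kvm 1424 May 11 09:56 /etc/pki/vdsm/certs/cacert.pem
-rw-------. 1 vdsm kvm 5108 May 11 09:57 /etc/pki/vdsm/certs/vdsmcert.pem
-r--r-----. 1 root kvm 1704 May 11 09:56 /etc/pki/vdsm/keys/vdsmkey.pem
"""


def can_read(mode, owner, group, user, user_groups):
    """POSIX rule: the first matching class (owner, group, other) decides."""
    if owner == user:
        return mode[1] == "r"      # owner read bit
    if group in user_groups:
        return mode[4] == "r"      # group read bit
    return mode[7] == "r"          # other read bit


def unreadable_for(listing, user="vdsm", user_groups=("kvm",)):
    """Return paths of regular files in an `ls -l` listing that `user` cannot read."""
    blocked = []
    for line in listing.splitlines():
        fields = line.split(None, 8)   # mode links owner group size mon day time path
        if len(fields) < 9 or not fields[0].startswith("-"):
            continue                   # skip blank lines and non-regular files
        mode, _links, owner, group = fields[:4]
        if not can_read(mode, owner, group, user, user_groups):
            blocked.append(fields[8])
    return blocked


if __name__ == "__main__":
    print("before chown:", unreadable_for(BEFORE))
    print("after chown: ", unreadable_for(AFTER))
```

The key file passes in both listings because its group read bit is set for `kvm`, which matches the post: only the two certificate files needed the ownership change.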

