On 6/8/20 12:58 AM, Yedidyah Bar David wrote:
On Sun, Jun 7, 2020 at 6:37 PM Michael Thomas <w...@caltech.edu> wrote:

On 6/7/20 8:42 AM, Yedidyah Bar David wrote:
On Sun, Jun 7, 2020 at 4:07 PM Michael Thomas <w...@caltech.edu> wrote:

On 6/7/20 5:01 AM, Yedidyah Bar David wrote:
On Sat, Jun 6, 2020 at 8:42 PM Michael Thomas <w...@caltech.edu> wrote:

After a week of iterations, I finally found the problem.  I was setting 
'PermitRootLogin no' in the global section of the bare metal OS sshd_config, as 
we do on all of our servers.  Instead, PermitRootLogin is set to 
'without-password' in a match block to allow root logins only from a well-known 
set of hosts.

I understand that you meant to say that this is already working for
you, right? That you set it to allow without-password from some
addresses and that that was enough. If so:

Correct.  Once I added the engine's IP to the Match block allowing root
logins, it worked again.


Thanks for the report!


Can someone explain why setting 'PermitRootLogin no' in the sshd_config on the 
hypervisor OS would affect the hosted engine deployment?

Because the engine (running inside a VM) uses ssh as root to connect
to the host (in which the engine vm is running).

Would it be sufficient to set, on the host, 'PermitRootLogin
without-password' in a Match block that matches the ovirt management
network?

Match Address 10.10.10.0/24
       PermitRootLogin without-password

?

Do you mean here to ask if 10.10.10.10/24 is enough?

The engine VM's IP address should be enough. What this address is,
after deploy finishes, is of course up to you. During deploy it's by
default in libvirt's default network, 192.168.222.0/24, but can be
different if that's already in use by something else (e.g. a physical
NIC).

BTW, I didn't test this myself. I do see in the code that it's
supposed to work. If you find a bug, please report one. Thanks.

I think the two problems that I ran into were:

* Lack of documentation about the requirement that the engine (whether
self-hosted or standalone) be able to ssh into the bare metal hypervisor
host over the ovirt management network using ssh keys.

I agree it's not detailed enough.

We have it briefly mentioned e.g. here:

https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine_using_the_cockpit_web_interface/#host-firewall-requirements_SHE_cockpit_deploy

For some reason it's marked "Optional", not sure why.


* No clear error message in the logs describing why this was failing.
The only errors I got were a timeout waiting for the host to be up, and
a generic ""The system may not be provisioned according to the playbook
results: please check the logs for the issue, fix accordingly or
re-deploy from scratch.\n"

I'll file this as a documentation bug.

Very well.


Filed:

https://bugzilla.redhat.com/show_bug.cgi?id=1845271

--Mike
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GTFDN6N7BNCRVJKC4QVHXNCX57F3GFC6/

Reply via email to