On Mon, Aug 8, 2022 at 9:47 AM Yedidyah Bar David <d...@redhat.com> wrote:
>
> On Sun, Aug 7, 2022 at 6:34 AM P F <p...@patfruth.com> wrote:
> >
> > I'm unable to recreate the original problem.
> >
> > The good news is, the process moves past the engine_setup now.
> > The ovirt-engine server actually starts, and is exposed on 
> > https://<ovirthost>:6900/ovirt-engine
> >
> > The bad news is, when I try to access the engine Web UI at that URL, I get 
> > a '500 Internal Server Error'.
> > I don't see any obvious errors in the log files in /var/log/ovirt-engine
>
> Can you check/share all of /var/log/ovirt-engine and /var/log/httpd?
>
> >
> > I'm able to access the URL https://<ovirthost>:6900/ovirt-engine
> > However, as soon as I click the "Administration Portal" link on the main 
> > page, I see the '500 Internal Server Error'
> >
> > I do notice the following error in /var/log/httpd/ssl_error_log;
> >
> > [Sat Aug 06 18:45:32.106641 2022] [auth_openidc:error] [pid 1648:tid 
> > 139896547178240] [client 192.168.222.3:58098] oidc_authenticate_user: the 
> > URL hostname (ovirt-engine.internal.net) of the configured OIDCRedirectURI 
> > does not match the URL hostname of the URL being accessed 
> > (ovirt-node04.internal.net): the "state" and "session" cookies will not be 
> > shared between the two!, referer: 
> > https://ovirt-node04.internal.net:6900/ovirt-engine/
>
> I am not an expert on how this should work. Adding Martin. In any
> case, this sounds like a bug to me, even though I'm not sure it's
> possible/easy to fix - would you like to create one?
>
> >
> > The error above would suggest that it will not be possible to access the 
> > engine Web UI which is temporarily exposed on port 6900.
>
> Seems so.
>
> > How has this ever been possible in the past?
>
> Most likely this is a result of enabling keycloak integration. Perhaps
> you can try again and answer 'No' to 'Configure Keycloak integration
> on the engine'. If this works, it might be the simplest way for now -
> you can enable keycloak integration later if you want.
>
> > What do I need to do in order to access the engine Web UI, since I need to 
> > configure the host's network to include several VLANs necessary to 
> > complete the restore of the engine DB?
>
> I am just guessing here, not knowing anything about openidc. Perhaps
> it does not like being accessed as a different hostname and/or port.
>
> The engine does not like this either, but we "convince" it:
>
> [1] 
> https://github.com/oVirt/ovirt-ansible-collection/blob/master/roles/hosted_engine_setup/tasks/bootstrap_local_vm/04_engine_final_tasks.yml#L30
>
>   - name: Allow the webadmin UI to be accessed over the first host
>     block:
>       - name: Saving original value
>         ansible.builtin.replace:
>           path: /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
>           regexp: '^(SSO_ALTERNATE_ENGINE_FQDNS=.*)'
>           replace: '#\1 # pre hosted-engine-setup'
>       - name: Adding new SSO_ALTERNATE_ENGINE_FQDNS line
>         ansible.builtin.lineinfile:
>           path: /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
>           line: 'SSO_ALTERNATE_ENGINE_FQDNS="{{ he_host_address }}" # hosted-engine-setup'
>
> But this isn't mandatory, it's just a convenience we added at some point.
>
> Instead, you can do something similar to what we do to allow access on
> port 6900:
>
> [2] 
> https://github.com/oVirt/ovirt-ansible-collection/blob/master/roles/hosted_engine_setup/tasks/bootstrap_local_vm/05_add_host.yml#L12
>
>   - name: Open a port on firewalld
>     ansible.builtin.command: firewall-cmd --zone=public --add-port {{ he_webui_forward_port }}/tcp
>     changed_when: true
>   - name: Expose engine VM webui over a local port via ssh port forwarding
>     ansible.builtin.command: >-
>       sshpass -e ssh -tt -o ServerAliveInterval=5 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -g -L
>       {{ he_webui_forward_port }}:{{ he_fqdn }}:443 {{ he_fqdn }}
>     environment:
>       "{{ he_cmd_lang | combine( { 'SSHPASS': he_appliance_password } ) }}"
>     changed_when: true
>     async: 86400
>     poll: 0
>     register: sshpf
>
> But instead of opening the port on firewalld from the host, do the
> entire tunnelling from your laptop (or where you run the web browser):
>
> 1. Add the engine VM's name to your /etc/hosts, to the line of '127.0.0.1'
>
> 2. Find the (temporary, local) IP address of the engine VM, in your
> case that's '192.168.222.3'
>
> 3. Create an ssh tunnel - something like:
>
> # ssh -L443:192.168.222.3:443 r...@ovirt-node04.internal.net

Forgot to mention:

You should do this as root - can use sudo.

This is inconvenient, because you quite likely already have your local
account's public ssh key in the authorized_keys of the host, but with
root/sudo you can't use it - not easily, anyway. I personally simply
type in root's password and forget about it. Maybe one day I'll learn
how to make ssh running as root use my own key (likely requires some
selinux tricks) or even how to make my account be able to listen on 443...

>
> Then you can access the engine (and keycloak) web UI via the "real" FQDN:
>
> https://ovirt-engine.internal.net/ovirt-engine/
>
> Good luck and best regards,
> --
> Didi



-- 
Didi
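The laptop-side workaround from steps 1-3 above, as an added helper script that is not from the thread or from oVirt: it reads the auth_openidc hostname-mismatch line out of ssl_error_log to learn which FQDN the engine's OIDCRedirectURI expects, aliases that FQDN to 127.0.0.1 in a hosts file, and prints the tunnel command plus the URL to open. The log line is a constructed copy of the one quoted in the thread; the hosts file path, engine VM IP, ssh user and host are parameters, not values taken from the thread.

```shell
#!/usr/bin/env bash
# Added helper, not from the thread or from oVirt: derive the laptop-side
# tunnel workaround from the auth_openidc error in httpd's ssl_error_log.
set -eu

# Constructed copy of the ssl_error_log line quoted in the thread.
SAMPLE_LOG='[Sat Aug 06 18:45:32.106641 2022] [auth_openidc:error] [pid 1648:tid 139896547178240] [client 192.168.222.3:58098] oidc_authenticate_user: the URL hostname (ovirt-engine.internal.net) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (ovirt-node04.internal.net): the "state" and "session" cookies will not be shared between the two!, referer: https://ovirt-node04.internal.net:6900/ovirt-engine/'

# Print "<configured FQDN> <FQDN actually used>" for every hostname-mismatch
# line in the log text given as $1; the first field is the name the browser
# must use for the OIDC "state"/"session" cookies to line up.
oidc_mismatch_hosts() {
  printf '%s\n' "$1" | sed -n \
    's/.*the URL hostname (\([^)]*\)) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (\([^)]*\)).*/\1 \2/p'
}

# Step 1: add NAME ($2) to the 127.0.0.1 line of the hosts file FILE ($1),
# without duplicating it on repeated runs.
add_local_alias() {
  file=$1 name=$2
  esc=$(printf '%s' "$name" | sed 's/\./\\./g')
  if grep -Eq "^127\.0\.0\.1[[:space:]].*[[:space:]]$esc([[:space:]]|\$)" "$file"; then
    return 0
  fi
  if grep -Eq '^127\.0\.0\.1[[:space:]]' "$file"; then
    sed -E "s/^(127\.0\.0\.1[[:space:]].*)\$/\1 $name/" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '127.0.0.1 %s\n' "$name" >> "$file"
  fi
}

# Step 3: the tunnel command. Binding local port 443 needs root (sudo); host
# key checking is left on, unlike the bootstrap playbook's throwaway tunnel.
tunnel_cmd() {
  engine_ip=$1 ssh_user=$2 host=$3
  printf 'ssh -L 443:%s:443 %s@%s' "$engine_ip" "$ssh_user" "$host"
}

# Tie the steps together: $1 log text, $2 hosts file, $3 engine VM IP,
# $4 ssh user, $5 host to tunnel through. Prints the command and the URL.
plan_workaround() {
  pair=$(oidc_mismatch_hosts "$1" | head -n 1)
  [ -n "$pair" ] || { echo "no OIDCRedirectURI hostname mismatch found" >&2; return 1; }
  fqdn=${pair%% *}
  add_local_alias "$2" "$fqdn"
  printf '%s\n' "$(tunnel_cmd "$3" "$4" "$5")"
  printf 'https://%s/ovirt-engine/\n' "$fqdn"
}
```

Run `plan_workaround "$(cat /var/log/httpd/ssl_error_log)" /etc/hosts <engine-ip> <user> <host>` as root on the laptop, then open the printed URL in the browser.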
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5AFMJWPQXEUGPX3J6HQ2C4IUQPWCC2QQ/