[ovirt-users] Re: LDAP Authentication issues

[Donny Davis]

I am happy to help where I can. I would also not recommend tinkering around
in the database, but I am happy to hear you have it all running. :)

Everything you should every be doing in the engine is available via the
API/UI. Just some general advice.



On Mon, Jun 11, 2018 at 9:31 AM, Callum Smith  wrote:

> Dear All & Donny,
>
> Thank you for the clarifications, very useful indeed.
>
> A note for future users who go down this path and dont want to restore or
> reinstall:
>
> Cleaning out the `permissions` table in the database and restoring the
> defaults will solve the issue, but you need to restore the SuperUser
> permission on the admin@internal account:
>
> Learning from here:
> https://www.ovirt.org/develop/developer-guide/action-permissions-overview/
>
> Clean out your `roles_groups` and `permissions`
> DELETE FROM `permissions`;
> DELETE FROM `roles_groups`;
>
> Restore the defaults:
> https://github.com/oVirt/ovirt-engine/blob/master/
> packaging/dbscripts/data/00600_insert_permissions.sql
> https://github.com/oVirt/ovirt-engine/blob/master/
> packaging/dbscripts/data/00700_insert_roles_groups.sql
>
> Re-assign the SuperUser role to the admin@internal user:
> Either: https://github.com/oVirt/ovirt-engine/blob/
> master/packaging/bin/ovirt-engine-role.sh
> Or just go straight into your localhost psql on your engine, replacing
> information as appropriate:
> Get your external_id from the users table and use it in the function:
> SELECT external_id FROM `users` WHERE `name` = 'admin' AND `domain` =
> 'internal-authz';
> select attach_user_to_role('admin','internal-authz','*','#
> external_id#','SuperUser');
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:57, Donny Davis  wrote:
>
> https://lists.ovirt.org/pipermail/users/2015-January/030981.html
>
> This is the thread where I discussed a bit of the permissions thing. I am
> sure things have changed since 3.5.1, but should get you down the right
> path.
>
> On Mon, Jun 11, 2018 at 6:54 AM, Callum Smith 
> wrote:
>
>> Yes, in process of trying to fix/identify things - need to undo this.
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 11 Jun 2018, at 11:48, Donny Davis  wrote:
>>
>> did you add system permissions to the everyone group?
>>
>> On Mon, Jun 11, 2018 at 6:42 AM, Callum Smith 
>> wrote:
>>
>>> Happy for you to link me a guide, googlefu is failing me.
>>>
>>> How do i get around this "It's not allowed to remove system permissions
>>> assigned to built-in Everyone group" - to remove permissions erroneously
>>> added.
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> On 11 Jun 2018, at 11:38, Donny Davis  wrote:
>>>
>>> You can create a profile that has the proper permissions to allow what
>>> you are looking for, and then assign that profile to the groups you wish.
>>> I wrote a post on this quite a while back on how to setup oVirt to
>>> appear to be multi-tenant.
>>>
>>> Happy to see you don't have an ldap issue :)
>>>
>>> >This will be a problem for us to now create group permissions for all
>>> 100+ groups since Everyone === No-one. -sigh-
>>>
>>>
>>> On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith 
>>> wrote:
>>>
 Ah, this appears to be an issue with the proxy - setting up the spice
 proxy as indicated in the guides is causing this issue, and likely will
 need support.

 https://www.ovirt.org/documentation/admin-guide/chap-Proxies/

 Regards,
 Callum

 --

 Callum Smith
 Research Computing Core
 Wellcome Trust Centre for Human Genetics
 University of Oxford
 e. cal...@well.ox.ac.uk

 On 11 Jun 2018, at 11:29, Callum Smith  wrote:

 Ok, the user now logs in! This will be a problem for us to now create
 group permissions for all 100+ groups since Everyone === No-one. -sigh-

 A new issue, when in the VM portal as the LDAP user, i get HTTP basic
 auth login prompts, and a "Authorization expired" error, then a page
 reload. Nothing in the logs seem to indicate an issue.

 Regards,
 Callum

 --

 Callum Smith
 Research Computing Core
 Wellcome Trust Centre for Human Genetics
 University of Oxford
 e. cal...@well.ox.ac.uk

 On 11 Jun 2018, at 11:26, Donny Davis  wrote:

 Try giving your user system permissions as a superuser and see if it
 goes away.

 I wouldn't leave it like that, but it will help isolate your issue. I
 don't think you have an ldap issue... the log entry is telling you that
 user has no permissions
 >The user callum@Biomedical 

[ovirt-users] Re: LDAP Authentication issues

[Roy Golan]

On Tue, 12 Jun 2018 at 02:24 Donny Davis  wrote:

> I am happy to help where I can. I would also not recommend tinkering
> around in the database, but I am happy to hear you have it all running. :)
>
> Everything you should every be doing in the engine is available via the
> API/UI. Just some general advice.
>
>
>
> On Mon, Jun 11, 2018 at 9:31 AM, Callum Smith 
> wrote:
>
>> Dear All & Donny,
>>
>> Thank you for the clarifications, very useful indeed.
>>
>> A note for future users who go down this path and dont want to restore or
>> reinstall:
>>
>> Cleaning out the `permissions` table in the database and restoring the
>> defaults will solve the issue, but you need to restore the SuperUser
>> permission on the admin@internal account:
>>
>


>
>> Learning from here:
>> https://www.ovirt.org/develop/developer-guide/action-permissions-overview/
>>
>> Clean out your `roles_groups` and `permissions`
>> DELETE FROM `permissions`;
>> DELETE FROM `roles_groups`;
>>
>> Restore the defaults:
>>
>> https://github.com/oVirt/ovirt-engine/blob/master/packaging/dbscripts/data/00600_insert_permissions.sql
>>
>> https://github.com/oVirt/ovirt-engine/blob/master/packaging/dbscripts/data/00700_insert_roles_groups.sql
>>
>> Re-assign the SuperUser role to the admin@internal user:
>> Either:
>> https://github.com/oVirt/ovirt-engine/blob/master/packaging/bin/ovirt-engine-role.sh
>> Or just go straight into your localhost psql on your engine, replacing
>> information as appropriate:
>> Get your external_id from the users table and use it in the function:
>> SELECT external_id FROM `users` WHERE `name` = 'admin' AND `domain` =
>> 'internal-authz';
>> select
>> attach_user_to_role('admin','internal-authz','*','#external_id#','SuperUser');
>>
>> Regards,
>> Callum
>>
>>


I think the root cause here is that you are trying to login to the webadmin
and not the vm portal. User are authorized to login to the web admin
only if they have a role of type 'admin'. And UserRole is a 'user' type. So
the solution is not the give SuperUser for all those users, this is just a
workaround.

If you want to know for sure, go to Administration - Configure - Roles.

So ask yourself why users need access to the webadmin at all. If they need
admin permission assign them an appropriate role on the DC or the cluster.
If not, they use the VM portal.

Having said all that, if nothing helps and the db needs 'fixing' (I doubt
it though) then this is a bug.

> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 11 Jun 2018, at 11:57, Donny Davis  wrote:
>>
>> https://lists.ovirt.org/pipermail/users/2015-January/030981.html
>>
>> This is the thread where I discussed a bit of the permissions thing. I am
>> sure things have changed since 3.5.1, but should get you down the right
>> path.
>>
>> On Mon, Jun 11, 2018 at 6:54 AM, Callum Smith 
>> wrote:
>>
>>> Yes, in process of trying to fix/identify things - need to undo this.
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> On 11 Jun 2018, at 11:48, Donny Davis  wrote:
>>>
>>> did you add system permissions to the everyone group?
>>>
>>> On Mon, Jun 11, 2018 at 6:42 AM, Callum Smith 
>>> wrote:
>>>
 Happy for you to link me a guide, googlefu is failing me.

 How do i get around this "It's not allowed to remove system permissions
 assigned to built-in Everyone group" - to remove permissions erroneously
 added.

 Regards,
 Callum

 --

 Callum Smith
 Research Computing Core
 Wellcome Trust Centre for Human Genetics
 University of Oxford
 e. cal...@well.ox.ac.uk

 On 11 Jun 2018, at 11:38, Donny Davis  wrote:

 You can create a profile that has the proper permissions to allow what
 you are looking for, and then assign that profile to the groups you wish.
 I wrote a post on this quite a while back on how to setup oVirt to
 appear to be multi-tenant.

 Happy to see you don't have an ldap issue :)

 >This will be a problem for us to now create group permissions for all
 100+ groups since Everyone === No-one. -sigh-


 On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith 
 wrote:

> Ah, this appears to be an issue with the proxy - setting up the spice
> proxy as indicated in the guides is causing this issue, and likely will
> need support.
>
> https://www.ovirt.org/documentation/admin-guide/chap-Proxies/
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:29, Callum Smith  wrote:
>
> Ok, the user now logs in! This will be a problem for us to 

[ovirt-users] Re: oVirt Metrics

[Karli Sjöberg]

On Tue, 2018-06-12 at 00:10 +0300, Yaniv Kaul wrote:
> 
> 
> On Mon, Jun 11, 2018, 9:13 PM Karli Sjöberg 
> wrote:
> > 
> > On Jun 11, 2018 19:00, Yaniv Kaul  wrote:
> > > 
> > > On Mon, Jun 11, 2018, 6:59 PM Karli Sjöberg 
> > > wrote:
> > > > 
> > > > On Jun 11, 2018 13:59, Shirly Radco  wrote:
> > > > > Dear users,
> > > > > 
> > > > > I would love to get some feedback if someone has tried to
> > > > > install and use the oVirt metrics store, released in 4.2, for
> > > > > collecting metrics and logs, based on Elasticsearch, Kibana,
> > > > > Collectd and Fluentd on top of OpenShift.
> > > > > https://www.ovirt.org/develop/release-management/features/met
> > > > > rics/metrics-store/
> > > > > 
> > > > > How did the installation go? Are you actively using it?
> > > > > And any other feedback would be much appreciated.
> > > > > 
> > > > > Best regards, 
> > > > > --
> > > > > SHIRLY RADCO
> > > > > BI SENIOR SOFTWARE ENGINEER
> > > > > Red Hat Israel
> > > > >   TRIED. TESTED. TRUSTED.
> > > > > ___
> > > > > Users mailing list -- users@ovirt.org
> > > > > To unsubscribe send an email to users-le...@ovirt.org
> > > > > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> > > > > oVirt Code of Conduct: https://www.ovirt.org/community/about/
> > > > > community-guidelines/
> > > > > List Archives: https://lists.ovirt.org/archives/list/users@ov
> > > > > irt.org/message/3G2M3Q35UQZLOHDRAEBMX2INPDAQCOHO/
> > > > 
> > > > I have, and while I can say that it works, it was far from
> > > > easy! I can't remember all of the gotchas I had to go through
> > > > but most of them stemmed from the fact that I tested it all on
> > > > a three node oVirt HCI cluster that was actually VM's with
> > > > nested virtualization, which meant fairly limited resources but
> > > > eventually got it working.
> > > > 
> > > > Being completely new to OpenShift, a guide that needs more work
> > > > is the single sign on from oVirt to OS. The instructions are
> > > > way too unclear for me, and wrapping your head around how the
> > > > login and permissions system works in OS took a while, to
> > > > create an equal 'admin' account to log in with.
> > > > 
> > > > Second, isn't OS just an above layer of kubernetes under it, or
> > > > is that a misunderstanding on my part? If it is though, where
> > > > is the administration page for Kubernetes in all of that? I'm
> > > > thinking in the sense of how you can add more nodes to continue
> > > > building a larger cluster for containers.
> > > 
> > > OpenShift is much more than just Kubernetes, but specifically
> > > this instance should be used solely for metrics and logging and
> > > is therefore specifically installed as an all-in-one
> > > installation. 
> > > Y. 
> > 
> > OK, yeah, for sure! But is there no Kubernetes console in this all-
> > in-one installation?
> 
> The oc command is available, Cockpit interface as well. 
> Y. 

Wow, have you considered working with politics?:)

/K

> 
> > /K
> > 
> > > > But once everything was setup and able to log in to the Kibana
> > > > interface and loading up the dashboards you've made, I was
> > > > really impressed with how much data you got visualized for
> > > > free. Thumbs up!
> > > > 
> > > > /K
> > > > ___
> > > > Users mailing list -- users@ovirt.org
> > > > To unsubscribe send an email to users-le...@ovirt.org
> > > > Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> > > > oVirt Code of Conduct: https://www.ovirt.org/community/about/co
> > > > mmunity-guidelines/
> > > > List Archives: https://lists.ovirt.org/archives/list/users@ovir
> > > > t.org/message/CWMPCP3ZRT2CR56IVNG6JS7EMNVFSN3W/

signature.asc
Description: This is a digitally signed message part
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ODAX2PQ7U74Q2LOMKUWWUL6HRBNA4DSD/

[ovirt-users] Re: oVirt Metrics

[Yaniv Kaul]

On Mon, Jun 11, 2018, 6:59 PM Karli Sjöberg  wrote:

>
>
> On Jun 11, 2018 13:59, Shirly Radco  wrote:
>
> Dear users,
>
> I would love to get some feedback if someone has tried to install and use
> the oVirt metrics store, released in 4.2, for collecting metrics and logs,
> based on Elasticsearch, Kibana, Collectd and Fluentd on top of OpenShift.
>
> https://www.ovirt.org/develop/release-management/features/metrics/metrics-store/
>
> How did the installation go? Are you actively using it?
> And any other feedback would be much appreciated.
>
> Best regards,
>
> --
>
> SHIRLY RADCO
>
> BI SeNIOR SOFTWARE ENGINEER
>
> Red Hat Israel 
> 
> TRIED. TESTED. TRUSTED. 
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3G2M3Q35UQZLOHDRAEBMX2INPDAQCOHO/
>
>
> I have, and while I can say that it works, it was far from easy! I can't
> remember all of the gotchas I had to go through but most of them stemmed
> from the fact that I tested it all on a three node oVirt HCI cluster that
> was actually VM's with nested virtualization, which meant fairly limited
> resources but eventually got it working.
>
> Being completely new to OpenShift, a guide that needs more work is the
> single sign on from oVirt to OS. The instructions are way too unclear for
> me, and wrapping your head around how the login and permissions system
> works in OS took a while, to create an equal 'admin' account to log in with.
>
> Second, isn't OS just an above layer of kubernetes under it, or is that a
> misunderstanding on my part? If it is though, where is the administration
> page for Kubernetes in all of that? I'm thinking in the sense of how you
> can add more nodes to continue building a larger cluster for containers.
>

OpenShift is much more than just Kubernetes, but specifically this instance
should be used solely for metrics and logging and is therefore specifically
installed as an all-in-one installation.
Y.


> But once everything was setup and able to log in to the Kibana interface
> and loading up the dashboards you've made, I was really impressed with how
> much data you got visualized for free. Thumbs up!
>
> /K
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CWMPCP3ZRT2CR56IVNG6JS7EMNVFSN3W/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3R63OCU5M6FXTPMS4JEPTBA53BGRDAOC/

[ovirt-users] Re: oVirt Metrics

[Karli Sjöberg]

On Jun 11, 2018 19:00, Yaniv Kaul  wrote:On Mon, Jun 11, 2018, 6:59 PM Karli Sjöberg  wrote:On Jun 11, 2018 13:59, Shirly Radco  wrote:Dear users,I would love to get some feedback if someone has tried to install and use the oVirt metrics store, released in 4.2, for collecting metrics and logs, based on Elasticsearch, Kibana, Collectd and Fluentd on top of OpenShift.https://www.ovirt.org/develop/release-management/features/metrics/metrics-store/How did the installation go? Are you actively using it?And any other feedback would be much appreciated.Best regards, --SHIRLY RADCOBI SeNIOR SOFTWARE ENGINEERRed Hat IsraelTRIED. TESTED. TRUSTED.

___Users mailing list -- users@ovirt.orgTo unsubscribe send an email to users-le...@ovirt.orgPrivacy Statement: https://www.ovirt.org/site/privacy-policy/oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3G2M3Q35UQZLOHDRAEBMX2INPDAQCOHO/I have, and while I can say that it works, it was far from easy! I can't remember all of the gotchas I had to go through but most of them stemmed from the fact that I tested it all on a three node oVirt HCI cluster that was actually VM's with nested virtualization, which meant fairly limited resources but eventually got it working.Being completely new to OpenShift, a guide that needs more work is the single sign on from oVirt to OS. The instructions are way too unclear for me, and wrapping your head around how the login and permissions system works in OS took a while, to create an equal 'admin' account to log in with.Second, isn't OS just an above layer of kubernetes under it, or is that a misunderstanding on my part? If it is though, where is the administration page for Kubernetes in all of that? I'm thinking in the sense of how you can add more nodes to continue building a larger cluster for containers.OpenShift is much more than just Kubernetes, but specifically this instance should be used solely for metrics and logging and is therefore specifically installed as an all-in-one installation. Y. OK, yeah, for sure! But is there no Kubernetes console in this all-in-one installation?/KBut once everything was setup and able to log in to the Kibana interface and loading up the dashboards you've made, I was really impressed with how much data you got visualized for free. Thumbs up!/K___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CWMPCP3ZRT2CR56IVNG6JS7EMNVFSN3W/

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JEZSTVXMYX76HMRBL5QOF4JJH4YA5BDT/

[ovirt-users] Re: oVirt Metrics

[Yaniv Kaul]

On Mon, Jun 11, 2018, 9:13 PM Karli Sjöberg  wrote:

>
>
> On Jun 11, 2018 19:00, Yaniv Kaul  wrote:
>
>
>
> On Mon, Jun 11, 2018, 6:59 PM Karli Sjöberg  wrote:
>
>
>
> On Jun 11, 2018 13:59, Shirly Radco  wrote:
>
> Dear users,
>
> I would love to get some feedback if someone has tried to install and use
> the oVirt metrics store, released in 4.2, for collecting metrics and logs,
> based on Elasticsearch, Kibana, Collectd and Fluentd on top of OpenShift.
>
> https://www.ovirt.org/develop/release-management/features/metrics/metrics-store/
>
> How did the installation go? Are you actively using it?
> And any other feedback would be much appreciated.
>
> Best regards,
>
> --
>
> SHIRLY RADCO
>
> BI SeNIOR SOFTWARE ENGINEER
>
> Red Hat Israel 
> 
> TRIED. TESTED. TRUSTED. 
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3G2M3Q35UQZLOHDRAEBMX2INPDAQCOHO/
>
>
> I have, and while I can say that it works, it was far from easy! I can't
> remember all of the gotchas I had to go through but most of them stemmed
> from the fact that I tested it all on a three node oVirt HCI cluster that
> was actually VM's with nested virtualization, which meant fairly limited
> resources but eventually got it working.
>
> Being completely new to OpenShift, a guide that needs more work is the
> single sign on from oVirt to OS. The instructions are way too unclear for
> me, and wrapping your head around how the login and permissions system
> works in OS took a while, to create an equal 'admin' account to log in with.
>
> Second, isn't OS just an above layer of kubernetes under it, or is that a
> misunderstanding on my part? If it is though, where is the administration
> page for Kubernetes in all of that? I'm thinking in the sense of how you
> can add more nodes to continue building a larger cluster for containers.
>
>
> OpenShift is much more than just Kubernetes, but specifically this
> instance should be used solely for metrics and logging and is therefore
> specifically installed as an all-in-one installation.
> Y.
>
>
> OK, yeah, for sure! But is there no Kubernetes console in this all-in-one
> installation?
>

The oc command is available, Cockpit interface as well.
Y.


> /K
>
>
>
> But once everything was setup and able to log in to the Kibana interface
> and loading up the dashboards you've made, I was really impressed with how
> much data you got visualized for free. Thumbs up!
>
> /K
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/CWMPCP3ZRT2CR56IVNG6JS7EMNVFSN3W/
>
>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JYAUC3SZ54TCHS5YISFC7ZAZKNDPUD6Z/

[ovirt-users] UEFI

[Conrad Jones]

Does ovirt support UEFI yet ?

I saw some code reviews in gerrit. But I couldn't find it in my 4.23
install. I'm guessing it's not finished / released yet ?
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M5ON6B36WIDRAH6TQPXBDAD4FR52AEVP/

[ovirt-users] ovirt error

[Арслан]

hello.

when executing the command traceback:


|# hosted-engine --vm-status||
||Traceback (most recent call last):||
||  File "/usr/lib64/python2.6/runpy.py", line 122, in _run_module_as_main||
||    "__main__", fname, loader, pkg_name)||
||  File "/usr/lib64/python2.6/runpy.py", line 34, in _run_code||
||    exec code in run_globals||
||  File 
"/usr/lib/python2.6/site-packages/ovirt_hosted_engine_setup/vm_status.py", 
line 116, in ||

||    if not status_checker.print_status():||
||  File 
"/usr/lib/python2.6/site-packages/ovirt_hosted_engine_setup/vm_status.py", 
line 59, in print_status||

||    all_host_stats = ha_cli.get_all_host_stats()||
||  File 
"/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/client/client.py", 
line 157, in get_all_host_stats||

||    return self.get_all_stats(self.StatModes.HOST)||
||  File 
"/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/client/client.py", 
line 102, in get_all_stats||

||    stats = broker.get_stats_from_storage(service)||
||  File 
"/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/lib/brokerlink.py", 
line 232, in get_stats_from_storage||

||    result = self._checked_communicate(request)||
||  File 
"/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/lib/brokerlink.py", 
line 260, in _checked_communicate||

||    .format(message or response))||
||ovirt_hosted_engine_ha.lib.exceptions.RequestError: Request failed: 




what is the reason?

|

--
С уважением,
Кубанов Арслан
Инженер
Департамент сетевой интеграции
ЛАНИТ
129075, г. Москва, Мурманский проезд, д. 14, корп. 1
Тел.: +7 (495) 967-6650 #18287
www.lanit.ru

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4UAJN4MCO2TX56U3GUDLPTWVD5CFTICB/

[ovirt-users] Re: ovirt and gluster network config

[Bill Dossett]

Sorry, I posted this under the wrong title as I had started a post about 
network config, then figured it out but started out this post without changing 
the subject ☹

Regards, Bill

Bill Dossett
Systems Architect
Enterprise Cloud & Service Excellence
Enterprise IT Services Pitney Bowes


M +1 303 725 8163
bill.doss...@pb.com
pitneybowes.com

Pitney Bowes Inc.
4750 Walnut St | Boulder, CO | 80301




Part of Engineering, Software Support or Professional Services?
Raise a ticket via Remedy Anywhere 
[HERE]
 takes less than a minute

CloudForms User Guide available 
[HERE]




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VEFYZCGE4F3UXEIIFHDOWRX7DJDQW6NL/

[ovirt-users] Error starting VM after update Ovirt node

[Spickiy Nikita]

Hi, i upgraded oVirt node to 4.2.3.1 version. After upgrade I can not migrate 
VM or run VM  on the node. After viewing logs file i find several errors. One 
of them:

2018-06-07 15:52:20,536+07 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
(ForkJoinPool-1-worker-3) [] EVENT_ID: VM_DOWN_ERROR(119), VM 
ansible.example.com is down with error. Exit message: internal error: Process 
exited prior to exec: libvirt: Lock Driver error : Failed to ope
n socket to sanlock daemon: Permission denied.

I run setenforce 0 and VM can running on the node.


audit2allow -a


#= setfiles_t ==

# WARNING: 'bin_t' is a base type.
allow setfiles_t bin_t:file entrypoint;
allow setfiles_t self:capability sys_chroot;

#= svirt_t ==

# The file 
'/rhev/data-center/mnt/10.10.10.100:_var_nfs-ovirt-iso-share_files/dbf9ff5d-2cd4-408e-8a9d-08d39fa9a58a/images/----/CentOS-7-x86_64-Minimal-1708.iso'
 is mislabeled on your system.
# Fix with $ restorecon -R -v 
/rhev/data-center/mnt/10.10.10.100:_var_nfs-ovirt-iso-share_files/dbf9ff5d-2cd4-408e-8a9d-08d39fa9a58a/images/----/CentOS-7-x86_64-Minimal-1708.iso
# This avc can be allowed using the boolean 'virt_use_nfs'
allow svirt_t nfs_t:file open;

# The file '/run/sanlock/sanlock.sock' is mislabeled on your system.
# Fix with $ restorecon -R -v /run/sanlock/sanlock.sock
# This avc can be allowed using the boolean 'virt_use_sanlock'
allow svirt_t sanlock_t:unix_stream_socket connectto;

I run restorecon -R -v /run/sanlock/sanlock.sock, but it did not help
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VJCIWULSAP5EHFZPIFQHRECDYS3YZQM5/

[ovirt-users] Re: ovirt error

[Yanir Quinn]

Hi
Can you share some more information about your enviroment ?
1. Stack (ovirt,libvirt,vdsm, etc)
2. What is your setup ?
3. Did you do any steps like upgrade/add an additional host ?

If possible, please share agent and vdsm logs.

I would check for starters the status of the agent service  (e.g.  systemct

ovirt-ha-agent


On Thu, Jun 7, 2018 at 10:30 PM, Арслан  wrote:

> hello.
>
> when executing the command traceback:
>
>
> # hosted-engine --vm-status
> Traceback (most recent call last):
>   File "/usr/lib64/python2.6/runpy.py", line 122, in _run_module_as_main
> "__main__", fname, loader, pkg_name)
>   File "/usr/lib64/python2.6/runpy.py", line 34, in _run_code
> exec code in run_globals
>   File 
> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_setup/vm_status.py",
> line 116, in 
> if not status_checker.print_status():
>   File 
> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_setup/vm_status.py",
> line 59, in print_status
> all_host_stats = ha_cli.get_all_host_stats()
>   File 
> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/client/client.py",
> line 157, in get_all_host_stats
> return self.get_all_stats(self.StatModes.HOST)
>   File 
> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/client/client.py",
> line 102, in get_all_stats
> stats = broker.get_stats_from_storage(service)
>   File 
> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/lib/brokerlink.py",
> line 232, in get_stats_from_storage
> result = self._checked_communicate(request)
>   File 
> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/lib/brokerlink.py",
> line 260, in _checked_communicate
> .format(message or response))
> ovirt_hosted_engine_ha.lib.exceptions.RequestError: Request failed:  'exceptions.OSError'>
>
>
> what is the reason?
>
> --
> С уважением,
> Кубанов Арслан
> Инженер
> Департамент сетевой интеграции
> ЛАНИТ
> 129075, г. Москва, Мурманский проезд, д. 14, корп. 1
> Тел.: +7 (495) 967-6650 #18287www.lanit.ru
>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/4UAJN4MCO2TX56U3GUDLPTWVD5CFTICB/
>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4VPRW26NDYEZCYCKW2BBV6PXPXCSEC2/

[ovirt-users] Re: ovirt error

[Yanir Quinn]

>
> I would check for starters the status of the agent service  (e.g.  systemct
>
> ovirt-ha-agent
>
> ->  systemctl status ovirt-ha-agent


On Mon, Jun 11, 2018 at 11:00 AM, Yanir Quinn  wrote:

> Hi
> Can you share some more information about your enviroment ?
> 1. Stack (ovirt,libvirt,vdsm, etc)
> 2. What is your setup ?
> 3. Did you do any steps like upgrade/add an additional host ?
>
> If possible, please share agent and vdsm logs.
>
> I would check for starters the status of the agent service  (e.g.  systemct
>
> ovirt-ha-agent
>
>
> On Thu, Jun 7, 2018 at 10:30 PM, Арслан  wrote:
>
>> hello.
>>
>> when executing the command traceback:
>>
>>
>> # hosted-engine --vm-status
>> Traceback (most recent call last):
>>   File "/usr/lib64/python2.6/runpy.py", line 122, in _run_module_as_main
>> "__main__", fname, loader, pkg_name)
>>   File "/usr/lib64/python2.6/runpy.py", line 34, in _run_code
>> exec code in run_globals
>>   File 
>> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_setup/vm_status.py",
>> line 116, in 
>> if not status_checker.print_status():
>>   File 
>> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_setup/vm_status.py",
>> line 59, in print_status
>> all_host_stats = ha_cli.get_all_host_stats()
>>   File 
>> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/client/client.py",
>> line 157, in get_all_host_stats
>> return self.get_all_stats(self.StatModes.HOST)
>>   File 
>> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/client/client.py",
>> line 102, in get_all_stats
>> stats = broker.get_stats_from_storage(service)
>>   File 
>> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/lib/brokerlink.py",
>> line 232, in get_stats_from_storage
>> result = self._checked_communicate(request)
>>   File 
>> "/usr/lib/python2.6/site-packages/ovirt_hosted_engine_ha/lib/brokerlink.py",
>> line 260, in _checked_communicate
>> .format(message or response))
>> ovirt_hosted_engine_ha.lib.exceptions.RequestError: Request failed:
>> 
>>
>>
>> what is the reason?
>>
>> --
>> С уважением,
>> Кубанов Арслан
>> Инженер
>> Департамент сетевой интеграции
>> ЛАНИТ
>> 129075, г. Москва, Мурманский проезд, д. 14, корп. 1
>> Тел.: +7 (495) 967-6650 #18287www.lanit.ru
>>
>>
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct: https://www.ovirt.org/communit
>> y/about/community-guidelines/
>> List Archives: https://lists.ovirt.org/archiv
>> es/list/users@ovirt.org/message/4UAJN4MCO2TX56U3GUDLPTWVD5CFTICB/
>>
>>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5VCXLRW27C36P2MI6QC2JNYWXEQUY7WA/

[ovirt-users] Re: Hosted Engine: brick size...is this a bug?

[Simone Tiraboschi]

On Sun, Jun 10, 2018 at 9:18 AM, femi adegoke 
wrote:

> I have now done the oVirt 4.2.3.1 install at least 5 times, no, I don't
> consider myself any kind of expert.
>
> Even though the HE uses less than 10gb of space for some reason the
> install will fail if the brick is less than 58gb.
>
> Why is that?
>
> Look at this error:
> [ ERROR ] Error: Fault reason is "Operation Failed". Fault detail is
> "[Problem while trying to mount target]".
> HTTP response code is 400.
> [ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Fault
> reason is \"Operation Failed\".
> Fault detail is \"[Problem while trying to mount target]\". HTTP response
> code is 400."}
>
> The size of the brick was set at 50gb:
> [lv1]
> action=create
> vgname=gluster_vg1
> lvname=engine_lv
> lvtype=thick
> size=50GB
> mount=/gluster_bricks/engine
>
> Solution:
> Edit size to 60gb, re-run & voila, all is good.
>
> Is this a bug or maybe it's a problem with the way I'm doing things.
>

AFAIK 74 GiB is the minimum size.
The HE VM disk will be a sparse file and so the disk usage will seam less
but the disk of the hosted-engine VM is sized as 58 GiB plus ancillary
disks and SD metadata.



> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/3GKOQO4NNJR7WQ6O4XKWDHOSSRBICX6U/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QQC4DXMWEPFIWGAYXYUZ6Z5IGRNOH72T/

[ovirt-users] Re: Hosted Engine: brick size...is this a bug?

[Simone Tiraboschi]

On Sun, Jun 10, 2018 at 1:11 PM, Conrad Jones 
wrote:

> You got further than I did . It kept failing for me trying to determine
> whether the hostname was locally resolvable I managed to track through some
> of what it was doing via ansible but ended up creating a VM and installing
> centos then the engine manually
>
>
Can you please share your failure logs?


>
> On Sun, 10 Jun 2018, 08:19 femi adegoke,  wrote:
>
>> I have now done the oVirt 4.2.3.1 install at least 5 times, no, I don't
>> consider myself any kind of expert.
>>
>> Even though the HE uses less than 10gb of space for some reason the
>> install will fail if the brick is less than 58gb.
>>
>> Why is that?
>>
>> Look at this error:
>> [ ERROR ] Error: Fault reason is "Operation Failed". Fault detail is
>> "[Problem while trying to mount target]".
>> HTTP response code is 400.
>> [ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Fault
>> reason is \"Operation Failed\".
>> Fault detail is \"[Problem while trying to mount target]\". HTTP response
>> code is 400."}
>>
>> The size of the brick was set at 50gb:
>> [lv1]
>> action=create
>> vgname=gluster_vg1
>> lvname=engine_lv
>> lvtype=thick
>> size=50GB
>> mount=/gluster_bricks/engine
>>
>> Solution:
>> Edit size to 60gb, re-run & voila, all is good.
>>
>> Is this a bug or maybe it's a problem with the way I'm doing things.
>> ___
>> Users mailing list -- users@ovirt.org
>> To unsubscribe send an email to users-le...@ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
>> guidelines/
>> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
>> message/3GKOQO4NNJR7WQ6O4XKWDHOSSRBICX6U/
>>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/IBM3QXU4CZ6YDPKLKOD7MPROSEOECCQC/
>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BFSWBYFJVK73TPEGBYB3AKUJ4HU5O3G7/

[ovirt-users] Latency and Bandwidth for Disk level statistics

[Hari Prasanth Loganathan]

Hi Team,

I have created a VM using oVirt, which is in UP state now.

1) I opened the guest console using oVirt
2) I want to get the statistics for disk so I tried to create and write
some content in the file (say test.txt) in loop to increase the latency and
bandwidth in disk.
3) I observed that CPU in VM statistics is increased to 100 % (This is a
good news since I expected this also)
But when I looked into the disk level statistics using the following
API, I observe the data value as '0' always.

https://172.30.X.X/ovirt-engine/api/disks/3bc267c0-a797-4e98-8ae9-217671649287/statistics/


{
"statistic": [
{
"kind": "gauge",
"type": "decimal",
"unit": "bytes_per_second",
"values": {
"value": [
{
"datum": 0
}
]
},
"disk": {
"href":
"/ovirt-engine/api/disks/3bc267c0-a797-4e98-8ae9-217671649287",
"id": "3bc267c0-a797-4e98-8ae9-217671649287"
},
"name": "data.current.read",
"description": "Read data rate",
"href":
"/ovirt-engine/api/disks/3bc267c0-a797-4e98-8ae9-217671649287/statistics/33b9212b-f9cb-3fd0-b364-248fb61e1272",
"id": "33b9212b-f9cb-3fd0-b364-248fb61e1272"
},
{
"kind": "gauge",
"type": "decimal",
"unit": "bytes_per_second",
"values": {
"value": [
{
"datum": 0
}
]
},
"disk": {
"href":
"/ovirt-engine/api/disks/3bc267c0-a797-4e98-8ae9-217671649287",
"id": "3bc267c0-a797-4e98-8ae9-217671649287"
},
"name": "data.current.write",
"description": "Write data rate",
"href":
"/ovirt-engine/api/disks/3bc267c0-a797-4e98-8ae9-217671649287/statistics/2f23addd-4ebd-3d82-a449-c28778bc33eb",
"id": "2f23addd-4ebd-3d82-a449-c28778bc33eb"
}
]
}





*How can I increase the disk statistics using the VM Guest console?*

*Any help is much appreciated.*

Thanks,
Hari
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VNTDNEQDI3AJS763COFHLC3CQ6W4ING2/

[ovirt-users] Re: gdeploy hosted engine failed but host says it is up what now?

[Simone Tiraboschi]

Hi,

\"engine-status\": {\"reason\": \"failed liveliness check\", \"health\":
\"bad\", \"vm\": \"up\", \"detail\": \"Up\"}

means that the engine VM is up at virt side although a liveliness check
over http is failing.
This could happen if your engine VM got a different network configuration
or something like that.

I'd suggest to connect to the engine VM over vnc and check the network
status there.

ovirt-ha-agent will try to keep the engine up so if the http health
liveliness check is failing, ovirt-ha-agent will try to restart the engine
VM.


On Sun, Jun 10, 2018 at 2:05 PM,  wrote:

> Not sure if it helps, but I just noticed I have about 300
>
> Hosted engine host: usbou-rhev01 changed state: EngineStarting-EngineStop.
>
> Then
>
> Hosted engine host: usbou-rhev01 changed state: EngineStop-EngineDown.
>
> Then
>
> Hosted engine host: usbou-rhev01 changed state: EngineDown-EngineStart.
>
> Then
>
> Hosted engine host: usbou-rhev01 changed state: EngineStart-EngineStarting.
>
> And then it starts over... so there is obviously something wrong with the
> VM...
>
> Under the virtualization page,  It says I have 1 running virtual machine
> but I can't see it to delete it or get any visibility into it.
>
> Thanks
> Bill
>
>
> -Original Message-
> From: femi adegoke 
> Sent: Sunday, June 10, 2018 1:07 AM
> To: users@ovirt.org
> Subject: [ovirt-users] Re: gdeploy hosted engine failed but host says it
> is up what now?
>
> Bill,
>
> 3 things that have given me trouble in the past...ymmv!
>
> 1) Static IP for the hosted engine, multiple times, I've tried dhcp with
> no luck
> 2) Size of thick brick for hosted engine must be 60GB or more, I've tried
> 50gb mulitple times & it always fails.
> 3) Hosted engine & admin portal passwords, make them very simple, complex
> passwords with special characters ...always failed
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org Privacy Statement:
> https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/KGE453SG5CEOJ2IQFQGN3JEU52UZXSD3/
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/D7XP52YGAD3CZ4AC2VT6ON2DFP4YGNDV/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2BZOTKSU6IA5DNX3QDDRO7ACFXGJR5UA/

[ovirt-users] Re: LDAP Authentication issues

[Callum Smith]

What would be the next step to help solve this issue? All users authenticating 
through LDAP get "This user is not authorised to perform authentication".

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 11:42, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok I spoke too soon, I have resolved the groups, but authentication still isn't 
working for LDAP users, same error as before (114).

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 10:14, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Dear Ondra, all,

Managed to solve this once i got my head around the properties file. 
Conceptually the problem is that users are typically not a member of their 
primary group in a POSIX scenario, and their primary group is set by the 
gidNumber of the user's record, with additional group memberships specified by 
memberUid entries against a posixGroup entry.

search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))

search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber

sequence.bmrc-resolve-groups.010.description = set dn
sequence.bmrc-resolve-groups.010.type = var-set
sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
sequence.bmrc-resolve-groups.010.description = resolve uid
sequence.bmrc-resolve-groups.020.type = fetch-record
sequence.bmrc-resolve-groups.020.fetch-record.search = 
rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
sequence.bmrc-resolve-groups.030.description = resolve gid
sequence.bmrc-resolve-groups.030.type = fetch-record
sequence.bmrc-resolve-groups.030.fetch-record.search = 
rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name = _rfc2307_gid
sequence.bmrc-resolve-groups.040.description = query groups
sequence.bmrc-resolve-groups.040.type = search-open
sequence.bmrc-resolve-groups.040.search-open.search = 
rfc2307-resolve-groups-memberUid
sequence.bmrc-resolve-groups.040.search-open.variable = queryRFC2307ByMemberUid

sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups


Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 4 Jun 2018, at 15:07, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Dear Ondra,

I went for openldap-rfc2307 as that best describes our ldap setup. The issue 
seems to be that the gidNumber is set, but users are not a member of their 
primary group within the LDAP. So, user's gidNumber represents primary group 
and posixGroup membership (memberUid) represents their secondary groups. What's 
the best way to approach this (fix the filters on oVirt end or change the LDAP? 
This is a question of what is most compliant with standards really).

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 29 May 2018, at 11:29, Ondra Machacek 
mailto:omach...@redhat.com>> wrote:

What's you LDAP and what profile did you choose? This looks like you have 
chosen incorect profile during setup. Are you sure you arent using posix group 
and using non-posix aaa profile? Sharing a debug log of 
ovirt-engine-extensions-tool would be helpfull.


On Fri, May 25, 2018, 10:04 AM Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear All,

I'm having problems getting LDAP running, login works, but I'm getting "user is 
not authorised to perform login" - this is even if i specify the UserRole 
specifically to the LDAP group the user is in.

2018-05-25 08:56:16,212+01 INFO  
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) [] User 
callum@Biomedical Research Computing successfully logged in with scopes: 
ovirt-app-admin ovirt-app-api ovirt-app-portal 
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all 
ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search 
ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-05-25 08:56:16,391+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25) 
[63e60fe9] Running command: CreateUserSessionCommand internal: false.
2018-05-25 08:56:16,430+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User 
callum@Biomedical Research Computing connecting from '192.168.65.254' failed to 
log in.
2018-05-25 08:56:16,430+01 ERROR 

[ovirt-users] Re: guests crashing during live migration(NUMA config issue)

[rni]

Hello,

sorry for my late answer I've been off for a long weekend. :-)

So source:
OS-Version:RHEL - 7 - 4.1708.el7.centos
Kernelversion:3.10.0 - 693.21.1.el7.x86_64
KVM-Version:2.9.0 - 16.el7_4.14.1
LIBVIRT-Version:libvirt-3.2.0-14.el7_4.9
VDSM-Version:vdsm-4.19.45-1.el7.centos
SPICE-Version:0.12.8 - 2.el7.1
CEPH-Version:librbd1-0.94.5-2.el7
Kernel Features:PTI: 1, IBPB: 0, IBRS: 0
Destination:
OS-Version:RHEL - 7 - 4.1708.el7.centos
Kernelversion:3.10.0 - 693.21.1.el7.x86_64
KVM-Version:2.9.0 - 16.el7_4.14.1
LIBVIRT-Version:libvirt-3.2.0-14.el7_4.9
VDSM-Version:vdsm-4.19.45-1.el7.centos
SPICE-Version:0.12.8 - 2.el7.1
CEPH-Version:librbd1-0.94.5-2.el7
Kernel Features:PTI: 1, IBPB: 0, IBRS: 0

qemu.log on destination:
2018-06-11T09:13:20.613605Z qemu-kvm: terminating on signal 15 from pid 3008 
(/usr/sbin/libvirtd)
2018-06-11 09:21:56.071+: starting up libvirt version: 3.2.0, package: 
14.el7_4.9 (CentOS BuildSystem , 2018-03-07-13:51:24, 
x86-01.bsys.centos.org), qemu version: 2.9.0(qemu-kvm-ev-2.9.0-16.el7_4.14.1), 
hostname: abc..x.com
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin 
QEMU_AUDIO_DRV=none /usr/libexec/qemu-kvm -name guest=bbgas102,debug-threads=on 
-S -object 
secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-1932-abcas102/master-key.aes
 -machine pc-i440fx-rhel7.3.0,accel=kvm,usb=off,dump-guest-core=off -cpu 
Westmere,vme=on,pclmuldq=on,x2apic=on,hypervisor=on,arat=on -m 
size=2097152k,slots=16,maxmem=4294967296k -realtime mlock=off -smp 
4,maxcpus=16,sockets=16,cores=1,threads=1 -numa node,nodeid=0,cpus=0-3,mem=2048 
-uuid 4aff4193-ba75-481d-92b3-59b62cd8b111 -smbios 
'type=1,manufacturer=oVirt,product=oVirt 
Node,version=7-4.1708.el7.centos,serial=32393735-3933-5A43-4A32-34333046564B,uuid=4aff4193-ba75-481d-92b3-59b62cd8b111'
 -no-user-config -nodefaults -chardev 
socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-1932-bbgas102/monitor.sock,server,nowait
 -mon chardev=charmonitor,id=monitor,mode=control -rtc 
base=2018-06-11T09:21:55,driftfix=slew -global kvm-pit.lost_tick_p
 olicy=delay -no-hpet -no-shutdown -boot menu=on,splash-time=1,strict=on 
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device 
virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 -device 
virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x4 -drive 
if=none,id=drive-ide0-1-0,readonly=on -device 
ide-cd,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -drive 
file=/rhev/data-center/5849b030-626e-47cb-ad90-3ce782d831b3/68b8aaff-770d-4a08-800b-0c15e94efaa8/images/33235bbf-0156-421e-9391-0749247b6ba6/0d2949b6-af0f-4de2-b29a-10dcb39ad857,format=raw,if=none,id=drive-virtio-disk0,serial=33235bbf-0156-421e-9391-0749247b6ba6,cache=none,werror=stop,rerror=stop,aio=native
 -device 
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
 -drive 
file=/rhev/data-center/5849b030-626e-47cb-ad90-3ce782d831b3/68b8aaff-770d-4a08-800b-0c15e94efaa8/images/5149067a-b18c-41cf-a355-033317291148/f0afa250-6704-410c-b9be-60b99cb28ce9,format=raw,if=none,id=dri
 
ve-virtio-disk1,serial=5149067a-b18c-41cf-a355-033317291148,cache=none,werror=stop,rerror=stop,aio=native
 -device 
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,id=virtio-disk1
 -netdev tap,fd=37,id=hostnet0,vhost=on,vhostfd=40 -device 
virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:bd:ed:0a,bus=pci.0,addr=0x7 
-netdev tap,fd=42,id=hostnet1,vhost=on,vhostfd=43 -device 
virtio-net-pci,netdev=hostnet1,id=net1,mac=00:1a:4a:bd:ed:26,bus=pci.0,addr=0x8 
-chardev 
socket,id=charchannel0,path=/var/lib/libvirt/qemu/channels/4aff4193-ba75-481d-92b3-59b62cd8b111.com.redhat.rhevm.vdsm,server,nowait
 -device 
virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.rhevm.vdsm
 -chardev 
socket,id=charchannel1,path=/var/lib/libvirt/qemu/channels/4aff4193-ba75-481d-92b3-59b62cd8b111.org.qemu.guest_agent.0,server,nowait
 -device 
virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=org.qemu.guest_agent.0
 -device usb-tablet,id
 =input0,bus=usb.0,port=1 -vnc 10.157.8.40:3,password -k de -device 
qxl-vga,id=video0,ram_size=67108864,vram_size=8388608,vram64_size_mb=0,vgamem_mb=16,max_outputs=1,bus=pci.0,addr=0x2
 -incoming defer -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg 
timestamp=on
2018-06-11T09:21:56.171158Z qemu-kvm: warning: CPU(s) not present in any NUMA 
nodes: 4 5 6 7 8 9 10 11 12 13 14 15
2018-06-11T09:21:56.171319Z qemu-kvm: warning: All CPU(s) up to maxcpus should 
be described in NUMA config

qemu.log on source:
2018-06-11 09:03:32.701+: initiating migration
2018-06-11 09:10:39.758+: initiating migration
2018-06-11 09:13:04.323+: initiating migration
2018-06-11 09:18:32.877+: initiating migration
2018-06-11 09:21:56.308+: initiating migration

vdsm.log on source:
2018-06-11 11:21:54,331+0200 ERROR (migsrc/9d52cd9b) [virt.vm] 

[ovirt-users] Re: VMs hung after migration

[Alejandro Cortina]

Hi Peter,

I have a similar issue. Have you tried downgrading to
kernel-3.10.0-693.21.1.el7.x86_64 ?

Cheers,

Alex

On Fri, Jun 1, 2018 at 7:10 AM, Peter Hudec  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Hi,
>
> the BZ is private, but I had the same problem. The VM hung after
> migration, but not all.
>
> After migration the VM works for a while and hangs after that, but
> during upgrade to 4.2.3 and hosts update this did not happened.
>
> Peter
>
> On 31/05/2018 17:54, Kapetanakis Giannis wrote:
> > Hi,
> >
> > Please have a look at BZ
> > https://bugzilla.redhat.com/show_bug.cgi?id=1584775 about VM hung
> > problems I have with latest kernels.
> >
> > Problem appeared after upgrading to 4.2.3 but I believe it has only
> > to do with newer kernel and not any part of
> > ovirt/vdsm/libvirt/qemu
> >
> > regards,
> >
> > Giannis ___ Users
> > mailing list -- users@ovirt.org To unsubscribe send an email to
> > users-le...@ovirt.org Privacy Statement:
> > https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct:
> > https://www.ovirt.org/community/about/community-guidelines/ List
> > Archives:
> > https://lists.ovirt.org/archives/list/users@ovirt.org/message/IPORS7MN
> ZJMCP5PYUUMBHBW7BWPK7PDO/
> >
> >
> - --
> *Peter Hudec*
> Infraštruktúrny architekt
> phu...@cnc.sk 
>
> *CNC, a.s.*
> Borská 6, 841 04 Bratislava
> Recepcia: +421 2  35 000 100
>
> Mobil:+421 905 997 203
> *www.cnc.sk* 
>
> -BEGIN PGP SIGNATURE-
>
> iQIzBAEBCgAdFiEEqSUbhuEwhryifNeVQnvVWOJ35BAFAlsQctgACgkQQnvVWOJ3
> 5BCcUhAAjbLs9fEx17bwxBC4QukR3rc2WUEgsb85sByZYJDuaSepELkWNkUPY+DO
> QK8WHApI1QrnxCKSt1DEPTY0T5uQO9YTYBuyvamML+mLAqYWGyiWkbITNpVZBvHl
> IrlsjLrUGV78ULwsfWYkvdsd2VyQlnL4PWpfw5NQL88wj6glySdMqREJM7aTYtlZ
> SCFFuvjawbjCDi5dAN1WwYoWYlmGM2LF+wYalV9yGFtqq85dEiXCLL+BFJ+RbzVf
> ayKcvL2vzBAt6DepAv6JxgGfIwmyLjBajWLB3hGShYd6nfJucx8SeGuGf9MYg6Ll
> GR8QRTwSQha6XhGM5wHAjdzhlpwlQcwEXz4jIPvj7oL0ATw8XX8duW2VBKcPbMVC
> 9mJcP7XKpe2vfy7AATrlAiVDbfMh5+NDaTQwyCy9Ul24sLVhVMfJmkrCz+UL68rl
> 5myVmk3D/aB4dE2niJOr1cY4CCs79VymjNu69Li18fwF656Fnk7+vPu0Hq1r8yTC
> 3O//F8JLyXac/iYXuJ6V7wFzafvyZkJAqpg0vmIj10cLT1uqXv8RGJyNTw1YM3ll
> J5P2xgiz8ZUtv6qoZcwLDDmueyVivpPqUgLtxGpOEhlRRQPP1/wcoMrrxn1vCRqi
> FS/qZOSIqdCJxZU6NlcWAkdxXr/uMNXoowl17bYDKFfKaTfqYek=
> =fcLm
> -END PGP SIGNATURE-
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/Z2CV3XZVSGE44O5HYAGXE3AS6KFXZUKE/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EHQHYQXLKE65IRNS75T4ZHGSSBMDUCT6/

[ovirt-users] Re: LDAP Authentication issues

[Callum Smith]

Dear All,

Could this be as our LDAP is fairly short on attributes?

2018-06-11 11:00:52,856+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) 
[5dff9eb0] Running command: CreateUserSessionCommand internal: false.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical 
Research Computing connecting from '--ipaddr--' failed to log in.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The 
user callum@Biomedical Research Computing is not authorized to perform login

I note that a number of variables are included in this action, but which are 
required and which are optional is the question:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 09:35, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

What would be the next step to help solve this issue? All users authenticating 
through LDAP get "This user is not authorised to perform authentication".

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 11:42, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok I spoke too soon, I have resolved the groups, but authentication still isn't 
working for LDAP users, same error as before (114).

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 10:14, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Dear Ondra, all,

Managed to solve this once i got my head around the properties file. 
Conceptually the problem is that users are typically not a member of their 
primary group in a POSIX scenario, and their primary group is set by the 
gidNumber of the user's record, with additional group memberships specified by 
memberUid entries against a posixGroup entry.

search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))

search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber

sequence.bmrc-resolve-groups.010.description = set dn
sequence.bmrc-resolve-groups.010.type = var-set
sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
sequence.bmrc-resolve-groups.010.description = resolve uid
sequence.bmrc-resolve-groups.020.type = fetch-record
sequence.bmrc-resolve-groups.020.fetch-record.search = 
rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
sequence.bmrc-resolve-groups.030.description = resolve gid
sequence.bmrc-resolve-groups.030.type = fetch-record
sequence.bmrc-resolve-groups.030.fetch-record.search = 
rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name = _rfc2307_gid
sequence.bmrc-resolve-groups.040.description = query groups
sequence.bmrc-resolve-groups.040.type = search-open
sequence.bmrc-resolve-groups.040.search-open.search = 
rfc2307-resolve-groups-memberUid
sequence.bmrc-resolve-groups.040.search-open.variable = queryRFC2307ByMemberUid

sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups


Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 4 Jun 2018, at 15:07, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Dear Ondra,

I went for openldap-rfc2307 as that best describes our ldap setup. The issue 
seems to be that the gidNumber is set, but users are not a member of their 
primary group within the LDAP. So, user's gidNumber represents primary group 
and posixGroup membership (memberUid) represents their secondary groups. What's 
the best way to approach this (fix the filters on oVirt end or change the LDAP? 
This is a question of what is most compliant with standards really).

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 29 May 2018, at 11:29, Ondra Machacek 
mailto:omach...@redhat.com>> wrote:

What's you LDAP and what profile did you choose? This looks like you have 
chosen incorect profile during setup. Are you sure you arent using posix group 
and using non-posix aaa profile? Sharing a debug log of 
ovirt-engine-extensions-tool 

[ovirt-users] Re: LDAP Authentication issues

[Donny Davis]

Just a shot in the dark, but after you setup ldap did you go in as the
default admin and give an ldap account permissions?

On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith  wrote:

> Dear All,
>
> Could this be as our LDAP is fairly short on attributes?
>
> 2018-06-11 11:00:52,856+01 INFO  
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
> (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand
> internal: false.
> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.
> dbbroker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0]
> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
> Computing connecting from '--ipaddr--' failed to log in.
> 2018-06-11 11:00:52,884+01 ERROR 
> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
> (default task-5) [] The user callum@Biomedical Research Computing is not
> authorized to perform login
>
> I note that a number of variables are included in this action, but which
> are required and which are optional is the question:
>
> https://github.com/oVirt/ovirt-engine/blob/master/
> backend/manager/modules/aaa/src/main/java/org/ovirt/
> engine/core/aaa/servlet/SsoPostLoginServlet.java#L88
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 09:35, Callum Smith  wrote:
>
> What would be the next step to help solve this issue? All users
> authenticating through LDAP get "This user is not authorised to perform
> authentication".
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 5 Jun 2018, at 11:42, Callum Smith  wrote:
>
> Ok I spoke too soon, I have resolved the groups, but authentication still
> isn't working for LDAP users, same error as before (114).
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 5 Jun 2018, at 10:14, Callum Smith  wrote:
>
> Dear Ondra, all,
>
> Managed to solve this once i got my head around the properties file.
> Conceptually the problem is that users are typically not a member of their
> primary group in a POSIX scenario, and their primary group is set by the
> gidNumber of the user's record, with additional group memberships specified
> by memberUid entries against a posixGroup entry.
>
> search.rfc2307-resolve-groups-memberUid.search-request.filter =
> &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_
> encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))
>
> search.rfc2307-resolve-principal-uid.search-request.attributes = uid,
> gidNumber
>
> sequence.bmrc-resolve-groups.010.description = set dn
> sequence.bmrc-resolve-groups.010.type = var-set
> sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
> sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
> sequence.bmrc-resolve-groups.010.description = resolve uid
> sequence.bmrc-resolve-groups.020.type = fetch-record
> sequence.bmrc-resolve-groups.020.fetch-record.search =
> rfc2307-resolve-principal-uid
> sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
> sequence.bmrc-resolve-groups.030.description = resolve gid
> sequence.bmrc-resolve-groups.030.type = fetch-record
> sequence.bmrc-resolve-groups.030.fetch-record.search =
> rfc2307-resolve-principal-uid
> sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name =
> _rfc2307_gid
> sequence.bmrc-resolve-groups.040.description = query groups
> sequence.bmrc-resolve-groups.040.type = search-open
> sequence.bmrc-resolve-groups.040.search-open.search =
> rfc2307-resolve-groups-memberUid
> sequence.bmrc-resolve-groups.040.search-open.variable =
> queryRFC2307ByMemberUid
>
> sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
>
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 4 Jun 2018, at 15:07, Callum Smith  wrote:
>
> Dear Ondra,
>
> I went for openldap-rfc2307 as that best describes our ldap setup. The
> issue seems to be that the gidNumber is set, but users are not a member of
> their primary group within the LDAP. So, user's gidNumber represents
> primary group and posixGroup membership (memberUid) represents their
> secondary groups. What's the best way to approach this (fix the filters on
> oVirt end or change the LDAP? This is a question of what is most compliant
> with standards really).
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 29 May 2018, at 11:29, Ondra Machacek  wrote:
>
> What's you LDAP and what profile did you choose? This looks like you have
> chosen incorect profile during setup. 

[ovirt-users] Re: LDAP Authentication issues

[Callum Smith]

Dear Donny,

No, though the user shows the permissions inherited from the Everyone group:
[cid:3C4DA68E-6FBF-4D50-AA88-9E063CFBED6C@well.ox.ac.uk]
Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:21, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Just a shot in the dark, but after you setup ldap did you go in as the default 
admin and give an ldap account permissions?

On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear All,

Could this be as our LDAP is fairly short on attributes?

2018-06-11 11:00:52,856+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) 
[5dff9eb0] Running command: CreateUserSessionCommand internal: false.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical 
Research Computing connecting from '--ipaddr--' failed to log in.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The 
user callum@Biomedical Research Computing is not authorized to perform login

I note that a number of variables are included in this action, but which are 
required and which are optional is the question:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 09:35, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

What would be the next step to help solve this issue? All users authenticating 
through LDAP get "This user is not authorised to perform authentication".

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 11:42, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok I spoke too soon, I have resolved the groups, but authentication still isn't 
working for LDAP users, same error as before (114).

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 10:14, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Dear Ondra, all,

Managed to solve this once i got my head around the properties file. 
Conceptually the problem is that users are typically not a member of their 
primary group in a POSIX scenario, and their primary group is set by the 
gidNumber of the user's record, with additional group memberships specified by 
memberUid entries against a posixGroup entry.

search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))

search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber

sequence.bmrc-resolve-groups.010.description = set dn
sequence.bmrc-resolve-groups.010.type = var-set
sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
sequence.bmrc-resolve-groups.010.description = resolve uid
sequence.bmrc-resolve-groups.020.type = fetch-record
sequence.bmrc-resolve-groups.020.fetch-record.search = 
rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name
 = _rfc2307_uid
sequence.bmrc-resolve-groups.030.description = resolve gid
sequence.bmrc-resolve-groups.030.type = fetch-record
sequence.bmrc-resolve-groups.030.fetch-record.search = 
rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name
 = _rfc2307_gid
sequence.bmrc-resolve-groups.040.description = query groups
sequence.bmrc-resolve-groups.040.type = search-open
sequence.bmrc-resolve-groups.040.search-open.search = 
rfc2307-resolve-groups-memberUid
sequence.bmrc-resolve-groups.040.search-open.variable = queryRFC2307ByMemberUid

sequence.rfc2307-resolve-groups.020.call.name
 = bmrc-resolve-groups


Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 4 Jun 2018, at 15:07, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Dear Ondra,

I went for openldap-rfc2307 as that best describes our ldap setup. The issue 
seems to be that the gidNumber is set, but users are not a member of their 

[ovirt-users] Re: LDAP Authentication issues

[Donny Davis]

Try giving your user system permissions as a superuser and see if it goes
away.

I wouldn't leave it like that, but it will help isolate your issue. I don't
think you have an ldap issue... the log entry is telling you that user has
no permissions
>The user callum@Biomedical Research Computing is not authorized to perform
login

On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith  wrote:

> Dear Donny,
>
> No, though the user shows the permissions inherited from the Everyone
> group:
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:21, Donny Davis  wrote:
>
> Just a shot in the dark, but after you setup ldap did you go in as the
> default admin and give an ldap account permissions?
>
> On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
> wrote:
>
>> Dear All,
>>
>> Could this be as our LDAP is fairly short on attributes?
>>
>> 2018-06-11 11:00:52,856+01 INFO  
>> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
>> (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand
>> internal: false.
>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbb
>> roker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0]
>> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
>> Computing connecting from '--ipaddr--' failed to log in.
>> 2018-06-11 11:00:52,884+01 ERROR 
>> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
>> (default task-5) [] The user callum@Biomedical Research Computing is not
>> authorized to perform login
>>
>> I note that a number of variables are included in this action, but which
>> are required and which are optional is the question:
>>
>> https://github.com/oVirt/ovirt-engine/blob/master/backend/
>> manager/modules/aaa/src/main/java/org/ovirt/engine/core/
>> aaa/servlet/SsoPostLoginServlet.java#L88
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 11 Jun 2018, at 09:35, Callum Smith  wrote:
>>
>> What would be the next step to help solve this issue? All users
>> authenticating through LDAP get "This user is not authorised to perform
>> authentication".
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 5 Jun 2018, at 11:42, Callum Smith  wrote:
>>
>> Ok I spoke too soon, I have resolved the groups, but authentication still
>> isn't working for LDAP users, same error as before (114).
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 5 Jun 2018, at 10:14, Callum Smith  wrote:
>>
>> Dear Ondra, all,
>>
>> Managed to solve this once i got my head around the properties file.
>> Conceptually the problem is that users are typically not a member of their
>> primary group in a POSIX scenario, and their primary group is set by the
>> gidNumber of the user's record, with additional group memberships specified
>> by memberUid entries against a posixGroup entry.
>>
>> search.rfc2307-resolve-groups-memberUid.search-request.filter =
>> &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_enc
>> oded})(gidNumber=${seq:_rfc2307_gid_encoded}))
>>
>> search.rfc2307-resolve-principal-uid.search-request.attributes = uid,
>> gidNumber
>>
>> sequence.bmrc-resolve-groups.010.description = set dn
>> sequence.bmrc-resolve-groups.010.type = var-set
>> sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
>> sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
>> sequence.bmrc-resolve-groups.010.description = resolve uid
>> sequence.bmrc-resolve-groups.020.type = fetch-record
>> sequence.bmrc-resolve-groups.020.fetch-record.search =
>> rfc2307-resolve-principal-uid
>> sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
>> sequence.bmrc-resolve-groups.030.description = resolve gid
>> sequence.bmrc-resolve-groups.030.type = fetch-record
>> sequence.bmrc-resolve-groups.030.fetch-record.search =
>> rfc2307-resolve-principal-uid
>> sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name
>> 
>> = _rfc2307_gid
>> sequence.bmrc-resolve-groups.040.description = query groups
>> sequence.bmrc-resolve-groups.040.type = search-open
>> sequence.bmrc-resolve-groups.040.search-open.search =
>> rfc2307-resolve-groups-memberUid
>> sequence.bmrc-resolve-groups.040.search-open.variable =
>> queryRFC2307ByMemberUid
>>
>> sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
>>
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of 

[ovirt-users] Re: LDAP Authentication issues

[Callum Smith]

Ok, the user now logs in! This will be a problem for us to now create group 
permissions for all 100+ groups since Everyone === No-one. -sigh-

A new issue, when in the VM portal as the LDAP user, i get HTTP basic auth 
login prompts, and a "Authorization expired" error, then a page reload. Nothing 
in the logs seem to indicate an issue.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:26, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Try giving your user system permissions as a superuser and see if it goes away.

I wouldn't leave it like that, but it will help isolate your issue. I don't 
think you have an ldap issue... the log entry is telling you that user has no 
permissions
>The user callum@Biomedical Research Computing is not authorized to perform 
>login

On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear Donny,

No, though the user shows the permissions inherited from the Everyone group:

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:21, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Just a shot in the dark, but after you setup ldap did you go in as the default 
admin and give an ldap account permissions?

On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear All,

Could this be as our LDAP is fairly short on attributes?

2018-06-11 11:00:52,856+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) 
[5dff9eb0] Running command: CreateUserSessionCommand internal: false.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical 
Research Computing connecting from '--ipaddr--' failed to log in.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The 
user callum@Biomedical Research Computing is not authorized to perform login

I note that a number of variables are included in this action, but which are 
required and which are optional is the question:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 09:35, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

What would be the next step to help solve this issue? All users authenticating 
through LDAP get "This user is not authorised to perform authentication".

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 11:42, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok I spoke too soon, I have resolved the groups, but authentication still isn't 
working for LDAP users, same error as before (114).

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 10:14, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Dear Ondra, all,

Managed to solve this once i got my head around the properties file. 
Conceptually the problem is that users are typically not a member of their 
primary group in a POSIX scenario, and their primary group is set by the 
gidNumber of the user's record, with additional group memberships specified by 
memberUid entries against a posixGroup entry.

search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))

search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber

sequence.bmrc-resolve-groups.010.description = set dn
sequence.bmrc-resolve-groups.010.type = var-set
sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
sequence.bmrc-resolve-groups.010.description = resolve uid
sequence.bmrc-resolve-groups.020.type = fetch-record
sequence.bmrc-resolve-groups.020.fetch-record.search = 
rfc2307-resolve-principal-uid
sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name
 = _rfc2307_uid
sequence.bmrc-resolve-groups.030.description = resolve gid
sequence.bmrc-resolve-groups.030.type = fetch-record
sequence.bmrc-resolve-groups.030.fetch-record.search = 
rfc2307-resolve-principal-uid

[ovirt-users] oVirt Metrics

[Shirly Radco]

Dear users,

I would love to get some feedback if someone has tried to install and use
the oVirt metrics store, released in 4.2, for collecting metrics and logs,
based on Elasticsearch, Kibana, Collectd and Fluentd on top of OpenShift.
https://www.ovirt.org/develop/release-management/features/metrics/metrics-store/

How did the installation go? Are you actively using it?
And any other feedback would be much appreciated.

Best regards,

--

SHIRLY RADCO

BI SeNIOR SOFTWARE ENGINEER

Red Hat Israel 

TRIED. TESTED. TRUSTED. 
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3G2M3Q35UQZLOHDRAEBMX2INPDAQCOHO/

[ovirt-users] Re: LDAP Authentication issues

[Callum Smith]

Ah, this appears to be an issue with the proxy - setting up the spice proxy as 
indicated in the guides is causing this issue, and likely will need support.

https://www.ovirt.org/documentation/admin-guide/chap-Proxies/

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:29, Callum Smith  wrote:

Ok, the user now logs in! This will be a problem for us to now create group 
permissions for all 100+ groups since Everyone === No-one. -sigh-

A new issue, when in the VM portal as the LDAP user, i get HTTP basic auth 
login prompts, and a "Authorization expired" error, then a page reload. Nothing 
in the logs seem to indicate an issue.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:26, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Try giving your user system permissions as a superuser and see if it goes away.

I wouldn't leave it like that, but it will help isolate your issue. I don't 
think you have an ldap issue... the log entry is telling you that user has no 
permissions
>The user callum@Biomedical Research Computing is not authorized to perform 
>login

On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear Donny,

No, though the user shows the permissions inherited from the Everyone group:

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:21, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Just a shot in the dark, but after you setup ldap did you go in as the default 
admin and give an ldap account permissions?

On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear All,

Could this be as our LDAP is fairly short on attributes?

2018-06-11 11:00:52,856+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) 
[5dff9eb0] Running command: CreateUserSessionCommand internal: false.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical 
Research Computing connecting from '--ipaddr--' failed to log in.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The 
user callum@Biomedical Research Computing is not authorized to perform login

I note that a number of variables are included in this action, but which are 
required and which are optional is the question:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 09:35, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

What would be the next step to help solve this issue? All users authenticating 
through LDAP get "This user is not authorised to perform authentication".

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 11:42, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok I spoke too soon, I have resolved the groups, but authentication still isn't 
working for LDAP users, same error as before (114).

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 10:14, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Dear Ondra, all,

Managed to solve this once i got my head around the properties file. 
Conceptually the problem is that users are typically not a member of their 
primary group in a POSIX scenario, and their primary group is set by the 
gidNumber of the user's record, with additional group memberships specified by 
memberUid entries against a posixGroup entry.

search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))

search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber

sequence.bmrc-resolve-groups.010.description = set dn
sequence.bmrc-resolve-groups.010.type = var-set
sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
sequence.bmrc-resolve-groups.010.description = resolve uid
sequence.bmrc-resolve-groups.020.type = fetch-record

[ovirt-users] Re: LDAP Authentication issues

[Donny Davis]

You can create a profile that has the proper permissions to allow what you
are looking for, and then assign that profile to the groups you wish.
I wrote a post on this quite a while back on how to setup oVirt to appear
to be multi-tenant.

Happy to see you don't have an ldap issue :)

>This will be a problem for us to now create group permissions for all 100+
groups since Everyone === No-one. -sigh-


On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith  wrote:

> Ah, this appears to be an issue with the proxy - setting up the spice
> proxy as indicated in the guides is causing this issue, and likely will
> need support.
>
> https://www.ovirt.org/documentation/admin-guide/chap-Proxies/
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:29, Callum Smith  wrote:
>
> Ok, the user now logs in! This will be a problem for us to now create
> group permissions for all 100+ groups since Everyone === No-one. -sigh-
>
> A new issue, when in the VM portal as the LDAP user, i get HTTP basic auth
> login prompts, and a "Authorization expired" error, then a page reload.
> Nothing in the logs seem to indicate an issue.
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:26, Donny Davis  wrote:
>
> Try giving your user system permissions as a superuser and see if it goes
> away.
>
> I wouldn't leave it like that, but it will help isolate your issue. I
> don't think you have an ldap issue... the log entry is telling you that
> user has no permissions
> >The user callum@Biomedical Research Computing is not authorized to
> perform login
>
> On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith 
> wrote:
>
>> Dear Donny,
>>
>> No, though the user shows the permissions inherited from the Everyone
>> group:
>> 
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 11 Jun 2018, at 11:21, Donny Davis  wrote:
>>
>> Just a shot in the dark, but after you setup ldap did you go in as the
>> default admin and give an ldap account permissions?
>>
>> On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
>> wrote:
>>
>>> Dear All,
>>>
>>> Could this be as our LDAP is fairly short on attributes?
>>>
>>> 2018-06-11 11:00:52,856+01 INFO  
>>> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
>>> (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand
>>> internal: false.
>>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbb
>>> roker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0]
>>> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
>>> Computing connecting from '--ipaddr--' failed to log in.
>>> 2018-06-11 11:00:52,884+01 ERROR 
>>> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
>>> (default task-5) [] The user callum@Biomedical Research Computing is
>>> not authorized to perform login
>>>
>>> I note that a number of variables are included in this action, but which
>>> are required and which are optional is the question:
>>>
>>> https://github.com/oVirt/ovirt-engine/blob/master/backend/ma
>>> nager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/
>>> servlet/SsoPostLoginServlet.java#L88
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> On 11 Jun 2018, at 09:35, Callum Smith  wrote:
>>>
>>> What would be the next step to help solve this issue? All users
>>> authenticating through LDAP get "This user is not authorised to perform
>>> authentication".
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> On 5 Jun 2018, at 11:42, Callum Smith  wrote:
>>>
>>> Ok I spoke too soon, I have resolved the groups, but authentication
>>> still isn't working for LDAP users, same error as before (114).
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> On 5 Jun 2018, at 10:14, Callum Smith  wrote:
>>>
>>> Dear Ondra, all,
>>>
>>> Managed to solve this once i got my head around the properties file.
>>> Conceptually the problem is that users are typically not a member of their
>>> primary group in a POSIX scenario, and their primary group is set by the
>>> gidNumber of the user's record, with additional group memberships specified
>>> by memberUid entries against a posixGroup entry.
>>>
>>> search.rfc2307-resolve-groups-memberUid.search-request.filter =
>>> 

[ovirt-users] Re: LDAP Authentication issues

[Callum Smith]

Happy for you to link me a guide, googlefu is failing me.

How do i get around this "It's not allowed to remove system permissions 
assigned to built-in Everyone group" - to remove permissions erroneously added.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:38, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

You can create a profile that has the proper permissions to allow what you are 
looking for, and then assign that profile to the groups you wish.
I wrote a post on this quite a while back on how to setup oVirt to appear to be 
multi-tenant.

Happy to see you don't have an ldap issue :)

>This will be a problem for us to now create group permissions for all 100+ 
>groups since Everyone === No-one. -sigh-


On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Ah, this appears to be an issue with the proxy - setting up the spice proxy as 
indicated in the guides is causing this issue, and likely will need support.

https://www.ovirt.org/documentation/admin-guide/chap-Proxies/

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:29, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok, the user now logs in! This will be a problem for us to now create group 
permissions for all 100+ groups since Everyone === No-one. -sigh-

A new issue, when in the VM portal as the LDAP user, i get HTTP basic auth 
login prompts, and a "Authorization expired" error, then a page reload. Nothing 
in the logs seem to indicate an issue.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:26, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Try giving your user system permissions as a superuser and see if it goes away.

I wouldn't leave it like that, but it will help isolate your issue. I don't 
think you have an ldap issue... the log entry is telling you that user has no 
permissions
>The user callum@Biomedical Research Computing is not authorized to perform 
>login

On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear Donny,

No, though the user shows the permissions inherited from the Everyone group:

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:21, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Just a shot in the dark, but after you setup ldap did you go in as the default 
admin and give an ldap account permissions?

On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear All,

Could this be as our LDAP is fairly short on attributes?

2018-06-11 11:00:52,856+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) 
[5dff9eb0] Running command: CreateUserSessionCommand internal: false.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical 
Research Computing connecting from '--ipaddr--' failed to log in.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The 
user callum@Biomedical Research Computing is not authorized to perform login

I note that a number of variables are included in this action, but which are 
required and which are optional is the question:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 09:35, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

What would be the next step to help solve this issue? All users authenticating 
through LDAP get "This user is not authorised to perform authentication".

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 11:42, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok I spoke too soon, I have resolved the groups, but authentication still isn't 
working for LDAP users, same error as before (114).

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 5 Jun 2018, at 10:14, Callum Smith 

[ovirt-users] Re: LDAP Authentication issues

[Donny Davis]

did you add system permissions to the everyone group?

On Mon, Jun 11, 2018 at 6:42 AM, Callum Smith  wrote:

> Happy for you to link me a guide, googlefu is failing me.
>
> How do i get around this "It's not allowed to remove system permissions
> assigned to built-in Everyone group" - to remove permissions erroneously
> added.
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:38, Donny Davis  wrote:
>
> You can create a profile that has the proper permissions to allow what you
> are looking for, and then assign that profile to the groups you wish.
> I wrote a post on this quite a while back on how to setup oVirt to appear
> to be multi-tenant.
>
> Happy to see you don't have an ldap issue :)
>
> >This will be a problem for us to now create group permissions for all
> 100+ groups since Everyone === No-one. -sigh-
>
>
> On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith 
> wrote:
>
>> Ah, this appears to be an issue with the proxy - setting up the spice
>> proxy as indicated in the guides is causing this issue, and likely will
>> need support.
>>
>> https://www.ovirt.org/documentation/admin-guide/chap-Proxies/
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 11 Jun 2018, at 11:29, Callum Smith  wrote:
>>
>> Ok, the user now logs in! This will be a problem for us to now create
>> group permissions for all 100+ groups since Everyone === No-one. -sigh-
>>
>> A new issue, when in the VM portal as the LDAP user, i get HTTP basic
>> auth login prompts, and a "Authorization expired" error, then a page
>> reload. Nothing in the logs seem to indicate an issue.
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 11 Jun 2018, at 11:26, Donny Davis  wrote:
>>
>> Try giving your user system permissions as a superuser and see if it goes
>> away.
>>
>> I wouldn't leave it like that, but it will help isolate your issue. I
>> don't think you have an ldap issue... the log entry is telling you that
>> user has no permissions
>> >The user callum@Biomedical Research Computing is not authorized to
>> perform login
>>
>> On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith 
>> wrote:
>>
>>> Dear Donny,
>>>
>>> No, though the user shows the permissions inherited from the Everyone
>>> group:
>>> 
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> On 11 Jun 2018, at 11:21, Donny Davis  wrote:
>>>
>>> Just a shot in the dark, but after you setup ldap did you go in as the
>>> default admin and give an ldap account permissions?
>>>
>>> On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
>>> wrote:
>>>
 Dear All,

 Could this be as our LDAP is fairly short on attributes?

 2018-06-11 11:00:52,856+01 INFO  
 [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
 (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand
 internal: false.
 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbb
 roker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0]
 EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
 Computing connecting from '--ipaddr--' failed to log in.
 2018-06-11 11:00:52,884+01 ERROR 
 [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
 (default task-5) [] The user callum@Biomedical Research Computing is
 not authorized to perform login

 I note that a number of variables are included in this action, but
 which are required and which are optional is the question:

 https://github.com/oVirt/ovirt-engine/blob/master/backend/ma
 nager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/se
 rvlet/SsoPostLoginServlet.java#L88

 Regards,
 Callum

 --

 Callum Smith
 Research Computing Core
 Wellcome Trust Centre for Human Genetics
 University of Oxford
 e. cal...@well.ox.ac.uk

 On 11 Jun 2018, at 09:35, Callum Smith  wrote:

 What would be the next step to help solve this issue? All users
 authenticating through LDAP get "This user is not authorised to perform
 authentication".

 Regards,
 Callum

 --

 Callum Smith
 Research Computing Core
 Wellcome Trust Centre for Human Genetics
 University of Oxford
 e. cal...@well.ox.ac.uk

 On 5 Jun 2018, at 11:42, Callum Smith  wrote:

 Ok I spoke too soon, I have resolved the groups, but authentication
 still isn't working for LDAP users, same error as before (114).

 Regards,
 Callum

[ovirt-users] Re: LDAP Authentication issues

[Callum Smith]

Yes, in process of trying to fix/identify things - need to undo this.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:48, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

did you add system permissions to the everyone group?

On Mon, Jun 11, 2018 at 6:42 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Happy for you to link me a guide, googlefu is failing me.

How do i get around this "It's not allowed to remove system permissions 
assigned to built-in Everyone group" - to remove permissions erroneously added.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:38, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

You can create a profile that has the proper permissions to allow what you are 
looking for, and then assign that profile to the groups you wish.
I wrote a post on this quite a while back on how to setup oVirt to appear to be 
multi-tenant.

Happy to see you don't have an ldap issue :)

>This will be a problem for us to now create group permissions for all 100+ 
>groups since Everyone === No-one. -sigh-


On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Ah, this appears to be an issue with the proxy - setting up the spice proxy as 
indicated in the guides is causing this issue, and likely will need support.

https://www.ovirt.org/documentation/admin-guide/chap-Proxies/

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:29, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok, the user now logs in! This will be a problem for us to now create group 
permissions for all 100+ groups since Everyone === No-one. -sigh-

A new issue, when in the VM portal as the LDAP user, i get HTTP basic auth 
login prompts, and a "Authorization expired" error, then a page reload. Nothing 
in the logs seem to indicate an issue.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:26, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Try giving your user system permissions as a superuser and see if it goes away.

I wouldn't leave it like that, but it will help isolate your issue. I don't 
think you have an ldap issue... the log entry is telling you that user has no 
permissions
>The user callum@Biomedical Research Computing is not authorized to perform 
>login

On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear Donny,

No, though the user shows the permissions inherited from the Everyone group:

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:21, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Just a shot in the dark, but after you setup ldap did you go in as the default 
admin and give an ldap account permissions?

On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear All,

Could this be as our LDAP is fairly short on attributes?

2018-06-11 11:00:52,856+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) 
[5dff9eb0] Running command: CreateUserSessionCommand internal: false.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical 
Research Computing connecting from '--ipaddr--' failed to log in.
2018-06-11 11:00:52,884+01 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The 
user callum@Biomedical Research Computing is not authorized to perform login

I note that a number of variables are included in this action, but which are 
required and which are optional is the question:

https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 09:35, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

What would be the next step to help solve this issue? All users authenticating 
through LDAP get "This user is not authorised to perform authentication".

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. 

[ovirt-users] Re: LDAP Authentication issues

[Donny Davis]

https://lists.ovirt.org/pipermail/users/2015-January/030981.html

This is the thread where I discussed a bit of the permissions thing. I am
sure things have changed since 3.5.1, but should get you down the right
path.

On Mon, Jun 11, 2018 at 6:54 AM, Callum Smith  wrote:

> Yes, in process of trying to fix/identify things - need to undo this.
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:48, Donny Davis  wrote:
>
> did you add system permissions to the everyone group?
>
> On Mon, Jun 11, 2018 at 6:42 AM, Callum Smith 
> wrote:
>
>> Happy for you to link me a guide, googlefu is failing me.
>>
>> How do i get around this "It's not allowed to remove system permissions
>> assigned to built-in Everyone group" - to remove permissions erroneously
>> added.
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 11 Jun 2018, at 11:38, Donny Davis  wrote:
>>
>> You can create a profile that has the proper permissions to allow what
>> you are looking for, and then assign that profile to the groups you wish.
>> I wrote a post on this quite a while back on how to setup oVirt to appear
>> to be multi-tenant.
>>
>> Happy to see you don't have an ldap issue :)
>>
>> >This will be a problem for us to now create group permissions for all
>> 100+ groups since Everyone === No-one. -sigh-
>>
>>
>> On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith 
>> wrote:
>>
>>> Ah, this appears to be an issue with the proxy - setting up the spice
>>> proxy as indicated in the guides is causing this issue, and likely will
>>> need support.
>>>
>>> https://www.ovirt.org/documentation/admin-guide/chap-Proxies/
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> On 11 Jun 2018, at 11:29, Callum Smith  wrote:
>>>
>>> Ok, the user now logs in! This will be a problem for us to now create
>>> group permissions for all 100+ groups since Everyone === No-one. -sigh-
>>>
>>> A new issue, when in the VM portal as the LDAP user, i get HTTP basic
>>> auth login prompts, and a "Authorization expired" error, then a page
>>> reload. Nothing in the logs seem to indicate an issue.
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> On 11 Jun 2018, at 11:26, Donny Davis  wrote:
>>>
>>> Try giving your user system permissions as a superuser and see if it
>>> goes away.
>>>
>>> I wouldn't leave it like that, but it will help isolate your issue. I
>>> don't think you have an ldap issue... the log entry is telling you that
>>> user has no permissions
>>> >The user callum@Biomedical Research Computing is not authorized to
>>> perform login
>>>
>>> On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith 
>>> wrote:
>>>
 Dear Donny,

 No, though the user shows the permissions inherited from the Everyone
 group:
 
 Regards,
 Callum

 --

 Callum Smith
 Research Computing Core
 Wellcome Trust Centre for Human Genetics
 University of Oxford
 e. cal...@well.ox.ac.uk

 On 11 Jun 2018, at 11:21, Donny Davis  wrote:

 Just a shot in the dark, but after you setup ldap did you go in as the
 default admin and give an ldap account permissions?

 On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith 
 wrote:

> Dear All,
>
> Could this be as our LDAP is fairly short on attributes?
>
> 2018-06-11 11:00:52,856+01 INFO  
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
> (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand
> internal: false.
> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbb
> roker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0]
> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
> Computing connecting from '--ipaddr--' failed to log in.
> 2018-06-11 11:00:52,884+01 ERROR 
> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
> (default task-5) [] The user callum@Biomedical Research Computing is
> not authorized to perform login
>
> I note that a number of variables are included in this action, but
> which are required and which are optional is the question:
>
> https://github.com/oVirt/ovirt-engine/blob/master/backend/ma
> nager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/se
> rvlet/SsoPostLoginServlet.java#L88
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> 

[ovirt-users] Re: oVirt Metrics

[Peter Hudec]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Shirly,

I could one more try to install it. The firsts few attempts leads to
long discussion in the mailing list and I was not able to get it working
.

On the other hand I do not have time to finish integration with the
zabbix ;(

regard
Peter

On 11/06/2018 12:30, Shirly Radco wrote:
> Dear users,
> 
> I would love to get some feedback if someone has tried to install
> and use the oVirt metrics store, released in 4.2, for collecting
> metrics and logs, based on Elasticsearch, Kibana, Collectd and
> Fluentd on top of OpenShift. 
> https://www.ovirt.org/develop/release-management/features/metrics/metr
ics-store/
>
>  How did the installation go? Are you actively using it? And any
> other feedback would be much appreciated.
> 
> Best regards,
> 
> --
> 
> SHIRLY RADCO
> 
> BI SeNIOR SOFTWARE ENGINEER
> 
> Red Hat Israel 
> 
>  TRIED. TESTED. TRUSTED.
> 
> 
> 
> 
> ___ Users mailing list
> -- users@ovirt.org To unsubscribe send an email to
> users-le...@ovirt.org Privacy Statement:
> https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/ List
> Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/3G2M3Q35
UQZLOHDRAEBMX2INPDAQCOHO/
>
> 
- -- 
*Peter Hudec*
Infraštruktúrny architekt
phu...@cnc.sk 

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Recepcia: +421 2  35 000 100

Mobil:+421 905 997 203
*www.cnc.sk* 

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEqSUbhuEwhryifNeVQnvVWOJ35BAFAlseZQUACgkQQnvVWOJ3
5BAa8hAArd0EpkVM0J4E5aAJVVC9MQWwmf9m/zVIrm4WMOjziD3SCuYHeXbkpAJq
AEzUBRB7ltcVXWkqZJx3hydFZkxfPrKX6wVQylcPMZGXeUZKEGiLJWCFtgvAUosO
YL6M2/tis3QcGGTto/7ZmKMwHvruEspW0d2P0Cpk2k/fKwkoChTM9VMhwSlbNJuN
KxH4dnOVLkjRFPU5cO9Rk56WzBK78MeL6mdZksM8nNP4cUJQ+VGoZjXu0fR941Yu
qyBQh6D1d3S56S+8xK9q9a8z99JzAUWm3Y46Gyrs0lBjxFfwefYhP4PpZp9UiBLx
nW82ATxKgKL7WZ+84M2H4bt9KDPs9N7xfMhFVkiFJHOz6vP9E66RM4ZDCuplO55m
yCLS/NexyIXhHDJ6DcnDizlW4WDZoXVlSzyvvLkL7ZlrPgMzTUgaiennrtUIEwHA
afWrpWgs843tCXBSXrm8NMdhZNHyFH6QEUFeH8pxCcxv2Nss9MImpzfcXBMkffdm
NnTOFK1Vtmvd1B6sLC9v99Y74AUiJNroEDiwqPUF8iAkYRUHfqvGxpPw1EQZyOa9
oRzBAqlhjqELNjVPy2ciE5YwB2e8CdtfAEe8gPLSad9x4zLbeVsFvuzy+nrwqZlm
+Hnx+f9xlvoPutC+J2tHJilga7GHib7HQOzauJJRN5JawfumfWM=
=Mkzr
-END PGP SIGNATURE-
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HW3T5CVIBSOMORAVQXQ7GQSWXENVKTFD/

[ovirt-users] Re: oVirt Metrics

[Marcelo Leandro]

Hello,
Good morning Shirley.
I am have one doubt , for collecting metrics need install agents in vms?.

Very thanks.

Marcelo Leandro
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/H4TNXBSJ3XLCCLYMOOLRY6QKSBTTM7LB/

[ovirt-users] Re: gdeploy hosted engine failed but host says it is up what now?

[william.dossett]

Ok,  yes I am starting to think this is a network issue.  I have two networks.  
When I setup hosted engine and gluster I used the private network 172.17.70.x 
as it was setting up gluster and I assumed that I should use the private 
network for this.   Its been a while and I can’t remember exactly what steps I 
took setting up the management instance, but I did give it a static address on 
our normal management VLAN.  but now wondering if it is on that private 
network. 

 

Its been a while since I worked with ovirt and rhev, but, I normally could see 
a VM.  I cannot see this VM at all anywhere of I am looking in the wrong place, 
but I have tried pretty much everything.  I don’t know how I would VNC into it 
as I don’t see the VM or anyway to access the console which I would guess is 
what I need to do, or access its settings to verify the networking.

 

Thanks for the advice, but I seem to be missing something basic here.

 

Bill

 

 

From: Simone Tiraboschi  
Sent: Monday, June 11, 2018 2:18 AM
To: william.doss...@gmail.com
Cc: femi adegoke ; users 
Subject: Re: [ovirt-users] Re: gdeploy hosted engine failed but host says it is 
up what now?

 

Hi,

 

\"engine-status\": {\"reason\": \"failed liveliness check\", \"health\": 
\"bad\", \"vm\": \"up\", \"detail\": \"Up\"}

 

means that the engine VM is up at virt side although a liveliness check over 
http is failing.

This could happen if your engine VM got a different network configuration or 
something like that.

 

I'd suggest to connect to the engine VM over vnc and check the network status 
there.

 

ovirt-ha-agent will try to keep the engine up so if the http health liveliness 
check is failing, ovirt-ha-agent will try to restart the engine VM.

 

 

On Sun, Jun 10, 2018 at 2:05 PM, mailto:william.doss...@gmail.com> > wrote:

Not sure if it helps, but I just noticed I have about 300 

Hosted engine host: usbou-rhev01 changed state: EngineStarting-EngineStop.

Then

Hosted engine host: usbou-rhev01 changed state: EngineStop-EngineDown.

Then

Hosted engine host: usbou-rhev01 changed state: EngineDown-EngineStart.

Then

Hosted engine host: usbou-rhev01 changed state: EngineStart-EngineStarting.

And then it starts over... so there is obviously something wrong with the VM... 
 

Under the virtualization page,  It says I have 1 running virtual machine but I 
can't see it to delete it or get any visibility into it.

Thanks
Bill


-Original Message-
From: femi adegoke  
Sent: Sunday, June 10, 2018 1:07 AM
To: users@ovirt.org  
Subject: [ovirt-users] Re: gdeploy hosted engine failed but host says it is up 
what now?

Bill,

3 things that have given me trouble in the past...ymmv!

1) Static IP for the hosted engine, multiple times, I've tried dhcp with no luck
2) Size of thick brick for hosted engine must be 60GB or more, I've tried 50gb 
mulitple times & it always fails.
3) Hosted engine & admin portal passwords, make them very simple, complex 
passwords with special characters ...always failed 
___
Users mailing list -- users@ovirt.org  
To unsubscribe send an email to users-le...@ovirt.org 
  Privacy Statement: 
https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KGE453SG5CEOJ2IQFQGN3JEU52UZXSD3/
___
Users mailing list -- users@ovirt.org  
To unsubscribe send an email to users-le...@ovirt.org 
 
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/

List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/D7XP52YGAD3CZ4AC2VT6ON2DFP4YGNDV/

 

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NSUKYR44F3YJGWDGO7NUVTZQ5SKJFLHI/

[ovirt-users] Re: oVirt Metrics

[Carlos Rodrigues]

Hi,

i'm trying to install oVirt Metrics following the installation guide (h
ttps://www.ovirt.org/develop/release-
management/features/metrics/metrics-store-installation/) but i have
some issues running deploy cluster from here https://www.ovirt.org/deve
lop/release-management/features/metrics/setting-up-viaq-logging/

cd /usr/share/ansible/openshift-ansible
# (or wherever you cloned the git repo if using git)
ANSIBLE_LOG_PATH=/tmp/ansible.log ansible-playbook -vvv -e
@/root/vars.yaml -i /root/ansible-inventory-origin-39-aio
playbooks/deploy_cluster.yml

I fails on Web console installation:

2018-06-06 19:48:24,020 p=17586 u=root |  [DEPRECATION WARNING]: Using
tests as filters is deprecated. Instead of using
`result|version_compare` instead use `result is version_compare`. This
feature
 will be removed in version 2.9. 
Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
2018-06-06 19:48:24,135 p=17586 u=root |  Using module file
/usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
2018-06-06 19:48:27,093 p=17586 u=root |  fatal: [localhost]: FAILED!
=> {
"changed": true, 
"cmd": [
"oc", 
"logs", 
"deployment/webconsole", 
"--tail=50", 
"--config=/tmp/console-ansible-C8XDuW/admin.kubeconfig", 
"-n", 
"openshift-web-console"
], 
"delta": "0:00:01.567694", 
"end": "2018-06-06 19:48:26.706407", 
"invocation": {
"module_args": {
"_raw_params": "oc logs deployment/webconsole --tail=50 --
config=/tmp/console-ansible-C8XDuW/admin.kubeconfig -n openshift-web-
console", 
"_uses_shell": false, 
"chdir": null, 
"creates": null, 
"executable": null, 
"removes": null, 
"stdin": null, 
"warn": true
}

}, 
"msg": "non-zero return code", 
"rc": 1, 
"start": "2018-06-06 19:48:25.138713", 
"stderr": "Error from server (BadRequest): container \"webconsole\"
in pod \"webconsole-84466b9d97-s4x28\" is waiting to start:
ContainerCreating", 
"stderr_lines": [
"Error from server (BadRequest): container \"webconsole\" in
pod \"webconsole-84466b9d97-s4x28\" is waiting to start:
ContainerCreating"
], 
"stdout": "", 
"stdout_lines": []
}
2018-06-06 19:48:27,097 p=17586 u=root |  ...ignoring

Regards,
Carlos Rodrigues

On Mon, 2018-06-11 at 13:30 +0300, Shirly Radco wrote:
> Dear users,
> 
> I would love to get some feedback if someone has tried to install and
> use the oVirt metrics store, released in 4.2, for collecting metrics
> and logs, based on Elasticsearch, Kibana, Collectd and Fluentd on top
> of OpenShift.
> https://www.ovirt.org/develop/release-management/features/metrics/met
> rics-store/
> 
> How did the installation go? Are you actively using it?
> And any other feedback would be much appreciated.
> 
> Best regards, 
> --
> SHIRLY RADCO
> BI SENIOR SOFTWARE ENGINEER
> Red Hat Israel
>   TRIED. TESTED. TRUSTED.
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/communit
> y-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/3G2M3Q35UQZLOHDRAEBMX2INPDAQCOHO/
-- 
Carlos Rodrigues

Engenheiro de Software Sénior

Eurotux Informática, S.A. | www.eurotux.com
(t) +351 253 680 300 (m) +351 911 926 110
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/43PIG73CSXRPYCLETWLYEWAIURRM3R4Q/

[ovirt-users] Re: LDAP Authentication issues

[Callum Smith]

Dear All & Donny,

Thank you for the clarifications, very useful indeed.

A note for future users who go down this path and dont want to restore or 
reinstall:

Cleaning out the `permissions` table in the database and restoring the defaults 
will solve the issue, but you need to restore the SuperUser permission on the 
admin@internal account:

Learning from here:
https://www.ovirt.org/develop/developer-guide/action-permissions-overview/

Clean out your `roles_groups` and `permissions`
DELETE FROM `permissions`;
DELETE FROM `roles_groups`;

Restore the defaults:
https://github.com/oVirt/ovirt-engine/blob/master/packaging/dbscripts/data/00600_insert_permissions.sql
https://github.com/oVirt/ovirt-engine/blob/master/packaging/dbscripts/data/00700_insert_roles_groups.sql

Re-assign the SuperUser role to the admin@internal user:
Either: 
https://github.com/oVirt/ovirt-engine/blob/master/packaging/bin/ovirt-engine-role.sh
Or just go straight into your localhost psql on your engine, replacing 
information as appropriate:
Get your external_id from the users table and use it in the function:
SELECT external_id FROM `users` WHERE `name` = 'admin' AND `domain` = 
'internal-authz';
select 
attach_user_to_role('admin','internal-authz','*','#external_id#','SuperUser');

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:57, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

https://lists.ovirt.org/pipermail/users/2015-January/030981.html

This is the thread where I discussed a bit of the permissions thing. I am sure 
things have changed since 3.5.1, but should get you down the right path.

On Mon, Jun 11, 2018 at 6:54 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Yes, in process of trying to fix/identify things - need to undo this.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:48, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

did you add system permissions to the everyone group?

On Mon, Jun 11, 2018 at 6:42 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Happy for you to link me a guide, googlefu is failing me.

How do i get around this "It's not allowed to remove system permissions 
assigned to built-in Everyone group" - to remove permissions erroneously added.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:38, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

You can create a profile that has the proper permissions to allow what you are 
looking for, and then assign that profile to the groups you wish.
I wrote a post on this quite a while back on how to setup oVirt to appear to be 
multi-tenant.

Happy to see you don't have an ldap issue :)

>This will be a problem for us to now create group permissions for all 100+ 
>groups since Everyone === No-one. -sigh-


On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Ah, this appears to be an issue with the proxy - setting up the spice proxy as 
indicated in the guides is causing this issue, and likely will need support.

https://www.ovirt.org/documentation/admin-guide/chap-Proxies/

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:29, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:

Ok, the user now logs in! This will be a problem for us to now create group 
permissions for all 100+ groups since Everyone === No-one. -sigh-

A new issue, when in the VM portal as the LDAP user, i get HTTP basic auth 
login prompts, and a "Authorization expired" error, then a page reload. Nothing 
in the logs seem to indicate an issue.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 11 Jun 2018, at 11:26, Donny Davis 
mailto:do...@fortnebula.com>> wrote:

Try giving your user system permissions as a superuser and see if it goes away.

I wouldn't leave it like that, but it will help isolate your issue. I don't 
think you have an ldap issue... the log entry is telling you that user has no 
permissions
>The user callum@Biomedical Research Computing is not authorized to perform 
>login

On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith 
mailto:cal...@well.ox.ac.uk>> wrote:
Dear Donny,

No, though the user shows the permissions inherited from the Everyone group:

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

[ovirt-users] Unable to upgrade

[Michael Watters]

I am attempting to upgrade from ovirt-engine 4.1 to 4.2 however yum
updates are failing due to dependency conflicts.

[root@ovirt-engine yum.repos.d]# yum update "ovirt-*-setup*"
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
 * ovirt-4.2: mirrors.rit.edu
 * ovirt-4.2-epel: mirror.steadfast.net
sac-gdeploy 

  
| 3.0 kB  00:00:00
Resolving Dependencies

Error: ovirt-engine-setup-plugin-ovirt-engine conflicts with
ovirt-engine-4.1.1.8-1.el7.centos.noarch

Is there a way to resolve this?  I'm using the instructions located at
https://www.ovirt.org/release/4.2.1/#install--upgrade-from-previous-versions


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TXWAWXHLLXWYY2CC3B4E3WHSKVSFSNP4/

[ovirt-users] Re: gdeploy hosted engine failed but host says it is up what now?

[Simone Tiraboschi]

On Mon, Jun 11, 2018 at 2:37 PM,  wrote:

> Ok,  yes I am starting to think this is a network issue.  I have two
> networks.  When I setup hosted engine and gluster I used the private
> network 172.17.70.x as it was setting up gluster and I assumed that I
> should use the private network for this.   Its been a while and I can’t
> remember exactly what steps I took setting up the management instance, but
> I did give it a static address on our normal management VLAN.  but now
> wondering if it is on that private network.
>
>
>
> Its been a while since I worked with ovirt and rhev, but, I normally could
> see a VM.  I cannot see this VM at all anywhere of I am looking in the
> wrong place, but I have tried pretty much everything.  I don’t know how I
> would VNC into it as I don’t see the VM or anyway to access the console
> which I would guess is what I need to do, or access its settings to verify
> the networking.
>
>
>
> Thanks for the advice, but I seem to be missing something basic here.
>

Run on your first host
   hosted-engine --add-console-password
to set a temporary VNC password and then connect to it over VNC with
something like
   remote-viewer vnc://:




>
> Bill
>
>
>
>
>
> *From:* Simone Tiraboschi 
> *Sent:* Monday, June 11, 2018 2:18 AM
> *To:* william.doss...@gmail.com
> *Cc:* femi adegoke ; users 
> *Subject:* Re: [ovirt-users] Re: gdeploy hosted engine failed but host
> says it is up what now?
>
>
>
> Hi,
>
>
>
> \"engine-status\": {\"reason\": \"failed liveliness check\", \"health\":
> \"bad\", \"vm\": \"up\", \"detail\": \"Up\"}
>
>
>
> means that the engine VM is up at virt side although a liveliness check
> over http is failing.
>
> This could happen if your engine VM got a different network configuration
> or something like that.
>
>
>
> I'd suggest to connect to the engine VM over vnc and check the network
> status there.
>
>
>
> ovirt-ha-agent will try to keep the engine up so if the http health 
> liveliness check
> is failing, ovirt-ha-agent will try to restart the engine VM.
>
>
>
>
>
> On Sun, Jun 10, 2018 at 2:05 PM,  wrote:
>
> Not sure if it helps, but I just noticed I have about 300
>
> Hosted engine host: usbou-rhev01 changed state: EngineStarting-EngineStop.
>
> Then
>
> Hosted engine host: usbou-rhev01 changed state: EngineStop-EngineDown.
>
> Then
>
> Hosted engine host: usbou-rhev01 changed state: EngineDown-EngineStart.
>
> Then
>
> Hosted engine host: usbou-rhev01 changed state: EngineStart-EngineStarting.
>
> And then it starts over... so there is obviously something wrong with the
> VM...
>
> Under the virtualization page,  It says I have 1 running virtual machine
> but I can't see it to delete it or get any visibility into it.
>
> Thanks
> Bill
>
>
> -Original Message-
> From: femi adegoke 
> Sent: Sunday, June 10, 2018 1:07 AM
> To: users@ovirt.org
> Subject: [ovirt-users] Re: gdeploy hosted engine failed but host says it
> is up what now?
>
> Bill,
>
> 3 things that have given me trouble in the past...ymmv!
>
> 1) Static IP for the hosted engine, multiple times, I've tried dhcp with
> no luck
> 2) Size of thick brick for hosted engine must be 60GB or more, I've tried
> 50gb mulitple times & it always fails.
> 3) Hosted engine & admin portal passwords, make them very simple, complex
> passwords with special characters ...always failed
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org Privacy Statement:
> https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/KGE453SG5CEOJ2IQFQGN3JEU52UZXSD3/
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
>
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/D7XP52YGAD3CZ4AC2VT6ON2DFP4YGNDV/
>
>
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BTE7AIM4KDUYVAIRCBGBPKMCXNKTEX4D/

[ovirt-users] engine-setup fails to upgrade postgresql

[Michael Watters]

After installing the ovirt 4.2 repository and running engine-setup the
upgrade script fails with an error as shown below.

[ ERROR ] Postgresql client version is '9.5.9', whereas the version on
'localhost' is '9.2.23'. Please use a PostgreSQL server of version '9.5.9'.
 Please note the following required changes in postgresql.conf
on 'localhost':

 postgresql.conf is usually in /var/lib/pgsql/data,
/var/opt/rh/rh-postgresql95/lib/pgsql/data, or somewhere under
/etc/postgresql* . You have to restart PostgreSQL after making these
changes.
  Engine database host []:


The setup script is supposed to take care of this automatically however
it fails before even attempting to upgrade postgres.  Does anybody know
how to work around this?

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5AQ6ZQ4RGCWHM2LLAIYGRK7URP6IF5SX/

[ovirt-users] Re: Hosted Engine w Gluster - increase number of hosts

[Sahina Bose]

On Sat, Jun 2, 2018 at 1:57 AM, femi adegoke 
wrote:

> > we recommend up to 7 HE hosts, it is not important if the number is
> > odd or even. The real implementation limit is much higher and you
> > won't reach it. But since we do not test more than 7 as part of the QE
> > process, we can't recommend it.
>
> If I increase the number of hosts from 3 to 3+n, what is the proper way to
> add gluster volumes (data/engine/vmstore) to the new hosts?
>

You can create new replica 3 or replica 2 + arbiter volumes - so you would
need 3 new bricks. The bricks need to be of same configuratation and size,
except for the arbiter bricks.

To add hosts to existing cluster, you can add hosts via oVirt engine and
use the web UI to create bricks and add new volumes.
With 4.2, we also provide a way to scale hosts via the Cockpit UI ( from
the Manage Gluster plugin on the HE dashboard)


> I would like the new hosts to also be hyperconverged (aka compute +
> storage)
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/communit
> y/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archiv
> es/list/users@ovirt.org/message/BPO65GGXIFZ3SBJZJR4UXPMEAYRWUXZB/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/POJ5OLLVYFEHTA3WBJEX34W54OPNEDY4/

[ovirt-users] Re: engine-setup fails to upgrade postgresql

[Simone Tiraboschi]

On Mon, Jun 11, 2018 at 4:31 PM, Michael Watters 
wrote:

> After installing the ovirt 4.2 repository and running engine-setup the
> upgrade script fails with an error as shown below.
>
> [ ERROR ] Postgresql client version is '9.5.9', whereas the version on
> 'localhost' is '9.2.23'. Please use a PostgreSQL server of version '9.5.9'.
>  Please note the following required changes in postgresql.conf
> on 'localhost':
>
>  postgresql.conf is usually in /var/lib/pgsql/data,
> /var/opt/rh/rh-postgresql95/lib/pgsql/data, or somewhere under
> /etc/postgresql* . You have to restart PostgreSQL after making these
> changes.
>   Engine database host []:
>
>
> The setup script is supposed to take care of this automatically however
> it fails before even attempting to upgrade postgres.  Does anybody know
> how to work around this?
>

Yes, engine-setup is supposed to care of it by itself if the DBMS is on the
same machine as in your case.
Can you please attach setup logs?

>
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-
> guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/
> message/5AQ6ZQ4RGCWHM2LLAIYGRK7URP6IF5SX/
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/HVKIII7RPY22SZ6IOILLM4N2NC5MUITE/

[ovirt-users] Re: engine-setup fails to upgrade postgresql

[Michael Watters]

I actually managed to fix it.  The ovirt-engine package was still on
version 4.1, after running yum update to upgrade everything to version
4.2 the engine-setup script was able to upgrade postgresql.


On 06/11/2018 11:31 AM, Simone Tiraboschi wrote:
>
>
> On Mon, Jun 11, 2018 at 4:31 PM, Michael Watters  > wrote:
>
> After installing the ovirt 4.2 repository and running engine-setup the
> upgrade script fails with an error as shown below.
>
> [ ERROR ] Postgresql client version is '9.5.9', whereas the version on
> 'localhost' is '9.2.23'. Please use a PostgreSQL server of version
> '9.5.9'.
>  Please note the following required changes in postgresql.conf
> on 'localhost':
> 
>  postgresql.conf is usually in /var/lib/pgsql/data,
> /var/opt/rh/rh-postgresql95/lib/pgsql/data, or somewhere under
> /etc/postgresql* . You have to restart PostgreSQL after making these
> changes.
>   Engine database host []:
>
>
> The setup script is supposed to take care of this automatically
> however
> it fails before even attempting to upgrade postgres.  Does anybody
> know
> how to work around this?
>
>
> Yes, engine-setup is supposed to care of it by itself if the DBMS is
> on the same machine as in your case.
> Can you please attach setup logs?
>  
>
>
> ___
> Users mailing list -- users@ovirt.org 
> To unsubscribe send an email to users-le...@ovirt.org
> 
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> 
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> 
> List Archives:
> 
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/5AQ6ZQ4RGCWHM2LLAIYGRK7URP6IF5SX/
> 
> 
>
>

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AL5JGLITD33ISNX375RAG6ADX5K2ZAMM/

[ovirt-users] Re: oVirt Metrics

[Karli Sjöberg]

On Jun 11, 2018 13:59, Shirly Radco  wrote:Dear users,I would love to get some feedback if someone has tried to install and use the oVirt metrics store, released in 4.2, for collecting metrics and logs, based on Elasticsearch, Kibana, Collectd and Fluentd on top of OpenShift.https://www.ovirt.org/develop/release-management/features/metrics/metrics-store/How did the installation go? Are you actively using it?And any other feedback would be much appreciated.Best regards, --SHIRLY RADCOBI SeNIOR SOFTWARE ENGINEERRed Hat IsraelTRIED. TESTED. TRUSTED.

___Users mailing list -- users@ovirt.orgTo unsubscribe send an email to users-le...@ovirt.orgPrivacy Statement: https://www.ovirt.org/site/privacy-policy/oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3G2M3Q35UQZLOHDRAEBMX2INPDAQCOHO/I have, and while I can say that it works, it was far from easy! I can't remember all of the gotchas I had to go through but most of them stemmed from the fact that I tested it all on a three node oVirt HCI cluster that was actually VM's with nested virtualization, which meant fairly limited resources but eventually got it working.Being completely new to OpenShift, a guide that needs more work is the single sign on from oVirt to OS. The instructions are way too unclear for me, and wrapping your head around how the login and permissions system works in OS took a while, to create an equal 'admin' account to log in with.Second, isn't OS just an above layer of kubernetes under it, or is that a misunderstanding on my part? If it is though, where is the administration page for Kubernetes in all of that? I'm thinking in the sense of how you can add more nodes to continue building a larger cluster for containers.But once everything was setup and able to log in to the Kibana interface and loading up the dashboards you've made, I was really impressed with how much data you got visualized for free. Thumbs up!/K___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CWMPCP3ZRT2CR56IVNG6JS7EMNVFSN3W/

[ovirt-users] Re: oVirt host deploy: disable multipath

[tadavis]

The bugzilla URL says that's a private/internal only bug.

You are not authorized to access bug #1016535.

Most likely the bug has been restricted for internal development processes and 
we cannot grant access.

If you are a Red Hat customer with an active subscription, please visit the Red 
Hat Customer Portal for assistance with your issue

If you are a Fedora Project user and require assistance, please consider using 
one of the mailing lists we host for the Fedora Project
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZJNNBUNNSXDGE4KWVMSAFEYIJTG4FKXC/