Re: [one-users] Setting filesystem type for new disk crashes GlusterFS
Hi,

> There seems to be a problem with sparse files and glusterfs and/or the underlying FS (XFS?).

No, it's only in combination with mkfs. Creating sparse files without a preset filesystem (i.e. raw images) works perfectly. By the way: How did you figure out that XFS is used? Is it known to produce problems?

In addition to your suggestions, I experimented with overriding the filesystem type setting by setting FSTYPE = raw in /var/lib/one/remotes/tm/shared/mkimage. As far as I tested, that worked as well.

However, we recently upgraded to Ubuntu 14.04 and GlusterFS 3.4.2. Now the bug seems to be gone.

Thanks anyway!

Greetings
Wilma

2015-01-22 10:10 GMT+01:00 Javier Fontan jfon...@opennebula.org:

There seems to be a problem with sparse files and glusterfs and/or the underlying FS (XFS?).

You can disable that functionality adding an exit 1 command at the top of these scripts:

* /var/lib/one/remotes/datastore/mkfs
* /var/lib/one/remotes/tm/mkimage

Another way of solving this is changing the way the image is created (so it is not sparse). The problem is that it will take a lot more time to create the image. The command to change is 'dd' from those scripts. For example, for 'mkfs':

    exec_and_log "$DD if=/dev/zero of=$DST bs=1 count=1 seek=${SIZE}M" \
        "Could not create image $DST"

to

    exec_and_log "$DD if=/dev/zero of=$DST bs=1M count=${SIZE}" \
        "Could not create image $DST"

Cheers

On Sat, Jan 17, 2015 at 10:43 AM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

Our OpenNebula setup uses GlusterFS to share /var/lib/one among all machines. Yesterday a customer created a new volatile disk for a VM. But this image creation crashed the gluster client on the host the VM was running on. I assume it has something to do with the fact that the customer entered 'ext3' as filesystem type.

This isn't the first time this bug occurred, we also had it almost one year ago and there it was also related to the filesystem type of an image. I believe that this feature is rarely used by our customers and simply wasn't used in the meantime.

Now we are using OpenNebula 4.8.0 on Ubuntu 12.04.5 with glusterfs 3.2.5. Here's the log of the VM that triggered the crash:

    Sat Jan 10 13:24:21 2015 [Z0][VMM][I]: VM successfully rebooted-hard.
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: Command execution fail: /var/lib/one/remotes/tm/shared/mkimage 51200 ext3 192.168.128.14:/var/lib/one//datastores/0/346/disk.2 346 0
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: mkimage: Making filesystem of 51200M and type ext3 at 192.168.128.14:/var/lib/one//datastores/0/346/disk.2
    Fri Jan 16 17:31:00 2015 [Z0][VMM][E]: mkimage: Command set -e
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: export PATH=/usr/sbin:/sbin:$PATH
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: dd if=/dev/zero of=/var/lib/one/datastores/0/346/disk.2 bs=1 count=1 seek=51200M
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: mkfs -t ext3 -F /var/lib/one/datastores/0/346/disk.2 failed: Warning: Permanently added '192.168.128.14' (ECDSA) to the list of known hosts.
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: 1+0 records in
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: 1+0 records out
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: 1 byte (1 B) copied, 0.000576409 s, 1.7 kB/s
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: mke2fs 1.42 (29-Nov-2011)
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: Warning: could not erase sector 2: Attempt to write block to filesystem resulted in short write
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: Warning: could not read block 0: Attempt to read block from filesystem resulted in short read
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: Warning: could not erase sector 0: Attempt to write block to filesystem resulted in short write
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: mkfs.ext3: Attempt to write block to filesystem resulted in short write while zeroing block 13107184 at end of filesystem
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]:
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: Could not write 5 blocks in inode table starting at 1027: Attempt to write block to filesystem resulted in short write
    Fri Jan 16 17:31:00 2015 [Z0][VMM][E]: Could not create image /var/lib/one/datastores/0/346/disk.2
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: ExitCode: 1
    Fri Jan 16 17:31:00 2015 [Z0][VMM][I]: Failed to execute transfer manager driver operation: tm_attach.
    Fri Jan 16 17:31:00 2015 [Z0][VMM][E]: Error attaching new VM Disk: Could not create image /var/lib/one/datastores/0/346/disk.2

After that crash all subsequent operations fail because the frontend was unable to log into that particular host (since /var/lib/one was missing and passwordless SSH did not work anymore).

I have 2 questions:

1) Does anyone have an idea what's going on there?
2) Is it possible to disable this filesystem type feature. We don't need it, but I would like to prevent these accidental host crashes.

Greetings
Wilma
Re: [one-users] ubuntu 14.04 as image - no network on first boot
Hi,

Just stumbled on a curious case today: Using the new context packages under Ubuntu 14.04 killed my loopback NIC since it was left without an IP (so 127.0.0.1 was not set). I changed the script to call '/sbin/ifquery -X lo -la' to leave the loopback device as is.

Furthermore, under Ubuntu 12.04 ifquery has different console options. No idea if they changed it recently, but for the same functionality under 12.04 one must call '/sbin/ifquery -e lo --list'. Using the 14.04 call from above throws an error.

Greetings
Wilma

2014-04-28 22:20 GMT+02:00 Javier Fontan jfon...@opennebula.org:

I've updated the debian packages with the ip flush command sent by Stefan (thanks!). Now it seems to work even when an IP was previously configured in the interfaces file. This will make the context scripts more resilient when you save a disk without cleaning the interfaces file.

http://dev.opennebula.org/attachments/download/780/one-context_4.6.0.deb

If there are no major bugs with the new package this will be the one linked in the documentation.

ML, the source of the context packages in the OpenNebula repository [1]. We usually put the created packages in the files section of the development web pages [2] and link them in the documentation [3].

[1] https://github.com/OpenNebula/one/tree/master/share/scripts/context-packages
[2] http://dev.opennebula.org/projects/opennebula/files
[3] http://docs.opennebula.org/4.6/user/virtual_machine_setup/bcont.html

On Mon, Apr 28, 2014 at 5:55 PM, ML mail mlnos...@yahoo.com wrote:

Thanks for the new package. I just tested this version 4.6.0 which now works perfectly with ubuntu 14.04 and I have network access from the first boot.

Btw: is there an official repository or download page for the ONE context packages?

On Saturday, April 26, 2014 2:28 AM, Javier Fontan jfon...@opennebula.org wrote:

We have applied the changes made by Michael. That seems to do the trick. Thank you!

You can find the package at http://dev.opennebula.org/attachments/download/779/one-context_4.6.0.deb

Cheers

On Fri, Apr 25, 2014 at 8:54 AM, ML mail mlnos...@yahoo.com wrote:

Small addition here: after the first boot (where the network is not available) instead of rebooting (where the network works afterwards), I can simply run ifup eth0 and the network is working. So somehow ONE context sets things up correctly but eth0 is simply not up after the first boot...

On , ML mail mlnos...@yahoo.com wrote:

I also had no problems with Ubuntu 12.04, this problem only arises with 14.04. After installing the package I did not touch the interfaces file, actually I never touched it and strangely enough it has the correct context data in it but eth0 is just not configured upon first boot.

Maybe it's my Ubuntu 14.04 image itself... I installed a minimal server version of Ubuntu with only OpenSSH from the tasksel menu. Do I maybe need additional packages or to run/configure anything additional post-installation?

Regards
ML

On Thursday, April 24, 2014 7:57 PM, Javier Fontan jfon...@opennebula.org wrote:

We have tested the package in both 12.04 and 14.04. Network works fine in the first boot. Did you modify interfaces file after installing the package? One of the things the package does is to empty the interfaces file, just has the loopback configured so it does not configure the network before the context package starts.

On Thu, Apr 24, 2014 at 2:55 PM, Javier Fontan jfon...@opennebula.org wrote:

Thanks! I'll take a look at it and test it in other distros.

On Thu, Apr 24, 2014 at 8:00 AM, Michael Kutzner michael.kutz...@virtion.de wrote:

Hi Javier,

On 23.04.2014 at 21:18, Javier Fontan jfon...@opennebula.org wrote:

> Network restart is not supported in ubuntu. There is new code to overcome this issue but we are still testing the packages. A package with the latest code is attached if you want to try. You can install it over the previous version.

I ran into the same problem today and tried to figure out what could be a way to also include fixed interfaces configured in /etc/network/interfaces.d. So, I slightly changed at the end of 00-network (from configure_network on)

== snip ==
configure_network()
{
    gen_network_configuration > /etc/network/interfaces
    echo "source /etc/network/interfaces.d/*.cfg" >> /etc/network/interfaces
}

deactivate_network()
{
    . /etc/os-release
    if [ $ID = ubuntu ]; then
        IFACES=`/sbin/ifquery -la`
        for i in $IFACES; do
            DEV=`get_dev $i`
            /sbin/ifdown $i
        done
    else
        service networking stop
    fi
}

activate_network()
{
    . /etc/os-release
    if [ $ID = ubuntu ]; then
        IFACES=`/sbin/ifquery -la`
        for i in $IFACES; do
            DEV=`get_dev $i`
            /sbin/ifup $i
        done
    else
        service
Re: [one-users] Bug in 4.6,2?
Hi,

What can I do to fix this in a database that is already at 4.6.2? I do not really want to go back to my 4.4 backup...

Greetings
Wilma

2014-07-03 11:09 GMT+02:00 Carlos Martín Sánchez cmar...@opennebula.org:

Hi,

On Thu, Jul 3, 2014 at 2:04 AM, Grzegorz Kocur gko...@ux.pl wrote:

> Hi,
>
> Last night I upgraded opennebula 4.4 to newest stable version - 4.6.2. The upgrade went smoothly, but after starting oned I met strange problem: user with given id could list template with the same id (with no rights to this template). For example: user with id 80 running onetemplate list gets template with id 80, user with id 81 gets template id 81 etc.
>
> I had to revert to opennebula 4.4, this is critical for us. It looks like a bug. Can anyone of you confirm this?

Yes, it's a bug that was reported recently. We just updated the documentation [1] with the workaround:

There is a known issue (#3006) in the database upgrade scripts shipped with OpenNebula 4.6.2. To fix it, download the latest code from the repo:

    sudo wget https://raw.githubusercontent.com/OpenNebula/one/one-4.6/src/onedb/shared/4.4.1_to_4.5.80.rb -O /usr/lib/one/ruby/onedb/shared/4.4.1_to_4.5.80.rb

Regards

[1] http://docs.opennebula.org/4.6/release_notes/release_notes/upgrade_44.html

--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
[one-users] VM monitoring information do not get deleted
Hi,

I observed a problem with two OpenNebula setups, that I set up with version 4.4 and which I upgraded to 4.6 some weeks ago: The VM monitoring information does not seem to be deleted from the database (MySQL) after VM_MONITORING_EXPIRATION_TIME has expired.

I have a sandbox for testing issues: A single machine (both frontend and host) with a single virtual machine, that runs 24/7. When I upgraded OpenNebula 4.4 to 4.6, the SQL-Dump created by onedb upgrade was 3.6 MB big (perfectly okay for such a small setup). Today, when I dumped the DB, the backup file is 176 MB in size. Wondering about the size, I inspected the database and found ~77k rows in the vm_monitoring table. Obviously, OpenNebula writes rows into this table every few seconds without ever deleting anything.

I didn't change VM_MONITORING_EXPIRATION_TIME in oned.conf (it was commented out), so it should delete old values after 4h. I manually set VM_MONITORING_EXPIRATION_TIME to 14400 as well as other values: No effect, the DB continues to inflate.

Meanwhile, Sunstone begins to become unresponsive when I open the details of a VM. I believe this is due to generating the CPU and memory graphs which has to process several ten thousands of rows.

Did I miss some setting or is this a bug?

Greetings
Wilma
Re: [one-users] VM monitoring information do not get deleted
Hi,

Thanks for the confirmation. I'm using the SQL-command

    DELETE FROM `vm_monitoring` WHERE UNIX_TIMESTAMP() - last_poll > 14400

to delete everything but the last 4 hours. I don't know if UNIX_TIMESTAMP() is available when using SQLite, but for MySQL this works as workaround.

Greetings
Wilma

2014-05-14 23:55 GMT+02:00 Ruben S. Montero rsmont...@opennebula.org:

Hi

I confirm the bug, it was introduced to address Feature #2848: Add a configuration flag to enable individual VM monitoring. By default VM monitoring is disabled to prevent a tsunami of pro-active VM monitoring requests in case of massive failure of hypervisors. In that situation OpenNebula would try to contact the VMs collapsing the drivers and effectively blocking any other healthy hypervisor.

We are doing a maintenance release (4.6.1) next week, and this will be solved. In the meantime you can either delete the vm_monitoring table, or just set VM_INDIVIDUAL_MONITORING to yes.

Thanks Wilma for the heads up.

Cheers
Ruben

On Wed, May 14, 2014 at 11:08 PM, Stefan Kooman ste...@bit.nl wrote:

Quoting Stefan Kooman (ste...@bit.nl):

> After reading the above things start to make sense. We're using a MySQL master-master replication setup, with one oned server as primary master. The amount of network traffic, InnoDB activity, disk throughput, etc have gone up tremendously. See attached images to get an impression. For newly created vm's opening capacity or network tab this isn't a problem, yet. But for vm's that are already running for months this is a problem. I see the sunstone instance that is serving me dropping out of the load-balancer for not replying to health-checks in time. Just by clicking the network tab of a long running vm.
>
> If this is a bug I need a workaround soon before running out of disk space ;).
>
> Gr. Stefan
>
> P.s Thanks to Wilma for spotting this, haven't had time to look into this issue: too busy with reverting back from trusty - saucy on hypervisors, more on that later.

Pff, added those bloody attachments ;).

Gr. Stefan

--
| BIT BV http://www.bit.nl/ Kamer van Koophandel 09090351
| GPG: 0xD14839C6 +31 318 648 688 / i...@bit.nl

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | rsmont...@opennebula.org | @OpenNebula
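
An added example, not part of the thread: the four-hour purge from the workaround above, run through Python's sqlite3 module because SQLite has no UNIX_TIMESTAMP() and strftime('%s','now') takes its place. The table columns, the batch size and the sample rows are assumptions constructed for the demonstration; rows are deleted in batches so that a bloated table is not held in one long transaction.

```python
import sqlite3

RETENTION_SECONDS = 14400  # the 4 h window used in the thread


def make_db(rows):
    """In-memory table shaped like vm_monitoring (column set is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE vm_monitoring ("
        " vmid INTEGER, last_poll INTEGER, body TEXT,"
        " PRIMARY KEY (vmid, last_poll))"
    )
    db.executemany("INSERT INTO vm_monitoring VALUES (?, ?, ?)", rows)
    db.commit()
    return db


def sample_rows(now, hours=6, interval=20):
    """Constructed data: one VM polled every `interval` seconds for `hours` hours."""
    return [(0, now - i * interval, "<VM/>") for i in range(hours * 3600 // interval)]


def purge_expired(db, retention=RETENTION_SECONDS, now=None, batch=1000):
    """Delete rows with now - last_poll > retention; return how many were removed."""
    if retention <= 0 or batch <= 0:
        raise ValueError("retention and batch must be positive")
    if now is None:
        # SQLite replacement for MySQL's UNIX_TIMESTAMP()
        now = db.execute(
            "SELECT CAST(strftime('%s', 'now') AS INTEGER)"
        ).fetchone()[0]
    cutoff = now - retention  # same predicate as the MySQL statement, rearranged
    deleted = 0
    while True:
        cur = db.execute(
            "DELETE FROM vm_monitoring WHERE rowid IN ("
            " SELECT rowid FROM vm_monitoring WHERE last_poll < ? LIMIT ?)",
            (cutoff, batch),
        )
        db.commit()  # one short transaction per batch
        deleted += cur.rowcount
        if cur.rowcount < batch:
            return deleted


if __name__ == "__main__":
    now = 1400000000  # fixed clock so the run is repeatable
    db = make_db(sample_rows(now))
    print("deleted:", purge_expired(db, now=now, batch=100))
    print("kept:", db.execute("SELECT COUNT(*) FROM vm_monitoring").fetchone()[0])
```
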
Re: [one-users] Special characters in VM's names
In the XML output, the name is correct:

    $ onevm list -x | grep 'NAME'
    <NAME>text &#xF6; text &#xF6; text</NAME>
    $ onevm show -x 0 | grep 'NAME'
    <NAME>text &#xF6; text &#xF6; text</NAME>

Greetings
Wilma

2014-05-08 15:42 GMT+02:00 Carlos Martín Sánchez cmar...@opennebula.org:

Hi Wilma,

On Tue, May 6, 2014 at 2:06 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

> Hi everyone,
>
> There seems to be a bug in 4.6 regarding special characters in VM's names (at least this holds for german umlauts):
>
> - If I set a VM to have the name "text ö text", the machine is displayed as "ö text".
> - If I change the name to "text ö text ö text", the machine is displayed as "ö text ö text".
>
> In other words: Every character before the first special character is truncated.
>
> It's not a Sunstone bug, it also appears on the CLI. If I use onevm list the machine's name is truncated. If I use onevm show, I see the full name. In Sunstone, the list of VMs shows the truncated name, the page with the VM's details however displays the full name.
>
> Greetings
> Wilma

Thanks for reporting this, we will take a look [1]. Can you confirm the name that appears in the xml output, running onevm list -x and onevm show -x?

Regards

[1] http://dev.opennebula.org/issues/2880

--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula
Re: [one-users] noVNC problem in sunstone after restarting oned.
The message "SecurityError: The operation is insecure." is usually related to a Same-Origin-Policy problem. Are you using secure websockets for VNC? If you have Sunstone TLS secured and try to connect to an insecure websocket for VNC, Firefox blocks that.

For Firefox, you need to have both connections secured to not get this error. And don't use a self-signed certificate for the server, this would raise the error again (you can setup your own little CA, that works, but don't use a self-signed server certificate).

The other option would be to go into the Firefox config (about:config) and set network.websocket.allowInsecureFromHTTPS to true.

Greetings
Wilma

2014-05-05 10:52 GMT+02:00 Daniel Molina dmol...@opennebula.org:

Are you using an old Firefox version? Could you try using a newer

On 5 May 2014 10:48, Leszek Master keks...@gmail.com wrote:

The problem is only in the firefox browser (in the chrome it is working properly). The error from browser log:

    SecurityError: The operation is insecure. websock.js:333
    New state 'loaded', was 'disconnected'. Msg: noVNC ready: native WebSockets, canvas rendering util.js:110
    New state 'connect', was 'loaded'. util.js:110
    Skipping unsupported WebSocket binary sub-protocol util.js:111
    New state 'failed', was 'connect'. Msg: Connect timeout util.js:111
    New state 'disconnected', was 'failed'.

2014-05-05 10:46 GMT+02:00 Daniel Molina dmol...@opennebula.org:

Hi,

Could you check if there is any error in the browser console?

Cheers

On 16 April 2014 15:35, Leszek Master keks...@gmail.com wrote:

It's not running in the ps auwx, there is only:

    python /usr/share/one/websockify/websocketproxy.py --target-config=/var/lib/one/sunstone_vnc_tokens 29876

In the log I can see:

    192.168.8.252: SSL connection but '/home/leni/self.pem' not found.

Why does it look for ssl cert in the user folder?

2014-04-16 14:44 GMT+02:00 Daniel Molina dmol...@opennebula.org:

Hi,

Could you check if the novnc-server is running in the machine. You can start it using the novnc-server start command

Cheers

On 16 April 2014 11:10, Leszek Master keks...@gmail.com wrote:

I had to restart my whole physical machine running oned sched and sunstone. But the vm's on hosts were running. After rebooting I can see vm's running in the sunstone, but when I click on the vnc icon nothing happened (only information in right corner: Submitted VM startvnc: 5 ). I can connect to the host:59xx port using tight vnc. So the vnc works on the host. How can I get the noVNC running in the sunstone webpanel?

--
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula
[one-users] Special characters in VM's names
Hi everyone,

There seems to be a bug in 4.6 regarding special characters in VM's names (at least this holds for german umlauts):

- If I set a VM to have the name "text ö text", the machine is displayed as "ö text".
- If I change the name to "text ö text ö text", the machine is displayed as "ö text ö text".

In other words: Every character before the first special character is truncated.

It's not a Sunstone bug, it also appears on the CLI. If I use onevm list the machine's name is truncated. If I use onevm show, I see the full name. In Sunstone, the list of VMs shows the truncated name, the page with the VM's details however displays the full name.

Greetings
Wilma
Re: [one-users] Assigning limited admin rights
Hi,

Good idea, but with the admin group as secondary group the admin user gets the 'user' view in Sunstone, not the 'admin' view. It seems that views defined for secondary groups do not appear in Sunstone's settings.

After defining the 'admin' view for that particular user, I can select it, but I find this complicated. This way, adding an admin requires me to edit sunstone-views.yaml (that's not really the problem) and restarting Sunstone (which kicks all users out of their sessions). It's not really a big deal (I don't add admins on a daily basis), but I would have expected that Sunstone offers me all views that are defined for all groups that I am (primary or secondary) member of.

Greetings
Wilma

2014-04-10 16:48 GMT+02:00 Carlos Martín Sánchez cmar...@opennebula.org:

Hi,

On Wed, Apr 9, 2014 at 5:27 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

> Hi,
>
> To answer my own mail, I could resolve both problems. For the sake of completeness, here's how:
>
> 1. I'm using a hook to change a new user's group after creation using the approach from this thread: http://lists.opennebula.org/pipermail/users-opennebula.org/2013-September/024648.html

You could also put your admin user in the users group as the primary group, and add the admin group as a secondary group. This way all new users will belong to the 'users' group.

Regards

--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

> 2. The problem here was that I used the vdcadmin view in Sunstone for the user. By debugging I found out that the list of groups in Sunstone is populated by some javascript loaded by the groups panel. In the vdcadmin view, the groups panel is disabled by default, therefore the list of groups is empty. It's arguably either a bug or a strict permission management thing, I can't judge on that. However, if I enable the groups panel and prevent the user from doing changes to the groups, I have everything I wanted to build.
>
> Greetings
> Wilma

2014-04-07 13:35 GMT+02:00 Wilma Hermann wilma.herm...@gmail.com:

Hi,

Thanks for the info, it was very useful. I'm still having two issues:

1. The default group of a new user is the same as the creating user's one. I would like to have new users in the users group by default. Is there a way to change this behavior?
2. In Sunstone, the user doing the user management does not see the existing groups even though he ought to. I created an ACL "#user_id GROUP/* USE+MANAGE+ADMIN", but still the list of groups I can assign to a user through Sunstone is empty (Even the string "Please select" does not appear). On the command line, a oneuser chgrp works flawlessly using this account, so I guess it's a bug in Sunstone.

Greetings
Wilma

2014-04-04 10:34 GMT+02:00 Carlos Martín Sánchez cmar...@opennebula.org:

Hi,

Adding to what Rubén said, the acl modification is only allowed for users in the oneadmin group.

Make sure you use the reference command-auth tables in the xml-rpc doc [1] to create your rules. For example, oneuser passwd requires USER:MANAGE. The rule "#user_id USER/* USE+MANAGE+ADMIN" will allow your user to change oneadmin's password. In this case, you will want to create a rule targeting each group (excluding oneadmin).

Regards

[1] http://docs.opennebula.org/4.4/integration/system_interfaces/api.html#authorization-requests-reference

--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

On Thu, Apr 3, 2014 at 2:19 PM, Ruben S. Montero rsmont...@opennebula.org wrote:

Hi

Probably, the following may work...

    oneacl create "#user_id USER/* CREATE"
    oneacl create "#user_id USER/* USE+MANAGE+ADMIN"

Take a look to the ACL guide for more info:

http://docs.opennebula.org/4.4/administration/users_and_groups/manage_acl.html

Cheers
Ruben

On Thu, Apr 3, 2014 at 12:08 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

Is it possible to assign limited admin rights to certain accounts? I would like to have a user that is allowed to do all the user management (creating users, adding users to existing groups, etc.) without adding this user to the oneadmin-group. In particular, I would like to deny this user access to all other users' VMs, templates, images, etc. The user also shouldn't have write-access to the ACLs (otherwise limits would make no sense obviously).

Greetings
Wilma

--
Ruben S. Montero, PhD
Project co-Lead
Re: [one-users] Assigning limited admin rights
Hi,

To answer my own mail, I could resolve both problems. For the sake of completeness, here's how:

1. I'm using a hook to change a new user's group after creation using the approach from this thread: http://lists.opennebula.org/pipermail/users-opennebula.org/2013-September/024648.html
2. The problem here was that I used the vdcadmin view in Sunstone for the user. By debugging I found out that the list of groups in Sunstone is populated by some javascript loaded by the groups panel. In the vdcadmin view, the groups panel is disabled by default, therefore the list of groups is empty. It's arguably either a bug or a strict permission management thing, I can't judge on that. However, if I enable the groups panel and prevent the user from doing changes to the groups, I have everything I wanted to build.

Greetings
Wilma

2014-04-07 13:35 GMT+02:00 Wilma Hermann wilma.herm...@gmail.com:

Hi,

Thanks for the info, it was very useful. I'm still having two issues:

1. The default group of a new user is the same as the creating user's one. I would like to have new users in the users group by default. Is there a way to change this behavior?
2. In Sunstone, the user doing the user management does not see the existing groups even though he ought to. I created an ACL "#user_id GROUP/* USE+MANAGE+ADMIN", but still the list of groups I can assign to a user through Sunstone is empty (Even the string "Please select" does not appear). On the command line, a oneuser chgrp works flawlessly using this account, so I guess it's a bug in Sunstone.

Greetings
Wilma

2014-04-04 10:34 GMT+02:00 Carlos Martín Sánchez cmar...@opennebula.org:

Hi,

Adding to what Rubén said, the acl modification is only allowed for users in the oneadmin group.

Make sure you use the reference command-auth tables in the xml-rpc doc [1] to create your rules. For example, oneuser passwd requires USER:MANAGE. The rule "#user_id USER/* USE+MANAGE+ADMIN" will allow your user to change oneadmin's password. In this case, you will want to create a rule targeting each group (excluding oneadmin).

Regards

[1] http://docs.opennebula.org/4.4/integration/system_interfaces/api.html#authorization-requests-reference

--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

On Thu, Apr 3, 2014 at 2:19 PM, Ruben S. Montero rsmont...@opennebula.org wrote:

Hi

Probably, the following may work...

    oneacl create "#user_id USER/* CREATE"
    oneacl create "#user_id USER/* USE+MANAGE+ADMIN"

Take a look to the ACL guide for more info:

http://docs.opennebula.org/4.4/administration/users_and_groups/manage_acl.html

Cheers
Ruben

On Thu, Apr 3, 2014 at 12:08 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

Is it possible to assign limited admin rights to certain accounts? I would like to have a user that is allowed to do all the user management (creating users, adding users to existing groups, etc.) without adding this user to the oneadmin-group. In particular, I would like to deny this user access to all other users' VMs, templates, images, etc. The user also shouldn't have write-access to the ACLs (otherwise limits would make no sense obviously).

Greetings
Wilma

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | rsmont...@opennebula.org | @OpenNebula
Re: [one-users] Assigning limited admin rights
Hi,

Thanks for the info, it was very useful. I'm still having two issues:

1. The default group of a new user is the same as the creating user's one. I would like to have new users in the users group by default. Is there a way to change this behavior?
2. In Sunstone, the user doing the user management does not see the existing groups even though he ought to. I created an ACL "#user_id GROUP/* USE+MANAGE+ADMIN", but still the list of groups I can assign to a user through Sunstone is empty (Even the string "Please select" does not appear). On the command line, a oneuser chgrp works flawlessly using this account, so I guess it's a bug in Sunstone.

Greetings
Wilma

2014-04-04 10:34 GMT+02:00 Carlos Martín Sánchez cmar...@opennebula.org:

Hi,

Adding to what Rubén said, the acl modification is only allowed for users in the oneadmin group.

Make sure you use the reference command-auth tables in the xml-rpc doc [1] to create your rules. For example, oneuser passwd requires USER:MANAGE. The rule "#user_id USER/* USE+MANAGE+ADMIN" will allow your user to change oneadmin's password. In this case, you will want to create a rule targeting each group (excluding oneadmin).

Regards

[1] http://docs.opennebula.org/4.4/integration/system_interfaces/api.html#authorization-requests-reference

--
Carlos Martín, MSc
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

On Thu, Apr 3, 2014 at 2:19 PM, Ruben S. Montero rsmont...@opennebula.org wrote:

Hi

Probably, the following may work...

    oneacl create "#user_id USER/* CREATE"
    oneacl create "#user_id USER/* USE+MANAGE+ADMIN"

Take a look to the ACL guide for more info:

http://docs.opennebula.org/4.4/administration/users_and_groups/manage_acl.html

Cheers
Ruben

On Thu, Apr 3, 2014 at 12:08 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

Is it possible to assign limited admin rights to certain accounts? I would like to have a user that is allowed to do all the user management (creating users, adding users to existing groups, etc.) without adding this user to the oneadmin-group. In particular, I would like to deny this user access to all other users' VMs, templates, images, etc. The user also shouldn't have write-access to the ACLs (otherwise limits would make no sense obviously).

Greetings
Wilma

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | rsmont...@opennebula.org | @OpenNebula
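
An added example, not from the thread and not OpenNebula code: a simplified model of ACL rule matching that shows why a "USER/*" rule with MANAGE reaches the oneadmin account, while one rule per group (excluding oneadmin), as advised above, does not. It assumes oneadmin is group 0, matches USER objects on their primary group only and ignores implicit rights; the user and group ids are constructed.

```python
import re
from dataclasses import dataclass

ONEADMIN_GID = 0  # assumption: id of the oneadmin group
RIGHTS = {"USE", "MANAGE", "ADMIN", "CREATE"}
SELECTOR = re.compile(r"^(\*|[#@]\d+)$")  # "*", "#<id>" or "@<gid>"


@dataclass(frozen=True)
class Rule:
    subject: str          # who the rule applies to
    resources: frozenset  # resource kinds, e.g. {"USER"}
    target: str           # which objects of that kind
    rights: frozenset


def parse_rule(text):
    """Parse '<subject> <KIND+KIND>/<target> <RIGHT+RIGHT>' into a Rule."""
    try:
        subject, resource, rights = text.split()
        kinds, target = resource.split("/")
    except ValueError:
        raise ValueError(f"malformed rule: {text!r}") from None
    rights = frozenset(rights.split("+"))
    if not (SELECTOR.match(subject) and SELECTOR.match(target)):
        raise ValueError(f"bad selector in rule: {text!r}")
    if not rights <= RIGHTS:
        raise ValueError(f"unknown right in rule: {text!r}")
    return Rule(subject, frozenset(kinds.split("+")), target, rights)


def selects(selector, obj_id, gid):
    """True if the selector covers an object with this id and primary group."""
    if selector == "*":
        return True
    wanted = int(selector[1:])
    return wanted == (obj_id if selector[0] == "#" else gid)


def allowed(rules, actor, kind, right, target):
    """actor and target are (id, primary_gid) pairs."""
    return any(
        selects(r.subject, *actor) and kind in r.resources
        and right in r.rights and selects(r.target, *target)
        for r in rules
    )


def scoped_rules(uid, group_ids):
    """One USE+MANAGE+ADMIN rule per group, skipping oneadmin."""
    rules = [f"#{uid} USER/* CREATE"]
    rules += [f"#{uid} USER/@{gid} USE+MANAGE+ADMIN"
              for gid in sorted(group_ids) if gid != ONEADMIN_GID]
    return rules


def reachable_admins(rule_texts, actor, users):
    """Names of oneadmin-group users the actor could MANAGE (e.g. oneuser passwd)."""
    rules = [parse_rule(t) for t in rule_texts]
    return sorted(name for name, who in users.items()
                  if who[1] == ONEADMIN_GID
                  and allowed(rules, actor, "USER", "MANAGE", who))


# Constructed sample data: name -> (uid, primary gid)
USERS = {"oneadmin": (0, 0), "alice": (5, 1), "bob": (6, 1), "carol": (7, 100)}
GROUPS = {0, 1, 100}
BROAD = ["#5 USER/* CREATE", "#5 USER/* USE+MANAGE+ADMIN"]

if __name__ == "__main__":
    manager = USERS["alice"]
    print("broad rules reach: ", reachable_admins(BROAD, manager, USERS))
    print("scoped rules:      ", scoped_rules(5, GROUPS))
    print("scoped rules reach:", reachable_admins(scoped_rules(5, GROUPS), manager, USERS))
```
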
[one-users] Assigning limited admin rights
Hi,

Is it possible to assign limited admin rights to certain accounts? I would like to have a user that is allowed to do all the user management (creating users, adding users to existing groups, etc.) without adding this user to the oneadmin-group. In particular, I would like to deny this user access to all other users' VMs, templates, images, etc. The user also shouldn't have write-access to the ACLs (otherwise limits would make no sense obviously).

Greetings
Wilma
[one-users] Recycle bin for VMs
Hi,

Is there any mechanism in OpenNebula that deals with accidental deletions? For example, if a user deletes a VM by accident (because the user mistakes the Shutdown and suspend-button with the Shutdown and delete-button) and the VM did not use a persistent image, it would be great to have something like a recycle bin from where the VM could be restored.

Greetings
Wilma
Re: [one-users] Sunstone noVNC with WSS support
Hi Valentin,

Last time I checked, my CA looked pretty real to me

Admittedly, real might have been the wrong word. Probably common would have better described what I meant.

And why is that? Is Verisign's random number generator better than yours?

No, but their root certificate is shipped with every common browser out there, even on mobile devices.

None of the RFCs I've read about PKI don't tell me that I SHOULD NOT use self signed certs for production environments.

Fair enough, that's true. And when you have an environment where you can ensure that all users have your root certificate installed, then there's no downside of a private CA-infrastructure. But from ML's comments I assumed that this particular OpenNebula installation is to be opened to the public (or at least an audience where ML cannot make sure that the root certificate is trusted by default). If that assumption holds and you're not willing to spend a few dollars for an uninterrupted user-experience, then I question your business model...

Greetings
Wilma

2014-03-07 17:37 GMT+01:00 Valentin Bud valentin@gmail.com:

Hello Wilma,

On Thu, Feb 6, 2014 at 6:20 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

There is a really easy fix for that: Get a real certificate from a real CA. You should not use self-signed certs for a production environment.

And why is that? Is Verisign's random number generator better than yours?

A real certificate from a real CA? I don't get that. Last time I checked, my CA looked pretty real to me, conforming with RFC 5280. And the certificates from the browser and VPNs issued by that CA are also real.

None of the RFCs I've read about PKI don't tell me that I SHOULD NOT use self signed certs for production environments. Your business's image could suffer from a self signed cert but that's another story. Technology is technology and it should work either way, be it self signed or not.

Best,
Valentin

Greetings
Wilma

2014-02-06 ML mail mlnos...@yahoo.com:

This workaround fixes that problem yes but it is not a good workaround especially if you want to offer opennebula to real customers. I hope another better alternative can be found in the future but I am aware that this is mostly a browser problem :|

Regards
ML

On Thursday, February 6, 2014 10:56 AM, Daniel Molina dmol...@opennebula.org wrote:

Hi,

On 5 February 2014 16:58, ML mail mlnos...@yahoo.com wrote:

Hello,

I would like to use noVNC in Sunstone over an encrypted channel (WSS). Therefore I have generated my own SSL key and certificate which I have added to the sunstone-server.conf configuration. The problem is that this does not work, when I start VNC from the Sunstone web interface I get the following error message in novnc.log:

SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Does this mean I need an official SSL certificate?

Please, check if the solution proposed in this thread, fixes your problem
http://lists.opennebula.org/pipermail/users-opennebula.org/2014-February/026405.html

Cheers

Regards
ML

--
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula

--
Valentin Bud
http://databus.pro | valen...@databus.pro
Re: [one-users] Using CloudInit for contextualization
Here is the context I've been using:

That context does not work for me, even with a trusty image. Neither the network part nor writing the test-file works out. Did you use the alpha-2 image or a daily build of trusty?

If I remember correctly the file is /var/lib/cloud/instance/user-data

The folder /var/lib/cloud/instances (which I assume you were referring to) is empty on my VMs.

It takes about 2.5 minutes to boot the first time as dhcp is trying to get an IP and I don't have a dhcp server.

That bugs me too, but I could live with it if the rest was working...

Another thing I observed on both the saucy as well as the trusty images: Obviously, the openSSH server of the VM does not generate host keys. If I restart a VM after the first (2.5 minutes) boot, I can ping the machine (network works), but when I try to connect via SSH, the connection is closed by the VM. The log of the VM says:

# virt-cat one-42 /var/log/auth.log | tail -4
Feb 16 18:21:01 ubuntu sshd[927]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Feb 16 18:21:01 ubuntu sshd[927]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Feb 16 18:21:01 ubuntu sshd[927]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Feb 16 18:21:01 ubuntu sshd[927]: fatal: No supported key exchange algorithms [preauth]

Greetings
Wilma

2014-02-13 14:44 GMT+01:00 Javier Fontan jfon...@opennebula.org:

I've been playing a bit more with cloud-init and ubuntu. Unfortunately I could not make it work in the saucy images. They come with cloud-init 0.7.3 and they should be compatible but I was not able to make the user_data work.

With development images (trusty) I've managed to make it work but still has some problems with the network. To make it configure the network correctly it needs to be down so the network configuration part makes its work. Here is the context I've been using:

--8--
CONTEXT=[
  NETWORK=YES,
  SSH_PUBLIC_KEY=$USER[SSH_PUBLIC_KEY],
  USER_DATA=#cloud-config
bootcmd:
  - ifdown -a
runcmd:
  - curl http://10.0.1.1:8999/I_am_alive
write_files:
  - encoding: b64
    content: RG9lcyBpdCB3b3JrPwo=
    owner: root:root
    path: /etc/test_file
    permissions: '0644'
packages:
  - ruby2.0
]
--8--

The bootcmd part brings down the network so it is configured (and brought up) by network contextualization. That is the important part. The other sections are just tests:

* runcmd tries to connect to another machine, just to check that networking is ready when user data scripts are being executed
* write_files is there in case network does not work to check that the user data script executed.
* packages installs the ruby interpreter, again to check networking and user data.

trusty image comes with cloud-init 0.7.5 (is not available for saucy). I believe that upgrading the cloud-init package will make the saucy image work.

It takes about 2.5 minutes to boot the first time as dhcp is trying to get an IP and I don't have a dhcp server.

On Thu, Feb 6, 2014 at 6:28 PM, Javier Fontan jfon...@opennebula.org wrote:

If I remember correctly the file is /var/lib/cloud/instance/user-data. I've been also checking the log files but there's nothing interesting to me. In case you want to run cloud-init manually you can use:

# cloud-init -d init --local

On Thu, Feb 6, 2014 at 5:26 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Good to hear that the problem is reproducible. I was really about to doubt myself. Can't be so hard to get a config file right ;)

Where is that user data file stored in the VM? Maybe you could tell me, where you would continue to debug. Maybe I can help you out.

Greetings
Wilma

2014-02-06 Javier Fontan jfon...@opennebula.org:

I've been trying the image and I could not make the user data work. Cloud-init is able to get networking options and configures the network but it doesn't restart it so the changes make any effect. It is also able to get the user data and writes it to the user data file used later for configuration but it does nothing with it.

It could be a problem with the cloud-init configuration in that machine. I'll do more debugging as soon as I get some time.

On Tue, Feb 4, 2014 at 1:19 PM, Javier Fontan jfon...@opennebula.org wrote:

I'll try to test that image and will let you know what I can find.

On Tue, Feb 4, 2014 at 1:18 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

No, I never touched that file. Its current setting is

DISK = [ driver = raw , cache = none]

I also tried converting the Ubuntu Image to qcow and raw using qemu-img to make sure it is no problem with the image format. That also didn't change anything.

2014-02-04 Javier Fontan jfon...@opennebula.org:

It's a long shot but do you have the default image set to qcow2? In '/etc/one/vmm_exec/vmm_exec_kvm.conf':

DISK = [ driver = qcow2
Re: [one-users] Sunstone noVNC with WSS support
There is a really easy fix for that: Get a real certificate from a real CA. You should not use self-signed certs for a production environment.

Greetings
Wilma

2014-02-06 ML mail mlnos...@yahoo.com:

This workaround fixes that problem yes but it is not a good workaround especially if you want to offer opennebula to real customers. I hope another better alternative can be found in the future but I am aware that this is mostly a browser problem :|

Regards
ML

On Thursday, February 6, 2014 10:56 AM, Daniel Molina dmol...@opennebula.org wrote:

Hi,

On 5 February 2014 16:58, ML mail mlnos...@yahoo.com wrote:

Hello,

I would like to use noVNC in Sunstone over an encrypted channel (WSS). Therefore I have generated my own SSL key and certificate which I have added to the sunstone-server.conf configuration. The problem is that this does not work, when I start VNC from the Sunstone web interface I get the following error message in novnc.log:

SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Does this mean I need an official SSL certificate?

Please, check if the solution proposed in this thread, fixes your problem
http://lists.opennebula.org/pipermail/users-opennebula.org/2014-February/026405.html

Cheers

Regards
ML

--
Daniel Molina
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula
Re: [one-users] Using CloudInit for contextualization
I also tried it with the current Alpha 2 of Ubuntu 14.04 which includes cloud-init 0.7.5, but it does not work either. You can find the output of onevm and oneimage attached.

Thanks in advance
Wilma

2014-02-04 Javier Fontan jfon...@opennebula.org:

It should be working. Can you send us the output of onevm show -x vmid of one of those machines?

On Mon, Feb 3, 2014 at 6:17 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

I'm using the release image from yesterday (02-Feb-2014 03:39) [1]. And the machine uses cloud-init 0.7.3:

# virt-cat one-42 /var/log/cloud-init.log | grep running
2014-02-03 15:18:56,873 - util.py[DEBUG]: Cloud-init v. 0.7.3 running 'init-local' at Mon, 03 Feb 2014 15:18:56 +. Up 4.48 seconds.

[1]: http://cloud-images.ubuntu.com/releases/13.10/release/

Thanks in advance
Wilma

2014-02-03 Javier Fontan jfon...@opennebula.org:

Are you using a recent version of those images? OpenNebula support was added in cloud-init 0.7.3 and the current images come with that version. User data can be specified with USER_DATA or USERDATA parameters so your configuration seems to be OK.

On Mon, Feb 3, 2014 at 5:54 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

Well, the core of the problem sounds logical to me. Nevertheless, I have to wait 2 minutes for the network initialization to time-out until I can reboot the machine using the CtrlAltDel-Button in VNC... That's not comfortable, but bearable.

However, I cannot get that USER_DATA variable to work. Whatever I enter there, it is obviously ignored. I tried it with the exact code from the documentation you mentioned, but also with something like

CONTEXT=[NETWORK=YES,SSH_PUBLIC_KEY=$USER[SSH_PUBLIC_KEY],
USER_DATA=#cloud-config
bootcmd:
  - echo HelloWorld /etc/issue
]

just to get a visual feedback that the USER_DATA is being used by cloud-init. None of it worked out. Is there a special trick with USER_DATA?

Just in case that's important: I'm using OpenNebula 4.4 with libvirt/KVM.

Thanks in advance
Wilma

2014-01-30 Javier Fontan jfon...@opennebula.org:

Unfortunately the current version of cloud-init does not load new network parameters after they are configured in some distributions. There is a ticket to track that problem [1]

The documentation gives some ideas on how to overcome this [2]:

--8--
The current version of cloud-init configures the network before running cloud-init configuration. This makes the network configuration not reliable. Until a new version that fixes this is released you can add OpenNebula context packages or this user data to reboot the machine so the network is properly configured.
--8--

[1] https://bugs.launchpad.net/cloud-init/+bug/1225922
[2] http://docs.opennebula.org/stable/user/virtual_machine_setup/cloud-init.html

On Tue, Jan 28, 2014 at 1:56 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

I'm trying to get a Ubuntu 13.10 guest to work, which uses an official Cloud-image (http://cloud-images.ubuntu.com/saucy/) as disk. However, the VM is not integrating into the virtual network. I've double checked the virtual network settings with CentOS-VMs, the network works correctly.

I've found out that CloudInit writes a correct /etc/network/interfaces file with a static address, however, the machine somehow ignores this file and keeps sending DHCP requests without getting an answer (which is intended since we don't use DHCP in the VM's network).

# virt-cat one-42 /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.129.4
  network 192.168.128.0
  netmask 255.255.254.0
  gateway 192.168.128.1

# virt-cat one-42 /var/log/syslog | tail -6
Jan 28 12:42:44 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 21 (xid=0x1080a577)
Jan 28 12:43:05 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13 (xid=0x1080a577)
Jan 28 12:43:18 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20 (xid=0x1080a577)
Jan 28 12:43:38 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 1 (xid=0x1080a577)
Jan 28 12:43:39 ubuntu dhclient: No DHCPOFFERS received.
Jan 28 12:43:39 ubuntu dhclient: No working leases in persistent database - sleeping.

Does anybody know how the VM template needs to be configured in order to get it working?

Thanks in advance
Wilma

-- Javier
Re: [one-users] VNC in sunstone not working on firefox 26 (one 4.4)
Hi,

The reset of the connection is perfectly right. It's only about trusting the certificate on that port. After that, secure VNC should work. Make sure, that the user account you're using in Sunstone has secure Websockets enabled. You can't access the insecure VNC from a TLS-protected Sunstone because of the Same-Origin-Policy.

Greetings
Wilma

2014-02-04 Hamada, Ondrej ondrej.ham...@acision.com:

Hi,

Thank you for hints, but my connection gets reset when trying to access https://opennebulaaddr:29876. I already have permanent exception for my cert in firefox.

Ondra

*From:* Daniel Molina [mailto:dmol...@opennebula.org]
*Sent:* Tuesday, February 04, 2014 12:03 PM
*To:* Hamada, Ondrej
*Cc:* users
*Subject:* Re: [one-users] VNC in sunstone not working on firefox 26 (one 4.4)

Hi Ondra,

Let us know if the solution proposed by Wilma works for you. Thank you both for your feedback.

On 1 February 2014 19:41, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

are you using a self-signed certificate? I encountered the same issue with a snakeoil-cert, Firefox seems to store the trust to a certain certificate not only based on the domain but also on the port used. Since VNC is using a different port, this ends up in a missing trust-warning.

Try opening https://opennebulaaddr:29876/ in your firefox. If it gives you a warning, then you only need to trust your cert and secure VNC should work.

Greetings
Wilma

2014-01-31 Tino Vazquez cvazq...@c12g.com:

Hi,

Ok, thanks for letting us know. I've opened a ticket to reproduce and solve this problem for future releases:

http://dev.opennebula.org/issues/2703

Regards,
-Tino

--
OpenNebula - Flexible Enterprise Cloud Made Simple
--
Constantino Vázquez Blanco, PhD, MSc
Senior Infrastructure Architect at C12G Labs
www.c12g.com | @C12G | es.linkedin.com/in/tinova
--
Confidentiality Warning: The information contained in this e-mail and any accompanying documents, unless otherwise expressly indicated, is confidential and privileged, and is intended solely for the person and/or entity to whom it is addressed (i.e. those identified in the To and cc box). They are the property of C12G Labs S.L.. Unauthorized distribution, review, use, disclosure, or copying of this communication, or any part thereof, is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify us immediately by e-mail at ab...@c12g.com and delete the e-mail and attachments and any copy from your system. C12G thanks you for your cooperation.

On 31 January 2014 17:05, Hamada, Ondrej ondrej.ham...@acision.com wrote:

Hi Tino,

Yes, I can confirm that. Without SSL the VNC works in firefox.

Regards,
Ondra

-Original Message-
From: Tino Vazquez [mailto:cvazq...@c12g.com]
Sent: Friday, January 31, 2014 12:50 PM
To: Hamada, Ondrej
Cc: users
Subject: Re: [one-users] VNC in sunstone not working on firefox 26 (one 4.4)

Hi Ondrej,

Just to rule out other problems, can you confirm that without SSL VNC is working in Firefox?

Regards,
-Tino

--
OpenNebula - Flexible Enterprise Cloud Made Simple
--
Constantino Vázquez Blanco, PhD, MSc
Senior Infrastructure Architect at C12G Labs
www.c12g.com | @C12G | es.linkedin.com/in/tinova

On 30 January 2014 17:59, Hamada, Ondrej ondrej.ham...@acision.com wrote:

Hi Tino,

Thank you for reply. Here's the output:

17:45:06.596 POST https://opennebulaaddr/vm/272/startvnc [HTTP/1.1 200 OK 59ms]
17:45:06.621 SecurityError: The operation is insecure. websock.js:333
17:45:06.619 New state 'loaded', was 'disconnected'. Msg: noVNC ready: native WebSockets, canvas rendering util.js:110
17:45:06.620 New state 'connect', was 'loaded'. util.js:110
17:45:06.621 Skipping unsupported WebSocket binary sub-protocol util.js:111
17:45:08.621 New state 'failed', was 'connect'. Msg: Connect timeout util.js:111
17:45:08.672 New state 'disconnected', was 'failed'.

The security error - it reminds me that the problems had started probably after I've configured apache as a SSL proxy for sunstone. And in Chrome it works ok. Unfortunately I need the SSL enabled
Re: [one-users] Using CloudInit for contextualization
No, I never touched that file. Its current setting is

DISK = [ driver = raw , cache = none]

I also tried converting the Ubuntu Image to qcow and raw using qemu-img to make sure it is no problem with the image format. That also didn't change anything.

2014-02-04 Javier Fontan jfon...@opennebula.org:

It's a long shot but do you have the default image set to qcow2? In '/etc/one/vmm_exec/vmm_exec_kvm.conf':

DISK = [ driver = qcow2 ]

If this is the case change it to raw, restart oned and try again. The image already has the driver set to qcow2 so it should work.

On Tue, Feb 4, 2014 at 11:48 AM, Wilma Hermann wilma.herm...@gmail.com wrote:

I also tried it with the current Alpha 2 of Ubuntu 14.04 which includes cloud-init 0.7.5, but it does not work either. You can find the output of onevm and oneimage attached.

Thanks in advance
Wilma

2014-02-04 Javier Fontan jfon...@opennebula.org:

It should be working. Can you send us the output of onevm show -x vmid of one of those machines?

On Mon, Feb 3, 2014 at 6:17 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

I'm using the release image from yesterday (02-Feb-2014 03:39) [1]. And the machine uses cloud-init 0.7.3:

# virt-cat one-42 /var/log/cloud-init.log | grep running
2014-02-03 15:18:56,873 - util.py[DEBUG]: Cloud-init v. 0.7.3 running 'init-local' at Mon, 03 Feb 2014 15:18:56 +. Up 4.48 seconds.

[1]: http://cloud-images.ubuntu.com/releases/13.10/release/

Thanks in advance
Wilma

2014-02-03 Javier Fontan jfon...@opennebula.org:

Are you using a recent version of those images? OpenNebula support was added in cloud-init 0.7.3 and the current images come with that version. User data can be specified with USER_DATA or USERDATA parameters so your configuration seems to be OK.

On Mon, Feb 3, 2014 at 5:54 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

Well, the core of the problem sounds logical to me. Nevertheless, I have to wait 2 minutes for the network initialization to time-out until I can reboot the machine using the CtrlAltDel-Button in VNC... That's not comfortable, but bearable.

However, I cannot get that USER_DATA variable to work. Whatever I enter there, it is obviously ignored. I tried it with the exact code from the documentation you mentioned, but also with something like

CONTEXT=[NETWORK=YES,SSH_PUBLIC_KEY=$USER[SSH_PUBLIC_KEY],
USER_DATA=#cloud-config
bootcmd:
  - echo HelloWorld /etc/issue
]

just to get a visual feedback that the USER_DATA is being used by cloud-init. None of it worked out. Is there a special trick with USER_DATA?

Just in case that's important: I'm using OpenNebula 4.4 with libvirt/KVM.

Thanks in advance
Wilma

2014-01-30 Javier Fontan jfon...@opennebula.org:

Unfortunately the current version of cloud-init does not load new network parameters after they are configured in some distributions. There is a ticket to track that problem [1]

The documentation gives some ideas on how to overcome this [2]:

--8--
The current version of cloud-init configures the network before running cloud-init configuration. This makes the network configuration not reliable. Until a new version that fixes this is released you can add OpenNebula context packages or this user data to reboot the machine so the network is properly configured.
--8--

[1] https://bugs.launchpad.net/cloud-init/+bug/1225922
[2] http://docs.opennebula.org/stable/user/virtual_machine_setup/cloud-init.html

On Tue, Jan 28, 2014 at 1:56 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

I'm trying to get a Ubuntu 13.10 guest to work, which uses an official Cloud-image (http://cloud-images.ubuntu.com/saucy/) as disk. However, the VM is not integrating into the virtual network. I've double checked the virtual network settings with CentOS-VMs, the network works correctly.

I've found out that CloudInit writes a correct /etc/network/interfaces file with a static address, however, the machine somehow ignores this file and keeps sending DHCP requests without getting an answer (which is intended since we don't use DHCP in the VM's network).

# virt-cat one-42 /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.129.4
  network 192.168.128.0
  netmask 255.255.254.0
  gateway 192.168.128.1

# virt-cat one-42 /var/log/syslog | tail -6
Jan 28 12:42:44 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 21 (xid=0x1080a577)
Jan 28 12:43:05 ubuntu dhclient
Re: [one-users] Using CloudInit for contextualization
Hi,

I'm using the release image from yesterday (02-Feb-2014 03:39) [1]. And the machine uses cloud-init 0.7.3:

# virt-cat one-42 /var/log/cloud-init.log | grep running
2014-02-03 15:18:56,873 - util.py[DEBUG]: Cloud-init v. 0.7.3 running 'init-local' at Mon, 03 Feb 2014 15:18:56 +. Up 4.48 seconds.

[1]: http://cloud-images.ubuntu.com/releases/13.10/release/

Thanks in advance
Wilma

2014-02-03 Javier Fontan jfon...@opennebula.org:

Are you using a recent version of those images? OpenNebula support was added in cloud-init 0.7.3 and the current images come with that version. User data can be specified with USER_DATA or USERDATA parameters so your configuration seems to be OK.

On Mon, Feb 3, 2014 at 5:54 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

Well, the core of the problem sounds logical to me. Nevertheless, I have to wait 2 minutes for the network initialization to time-out until I can reboot the machine using the CtrlAltDel-Button in VNC... That's not comfortable, but bearable.

However, I cannot get that USER_DATA variable to work. Whatever I enter there, it is obviously ignored. I tried it with the exact code from the documentation you mentioned, but also with something like

CONTEXT=[NETWORK=YES,SSH_PUBLIC_KEY=$USER[SSH_PUBLIC_KEY],
USER_DATA=#cloud-config
bootcmd:
  - echo HelloWorld /etc/issue
]

just to get a visual feedback that the USER_DATA is being used by cloud-init. None of it worked out. Is there a special trick with USER_DATA?

Just in case that's important: I'm using OpenNebula 4.4 with libvirt/KVM.

Thanks in advance
Wilma

2014-01-30 Javier Fontan jfon...@opennebula.org:

Unfortunately the current version of cloud-init does not load new network parameters after they are configured in some distributions. There is a ticket to track that problem [1]

The documentation gives some ideas on how to overcome this [2]:

--8--
The current version of cloud-init configures the network before running cloud-init configuration. This makes the network configuration not reliable. Until a new version that fixes this is released you can add OpenNebula context packages or this user data to reboot the machine so the network is properly configured.
--8--

[1] https://bugs.launchpad.net/cloud-init/+bug/1225922
[2] http://docs.opennebula.org/stable/user/virtual_machine_setup/cloud-init.html

On Tue, Jan 28, 2014 at 1:56 PM, Wilma Hermann wilma.herm...@gmail.com wrote:

Hi,

I'm trying to get a Ubuntu 13.10 guest to work, which uses an official Cloud-image (http://cloud-images.ubuntu.com/saucy/) as disk. However, the VM is not integrating into the virtual network. I've double checked the virtual network settings with CentOS-VMs, the network works correctly.

I've found out that CloudInit writes a correct /etc/network/interfaces file with a static address, however, the machine somehow ignores this file and keeps sending DHCP requests without getting an answer (which is intended since we don't use DHCP in the VM's network).

# virt-cat one-42 /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.129.4
  network 192.168.128.0
  netmask 255.255.254.0
  gateway 192.168.128.1

# virt-cat one-42 /var/log/syslog | tail -6
Jan 28 12:42:44 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 21 (xid=0x1080a577)
Jan 28 12:43:05 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13 (xid=0x1080a577)
Jan 28 12:43:18 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20 (xid=0x1080a577)
Jan 28 12:43:38 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 1 (xid=0x1080a577)
Jan 28 12:43:39 ubuntu dhclient: No DHCPOFFERS received.
Jan 28 12:43:39 ubuntu dhclient: No working leases in persistent database - sleeping.

Does anybody know how the VM template needs to be configured in order to get it working?

Thanks in advance
Wilma

--
Javier Fontán Muiños
Developer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | @OpenNebula | github.com/jfontan
Re: [one-users] VNC in sunstone not working on firefox 26 (one 4.4)
Hi, are you using a self-signed certificate? I encountered the same issue with a snakeoil-cert, Firefox seems to store the trust to a certain certificate not only based on the domain but also on the port used. Since VNC is using a different port, this ends up in a missing trust-warning. Try opening https://opennebulaaddr https://opennebulaaddr/vm/272/startvnc:29876/ in your firefox. If it gives you a warning, then you only need to trust your cert and sucure VNC should work. Greetings Wilma 2014-01-31 Tino Vazquez cvazq...@c12g.com: Hi, Ok, thanks for letting us know. I've opened a ticket to reproduce and solve this problem for future releases: http://dev.opennebula.org/issues/2703 Regards, -Tino -- OpenNebula - Flexible Enterprise Cloud Made Simple -- Constantino Vázquez Blanco, PhD, MSc Senior Infrastructure Architect at C12G Labs www.c12g.com | @C12G | es.linkedin.com/in/tinova -- Confidentiality Warning: The information contained in this e-mail and any accompanying documents, unless otherwise expressly indicated, is confidential and privileged, and is intended solely for the person and/or entity to whom it is addressed (i.e. those identified in the To and cc box). They are the property of C12G Labs S.L.. Unauthorized distribution, review, use, disclosure, or copying of this communication, or any part thereof, is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify us immediately by e-mail at ab...@c12g.com and delete the e-mail and attachments and any copy from your system. C12G thanks you for your cooperation. On 31 January 2014 17:05, Hamada, Ondrej ondrej.ham...@acision.com wrote: Hi Tino, Yes, I can confirm that. Without SSL the VNC works in firefox. 
Regards, Ondra -Original Message- From: Tino Vazquez [mailto:cvazq...@c12g.com] Sent: Friday, January 31, 2014 12:50 PM To: Hamada, Ondrej Cc: users Subject: Re: [one-users] VNC in sunstone not working on firefox 26 (one 4.4) Hi Ondrej, Just to rule out other problems, can you confirm that without SSL VNC is working in Firefox? Regards, -Tino -- OpenNebula - Flexible Enterprise Cloud Made Simple -- Constantino Vázquez Blanco, PhD, MSc Senior Infrastructure Architect at C12G Labs www.c12g.com | @C12G | es.linkedin.com/in/tinova -- Confidentiality Warning: The information contained in this e-mail and any accompanying documents, unless otherwise expressly indicated, is confidential and privileged, and is intended solely for the person and/or entity to whom it is addressed (i.e. those identified in the To and cc box). They are the property of C12G Labs S.L.. Unauthorized distribution, review, use, disclosure, or copying of this communication, or any part thereof, is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify us immediately by e-mail at ab...@c12g.com and delete the e-mail and attachments and any copy from your system. C12G thanks you for your cooperation. On 30 January 2014 17:59, Hamada, Ondrej ondrej.ham...@acision.com wrote: Hi Tino, Thank you for reply. Here's the output: 17:45:06.596 POST https://opennebulaaddr/vm/272/startvnc [HTTP/1.1 200 OK 59ms] 17:45:06.621 SecurityError: The operation is insecure. websock.js:333 17:45:06.619 New state 'loaded', was 'disconnected'. Msg: noVNC ready: native WebSockets, canvas rendering util.js:110 17:45:06.620 New state 'connect', was 'loaded'. util.js:110 17:45:06.621 Skipping unsupported WebSocket binary sub-protocol util.js:111 17:45:08.621 New state 'failed', was 'connect'. Msg: Connect timeout util.js:111 17:45:08.672 New state 'disconnected', was 'failed'. 

The security error - it reminds me that the problems had started probably after I've configured apache as an SSL proxy for sunstone. And in Chrome it works ok. Unfortunately I need the SSL enabled.

-Original Message-
From: Tino Vazquez [mailto:cvazq...@c12g.com]
Sent: Thursday, January 30, 2014 4:24 PM
To: Hamada, Ondrej
Cc: users
Subject: Re: [one-users] VNC in sunstone not working on firefox 26 (one 4.4)

Hi Ondrej,

Right after clicking on the VNC link, is anything showing in the Firefox dev tools console [1]?

Best,
-Tino

[1] https://developer.mozilla.org/en/docs/Tools
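
The thread above reports that Firefox stores a certificate exception per host and port, so the noVNC WebSocket port (29876 in the thread) needs its own exception even when it serves the same certificate as Sunstone. The following Python is an added example, not code from the thread or from OpenNebula: `probe` checks each TLS port against the system trust store, and `blocked_endpoints` applies the per-port rule as an assumption taken from the thread; all function names and the script name are hypothetical.

```python
import hashlib
import socket
import ssl
import sys


def probe(host, port, timeout=5.0):
    """Return (ca_trusted, sha256_hex, verify_error) for the TLS listener at host:port."""
    # Pass 1: no validation, only to read the certificate and fingerprint it.
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with loose.wrap_socket(raw, server_hostname=host) as tls:
            fingerprint = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    # Pass 2: full validation against the system trust store.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                return True, fingerprint, None
    except ssl.SSLCertVerificationError as exc:
        return False, fingerprint, exc.verify_message


def blocked_endpoints(results, exceptions):
    """results: {(host, port): (ca_trusted, fingerprint, error)} as returned by probe().
    exceptions: set of (host, port) pairs already accepted in the browser.
    Assumption (from the thread): an exception covers one host:port only."""
    return sorted(ep for ep, (trusted, _, _) in results.items()
                  if not trusted and ep not in exceptions)


def same_certificate(results):
    """True when every probed endpoint presents the identical certificate."""
    return len({fp for _, fp, _ in results.values()}) == 1


if __name__ == "__main__":
    # Usage: python3 check_ports.py HOST PAGE_PORT WEBSOCKET_PORT [...]
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    results = {(host, p): probe(host, p) for p in ports}
    accepted = {(host, ports[0])}  # exception stored when the Sunstone page was opened
    for ep in blocked_endpoints(results, accepted):
        print("untrusted and no stored exception:", ep, results[ep][2])
    print("same certificate on all ports:", same_certificate(results))
```

A port listed as untrusted with no stored exception is one where the browser will refuse the WebSocket handshake without showing a certificate prompt.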
[one-users] Using CloudInit for contextualization
Hi,

I'm trying to get an Ubuntu 13.10 guest to work, which uses an official Cloud-image (http://cloud-images.ubuntu.com/saucy/) as disk. However, the VM is not integrating into the virtual network. I've double checked the virtual network settings with CentOS-VMs, the network works correctly.

I've found out that CloudInit writes a correct /etc/network/interfaces file with a static address, however, the machine somehow ignores this file and keeps sending DHCP requests without getting an answer (which is intended since we don't use DHCP in the VM's network).

# virt-cat one-42 /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.129.4
  network 192.168.128.0
  netmask 255.255.254.0
  gateway 192.168.128.1

# virt-cat one-42 /var/log/syslog | tail -6
Jan 28 12:42:44 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 21 (xid=0x1080a577)
Jan 28 12:43:05 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13 (xid=0x1080a577)
Jan 28 12:43:18 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20 (xid=0x1080a577)
Jan 28 12:43:38 ubuntu dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 1 (xid=0x1080a577)
Jan 28 12:43:39 ubuntu dhclient: No DHCPOFFERS received.
Jan 28 12:43:39 ubuntu dhclient: No working leases in persistent database - sleeping.

Does anybody know how the VM template needs to be configured in order to get it working?

Thanks in advance
Wilma