Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Deepak C Shetty

Try these... assuming selinux is creating the perm issue.
I had a similar problem, and doing the below got it resolved.

1) getsebool virt_use_nfs

This should show this  variable as on ... as in ...
virt_use_nfs --> on

If not, then go to step 2

2) setsebool  virt_use_nfs 1

Do all of the above as root.

Hope that helps

thanx,
deepak

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[Users] LDAP

2012-02-24 Thread Jeff Bailey
Sorry for the new thread but I just joined the list.  The following 
excerpt from Nathan Stratton's 389DS log shows the same thing that I've 
been seeing when trying to use IPA.  It appears that the directory 
server type is being misidentified as active directory hence the search 
on samaccounttype and userprincipalname.


[23/Feb/2012:18:33:34 +] conn=50 op=3 SRCH base="dc=blinkmind,dc=net"
scope=2
filter="(&(samaccounttype=805306368)(userprincipalname=nathan at BLINKMIND.NET  
))"
attrs="nsUniqueId ipaUniqueID objectguid objectClass javaSerializedData
javaClassName javaFactory javaCodebase javaReferenceAddress javaClassNames
javaremotelocation"






Re: [Users] LDAP

2012-02-24 Thread Yair Zaslavsky
On 02/23/2012 08:26 PM, Oved Ourfalli wrote:
> 
> 
> - Original Message -
>> From: "Nathan Stratton" 
>> To: "Oved Ourfalli" 
>> Cc: users@ovirt.org, "Yaniv Kaul" 
>> Sent: Thursday, February 23, 2012 8:13:33 PM
>> Subject: Re: [Users] LDAP
>>
>> On Thu, 23 Feb 2012, Oved Ourfalli wrote:
>>
>>> IIRC, we only support using -interactive or using -passwordFile,
>>> and not both.
>>> The fact that you don't get a warning on that is a bug.
>>
>> :) Oops.
>>
>>> Found this blog with a similar error that is caused due to password
>>> expiration (in the engine log, and not while running the manage
>>> domains utility, but that might also help):
>>> http://blog.rtfm.co.hu/2012/02/rhev-error-from-kerberos-integrity-check-on-decrypted-field-failed/
>>>
>>> But the information there doesn't go very well with the fact that
>>> kinit is successful.
>>
>> Ya, I saw that also, (been doing a lot of googling), but:
>>
>> -bash-4.2# kinit nathan
>> Password for nat...@blinkmind.net:
>> -bash-4.2# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: nat...@blinkmind.net
>>
>> Valid starting     Expires            Service principal
>> 02/23/12 12:07:21  02/24/12 12:07:16  krbtgt/blinkmind@blinkmind.net
>>         renew until 03/01/12 12:07:16
>>
>>
>>> Is the file containing the correct password? Try using only
>>> -interactive, and enter the password interactively.
>>
>> Yep, the password is correct, I get the same error no matter what
>> password
>> I use. However when I try with -interactive I get more debug info
>> (see
>> below).
>>
>>> Also, attaching the log of the utility might be helpful.
>>
>> How would I get that? I don't see anything anywhere in /var/log/*
>>
> 
> It should be in 
> /var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log 
> (or in /var/log/engine/engine-manage-domains/engine-manage-domains.log... not 
> sure).
> 
>>> Also, try logging in with that user to the IPA machine, that way
>>> you'll know if you need to change your password (I saw that
>>> sometimes kinit doesn't  ask you to change the password, but
>>> logging in does).
>>
>> Yep, that works fine. If I do it with -interactive I get the errors
>> below.
>> It seems to have an issue with DNS, but yet it is pulling the two SRV
>> records AND hitting the right servers. Also both ovirt-engine and
>> ipa-master have forward and reverse dns and proper /etc/hosts files.
>>
>> -bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net
>> -user=nathan -interactive
>> Enter password:
>>
>> javax.naming.AuthenticationException: GSSAPI [Root exception is
>> javax.security.sasl.SaslException: GSS initiate failed [Caused by
>> GSSException: No valid credentials provided (Mechanism level: Server
>> not
>> found in Kerberos database (7) - UNKNOWN_SERVER)]]
>>  at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
>>  at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
>>  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
>>  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
>>  at
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>  at
>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>  at
>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>  at
>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>  at
>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>  at
>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>>  at javax.naming.InitialContext.init(InitialContext.java:240)
>>  at javax.naming.InitialContext.<init>(InitialContext.java:214)
>>  at
>> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
>>  at
>> org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:78)
>>  at java.security.AccessController.doPrivileged(Native Method)
>>  at javax.security.auth.Subject.doAs(Subject.java:357)
>>  at
>> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
>>  at
>> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:154)
>>  at
>> org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:140)
>>  at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.checkKerberosConfiguration(ManageDomains.java:563)
>>  at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.testConfiguration(ManageDomains.java:709)
>>  at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.addDomain(ManageDomains.java:404)
>>  at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.runCommand(ManageDomains.java:235)
>>  at
>> org.ovirt.engine.core.utils.kerberos.ManageDomains.main(ManageDomains.java:163)
>> Caused by: javax.security.sasl.SaslException: GSS initiate failed
>> [Caused
>

Re: [Users] LDAP

2012-02-24 Thread Yair Zaslavsky
On 02/24/2012 10:35 AM, Jeff Bailey wrote:
> Sorry for the new thread but I just joined the list.  The following
Welcome aboard Jeff

> excerpt from Nathan Stratton's 389DS log shows the same thing that I've
> been seeing when trying to use IPA.  It appears that the directory
> server type is being misidentified as active directory hence the search
> on samaccounttype and userprincipalname.
> 
> [23/Feb/2012:18:33:34 +] conn=50 op=3 SRCH base="dc=blinkmind,dc=net"
> scope=2
> filter="(&(samaccounttype=805306368)(userprincipalname=nathan at
> BLINKMIND.NET  ))"
> attrs="nsUniqueId ipaUniqueID objectguid objectClass javaSerializedData
> javaClassName javaFactory javaCodebase javaReferenceAddress javaClassNames
> javaremotelocation"
One of the issues I see here is the fact that the query is using
samaccounttype and objectguid which might be relevant only for
ActiveDirectory.
Nathan, can you provide us the exact query? (you can place
userprincipalname=X in order to prevent spamming, we'll understand
what you mean). I just want to fully understand if you truly see both
ipaUniqueID and objectguid.
I would (for example) check what attributes are supported by the 389ds
schema.

Yair



Re: [Users] Problems attaching ISO Domain to second dc

2012-02-24 Thread Deepak C Shetty

On 02/23/2012 06:21 PM, Deepak C Shetty wrote:

Hi,
I had one iso domain attached to a DC (nfs based).
I had second DC (fc based) and wanted to share the same iso domain as 
above.


When i tried to attach the same ISO domain to the fc dc, it failed and
all the other storage domains (data and master, nfs based) present in
the nfs dc, went down/inactive.

for some time i could see the status as "Contend" ( don't remember if
it was against the storage domains or dc overall)

ISO storage domains (backed by nfs) should be able to be attached to
more than 1 dc.. but it failed for me... what could be the reason ?



Hello, Is attaching 1 ISO to multiple DC's supported or not ?



Re: [Users] LDAP

2012-02-24 Thread Oved Ourfalli


- Original Message -
> From: "Jeff Bailey" 
> To: users@ovirt.org
> Sent: Friday, February 24, 2012 10:35:02 AM
> Subject: [Users] LDAP
> 
> Sorry for the new thread but I just joined the list.  The following
> excerpt from Nathan Stratton's 389DS log shows the same thing that
> I've
> been seeing when trying to use IPA.  It appears that the directory
> server type is being misidentified as active directory hence the
> search
> on samaccounttype and userprincipalname.
> 
> [23/Feb/2012:18:33:34 +] conn=50 op=3 SRCH
> base="dc=blinkmind,dc=net"
> scope=2
> filter="(&(samaccounttype=805306368)(userprincipalname=nathan at
> BLINKMIND.NET  ))"
> attrs="nsUniqueId ipaUniqueID objectguid objectClass
> javaSerializedData
> javaClassName javaFactory javaCodebase javaReferenceAddress
> javaClassNames
> javaremotelocation"
> 
> 
The identification of the provider type is done using the following logic, 
according to the results from the root DSE query:
* if it contains a defaultNamingContext attribute --> AD
* else
* Check the vendorName attribute
* if it is "389 Project" then it is IPA
* if it is "Red Hat" then it is RHDS.

We added support for AD, IPA and RHDS. I guess that 389ds has a different 
vendor name.

What does your root DSE query show?
You can run it using ldapsearch, with the options: -LLL -Y GSSAPI -D 
 -h  -b "" -s base 
objectClass=*

the distinguished name will be something like:
uid=username,dc=example,dc=com

It will help us understand which vendor name is shown in your ldap server, and 
we might use it in order to improve the identification.

It surprises me that IPA is not identified correctly, as "389 Project" is the 
vendor name that was used there (unless it was changed).
As for 389ds, as I said before we added RHDS support, so there might be changes 
in the schema, and also probably the vendor name there is not "Red Hat".


> 
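The identification logic described in the message above, written out as an added example (not the oVirt engine's code): it parses `ldapsearch -LLL` root DSE output and applies the three rules in order. The sample entries, the `UNKNOWN` result for an unmatched vendor name and the function names are assumptions made for illustration.

```python
"""Classify an LDAP server from its root DSE, following the rules quoted above."""
import base64

# Vendor names taken from the message above; matching is exact, as stated there.
VENDOR_TO_PROVIDER = {"389 Project": "IPA", "Red Hat": "RHDS"}


def parse_root_dse(ldif_text):
    """Parse one LDIF entry (ldapsearch -LLL output) into {lowercased attr: [values]}."""
    logical, in_comment = [], False
    for raw in ldif_text.splitlines():
        if raw.startswith(" "):
            # LDIF folding: a leading space continues the previous physical line.
            if logical and not in_comment:
                logical[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if raw.strip() and not in_comment:
            logical.append(raw)

    attrs = {}
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if rest.startswith(":"):
            # "attr:: <base64>" is used when the value is not safe plain text.
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        # LDAP attribute names are case-insensitive, so normalise the key.
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def identify_provider(root_dse):
    """Apply the rules in the order given: defaultNamingContext first, then vendorName."""
    if "defaultnamingcontext" in root_dse:
        return "AD"
    for vendor in root_dse.get("vendorname", []):
        if vendor in VENDOR_TO_PROVIDER:
            return VENDOR_TO_PROVIDER[vendor]
    # Assumption: the thread does not say what happens when nothing matches,
    # so this example reports it explicitly instead of guessing a provider.
    return "UNKNOWN"


def diagnose(ldif_text):
    """Return (provider, vendor names seen) so an unmatched vendorName is visible."""
    root_dse = parse_root_dse(ldif_text)
    return identify_provider(root_dse), root_dse.get("vendorname", [])


# Constructed root DSE entries (not taken from any real server).
SAMPLES = {
    "ad": """dn:
defaultNamingContext: DC=example,DC=com
rootDomainNamingContext: DC=example,DC=com
""",
    "ipa": """dn:
namingContexts: dc=example,dc=com
vendorName: 389 Project
""",
    "rhds": """dn:
namingContexts: dc=example,dc=com
vendorName: Red Hat
""",
    # A directory whose vendor string matches neither rule.
    "other": """dn:
namingContexts: dc=example,dc=com
vendorName: Example Directory Vendor
""",
}

if __name__ == "__main__":
    for label, ldif in SAMPLES.items():
        provider, vendors = diagnose(ldif)
        print(f"{label:6} -> {provider:8} vendorName={vendors}")
```

Feeding it the saved output of the root DSE query shows which vendor string the server reports when the result is `UNKNOWN`.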


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Terry Phelps
On 2/23/12, Keith Robertson  wrote:
> On 02/23/2012 02:21 PM, Terry Phelps wrote:
>> Thanks for the quick reply.
>>
>> My one hypervisor already had the ISO domain mounted (without any
>> explicit action by me):
> This is to be expected.  VDSM needs the mount. I suggested that command
> just in case it wasn't mounted for some odd reason.
>> mount | grep iso
>>
>> oravm3.acbl.net:/isodomain/ on
>> /rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
>> (rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)
>>
>> Using this mount (I didn't do exactly what you said, if that matters),
> Nope, you're fine.
>> I did the tests you asked for.
>> Yes, I can touch a new file.
>> Yes, I can read the ISO file
>>
>> Here is what I saw:
>>
> I'm assuming you were "vdsm" when you executed these commands, right?
>> bash-4.2$ ls
>> OracleLinux-R6-U2-Server-x86_64-dvd.iso
>> bash-4.2$ touch me
>> bash-4.2$ ls
>> me  OracleLinux-R6-U2-Server-x86_64-dvd.iso
>> bash-4.2$ strings Orac* |head -2
>> CD001
>> LINUX   OL6.2 x86_64 Disc 1 20111212
>>
>>
>> Funny, though. When I typed "su - vdsm" by mistake, from root, it said
>> "This account is currently not available." (Is that relevant?) But
>> what you said to do did work fine.
> By default vdsm is given a nologin shell for security reasons.  The "-s
> /bin/bash" overrides that when switching users.
>> Other ideas/
> Not at the moment.  I think you've done a fairly good job of
> demonstrating that VDSM would not have any permission problems reading
> or writing to the NFS export.

Just to gather more information, I re-ran engine-iso-uploader to
upload my ISO. It complained that the ISO was already there, which it
IS. I used the "--force" option to make him do it again. He did.

It still doesn't show up in the admin portal.

Is there something else I can do to help find the problem?


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Keith Robertson

On 02/24/2012 09:19 AM, Terry Phelps wrote:

On 2/23/12, Keith Robertson  wrote:

On 02/23/2012 02:21 PM, Terry Phelps wrote:

Thanks for the quick reply.

My one hypervisor already had the ISO domain mounted (without any
explicit action by me):

This is to be expected.  VDSM needs the mount. I suggested that command
just in case it wasn't mounted for some odd reason.

mount | grep iso

oravm3.acbl.net:/isodomain/ on
/rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
(rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)

Using this mount (I didn't do exactly what you said, if that matters),

Nope, you're fine.

I did the tests you asked for.
Yes, I can touch a new file.
Yes, I can read the ISO file

Here is what I saw:


I'm assuming you were "vdsm" when you executed these commands, right?

bash-4.2$ ls
OracleLinux-R6-U2-Server-x86_64-dvd.iso
bash-4.2$ touch me
bash-4.2$ ls
me  OracleLinux-R6-U2-Server-x86_64-dvd.iso
bash-4.2$ strings Orac* |head -2
CD001
LINUX   OL6.2 x86_64 Disc 1 20111212


Funny, though. When I typed "su - vdsm" by mistake, from root, it said
"This account is currently not available." (Is that relevant?) But
what you said to do did work fine.

By default vdsm is given a nologin shell for security reasons.  The "-s
/bin/bash" overrides that when switching users.

Other ideas/

Not at the moment.  I think you've done a fairly good job of
demonstrating that VDSM would not have any permission problems reading
or writing to the NFS export.

Just to gather more information, I re-ran engine-iso-uploader to
upload my ISO. It complained that the ISO was already there, which it
IS. I used the "--force" option to make him do it again. He did.

Yup, standard behavior.

It still doesn't show up in the admin portal.

Is there something else I can do to help find the problem?
Well you've demonstrated that the user "vdsm" can r/w the NFS export 
from the hypervisor.  This is a common source of problems as things like 
selinux and UID/GID mismatches can cause all sorts of blockages preventing 
VDSM's ability to r/w the NFS export.


Let's see what VDSM thinks.  From a hypervisor do this...
1. Type "mount"
2. Look for your ISO domain in the returned list.
3. Note the local path to the ISO domain.  It might look something like 
this...

 /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
4. List the directories in it:
  ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
5. Notice the returned UUID directory name:
 [root@node ~]# ls  /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
 92cf90c2-3698-48b5-84fd-d8e4f8684549
6. Supply that to the vdsClient command as follows:
  vdsClient -s 0  getFileList  92cf90c2-3698-48b5-84fd-d8e4f8684549

What happens?






Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Terry Phelps
It looks like you were doing this as root, so I did, too. In any case,
the result looks good to me:

# mount | grep iso

oravm3.acbl.net:/isodomain/ on
/rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
(rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)

]# ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain

48a5390f-2f86-485c-8537-b6bc9dd71796  vdsmTest

[root@oravm2 ~]# vdsClient -s 0 getFileList 48a5390f-2f86-485c-8537-b6bc9dd71796

file:  OracleLinux-R6-U2-Server-x86_64-dvd.iso status:  {'status':
469, 'ctime': '1330092866.03', 'size': '3591360512'}


NOTE: That "vdsmTest" file you see has appeared there since yesterday,
I think. I didn't put it there.

On 2/24/12, Keith Robertson  wrote:
> On 02/24/2012 09:19 AM, Terry Phelps wrote:
>> On 2/23/12, Keith Robertson  wrote:
>>> On 02/23/2012 02:21 PM, Terry Phelps wrote:
 Thanks for the quick reply.

 My one hypervisor already had the ISO domain mounted (without any
 explicit action by me):
>>> This is to be expected.  VDSM needs the mount. I suggested that command
>>> just in case it wasn't mounted for some odd reason.
 mount | grep iso

 oravm3.acbl.net:/isodomain/ on
 /rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
 (rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)

 Using this mount (I didn't do exactly what you said, if that matters),
>>> Nope, you're fine.
 I did the tests you asked for.
 Yes, I can touch a new file.
 Yes, I can read the ISO file

 Here is what I saw:

>>> I'm assuming you were "vdsm" when you executed these commands, right?
 bash-4.2$ ls
 OracleLinux-R6-U2-Server-x86_64-dvd.iso
 bash-4.2$ touch me
 bash-4.2$ ls
 me  OracleLinux-R6-U2-Server-x86_64-dvd.iso
 bash-4.2$ strings Orac* |head -2
 CD001
 LINUX   OL6.2 x86_64 Disc 1 20111212


 Funny, though. When I typed "su - vdsm" by mistake, from root, it said
 "This account is currently not available." (Is that relevant?) But
 what you said to do did work fine.
>>> By default vdsm is given a nologin shell for security reasons.  The "-s
>>> /bin/bash" overrides that when switching users.
 Other ideas/
>>> Not at the moment.  I think you've done a fairly good job of
>>> demonstrating that VDSM would not have any permission problems reading
>>> or writing to the NFS export.
>> Just to gather more information, I re-ran engine-iso-uploader to
>> upload my ISO. It complained that the ISO was already there, which it
>> IS. I used the "--force" option to make him do it again. He did.
> Yup, standard behavior.
>> It still doesn't show up in the admin portal.
>>
>> Is there something else I can do to help find the problem?
> Well you've demonstrated that the user "vdsm" can r/w the NFS export
> from the hypervisor.  This is a common source of problems as things like
> selinux and UID/GID mismatches can cause all sorts of blockages preventing
> VDSM's ability to r/w the NFS export.
>
> Let's see what VDSM thinks.  From a hypervisor do this...
> 1. Type "mount"
> 2. Look for your ISO domain in the returned list.
> 3. Note the local path to the ISO domain.  It might look something like
> this...
>   /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
> 4. List the directories in it:
>ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
> 5. Notice the returned UUID directory name:
>   [root@node ~]# ls  /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
>   92cf90c2-3698-48b5-84fd-d8e4f8684549
> 6. Supply that to the vdsClient command as follows:
>vdsClient -s 0  getFileList  92cf90c2-3698-48b5-84fd-d8e4f8684549
>
> What happens?


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Keith Robertson
OK, so VDSM looks fine.  Let's see what the REST API and by extension 
ovirt-engine thinks about it...


From the host upon which ovirt-engine is running do this:
 wget -q -O - --no-check-certificate --user=admin@internal \
   --password='password here' \
   https://localhost:8443/api/storagedomains/48a5390f-2f86-485c-8537-b6bc9dd71796/files


Do you see the files?

Cheers,
Keith

On 02/24/2012 10:28 AM, Terry Phelps wrote:

It looks like you were doing this as root, so I did, too. In any case,
the result looks good to me:

# mount | grep iso

oravm3.acbl.net:/isodomain/ on
/rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
(rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)

]# ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain

48a5390f-2f86-485c-8537-b6bc9dd71796  vdsmTest

[root@oravm2 ~]# vdsClient -s 0 getFileList 48a5390f-2f86-485c-8537-b6bc9dd71796

file:  OracleLinux-R6-U2-Server-x86_64-dvd.iso status:  {'status':
469, 'ctime': '1330092866.03', 'size': '3591360512'}


NOTE: That "vdsmTest" file you see has appeared there since yesterday,
I think. I didn't put it there.

Have no idea what that is.

On 2/24/12, Keith Robertson  wrote:

On 02/24/2012 09:19 AM, Terry Phelps wrote:

On 2/23/12, Keith Robertson   wrote:

On 02/23/2012 02:21 PM, Terry Phelps wrote:

Thanks for the quick reply.

My one hypervisor already had the ISO domain mounted (without any
explicit action by me):

This is to be expected.  VDSM needs the mount. I suggested that command
just in case it wasn't mounted for some odd reason.

mount | grep iso

oravm3.acbl.net:/isodomain/ on
/rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
(rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)

Using this mount (I didn't do exactly what you said, if that matters),

Nope, you're fine.

I did the tests you asked for.
Yes, I can touch a new file.
Yes, I can read the ISO file

Here is what I saw:


I'm assuming you were "vdsm" when you executed these commands, right?

bash-4.2$ ls
OracleLinux-R6-U2-Server-x86_64-dvd.iso
bash-4.2$ touch me
bash-4.2$ ls
me  OracleLinux-R6-U2-Server-x86_64-dvd.iso
bash-4.2$ strings Orac* |head -2
CD001
LINUX   OL6.2 x86_64 Disc 1 20111212


Funny, though. When I typed "su - vdsm" by mistake, from root, it said
"This account is currently not available." (Is that relevant?) But
what you said to do did work fine.

By default vdsm is given a nologin shell for security reasons.  The "-s
/bin/bash" overrides that when switching users.

Other ideas/

Not at the moment.  I think you've done a fairly good job of
demonstrating that VDSM would not have any permission problems reading
or writing to the NFS export.

Just to gather more information, I re-ran engine-iso-uploader to
upload my ISO. It complained that the ISO was already there, which it
IS. I used the "--force" option to make him do it again. He did.

Yup, standard behavior.

It still doesn't show up in the admin portal.

Is there something else I can do to help find the problem?

Well you've demonstrated that the user "vdsm" can r/w the NFS export
from the hypervisor.  This is a common source of problems as things like
selinux and UID/GID mismatches can cause all sorts of blockages preventing
VDSM's ability to r/w the NFS export.

Let's see what VDSM thinks.  From a hypervisor do this...
1. Type "mount"
2. Look for your ISO domain in the returned list.
3. Note the local path to the ISO domain.  It might look something like
this...
   /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
4. List the directories in it:
ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
5. Notice the returned UUID directory name:
   [root@node ~]# ls  /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
   92cf90c2-3698-48b5-84fd-d8e4f8684549
6. Supply that to the vdsClient command as follows:
vdsClient -s 0  getFileList  92cf90c2-3698-48b5-84fd-d8e4f8684549

What happens?









Re: [Users] Problems attaching ISO Domain to second dc

2012-02-24 Thread Itamar Heim

On 02/24/2012 02:52 PM, Deepak C Shetty wrote:

On 02/23/2012 06:21 PM, Deepak C Shetty wrote:

Hi,
I had one iso domain attached to a DC (nfs based).
I had second DC (fc based) and wanted to share the same iso domain as
above.

When i tried to attach the same ISO domain to the fc dc, it failed and
all the other
storage domains (data and master, nfs based) present in the nfs dc,
went down/inactive.

for some time i could see the status as "Contend" ( don't remember if
it was against the
storage domains or dc overall)

ISO storage domains (backed by nfs) should be able to be attached to
more than 1
dc.. but it failed for me... what could be the reason ?



Hello, Is attaching 1 ISO to multiple DC's supported or not ?


supported


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Douglas Landgraf

On 02/24/2012 10:28 AM, Terry Phelps wrote:

It looks like you were doing this as root, so I did, too. In any case,
the result looks good to me:

# mount | grep iso

oravm3.acbl.net:/isodomain/ on
/rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
(rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)

]# ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain

48a5390f-2f86-485c-8537-b6bc9dd71796  vdsmTest

[root@oravm2 ~]# vdsClient -s 0 getFileList 48a5390f-2f86-485c-8537-b6bc9dd71796

file:  OracleLinux-R6-U2-Server-x86_64-dvd.iso status:  {'status':
469, 'ctime': '1330092866.03', 'size': '3591360512'}


NOTE: That "vdsmTest" file you see has appeared there since yesterday,
I think. I didn't put it there.


You didn't, this file can be removed, yesterday the nfs-check couldn't 
complete the test (remove the file) as you answered me (below) and it's 
still there.


 # python nfs-check.py oravm3.acbl.net:/isodomain
 Current hostname: oravm2.acbl.net - IP addr 127.0.0.1
 Trying to /bin/mount -t nfs oravm3.acbl.net:/isodomain...
 Executing NFS tests..
 Removing vdsmTest file..
 Traceback (most recent call last):
  File "nfs-check.py", line 268, in <module>
os.removedirs(LOCALPATH)
  File "/usr/lib64/python2.7/os.py", line 170, in removedirs
 OSError: [Errno 16] Device or resource busy: '/tmp/tmpV9KEh5'



Now I am wondering why...


--
Cheers
Douglas



Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Douglas Landgraf

Hi Terry,

On 02/24/2012 02:51 PM, Douglas Landgraf wrote:

On 02/24/2012 10:28 AM, Terry Phelps wrote:

It looks like you were doing this as root, so I did, too. In any case,
the result looks good to me:

# mount | grep iso

oravm3.acbl.net:/isodomain/ on
/rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
(rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10) 



]# ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain

48a5390f-2f86-485c-8537-b6bc9dd71796  vdsmTest

[root@oravm2 ~]# vdsClient -s 0 getFileList 
48a5390f-2f86-485c-8537-b6bc9dd71796


file:  OracleLinux-R6-U2-Server-x86_64-dvd.iso status:  {'status':
469, 'ctime': '1330092866.03', 'size': '3591360512'}


NOTE: That "vdsmTest" file you see has appeared there since yesterday,
I think. I didn't put it there.


You didn't, this file can be removed, yesterday the nfs-check 
couldn't complete the test (remove the file) as you answered me (below) 
and it's still there.


 # python nfs-check.py oravm3.acbl.net:/isodomain
 Current hostname: oravm2.acbl.net - IP addr 127.0.0.1
 Trying to /bin/mount -t nfs oravm3.acbl.net:/isodomain...
 Executing NFS tests..
 Removing vdsmTest file..
 Traceback (most recent call last):
  File "nfs-check.py", line 268, in <module>
os.removedirs(LOCALPATH)
  File "/usr/lib64/python2.7/os.py", line 170, in removedirs
 OSError: [Errno 16] Device or resource busy: '/tmp/tmpV9KEh5'



Just to confirm, during the execution of nfs-check, did you manually 
enter /tmp/tmpV9KEh5 (from another shell)?

If not, this EBUSY error might be a symptom of this weird behaviour...

However, let me continue... looking at the previous messages of this 
thread, it looks like you have the iso correctly uploaded.
Have you tried to restart the jboss-as service (oVirt Engine) to see if your 
iso appears in the GUI?


BTW, most of the ovirt people are available to chat and help 'on-the-fly' at 
irc.oftc.net, channel #ovirt, feel free to join us there.


--
Cheers
Douglas (irc: dougsland)



Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Deepak C Shetty

Terry,
Did you try the getsebool and setsebool options I provided, just 
checking if u happened to miss that mail ?



Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Keith Robertson

On 02/24/2012 12:42 PM, Deepak C Shetty wrote:

Terry,
Did you try the getsebool and setsebool options I provided, just 
checking if u happened to miss that mail ?

I think the test to r/w files on the NFS export would have exposed that 
issue.  Since Terry was able to successfully r/w files in the ISO storage 
domain as the VDSM user I doubt that this is the root cause.  I'd really 
like to see the output from the wget to the REST API.


Cheers,
Keith


Re: [Users] Problems attaching ISO Domain to second dc

2012-02-24 Thread Deepak C Shetty

On 02/24/2012 09:57 PM, Itamar Heim wrote:

On 02/24/2012 02:52 PM, Deepak C Shetty wrote:

On 02/23/2012 06:21 PM, Deepak C Shetty wrote:

Hi,
I had one iso domain attached to a DC (nfs based).
I had second DC (fc based) and wanted to share the same iso domain as
above.

When i tried to attach the same ISO domain to the fc dc, it failed and
all the other
storage domains (data and master, nfs based) present in the nfs dc,
went down/inactive.

for some time i could see the status as "Contend" ( don't remember if
it was against the
storage domains or dc overall)

ISO storage domains (backed by nfs) should be able to be attached to
more than 1
dc.. but it failed for me... what could be the reason ?



Hello, Is attaching 1 ISO to multiple DC's supported or not ?


supported

So i have 2 dc's NFS and FC based, i have an iso domain ( backed by nfs) 
currently attached
to NFS dc, but when i try to attach the same iso domain to fc dc, it 
appears on the UI , with Locked
as status for a while and then disappears... is there something that i 
am missing ?




Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Terry Phelps
On 2/24/12, Keith Robertson  wrote:
> OK, so VDSM looks fine.  Let's see what the REST API and by extension
> ovirt-engine thinks about it...
>
>  From the host upon which ovirt-engine is running do this:
>   wget -q -O - --no-check-certificate --user=admin@internal
> --password='password here'
> https://localhost:8443/api/storagedomains/48a5390f-2f86-485c-8537-b6bc9dd71796/files
>
> Do you see the files?

NOPE:

# cat doit
wget -q -O - --no-check-certificate --user=admin@internal \
   --password=**
https://localhost:8443/api/storagedomains/48a5390f-2f86-485c-8537-b6bc9dd71796/files

[root@oravm3 ~]# sh doit




Maybe this has gotten us closer to the problem.




>
> Cheers,
> Keith
>
> On 02/24/2012 10:28 AM, Terry Phelps wrote:
>> It looks like you were doing this as root, so I did, too. In any case,
>> the result looks good to me:
>>
>> # mount | grep iso
>>
>> oravm3.acbl.net:/isodomain/ on
>> /rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
>> (rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)
>>
>> ]# ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
>>
>> 48a5390f-2f86-485c-8537-b6bc9dd71796  vdsmTest
>>
>> [root@oravm2 ~]# vdsClient -s 0 getFileList
>> 48a5390f-2f86-485c-8537-b6bc9dd71796
>>
>> file:  OracleLinux-R6-U2-Server-x86_64-dvd.iso status:  {'status':
>> 469, 'ctime': '1330092866.03', 'size': '3591360512'}
>>
>>
>> NOTE: That "vdsmTest" file you see has appeared there since yesterday,
>> I think. I didn't put it there.
> Have no idea what that is.
>> On 2/24/12, Keith Robertson  wrote:
>>> On 02/24/2012 09:19 AM, Terry Phelps wrote:
>>>> On 2/23/12, Keith Robertson wrote:
>>>>> On 02/23/2012 02:21 PM, Terry Phelps wrote:
>>>>>> Thanks for the quick reply.
>>>>>>
>>>>>> My one hypervisor already had the ISO domain mounted (without any
>>>>>> explicit action by me):
>>>>> This is to be expected.  VDSM needs the mount. I suggested that command
>>>>> just in case it wasn't mounted for some odd reason.
>>>>>> mount | grep iso
>>>>>>
>>>>>> oravm3.acbl.net:/isodomain/ on
>>>>>> /rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
>>>>>> (rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)
>>>>>>
>>>>>> Using this mount (I didn't do exactly what you said, if that matters),
>>>>> Nope, you're fine.
>>>>>> I did the tests you asked for.
>>>>>> Yes, I can touch a new file.
>>>>>> Yes, I can read the ISO file
>>>>>>
>>>>>> Here is what I saw:
>>>>>>
>>>>> I'm assuming you were "vdsm" when you executed these commands, right?
>>>>>> bash-4.2$ ls
>>>>>> OracleLinux-R6-U2-Server-x86_64-dvd.iso
>>>>>> bash-4.2$ touch me
>>>>>> bash-4.2$ ls
>>>>>> me  OracleLinux-R6-U2-Server-x86_64-dvd.iso
>>>>>> bash-4.2$ strings Orac* |head -2
>>>>>> CD001
>>>>>> LINUX   OL6.2 x86_64 Disc 1 20111212
>>>>>>
>>>>>>
>>>>>> Funny, though. When I typed "su - vdsm" by mistake, from root, it said
>>>>>> "This account is currently not available." (Is that relevant?) But
>>>>>> what you said to do did work fine.
>>>>> By default vdsm is given a nologin shell for security reasons.  The "-s
>>>>> /bin/bash" overrides that when switching users.
>>>>>> Other ideas/
>>>>> Not at the moment.  I think you've done a fairly good job of
>>>>> demonstrating that VDSM would not have any permission problems reading
>>>>> or writing to the NFS export.
>>>> Just to gather more information, I re-ran engine-iso-uploader to
>>>> upload my ISO. It complained that the ISO was already there, which it
>>>> IS. I used the "--force" option to make him do it again. He did.
>>> Yup, standard behavior.
>>>> It still doesn't show up in the admin portal.
>>>>
>>>> Is there something else I can do to help find the problem?
>>> Well you've demonstrated that the user "vdsm" can r/w the NFS export
>>> from the hypervisor.  This is a common source of problems as things like
>>> selinux and UID/GID mismatches can cause all sorts blockages preventing
>>> VDSM's ability to r/w the NFS export.
>>>
>>> Let's see what VDSM thinks.  From a hypervisor do this...
>>> 1. Type "mount"
>>> 2. Look for your ISO domain in the returned list.
>>> 3. Note the local path to the ISO domain.  It might look something like
>>> this...
>>>/rhev/data-center/mnt/oravm3.acbl.net:_isodomain
>>> 4. List the directories in it:
>>> ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
>>> 5. Notice the returned UUID directory name:
>>>[root@node ~]# ls  /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
>>>92cf90c2-3698-48b5-84fd-d8e4f8684549
>>> 6. Supply that to the vdsClient command as follows:
>>> vdsClient -s 0  getFileList  92cf90c2-3698-48b5-84fd-d8e4f8684549
>>>
>>> What happens?
>>>
>>>
>>>
>>>
>>>
>
>

Re: [Users] LDAP

2012-02-24 Thread Nathan Stratton

On Fri, 24 Feb 2012, Oved Ourfalli wrote:


> The identification of the provider type is done using the following logic,
> according to the results from the root DSE query:
> * if it contains a defaultNamingContext attribute --> AD
> * else
> * Check the vendorName attribute
> * if it is "389 Project" then it is IPA
> * if it is "Red Hat" then it is RHDS.
>
> We added support for AD, IPA and RHDS. I guess that 389ds has a different
> vendor name.
>
> What does your root DSE query show?
> You can run it using ldapsearch, with the options" -LLL -Y GSSAPI -D  -h  -b "" -s base objectClass=*
>
> the distinguished name will be something like:
> uid=username,dc=example,dc=com


[root@ipa-master ~]# ldapsearch -LLL -Y GSSAPI -D 
uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net -h localhost -b "" -s 
base objectClass=*

SASL/GSSAPI authentication started
SASL username: ad...@blinkmind.net
SASL SSF: 56
SASL data security layer installed.
dn:
objectClass: top
namingContexts: dc=blinkmind,dc=net
defaultnamingcontext: dc=blinkmind,dc=net
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.10
supportedExtension: 2.16.840.1.113730.3.8.10.3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.1
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.12
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.13
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.2.10.rc1 B2012.035.328
dataversion: 020120223201756
netscapemdsuffix: cn=ldap://dc=ipa-master,dc=blinkmind,dc=net:389
lastusn: 468



> It will help us understand which vendor name is shown in your ldap server, and
> we might use it in order to improve the identification.
>
> It surprises me that IPA is not identified correctly, as "389 Project" is the
> vendor name that was used there (unless it was changed).
> As for 389ds, as I said before we added RHDS support, so there might be changes in the
> schema, and also probably the vendor name there is not "Red Hat".


Looks like "389 Project"

However I still see:

-bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net -user=nathan 
-interactive
Enter password:

No user in Directory was found for nat...@blinkmind.net. Trying next LDAP 
server in list
Failure while testing domain blinkmind.net. Details: No user information was 
found for user


On my FreeIPA server I see:

[24/Feb/2012:18:28:46 +] conn=144 op=3 SRCH base="dc=blinkmind,dc=net" 
scope=2 
filter="(&(samaccounttype=805306368)(userprincipalname=nat...@blinkmind.net))" 
attrs="nsUniqueId ipaUniqueID objectguid objectClass javaSerializedData 
javaClassName javaFactory javaCodebase javaReferenceAddress javaClassNames 
javaremotelocation"
[24/Feb/2012:18:28:46 +] conn=144 op=3 RESULT err=0 tag=101 nentries=0 
etime=0 notes=U



Entries returned are 0 because userprincipalname=nat...@blinkmind.net does 
not exist.




<>

Nathan Stratton                CTO, BlinkMind, Inc.
nathan at robotics.net         nathan at blinkmind.com
http://www.robotics.net        http://www.blinkmind.com


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Keith Robertson
Is your storage domain active?  Just run the "list" command on the iso  
uploader (or look in the UI).


Example:
[root@rhevm ~]# rhevm-iso-uploader list
Please provide the REST API password for RHEV-M (CTRL+D to abort):
ISO Storage Domain Name   | Datacenter| ISO Domain Status
iso1  | Default   | active
iso1  | iSCSI | inactive
iso1  | NFS   | active


On 02/24/2012 01:04 PM, Terry Phelps wrote:
> On 2/24/12, Keith Robertson  wrote:
>> OK, so VDSM looks fine.  Let's see what the REST API and by extension
>> ovirt-engine thinks about it...
>>
>>   From the host upon which ovirt-engine running do this:
>>    wget -q -O - --no-check-certificate --user=admin@internal
>> --password='password here'
>> https://localhost:8443/api/storagedomains/48a5390f-2f86-485c-8537-b6bc9dd71796/files
>>
>> Do you see the files?
>
> NOPE:
>
> # cat doit
> wget -q -O - --no-check-certificate --user=admin@internal \
> --password=**
> https://localhost:8443/api/storagedomains/48a5390f-2f86-485c-8537-b6bc9dd71796/files
>
> [root@oravm3 ~]# sh doit
>
> Maybe this has gotten us closer to the problem.
>
>> Cheers,
>> Keith


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Terry Phelps
Yes, I think so. Note that I'm running the ovirt 3 RPM, and not the
RHEV product, if that matters:

# engine-iso-uploader list
Please provide the REST API password for the admin@internal oVirt
Engine user (CTRL+D to abort):
ISO Storage Domain Name   | Datacenter| ISO Domain Status
ISODomain | Default   | active


On 2/24/12, Keith Robertson  wrote:
> Is your storage domain active?  Just run the "list" command on the iso
> uploader (or look in the UI).
>
> Example:
> [root@rhevm ~]# rhevm-iso-uploader list
> Please provide the REST API password for RHEV-M (CTRL+D to abort):
> ISO Storage Domain Name   | Datacenter| ISO Domain Status
> iso1  | Default   | active
> iso1  | iSCSI | inactive
> iso1  | NFS   | active

Re: [Users] LDAP

2012-02-24 Thread Yair Zaslavsky
On 02/24/2012 08:31 PM, Nathan Stratton wrote:
> On Fri, 24 Feb 2012, Oved Ourfalli wrote:
> 
>> The identification of the provider type is done using the following
>> logic, according to the results from the root DSE query:
>> * if it contains a defaultNamingContext attribute --> AD
>> * else
>> * Check the vendorName attribute
>> * if it is "389 Project" then it is IPA
>> * if it is "Red Hat" then it is RHDS.
>>
>> We added support for AD, IPA and RHDS. I guess that 389ds has a
>> different vendor name.
>>
>> What does your root DSE query show?
>> You can run it using ldapsearch, with the options" -LLL -Y GSSAPI -D
>>  -h  -b "" -s base
>> objectClass=*
>>
>> the distinguished name will be something like:
>> uid=username,dc=example,dc=com
> 
> [root@ipa-master ~]# ldapsearch -LLL -Y GSSAPI -D
> uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net -h localhost -b ""
> -s base objectClass=*
> SASL/GSSAPI authentication started
> SASL username: ad...@blinkmind.net
> SASL SSF: 56
> SASL data security layer installed.
> dn:
> objectClass: top
> namingContexts: dc=blinkmind,dc=net
> defaultnamingcontext: dc=blinkmind,dc=net
> supportedExtension: 2.16.840.1.113730.3.5.7
> supportedExtension: 2.16.840.1.113730.3.5.8
> supportedExtension: 2.16.840.1.113730.3.5.10
> supportedExtension: 2.16.840.1.113730.3.8.10.3
> supportedExtension: 1.3.6.1.4.1.4203.1.11.1
> supportedExtension: 2.16.840.1.113730.3.8.10.1
> supportedExtension: 2.16.840.1.113730.3.5.3
> supportedExtension: 2.16.840.1.113730.3.5.12
> supportedExtension: 2.16.840.1.113730.3.5.5
> supportedExtension: 2.16.840.1.113730.3.5.6
> supportedExtension: 2.16.840.1.113730.3.5.9
> supportedExtension: 2.16.840.1.113730.3.5.4
> supportedExtension: 1.3.6.1.4.1.1466.20037
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 2.16.840.1.113730.3.4.3
> supportedControl: 2.16.840.1.113730.3.4.4
> supportedControl: 2.16.840.1.113730.3.4.5
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.16
> supportedControl: 2.16.840.1.113730.3.4.15
> supportedControl: 2.16.840.1.113730.3.4.17
> supportedControl: 2.16.840.1.113730.3.4.19
> supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8
> supportedControl: 1.3.6.1.4.1.4203.666.5.16
> supportedControl: 2.16.840.1.113730.3.4.14
> supportedControl: 2.16.840.1.113730.3.4.20
> supportedControl: 1.3.6.1.4.1.1466.29539.12
> supportedControl: 2.16.840.1.113730.3.4.12
> supportedControl: 2.16.840.1.113730.3.4.18
> supportedControl: 2.16.840.1.113730.3.4.13
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: PLAIN
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: LOGIN
> supportedLDAPVersion: 2
> supportedLDAPVersion: 3
> vendorName: 389 Project
> vendorVersion: 389-Directory/1.2.10.rc1 B2012.035.328
> dataversion: 020120223201756
> netscapemdsuffix: cn=ldap://dc=ipa-master,dc=blinkmind,dc=net:389
> lastusn: 468
> 
> 
>> It will help us understand which vendor name is shown in your ldap
>> server, and we might use it in order to improve the identification.
>>
>> It surprises me that IPA is not identified correctly, as "389 Project"
>> is the vendor name that was used there (unless it was changed).
>> As for 389ds, as I said before we added RHDS support, so there might
>> be changes in the schema, and also probably the vendor name there is
>> not "Red Hat".
> 
> Looks like "389 Project"
> 
> However I still see:
> 
> -bash-4.2# engine-manage-domains -action=add -domain=blinkmind.net
> -user=nathan -interactive
> Enter password:
> 
> No user in Directory was found for nat...@blinkmind.net. Trying next
> LDAP server in list
> Failure while testing domain blinkmind.net. Details: No user information
> was found for user
> 
> 
> On my FreeIPA server I see:
> 
> [24/Feb/2012:18:28:46 +] conn=144 op=3 SRCH
> base="dc=blinkmind,dc=net" scope=2
> filter="(&(samaccounttype=805306368)(userprincipalname=nat...@blinkmind.net))"
> attrs="nsUniqueId ipaUniqueID objectguid objectClass javaSerializedData
> javaClassName javaFactory javaCodebase javaReferenceAddress
> javaClassNames javaremotelocation"
> [24/Feb/2012:18:28:46 +] conn=144 op=3 RESULT err=0 tag=101
> nentries=0 etime=0 notes=U
> 
> 
> Entries returned are 0 because userprincipalname=nat...@blinkmind.net
> does not exist.
Hi Nathan,

I think you're using the wrong query with IPA.

the part of samaccounttype=805306368 should be replaced with
objectClass=krbPrincipalAux
the part of userprincipalname should be replaced with -

krbPrincipalName=nat...@bblinkmind.net

So I guess the filter should look like -
(&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@bblinkmind.net))

I did not develop the IPA support, however, I checked the file -
LdapQ

Re: [Users] LDAP

2012-02-24 Thread Nathan Stratton

On Fri, 24 Feb 2012, Yair Zaslavsky wrote:


> One of the issues I see here is the fact that the query is using
> samaccounttype and objectguid which might be relevant only for
> ActiveDirectory.
> Nathan, can you provide us the exact query? (you can place
> userprincipalname=X in order to prevent spamming, we'll understand
> what you mean). I just want to fully understand if you truly see both
> ipaUniqueID and objectguid


[24/Feb/2012:18:28:46 +] conn=144 op=3 SRCH base="dc=blinkmind,dc=net" 
scope=2 
filter="(&(samaccounttype=805306368)(userprincipalname=nat...@blinkmind.net))" 
attrs="nsUniqueId ipaUniqueID objectguid objectClass javaSerializedData 
javaClassName javaFactory javaCodebase javaReferenceAddress javaClassNames 
javaremotelocation"


They both are there, but with FreeIPA there is no "userprincipalname"


<>

Nathan Stratton                CTO, BlinkMind, Inc.
nathan at robotics.net         nathan at blinkmind.com
http://www.robotics.net        http://www.blinkmind.com


Re: [Users] LDAP

2012-02-24 Thread Nathan Stratton

On Fri, 24 Feb 2012, Yair Zaslavsky wrote:


> Hi Nathan,
>
> I think you're using the wrong query with IPA.

Yep, but so far I have not found how to fix ovirt to use the correct one.

> the part of samaccounttype=805306368 should be replaced with
> objectClass=krbPrincipalAux
> the part of userprincipalname should be replaced with -
>
> krbPrincipalName=nat...@bblinkmind.net
>
> So I guess the filter should look like -
> (&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@bblinkmind.net))

Yes, I understand the query is wrong, what I don't understand is how to
make ovirt use the correct query. I started working trying to get LDAP to
work with my OpenLDAP system and was told that ovirt does not yet support
it. I asked what was supported and was told to try 389, but ran into
issues with that so then I was asked to try IPA and now have this issue.

> I did not develop the IPA support, however, I checked the file -
> LdapQueryMetadataFactoryImpl.java and found definitions of the queries
> for the different providers - what you will see there is that each LDAP
> provider has its own map of keys to queries - the relevant key is
> LdapQueryType.getUserByPrincipalName  - so you can see how it is defined
> in adHashMap and how it is defined in ipaHashMap, and other maps (dsMap
> , for instance).


I don't have that .java file, I do have the .class. I am new to Java, how 
do I go about modifying ovirt to use the correct query?



<>

Nathan Stratton                CTO, BlinkMind, Inc.
nathan at robotics.net         nathan at blinkmind.com
http://www.robotics.net        http://www.blinkmind.com


Re: [Users] LDAP

2012-02-24 Thread Yair Zaslavsky
On 02/24/2012 08:59 PM, Nathan Stratton wrote:
> On Fri, 24 Feb 2012, Yair Zaslavsky wrote:
> 
>> Hi Nathan,
>>
>> I think you're using the wrong query with IPA.
> 
> Yep, but so far I have not found how to fix ovirt to use the correct one.
> 
>> the part of samaccounttype=805306368 should be replaced with
>> objectClass=krbPrincipalAux
>> the part of userprincipalname should be replaced with -
>>
>> krbPrincipalName=nat...@bblinkmind.net
>>
>> So I guess the filter should look like -
>> (&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@bblinkmind.net))
> 
> Yes, I understand the query is wrong, what I don't understand is how to
> make ovirt use the correct query. I started working trying to get LDAP
> to work with my OpenLDAP system and was told that ovirt does not yet
> support it. I asked what was supported and was told to try 389, but ran
> into issues with that so then I was asked to try IPA and now have this
> issue.
> 
>> I did not develop the IPA support, however, I checked the file -
>> LdapQueryMetadataFactoryImpl.java and found definitions of the queries
>> for the different providers - what you will see there is that each LDAP
>> provider has its own map of keys to queries - the relevant key is
>> LdapQueryType.getUserByPrincipalName  - so you can see how it is defined
>> in adHashMap and how it is defined in ipaHashMap, and other maps (dsMap
>> , for instance).
> 
> I don't have that .java file, I do have the .class. I am new to Java,
> how do I go about modifying ovirt to use the correct query?

Nathan, first of all, please try to run the query I suggested for you -
change the filter to
(&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@bblinkmind.net))
(I understand you try to query IPA with an external tool - please first
try to use this filter and see if it works.
In my humble opinion, I don't think that you need to change the code, we
need to understand why IPA provider is not "detected".

Yair


> 
>> <>
> Nathan Stratton                CTO, BlinkMind, Inc.
> nathan at robotics.net         nathan at blinkmind.com
> http://www.robotics.net        http://www.blinkmind.com



Re: [Users] LDAP

2012-02-24 Thread Nathan Stratton

On Fri, 24 Feb 2012, Yair Zaslavsky wrote:


> Nathan, first of all, please try to run the query I suggested for you -
> change the filter to
> (&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@bblinkmind.net))
> (I understand you try to query IPA with an external tool - please first
> try to use this filter and see if it works.
> In my humble opinion, I don't think that you need to change the code, we
> need to understand why IPA provider is not "detected".


Sorry, new to LDAP, took me a while to figure out how to do the query with 
ldapsearch.


[root@ipa-master ~]# ldapsearch -x -b "dc=blinkmind,dc=net" 
"(&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@blinkmind.net))" 
-h localhost

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@blinkmind.net))
# requesting: ALL
#

# nathan, users, accounts, blinkmind.net
dn: uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net
displayName: Nathan Stratton
cn: Nathan Stratton
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: Stratton
gecos: Nathan Stratton
homeDirectory: /home/nathan
krbPwdPolicyReference: cn=global_policy,cn=BLINKMIND.NET,cn=kerberos,dc=blinkm
 ind,dc=net
krbPrincipalName: nat...@blinkmind.net
givenName: Nathan
uid: nathan
initials: NS
uidNumber: 33344
gidNumber: 33344
ipaUniqueID: cfcf627e-5e5c-11e1-8e68-001a4a0d0004
mepManagedEntry: cn=nathan,cn=groups,cn=accounts,dc=blinkmind,dc=net
krbLastPwdChange: 20120223202917Z
krbPasswordExpiration: 20220220202917Z
krbLoginFailedCount: 0
krbExtraData:: AAgBAA==
krbExtraData:: AAKdoUZPbmF0aGFuQEJMSU5LTUlORC5ORVQA
krbLastFailedAuth: 20120223202750Z
krbLastSuccessfulAuth: 20120224191502Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1




<>

Nathan Stratton                CTO, BlinkMind, Inc.
nathan at robotics.net         nathan at blinkmind.com
http://www.robotics.net        http://www.blinkmind.com
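
The detection order described in this thread, applied to a trimmed copy of the root DSE posted above, together with the two user filters discussed. This is an added example, not oVirt's code. The function names, the vendor-first ordering in `detect_vendor_first` and the principal used in the test call are assumptions made for illustration.

```python
import base64

# Constructed sample: trimmed copy of the root DSE attributes posted in the
# thread (OID lists left out).
ROOT_DSE_LDIF = """\
dn:
objectClass: top
namingContexts: dc=blinkmind,dc=net
defaultnamingcontext: dc=blinkmind,dc=net
supportedSASLMechanisms: GSSAPI
supportedLDAPVersion: 3
vendorName: 389 Project
vendorVersion: 389-Directory/1.2.10.rc1 B2012.035.328
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF continuation line
        elif line and not line.startswith("#"):
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        # LDAP attribute names are case-insensitive, so compare lowercased.
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs

VENDOR_TO_PROVIDER = {"389 project": "IPA", "red hat": "RHDS"}

def by_vendor(root_dse):
    vendor = (root_dse.get("vendorname") or [""])[0].strip().lower()
    return VENDOR_TO_PROVIDER.get(vendor)

def detect_as_described(root_dse):
    """Order given in the thread: defaultNamingContext first, then vendorName."""
    if "defaultnamingcontext" in root_dse:
        return "AD"
    return by_vendor(root_dse)

def detect_vendor_first(root_dse):
    """Hypothetical alternative order (an assumption, not the project's fix):
    a recognised vendorName wins, defaultNamingContext is only a fallback."""
    provider = by_vendor(root_dse)
    if provider:
        return provider
    return "AD" if "defaultnamingcontext" in root_dse else None

# Filters as they appear in the thread: the AD one from the 389 DS access log,
# the IPA one from the reply suggesting krbPrincipalName.
USER_FILTERS = {
    "AD": "(&(samaccounttype=805306368)(userprincipalname={upn}))",
    "IPA": "(&(objectClass=krbPrincipalAux)(krbPrincipalName={upn}))",
}

def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(provider, upn):
    return USER_FILTERS[provider].format(upn=escape_filter_value(upn))

if __name__ == "__main__":
    dse = parse_ldif_entry(ROOT_DSE_LDIF)
    for detect in (detect_as_described, detect_vendor_first):
        provider = detect(dse)
        # user@EXAMPLE.TEST is a constructed principal.
        print(detect.__name__, provider, user_filter(provider, "user@EXAMPLE.TEST"))
```

With this root DSE the described order yields AD, because the server publishes `defaultnamingcontext` alongside `vendorName: 389 Project`, which matches the `samaccounttype`/`userprincipalname` search seen in the access log.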


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Maor
On 02/24/2012 10:23 PM, Douglas Landgraf wrote:
> Hi Terry,
> 
> On 02/24/2012 02:51 PM, Douglas Landgraf wrote:
>> On 02/24/2012 10:28 AM, Terry Phelps wrote:
>>> It looks like you were doing this as root, so I did, too. In any case,
>>> the result looks good to me:
>>>
>>> # mount | grep iso
>>>
>>> oravm3.acbl.net:/isodomain/ on
>>> /rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
>>> (rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)
>>>
>>>
>>> ]# ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
>>>
>>> 48a5390f-2f86-485c-8537-b6bc9dd71796  vdsmTest
>>>
>>> [root@oravm2 ~]# vdsClient -s 0 getFileList
>>> 48a5390f-2f86-485c-8537-b6bc9dd71796
>>>
>>> file:  OracleLinux-R6-U2-Server-x86_64-dvd.iso status:  {'status':
>>> 469, 'ctime': '1330092866.03', 'size': '3591360512'}
>>>
>>>
>>> NOTE: That "vdsmTest" file you see has appeared there since yesterday,
>>> I think. I didn't put it there.
>>
>> You didn't, this file can be removed,  yesterday the nfs-check
>> couldn't complete the test (remove the file)
>> as you answered me (below) and it's still there.
>>
>>>  # python nfs-check.py oravm3.acbl.net:/isodomain
>>>  Current hostname: oravm2.acbl.net - IP addr 127.0.0.1
>>>  Trying to /bin/mount -t nfs oravm3.acbl.net:/isodomain...
>>>  Executing NFS tests..
>>>  Removing vdsmTest file..
>>>  Traceback (most recent call last):
>>>   File "nfs-check.py", line 268, in
>>> os.removedirs(LOCALPATH)
>>>   File "/usr/lib64/python2.7/os.py", line 170, in removedirs
>>>  OSError: [Errno 16] Device or resource busy: '/tmp/tmpV9KEh5'
>>
>>
> Just to confirm, during the execution of nfs-check have you manually
> entry into /tmp/tmpV9KEh5 (from another shell)?
> If not, this EBUSY error might be like symptom of this weird behaviour...
> 
> However, let me continue... looking the previous messages of this
> thread, looks like you have the iso correctly uploaded.
> Have you tried to restart jboss-as service (oVirt Engine) to see if your
> iso appears into the GUI?
> 
> BTW, most of ovirt people are available to chat and help 'on-the-fly' at
> irc.oftc.net, channel  #ovirt , feel free to join us there .
> 
Hi Terry,
The engine.log should contain logs regarding ISO files,
can you please attach it to the mail, maybe we can find some clues there.

Regards,
Maor


Re: [Users] LDAP

2012-02-24 Thread Yair Zaslavsky
On 02/24/2012 09:17 PM, Nathan Stratton wrote:
> On Fri, 24 Feb 2012, Yair Zaslavsky wrote:
> 
>> Nathan, first of all, please try to run the query I suggested for you -
>> change the filter to
>> (&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@bblinkmind.net))
>> (I understand you try to query IPA with an external tool - please first
>> try to use this filter and see if it works.
>> In my humble opinion, I don't think that you need to change the code, we
>> need to understand why IPA provider is not "detected".
> 
> Sorry, new to LDAP, took me a while to figure out how to do the query
> with ldapsearch.
> 
> [root@ipa-master ~]# ldapsearch -x -b "dc=blinkmind,dc=net"
> "(&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@blinkmind.net))" -h
> localhost
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter:
> (&(objectClass=krbPrincipalAux)(krbPrincipalName=nat...@blinkmind.net))
> # requesting: ALL
> #
> 
> # nathan, users, accounts, blinkmind.net
> dn: uid=nathan,cn=users,cn=accounts,dc=blinkmind,dc=net
> displayName: Nathan Stratton
> cn: Nathan Stratton
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> sn: Stratton
> gecos: Nathan Stratton
> homeDirectory: /home/nathan
> krbPwdPolicyReference:
> cn=global_policy,cn=BLINKMIND.NET,cn=kerberos,dc=blinkm
>  ind,dc=net
> krbPrincipalName: nat...@blinkmind.net
> givenName: Nathan
> uid: nathan
> initials: NS
> uidNumber: 33344
> gidNumber: 33344
> ipaUniqueID: cfcf627e-5e5c-11e1-8e68-001a4a0d0004
> mepManagedEntry: cn=nathan,cn=groups,cn=accounts,dc=blinkmind,dc=net
> krbLastPwdChange: 20120223202917Z
> krbPasswordExpiration: 20220220202917Z
> krbLoginFailedCount: 0
> krbExtraData:: AAgBAA==
> krbExtraData:: AAKdoUZPbmF0aGFuQEJMSU5LTUlORC5ORVQA
> krbLastFailedAuth: 20120223202750Z
> krbLastSuccessfulAuth: 20120224191502Z
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1

Hi Nathan, that's awesome - looks like you got a result, so first of all
- we know the query syntax is working:)
Now, I would like to run some queries on your psql db, so I will
check your configuration

select * from vdc_options where option_name ilike '%AdUser%';

select * from vdc_options where option_name = 'DomainName';




> 
> 
> 
> Nathan Stratton                CTO, BlinkMind, Inc.
> nathan at robotics.net         nathan at blinkmind.com
> http://www.robotics.net        http://www.blinkmind.com



Re: [Users] LDAP

2012-02-24 Thread Nathan Stratton

On Fri, 24 Feb 2012, Yair Zaslavsky wrote:


> Hi Nathan, that's awesome - looks like you got a result, so first of all
> - we know the query syntax is working:)
> Now, I would like to run some queries on your psql db, so I will
> check your configuration
>
> select * from vdc_options where option_name ilike '%AdUser%';


All blank for option_value:

5   AdUserPassword  general
4   AdUserName      general
142 AdUserId        general


> select * from vdc_options where option_name = 'DomainName';


3   DomainName      general

Also a blank option_value because engine-manage-domains never finishes.

-Nathan


Re: [Users] LDAP SimpleAuthentication issue.

2012-02-24 Thread Yair Zaslavsky
On 02/24/2012 09:19 PM, Sharad Mishra wrote:
> Hi,
>   I am new to ovirt and LDAP. Looking at adding support for Tivoli
> Directory Server. Here is a small java/jndi program (not using Spring
> LDAP) that takes IBM  intranet Id and searches the directory to return
> IBM serial number. 

Hi Sharad, welcome aboard.
First of all, although this can be found in our mailing list, I would
like to point you that currently Roy Golan (rgolan at redhat dot com),
Oved Ourfalli (ovedo at redhat dot com) and myself are the people that
work mostly on ldap/authentication issues at engine-core - so feel free
to ask us questions.
In addition, I would like to give you a WIKI to help that will give you
some "getting started info" (This WIKI was written by Oved) -

http://ovirt.org/wiki/DomainInfrastructure



> 
> *
> Hashtable env = new Hashtable();
> env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
> env.put("java.naming.factory.url.pkgs", "com.ibm.jndi");
> env.put("java.naming.provider.url", "ldap://:389");
>
> String dn = null;
> try {
>     InitialDirContext dirContext = new InitialDirContext(env);
>
>     SearchControls constraints = new SearchControls();
>     String[] attr = new String[] {"uid"};
>
>     constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
>     constraints.setReturningAttributes(attr);
>
>     NamingEnumeration ne = dirContext.search("ou=,o=ibm.com",
>             "(mail=" + intranetID + ")", constraints);
>
> **
> 
>   But when I try to use
> org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a
> "javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
> Credentials]"
> 
> I am issuing - ldapTemplate.search("", "", contextMapper);
> 
> Where contextMapper is RHDSUserContextMapper and
> screenshots of ldapTemplate are attached.
As you will probably see in Oved's WIKI, you don't need to provide
RHDSUserContextMapper - the name may be misleading, but this class is
for RedHat DS directory service - I think you need to have context
mappers for IBM Tivoli DS.
In addition you will have to add your own provider type, as can be seen
for example in GetRootDSE java (we send a ROOT DSE query in order to
"understand" what is our provider type, as currently engine-core
supports more than one type of DS).
> 
> There may be issues with the way I have setup filter and baseDN; but
> that should not give AuthEx. At this time I am looking for ways to get
> rid of authentication exception. Also, when using simple authentication,
> why do I need to give password? I can run "ldapsearch -LLL
> "(mail=)" -h :389 -x" without password to give
> me expected results.

This is a good question - I admit I did not work thoroughly enough with
SIMPLE authentication - maybe  we can bypass this.
I looked at the code of this class - it uses Spring-LDAP
LdapContextSource class which extends AbstractContextSource which uses
SimpleDirContextAuthenticationStrategy as the default "authentication
strategy" - so I guess that "playing" with the code of this example, and
ignoring the password may work for you.

I would like to also point out that when I look at Spring-LDAP's
SimpleDirContextAuthenticationStrategy I see it does set
env.put(Context.SECURITY_CREDENTIALS, password) (look at public void
setupEnvironment method ) - so what I have in mind is that you might
need to create your own AuthenticationStrategy - see for example
org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy -
an authentication strategy that Oved, Roy and myself worked on to
support kerberos/GSS-API authentication with Spring-LDAP.

After you implement such a strategy, you will have to add a call to
context.setAuthenticationStrategy with your implemented
AuthenticationStrategy (for example, I think it can be placed after the
line of  -  LdapContextSource context = new LdapContextSource(); at
SimpleAuthenticationCheck.java).

I think I gave you some pointers here,
Feel free to ask more questions

Yair


> 
> Thanks
> Sharad Mishra
> IBM
> 

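The bind-mode question raised in this exchange (anonymous `ldapsearch -x` versus a simple bind that sends credentials), as an added example in plain JNDI; it is not oVirt or Spring-LDAP code and not from the thread. The class name, host, DN and sample values are constructed, and no connection is opened; it also shows RFC 4515 escaping for a value concatenated into a filter such as `(mail=...)`.

```java
import java.util.Hashtable;
import javax.naming.Context;

public class LdapBindModes {

    // Escape a value for use inside an LDAP search filter (RFC 4515):
    // NUL, '(', ')', '*' and '\' become a backslash plus two hex digits.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\0': case '(': case ')': case '*': case '\\':
                    out.append(String.format("\\%02x", (int) c));
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    // Build a JNDI environment in which the bind mode is always explicit.
    static Hashtable<String, Object> buildEnv(String url, String bindDn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        if (bindDn == null) {
            // Anonymous bind, requested on purpose: what "ldapsearch -x"
            // does when no bind DN and no password are given.
            env.put(Context.SECURITY_AUTHENTICATION, "none");
            return env;
        }
        if (password == null || password.isEmpty()) {
            // RFC 4513 section 5.1.2: a DN with an empty password is an
            // "unauthenticated" bind, not a verified login. Refuse it here
            // so a blank password can never pass as authentication.
            throw new IllegalArgumentException("simple bind needs a non-empty password");
        }
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample values; nothing here contacts a server.
        String url = "ldap://ldap.example.test:389";
        String dn = "uid=svc,dc=example,dc=test";
        String mail = "j(doe)*@example.test";
        System.out.println("(mail=" + escapeFilterValue(mail) + ")");
        System.out.println(buildEnv(url, null, null).get(Context.SECURITY_AUTHENTICATION));
        System.out.println(buildEnv(url, dn, "constructed-password")
                .get(Context.SECURITY_AUTHENTICATION));
        try {
            buildEnv(url, dn, "");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```
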


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Maor
On 02/24/2012 09:37 PM, Terry Phelps wrote:
> 
> >
> Hi Terry,
> The engine.log should contain logs regarding ISO files,
> can you please attach it to the mail, maybe we can find some clues
> there.
> 
> Regards,
> Maor
> 
> 
> I am attaching what I think you're asking for:
> /var/log/ovirt-engine/engine.log
> 
> Near the end of it, I do see this:
> 
> 2012-02-24 13:49:28,795 INFO 
> [org.ovirt.engine.core.bll.IsoDomainListSyncronizer] (pool-5-thread-48)
> Finished automatic refresh process for Unknown file type with success,
> for storage domain id 48a5390f-2f86-485c-8537-b6bc9dd71796.
> 
> Perhaps that's relevant.
> 
Hi Terry, you're right, that is the log, although it could be helpful if
the debug mode was enabled there (It can be done by editing the
configuration file $JBOSS_HOME/standalone/configuration/standalone.xml
and change the xml entry: 
from INFO to DEBUG)

From what I see, there are no files fetched from VDSM
2012-02-23 15:06:43,465 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.HsmGetIsoListVDSCommand]
(http--0.0.0.0-8080-1) FINISH, HsmGetIsoListVDSCommand, return: []

The return list is empty.

I'm not sure if it was already discussed in this mail thread, but maybe
it is also better to check the VDSM log in the hypervisor, or check what
the getIsoList verb returns.

Regarding the log that you were indicating, I am guessing, somehow,
there is an unknown file in the DB, that the files in the DB are somehow
with file type Unknown (I cannot see the reason for it in the log),
but I'm not sure it's relevant.




Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Keith Robertson

Terry,

Like this...
[root@node ~]# vdsClient -s 0  getConnectedStoragePoolsList
9775f154-7578-4e22-ae44-4664b298a8cc

[root@node ~]# vdsClient -s 0  getIsoList 
9775f154-7578-4e22-ae44-4664b298a8cc

-- ISO list with proper permissions only ---
rhel-server-6.2.x86_64-dvd.iso

Cheers,
Keith

On 02/24/2012 03:35 PM, Maor wrote:

On 02/24/2012 09:37 PM, Terry Phelps wrote:

 >
 Hi Terry,
 The engine.log should contain logs regarding ISO files,
 can you please attach it to the mail, maybe we can find some clues
 there.

 Regards,
 Maor


I am attaching what I think you're asking for:
/var/log/ovirt-engine/engine.log

Near the end of it, I do see this:

2012-02-24 13:49:28,795 INFO
[org.ovirt.engine.core.bll.IsoDomainListSyncronizer] (pool-5-thread-48)
Finished automatic refresh process for Unknown file type with success,
for storage domain id 48a5390f-2f86-485c-8537-b6bc9dd71796.

Perhaps that's relevant.


Hi Terry, you're right, that is the log, although it could be helpful if
the debug mode was enabled there (It can be done by editing the
configuration file $JBOSS_HOME/standalone/configuration/standalone.xml
and change the xml entry:
from INFO to DEBUG)

 From what I see, there are no files fetched from VDSM
2012-02-23 15:06:43,465 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.HsmGetIsoListVDSCommand]
(http--0.0.0.0-8080-1) FINISH, HsmGetIsoListVDSCommand, return: []

The return list is empty.

I'm not sure if it was already discussed in this mail thread, but maybe
it is also better to check the VDSM log in the hypervisor, or check what
the getIsoList verb returns.

Regarding the log that you were indicating, I am guessing, somehow,
there is an unknown file in the DB, that the files in the DB are somehow
with file type Unknown (I cannot see the reason for it in the log),
but I'm not sure it's relevant.




Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Terry Phelps
On Fri, Feb 24, 2012 at 3:46 PM, Keith Robertson wrote:

> Terry,
>
> Like this...
> [root@node ~]# vdsClient -s 0  getConnectedStoragePoolsList
> 9775f154-7578-4e22-ae44-4664b298a8cc
>
> [root@node ~]# vdsClient -s 0  getIsoList 9775f154-7578-4e22-ae44-4664b298a8cc
> -- ISO list with proper permissions only ---
> rhel-server-6.2.x86_64-dvd.iso
>

Aha! That doesn't show anything:

[root@oravm2 ~]# vdsClient -s 0  getConnectedStoragePoolsList
f465251e-5679-11e1-ba81-97917332892e

[root@oravm2 ~]# vdsClient -s 0  getIsoList
f465251e-5679-11e1-ba81-97917332892e
-- ISO list with proper permissions only ---

[root@oravm2 ~]#


Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Douglas Landgraf

Hi,

On 02/24/2012 03:58 PM, Terry Phelps wrote:



On Fri, Feb 24, 2012 at 3:46 PM, Keith Robertson wrote:


Terry,

Like this...
[root@node ~]# vdsClient -s 0  getConnectedStoragePoolsList
9775f154-7578-4e22-ae44-4664b298a8cc

[root@node ~]# vdsClient -s 0  getIsoList
9775f154-7578-4e22-ae44-4664b298a8cc
-- ISO list with proper permissions only ---
rhel-server-6.2.x86_64-dvd.iso

Aha! That doesn't show anything:

[root@oravm2 ~]# vdsClient -s 0  getConnectedStoragePoolsList
f465251e-5679-11e1-ba81-97917332892e

[root@oravm2 ~]# vdsClient -s 0  getIsoList 
f465251e-5679-11e1-ba81-97917332892e

-- ISO list with proper permissions only ---

[root@oravm2 ~]#


As Maor suggested, can you please attach the /var/log/vdsm/vdsm.log ?

--
Cheers
Douglas



Re: [Users] Uploaded ISO file doesn't show up in admin portal

2012-02-24 Thread Spyro Polymiadis



disabling nfsv4 in /etc/sysconfig/nfs (adding -N 4 to the start up options)
was a work around for me to make my uploaded iso appear.

see my previous thread on this list 

- Original Message -
From: "Maor" 
To: "Terry Phelps" 
Cc: users@ovirt.org
Sent: Saturday, 25 February, 2012 5:57:07 AM
Subject: Re: [Users] Uploaded ISO file doesn't show up in admin portal

On 02/24/2012 10:23 PM, Douglas Landgraf wrote:
> Hi Terry,
> 
> On 02/24/2012 02:51 PM, Douglas Landgraf wrote:
>> On 02/24/2012 10:28 AM, Terry Phelps wrote:
>>> It looks like you were doing this as root, so I did, too. In any case,
>>> the result looks good to me:
>>>
>>> # mount | grep iso
>>>
>>> oravm3.acbl.net:/isodomain/ on
>>> /rhev/data-center/mnt/oravm3.acbl.net:_isodomain type nfs4
>>> (rw,relatime,vers=4,rsize=524288,wsize=524288,namlen=255,soft,nosharecache,proto=tcp,port=0,timeo=600,retrans=6,sec=sys,clientaddr=172.16.2.52,minorversion=0,local_lock=none,addr=192.168.118.10)
>>>
>>>
>>> ]# ls /rhev/data-center/mnt/oravm3.acbl.net:_isodomain
>>>
>>> 48a5390f-2f86-485c-8537-b6bc9dd71796  vdsmTest
>>>
>>> [root@oravm2 ~]# vdsClient -s 0 getFileList
>>> 48a5390f-2f86-485c-8537-b6bc9dd71796
>>>
>>> file:  OracleLinux-R6-U2-Server-x86_64-dvd.iso status:  {'status':
>>> 469, 'ctime': '1330092866.03', 'size': '3591360512'}
>>>
>>>
>>> NOTE: That "vdsmTest" file you see has appeared there since yesterday,
>>> I think. I didn't put it there.
>>
>> You didn't, this file can be removed,  yesterday the nfs-check
>> couldn't complete the test (remove the file)
>> as you answered me (below) and it's still there.
>>
>>>  # python nfs-check.py oravm3.acbl.net:/isodomain
>>>  Current hostname: oravm2.acbl.net - IP addr 127.0.0.1
>>>  Trying to /bin/mount -t nfs oravm3.acbl.net:/isodomain...
>>>  Executing NFS tests..
>>>  Removing vdsmTest file..
>>>  Traceback (most recent call last):
>>>   File "nfs-check.py", line 268, in
>>> os.removedirs(LOCALPATH)
>>>   File "/usr/lib64/python2.7/os.py", line 170, in removedirs
>>>  OSError: [Errno 16] Device or resource busy: '/tmp/tmpV9KEh5'
>>
>>
> Just to confirm, during the execution of nfs-check have you manually
> entry into /tmp/tmpV9KEh5 (from another shell)?
> If not, this EBUSY error might be like symptom of this weird behaviour...
> 
> However, let me continue... looking the previous messages of this
> thread, looks like you have the iso correctly uploaded.
> Have you tried to restart jboss-as service (oVirt Engine) to see if your
> iso appears into the GUI?
> 
> BTW, most of ovirt people are available to chat and help 'on-the-fly' at
> irc.oftc.net, channel  #ovirt , feel free to join us there .
> 
Hi Terry,
The engine.log should contain logs regarding ISO files,
can you please attach it to the mail, maybe we can find some clues there.

Regards,
Maor