Re: [Users] unsupported configuration: spice secure channels set in XML configuration, but TLS port is not provided.

2013-11-18 Thread Omer Frenkel
- Original Message -

 From: Blaster blas...@556nato.com
 To: users@ovirt.org
 Sent: Monday, November 18, 2013 4:55:27 AM
 Subject: [Users] unsupported configuration: spice secure channels set in XML
 configuration, but TLS port is not provided.

 Hello,

 I’m using oVirt 3.3 on Fedora 19.

 I had quite a bit of trouble getting everything up and running (All In One).
 My biggest problem was around vdsm, it crashed out during the interface
 configuration so I followed the instructions here
 http://www.ovirt.org/Installing_VDSM_from_rpm which had me disable TLS. None
 of that ever worked, so I ended up creating the bridge myself, running
 engine-cleanup then engine-setup again.

 Now when I run my VMs I get the following error:
 unsupported configuration: spice secure channels set in XML configuration,
 but TLS port is not provided.

 So something got messed up somewhere.

 I can’t figure out where the XML files for each VM are stored.

 How can I resolve this error? Google searches haven’t turned up anyone having
 this problem.

you set non-secure configuration on vdsm side, 
you need to set the secure spice configuration to false in the engine as well, 
you can do this with engine-config: 
engine-config -s SSLEnabled=false 

and restart the engine. 

 Thanks for any help

 ___
 Users mailing list
 Users@ovirt.org
 http://lists.ovirt.org/mailman/listinfo/users


[Users] oVirt 3.3.2 beta status

2013-11-18 Thread Sandro Bonazzola
Hi,

we're going to branch and build oVirt 3.3.2 beta on Nov 27th.
A bug tracker is available at [1] and it shows only 2 bugs blocking the release:

Bug 1029792 - VDSM does not report the qemu version in capabilities, if 
qemu-kvm-rhev is used
Bug 1029885 - cloud-init testcase does not work in engine 3.3.1

The following is a list of the bugs still open with target 3.3.2 or 3.3:

Whiteboard   Bug ID   Summary
             991267   [RFE] Add TUI information to log file.
infra        987982   When adding a host through the REST API, the error message says that rootPassword is required, but ...
infra        1017267  Plaintext user passwords in async_tasks database
infra        1020344  Power Managent with cisco_ucs problem
infra        1009899  exportDbSchema scripts generates output file with wrong name
infra        1029792  VDSM does not report the qemu version in capabilities, if qemu-kvm-rhev is used
integration  1026933  pre-populate ISO domain with virtio-win ISO
integration  1026930  Package virtio-win and put it in ovirt repositories
integration  1030437  RFE: Configuration of email notifications
integration  1022440  AIO - configure the AIO host to be a gluster cluster/host
integration  902979   ovirt-live - firefox doesn't trust the installed engine
integration  1021805  oVirt Live - use motd to show the admin password
network      988002   [oVirt] [network] Add button shouldn't appear on specific network
network      987916   [oVirt] [provider] Dialog doesn't update unless focus lost
network      987999   [oVirt] [provider] Add button shouldn't appear on specific provider
network      906313   [oVirt-webadmin] [setupNetworks] No valid Operation for network_name and Unassigned Logical Networks panel
network      1023722  [oVirt-webadmin][network] Network roles in cluster management should be radio buttons
network      997197   Some AppErrors messages are grammatically incorrect (singular vs plural)
storage      1016118  async between masterVersion : can't connect to StoragePool
storage      987917   [oVirt] [glance] API version not specified in provider dialog
storage      1029069  Live storage migration snapshot removal fails, probably due to unexpected qemu-img output
ux           906394   [oVirt-webadmin] [network] Loading animation in network main tab 'hosts' and 'vms' subtab is stuck on first view...
virt         1007940  Cannot clone from snapshot while using GlusterFS as POSIX Storage Domain



Please set the target to 3.3.2 and add the bug to the tracker if you think that 
3.3.2 should not be released without it fixed.

Please also update the target to 3.3.3 or any next release for bugs that won't 
be in 3.3.2: it will ease gathering the blocking bugs for next releases.

For those who want to help testing the bugs, I suggest to add yourself as QA 
contact for the bug and add yourself to the testing page [2].

[1] https://bugzilla.redhat.com/1027349
[2] http://www.ovirt.org/Testing/Ovirt_3.3.2_testing


-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com


Re: [Users] [Spice-devel] govirt 0.30 plans

2013-11-18 Thread Christophe Fergeau
On Sat, Nov 16, 2013 at 08:43:16AM -0500, i iordanov wrote:
 Hi Itamar,
 
 Thanks for the explanations! I'll let Christophe confirm that govirt
 defaults to user-mode.

Yes it does, ovirt-proxy.c has:
    g_object_class_install_property(oclass,
                                    PROP_ADMIN,
                                    g_param_spec_boolean("admin",
                                                         "admin",
                                                         "Use REST API as an admin",
                                                         FALSE,
                                                         G_PARAM_READWRITE |
                                                         G_PARAM_STATIC_STRINGS));

FALSE is the default value for the OvirtProxy::admin property.

Christophe





Re: [Users] openldap

2013-11-18 Thread Jonas Israelsson
On 17/10/13 17:22, Juan Hernandez wrote:
 On 10/17/2013 05:15 PM, Itamar Heim wrote:
 On 10/17/2013 09:57 AM, Jonas Israelsson wrote:
 I saw that openldap is now listed as a provider when invoking
 engine-manage-domains. I'm eager to find more information about this.
 Does anyone know if there is any updated documentation floating around
 somewhere ?

 Found this: http://www.ovirt.org/LDAP_Quick_Start

 But the article seem only half-finished.

 Rgds Jonas

 this may help you.
 https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
 https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5

 help finishing the wiki would be great...

 thanks,
 Itamar

 I am attaching slightly updated notes on how to configure OpenLDAP and
 Kerberos for both Fedora and RHEL/CentOS.

Anyone knows if ovirt is able to handle that the kdc and directory
service are running on separate hosts ? In my environment this is the
case where the kdc is located at a service with its own name/IP
(admin.elementary.se),  and the directory-service on ldap.elementary.se.
Even though I see both names are resolved by a name server lookup a
network sniffer trace shows that the latter (ldap.elementary.se) is used for
both kerberos and ldap access.

Furthermore this (incorrect) configuration file is created

[libdefaults]

default_realm = ELEMENTARY.SE
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

 [realms]
ELEMENTARY.SE = {
kdc = ldap.elementary.se
}


 [domain_realm]
elementary.se = ELEMENTARY.SE


In my lab both these services are actually placed on the same physical
server and since the kdc binds to all local interfaces ovirt actually
does reach the kdc via the incorrect name, this is however not the case
later in production.

When trying to add the domain it crashes with the following stack trace

General error has occurednull
java.lang.NegativeArraySizeException
    at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
    at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
    at sun.security.jgss.krb5.WrapToken_v2.init(WrapToken_v2.java:200)
    at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
    at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
    at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
    at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.ovirt.engine.core.ldap.RootDSEData.init(RootDSEData.java:52)
    at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
    at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:356)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
    at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
    at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
    at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
    at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
    at org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
    at org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.jboss.modules.Module.run(Module.java:260)
    at org.jboss.modules.Main.main(Main.java:291)
Failure while testing domain %1$s. Details: 

[Users] oVirt 3.3.1 RC

2013-11-18 Thread Sandro Bonazzola
The oVirt team is pleased to announce that the 3.3.1 Release candidate is now
available in beta [1] and will be released on Tue Nov 19th 2013 if no other
blockers will be found while we're testing it [2].
Feel free to join us verifying the bugzilla entries actually under
verification [3].

Release notes for this update are available on the wiki [4].

A new oVirt Node build will be available soon as well.

[1] http://resources.ovirt.org/releases/beta
[2] http://www.ovirt.org/Testing/Ovirt_3.3.1_testing
[3] http://red.ht/1gQAdEo
[4] http://www.ovirt.org/OVirt_3.3.1_release_notes

-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com


Re: [Users] Fence-virt support

2013-11-18 Thread Eli Mesika


- Original Message -
 From: Itamar Heim ih...@redhat.com
 To: Sander Grendelman san...@grendelman.com
 Cc: users@ovirt.org, Eli Mesika emes...@redhat.com
 Sent: Thursday, November 14, 2013 3:04:39 AM
 Subject: Re: [Users] Fence-virt support
 
 On 11/13/2013 04:27 PM, Sander Grendelman wrote:
  I'm running an ovirt environment (two virt hosts and one engine host)
  on libvirt/kvm on fedora 19. (nested KVM).
 
  I want to fence the virtualized virtualization hosts from the engine host
  (or their partner host) through libvirt. Fence-virt can do this.
 
  I know this is a bit of a niche case, but it's very useful for testing/demo
  purposes.
 
 you can just edit the configs to add it (may be overridden during upgrade):
 VdsFenceType, VdsFenceOptionMapping and VdsFenceOptionTypes

Did that work for you or do you need any further help?
Thanks
Eli

 
 
  On Wed, Nov 13, 2013 at 8:33 PM, Itamar Heim ih...@redhat.com wrote:
  On 11/13/2013 07:47 AM, Sander Grendelman wrote:
 
  I'm currently building a ovirt test-environment using nested
  virtualization on libvirt/kvm.
 
  For the most part this works great. However, I can't configure
  fencing/power management
  because only hardware BMC's/fencing devices are supported.
 
  Is this something that could/should be included in a future oVirt
  version?
  Or is there another option/workaround to test power management?
 
 
  please elaborate a bit more on what's missing.
  what are you trying to fence and from where?
 
 


Re: [Users] [Engine-devel] oVirt 3.3.2 beta status

2013-11-18 Thread Dan Kenigsberg
On Mon, Nov 18, 2013 at 10:12:02AM +0100, Sandro Bonazzola wrote:
 Hi,
 
 we're going to branch and build oVirt 3.3.2 beta on Nov 27th.
 A bug tracker is available at [1] and it shows only 2 bugs blocking the 
 release:
 
 Bug 1029792 - VDSM does not report the qemu version in capabilities, if 
 qemu-kvm-rhev is used

Backported
http://gerrit.ovirt.org/21363
http://gerrit.ovirt.org/21364
to ovirt-3.3 branch to address this request.


Re: [Users] Fence-virt support

2013-11-18 Thread Sander Grendelman
It kind of worked.

I did an insert into the database to add an xvm fence mode.
After that I had to first change the mode to ipmilan to get
rid of a couple of mandatory fields. The setup also breaks
when I try to edit a host.

The fence mechanism makes a couple of assumptions that
don't work with fence-virtd:

- fence-virtd uses a keyfile, no username and password.
- fence-virtd uses port=vmname to identify a VM

The gui has mandatory username and password fields and
the standard port/sshport field only takes numeric values.

Some of the problems I ran into are probably related to
https://bugzilla.redhat.com/show_bug.cgi?id=1020344

On Mon, Nov 18, 2013 at 1:26 PM, Eli Mesika emes...@redhat.com wrote:


 - Original Message -
 From: Itamar Heim ih...@redhat.com
 To: Sander Grendelman san...@grendelman.com
 Cc: users@ovirt.org, Eli Mesika emes...@redhat.com
 Sent: Thursday, November 14, 2013 3:04:39 AM
 Subject: Re: [Users] Fence-virt support

 On 11/13/2013 04:27 PM, Sander Grendelman wrote:
  I'm running an ovirt environment (two virt hosts and one engine host)
  on libvirt/kvm on fedora 19. (nested KVM).
 
  I want to fence the virtualized virtualization hosts from the engine host
  (or their partner host) through libvirt. Fence-virt can do this.
 
  I know this is a bit of a niche case, but it's very useful for testing/demo
  purposes.

 you can just edit the configs to add it (may be overridden during upgrade):
 VdsFenceType, VdsFenceOptionMapping and VdsFenceOptionTypes

 Did that work for you or do you need any further help?
 Thanks
 Eli


 
  On Wed, Nov 13, 2013 at 8:33 PM, Itamar Heim ih...@redhat.com wrote:
  On 11/13/2013 07:47 AM, Sander Grendelman wrote:
 
  I'm currently building a ovirt test-environment using nested
  virtualization on libvirt/kvm.
 
  For the most part this works great. However, I can't configure
  fencing/power management
  because only hardware BMC's/fencing devices are supported.
 
  Is this something that could/should be included in a future oVirt
  version?
  Or is there another option/workaround to test power management?
 
 
  please elaborate a bit more on what's missing.
  what are you trying to fence and from where?




Re: [Users] info on chrome and spice

2013-11-18 Thread Koch (ovido)

On Sat, 2013-11-16 at 10:59 +0100, Gianluca Cecchi wrote:
 Hello,
 I have an all-in-one installation based on Fedora 18 and oVirt stable repo.
 
 oVirt is  3.2.3-1.fc18
 Fedora system is updated at 11/11/2013.
 
 I have both firefox (firefox-25.0-3.fc18.x86_64) and chrome
 (google-chrome-stable-30.0.1599.114-1.x86_64 , baseurl of yum from
 baseurl=http://dl.google.com/linux/chrome/rpm/stable/x86_64)
 
 While I can use spice console with firefox, in chrome the icon is not enabled.
 Is there any way to have chrome able to open spice console?
 Does it change anything in oVirt 3.3 for chrome on Linux (and/or on WIndows)?


In oVirt 3.3 you have several options for SPICE:
- Native client
- Browser plugin (requires Firefox)
- SPICE HTML5 browser client (didn't test this option yet)

The native client option is working fine for me with Chrome 31 on Fedora
19. It opens console.vv with virt-viewer. Theoretically it should work
on Windows as well, but didn't test it yet...


Regards,
René
 

 
 Thanks,
 Gianluca


Re: [Users] Fence-virt support

2013-11-18 Thread Eli Mesika


- Original Message -
 From: Sander Grendelman san...@grendelman.com
 To: Eli Mesika emes...@redhat.com
 Cc: users@ovirt.org
 Sent: Monday, November 18, 2013 3:52:09 PM
 Subject: Re: [Users] Fence-virt support
 
 It kind of worked.
 
 I did an insert into the database to add an xvm fence mode.
 After that I had to first change the mode to ipmilan to get
 rid of a couple of mandatory fields. The setup also breaks
 when I try to edit a host.
 
 The fence mechanism makes a couple of assumptions that
 don't work with fence-virtd:
 
 - fence-virtd uses a keyfile, no username and password.

This is a real problem, we are not supporting currently other authentication
methods

 - fence-virtd uses port=vmname to identify a VM
 
 The gui has mandatory username and password fields and
 the standard port/sshport field only takes numeric values.

For that we have the options field, you could omit the port from the fence
mapping and then add in the options port=value

 
 Some of the problems I ran into are probably related to
 https://bugzilla.redhat.com/show_bug.cgi?id=1020344

This is actually related to another BZ
 https://bugzilla.redhat.com/show_bug.cgi?id=1014513 

 
 On Mon, Nov 18, 2013 at 1:26 PM, Eli Mesika emes...@redhat.com wrote:
 
 
  - Original Message -
  From: Itamar Heim ih...@redhat.com
  To: Sander Grendelman san...@grendelman.com
  Cc: users@ovirt.org, Eli Mesika emes...@redhat.com
  Sent: Thursday, November 14, 2013 3:04:39 AM
  Subject: Re: [Users] Fence-virt support
 
  On 11/13/2013 04:27 PM, Sander Grendelman wrote:
   I'm running an ovirt environment (two virt hosts and one engine host)
   on libvirt/kvm on fedora 19. (nested KVM).
  
   I want to fence the virtualized virtualization hosts from the engine
   host
   (or their partner host) through libvirt. Fence-virt can do this.
  
   I know this is a bit of a niche case, but it's very useful for
   testing/demo
   purposes.
 
  you can just edit the configs to add it (may be overridden during
  upgrade):
  VdsFenceType, VdsFenceOptionMapping and VdsFenceOptionTypes
 
  Did that work for you or do you need any further help?
  Thanks
  Eli
 
 
  
   On Wed, Nov 13, 2013 at 8:33 PM, Itamar Heim ih...@redhat.com wrote:
   On 11/13/2013 07:47 AM, Sander Grendelman wrote:
  
   I'm currently building a ovirt test-environment using nested
   virtualization on libvirt/kvm.
  
   For the most part this works great. However, I can't configure
   fencing/power management
   because only hardware BMC's/fencing devices are supported.
  
   Is this something that could/should be included in a future oVirt
   version?
   Or is there another option/workaround to test power management?
  
  
   please elaborate a bit more on what's missing.
   what are you trying to fence and from where?
 
 
 


Re: [Users] oVirt 3.3.1 RC

2013-11-18 Thread Hans-Joachim
Hello,

would be nice, if BZ119100 https://bugzilla.redhat.com/show_bug.cgi?id=1009100
could be included.

Either as a solution or by adding a workaround (adding e.g. a
disable_livesnapshot to the engine database)

hans-Joachim


[Users] API read-only access / roles

2013-11-18 Thread Sander Grendelman
I'm working on (Zabbix) monitoring through the RESTful API.

Which role should I assign to the monitoring user?

The user only needs read access to the data but it looks like
I need to assign at least an Admin role to the user to be
able to read data through the API.

For this I've created a AdminLoginOnly role that only has
System-Configure System-Login Permissions access.

Is this the way to go for this kind of configuration? Or is there
a way to further minimize the permissions of this user?

Another issue is that a Login event is generated every time
the user connects through the API. This makes the Events
pane less useful / readable. Is there a way to disable this for
some users/roles?


Re: [Users] API read-only access / roles

2013-11-18 Thread Koch (ovido)
On Mon, 2013-11-18 at 16:46 +0100, Sander Grendelman wrote:
 I'm working on (Zabbix) monitoring through the RESTful API.

Very nice - do you use my check_rhev3 Nagios plugin 
(https://github.com/ovido/check_rhev3) or are you working on 
your own script?

 
 Which role should I assign to the monitoring user?
 
 The user only needs read access to the data but it looks like
 I need to assign at least an Admin role to the user to be
 able to read data through the API.
 
 For this I've created a AdminLoginOnly role that only has
 System-Configure System-Login Permissions access.
 
 Is this the way to go for this kind of configuration? Or is there
 a way to further minimize the permissions of this user?

I create a custom role with these permissions for Nagios monitoring,
too.
I was thinking that in oVirt 3.3 there should be a predefined
viewers-role, but can't find it in my setup :(

 
 Another issue is that a Login event is generated every time
 the user connects through the API. This makes the Events
 pane less useful / readable. Is there a way to disable this for
 some users/roles?


It depends if you have your own script or check_rhev3:
- check_rhev3 1.2: use option -o
- check_rhev3 1.3: you should not see any login information in this
version anymore
- custom script: see this page on information how to use the JSESSIONID
cookie: http://www.ovirt.org/Features/RESTSessionManagement


Regards,
René




Re: [Users] openldap

2013-11-18 Thread Juan Hernandez
On 11/18/2013 12:17 PM, Jonas Israelsson wrote:
 On 17/10/13 17:22, Juan Hernandez wrote:
 On 10/17/2013 05:15 PM, Itamar Heim wrote:
 On 10/17/2013 09:57 AM, Jonas Israelsson wrote:
 I saw that openldap is now listed as a provider when invoking
 engine-manage-domains. I'm eager to find more information about this.
 Does anyone know if there is any updated documentation floating around
 somewhere ?

 Found this: http://www.ovirt.org/LDAP_Quick_Start

 But the article seem only half-finished.

 Rgds Jonas

 this may help you.
 https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
 https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5

 help finishing the wiki would be great...

 thanks,
 Itamar

 I am attaching slightly updated notes on how to configure OpenLDAP and
 Kerberos for both Fedora and RHEL/CentOS.


I just updated the wiki with the latest version of the instructions that
I use. I think they work. Any enhancement is welcome.

 Anyone knows if ovirt is able to handle that the kdc and directory
 service are running on separate hosts ? In my environment this is the
 case where the kdc is located at a service with its own name/IP
 (admin.elementary.se),  and the directory-service on ldap.elementary.se.
 Even though I see both names are resolved by a name server lookup a
 network sniffer trace shows that the latter (ldap.elementary.se) is used for
 both kerberos and ldap access.
 

By default oVirt uses the Kerberos and LDAP servers that are provided by
DNS. Can you please check what is the result of the following DNS query?

# dig -t SRV _kerberos._tcp.elementary.se

 Furthermore this (incorrect) configuration file is created
 
 [libdefaults]
 
 default_realm = ELEMENTARY.SE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = no
 default_tkt_enctypes = arcfour-hmac-md5
 udp_preference_limit = 1
 
  [realms]
 ELEMENTARY.SE = {
 kdc = ldap.elementary.se
 }
 
 
  [domain_realm]
 elementary.se = ELEMENTARY.SE
 
 
 In my lab both these services are actually placed on the same physical
 server and since the kdc binds to all local interfaces ovirt actually
 does reach the kdc via the incorrect name, this is however not the case
 later in production.
 

This file is generated from the above mentioned DNS queries. Please let
us know what is the content of your SRV DNS records.

 When trying to add the domain it crashes with the following stack trace
 
 General error has occurednull
 java.lang.NegativeArraySizeException
     at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
     at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
     at sun.security.jgss.krb5.WrapToken_v2.init(WrapToken_v2.java:200)
     at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
     at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
     at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
     at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
     at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
     at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
     at org.ovirt.engine.core.ldap.RootDSEData.init(RootDSEData.java:52)
     at org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
     at org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.Subject.doAs(Subject.java:356)
     at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
     at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
     at org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
     at org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
     at org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
     at org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
 at
 

Re: [Users] openldap

2013-11-18 Thread Jonas Israelsson



On 18/11/13 17:24, Juan Hernandez wrote:

On 11/18/2013 12:17 PM, Jonas Israelsson wrote:

On 17/10/13 17:22, Juan Hernandez wrote:

On 10/17/2013 05:15 PM, Itamar Heim wrote:

On 10/17/2013 09:57 AM, Jonas Israelsson wrote:

I saw that openldap is now listed as a provider when invoking
engine-manage-domains. I'm eager to find more information about this.
Does anyone know if there is any updated documentation floating around
somewhere ?

Found this: http://www.ovirt.org/LDAP_Quick_Start

But the article seem only half-finished.

Rgds Jonas


this may help you.
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5

help finishing the wiki would be great...

thanks,
 Itamar


I am attaching slightly updated notes on how to configure OpenLDAP and
Kerberos for both Fedora and RHEL/CentOS.


I just updated the wiki with the latest version of the instructions that
I use. I think they work. Any enhancement is welcome.


Anyone knows if ovirt is able to handle that the kdc and directory
service are running on separate hosts ? In my environment this is the
case where the kdc is located at a service with its own name/IP
(admin.elementary.se),  and the directory-service on ldap.elementary.se.
Even though I see both names are resolved by a name server lookup a
network sniffer trace shows that the latter (ldap.elementary.se) is used for
both kerberos and ldap access.


By default oVirt uses the Kerberos and LDAP servers that are provided by
DNS. Can you please check what is the result of the following DNS query?

# dig -t SRV _kerberos._tcp.elementary.se

All DNS queries get the correct answer (both forward and reverse)

Engine -- 192.168.24.217 -- dashboard.elementary.se
LDAP-Server -- 192.168.24.239 -- ldap.elementary.se
KDC -- 192.168.24.240 -- admin.elementary.se

dig -t SRV _kerberos._tcp.elementary.se

; <<>> DiG 9.9.3-rpz2+rl.156.01-P2 <<>> -t SRV _kerberos._tcp.elementary.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19187
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_kerberos._tcp.elementary.se.  IN      SRV

;; ANSWER SECTION:
_kerberos._tcp.elementary.se. 3600 IN   SRV     0 0 88 admin.elementary.se.

;; AUTHORITY SECTION:
elementary.se.          3600    IN      NS      ns2.elementary.se.
elementary.se.          3600    IN      NS      ns1.elementary.se.

;; ADDITIONAL SECTION:
admin.elementary.se.    3600    IN      A       192.168.24.240
ns1.elementary.se.      3600    IN      A       192.168.24.231
ns2.elementary.se.      3600    IN      A       192.168.24.232

;; Query time: 0 msec
;; SERVER: 192.168.24.231#53(192.168.24.231)
;; WHEN: Mon Nov 18 18:05:05 CET 2013
;; MSG SIZE  rcvd: 180


Still...

18:13:41.232154 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [S], seq 3592225170, win 14600, options [mss 1460,sackOK,TS val 160790012 ecr 0,nop,wscale 7], length 0
18:13:41.232238 IP 192.168.24.239.88 > 192.168.24.217.42362: Flags [S.], seq 2526310478, ack 3592225171, win 14480, options [mss 1460,sackOK,TS val 174749087 ecr 160790012,nop,wscale 7], length 0
18:13:41.232739 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [.], ack 1, win 115, options [nop,nop,TS val 160790013 ecr 174749087], length 0
18:13:41.232787 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [P.], seq 1:141, ack 1, win 115, options [nop,nop,TS val 160790013 ecr 174749087], length 140
18:13:41.232804 IP 192.168.24.239.88 > 192.168.24.217.42362: Flags [.], ack 141, win 122, options [nop,nop,TS val 174749087 ecr 160790013], length 0
18:13:41.245137 IP 192.168.24.239.88 > 192.168.24.217.42362: Flags [P.], seq 1:704, ack 141, win 122, options [nop,nop,TS val 174749090 ecr 160790013], length 703
18:13:41.245517 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [.], ack 704, win 126, options [nop,nop,TS val 160790026 ecr 174749090], length 0
18:13:41.245578 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [F.], seq 141, ack 704, win 126, options [nop,nop,TS val 160790026 ecr 174749090], length 0
18:13:41.246606 IP 192.168.24.239.88 > 192.168.24.217.42362: Flags [F.], seq 704, ack 142, win 122, options [nop,nop,TS val 174749090 ecr 160790026], length 0




Furthermore this (incorrect) configuration file is created

[libdefaults]

default_realm = ELEMENTARY.SE
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

  [realms]
 ELEMENTARY.SE = {
 kdc = ldap.elementary.se
 }


  [domain_realm]
 elementary.se = ELEMENTARY.SE


In my lab both these services are actually placed on the same physical
server and since the kdc binds to all local interfaces ovirt actually
does reach the kdc via the incorrect name, this is however not the case
later in production.


This file is generated from the above mentioned DNS queries. Please 

Re: [Users] openldap

2013-11-18 Thread Jonas Israelsson

On 18/11/13 18:26, Juan Hernandez wrote:

On 11/18/2013 06:21 PM, Jonas Israelsson wrote:


On 18/11/13 17:24, Juan Hernandez wrote:

On 11/18/2013 12:17 PM, Jonas Israelsson wrote:

On 17/10/13 17:22, Juan Hernandez wrote:

On 10/17/2013 05:15 PM, Itamar Heim wrote:

On 10/17/2013 09:57 AM, Jonas Israelsson wrote:

I saw that openldap is now listed as a provider when invoking
engine-manage-domains. I'm eager to find more information about this.
Does anyone know if there is any updated documentation floating around
somewhere ?

Found this: http://www.ovirt.org/LDAP_Quick_Start

But the article seems only half-finished.

Rgds Jonas


this may help you.
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5

help finishing the wiki would be great...

thanks,
  Itamar


I am attaching slightly updated notes on how to configure OpenLDAP and
Kerberos for both Fedora and RHEL/CentOS.


I just updated the wiki with the latest version of the instructions that
I use. I think they work. Any enhancement is welcome.


Does anyone know if ovirt is able to handle the kdc and directory
service running on separate hosts? In my environment this is the
case, where the kdc is located at a service with its own name/IP
(admin.elementary.se), and the directory service on ldap.elementary.se.
Even though I see both names are resolved by a name server lookup, a
network sniffer trace shows that the latter (ldap.elementary.se) is used for
both kerberos and ldap access.


By default oVirt uses the Kerberos and LDAP servers that are provided by
DNS. Can you please check what is the result of the following DNS query?

# dig -t SRV _kerberos._tcp.elementary.se

All DNS queries get the correct answer (both forward and reverse)

Engine -- 192.168.24.217 -- dashboard.elementary.se
LDAP-Server -- 192.168.24.239 -- ldap.elementary.se
KDC -- 192.168.24.240 -- admin.elementary.se

dig -t SRV _kerberos._tcp.elementary.se

; <<>> DiG 9.9.3-rpz2+rl.156.01-P2 <<>> -t SRV _kerberos._tcp.elementary.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19187
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_kerberos._tcp.elementary.se.  IN SRV

;; ANSWER SECTION:
_kerberos._tcp.elementary.se. 3600 IN   SRV 0 0 88 admin.elementary.se.

;; AUTHORITY SECTION:
elementary.se. 3600 IN NS ns2.elementary.se.
elementary.se. 3600 IN NS ns1.elementary.se.

;; ADDITIONAL SECTION:
admin.elementary.se. 3600 IN A 192.168.24.240
ns1.elementary.se. 3600 IN A 192.168.24.231
ns2.elementary.se. 3600 IN A 192.168.24.232

;; Query time: 0 msec
;; SERVER: 192.168.24.231#53(192.168.24.231)
;; WHEN: Mon Nov 18 18:05:05 CET 2013
;; MSG SIZE  rcvd: 180


Still...

18:13:41.232154 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [S],
seq 3592225170, win 14600, options [mss 1460,sackOK,TS val 160790012 ecr
0,nop,wscale 7], length 0
18:13:41.232238 IP 192.168.24.239.88 > 192.168.24.217.42362: Flags [S.],
seq 2526310478, ack 3592225171, win 14480, options [mss 1460,sackOK,TS
val 174749087 ecr 160790012,nop,wscale 7], length 0
18:13:41.232739 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [.],
ack 1, win 115, options [nop,nop,TS val 160790013 ecr 174749087], length 0
18:13:41.232787 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [P.],
seq 1:141, ack 1, win 115, options [nop,nop,TS val 160790013 ecr
174749087], length 140
18:13:41.232804 IP 192.168.24.239.88 > 192.168.24.217.42362: Flags [.],
ack 141, win 122, options [nop,nop,TS val 174749087 ecr 160790013], length 0
18:13:41.245137 IP 192.168.24.239.88 > 192.168.24.217.42362: Flags [P.],
seq 1:704, ack 141, win 122, options [nop,nop,TS val 174749090 ecr
160790013], length 703
18:13:41.245517 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [.],
ack 704, win 126, options [nop,nop,TS val 160790026 ecr 174749090], length 0
18:13:41.245578 IP 192.168.24.217.42362 > 192.168.24.239.88: Flags [F.],
seq 141, ack 704, win 126, options [nop,nop,TS val 160790026 ecr
174749090], length 0
18:13:41.246606 IP 192.168.24.239.88 > 192.168.24.217.42362: Flags [F.],
seq 704, ack 142, win 122, options [nop,nop,TS val 174749090 ecr
160790026], length 0




Your SRV records look correct. We may have a bug here. What
engine-manage-domains command line are you exactly using? Are you
using the -ldapServers option?

Yes,

engine-manage-domains -action=add -domain=elementary.se 
-provider=OpenLDAP -user=ovirt -interactive -ldapServers=ldap.elementary.se



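
The mismatch reported in this thread (DNS advertises admin.elementary.se as the KDC, while the generated krb5.conf names ldap.elementary.se) can be checked mechanically. The following is an added example, not code from the thread or from oVirt; the function names are hypothetical and the sample inputs are constructed from the values quoted in the thread.

```python
import re

# Constructed sample inputs, reduced from the dig answer and krb5.conf quoted in the thread.
SRV_ANSWER = """\
;; ANSWER SECTION:
_kerberos._tcp.elementary.se. 3600 IN SRV 0 0 88 admin.elementary.se.
"""
KRB5_CONF = """\
[libdefaults]
default_realm = ELEMENTARY.SE
dns_lookup_kdc = false
[realms]
ELEMENTARY.SE = {
    kdc = ldap.elementary.se
}
[domain_realm]
elementary.se = ELEMENTARY.SE
"""

def srv_targets(dig_output):
    """Return {(host, port)} for every SRV record in dig's answer text."""
    targets = set()
    for line in dig_output.splitlines():
        fields = line.split()  # name ttl IN SRV priority weight port target
        if len(fields) == 8 and line[0] != ";" and fields[2:4] == ["IN", "SRV"]:
            targets.add((fields[7].rstrip(".").lower(), int(fields[6])))
    return targets

def configured_kdcs(krb5_conf, realm):
    """Return {(host, port)} for the kdc entries of one realm in krb5.conf text."""
    kdcs, section, current = set(), None, None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        kdc = re.fullmatch(r"kdc\s*=\s*(\S+)", line)
        if header:
            section, current = header.group(1), None
        elif section == "realms" and line.endswith("{"):
            current = line.split("=", 1)[0].strip()
        elif line == "}":
            current = None
        elif current == realm and kdc:
            host, _, port = kdc.group(1).partition(":")  # assumes hostname or IPv4
            kdcs.add((host.lower(), int(port or 88)))    # 88 is the Kerberos default
    return kdcs

def kdc_mismatch(dig_output, krb5_conf, realm):
    """Compare the KDCs a realm is configured with against those DNS advertises."""
    dns, conf = srv_targets(dig_output), configured_kdcs(krb5_conf, realm)
    return {"not_in_dns": sorted(conf - dns), "missing_from_conf": sorted(dns - conf)}

if __name__ == "__main__":
    print(kdc_mismatch(SRV_ANSWER, KRB5_CONF, "ELEMENTARY.SE"))
```

A non-empty `not_in_dns` list means Kerberos traffic will go to a host that DNS does not advertise as a KDC, which matches the port 88 traffic to 192.168.24.239 in the capture.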


Re: [Users] Resizing the iscsi data domain

2013-11-18 Thread Eduardo Ramos

Hi!

I've done this with success. I put my domain in maintenance, used 
pvresize and after activated again. Try this.



On 11/18/2013 07:58 PM, Pavel Zhukov wrote:

On Monday, November 18, 2013 05:10:19 PM Juan Pablo Lorier wrote:

Hi,

I've resized the lun I'm using for data domain. I've changed the lun,
rescanned the target with iscsiadm and reloaded multipath to get the new
size. The thing is that though all the hosts see the new size, ovirt
doesn't. Do I need to run something to update the engine db?
I'm running ovirt 3.2
Regards,

Hi Juan,

Resizing of the LUN is not supported yet.
You can extend SD with additional LUN instead (Map new LUN - SD - Edit -
check new LUN).

You can try to re-elect SPM for now.






Re: [Users] Cinder Integration

2013-11-18 Thread Udaya Kiran P
Hi All,

I want to consume the oVirt Storage Domains in OpenStack Cinder. 

Is this driver available or are there any resources pointing on how this can be 
done?

Please suggest.

Thank You,

Regards,
Udaya Kiran



On Monday, 18 November 2013 3:30 PM, Itamar Heim ih...@redhat.com wrote:
 
On 11/18/2013 09:36 AM, Udaya Kiran P wrote:
 Hi Itamar,

 Yes, you are right.

 Please suggest.

can you please reply on the original thread on users@ovirt.org, and 
explain the use case you want?

thanks,
    Itamar


 Regards,
 Udaya Kiran


 On Monday, 18 November 2013 1:00 PM, Itamar Heim ih...@redhat.com wrote:
 On 11/18/2013 06:38 AM, Udaya Kiran P wrote:
   Hi Itamar,
  
   I see a POC in the below link,
  
   https://github.com/oourfali/openstack-ovirt-driver
  
   which was mentioned in the email thread found in,
  
   http://lists.ovirt.org/pipermail/users/2013-June/014682.html
  
   Can you suggest if it's useful or it needs to be tailored to the latest
   changes?
  
   Thank You,
  
   Regards,
   Udaya Kiran
  
  
   On Thursday, 14 November 2013 1:19 PM, Itamar Heim ih...@redhat.com wrote:
   On 11/14/2013 12:10 AM, Udaya Kiran P wrote:
     Hi Itamar,
    
     Thanks for the update.
    
     Is the POC for the Cinder driver ready? Are there any resources pointing
     towards this?
  
   still need to get to it, but we'd welcome help...
  
  
    
     Regards,
     Udaya Kiran
    
    
     On Thursday, 14 November 2013 1:19 AM, Itamar Heim ih...@redhat.com wrote:


     On 11/12/2013 01:38 AM, Udaya Kiran P wrote:
    
       Hi everyone,
      
       Does anybody know if OpenStack Cinder Integration is done in oVirt3.3.
      
       Can I have some resources pointing to the same?
    
    
     3.3 has glance and neutron (and keystone for their needs).
     cinder is a bit more complex and not covered yet.

    
    
    
    
  
  
  

 that's a POC of deploying openstack over oVirt. i.e., this cinder driver
 will expose ovirt disks as openstack cinder volumes.
 is that what you are looking for?




[Users] RFE question

2013-11-18 Thread Jakub Bittner

Hello,

I would like to ask how to post RFE to oVirt. I know about google 
spreadsheet, but should I post RFE to users mailing list and after some 
discussion post it to bugzilla?


I have 2 rfe on oVirt web interface:

1) I think that nice to have feature would be to have fourth column with 
disk usage in Virtual Machine tab.


2) Great improvement would also be possibility to sort Virtual Machine 
tab by clicking on column name. For example: When I click on Memory 
all VMs get sorted by memory usage.


If this RFE already exists, I am sorry. But I did not find it.


Thank  you.


Re: [Users] RFE question

2013-11-18 Thread Eli Mesika


- Original Message -
 From: Jakub Bittner j.bitt...@nbu.cz
 To: users@ovirt.org
 Sent: Tuesday, November 19, 2013 8:33:30 AM
 Subject: [Users] RFE question
 
 Hello,
 
 I would like to ask how to post RFE to oVirt. I know about google
 spreadsheet, but should I post RFE to users mailing list and after some
 discussion post it to bugzilla?
 
 I have 2 rfe on oVirt web interface:
 
 1) I think that nice to have feature would be to have fourth column with
 disk usage in Virtual Machine tab.
 
 2) Great improvement would also be possibility to sort Virtual Machine
 tab by clicking on column name. For example: When I click on Memory
 all VMs get sorted by memory usage.

This one exists as a general requirement :
https://bugzilla.redhat.com/show_bug.cgi?id=895222

 
 If this RFE already exists, I am sorry. But I did not find it.
 
 
 Thank  you.