Re: [ovirt-users] LDAP bind DN generation problem
On 18/06/15 14:49, Ondra Machacek wrote:
> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
>> Hi!
>
> Hi
>
>> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP domain on the login screen. Only internal is available.
>> Our LDAP server is actually a 389DS instance and we are using it for authentication in oVirt without Kerberos. The existing setup has worked since the days of 3.2.
>>
>> When we try to validate the domain, we get
>>
>> [root@brda ~]# engine-manage-domains validate
>> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
>> Failure while testing domain guest.arnes.si. Details: Cannot authenticate user to LDAP server.
>>
>> The LDAP log reports
>> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn=uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si method=128 version=3
>>
>> As you can see there is a comma missing before dc=guest,dc=arnes,dc=si.
>> Before the upgrade the bind DN was generated properly as
>> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn=uid=ovirt,ou=People,dc=arnes,dc=si method=128 version=3
>
> So what is your search user's DN? Is it:
> dn=uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si
> or
> dn=uid=ovirt,ou=People,dc=arnes,dc=si
>
> Is it possible for you to try if different user works fine? Because user with very similar DN works for me just OK.

At the time of posting I did not notice the difference, thanks for the spot. The correct DN is dn=uid=ovirt,ou=People,dc=arnes,dc=si. Although that means that after upgrading to 3.5 the DN for the search user is formatted differently when issuing an LDAP bind request.

In the end we noticed that the AAA part of oVirt was reworked in 3.5. We deleted the old LDAP domain, that we manually inserted into the database back in 3.2 days. Then we added LDAP as an authentication source as per AAA instructions, which we found a bit vague. The README on github for the AAA extension provided most of the information.

We also found that the format of external_id in the users table had been changed from
fdfc627c-d875-11e0-90f0-83df133b58cc
to
fdfc627c-d87511e0-90f083df-133b58cc.
So naturally users could not log in. Instead additional users were created with this new format external_id, a namespace with dc=arnes,dc=si and a new user_id. We manually deleted the faux users, updated the external_id to the new format and added a namespace entry for existing users. That worked for us.

Kind regards,
Mitja

>> This looks like a bug. Is there a quick fix we can do to fix this typo?
>> We are also interested in knowing what is the correct way in 3.5 to add a domain that uses an LDAP server for its authentication source without Kerberos.
>
> Please see following links:
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> * http://www.ovirt.org/Features/AAA
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>
>> Kind regards,
>> Mitja

--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Automating oVirt Windows Guest Tools installations
Hi Patrick,

First of all let's clear some misunderstanding here - you don't need to manually install Python. The installation of oVirt WGT is fully self contained, and while the oVirt Guest Agent it includes is indeed programmed in Python, the version included is converted using py2exe (check py2exe.org for more details if it interests you) into a standalone executable (well, almost - just like Windows version of Python.exe, it depends on Microsoft Visual Studio CRTL, but we install it during the installation of the oVirt WGT).

Now about the automated installation. Generally we support silent installation of oVirt WGT. You just need to supply /S command parameter to the installer.

However there is a catch - unfortunately Windows will popup warning messages due to the fact that the drivers supplied are non-WHQL'd. That is because the drivers are signed by Red Hat, Inc. and not by Microsoft certificate. This is a security feature of Windows OS itself, and there is not much we can do about it right now.

The side effect of this is that you need to manually approve the drivers installation for each driver, or choose to trust all drivers from Red Hat, Inc., and then no more popups will show up. Unfortunately, you still need to do this manually at least once, and you can't pre-approve Red Hat, Inc. to make this process automated.

For more information on installing oVirt WGT you can check this article: http://community.redhat.com/blog/2015/05/how-to-install-and-use-ovirts-windows-guest-tools/ by yours truly.

There is a workaround though, and it's to create a program that will automatically approve such unsigned drivers dialogs. It's relatively easy to program with i.e. AutoIt scripting engine (check: https://www.autoitscript.com/site/autoit/ ), which is free (like in free beer, but unfortunately not as in freedom because source code for it is not supplied).

Note that you must be quite careful with that, as by doing so you are basically disabling the security mechanism that Microsoft had put in place for a reason, and potentially you may unintentionally install other non-WHQL'd drivers - if the installation attempt for these other drivers will be made while your auto-approver program will run.

Thanks in advance,
Lev Veyde.
[ovirt-users] ovirt-shell : which default start mode?
Hi,

Since long, I'm using some scripts to create VM, add some components and start them. My script is booting them in PXE.

After an upgrade in 3.5.1, I'm witnessing that the default boot is now primarily using hard disk, and not PXE.

Is there a way for the ovirt-shell to ask a boot via PXE?

In fact, I find that the embedded inline help of ovirt-shell is difficult to read, and some *tree view* of all options would be much better readable.

--
Nicolas ECARNOT
Re: [ovirt-users] Can not kill vm
> Hi! I find a way to fix this!
>
> /etc/init.d/vdsmd stop
> kill -9 libvirtd pid
> /etc/init.d/vdsmd start
>
> tks!

stopping vdsm or libvirtd is irrelevant. maybe you should learn about `pkill' which doesn't need to specify pid :)

j.
Re: [ovirt-users] Get CPU and Memory Usage for VM and Host using ovirt java sdk
> 1) I would like to know if there is a way to fetch the “CPU and Memory Usage for VM” and CPU and Memory Usage for a Host in the RHEVM environment using ovirt sdk in java. I am using ovirt-engine-sdk-java-3.5.0.5.jar. Can you please provide me with the java example if possible. The cpu and memory usage of the VM in the rhevm is as highlighted in the picture below.
>
> 2) Autostart attribute for a VM in RHEVM. Earlier when I was using libvirt 0.5.1 jar in a kvm system, I found that autostart attribute [vm.getAutostart] is provided in the libvirt java sdk.
> “Autostart is a Boolean value which indicates whether the network is configured to be automatically started when the host machine boots”
> Is there any such attribute for a VM in RHEVM, if yes is there a way to fetch the auto start value using ovirt java sdk.

Have you checked http://www.ovirt.org/Java-sdk ?

j.
Re: [ovirt-users] LDAP bind DN generation problem
----- Original Message -----
> From: Mitja Mihelič mitja.mihe...@arnes.si
> To: Ondra Machacek omach...@redhat.com, users@ovirt.org
> Sent: Friday, June 19, 2015 1:39:14 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
>
> On 18/06/15 14:49, Ondra Machacek wrote:
>> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
>>> Hi!
>>
>> Hi
>>
>>> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP domain on the login screen. Only internal is available.
>>> Our LDAP server is actually a 389DS instance and we are using it for authentication in oVirt without Kerberos. The existing setup has worked since the days of 3.2.
>>>
>>> When we try to validate the domain, we get
>>>
>>> [root@brda ~]# engine-manage-domains validate
>>> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
>>> Failure while testing domain guest.arnes.si. Details: Cannot authenticate user to LDAP server.
>>>
>>> The LDAP log reports
>>> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn=uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si method=128 version=3
>>>
>>> As you can see there is a comma missing before dc=guest,dc=arnes,dc=si.
>>> Before the upgrade the bind DN was generated properly as
>>> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn=uid=ovirt,ou=People,dc=arnes,dc=si method=128 version=3
>>
>> So what is your search user's DN? Is it:
>> dn=uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si
>> or
>> dn=uid=ovirt,ou=People,dc=arnes,dc=si
>>
>> Is it possible for you to try if different user works fine? Because user with very similar DN works for me just OK.
>
> At the time of posting I did not notice the difference, thanks for the spot. The correct DN is dn=uid=ovirt,ou=People,dc=arnes,dc=si. Although that means that after upgrading to 3.5 the DN for the search user is formatted differently when issuing an LDAP bind request.
>
> In the end we noticed that the AAA part of oVirt was reworked in 3.5. We deleted the old LDAP domain, that we manually inserted into the database back in 3.2 days. Then we added LDAP as an authentication source as per AAA instructions, which we found a bit vague. The README on github for the AAA extension provided most of the information.
>
> We also found that the format of external_id in the users table had been changed from
> fdfc627c-d875-11e0-90f0-83df133b58cc
> to
> fdfc627c-d87511e0-90f083df-133b58cc.
> So naturally users could not log in. Instead additional users were created with this new format external_id, a namespace with dc=arnes,dc=si and a new user_id. We manually deleted the faux users, updated the external_id to the new format and added a namespace entry for existing users. That worked for us.

the conversion tool should have taken care of all these. have you tried to use it?

> Kind regards,
> Mitja
>
>>> This looks like a bug. Is there a quick fix we can do to fix this typo?
>>> We are also interested in knowing what is the correct way in 3.5 to add a domain that uses an LDAP server for its authentication source without Kerberos.
>>
>> Please see following links:
>> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
>> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
>> * http://www.ovirt.org/Features/AAA
>> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
>> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
>> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
>>
>>> Kind regards,
>>> Mitja
>
> --
> Mitja Mihelič
> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> tel: +386 1 479 8800, fax: +386 1 479 88 99
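
A check for the malformed bind DN and for the external_id regrouping described in this thread, as an added Python example that is not part of the original messages or of oVirt. The log lines are the two quoted in the thread; the function names are hypothetical, and applying the 8-8-8-8 regrouping to every ID is an assumption drawn from the single before/after pair given above.

```python
import re
import uuid

# The two BIND lines quoted in the thread (389DS access log format).
SAMPLE_LOG = [
    "[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND "
    "dn=uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si method=128 version=3",
    "[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND "
    "dn=uid=ovirt,ou=People,dc=arnes,dc=si method=128 version=3",
]

# The DN may or may not be wrapped in double quotes in the log.
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="?(.*?)"? method=\d+')
UNESCAPED_COMMA = re.compile(r"(?<!\\),")
UNESCAPED_PLUS = re.compile(r"(?<!\\)\+")
UNESCAPED_EQUALS = re.compile(r"(?<!\\)=")


def suspicious_rdns(dn):
    """Return the RDNs in which an attribute=value pair has more than one '='.
    RFC 4514 permits '=' inside a value, so this is a review heuristic; it
    catches 'ou=Peopledc=guest', where the separator before 'dc=' was lost.
    """
    flagged = []
    for rdn in UNESCAPED_COMMA.split(dn):
        pairs = UNESCAPED_PLUS.split(rdn)  # multi-valued RDNs use '+'
        if any(len(UNESCAPED_EQUALS.findall(p)) != 1 for p in pairs):
            flagged.append(rdn.strip())
    return flagged


def find_malformed_binds(lines):
    """Return (conn, dn, flagged_rdns) for every BIND line with a suspect DN."""
    findings = []
    for line in lines:
        match = BIND_RE.search(line)
        if match:
            conn, dn = match.groups()
            flagged = suspicious_rdns(dn) if dn else []  # empty DN: anonymous bind
            if flagged:
                findings.append((conn, dn, flagged))
    return findings


def to_new_external_id(old_id):
    """Regroup a canonical UUID (8-4-4-4-12) into the 8-8-8-8 form."""
    digits = uuid.UUID(old_id).hex  # rejects non-UUID input, gives 32 hex digits
    return "-".join(digits[i:i + 8] for i in range(0, 32, 8))


if __name__ == "__main__":
    for conn, dn, flagged in find_malformed_binds(SAMPLE_LOG):
        print(f"conn={conn}: suspect RDN {flagged} in bind DN {dn}")
    print(to_new_external_id("fdfc627c-d875-11e0-90f0-83df133b58cc"))
```

Only the post-upgrade BIND line is flagged; the pre-upgrade line passes.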
Re: [ovirt-users] Run Once Python SDK
On 06/19/2015 11:24 AM, Jiri Belka wrote:
>> I was looking into performing the run once option via the SDK with an attached ISO. With the plan to be to attach an ISO and force a VM to boot from the CD.
>>
>> Basically:
>> 1) Mount an ISO in run once mode
>> 2) Make CD-ROM the first item in the boot sequence
>> 3) Boot the VM
>
> Isn't it just vm.start() with appropriate params?
>
> j.

Yes, something like this:

---8<---
#!/usr/bin/python

from ovirtsdk import api
from ovirtsdk.xml import params

# insecure=True skips verification of the engine's TLS certificate;
# pass ca_file with the engine CA certificate instead where it is available.
api = api.API(
    url="https://engine.example.com/ovirt-engine/api",
    username="admin@internal",
    password="...",
    insecure=True,
    debug=False
)

vm = api.vms.get(name="myvm")

# Run once: attach the ISO and boot from CD-ROM for this start only.
vm.start(
    action=params.Action(
        vm=params.VM(
            cdroms=params.CdRoms(
                cdrom=[
                    params.CdRom(
                        file=params.File(
                            id="CentOS-7.0-1406-x86_64-Minimal.iso"
                        )
                    )
                ]
            ),
            os=params.OperatingSystem(
                boot=[
                    params.Boot(
                        dev="cdrom"
                    )
                ]
            )
        )
    )
)

api.disconnect()
---8<---

--
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
Re: [ovirt-users] Re: How to backup/restore the rhevm-VM in hosted-engine ?
On 19/06/2015 10:37, Jiri Belka wrote:
> Top posting
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?

Jiri, I top posted because the content of my email was mostly unrelated to the rest of the email. Let's avoid flames on mail etiquette.

>> Hi, just wrote http://www.ovirt.org/OVirt_Hosted_Engine_Backup_and_Restore and currently testing this.
>> Xie Chao, Groten Ryan: since you already explored this kind of procedure can you help commenting and / or sharing your experience here?
>
> Can oVirt project finally start to use real documentation? Why not use publican/docbook. wiki is horrible, outdated and i doubt there is a way to manage responsibility for wiki pages.

Feel free to take lead of such project, I gladly contribute documentation there.

> j.

--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
Re: [ovirt-users] vdsm lvm filter
> I've got a setup with ovirt and an equallogic iscsi. I'm using the dell hit drivers. Install all good, after a reboot the storage won't come up. From the vdsm logs i can see the volume groups can't be found.
>
> in the lvm vgs command the following filter is used: [ '\''r|.*|'\'' ] . If I change the LVMCONF_TEMPLATE in /usr/share/vdsm/storage/lvm.py and add the filter [ a|^/dev/eql/ovirt.*| ], the volume group is found and storage will be attached.
>
> How is the lvm filter constructed? And how can i make sure my volume groups are found without editing /usr/share/vdsm/storage/lvm.py?

A shoot from darkness...:

# Devices listed under lvm_dev_whitelist in the [irs] section of vdsm.conf
USER_DEV_LIST = filter(None, config.get("irs", "lvm_dev_whitelist").split(","))


def _buildFilter(devices):
    strippeds = set(d.strip() for d in devices)
    strippeds.discard('')  # Who has put a blank here?
    strippeds = sorted(strippeds)
    dmPaths = [dev.replace(r'\x', r'\\x') for dev in strippeds]
    filt = '|'.join(dmPaths)
    if len(filt) > 0:
        filt = "'a|" + filt + "|', "

    # Everything not accepted above is rejected
    filt = "filter = [ " + filt + "'r|.*|' ]"
    return filt


def _buildConfig(devList):
    flt = _buildFilter(chain(devList, USER_DEV_LIST))
    conf = LVMCONF_TEMPLATE % flt
    return conf.replace("\n", " ")

So maybe lvm_dev_whitelist option in vdsm.conf ?

j.
Re: [ovirt-users] [ovirt 3.5.1] Attach sysprep floppy from the API
> I would like to attach a sysprep floppy to a Windows VM.
>
> Currently, I am able to configure the sysprep custom script from the API :
>
> PUT https://HOSTNAME/api/vms/{id}
> <vm>
>   <initialization>
>     <custom_script>{my content}</custom_script>
>   </initialization>
> </vm>
>
> After that, when I start the VM from the Web UI in RunOnce mode, I can attach the sysprep floppy to the VM.
>
> But how can I attach the sysprep floppy and start the VM in RunOnce mode from the API ?

iiuc it's payload stuff, see http://www.ovirt.org/Features/VMPayload

j.
[ovirt-users] Error while executing action Setup Networks: Could not connect to peer host
All thanks, after plural del host - add host_ - became all OK!
Re: [ovirt-users] oVirt timeouts
> pls, howto change oVirt timeouts for status :
> 1) node ( brick) is power down / up
> 2) volume status for node(brick) is up/down
>
> They are too long ( I'm expecting a few sec. not a lot of minutes )
> If it has some special reason, let me know about, pls.

I don't do glusterfs here but see *_options tables in the DB or engine-config -a output.

j.
Re: [ovirt-users] Ovirt PXE boot wierdness
> I have the engine running on separate HW with eth0 being the management interface
> I have 2 compute nodes with eth0 being the management interface and eth1 having a vlan trunk with all of the VM networks
>
> If I install a guest from the CD image it all works fine and picks up an IP from the DHCP server. However if I switch the boot order to PXE first the gPXE DHCP request times out. Using tcpdump I can see the DHCP discovery packets get as far out as the physical trunk interface eth1 (i.e. it gets past all of the virtual interfaces) but any other machines in that same VLAN don't see the DHCP request and neither does the DHCP server.
>
> My network settings are:
> Name: TestCluster
> External Provider: NO
> Network label: TC
> Enable VLAN tagging: 306
> VM network: YES
> MTU: Default 1500
>
> Under 'Setup Host Networks'
> Boot Protocol: DHCP
>
> Any ideas?

Is it really gPXE (which is not maintained anymore) or iPXE? If the former try to download iPXE, see ipxe.org.

What about iptables?

j.
Re: [ovirt-users] Ovirt-engine certificate SHA256
----- Original Message -----
> From: Kevin C ki...@kiven.fr
> To: users@ovirt.org
> Sent: Friday, June 12, 2015 5:19:37 PM
> Subject: [ovirt-users] Ovirt-engine certificate SHA256
>
> Hi list,
>
> Is it possible to renew the ovirt-engine certificate to generate a new one with SHA256 .

Never tried that, and as the certificate should not be exposed, it should not be very important.

However, you should be able to update /etc/pki/ovirt-engine/openssl.conf before installation and modify:

-default_md = sha1
+default_md = sha256

I am unsure how python (vdsm) will digest that.

Regards,
Alon
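
Review bot: the default_md change is described as applying "before installation", while the question asks about renewing the existing ovirt-engine certificate; these two lines alter only the digest default in /etc/pki/ovirt-engine/openssl.conf and do not re-issue anything already signed with sha1. The reply also leaves open how vdsm handles the result, so the change should be followed by a check of the signature algorithm on a newly issued certificate (for example with openssl x509 -noout -text) and a host connection test before it is relied on.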