[ovirt-users] VM Networking not working

[Christopher Lord]

I asked this on the IRC channel but I thought I'd ask here too.


I have set up a 3 node hosted-engine ovirt cluster. On each host I have bonded 
2 10Gb ports that I use for Storage, and 2 10Gb ports that I intend to use for 
VM traffic. However when I created my first VM and added a VLAN tagged network 
to it, the VM can't access any external network.


I can see the bond, and the bridge on the host. If I give the bridge an IP on 
the host it can access the network.


Also none of the network information is populated in the ovirt engine web ui 
for the VM. All the Guest Agent Data is blank.


Am I missing something? Please let me know what logs will be helpful to 
troubleshoot.


Thanks,


Chris
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Ondra Machacek]

On 05/26/2016 05:28 PM, Alexis HAUSER wrote:

This is really weird : If I manually run : dig _ldap._tcp.my_forst_name.com SRV


^_ldap


I can see the 4 AD servers in ANSWER, AUTHORITY and ADDITIONAL SECTION

If I use : pool.default.serverset.srvrecord.service = ldaps
In the logs I see this : "An error occurred while attempting to query DNS in order 
to retrieve SRV records with name '_ldaps._tcp.my_forest_name.com':"


^_ldaps



The same happens with : dig @any_of_the_4_AD_server 
_ldap._tcp.my_forest_name.com SRV


^_ldap



So why dig can resolve it but not ovirt ?


you use '_ldaps._tcp' in ovirt not '_ldap._tcp' as in dig.

And '_ldaps' is what's missing in your DNS.






If I understand correctly, you misunderstood meaning of 'vars.dns' variable.
This variables says what DNS server(s) should be used to send DNS
queries, instead of the
default one from /etc/resolv.conf.
So if you specify:
 vars.dns = dns://ad_server.mydomain.com
then aaa-ldap do following:
 $ dig @ad_server.mydomain.com
_ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
if you remove 'vars.dns' varibale then aaa-ldap does following:
 $ dig _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
so default DNS servers are used.



Interesting, now I understand better...



In config files no. The correct approach is configure DNS properly.
Because SRV record
provides you port on which that service operates. So I would suggest you
either create new SRV record named 'ldaps' with port 636(in your AD
DNS), or use startTLS with port 389.



"ldaps" is also a kind of conventional "microsoft SRV record" like _ldaps_tcp ?



Unfortunatelly using '_ldaps._tcp' is not any standart. But that's what 
usually people do if they can't use startTLS.




With startTLS I didn't have any success (and I don't really get why) :

"2016-05-26 17:23:36,535 WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] 
(ajp-/127.0.0.1:8702-6) [] [ovirt-engine-extension-aaa-ldap.authn::AD2-authn] Cannot 
initialize LDAP framework, deferring initialization. Error: : LdapErr: 
DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece"

"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class 
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=:
 LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece, 
Extkey[name=EXTENSION_INVOKE_RESULT;type=class 
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"




This message doesn't say much. Can you please send full Java exception 
stack trace?

Don't forget to also remove lines:

 pool.default.ssl.enable = true
 pool.default.serverset.srvrecord.service = ldaps
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] Hosted-Engine storage migration

[Beard Lionel (BOSTON-STORAGE)]

Hi,

I would like to migrate Hosted Engin VM from a NFS storage domain to another 
NFS one.
I have tried to move data and to update HostedEngine.conf and vm.conf but with 
no success.

Is there a procedure to perform this operation ?

Thanks !

Regards,
Lionel BEARD



Ce message et toutes les pi?ces jointes (ci-apr?s le "message") sont ?tablis ? 
l'intention exclusive de ses destinataires et sont confidentiels. Si vous 
recevez ce message par erreur ou s'il ne vous est pas destin?, merci de le 
d?truire ainsi que toute copie de votre syst?me et d'en avertir imm?diatement 
l'exp?diteur. Toute lecture non autoris?e, toute utilisation de ce message qui 
n'est pas conforme ? sa destination, toute diffusion ou toute publication, 
totale ou partielle, est interdite. L'Internet ne permettant pas d'assurer 
l'int?grit? de ce message ?lectronique susceptible d'alt?ration, l'exp?diteur 
(et ses filiales) d?cline(nt) toute responsabilit? au titre de ce message dans 
l'hypoth?se o? il aurait ?t? modifi? ou falsifi?.

This message and any attachments (the "message") is intended solely for the 
intended recipient(s) and is confidential. If you receive this message in 
error, or are not the intended recipient(s), please delete it and any copies 
from your systems and immediately notify the sender. Any unauthorized view, use 
that does not comply with its purpose, dissemination or disclosure, either 
whole or partial, is prohibited. Since the internet cannot guarantee the 
integrity of this message which may not be reliable, the sender (and its 
subsidiaries) shall not be liable for the message if modified or falsified.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] failing update ovirt-engine on centos 7

[Sandro Bonazzola]

Il 26/Mag/2016 12:50, "Yedidyah Bar David"  ha scritto:
>
> On Thu, May 26, 2016 at 1:21 PM, Pavel Gashev  wrote:
> > I had an issue with updating to 3.6.6. There were errors during
engine-setup:
> >
> > [ ERROR ] Yum Non-fatal POSTUN scriptlet failure in rpm package
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
> >
> > [ ERROR ] Yum Transaction close failed: Traceback (most recent call
last):   File "/usr/lib/python2.7/site-packages/otopi/miniyum.py", line
778, in endTransaction self.processTransaction()   File
"/usr/lib/python2.7/site-packages/otopi/miniyum.py", line 1064, in
processTransaction _('One or more elements within Yum transaction
failed') RuntimeError: One or more elements within Yum transaction failed
> >
> > ovirt-vmconsole has the following uninstall script:
> > postuninstall scriptlet (using /bin/sh):
> > if [ "$1" -ge "1" ]; then
> > semodule -i
"/usr/share/selinux/packages/ovirt-vmconsole/ovirt_vmconsole.pp"
> > fi
> >
> > In other words you can't update if you have SELINUX disabled.
> >
> > The workaround is the following:
> > ln -fs /bin/true /usr/sbin/semodule
>
> Thanks for the report. Adding Francesco.
>

Please open a bz on ovirt-vmconsole.

> >
> >
> > On 26/05/16 08:43, "users-boun...@ovirt.org on behalf of Yedidyah Bar
David"  wrote:
> >
> >>On Wed, May 25, 2016 at 9:11 PM, Fabrice Bacchella
> >> wrote:
> >>>
> >>> Le 25 mai 2016 à 17:25, Kapetanakis Giannis 
a
> >>> écrit :
> >>>
> >>> On 25/05/16 17:59, Fabrice Bacchella wrote:
> >>>
> >>> I have an dedicated machin to run ovirt-engine (not hosted). It's an
up to
> >>> date centos 7.2.1511
> >>>
> >>> I installed ovirt 3.6.6 a few weeks ago (May 10 17:56:44 tells me
yum.log)
> >>>
> >>> Now, I'm trying a full yum update and getting :
> >>> # yum update
> >>> 
> >>>
> >>> Error: Package: ovirt-engine-tools-3.6.5.3-1.el7.centos.noarch
(@ovirt-3.6)
> >>>Requires: ovirt-engine-tools-backup = 3.6.5.3-1.el7.centos
> >>>Removing:
ovirt-engine-tools-backup-3.6.5.3-1.el7.centos.noarch
> >>> (@ovirt-3.6)
> >>>ovirt-engine-tools-backup = 3.6.5.3-1.el7.centos
> >>>Updated By:
ovirt-engine-tools-backup-3.6.6.2-1.el7.centos.noarch
> >>> (ovirt-3.6)
> >>>ovirt-engine-tools-backup = 3.6.6.2-1.el7.centos
> >>>
> >>>
> >>>
> >>> Follow 3.6.6 release notes to update:
> >>> https://www.ovirt.org/release/3.6.6/
> >>>
> >>>
> >>> yum install
http://resources.ovirt.org/pub/yum-repo/ovirt-release36.rpm
> >>> yum update ovirt\*setup\*
> >>> and then run
> >>> engine-setup to update the rest of the packages.
> >>>
> >>>
> >>> I have seen this doc.
> >>>
> >>> It updates a few components and what about the others ? The readme
talk
> >>> about running engine-setup, but not that it will updates other
packages. I
> >>> thought that ovirt-engine is for engine setup, not upgrading.
> >>
> >>Right.
> >>
> >>After engine-setup finishes, you should 'yum update' to update the rest.
> >>
> >>And BTW, this specific issue about tools-backup was fixed in [1]. So a
> >>future 'yum update' should not emit this error - although the update
> >>sequence is still the same - add repos, update setup packages,
engine-setup,
> >>update the rest.
> >>
> >>[1] https://bugzilla.redhat.com/show_bug.cgi?id=1321249
> >>--
> >>Didi
> >>___
> >>Users mailing list
> >>Users@ovirt.org
> >>http://lists.ovirt.org/mailman/listinfo/users
> >
>
>
>
> --
> Didi
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] moVirt 1.4 RC1 (Android client for oVirt)

[Filip Krepinsky]

- Original Message -
> 
> 
> On Wed, May 25, 2016 at 6:32 PM, Michal Skrivanek < mskri...@redhat.com >
> wrote:
> 
> 
> 
> > On 25 May 2016, at 13:50, Tomas Jelinek < tjeli...@redhat.com > wrote:
> > 
> > Hey All,
> > 
> > the first RC of moVirt 1.4 has been released!
> > 
> > It can be downloaded only using direct link[1] - the play store will be
> > upgraded after considered stable.
> > 
> > The most important feature of this release was to enhance the dashboard so
> > it will look similar to the one coming to oVirt 4.0.
> > Screenshot attached.
> > 
> > Other changes:
> > - Added new dashboard functionality (virtual/physical consumption,
> > clickable cpu/memory consumption)
> > - Better UI (dashboard, adding/editing triggers)
> > - Better sorting in lists
> > - Memory units are now displayed correctly
> > - Fixed crashing bugs when looking at hosted engine
> > 
> > Would you like to help/contribute?
> > Sure, for example you can:
> > - give feedback on the new dashboard (the one from the attachment)
> 
> Looks great!

Thanks for the feedback everyone.

> 
> 
> 
> I guess the two lists in portrait mode are truncated all the time, it would
> probably make more sense to show only one column and switch hosts/vms via
> real/virtual toggle
> 
> Or show the top 5 VMs and below it, the top 5 hosts. This way the text isn't
> cut:

I think we should show only one list (hosts/vms) depending on the state of the 
view (physical/virtual), which I think will make more sense from UI perspective.

> 
> Most utilized VMs:
> abc-vm 107%
> def-vm 105%
> this-and-that-vm 44%
> 
> Most utilized hosts:
> this-host 27%
> that-host 30%
> 
> ...
> 
> 
> 
> 
> 
> > - download RC [1], test it and report bugs
> 
> Small nitpick - the color of the warning icon should not be yellow if there
> are no warnings.
> Y.

Yes this would be better for warnings and error events.

> 
> 
> > - patches are also welcome :)
> > 
> > have a nice day,
> > Tomas
> > 
> > [1]:
> > https://github.com/matobet/moVirt/blob/master/moVirt/moVirt-release.apk?raw=true
> > ___

The link to the APK has been updated to RC2 (units were changed to display by 
IEC standard - KiB, MiB, etc.)

> > Users mailing list

I will start working on the changes mentioned.
Filip

> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] iSCSI storage maintenance

[Martijn Grendelman]

Hi,

I have a simple oVirt setup, with one storage server and a couple of
hypervisors, running some 50 VMs. The storage server uses ZFS zvols,
exported over iSCSI with SCST. Now I want to do some maintenance on the
storage, specificly I want to update SCST to a new version.

I expect that the normal procedure for this would be:
- shutdown all VMs
- put storage domain into maintenance
- perform maintenance
- get everything back online

Now I know I can also take the following ugly shortcut:
- stop SCST daemon
- see all VMs go to Paused
- perform maintenance
- restart SCST
- resume all VMs or wait for them to resume themselves

The win being of course, that nothing has to be restarted/rebooted.
Extremely small scale testing (one running VM on a 20 GB test domain)
indicates, that this works like a charm. The VM resumes without a
problem and doesn't log anything storage related.

My question is: what are the risks involved in the shortcut scenario?

I understand that there are IOPS that never reach the disk, so they have
to be queued somewhere (inside Qemu I presume). What happens if this
happens with 50 VMs at once?

Best regards,
Martijn.

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Alexis HAUSER]

This is really weird : If I manually run : dig _ldap._tcp.my_forst_name.com SRV
I can see the 4 AD servers in ANSWER, AUTHORITY and ADDITIONAL SECTION

If I use : pool.default.serverset.srvrecord.service = ldaps
In the logs I see this : "An error occurred while attempting to query DNS in 
order to retrieve SRV records with name '_ldaps._tcp.my_forest_name.com':"

The same happens with : dig @any_of_the_4_AD_server 
_ldap._tcp.my_forest_name.com SRV

So why dig can resolve it but not ovirt ?



>If I understand correctly, you misunderstood meaning of 'vars.dns' variable.
>This variables says what DNS server(s) should be used to send DNS 
>queries, instead of the
>default one from /etc/resolv.conf.
>So if you specify:
>  vars.dns = dns://ad_server.mydomain.com
>then aaa-ldap do following:
>  $ dig @ad_server.mydomain.com 
>_ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
>if you remove 'vars.dns' varibale then aaa-ldap does following:
>  $ dig _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV
>so default DNS servers are used.


Interesting, now I understand better...


>In config files no. The correct approach is configure DNS properly. 
>Because SRV record
>provides you port on which that service operates. So I would suggest you 
>either create new SRV record named 'ldaps' with port 636(in your AD 
>DNS), or use startTLS with port 389.


"ldaps" is also a kind of conventional "microsoft SRV record" like _ldaps_tcp ?


With startTLS I didn't have any success (and I don't really get why) :

"2016-05-26 17:23:36,535 WARN  
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/127.0.0.1:8702-6) [] 
[ovirt-engine-extension-aaa-ldap.authn::AD2-authn] Cannot initialize LDAP 
framework, deferring initialization. Error: : LdapErr: DSID-0C090CF0, 
comment: Error initializing SSL/TLS, data 0, vece"

"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class 
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=:
 LdapErr: DSID-0C090CF0, comment: Error initializing SSL/TLS, data 0, vece, 
Extkey[name=EXTENSION_INVOKE_RESULT;type=class 
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Ondra Machacek]

On 05/26/2016 03:35 PM, Alexis HAUSER wrote:

So it means that aaa-ldap then tries to do following:
LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -H
ldaps://mydomain.com:389 -x -D 'CN=Something,DC=myserver,DC=come' -w
'mypaswd' -b 'CN=users,DC=something,DC=com'
Which won't work, because you do ldaps on 389 port. (I guess it don't
work, unless you changed default AD configuration)
What you need to do is to specify a port for ldaps service. It's
ussually done as I said before.


Yes that's true, it would work only with 636, not 389.


Yes, I understood that, and I said before, when I set 
"pool.default.serverset.srvrecord.service = ldaps", the parameter "vars.dns" is 
ignored by ovirt...
When I use "vars.dns = dns://ad_server.mydomain.com", restart ovirt-engine, attempt to 
login and then check the logs, I see in the logs it is still trying to use 
"_ldaps._tcp.university.mydomain.com" instead... It really totally ignore the vars.dns 
parameter !


If I understand correctly, you misunderstood meaning of 'vars.dns' variable.
This variables says what DNS server(s) should be used to send DNS 
queries, instead of the

default one from /etc/resolv.conf.

So if you specify:

 vars.dns = dns://ad_server.mydomain.com

then aaa-ldap do following:

 $ dig @ad_server.mydomain.com 
_ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV


if you remove 'vars.dns' varibale then aaa-ldap does following:

 $ dig _ldap._tcp.'pool.default.serverset.srvrecord.domain' SRV

so default DNS servers are used.



Now if use only "vars.dns = dns://ad_server.mydomain.com", and disable (comment) 
"pool.default.serverset.srvrecord.service = ldaps", in the logs, I see the right DNS used 
(ad_server.mydomain.com), but as you said, on the wrong port.

If I specify the port with "vars.dns = dns://ad_server.mydomain.com:636", I still see in 
the log it's trying to use port 389. Which mean the port number is totally ignore in 
"vars.dns" parameter.



To get more info how the
DNSSRVRecordServerSet works you can read this:
https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/DNSSRVRecordServerSet.html


Interesting, but here _ldap_tcp is not used. And I'm not a java delopper, I 
won't know how to do with these classes etc...



It seems to confirm what I said : this DNS entry doesn't seem to exist.



Yes, and it should, or you need to change
_ldap._tcp.university.mydomain.com SRV record to point on 636, or
configure 389 port to accept ldaps. That's just my guess.


So does it mean there is no way to specify to ovirt config files that I want to 
use another DNS on 636 port ?


In config files no. The correct approach is configure DNS properly. 
Because SRV record
provides you port on which that service operates. So I would suggest you 
either create new SRV record named 'ldaps' with port 636(in your AD 
DNS), or use startTLS with port 389.






Configurations looks OK, so you hit some bug, can you please opent a bz
for it? Thanks.


Ok, no problem, I'll do that.


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] SELinux and oVirt

[Cam Mac]

Hi Michal,

I re-installed the OS and then oVirt on that node, with SELinux enabled,
and that has resolved the issue.

Thanks for your help.

Cheers,

Cam

On Wed, May 25, 2016 at 7:24 PM, Michal Skrivanek 
wrote:

>
>
> On 25 May 2016, at 19:29, Cam Mac  wrote:
>
> Hi Michal,
>
> Ran restorecon -r on '/' (and restarted vdsmd and other services): it is
> still getting selinux errors. I'd like to keep selinux running, especially
> as it is officially supported
>
>
> Yeah. Hm, dunno why it didn't work, perhaps the config is not set up
> correctly. I thought redeploy would fix it but I don't really know the
> deployment code so maybe I'm wrong
>
> (and works on the other node), so I guess the best option is to reinstall
> the OS and then install ovirt again perhaps.
>
>
> That's the most easy way out, yes:)
>
> Thanks,
> michal
>
>
> Thanks,
>
> Campbell
>
> On Wed, May 25, 2016 at 6:15 PM, Michal Skrivanek 
> wrote:
>
>>
>>
>> On 25 May 2016, at 19:12, Cam Mac  wrote:
>>
>> I'll try that - presumably on the paths it is complaining about, and the
>> qemu binarys?
>>
>>
>> It shouldn't hurt on /, it should only help:)
>> And if it complains e.g. on attached nfs, the i suppose you need to run
>> it there too
>>
>>
>>
>> On Wed, May 25, 2016 at 4:59 PM, Michal Skrivanek <
>> michal.skriva...@redhat.com> wrote:
>>
>>>
>>> On 25 May 2016, at 17:35, Cam Mac  wrote:
>>>
>>> Hi Michal,
>>>
>>> I chose the 'reinstall node' option from the GUI menu, which appeared to
>>> go ok, however, I still cannot create or migrate a VM on that node. I can
>>> see selinux 'denied' messages relating to qemu-kvm, e.g.:
>>>
>>> type=AVC msg=audit(1464189232.136:251): avc:  denied  { read } for
>>>  pid=4019 comm="qemu-kvm" name="65ab-b33a-483a-af46-76f7305e2ae5"
>>> dev="sda2" ino=35401 scontext=system_
>>> u:system_r:svirt_t:s0:c720,c927
>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=lnk_file
>>>
>>> There are a number of errors in the vdsm log but I assume that relates
>>> to selinux blocking it. So perhaps I need to remove all the ovirt packages
>>> manually, or perhaps re-install the OS as well? I guess either of those
>>> options involves complications with certificates and WWIDs for the attached
>>> SAN.
>>>
>>> Or could I somehow generate selinux labels?
>>>
>>>
>>> yeah, I think it didn’t happen. I though we do relabelling as part of
>>> deploy
>>> How about running "restorecon -r” now?
>>>
>>>
>>> These nodes + engine are not yet production, though I'd prefer to fix
>>> than restart entirely from scratch.
>>>
>>> Thanks for any help.
>>>
>>> regards,
>>>
>>> Campbell
>>>
>>>
>>> On Wed, May 11, 2016 at 3:13 PM, Cam Mac  wrote:
>>>
 Ah, ok that makes sense. For the node, is it enough to use the
 'reinstall node' option from the GUI, or is it better to reinstall the OS
 and then deploy it again?

 Thanks,

 Cam

 On Wed, May 11, 2016 at 2:40 PM, Michal Skrivanek <
 michal.skriva...@redhat.com> wrote:

>
> On 11 May 2016, at 15:24, Cam Mac  wrote:
>
> Thanks Michal, if reinstalling the engine, (which also had SELinux
> disabled at install), would the best way be to backup the engine and then
> restore just the ovirt config?
>
>
> for engine..well, VM security is not related to that, those are
> running on hypervisors, not the engine. So for any functionality/security
> it’s irrelevant what SELinux state it’s in
> I’m not sure if relabeling with restorecon is not enough (it sould
> work also on nodes, but as I said, it’s likely more safe to reinstall just
> to be really really sure:)
> Simone, am I right about the restorecon for engine?
>
>
> Cheers,
>
> Cam
>
> On Wed, May 11, 2016 at 2:14 PM, Michal Skrivanek <
> michal.skriva...@redhat.com> wrote:
>
>>
>> > On 11 May 2016, at 15:02, Cam Mac  wrote:
>> >
>> > Hi,
>> >
>> > In the oVirt guide, it says that "SELinux is being used by default
>> on oVirt Node", but then goes on to say that if you have problems you
>> should set it to permissive mode. I have had a few things fail due to 
>> being
>> blocked by SELinux on a node I later enabled SELinux on, as it was off at
>> install time. The other node which has had SELinux on from the start and 
>> so
>> far has not had any oVirt operations blocked. I am guessing that the 
>> oVirt
>> install process creates the necessary rules to allow vdsm to run under
>> SELinux. So if you want to set SELinux to enforcing after installation, 
>> is
>> there a script to do this, or is it better to just reinstall the node or
>> engine, rather than trying to work out the individual exceptions?
>>
>> For oVirt node it’s easier to reinstall it, it doesn’t persist 

Re: [ovirt-users] Changing Cluster CPU Type in a single Host with Hosted Engine environment

[Martin Polednik]

On 26/05/16 13:01 +, Ralf Braendli wrote:

Hi

Thanks a lot for you help.
Just to be sure.
The Database would be the Datebase on the HostedEngine right ?


Right.


After this operation should it work directly or is a restart required ?


You should most likely restart the machine (to avoid hitting cached
values).


And for the Bug report this should be done here 
https://bugzilla.redhat.com/enter_bug.cgi?classification=oVirt ?


Yes (ovirt-engine, virt team).


Best Regards

Ralf Brändli


Am 26.05.2016 um 14:42 schrieb Martin Polednik :

On 26/05/16 07:12 +, Ralf Braendli wrote:

Hi

I have the Problem that I selected the wrong CPU Type throw the setup process.
Is it posible to change it without an new installation ?


Hi!

I'm afraid this may not be possible using "regular" approach. You
could do this by directly changing the cpu type in database, but this
is not supported operation.

Just an example what would I do in this case (but proceed carefully
before changing anything in the DB):

$ su - postgres -c "psql -t engine -c \"SELECT
split_part(trim(regexp_split_to_table(option_value, ';')), ':', 2)
FROM vdc_options WHERE option_name = 'ServerCPUList' AND version =
'3.5';\""

gives you a nice list of supported cpu names (the database name must
be exact, so it's better to paste from that list.

Intel Conroe Family
Intel Penryn Family
Intel Nehalem Family
Intel Westmere Family
Intel SandyBridge Family
Intel Haswell-noTSX Family
Intel Haswell Family
Intel Broadwell-noTSX Family
Intel Broadwell Family
AMD Opteron G1
AMD Opteron G2
AMD Opteron G3
AMD Opteron G4
AMD Opteron G5
IBM POWER8

Then you can update the cluster directly:

$ su - postgres -c "psql -t engine -c \"UPDATE cluster SET cpu_name =
'YOUR CPU NAME' WHERE name = 'YOUR CLUSTER NAME';\""

('YOUR CPU NAME' and 'YOUR CLUSTER NAME' must of course correspond to
the cpu name from the list above and the name of the cluster
respectively)

Also, could you open a bug on this? I think we should be able to do
change the CPU type without all this.

Thanks,
mpolednik


We have a single Host with a Hosted Engine installed.
With this installation I can’t put the Host into Maintenance Mode because the 
Hosted Engine will run on this Host.

The Version we us is 3.5.5-1

Best Regards

Ralf Brändli
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Changing Cluster CPU Type in a single Host with Hosted Engine environment

[Ralf Braendli]

Hi

Thanks a lot for you help.
Just to be sure.
The Database would be the Datebase on the HostedEngine right ?
After this operation should it work directly or is a restart required ?

And for the Bug report this should be done here 
https://bugzilla.redhat.com/enter_bug.cgi?classification=oVirt ?

Best Regards

Ralf Brändli

> Am 26.05.2016 um 14:42 schrieb Martin Polednik :
> 
> On 26/05/16 07:12 +, Ralf Braendli wrote:
>> Hi
>> 
>> I have the Problem that I selected the wrong CPU Type throw the setup 
>> process.
>> Is it posible to change it without an new installation ?
> 
> Hi!
> 
> I'm afraid this may not be possible using "regular" approach. You
> could do this by directly changing the cpu type in database, but this
> is not supported operation.
> 
> Just an example what would I do in this case (but proceed carefully
> before changing anything in the DB):
> 
> $ su - postgres -c "psql -t engine -c \"SELECT
> split_part(trim(regexp_split_to_table(option_value, ';')), ':', 2)
> FROM vdc_options WHERE option_name = 'ServerCPUList' AND version =
> '3.5';\""
> 
> gives you a nice list of supported cpu names (the database name must
> be exact, so it's better to paste from that list.
> 
> Intel Conroe Family
> Intel Penryn Family
> Intel Nehalem Family
> Intel Westmere Family
> Intel SandyBridge Family
> Intel Haswell-noTSX Family
> Intel Haswell Family
> Intel Broadwell-noTSX Family
> Intel Broadwell Family
> AMD Opteron G1
> AMD Opteron G2
> AMD Opteron G3
> AMD Opteron G4
> AMD Opteron G5
> IBM POWER8
> 
> Then you can update the cluster directly:
> 
> $ su - postgres -c "psql -t engine -c \"UPDATE cluster SET cpu_name =
> 'YOUR CPU NAME' WHERE name = 'YOUR CLUSTER NAME';\""
> 
> ('YOUR CPU NAME' and 'YOUR CLUSTER NAME' must of course correspond to
> the cpu name from the list above and the name of the cluster
> respectively)
> 
> Also, could you open a bug on this? I think we should be able to do
> change the CPU type without all this.
> 
> Thanks,
> mpolednik
> 
>> We have a single Host with a Hosted Engine installed.
>> With this installation I can’t put the Host into Maintenance Mode because 
>> the Hosted Engine will run on this Host.
>> 
>> The Version we us is 3.5.5-1
>> 
>> Best Regards
>> 
>> Ralf Brändli
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Changing Cluster CPU Type in a single Host with Hosted Engine environment

[Martin Polednik]

On 26/05/16 07:12 +, Ralf Braendli wrote:

Hi

I have the Problem that I selected the wrong CPU Type throw the setup process.
Is it posible to change it without an new installation ?


Hi!

I'm afraid this may not be possible using "regular" approach. You
could do this by directly changing the cpu type in database, but this
is not supported operation.

Just an example what would I do in this case (but proceed carefully
before changing anything in the DB):

$ su - postgres -c "psql -t engine -c \"SELECT
split_part(trim(regexp_split_to_table(option_value, ';')), ':', 2)
FROM vdc_options WHERE option_name = 'ServerCPUList' AND version =
'3.5';\""

gives you a nice list of supported cpu names (the database name must
be exact, so it's better to paste from that list.

Intel Conroe Family
Intel Penryn Family
Intel Nehalem Family
Intel Westmere Family
Intel SandyBridge Family
Intel Haswell-noTSX Family
Intel Haswell Family
Intel Broadwell-noTSX Family
Intel Broadwell Family
AMD Opteron G1
AMD Opteron G2
AMD Opteron G3
AMD Opteron G4
AMD Opteron G5
IBM POWER8

Then you can update the cluster directly:

$ su - postgres -c "psql -t engine -c \"UPDATE cluster SET cpu_name =
'YOUR CPU NAME' WHERE name = 'YOUR CLUSTER NAME';\""

('YOUR CPU NAME' and 'YOUR CLUSTER NAME' must of course correspond to
the cpu name from the list above and the name of the cluster
respectively)

Also, could you open a bug on this? I think we should be able to do
change the CPU type without all this.

Thanks,
mpolednik


We have a single Host with a Hosted Engine installed.
With this installation I can’t put the Host into Maintenance Mode because the 
Hosted Engine will run on this Host.

The Version we us is 3.5.5-1

Best Regards

Ralf Brändli
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Ondra Machacek]

On 05/26/2016 11:56 AM, Alexis HAUSER wrote:

Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ? On 
the DNS server I'm using ?

On DNS you are using, usually on AD DNS.


Well actually this DNS name doesn't exist and seem to be only an unspecified 
variable in ovirt...I have no reason to create a DNS entry for it.


If you run:

 $ dig @one_of_the_adservers.com _ldaps._tcp.mydomain.com SRV

you will get something like this:

 ;; ANSWER SECTION:
 _ldap._tcp.mydomain.com 600 IN SRV 0 100 389 server1.mydomain.com.
 _ldap._tcp.mydomain.com. 600 IN SRV 0 100 389 server2.mydomain.com.

So it means that aaa-ldap then tries to do following:

LDAPTLS_CACERT=/somewhere/myca.pem ldapsearch -H 
ldaps://mydomain.com:389 -x -D 'CN=Something,DC=myserver,DC=come' -w 
'mypaswd' -b 'CN=users,DC=something,DC=com'


Which won't work, because you do ldaps on 389 port. (I guess it don't 
work, unless you changed default AD configuration)


What you need to do is to specify a port for ldaps service. It's 
ussually done as I said before. To get more info how the 
DNSSRVRecordServerSet works you can read this:



https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/DNSSRVRecordServerSet.html



I think you missed my previous mail (with the error logs with different 
parameters for DNS) :)


Actually, it's using ldaps yes. It doesnt solve my issue but I don't know where 
this DNS server comes from, I think it doesn't exist...



In AD startTLS usually works by default, strange. Why you disable it?


Here we're using ldaps



I tried to configure it by adding vars.dns = dns://one_of_the_adservers.com and the same 
with ":636" at the end, but none of them works, it's still trying to reach this 
weird address with underlines : _ldaps._tcp.university.mydomain.com



This error means, that you don't have SRV record for
'_ldaps._tcp.university.mydomain.com'. You need to create first, before
changing aaa-ldap configuration.



You can check if it's resolvable, by running following command:



 $ dig @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV



dig @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> 
@one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29630
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldaps._tcp.university.mydomain.com. INSRV

;; AUTHORITY SECTION:
university.mydomain.com. 3600   IN  SOA one_of_the_adservers.com. 
another_server.com. 36174 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Thu May 26 11:36:43 2016
;; MSG SIZE  rcvd: 134

It seems to confirm what I said : this DNS entry doesn't seem to exist.


Yes, and it should, or you need to change 
_ldap._tcp.university.mydomain.com SRV record to point on 636, or 
configure 389 port to accept ldaps. That's just my guess.






Actually that's what I said : only .properties file are detected. The problem is about the 
namespaces : when LDAP.properties file and AD.properties file are activated, the 
>>namespace suggested in the web interface in the user tab, when choosing AD, is the 
DN of the LDAP...Which seems to be a bugNamespaces of everything are mixed...And if I 
>>select internal and then select again AD, a new namespace appears : * (from 
internal).
This a weird behavior, right ?




Yes, that's weird, but I guess it's misconfigured. Doesn't your names of
extensions conflict?
I think that you combine values(names) 'ovirt.engine.extension.name' for
both AD and OpenLDAP. It should differ. Can you post those configurations?


Actually I don't have any ovirt.engine.extension.name parameter in the 
aaa/.properties
If you mean the authn and authz files, here they are (is that single line with 
ovirt-engine/ at the end of the first (AD) authz a normal thing...?)  :


No it's not, 'ovirt-engine/' shouldn't be there.



AD :

ovirt.engine.extension.name = AD-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/AD.properties
ovirt-engine/

ovirt.engine.extension.name = AD-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = AD
ovirt.engine.aaa.authn.authz.plugin = AD-authz
config.profile.file.1 = 

Re: [ovirt-users] failing update ovirt-engine on centos 7

[Yedidyah Bar David]

On Thu, May 26, 2016 at 1:21 PM, Pavel Gashev  wrote:
> I had an issue with updating to 3.6.6. There were errors during engine-setup:
>
> [ ERROR ] Yum Non-fatal POSTUN scriptlet failure in rpm package 
> ovirt-vmconsole-1.0.0-1.el7.centos.noarch
>
> [ ERROR ] Yum Transaction close failed: Traceback (most recent call last):   
> File "/usr/lib/python2.7/site-packages/otopi/miniyum.py", line 778, in 
> endTransaction self.processTransaction()   File 
> "/usr/lib/python2.7/site-packages/otopi/miniyum.py", line 1064, in 
> processTransaction _('One or more elements within Yum transaction 
> failed') RuntimeError: One or more elements within Yum transaction failed
>
> ovirt-vmconsole has the following uninstall script:
> postuninstall scriptlet (using /bin/sh):
> if [ "$1" -ge "1" ]; then
> semodule -i 
> "/usr/share/selinux/packages/ovirt-vmconsole/ovirt_vmconsole.pp"
> fi
>
> In other words you can't update if you have SELINUX disabled.
>
> The workaround is the following:
> ln -fs /bin/true /usr/sbin/semodule

Thanks for the report. Adding Francesco.

>
>
> On 26/05/16 08:43, "users-boun...@ovirt.org on behalf of Yedidyah Bar David" 
>  wrote:
>
>>On Wed, May 25, 2016 at 9:11 PM, Fabrice Bacchella
>> wrote:
>>>
>>> Le 25 mai 2016 à 17:25, Kapetanakis Giannis  a
>>> écrit :
>>>
>>> On 25/05/16 17:59, Fabrice Bacchella wrote:
>>>
>>> I have an dedicated machin to run ovirt-engine (not hosted). It's an up to
>>> date centos 7.2.1511
>>>
>>> I installed ovirt 3.6.6 a few weeks ago (May 10 17:56:44 tells me yum.log)
>>>
>>> Now, I'm trying a full yum update and getting :
>>> # yum update
>>> 
>>>
>>> Error: Package: ovirt-engine-tools-3.6.5.3-1.el7.centos.noarch (@ovirt-3.6)
>>>Requires: ovirt-engine-tools-backup = 3.6.5.3-1.el7.centos
>>>Removing: ovirt-engine-tools-backup-3.6.5.3-1.el7.centos.noarch
>>> (@ovirt-3.6)
>>>ovirt-engine-tools-backup = 3.6.5.3-1.el7.centos
>>>Updated By: ovirt-engine-tools-backup-3.6.6.2-1.el7.centos.noarch
>>> (ovirt-3.6)
>>>ovirt-engine-tools-backup = 3.6.6.2-1.el7.centos
>>>
>>>
>>>
>>> Follow 3.6.6 release notes to update:
>>> https://www.ovirt.org/release/3.6.6/
>>>
>>>
>>> yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release36.rpm
>>> yum update ovirt\*setup\*
>>> and then run
>>> engine-setup to update the rest of the packages.
>>>
>>>
>>> I have seen this doc.
>>>
>>> It updates a few components and what about the others ? The readme talk
>>> about running engine-setup, but not that it will updates other packages. I
>>> thought that ovirt-engine is for engine setup, not upgrading.
>>
>>Right.
>>
>>After engine-setup finishes, you should 'yum update' to update the rest.
>>
>>And BTW, this specific issue about tools-backup was fixed in [1]. So a
>>future 'yum update' should not emit this error - although the update
>>sequence is still the same - add repos, update setup packages, engine-setup,
>>update the rest.
>>
>>[1] https://bugzilla.redhat.com/show_bug.cgi?id=1321249
>>--
>>Didi
>>___
>>Users mailing list
>>Users@ovirt.org
>>http://lists.ovirt.org/mailman/listinfo/users
>



-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] failing update ovirt-engine on centos 7

[Pavel Gashev]

I had an issue with updating to 3.6.6. There were errors during engine-setup:

[ ERROR ] Yum Non-fatal POSTUN scriptlet failure in rpm package 
ovirt-vmconsole-1.0.0-1.el7.centos.noarch

[ ERROR ] Yum Transaction close failed: Traceback (most recent call last):   
File "/usr/lib/python2.7/site-packages/otopi/miniyum.py", line 778, in 
endTransaction self.processTransaction()   File 
"/usr/lib/python2.7/site-packages/otopi/miniyum.py", line 1064, in 
processTransaction _('One or more elements within Yum transaction failed') 
RuntimeError: One or more elements within Yum transaction failed
 
ovirt-vmconsole has the following uninstall script:
postuninstall scriptlet (using /bin/sh): 
if [ "$1" -ge "1" ]; then
semodule -i 
"/usr/share/selinux/packages/ovirt-vmconsole/ovirt_vmconsole.pp"
fi

In other words you can't update if you have SELINUX disabled.

The workaround is the following:
ln -fs /bin/true /usr/sbin/semodule


On 26/05/16 08:43, "users-boun...@ovirt.org on behalf of Yedidyah Bar David" 
 wrote:

>On Wed, May 25, 2016 at 9:11 PM, Fabrice Bacchella
> wrote:
>>
>> Le 25 mai 2016 à 17:25, Kapetanakis Giannis  a
>> écrit :
>>
>> On 25/05/16 17:59, Fabrice Bacchella wrote:
>>
>> I have an dedicated machin to run ovirt-engine (not hosted). It's an up to
>> date centos 7.2.1511
>>
>> I installed ovirt 3.6.6 a few weeks ago (May 10 17:56:44 tells me yum.log)
>>
>> Now, I'm trying a full yum update and getting :
>> # yum update
>> 
>>
>> Error: Package: ovirt-engine-tools-3.6.5.3-1.el7.centos.noarch (@ovirt-3.6)
>>Requires: ovirt-engine-tools-backup = 3.6.5.3-1.el7.centos
>>Removing: ovirt-engine-tools-backup-3.6.5.3-1.el7.centos.noarch
>> (@ovirt-3.6)
>>ovirt-engine-tools-backup = 3.6.5.3-1.el7.centos
>>Updated By: ovirt-engine-tools-backup-3.6.6.2-1.el7.centos.noarch
>> (ovirt-3.6)
>>ovirt-engine-tools-backup = 3.6.6.2-1.el7.centos
>>
>>
>>
>> Follow 3.6.6 release notes to update:
>> https://www.ovirt.org/release/3.6.6/
>>
>>
>> yum install http://resources.ovirt.org/pub/yum-repo/ovirt-release36.rpm
>> yum update ovirt\*setup\*
>> and then run
>> engine-setup to update the rest of the packages.
>>
>>
>> I have seen this doc.
>>
>> It updates a few components and what about the others ? The readme talk
>> about running engine-setup, but not that it will updates other packages. I
>> thought that ovirt-engine is for engine setup, not upgrading.
>
>Right.
>
>After engine-setup finishes, you should 'yum update' to update the rest.
>
>And BTW, this specific issue about tools-backup was fixed in [1]. So a
>future 'yum update' should not emit this error - although the update
>sequence is still the same - add repos, update setup packages, engine-setup,
>update the rest.
>
>[1] https://bugzilla.redhat.com/show_bug.cgi?id=1321249
>-- 
>Didi
>___
>Users mailing list
>Users@ovirt.org
>http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Alexis HAUSER]

>> Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ? On 
>> the DNS server I'm using ?
>On DNS you are using, usually on AD DNS.

Well actually this DNS name doesn't exist and seem to be only an unspecified 
variable in ovirt...I have no reason to create a DNS entry for it.

I think you missed my previous mail (with the error logs with different 
parameters for DNS) :)

>> Actually, it's using ldaps yes. It doesnt solve my issue but I don't know 
>> where this DNS server comes from, I think it doesn't exist...

>In AD startTLS usually works by default, strange. Why you disable it?

Here we're using ldaps

>
> I tried to configure it by adding vars.dns = dns://one_of_the_adservers.com 
> and the same with ":636" at the end, but none of them works, it's still 
> trying to reach this weird address with underlines : 
> _ldaps._tcp.university.mydomain.com

>This error means, that you don't have SRV record for 
>'_ldaps._tcp.university.mydomain.com'. You need to create first, before 
>changing aaa-ldap configuration.

>You can check if it's resolvable, by running following command:

>  $ dig @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV


dig @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 <<>> 
@one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29630
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldaps._tcp.university.mydomain.com. INSRV

;; AUTHORITY SECTION:
university.mydomain.com. 3600   IN  SOA one_of_the_adservers.com. 
another_server.com. 36174 900 600 86400 3600

;; Query time: 5 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Thu May 26 11:36:43 2016
;; MSG SIZE  rcvd: 134

It seems to confirm what I said : this DNS entry doesn't seem to exist.


>> Actually that's what I said : only .properties file are detected. The 
>> problem is about the namespaces : when LDAP.properties file and 
>> AD.properties file are activated, the >>namespace suggested in the web 
>> interface in the user tab, when choosing AD, is the DN of the LDAP...Which 
>> seems to be a bugNamespaces of everything are mixed...And if I >>select 
>> internal and then select again AD, a new namespace appears : * (from 
>> internal).
>> This a weird behavior, right ?
>>

>Yes, that's weird, but I guess it's misconfigured. Doesn't your names of 
>extensions conflict?
>I think that you combine values(names) 'ovirt.engine.extension.name' for 
>both AD and OpenLDAP. It should differ. Can you post those configurations?

Actually I don't have any ovirt.engine.extension.name parameter in the 
aaa/.properties
If you mean the authn and authz files, here they are (is that single line with 
ovirt-engine/ at the end of the first (AD) authz a normal thing...?)  :

AD :

ovirt.engine.extension.name = AD-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/AD.properties
ovirt-engine/

ovirt.engine.extension.name = AD-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = AD
ovirt.engine.aaa.authn.authz.plugin = AD-authz
config.profile.file.1 = ../aaa/AD.properties


LDAP :

ovirt.engine.extension.name = public-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/public.properties

ovirt.engine.extension.name = public-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = public
ovirt.engine.aaa.authn.authz.plugin = public-authz
config.profile.file.1 = ../aaa/public.properties




___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Ondra Machacek]

On 05/26/2016 10:11 AM, Alexis HAUSER wrote:

You use 389 with SSL? I guess you wrongly specified it.
But, if you want to use SSL and you have it on 636, then you should
create new SRV dns
records for example: _ldaps._tcp.university.mydomain.com ... 636


Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ? On 
the DNS server I'm using ?


On DNS you are using, usually on AD DNS.




and then change:
 pool.default.serverset.srvrecord.service=ldaps
But I guess you wanted to use startTLS with 389, which you can enable by
adding:
 pool.default.ssl.startTLS=true
and remove line:
 pool.default.ssl.enable=true
Does it solve your issue?


Actually, it's using ldaps yes. It doesnt solve my issue but I don't know where 
this DNS server comes from, I think it doesn't exist...


In AD startTLS usually works by default, strange. Why you disable it?



I tried to configure it by adding vars.dns = dns://one_of_the_adservers.com and the same 
with ":636" at the end, but none of them works, it's still trying to reach this 
weird address with underlines : _ldaps._tcp.university.mydomain.com

"2016-05-26 09:54:52,872 WARN  [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] 
(ajp-/127.0.0.1:8702-7) [] [ovirt-engine-extension-aaa-ldap.authn::AD-authn] Cannot 
initialize LDAP framework, deferring initialization. Error: An error occurred while 
attempting to query DNS in order to retrieve SRV records with name 
'_ldaps._tcp.university.mydomain.com':  javax.naming.NameNotFoundException: DNS name not 
found [response code 3]; remaining name '_ldaps._tcp.campus.enst-bretagne.fr'"


This error means, that you don't have SRV record for 
'_ldaps._tcp.university.mydomain.com'. You need to create first, before 
changing aaa-ldap configuration.


You can check if it's resolvable, by running following command:

 $ dig @one_of_the_adservers.com _ldaps._tcp.university.mydomain.com SRV




I meant I had to disable the LDAP (openLDAP) profile, renaming the file with .save so 
ovirt doesn't detect them. If both profiles are activated, ovirt-web interface 
propose >>me the DN of the LDAP into AD (in namespace field)... Is that a bug 
or normal behavior ?


Hmm, that's strange, because only files with *.properties suffix should
be detected and used. So yes please open bz that also other suffixes are
loaded.


Actually that's what I said : only .properties file are detected. The problem 
is about the namespaces : when LDAP.properties file and AD.properties file are 
activated, the namespace suggested in the web interface in the user tab, when 
choosing AD, is the DN of the LDAP...Which seems to be a bugNamespaces of 
everything are mixed...And if I select internal and then select again AD, a new 
namespace appears : * (from internal).
This a weird behavior, right ?



Yes, that's weird, but I guess it's misconfigured. Doesn't your names of 
extensions conflict?
I think that you combine values(names) 'ovirt.engine.extension.name' for 
both AD and OpenLDAP. It should differ. Can you post those configurations?

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Alexis HAUSER]

>Please don't port 636 for DNS server, 636 is only for LDAPS protocol:
>vars.dns = dns://one.of.adservers.com
​
Ok, but as I explained, even without using 636, the result is the same.

When using the option "pool.default.serverset.srvrecord.service = ldaps" and 
"dns://one.of.adservers.com"

I get the following error (it still trying to point to the wrong adress)


"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class 
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=An
 error occurred while attempting to query DNS in order to retrieve SRV records 
with name 'ldaps._tcp.university.mydomain.com':  
javax.naming.NameNotFoundException: DNS name not found [response code 3]; 
remaining name 'ldaps._tcp.university.mydomain.com', 
Extkey[name=EXTENSION_INVOKE_RESULT;type=class 
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"


when disabling (commenting the line) "pool.default.serverset.srvrecord.service 
= ldaps" I get the following error :


"{Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class 
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=An
 error occurred while attempting to connect to server one.of.adservers.com:389: 
 java.io.IOException: LDAPException(resultCode=91 (connect error), 
errorMessage='Unable to verify an attempt to to establish a secure connection 
to 'one.of.adservers.com:389' because an unexpected error was encountered 
during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer 
not authenticated') caused by LDAPException(resultCode=91 (connect error), 
errorMessage='Unable to verify an attempt to to establish a secure connection 
to 'one.of.adservers.com:389' because an unexpected error was encountered 
during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer 
not authenticated')LDAPException(resultCode=91 (connect error), 
errorMessage='Unable to verify an attempt to to establish a secure connection 
to 'one.of.adservers.com:389' because an unexpected error was encountered 
during validation processing:  javax.net.ssl.SSLPeerUnverifiedException: peer 
not authenticated') caused by javax.net.ssl.SSLPeerUnverifiedException: peer 
not authenticated, Extkey[name=EXTENSION_INVOKE_RESULT;type=class 
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2}"


So I think I need a way to combine both of them, but using the right dns, what 
option can do that ?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Fwd: Struggling to get the network work

[Edward Haas]

On Wed, May 25, 2016 at 2:28 PM, Anantha Raghava <
rag...@exzatechconsulting.com> wrote:

>
> Hi,
>
> Just to add on the previous mail, the vNIC is added over a Physical NIC
> that does not have any IP address, but enabled and connected.
>
> --
>
> Thanks & Regards,
>
>
> Anantha Raghava
>  Forwarded Message 
> Subject: Struggling to get the network work
> Date: Wed, 25 May 2016 15:41:06 +0530
> From: Anantha Raghava 
> 
> Reply-To: rag...@exzatechconsulting.com
> Organization: eXza Technology Consulting & Services
> To: users  
>
>
> Hi,
>
> I have a peculiar problem with oVirt 3.6. Any VM connected to ovrtmgmt is
> working absolutely fine, bu the VMs (Windows Guests) in different VLANs say
> 10, 32, 34, 40, 48 & 69 are not able to even ping their respective
> gateways. In other words, network packets are not coming out of the VMs at
> all.
>
> 1. Our infrastructure consists of Lenovo Flex Chassis with 3 Lenovo x240
> Compute nodes. All nodes are up and running and VMs are also created and
> guest OS installed.
> 2. Chassis switch has a trunk port that carries all VLAN traffic.
> 3. I have created logical networks and added VLAN tags (10, 32, 24, 40, 48
> & 69).
> 4. I have attached the vNIC to each host and assigned static IP in
> respective VLANs. For example in VLAN 32, the vNIC is assigned with
> 172.20.101.70, subnet: 255.255.255.192, Gateway: 172.20.101.65
> 5. VMs are mapped with respective vNIC and assigned IPs in respective
> VLAN. For Example, VM in VLAN 32 has 172.20.101.79 as IP, 255.255.255.192
> as subnet and 172.20.101.65 as gateway.
>
> Now, VM is able to ping vNIC in VLAN 32, but neither VM is able to ping
> the gateway nor hosts are able to ping vNIC or the VM.
>
> We even attempted with replacing a trunk port with access port, but same
> issue continues.
>
> What could have gone wrong? Any thing missing on oVirt configuration?
>
> A quick help is highly appreciated.
>
> --
>
>
> --
>
> Thanks & Regards,
>
>
> Anantha Raghava
>
>
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
Only a guess: On the VM OS, do not define any VLAN on its vnics. Each VM
that is assigned to a vlan network on the host will have its traffic tagged
only when traffic will go out of the network to the 'world'. So the VM is
not aware that the traffic will be tagged when passing through the host.

If this is not the case, please share the screenshots of what you
configured for one of the networks (including the vnic) and on the VM.

Thanks,
Edy.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Martin Perina]

On Thu, May 26, 2016 at 10:11 AM, Alexis HAUSER <
alexis.hau...@telecom-bretagne.eu> wrote:

> >You use 389 with SSL? I guess you wrongly specified it.
> >But, if you want to use SSL and you have it on 636, then you should
> >create new SRV dns
> >records for example: _ldaps._tcp.university.mydomain.com ... 636
>
> Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ?
> On the DNS server I'm using ?
>
> >and then change:
> >  pool.default.serverset.srvrecord.service=ldaps
> >But I guess you wanted to use startTLS with 389, which you can enable by
> >adding:
> >  pool.default.ssl.startTLS=true
> >and remove line:
> >  pool.default.ssl.enable=true
> >Does it solve your issue?
>
> Actually, it's using ldaps yes. It doesnt solve my issue but I don't know
> where this DNS server comes from, I think it doesn't exist...
>
> I tried to configure it by adding vars.dns = dns://
> one_of_the_adservers.com and the same with ":636" at the end, but none of
> them works, it's still trying to reach this weird address with underlines :
> _ldaps._tcp.university.mydomain.com


​Please don't port 636 for DNS server, 636 is only for LDAPS protocol:

vars.dns = dns://one.of.adservers.com
​

>
>
> "2016-05-26 09:54:52,872 WARN
> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/127.0.0.1:8702-7)
> [] [ovirt-engine-extension-aaa-ldap.authn::AD-authn] Cannot initialize LDAP
> framework, deferring initialization. Error: An error occurred while
> attempting to query DNS in order to retrieve SRV records with name '_ldaps._
> tcp.university.mydomain.com':  javax.naming.NameNotFoundException: DNS
> name not found [response code 3]; remaining name '_ldaps._
> tcp.campus.enst-bretagne.fr'"
>
> >> I meant I had to disable the LDAP (openLDAP) profile, renaming the file
> with .save so ovirt doesn't detect them. If both profiles are activated,
> ovirt-web interface propose >>me the DN of the LDAP into AD (in namespace
> field)... Is that a bug or normal behavior ?
> >>
> >Hmm, that's strange, because only files with *.properties suffix should
> >be detected and used. So yes please open bz that also other suffixes are
> >loaded.
>
> Actually that's what I said : only .properties file are detected. The
> problem is about the namespaces : when LDAP.properties file and
> AD.properties file are activated, the namespace suggested in the web
> interface in the user tab, when choosing AD, is the DN of the LDAP...Which
> seems to be a bugNamespaces of everything are mixed...And if I select
> internal and then select again AD, a new namespace appears : * (from
> internal).
> This a weird behavior, right ?
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Martin Perina]

On Thu, May 26, 2016 at 10:11 AM, Alexis HAUSER <
alexis.hau...@telecom-bretagne.eu> wrote:

> >You use 389 with SSL? I guess you wrongly specified it.
> >But, if you want to use SSL and you have it on 636, then you should
> >create new SRV dns
> >records for example: _ldaps._tcp.university.mydomain.com ... 636
>
> Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ?
> On the DNS server I'm using ?
>
> >and then change:
> >  pool.default.serverset.srvrecord.service=ldaps
> >But I guess you wanted to use startTLS with 389, which you can enable by
> >adding:
> >  pool.default.ssl.startTLS=true
> >and remove line:
> >  pool.default.ssl.enable=true
> >Does it solve your issue?
>
> Actually, it's using ldaps yes. It doesnt solve my issue but I don't know
> where this DNS server comes from, I think it doesn't exist...
>
> I tried to configure it by adding vars.dns = dns://
> one_of_the_adservers.com and the same with ":636" at the end, but none of
> them works, it's still trying to reach this weird address with underlines :
> _ldaps._tcp.university.mydomain.com
>
> "2016-05-26 09:54:52,872 WARN
> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/127.0.0.1:8702-7)
> [] [ovirt-engine-extension-aaa-ldap.authn::AD-authn] Cannot initialize LDAP
> framework, deferring initialization. Error: An error occurred while
> attempting to query DNS in order to retrieve SRV records with name '_ldaps._
> tcp.university.mydomain.com':  javax.naming.NameNotFoundException: DNS
> name not found [response code 3]; remaining name '_ldaps._
> tcp.campus.enst-bretagne.fr'"
>
> >> I meant I had to disable the LDAP (openLDAP) profile, renaming the file
> with .save so ovirt doesn't detect them. If both profiles are activated,
> ovirt-web interface propose >>me the DN of the LDAP into AD (in namespace
> field)... Is that a bug or normal behavior ?
> >>
> >Hmm, that's strange, because only files with *.properties suffix should
> >be detected and used. So yes please open bz that also other suffixes are
> >loaded.
>
> Actually that's what I said : only .properties file are detected. The
> problem is about the namespaces : when LDAP.properties file and
> AD.properties file are activated, the namespace suggested in the web
> interface in the user tab, when choosing AD, is the DN of the LDAP...Which
> seems to be a bugNamespaces of everything are mixed...And if I select
> internal and then select again AD, a new namespace appears : * (from
> internal).
> This a weird behavior, right ?
>

​If I understand correctly, you have only one AD server/domain, right?​

​If so, what do you want to use profile LDAP​.properties for?


> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Can't perform search after setting up an Active Directory

[Alexis HAUSER]

>You use 389 with SSL? I guess you wrongly specified it.
>But, if you want to use SSL and you have it on 636, then you should 
>create new SRV dns
>records for example: _ldaps._tcp.university.mydomain.com ... 636

Where should I add this ? in /etc/hosts ? Somewhere in the ovirt config ? On 
the DNS server I'm using ?

>and then change:
>  pool.default.serverset.srvrecord.service=ldaps
>But I guess you wanted to use startTLS with 389, which you can enable by 
>adding:
>  pool.default.ssl.startTLS=true
>and remove line:
>  pool.default.ssl.enable=true
>Does it solve your issue?

Actually, it's using ldaps yes. It doesnt solve my issue but I don't know where 
this DNS server comes from, I think it doesn't exist...

I tried to configure it by adding vars.dns = dns://one_of_the_adservers.com and 
the same with ":636" at the end, but none of them works, it's still trying to 
reach this weird address with underlines : _ldaps._tcp.university.mydomain.com

"2016-05-26 09:54:52,872 WARN  
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp-/127.0.0.1:8702-7) [] 
[ovirt-engine-extension-aaa-ldap.authn::AD-authn] Cannot initialize LDAP 
framework, deferring initialization. Error: An error occurred while attempting 
to query DNS in order to retrieve SRV records with name 
'_ldaps._tcp.university.mydomain.com':  javax.naming.NameNotFoundException: DNS 
name not found [response code 3]; remaining name 
'_ldaps._tcp.campus.enst-bretagne.fr'"

>> I meant I had to disable the LDAP (openLDAP) profile, renaming the file with 
>> .save so ovirt doesn't detect them. If both profiles are activated, 
>> ovirt-web interface propose >>me the DN of the LDAP into AD (in namespace 
>> field)... Is that a bug or normal behavior ?
>>
>Hmm, that's strange, because only files with *.properties suffix should 
>be detected and used. So yes please open bz that also other suffixes are 
>loaded.

Actually that's what I said : only .properties file are detected. The problem 
is about the namespaces : when LDAP.properties file and AD.properties file are 
activated, the namespace suggested in the web interface in the user tab, when 
choosing AD, is the DN of the LDAP...Which seems to be a bugNamespaces of 
everything are mixed...And if I select internal and then select again AD, a new 
namespace appears : * (from internal).
This a weird behavior, right ?

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Network problem with bonding and Windows guests

[Edward Haas]

On Wed, May 25, 2016 at 2:10 PM, Maxence Sartiaux  wrote:

> Yep work good !
>
> Adding
>
> ETHTOOL_OPTIONS='-K iface lro off'
>
> to the slave interfaces config file did the job :)
>
> Thank you !
>
> On Wed, 2016-05-25 at 10:37 +0100, Alex Crow wrote:
>
> On 25/05/16 10:28, Maxence Sartiaux wrote:
>
> Hello,
>
> I've a problem, all my ovirt hosts are linked with a bonding mode 4
> (802.3ad LACP) 2x10Gbps
> Eveything is okay with unix guest but with Windows guest, i can ping but
> internet browsing is impossible (sometime i have a part of the page, very
> rare case)
>
> If i remove the bonding and bridge one interface, windows work good.
>
> I've tried with windows 7 and windows 10, guest additions are installed
> VirtIO / rtl3189 tested, same problem
>
> My bonding opts : mode=4 lacp_rate=1 miimon=100
> Interface MTU 9000
>
> Bonding mode 2 also tested
>
>
> On the hosts, try setting LRO off on the members of your bond, see if it
> makes a difference
>
> eg,
>
> ethtool -K ens3f0 lro off
> ethtool -K ens3f1 lro off
>
> Alex
>
>
> --
> This message is intended only for the addressee and may contain
> confidential information. Unless you are that person, you may not
> disclose its contents or use it in any way and are requested to delete
> the message along with any attachments and notify us immediately.
> This email is not intended to, nor should it be taken to, constitute advice.
> The information provided is correct to our knowledge & belief and must not
> be used as a substitute for obtaining tax, regulatory, investment, legal or
> any other appropriate advice.
>
> "Transact" is operated by Integrated Financial Arrangements Ltd.
> 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
> (Registered office: as above; Registered in England and Wales under
> number: 3727592). Authorised and regulated by the Financial Conduct
> Authority (entered on the Financial Services Register; no. 190856).
>
>
> ___
> Users mailing listUsers@ovirt.orghttp://lists.ovirt.org/mailman/listinfo/users
>
>

___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
There was such a bug with the bonding driver not dropping the LRO when bind
to a bridge.

Thanks,
Edy.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] On 3.6.6, tried doing a live VM storage migration... didn't work

[Markus Stockhausen]

I know of at least one live Disk Migration issue with Multi Disk VMs.

https://bugzilla.redhat.com/show_bug.cgi?id=1319400

Might be totally different but I must admit that this feature had several ups 
and downs the last years.

Markus

Am 26.05.2016 3:50 vorm. schrieb Christopher Cox :
In our old 3.4 ovirt, I know I've migrated storage on live VMs and everything
seemed to work.

However on 3.6.6, I tried this and I saw the warning about moving storage on a
live VM (it wasn't doing much of anything) and I went ahead and migrated the
storage from one storage domain to another.   But when it was through, even
though the VM was still alive, when I tried to write to a virtual disk that was
part of the move, it paused the VM saying there wasn't enough storage.

I could unpause the VM, but in a few seconds, with things writing to the virtual
disk, again it was paused with the same out of space message.  Vdsm logs showed
the enospc return code... so it made sense, it's just that the VM shows plenty
of storage there.  Once I rebooted the VM, everything went back to normal.

So is moving storage for a live VM not supported?  I guess we got lucky in our
3.4 system (?)

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte
Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail
irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und
vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte
Weitergabe dieser Mail ist nicht gestattet.

Über das Internet versandte E-Mails können unter fremden Namen erstellt oder
manipuliert werden. Deshalb ist diese als E-Mail verschickte Nachricht keine
rechtsverbindliche Willenserklärung.

Collogia
Unternehmensberatung AG
Ubierring 11
D-50678 Köln

Vorstand:
Kadir Akin
Dr. Michael Höhnerbach

Vorsitzender des Aufsichtsrates:
Hans Kristian Langva

Registergericht: Amtsgericht Köln
Registernummer: HRB 52 497

This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.

e-mails sent over the internet may have been written under a wrong name or
been manipulated. That is why this message sent as an e-mail is not a
legally binding declaration of intention.

Collogia
Unternehmensberatung AG
Ubierring 11
D-50678 Köln

executive board:
Kadir Akin
Dr. Michael Höhnerbach

President of the supervisory board:
Hans Kristian Langva

Registry office: district court Cologne
Register number: HRB 52 497


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] Changing Cluster CPU Type in a single Host with Hosted Engine environment

[Ralf Braendli]

Hi 

I have the Problem that I selected the wrong CPU Type throw the setup process.
Is it posible to change it without an new installation ?

We have a single Host with a Hosted Engine installed.
With this installation I can’t put the Host into Maintenance Mode because the 
Hosted Engine will run on this Host.

The Version we us is 3.5.5-1

Best Regards 

Ralf Brändli
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Could not connect to the optimizer service

[Yaniv Kaul]

On Wed, May 25, 2016 at 7:17 PM, Martin Sivak  wrote:

> Hi,
>
> > The connection to optimizer is being done by client's browser and not the
> > engine...
> > I used a private network which was not accessible from the browser.
>
> That is exactly the case. Glad to see you were able to fix it.
>

Perhaps worth adding a one-liner to the oVirt website mentioning this.
Y.


> --
> Martin Sivak
> SLA / oVirt
>
>
> On Wed, May 25, 2016 at 5:38 PM, Kapetanakis Giannis
>  wrote:
> > On 25/05/16 14:32, Kapetanakis Giannis wrote:
> >>
> >> On 25/05/16 14:28, Kapetanakis Giannis wrote:
> >>>
> >>> Hi,
> >>>
> >>> I've just setup optimizer service following
> >>>
> >>>
> http://www.ovirt.org/develop/release-management/features/sla/optaplanner/
> >>> and
> >>> https://github.com/oVirt/ovirt-optimizer
> >>>
> >>> I can access optimizer's interface and get the the solution result from
> >>> both http and https.
> >>> I can access it from both my pc and from ovirt-engine host with a
> browser
> >>> at url
> >>> ovirt-optimizer/result/Cluster_ID
> >>>
> >>> However in ovirt-engine interface I see
> >>> Status: Could not connect to the optimizer service [status code: 0]
> >>>
> >>> Also I see no connection attempt from ovirt-engine to optimizer (with
> >>> logging on optimizer's firewall).
> >>>
> >>> Engine is loading the conf:
> >>> 2016-05-25 13:54:40,395 INFO
> >>> [org.ovirt.engine.ui.frontend.server.gwt.plugin.PluginDataManager]
> (default
> >>> task-20) [] Reading UI plugin configuration
> >>> '/etc/ovirt-engine/ui-plugins/ovirt-optimizer-config.json'
> >>>
> >>> /etc/ovirt-engine/ui-plugins/ovirt-optimizer-config.json:
> >>> "config": { "baseurl":
> >>> "https://optimizer.example.com/ovirt-optimizer/result/;
> >>>
> >>> tried also
> >>> "config": { "baseurl":
> >>> "http://optimizer.example.com/ovirt-optimizer/result/;
> >>> incase there was a problem with optimizer's certificate.
> >>>
> >>> Any ideas? How can I debug why the engine is not doing any attempt to
> get
> >>> optimizer's result?
> >>>
> >>> best regards,
> >>>
> >>> Giannis
> >>>
> >>
> >> Forgot to mention versions:
> >>
> >> optimizer is Centos 7 ovirt-optimizer-jboss-0.9.1-2.el7.centos.noarch
> >> engine is Centos 6 ovirt-engine-3.6.6.2-1.el6.noarch,
> >> ovirt-optimizer-ui-0.9.1-2.el6.noarch
> >>
> >> G
> >
> >
> > I think I figured this out.
> > The connection to optimizer is being done by client's browser and not the
> > engine...
> > I used a private network which was not accessible from the browser.
> >
> >
> > G
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] moVirt 1.4 RC1 (Android client for oVirt)

[Yaniv Kaul]

On Wed, May 25, 2016 at 6:32 PM, Michal Skrivanek 
wrote:

>
> > On 25 May 2016, at 13:50, Tomas Jelinek  wrote:
> >
> > Hey All,
> >
> > the first RC of moVirt 1.4 has been released!
> >
> > It can be downloaded only using direct link[1] - the play store will be
> upgraded after considered stable.
> >
> > The most important feature of this release was to enhance the dashboard
> so it will look similar to the one coming to oVirt 4.0.
> > Screenshot attached.
> >
> > Other changes:
> > - Added new dashboard functionality (virtual/physical consumption,
> clickable cpu/memory consumption)
> > - Better UI (dashboard, adding/editing triggers)
> > - Better sorting in lists
> > - Memory units are now displayed correctly
> > - Fixed crashing bugs when looking at hosted engine
> >
> > Would you like to help/contribute?
> > Sure, for example you can:
> > - give feedback on the new dashboard (the one from the attachment)
>

Looks great!


>
> I guess the two lists in portrait mode are truncated all the time, it
> would probably make more sense to show only one column and switch hosts/vms
> via real/virtual toggle
>

Or show the top 5 VMs and below it, the top 5 hosts. This way the text
isn't cut:

Most utilized VMs:
abc-vm 107%
def-vm 105%
this-and-that-vm 44%

Most utilized hosts:
this-host 27%
that-host 30%

...



>
> > - download RC [1], test it and report bugs
>

Small nitpick - the color of the warning icon should not be yellow if there
are no warnings.
Y.


> > - patches are also welcome :)
> >
> > have a nice day,
> > Tomas
> >
> > [1]:
> https://github.com/matobet/moVirt/blob/master/moVirt/moVirt-release.apk?raw=true
> ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Maintenance on the Mailing-Lists

[Sandro Bonazzola]

On Thu, May 26, 2016 at 8:26 AM, Marc Dequènes (Duck) 
wrote:

> Quack,
>
> I'm working in the OSAS team and arrived recently. Yoroshiku onegai
> shimasu.
>
> With the oVirt infra team we're working on the Mailing-Lists. In the
> past there was SPF problems leading to mails being classified as SPAM,
> especially affecting GMail users. A workaround was made, but it's not
> nice and history of this time was mostly lost.
>
> I'm then going to make some changes which I believe would work, but just
> in case I'm sending this message to the main Mailing-Lists so you can
> check your SPAM box and break my head on #ovirt@freenode if it fails :-).
>

Note that we are on #ovirt@oftc :-)



>
> Regards.
>
>
> ___
> Infra mailing list
> in...@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
>
>


-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] One RHEV Virtual Machine does not Automatically Resume following Compellent SAN Controller Failover

[Roy Golan]

On Mon, Nov 23, 2015 at 9:37 PM, Duckworth, Douglas C 
wrote:

> Hello --
>
> Not sure if y'all can help with this issue we've been seeing with RHEV...
>
> On 11/13/2015, during Code Upgrade of Compellent SAN at our Disaster
> Recovery Site, we Failed Over to Secondary SAN Controller.  Most Virtual
> Machines in our DR Cluster Resumed automatically after Pausing except VM
> "BADVM" on Host "BADHOST."
>
> In Engine.log you can see that BADVM was sent into "VM_PAUSED_EIO" state
> at 10:47:57:
>
> "VM BADVM has paused due to storage I/O problem."
>
> On this Red Hat Enterprise Virtualization Hypervisor 6.6
> (20150512.0.el6ev) Host, two other VMs paused but then automatically
> resumed without System Administrator intervention...
>
> In our DR Cluster, 22 VMs also resumed automatically...
>
> None of these Guest VMs are engaged in high I/O as these are DR site VMs
> not currently doing anything.
>
> We sent this information to Dell.  Their response:
>
> "The root cause may reside within your virtualization solution, not the
> parent OS (RHEV-Hypervisor disc) or Storage (Dell Compellent.)"
>
> We are doing this Failover again on Sunday November 29th so we would
> like to know how to mitigate this issue, given we have to manually
> resume paused VMs that don't resume automatically.
>
> Before we initiated SAN Controller Failover, all iSCSI paths to Targets
> were present on Host tulhv2p03.
>
> VM logs on Host show in /var/log/libvirt/qemu/badhost.log that Storage
> error was reported:
>
> block I/O error in device 'drive-virtio-disk0': Input/output error (5)
> block I/O error in device 'drive-virtio-disk0': Input/output error (5)
> block I/O error in device 'drive-virtio-disk0': Input/output error (5)
> block I/O error in device 'drive-virtio-disk0': Input/output error (5)
>
> All disks used by this Guest VM are provided by single Storage Domain
> COM_3TB4_DR with serial "270."  In syslog we do see that all paths for
> that Storage Domain Failed:
>
> Nov 13 16:47:40 multipathd: 36000d310005caf000270: remaining
> active paths: 0
>
> Though these recovered later:
>
> Nov 13 16:59:17 multipathd: 36000d310005caf000270: sdbg -
> tur checker reports path is up
> Nov 13 16:59:17 multipathd: 36000d310005caf000270: remaining
> active paths: 8
>
> Does anyone have an idea of why the VM would fail to automatically
> resume if the iSCSI paths used by its Storage Domain recovered?
>

Look at the vdsm.log for events which libvirt emits and the actions that
vdsm takes on them. One of the actions would be to unpause the VM AFAIR. If
you didn't see this then QEMU/libvirt failed to propagatate the new state
change or it might be deeper down the stack. If there are events there then
share the vdsm logs.


>
> Thanks
> Doug
>
> --
> Thanks
>
> Douglas Charles Duckworth
> Unix Administrator
> Tulane University
> Technology Services
> 1555 Poydras Ave
> NOLA -- 70112
>
> E: du...@tulane.edu
> O: 504-988-9341
> F: 504-988-8505
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] Maintenance on the Mailing-Lists

[Duck]

Quack,

I'm working in the OSAS team and arrived recently. Yoroshiku onegai shimasu.

With the oVirt infra team we're working on the Mailing-Lists. In the
past there was SPF problems leading to mails being classified as SPAM,
especially affecting GMail users. A workaround was made, but it's not
nice and history of this time was mostly lost.

I'm then going to make some changes which I believe would work, but just
in case I'm sending this message to the main Mailing-Lists so you can
check your SPAM box and break my head on #ovirt@freenode if it fails :-).

Regards.



signature.asc
Description: OpenPGP digital signature
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] One RHEV Virtual Machine does not Automatically Resume following Compellent SAN Controller Failover

[Yaniv Dary]

What DR solution are you using?

Yaniv Dary
Technical Product Manager
Red Hat Israel Ltd.
34 Jerusalem Road
Building A, 4th floor
Ra'anana, Israel 4350109

Tel : +972 (9) 7692306
8272306
Email: yd...@redhat.com
IRC : ydary


On Wed, Nov 25, 2015 at 1:15 PM, Simone Tiraboschi 
wrote:

> Adding Nir who knows it far better than me.
>
>
> On Mon, Nov 23, 2015 at 8:37 PM, Duckworth, Douglas C 
> wrote:
>
>> Hello --
>>
>> Not sure if y'all can help with this issue we've been seeing with RHEV...
>>
>> On 11/13/2015, during Code Upgrade of Compellent SAN at our Disaster
>> Recovery Site, we Failed Over to Secondary SAN Controller.  Most Virtual
>> Machines in our DR Cluster Resumed automatically after Pausing except VM
>> "BADVM" on Host "BADHOST."
>>
>> In Engine.log you can see that BADVM was sent into "VM_PAUSED_EIO" state
>> at 10:47:57:
>>
>> "VM BADVM has paused due to storage I/O problem."
>>
>> On this Red Hat Enterprise Virtualization Hypervisor 6.6
>> (20150512.0.el6ev) Host, two other VMs paused but then automatically
>> resumed without System Administrator intervention...
>>
>> In our DR Cluster, 22 VMs also resumed automatically...
>>
>> None of these Guest VMs are engaged in high I/O as these are DR site VMs
>> not currently doing anything.
>>
>> We sent this information to Dell.  Their response:
>>
>> "The root cause may reside within your virtualization solution, not the
>> parent OS (RHEV-Hypervisor disc) or Storage (Dell Compellent.)"
>>
>> We are doing this Failover again on Sunday November 29th so we would
>> like to know how to mitigate this issue, given we have to manually
>> resume paused VMs that don't resume automatically.
>>
>> Before we initiated SAN Controller Failover, all iSCSI paths to Targets
>> were present on Host tulhv2p03.
>>
>> VM logs on Host show in /var/log/libvirt/qemu/badhost.log that Storage
>> error was reported:
>>
>> block I/O error in device 'drive-virtio-disk0': Input/output error (5)
>> block I/O error in device 'drive-virtio-disk0': Input/output error (5)
>> block I/O error in device 'drive-virtio-disk0': Input/output error (5)
>> block I/O error in device 'drive-virtio-disk0': Input/output error (5)
>>
>> All disks used by this Guest VM are provided by single Storage Domain
>> COM_3TB4_DR with serial "270."  In syslog we do see that all paths for
>> that Storage Domain Failed:
>>
>> Nov 13 16:47:40 multipathd: 36000d310005caf000270: remaining
>> active paths: 0
>>
>> Though these recovered later:
>>
>> Nov 13 16:59:17 multipathd: 36000d310005caf000270: sdbg -
>> tur checker reports path is up
>> Nov 13 16:59:17 multipathd: 36000d310005caf000270: remaining
>> active paths: 8
>>
>> Does anyone have an idea of why the VM would fail to automatically
>> resume if the iSCSI paths used by its Storage Domain recovered?
>>
>> Thanks
>> Doug
>>
>> --
>> Thanks
>>
>> Douglas Charles Duckworth
>> Unix Administrator
>> Tulane University
>> Technology Services
>> 1555 Poydras Ave
>> NOLA -- 70112
>>
>> E: du...@tulane.edu
>> O: 504-988-9341
>> F: 504-988-8505
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users