[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Anton Louw
Fantastic, thanks a lot for all your assistance Artur!

From: Artur Socha 
Sent: 22 April 2020 14:52
To: Anton Louw ; users@ovirt.org
Subject: Re: [ovirt-users] oVirt and KeyCloak intergration

On Wed, 2020-04-22 at 14:43 +0200, Artur Socha wrote:
On Wed, 2020-04-22 at 12:28 +, Anton Louw wrote:

Hi Artur,

You are a champion! I can access oVirt now. Thank you so much.
You're welcome!
I am happy it worked because I had no more ideas what to check next :)


One last question, can I create additional groups in ie. Read Only, etc? And 
then will this be done in KeyCloak or in the oVirt UI?

typo fixed:
This ovirt-administrator group is only for accessing(authentication & sso) 
ovirt engine admin panel and, as far as I understand it, it *** does NOT *** 
restrict access to particular engine's admin functions.
I think that proper authorization is done only at the engine's UI level. See 
'User Authorization' under 
https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html


Thank you


Anton Louw
Cloud Engineer: Storage and Virtualization at Vox

T:  087 805  | D: 087 805 1572
M: N/A
E: anton.l...@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za


From: Artur Socha <aso...@redhat.com>
Sent: 22 April 2020 13:21
To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org
Subject: Re: [ovirt-users] oVirt and KeyCloak intergration


On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> >
> > Ok so this is definitely looking better. I get an error, but at least now it
> > is saying : “The user admin@openidchttp is not authorized to perform login”
> >
> > This is strange though, because admin in by default should be allowed
> > access?
>
> Well, yes and no :)
>
> In order for user to be considered admin (for ovirt engine) it must belong to
> keycloak's ovirt-administrator group (in keycloak admin panel see
> Manage->Groups->Members)


Anton Louw
Cloud Engineer: Storage and Virtualization
__
D: 087 805 1572 | M: N/A
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
anton.l...@voxtelecom.co.za

www.vox.co.za



Small clarification:

In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' -> Members

Note that the group must have the exact name: ovirt-administrator


>
> I think you are very close to have it up-and-running.
>
>
> >
> > From: Anton Louw
> > Sent: 22 April 2020 12:38
> > To: Artur Socha <aso...@redhat.com>; users@ovirt.org
> > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> >
> > Perfect, I’ll test and let you know.
> >
> > Thanks
> >
> > From: Artur Socha <aso...@redhat.com>
> > Sent: 22 April 2020 12:32
> > To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >
> > + users@ovirt.org
> >
> > On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> > >
> > >
> > > Hi Artur,
> > >
> > > I would just like to make sure I am following correctly, comparing your
> > > entries against mine.
> > >
> > > Your setup:
> > > ...
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > > ...
> > >
> > >
> > > My setup:
> > > …
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > > …
> > >
> > > Should I add the additional 2 “\\” in on my side?
> >
> >
> > Yes, please try adding it. In my case I learned about this issue by
> > debugging
> > the code because the real exception generated by incorrect regexp syntax was
> > hidden behind generic error message giving no clues about the true cause.
> >
> > >
> > > Your setup:
> > > ...
> > >  > > negotiate|oauth/token-
> > > http-auth)|^/ovirt-engine/callback>
> > > 
> > >
> > > Require valid-user
> > > AuthType openid-connect
> > >
> > > ErrorDocument 401 " > > url=/ovirt-engine/sso/login-unauthorized\"/> > > engine/sso/login-unauthorized\">Here"
> > > 
> > > 
> > > …
> > >
> > > My setup:
> > > …
> > >  > > negotiate|oauth/token-
> > > http-auth)|^/ovirt-engine/callback>
> > > 
> > >
> > > Require valid-user
> > > AuthType openid-connect
> > >
> > > ErrorDocument 401 "Here"
> > > 
> > > 
> > > …
> > >
> > > I remember I had syntax errors, but mine was changed.
> > >
> > > Does this look fine to you?
> >
> >
> > Yeah, your version looks good too. You have ' instead of " so that is ok.
> >
> >
> > Anton Louw
> > Cloud 

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Strahil Nikolov
On April 22, 2020 10:45:49 PM GMT+03:00, Edson Richter 
 wrote:
>From: Strahil Nikolov 
>Sent: Wednesday, April 22, 2020 15:45
>To: users@ovirt.org ; Edson Richter
>; eev...@digitaldatatechs.com
>; france...@shellrent.com
>
>Subject: Re: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter
> wrote:
>>I'm in no way an ovirt expert. But as Linux administrator, I would say
>>that firewalld and iptables are "front-end" to kernel internal security
>>tables, so, in the final of the day, will provide *almost* same
>>functionality.
>>
>>Seems that firewalld is able to activate modules without restarting
>>entire firewall infrastructure, which iptables is not capable of. This
>>leverage an advantage for firewalld, especially where you would not have
>>interruptions in existing stateful connections.
>>
>>I've used iptables *always* as replacement for firewalld because of
>>almost 20 yrs using iptables - this is the first step in all about
>>hundred Centos7 installations I've done past few years. I just can't
>>throw away all my scripts that block hackers, provide 2 and 3 way
>>"knock-knock" lockers, fail2ban customizations, nat rules, DMZ, and
>>all, every time a new "firewall" front end appears. I've seen at least
>>two or three "iptables killers tech" in the past, and iptables still is
>>the king - at least for me.
>>
>>Again, repeating myself, I'm no ovirt specialist. Just a seasonal linux
>>admin which will not jump from iptables train yet.
>>
>>Perhaps, I would not recommend to completely deactivate all firewall in
>>any server! If it is the case, I would instead advise to just
>>replace firewalld with iptables-service (at least, in Centos7) - but
>>only in case you have too much to lose without iptables (as am I).
>>Regards,
>>
>>Edson
>>
>>
>>
>>From: eev...@digitaldatatechs.com 
>>Sent: Wednesday, April 22, 2020 12:18
>>To: france...@shellrent.com ;
>>users@ovirt.org 
>>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>>
>>If you log in to the cockpit, you can add services or custom ports
>>easily. I would not disable the firewall.
>> for the cockpit.
>>
>>Eric Evans
>>Digital Data Services LLC.
>>304.660.9080
>>
>>
>>-Original Message-
>>From: france...@shellrent.com 
>>Sent: Tuesday, April 21, 2020 12:54 PM
>>To: users@ovirt.org
>>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>>
>>Hi all,
>>
>>I was wondering if it's "safe" disabling entirely the firewalld service
>>and manage the firewall only via iptables, on the host and on the
>>hosted engine (a self-hosted engine). It would make a lot easier the
>>managing the firewall rules for me because of many automatisms I
>>created based on iptables. Did anyone manage to do this? Any
>>contraindication for doing this or precaution that I have to take care
>>of?
>>
>>Thanks for your time and help,
>>Francesco

[ovirt-users] Re: Batch delete Snapshots

2020-04-22 Thread Strahil Nikolov
On April 22, 2020 10:50:17 PM GMT+03:00, Christian Reiss 
 wrote:
>Hey folks,
>
>quick question: Can this be made batch-able?
>
># gluster snapshot delete all
>System contains 1 snapshot(s).
>Do you still want to continue and delete them?  (y/n)
>
>So for a script I could do a snapshot, copy the contents and
>auto-remove
>all snapshots after. I could go with snapshot list and act on those,
>but
>this seems like it should be in the code?
>
>-Chris.

There is an option how many snapshots to be available and the rest will be 
automatically deleted.

Yet, I have no experience with automatic snapshots.

Best Regards,
Strahil Nikolov
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QKEPLEFE5ZNJP76EMKX3BJQJHKNLTOBA/


[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Edson Richter
From: Strahil Nikolov 
Sent: Wednesday, April 22, 2020 15:45
To: users@ovirt.org ; Edson Richter 
; eev...@digitaldatatechs.com 
; france...@shellrent.com 
Subject: Re: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter 
 wrote:
>I'm in no way an ovirt expert. But as Linux administrator, I would say
>that firewalld and iptables are "front-end" to kernel internal security
>tables, so, in the final of the day, will provide *almost* same
>functionality.
>
>Seems that firewalld is able to activate modules without restarting
>entire firewall infrastructure, which iptables is not capable of. This
>leverage an advantage for firewalld, especially where you would not have
>interruptions in existing stateful connections.
>
>I've used iptables *always* as replacement for firewalld because of
>almost 20 yrs using iptables - this is the first step in all about
>hundred Centos7 installations I've done past few years. I just can't
>throw away all my scripts that block hackers, provide 2 and 3 way
>"knock-knock" lockers, fail2ban customizations, nat rules, DMZ, and
>all, every time a new "firewall" front end appears. I've seen at least
>two or three "iptables killers tech" in the past, and iptables still is
>the king - at least for me.
>
>Again, repeating myself, I'm no ovirt specialist. Just a seasonal linux
>admin which will not jump from iptables train yet.
>
>Perhaps, I would not recommend to completely deactivate all firewall in
>any server! If it is the case, I would instead advise to just
>replace firewalld with iptables-service (at least, in Centos7) - but
>only in case you have too much to lose without iptables (as am I).
>
>Regards,
>
>Edson
>
>
>
>From: eev...@digitaldatatechs.com 
>Sent: Wednesday, April 22, 2020 12:18
>To: france...@shellrent.com ;
>users@ovirt.org 
>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>If you log in to the cockpit, you can add services or custom ports
>easily. I would not disable the firewall.
> for the cockpit.
>
>Eric Evans
>Digital Data Services LLC.
>304.660.9080
>
>
>-Original Message-
>From: france...@shellrent.com 
>Sent: Tuesday, April 21, 2020 12:54 PM
>To: users@ovirt.org
>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>
>Hi all,
>
>I was wondering if it's "safe" disabling entirely the firewalld service
>and manage the firewall only via iptables, on the host and on the
>hosted engine (a self-hosted engine). It would make a lot easier the
>managing the firewall rules for me because of many automatisms I
>created based on iptables. Did anyone manage to do this? Any
>contraindication for doing this or precaution that I have to take care
>of?
>
>Thanks for your time and help,
>Francesco

[ovirt-users] Batch delete Snapshots

2020-04-22 Thread Christian Reiss
Hey folks,

quick question: Can this be made batch-able?

# gluster snapshot delete all
System contains 1 snapshot(s).
Do you still want to continue and delete them?  (y/n)

So for a script I could do a snapshot, copy the contents and auto-remove
all snapshots after. I could go with snapshot list and act on those, but
this seems like it should be in the code?

-Chris.

-- 
with kind regards,
mit freundlichen Gruessen,

Christian Reiss




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7OEEU2C63YFO4CWXOUYSFVLQUKLQNRZV/


[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Strahil Nikolov
On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter 
 wrote:
>I'm in no way an ovirt expert. But as Linux administrator, I would say
>that firewalld and iptables are "front-end" to kernel internal security
>tables, so, in the final of the day, will provide *almost* same
>functionality.
>
>Seems that firewalld is able to activate modules without restarting
>entire firewall infrastructure, which iptables is not capable of. This
>leverage an advantage for firewalld, especially where you would not have
>interruptions in existing stateful connections.
>
>I've used iptables *always* as replacement for firewalld because of
>almost 20 yrs using iptables - this is the first step in all about
>hundred Centos7 installations I've done past few years. I just can't
>throw away all my scripts that block hackers, provide 2 and 3 way
>"knock-knock" lockers, fail2ban customizations, nat rules, DMZ, and
>all, every time a new "firewall" front end appears. I've seen at least
>two or three "iptables killers tech" in the past, and iptables still is
>the king - at least for me.
>
>Again, repeating myself, I'm no ovirt specialist. Just a seasonal linux
>admin which will not jump from iptables train yet.
>
>Perhaps, I would not recommend to completely deactivate all firewall in
>any server! If it is the case, I would instead advise to just
>replace firewalld with iptables-service (at least, in Centos7) - but
>only in case you have too much to lose without iptables (as am I).
>
>Regards,
>
>Edson
>
>
>
>From: eev...@digitaldatatechs.com 
>Sent: Wednesday, April 22, 2020 12:18
>To: france...@shellrent.com ;
>users@ovirt.org 
>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>If you log in to the cockpit, you can add services or custom ports
>easily. I would not disable the firewall.
> for the cockpit.
>
>Eric Evans
>Digital Data Services LLC.
>304.660.9080
>
>
>-Original Message-
>From: france...@shellrent.com 
>Sent: Tuesday, April 21, 2020 12:54 PM
>To: users@ovirt.org
>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>
>Hi all,
>
>I was wondering if it's "safe" disabling entirely the firewalld service
>and manage the firewall only via iptables, on the host and on the
>hosted engine (a self-hosted engine). It would make a lot easier the
>managing the firewall rules for me because of many automatisms I
>created based on iptables. Did anyone manage to do this? Any
>contraindication for doing this or precaution that I have to take care
>of?
>
>Thanks for your time and help,
>Francesco

Keep in mind that I had some issues with oVirt (was  more than a year ago - so 
don't ask for details) when either firewalld or SELINUX 

[ovirt-users] [OT] windows 10 qemu-kvm latest stable drivers

2020-04-22 Thread Gianluca Cecchi
Hello,
I see that this link below, that should be the correct one for stable
virtio drivers:

https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso

points to virtio-win-0.1.171-1 released on May 2019.
The same pointed by the repo
https://fedorapeople.org/groups/virt/virtio-win/virtio-win.repo
Under
https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/archive-virtio/
there are many new ones... So are they all to be considered unstable?

Thanks,

Gianluca
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CLMIDAFXTGYNPKYN6SE6LWGO7NUUAT3H/


[ovirt-users] Re: How to force removal of old host from Engine

2020-04-22 Thread Strahil Nikolov
On April 22, 2020 11:57:31 AM GMT+03:00, Yedidyah Bar David  
wrote:
>On Wed, Apr 22, 2020 at 11:52 AM Shareef Jalloq 
>wrote:
>>
>> Thanks for the suggestions everyone.  First up, no, this is not part of a Gluster HCI.
>>
>> Secondly, "Confirm Host has been rebooted" seems to require the host have a status of "Non operational", "Maintenance" or "Connecting" from the error pop up.
>>
>> Ah, as I'm writing this, I shut down the host and now the status changes to Non-responsive and lets me put it in maintenance so I can remove it.  So it looks like the change in config causes the engine to not be able to communicate with the host.  Is that a bug or expected?  What should my workflow have been here after reinstalling the node?
>
>What did you do in practice?
>
>I think something like:
>
>1. Move to maintenance
>2. Remove from engine
>3. Reinstall OS
>4. Add to engine
>
>But this depends on exactly what you wanted to achieve, or IOW why you
>reinstalled.
>
>Best regards,
>
>>
>> Thanks, Shareef.
>>
>>
>>
>> On Wed, Apr 22, 2020 at 7:46 AM Yedidyah Bar David 
>wrote:
>>>
>>> On Wed, Apr 22, 2020 at 2:17 AM Strahil Nikolov
> wrote:
>>> >
>>> > On April 22, 2020 12:41:49 AM GMT+03:00, "Maton, Brett"
> wrote:
>>> > >Last time I had to forcibly remove a node because it was impossible to do
>>> > >so otherwise, it had never ever had anything to do with gluster, so I
>>> > >STRONGLY dispute your claim that fixing an issue (that was not stated) will
>>> > >fix anything.
>>> > >
>>> > >On Tue, 21 Apr 2020 at 22:39, Maton, Brett
>
>>> > >wrote:
>>> > >
>>> > >> I'm sorry there was no suggestion that the node had anything to do with
>>> > >> gluster, clearly stated but how to remove a dead and unmanageable node from
>>> > >> the cluster.
>>> > >>
>>> > >> On Tue, 21 Apr 2020 at 20:41, Strahil Nikolov
>
>>> > >> wrote:
>>> > >>
>>> > >>> Not a good approach.
>>> > >>> It's important to know if the node was also a gluster peer in the storage
>>> > >>> pool - if yes, it needs to be replaced with 'replace-brick' or
>>> > >>> 'reset-brick' (depending if you use the old hostname or not).
>>> > >>> Once the storage node is replaced - oVirt will allow you to remove it.
>>> > >>>
>>> > >>>
>>> > >>> Best Regards,
>>> > >>> Strahil Nikolov
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>> On Tuesday, 21 April 2020, 19:46:47 GMT+3, Maton, Brett <mat...@ltresources.co.uk> wrote:
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>> Last time I had to do this I removed from the database.
>>> > >>>
>>> > >>> (at your own risk)
>>> > >>> On ovirt engine switch to the postgres user from root:
>>> > >>>
>>> > >>> su - postgres
>>> > >>>
>>> > >>> Enable postgres 10 and connect to the engine database:
>>> > >>>
>>> > >>> . scl_source enable rh-postgresql10
>>> > >>> psql -d engine
>>> > >>>
>>> > >>> Change  to the name (Name column of the
>host in
>>> > >the
>>> > >>> UI) of the host you want to get rid of ( leave the '\' and \''
>in
>>> > >place )
>>> > >>>
>>> > >>> BEGIN;\set host '\'\''DELETE FROM
>vds_dynamic
>>> > >WHERE
>>> > >>> vds_id IN (SELECT vds_id FROM vds_static WHERE vds_name =
>>> > >:host);DELETE
>>> > >>> FROM vds_statistics WHERE vds_id IN (SELECT vds_id FROM
>vds_static
>>> > >WHERE
>>> > >>> vds_name = :host);DELETE FROM vds_static WHERE vds_name =
>>> > >:host;COMMIT;
>>> > >>> 
>>> > >>>
>>> > >>>
>>> > >>>
>>> > >>> On Tue, 21 Apr 2020 at 15:19, Shareef Jalloq
>
>>> > >>> wrote:
>>> > >>> > Hi,
>>> > >>> >
>>> > >>> > I seem to have got a stale host in my engine that I can't remove.  I
>>> > >>> > recently reinstalled oVirt Node on this host and while trying to refresh
>>> > >>> > the host in the engine, have got it in some state where I can't do anything.
>>> > >>> >
>>> > >>> > The host is listed as Status=Unassigned.  Under the Management pull
>>> > >>> > down I only have Restart and Stop options, both of which error if
>>> > >>> > selected.  The Remove button is not available.
>>> > >>> >
>>> > >>> > How do I force a removal of this host from the view so I can reload it?
>>> > >>> >
>>> > >>> > Shareef.

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Edson Richter
I'm in no way an ovirt expert. But as Linux administrator, I would say that 
firewalld and iptables are "front-end" to kernel internal security tables, so, 
in the final of the day, will provide *almost* same functionality.

Seems that firewalld is able to activate modules without restarting entire 
firewall infrastructure, which iptables is not capable of. This leverage an 
advantage for firewalld, especially where you would not have interruptions in 
existing stateful connections.

I've used iptables *always* as replacement for firewalld because of almost 20 
yrs using iptables - this is the first step in all about hundred Centos7 
installations I've done past few years. I just can't throw away all my scripts 
that block hackers, provide 2 and 3 way "knock-knock" lockers, fail2ban 
customizations, nat rules, DMZ, and all, every time a new "firewall" front end 
appears. I've seen at least two or three "iptables killers tech" in the past, 
and iptables still is the king - at least for me.

Again, repeating myself, I'm no ovirt specialist. Just a seasonal linux admin 
which will not jump from iptables train yet.

Perhaps, I would not recommend to completely deactivate all firewall in any 
server! If it is the case, I would instead advise to just replace firewalld 
with iptables-service (at least, in Centos7) - but only in case you have too 
much to lose without iptables (as am I).

Regards,

Edson



From: eev...@digitaldatatechs.com 
Sent: Wednesday, April 22, 2020 12:18
To: france...@shellrent.com ; users@ovirt.org 

Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

If you log in to the cockpit, you can add services or custom ports easily. I 
would not disable the firewall.
 for the cockpit.

Eric Evans
Digital Data Services LLC.
304.660.9080


-Original Message-
From: france...@shellrent.com 
Sent: Tuesday, April 21, 2020 12:54 PM
To: users@ovirt.org
Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]

Hi all,

I was wondering if it's "safe" disabling entirely the firewalld service and 
manage the firewall only via iptables, on the host and on the hosted engine (a 
self-hosted engine). It would make a lot easier the managing the firewall rules 
for me because of many automatisms I created based on iptables. Did anyone 
manage to do this? Any contraindication for doing this or precaution that I 
have to take care of?

Thanks for your time and help,
Francesco

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread eevans
If you log in to the cockpit, you can add services or custom ports easily. I 
would not disable the firewall.
 for the cockpit.

Eric Evans
Digital Data Services LLC.
304.660.9080


-Original Message-
From: france...@shellrent.com  
Sent: Tuesday, April 21, 2020 12:54 PM
To: users@ovirt.org
Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]

Hi all,

I was wondering if it's "safe" to disable the firewalld service entirely and 
manage the firewall only via iptables, on the host and on the hosted engine (a 
self-hosted engine). It would make managing the firewall rules a lot easier 
for me because of many automatisms I created based on iptables. Did anyone 
manage to do this? Any contraindication for doing this or precaution that I 
have to take care of?

Thanks for your time and help,
Francesco


[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 14:43 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 12:28 +, Anton Louw wrote:
> > Hi Artur,
> >
> > You are a champion! I can access oVirt now. Thank you so much.
> >
> You're welcome!
> I am happy it worked  because I had no more ideas what to check next :)
> 
> > One last question, can I create additional groups in ie. Read Only, etc? And
> > then will this be done in KeyCloak or in the oVirt UI?
typo fixed:
> This ovirt-administrator group is only for accessing(authentication & sso)
> ovirt engine admin panel and, as far as I understand it, it *** does NOT ***
> restrict access to  particular engine's admin functions. I think that proper 
> authorization is done only at the engine's UI level.  See  'User 
> Authorization' under 
> https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
> >  
> > 
> > Thank you
> > From: Artur Socha 
> > Sent: 22 April 2020 13:21
> > To: Anton Louw ; users@ovirt.org
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >
> > On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> > > On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> > > >
> > > > Ok so this is definitely looking better. I get an error, but at least now it
> > > > is saying : “The user admin@openidchttp is not authorized to perform login”
> > > >
> > > > This is strange though, because admin in by default should be allowed
> > > > access?
> > >
> > > Well, yes and no :)
> > >
> > > In order for user to be considered admin (for ovirt engine) it must belong to
> > > keycloak's ovirt-administrator group (in keycloak admin panel see
> > > Manage->Groups->Members)
> >
> > Small clarification:
> >
> > In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' -> Members
> >
> > Note that the group must have the exact name: ovirt-administrator
> >
> > >
> > > I think you are very close to have it up-and-running.
> > >
> > > >
> > > > From: Anton Louw 
> > > > Sent: 22 April 2020 12:38
> > > > To: Artur Socha ; users@ovirt.org
> > > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > > >
> > > > Perfect, I’ll test and let you know.
> > > >
> > > > Thanks
> > > >
> > > > From: Artur Socha  
> > > > Sent: 22 April 2020 12:32
> > > > To: Anton Louw ; users@ovirt.org
> > > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > > >
> > > > + users@ovirt.org
> > > >
> > > > On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> > > > >
> > > > > Hi Artur,
> > > > >
> > > > > I would just like to make sure I am following correctly, comparing your
> > > > > entries against mine.
> > > > >
> > > > > Your setup:
> > > > > ...
> > > > > config.mapAuthRecord.regex.pattern =
> > > > > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > > > > ...
> > > > >
> > > > > My setup:
> > > > > …
> > > > > config.mapAuthRecord.regex.pattern =
> > > > > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > > > > …
> > > > >
> > > > > Should I add the additional 2 “\\” in on my side?
> > > >
> > > > Yes, please try adding it. In my case I learned about this issue by debugging
> > > > the code because the real exception generated by incorrect regexp syntax was
> > > > hidden behind generic error message giving no clues about the true cause.
> > > >
> > > > >
> > > > > Your setup:
> > > > > ...
> > > > >  >
> > > > > negotiate|oauth/token-
> > > > > http-auth)|^/ovirt-engine/callback>
> > > > >
> > > > > Require valid-user
> > > > > AuthType openid-connect
> > > > >
> > > > > ErrorDocument 401 " >
> > > > > url=/ovirt-engine/sso/login-unauthorized\"/> >
> > > > > engine/sso/login-unauthorized\">Here"
> > > > >
> > > > > …
> > > > >
> > > > > My setup:
> > > > > …
> > > > >  >
> > > > > negotiate|oauth/token-
> > > > > http-auth)|^/ovirt-engine/callback>
> > > > >

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 12:28 +, Anton Louw wrote:
> Hi Artur,
>
> You are a champion! I can access oVirt now. Thank you so much.
>
You're welcome! I am happy it worked because I had no more ideas what to check
next :)
> One last question, can I create additional groups in ie. Read Only, etc? And
> then will this be done in KeyCloak or in the oVirt UI?

This ovirt-administrator group is only for accessing(authentication & sso) ovirt
engine admin panel and, as far as I understand it, it does restrict access
to  particular engine's admin functions. I think that proper authorization is
done only at the engine's UI level.  See  'User Authorization' under 
https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
>  
> 
> Thank you
> From: Artur Socha 
> Sent: 22 April 2020 13:21
> To: Anton Louw ; users@ovirt.org
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> > On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> > >
> > > Ok so this is definitely looking better. I get an error, but at least now it
> > > is saying : “The user admin@openidchttp is not authorized to perform login”
> > >
> > > This is strange though, because admin in by default should be allowed
> > > access?
> >
> > Well, yes and no :)
> >
> > In order for user to be considered admin (for ovirt engine) it must belong to
> > keycloak's ovirt-administrator group (in keycloak admin panel see
> > Manage->Groups->Members)
>
> Small clarification:
>
> In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' -> Members
>
> Note that the group must have the exact name: ovirt-administrator
>
> >
> > I think you are very close to have it up-and-running.
> >
> > >
> > > From: Anton Louw 
> > > Sent: 22 April 2020 12:38
> > > To: Artur Socha ; users@ovirt.org
> > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > >
> > > Perfect, I’ll test and let you know.
> > >
> > > Thanks
> > >
> > > From: Artur Socha  
> > > Sent: 22 April 2020 12:32
> > > To: Anton Louw ; users@ovirt.org
> > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > >
> > > + users@ovirt.org
> > >
> > > On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> > > >
> > > > Hi Artur,
> > > >
> > > > I would just like to make sure I am following correctly, comparing your
> > > > entries against mine.
> > > >
> > > > Your setup:
> > > > ...
> > > > config.mapAuthRecord.regex.pattern =
> > > > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > > > ...
> > > >
> > > > My setup:
> > > > …
> > > > config.mapAuthRecord.regex.pattern =
> > > > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > > > …
> > > >
> > > > Should I add the additional 2 “\\” in on my side?
> > >
> > > Yes, please try adding it. In my case I learned about this issue by debugging
> > > the code because the real exception generated by incorrect regexp syntax was
> > > hidden behind generic error message giving no clues about the true cause.
> > >
> > > >
> > > > Your setup:
> > > > ...
> > > >
> > > > negotiate|oauth/token-
> > > > http-auth)|^/ovirt-engine/callback>
> > > >
> > > > Require valid-user
> > > > AuthType openid-connect
> > > >
> > > > ErrorDocument 401 "
> > > > url=/ovirt-engine/sso/login-unauthorized\"/>
> > > > engine/sso/login-unauthorized\">Here"
> > > >
> > > > …
> > > >
> > > > My setup:
> > > > …
> > > >
> > > > negotiate|oauth/token-
> > > > http-auth)|^/ovirt-engine/callback>
> > > >
> > > > Require valid-user
> > > > AuthType openid-connect
> > > >
> > > > ErrorDocument 401 "Here"
> > > >
> > > > …
> > > >
> > > > I remember I had syntax errors, but mine was changed.
> > > >
> > > > Does this look fine to you?
> > >
> > > Yeah, your version looks good too. You have ' instead of " so that is ok.

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Anton Louw
Hi Artur,

You are a champion! I can access oVirt now. Thank you so much.

One last question, can I create additional groups in ie. Read Only, etc? And 
then will this be done in KeyCloak or in the oVirt UI?

Thank you

From: Artur Socha 
Sent: 22 April 2020 13:21
To: Anton Louw ; users@ovirt.org
Subject: Re: [ovirt-users] oVirt and KeyCloak intergration

On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> >
> > Ok so this is definitely looking better. I get an error, but at least now it
> > is saying : “The user admin@openidchttp is not authorized to perform login”
> >
> > This is strange though, because admin in by default should be allowed
> > access?
>
> Well, yes and no :)
>
> In order for user to be considered admin (for ovirt engine) it must belong to
> keycloak's ovirt-administrator group (in keycloak admin panel see
> Manage->Groups->Members)




Small clarification:

In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' -> Members

Note that the group must have the exact name: ovirt-administrator


>
> I think you are very close to have it up-and-running.
>
>
> >
> > From: Anton Louw
> > Sent: 22 April 2020 12:38
> > To: Artur Socha <aso...@redhat.com>; users@ovirt.org
> > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> >
> > Perfect, I’ll test and let you know.
> >
> > Thanks
> >
> > From: Artur Socha <aso...@redhat.com>
> > Sent: 22 April 2020 12:32
> > To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >
> > + users@ovirt.org
> >
> > On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> > >
> > >
> > > Hi Artur,
> > >
> > > I would just like to make sure I am following correctly, comparing your
> > > entries against mine.
> > >
> > > Your setup:
> > > ...
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > > ...
> > >
> > >
> > > My setup:
> > > …
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > > …
> > >
> > > Should I add the additional 2 “\\” in on my side?
> >
> >
> > Yes, please try adding it. In my case I learned about this issue by
> > debugging
> > the code because the real exception generated by incorrect regexp syntax was
> > hidden behind generic error message giving no clues about the true cause.
> >
> > >
> > > Your setup:
> > > ...
> > >  > > negotiate|oauth/token-
> > > http-auth)|^/ovirt-engine/callback>
> > > 
> > >
> > > Require valid-user
> > > AuthType openid-connect
> > >
> > > ErrorDocument 401 " > > url=/ovirt-engine/sso/login-unauthorized\"/> > > engine/sso/login-unauthorized\">Here"
> > > 
> > > 
> > > …
> > >
> > > My setup:
> > > …
> > >  > > negotiate|oauth/token-
> > > http-auth)|^/ovirt-engine/callback>
> > > 
> > >
> > > Require valid-user
> > > AuthType openid-connect
> > >
> > > ErrorDocument 401 "Here"
> > > 
> > > 
> > > …
> > >
> > > I remember I had syntax errors, but mine was changed.
> > >
> > > Does this look fine to you?
> >
> >
> > Yeah, your version looks good too. You have ' instead of " so that is ok.
> >
> >
> > > Thanks
> > > From: Anton Louw
> > > Sent: 22 April 2020 10:07
> > > To: Artur Socha <aso...@redhat.com>
> > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > >
> > > Hi Artur,
> > >
> > > Great, I will try the below and let you know. I appreciate your efforts.
> > >
> > > Sure, you may report it, I was in such a rush that I only hit “reply” and
> > > not “Reply All”
> > >
> > > I do recall that I had to make some changes to the below as it
> > > complained about syntax errors:
> > >
> > > ErrorDocument 401 " > > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> > > href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> > > 
> > > 
> > >
> > > I will let you know the outcome when I change the below as you suggested.
> 

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> > 
> > Ok so this is definitely looking better. I get an error, but at least now it
> > is saying : “The user admin@openidchttp is not authorized to perform login”
> >  
> > This is strange though, because admin in by default should be allowed
> > access?
> 
> Well, yes and no :)
> 
> In order for user to be considered admin (for ovirt engine) it must belong to
> keycloak's ovirt-administrator group (in keycloak admin panel see
> Manage->Groups->Members)

Small clarification:

In keycloak admin panel see Manage-> Groups->  'ovirt-administrator' -> Members

Note that the group must have the exact name: ovirt-administrator 


> 
> I think you are very close to have it up-and-running.
> 
> 
> >  
> > From: Anton Louw 
> > Sent: 22 April 2020 12:38
> > To: Artur Socha ; users@ovirt.org
> > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> >  
> > Perfect, I’ll test and let you know.
> >  
> > Thanks
> >  
> > From: Artur Socha  
> > Sent: 22 April 2020 12:32
> > To: Anton Louw ; users@ovirt.org
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >  
> > + users@ovirt.org
> >  
> > On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> > >  
> > > 
> > > Hi Artur,
> > >  
> > > I would just like to make sure I am following correctly, comparing your
> > > entries against mine.
> > >  
> > > Your setup:
> > > ...
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > > ...
> > > 
> > > 
> > > My setup:
> > > …
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > > …
> > >  
> > > Should I add the additional 2 “\\” in on my side?
> > 
> >  
> > Yes, please try adding it. In my case I learned about this issue by
> > debugging
> > the code because the real exception generated by incorrect regexp syntax was
> > hidden behind generic error message giving no clues about the true cause.
> >  
> > >  
> > > Your setup:
> > > ...
> > >  > > negotiate|oauth/token-
> > > http-auth)|^/ovirt-engine/callback>
> > > 
> > >  
> > > Require valid-user
> > > AuthType openid-connect
> > > 
> > > ErrorDocument 401 " > > url=/ovirt-engine/sso/login-unauthorized\"/> > > engine/sso/login-unauthorized\">Here"
> > > 
> > > 
> > > …
> > >  
> > > My setup:
> > > …
> > >  > > negotiate|oauth/token-
> > > http-auth)|^/ovirt-engine/callback>
> > > 
> > >  
> > >   Require valid-user
> > >   AuthType openid-connect
> > >  
> > >   ErrorDocument 401 "Here"
> > > 
> > > 
> > > …
> > >  
> > > I remember I had syntax errors, but mine was changed.
> > >  
> > > Does this look fine to you?
> > 
> >  
> > Yeah, your version looks good too. You have ' instead of " so that is ok. 
> >  
> > 
> > > Thanks
> > > From: Anton Louw 
> > > Sent: 22 April 2020 10:07
> > > To: Artur Socha 
> > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > >  
> > > Hi Artur,
> > >  
> > > Great, I will try the below and let you know. I appreciate your efforts.
> > >  
> > > Sure, you may report it, I was in such a rush that I only hit “reply” and
> > > not “Reply All”
> > >  
> > > I do recall that I had to make some changes to the below as it
> > > complained about syntax errors:
> > >  
> > > ErrorDocument 401 " > > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> > > href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> > > 
> > > 
> > >  
> > > I will let you know the outcome when I change the below as you suggested.
> > >  
> > > Cheers
> > >  
> > > From: Artur Socha  
> > > Sent: 22 April 2020 09:51
> > > To: Anton Louw 
> > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > >  
> > > I checked your logs and I did not notice anything suspicious. 
> > > However, now I recall I made some changes compared to blog post
> > > example:
> > > 
> > > 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties 
> > > I added escaping in regexp for '\'
> > > ...
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > > ...
> > > 
> > > 2) /etc/httpd/ovirt-openidc.conf
> > > Escaping for '"' in error document snippet
> > > ...
> > >  > > negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > > 

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> 
> 
> Ok so this is definitely looking better. I get an error, but at least now it
> is saying : “The user admin@openidchttp is not authorized to perform login”
>  
> This is strange though, because admin in by default should be allowed access?

Well, yes and no :)

In order for user to be considered admin (for ovirt engine) it must belong to
keycloak's ovirt-administrator group (in keycloak admin panel see
Manage->Groups->Members)

I think you are very close to have it up-and-running.


>  
> From: Anton Louw 
> Sent: 22 April 2020 12:38
> To: Artur Socha ; users@ovirt.org
> Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>  
> Perfect, I’ll test and let you know.
>  
> Thanks
>  
> From: Artur Socha  
> Sent: 22 April 2020 12:32
> To: Anton Louw ; users@ovirt.org
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>  
> + users@ovirt.org
>  
> On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> >  
> > 
> > Hi Artur,
> >  
> > I would just like to make sure I am following correctly, comparing your
> > entries against mine.
> >  
> > Your setup:
> > ...
> > config.mapAuthRecord.regex.pattern =
> > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > ...
> > 
> > 
> > My setup:
> > …
> > config.mapAuthRecord.regex.pattern =
> > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > …
> >  
> > Should I add the additional 2 “\\” in on my side?
> 
>  
> Yes, please try adding it. In my case I learned about this issue by debugging
> the code because the real exception generated by incorrect regexp syntax was
> hidden behind generic error message giving no clues about the true cause.
>  
> >  
> > Your setup:
> > ...
> >  > http-auth)|^/ovirt-engine/callback>
> > 
> >  
> > Require valid-user
> > AuthType openid-connect
> > 
> > ErrorDocument 401 " > url=/ovirt-engine/sso/login-unauthorized\"/> > engine/sso/login-unauthorized\">Here"
> > 
> > 
> > …
> >  
> > My setup:
> > …
> >  > http-auth)|^/ovirt-engine/callback>
> > 
> >  
> >   Require valid-user
> >   AuthType openid-connect
> >  
> >   ErrorDocument 401 "Here"
> > 
> > 
> > …
> >  
> > I remember I had syntax errors, but mine was changed.
> >  
> > Does this look fine to you?
> 
>  
> Yeah, your version looks good too. You have ' instead of " so that is ok. 
>  
> 
> > Thanks
> > From: Anton Louw 
> > Sent: 22 April 2020 10:07
> > To: Artur Socha 
> > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> >  
> > Hi Artur,
> >  
> > Great, I will try the below and let you know. I appreciate your efforts.
> >  
> > Sure, you may report it, I was in such a rush that I only hit “reply” and
> > not “Reply All”
> >  
> > I do recall that I had to make some changes to the below as it
> > complained about syntax errors:
> >  
> > ErrorDocument 401 " > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> > href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> > 
> > 
> >  
> > I will let you know the outcome when I change the below as you suggested.
> >  
> > Cheers
> >  
> > From: Artur Socha  
> > Sent: 22 April 2020 09:51
> > To: Anton Louw 
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >  
> > I checked your logs and I did not notice anything suspicious. 
> > However, now I recall I made some changes compared to blog post
> > example:
> > 
> > 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties 
> > I added escaping in regexp for '\'
> > ...
> > config.mapAuthRecord.regex.pattern =
> > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > ...
> > 
> > 2) /etc/httpd/ovirt-openidc.conf
> > Escaping for '"' in error document snippet
> > ...
> >  > negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > 
> > 
> > Require valid-user
> > AuthType openid-connect
> > 
> > ErrorDocument 401 " > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> > href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> > 
> > 
> > 
> > ...
> > 
> > These two issues were most probably caused by the blog site rendering.
> > 
> > 
> > You might want to check engine.log (or server.log not really sure which
> > one was that) for aaa extension initialization logs. They should 
> > appear at the beginning just after restarting engine.
> > 
> > Unfortunately, at the moment I do not have running keycloak setup (I
> > used to have a local VM) but I will try to find some time to 

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Anton Louw
Ok so this is definitely looking better. I get an error, but at least now it is 
saying : “The user admin@openidchttp is not authorized to perform login”

This is strange though, because admin in by default should be allowed access?



From: Anton Louw
Sent: 22 April 2020 12:38
To: Artur Socha ; users@ovirt.org
Subject: RE: [ovirt-users] oVirt and KeyCloak intergration

Perfect, I’ll test and let you know.

Thanks

From: Artur Socha <aso...@redhat.com>
Sent: 22 April 2020 12:32
To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org
Subject: Re: [ovirt-users] oVirt and KeyCloak intergration

+ users@ovirt.org

On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:

Hi Artur,

I would just like to make sure I am following correctly, comparing your entries 
against mine.

Your setup:
...
config.mapAuthRecord.regex.pattern = 
^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
...

My setup:
…
config.mapAuthRecord.regex.pattern = 
^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
…

Should I add the additional 2 “\\” in on my side?

Yes, please try adding it. In my case I learned about this issue by debugging 
the code because the real exception generated by incorrect regexp syntax was 
hidden behind generic error message giving no clues about the true cause.


Your setup:
...



Require valid-user
AuthType openid-connect

ErrorDocument 401 "Here"


…

My setup:
…



  Require valid-user
  AuthType openid-connect

  ErrorDocument 401 "Here"


…

I remember I had syntax errors, but mine was changed.

Does this look fine to you?

Yeah, your version looks good too. You have ' instead of " so that is ok.

Thanks




From: Anton Louw
Sent: 22 April 2020 10:07
To: Artur Socha <aso...@redhat.com>
Subject: RE: [ovirt-users] oVirt and KeyCloak intergration

Hi Artur,

Great, I will try the below and let you know. I appreciate your efforts.

Sure, you may report it, I was in such a rush that I only hit “reply” and not 
“Reply All”

I do recall that I had to make some changes to the below as it complained 
about syntax errors:

ErrorDocument 401 "Here"



I will let you know the outcome when I change the below as you suggested.

Cheers

From: Artur Socha <aso...@redhat.com>
Sent: 22 April 2020 09:51
To: Anton Louw <anton.l...@voxtelecom.co.za>
Subject: Re: [ovirt-users] oVirt and KeyCloak intergration

I checked your logs and I did not notice anything suspicious.
However, now I recall I made some changes compared to blog post
example:

1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
I added escaping in regexp for '\'
...
config.mapAuthRecord.regex.pattern =
^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
...

2) /etc/httpd/ovirt-openidc.conf
Escaping for '"' in error document snippet
...



Require valid-user
AuthType openid-connect

ErrorDocument 401 "Here"



...

These two issues were most probably caused by the blog site rendering.


You might want to check engine.log (or server.log not really sure which
one was that) for aaa extension initialization logs. They should
appear at the beginning just after restarting engine.

Unfortunately, at the moment I do not have running keycloak setup (I
used to have a local VM) but I will try to find some time to set it up
again once I'm done with another work item that actually consumes
almost entire disk space for my 2 machines)

Please let me know if anything changes after applying these config
changes. If this works for you then I will request the blog post to be
updated.

Do you mind if I keep (re-post) this discussion back to users@ovirt in
case others might have similar issues with keycloak integration?

A.

On Wed, 2020-04-22 at 06:35 +, Anton Louw wrote:
>
>
> Hi Artur,
>
> Thank you for the reply. The post [1] is actually the main source of
> information I worked from in order to get everything configured. In
> the post [1] I ran through the whole testing section, and everything
> works as expected. I can see the VMs etc when using the python
> script.
>
> In my case we are not using ldap as a provider, I tried using
> keycloak directly as a provider, I am not sure if that is where I am
> going wrong?
>
> I have attached the last part of the 
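
The backslash escaping discussed in this thread, shown as an added example that is not part of the original messages or of oVirt's code. It assumes the extension's `.properties` file is parsed with `java.util.Properties` semantics; the key name and the patterns are constructed stand-ins, because the thread's own pattern is garbled in this archive.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class PropertiesRegexEscaping {
    // Hypothetical key, standing in for config.mapAuthRecord.regex.pattern.
    static final String KEY = "example.regex.pattern";

    // Sample file lines are written with '~' in place of '\' so that Java's own
    // string-literal escaping does not obscure what is really in the file.
    static String fileLine(String valueWithTildes) {
        return KEY + " = " + valueWithTildes.replace('~', '\\') + "\n";
    }

    /** The value the application receives after .properties parsing. */
    static String loadValue(String fileText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(fileText));
        return props.getProperty(KEY);
    }

    /** Loads, compiles and probes the pattern, surfacing the real regex error. */
    static String check(String fileText, String probe) throws IOException {
        String regex = loadValue(fileText);
        String head = "file: " + fileText.trim() + "\n  loaded as: " + regex + "\n  ";
        try {
            boolean ok = Pattern.compile(regex).matcher(probe).matches();
            return head + "matches \"" + probe + "\": " + ok;
        } catch (PatternSyntaxException e) {
            // Report the cause instead of a generic "login failed" style message.
            return head + "INVALID PATTERN: " + e.getDescription()
                    + " (index " + e.getIndex() + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        String winLogin = "CORP\\alice";         // constructed input: CORP\alice
        String lookalike = "alice@exampleXorg";  // constructed input that must be rejected

        // 1. Regex pasted as-is: the parser drops the backslash of \w and
        //    collapses \\ to \, leaving a string that is not a valid pattern.
        System.out.println(check(fileLine("^(?<domain>~w+)~~(?<user>~w+)$"), winLogin));

        // 2. Every backslash doubled for the .properties layer: the regex
        //    engine receives the pattern that was intended.
        System.out.println(check(fileLine("^(?<domain>~~w+)~~~~(?<user>~~w+)$"), winLogin));

        // 3. Single backslash before the dot: the pattern still compiles, but
        //    '.' has become a wildcard, so the mapping is silently wider.
        System.out.println(check(fileLine("^(?<user>~~w+)@example~.org$"), lookalike));

        // 4. Doubled backslash keeps the dot literal.
        System.out.println(check(fileLine("^(?<user>~~w+)@example~~.org$"), lookalike));
    }
}
```

Case 3 is the one to watch for in an identity-mapping rule: nothing fails at startup, so only a negative test input shows that the pattern matches more than intended.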

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Anton Louw
Perfect, I’ll test and let you know.

Thanks



From: Artur Socha 
Sent: 22 April 2020 12:32
To: Anton Louw ; users@ovirt.org
Subject: Re: [ovirt-users] oVirt and KeyCloak intergration

+ users@ovirt.org

On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:

Hi Artur,

I would just like to make sure I am following correctly, comparing your entries 
against mine.

Your setup:
...
config.mapAuthRecord.regex.pattern = 
^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
...


My setup:
…
config.mapAuthRecord.regex.pattern = 
^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
…

Should I add the additional 2 “\\” in on my side?

Yes, please try adding it. In my case I learned about this issue by debugging 
the code because the real exception generated by incorrect regexp syntax was 
hidden behind generic error message giving no clues about the true cause.


Your setup:
...



Require valid-user
AuthType openid-connect

ErrorDocument 401 "Here"


…

My setup:
…



  Require valid-user
  AuthType openid-connect

  ErrorDocument 401 "Here"


…

I remember I had syntax errors, but mine was changed.

Does this look fine to you?

Yeah, your version looks good too. You have ' instead of " so that is ok.

Thanks



Anton Louw
Cloud Engineer: Storage and Virtualization at Vox

T:  087 805  | D: 087 805 1572
M: N/A
E: anton.l...@voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za


From: Anton Louw
Sent: 22 April 2020 10:07
To: Artur Socha <aso...@redhat.com>
Subject: RE: [ovirt-users] oVirt and KeyCloak intergration

Hi Artur,

Great, I will try the below and let you know. I appreciate your efforts.

Sure, you may report it, I was in such a rush that I only hit “reply” and not 
“Reply All”

I do recall that I had to make some changes to the below as it complained
about syntax errors:

ErrorDocument 401 "Here"



I will let you know the outcome when I change the below as you suggested.

Cheers

From: Artur Socha <aso...@redhat.com>
Sent: 22 April 2020 09:51
To: Anton Louw <anton.l...@voxtelecom.co.za>
Subject: Re: [ovirt-users] oVirt and KeyCloak intergration

I checked your logs and I did not notice anything suspicious.
However, now I recall I made some changes compared to blog post
example:

1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
I added escaping in regexp for '\'
...
config.mapAuthRecord.regex.pattern =
^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
...

2) /etc/httpd/ovirt-openidc.conf
Escaping for '"' in error document snippet
...



Require valid-user
AuthType openid-connect

ErrorDocument 401 "Here"



...

These two issues were most probably caused by the blog site rendering.


You might want to check engine.log (or server.log not really sure which
one was that) for aaa extension initialization logs. They should
appear at the beginning just after restarting engine.

Unfortunately, at the moment I do not have running keycloak setup (I
used to have a local VM) but I will try to find some time to set it up
again once I'm done with another work item that actually consumes
almost entire disk space for my 2 machines)

Please let me know if anything changes after applying these config
changes. If this works for you then I will request the blog post to be
updated.

Do you mind if I keep (re-post) this discussion back to users@ovirt in
case others might have similar issues with keycloak integration?

A.

On Wed, 2020-04-22 at 06:35 +, Anton Louw wrote:
>
>
> Hi Artur,
>
> Thank you for the reply. The post [1] is actually the main source of
> information I worked from in order to get everything configured. In
> the post[1] I ran through the whole testing section, and everything
> works as expected. I can see the VMs etc when using the python
> script.
>
> In my case we are not using ldap as a provider, I tried using
> keycloak directly as a provider, I am not sure if that is where I am
> going wrong?
>
> I have attached the last part of the apache ssl_access_log when I
> tried logging in this morning. I have also attached the engine log.
>
> Thanks
>
>
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
> T: 087 805  | D: 087 805 1572
> M: N/A
> E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
>
> From: Artru Socha 

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
+ users@ovirt.org
On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> Hi Artur,
>
> I would just like to make sure I am following correctly, comparing your
> entries against mine.
>
> Your setup:
> ...
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> ...
>
> My setup:
> …
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> …
>
> Should I add the additional 2 “\\” in on my side?

Yes, please try adding it. In my case I learned about this issue by debugging
the code because the real exception generated by incorrect regexp syntax was
hidden behind a generic error message giving no clues about the true cause.
>
> Your setup:
> ...
>  http-auth)|^/ovirt-engine/callback>
>
> Require valid-user
> AuthType openid-connect
>
> ErrorDocument 401 " engine/sso/login-unauthorized\"/> unauthorized\">Here"
>
> …
>
> My setup:
> …
>  http-auth)|^/ovirt-engine/callback>
>
>   Require valid-user
>   AuthType openid-connect
>
>   ErrorDocument 401 "Here"
>
> …
>
> I remember I had syntax errors, but mine was changed.
>
> Does this look fine to you?

Yeah, your version looks good too. You have ' instead of " so that is ok.

> Thanks
>
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
>
> T:  087 805  | D: 087 805 1572
> M: N/A
> E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
>
> From: Anton Louw
> Sent: 22 April 2020 10:07
> To: Artur Socha
> Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>
> Hi Artur,
>
> Great, I will try the below and let you know. I appreciate your efforts.
>
> Sure, you may report it, I was in such a rush that I only hit “reply” and not
> “Reply All”
>
> I do recall that I had to make some changes to the below as it complained
> about syntax errors:
>
> ErrorDocument 401 "
> content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/>
> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
>
> I will let you know the outcome when I change the below as you suggested.
>
> Cheers
>
> From: Artur Socha
> Sent: 22 April 2020 09:51
> To: Anton Louw
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> I checked your logs and I did not notice anything suspicious.
> However, now I recall I made some changes compared to blog post
> example:
>
> 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
> I added escaping in regexp for '\'
> ...
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> ...
>
> 2) /etc/httpd/ovirt-openidc.conf
> Escaping for '"' in error document snippet
> ...
>
> negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
>
> Require valid-user
> AuthType openid-connect
>
> ErrorDocument 401 "
> content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/>
> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
>
> ...
>
> These two issues were most probably caused by the blog site rendering.
>
> You might want to check engine.log (or server.log not really sure which
> one was that) for aaa extension initialization logs. They should
> appear at the beginning just after restarting engine.
>
> Unfortunately, at the moment I do not have running keycloak setup (I
> used to have a local VM) but I will try to find some time to set it up
> again once I'm done with another work item that actually consumes
> almost entire disk space for my 2 machines)
>
> Please let me know if anything changes after applying these config
> changes. If this works for you then I will request the blog post to be
> updated.
>
> Do you mind if I keep (re-post) this discussion back to users@ovirt in
> case others might have similar issues with keycloak integration?
>
> A.
>
> On Wed, 2020-04-22 at 06:35 +, Anton Louw wrote:
> >
> > Hi Artur,
> >
> > Thank you for the reply. The post [1] is actually the main source of
> > information I worked from in order to get everything configured. In
> > the post[1] I ran through the whole testing section, and everything
> > works as expected. I can see the VMs etc when using the python
> > script.
> >
> > In my case we are not using ldap as a provider, I tried using
> > keycloak directly as a provider, I am not sure if that is where I am
> > going wrong?
>

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Gianluca Cecchi
On Wed, Apr 22, 2020 at 11:24 AM Michaël Couren  wrote:

>
> >
> > Also, please note that in el8 (which will be the only supported OS for
> > oVirt 4.4), if you do not want to use firewalld, might have to
> > convert/amend your scripts/conf to use nftables.
> >
> > Best regards,
> > --
> > Didi
>
> Hi, I'm still using iptables on CentOS8-stream but not sure if it uses
> nftables or the "old" good netfilter
> in the backend.
>

This could be useful:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-and-configuring-firewalls-using-firewalld_configuring-and-managing-networking

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking

and also this:
https://www.redhat.com/en/blog/using-nftables-red-hat-enterprise-linux-8
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CDQEXHCSF75KW4LTHGKQAFUNCNHVKR3M/


[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Yedidyah Bar David
On Wed, Apr 22, 2020 at 12:23 PM Michaël Couren  wrote:
>
>
> >
> > Also, please note that in el8 (which will be the only supported OS for
> > oVirt 4.4), if you do not want to use firewalld, might have to
> > convert/amend your scripts/conf to use nftables.
> >
> > Best regards,
> > --
> > Didi
>
> Hi, I'm still using iptables on CentOS8-stream but not sure if it uses 
> nftables or the "old" good netfilter
> in the backend.

Didn't play yet at all with either nftables or EL8's iptables. Only
recently realized it's indeed included:

https://gerrit.ovirt.org/108265

> (Debian 10 documentation seems more precise on this point)
> By the way I don't use it on oVirt nodes just on VMs... Just saying it is 
> possible.

Yes, saw that too. Also that on a firewalld managed EL8 machine,
'iptables-save' says:
# Generated by xtables-save v1.8.2 on Wed Apr 22 12:50:13 2020
...
# Completed on Wed Apr 22 12:50:13 2020
# Table `firewalld' is incompatible, use 'nft' tool.

So this tells me, without learning nft, to be careful...

Thanks!
-- 
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UPFY3VNNDN2ABFXOV5F6MULAKCWP6MAE/
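
The caution in the message above can be turned into a check. This is an added example, not code from the thread or from the oVirt project: it classifies the iptables backend from `iptables -V` output and extracts the tables that `iptables-save` reports as incompatible, using the marker line quoted above. The function names, verdict strings and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: can `iptables-save` be trusted as the full filter view?

# Classify the backend from the text printed by `iptables -V`.
# iptables 1.8+ appends "(nf_tables)" or "(legacy)"; older builds print no
# suffix and only use the legacy xtables kernel interface.
iptables_backend() (
  case "$1" in
    *"(nf_tables)"*) echo nft ;;
    *"(legacy)"*)    echo legacy ;;
    "iptables v"*)   echo legacy ;;
    *)               echo unknown ;;
  esac
)

# Print the name of every table that iptables-save could not dump.
# Marker format as quoted in the thread:
#   # Table `firewalld' is incompatible, use 'nft' tool.
hidden_tables() (
  printf '%s\n' "$1" |
    sed -n "s/^# Table \`\\(.*\\)' is incompatible, use 'nft' tool\\.\$/\\1/p"
)

# Verdicts (names are this example's own):
#   nft-hidden  iptables-save skipped at least one nftables table
#   nft-clean   nft backend, no skipped table reported
#   legacy      legacy backend: this tool cannot see nftables rules at all
#   unknown     version string not recognised
filter_view() (
  hidden=$(hidden_tables "$2")
  backend=$(iptables_backend "$1")
  if [ -n "$hidden" ]; then
    echo nft-hidden
  elif [ "$backend" = nft ]; then
    echo nft-clean
  else
    echo "$backend"
  fi
)

# Constructed sample inputs modelled on the output quoted in the thread
# (not captured from a real host).
SAMPLE_VERSION='iptables v1.8.2 (nf_tables)'
SAMPLE_SAVE="# Generated by xtables-save v1.8.2 on Wed Apr 22 12:50:13 2020
*filter
:INPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 22 12:50:13 2020
# Table \`firewalld' is incompatible, use 'nft' tool."

report() {
  echo "backend: $(iptables_backend "$1")"
  echo "verdict: $(filter_view "$1" "$2")"
  for t in $(hidden_tables "$2"); do
    echo "not shown by iptables-save: table $t (inspect with: nft list ruleset)"
  done
}

if [ "${CHECK_LIVE:-0}" = 1 ]; then
  # Live mode reads the local host; iptables-save needs root.
  report "$(iptables -V 2>&1)" "$(iptables-save 2>&1)"
else
  report "$SAMPLE_VERSION" "$SAMPLE_SAVE"
fi
```

Run with `CHECK_LIVE=1` as root to evaluate the local host instead of the embedded sample.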


[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Michaël Couren

> 
> Also, please note that in el8 (which will be the only supported OS for
> oVirt 4.4), if you do not want to use firewalld, might have to
> convert/amend your scripts/conf to use nftables.
> 
> Best regards,
> --
> Didi

Hi, I'm still using iptables on CentOS8-stream but not sure if it uses nftables 
or the "old" good netfilter
in the backend.
(Debian 10 documentation seems more precise on this point)
By the way I don't use it on oVirt nodes just on VMs... Just saying it is 
possible.
-- 
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AOYYPYSRZK2KKID5TW5ZGYDJ6RZ357OW/


[ovirt-users] Re: How to force removal of old host from Engine

2020-04-22 Thread Yedidyah Bar David
On Wed, Apr 22, 2020 at 11:52 AM Shareef Jalloq  wrote:
>
> Thanks for the suggestions everyone.  First up, no, this is not part of a 
> Gluster HCI.
>
> Secondly, "Confirm Host has been rebooted" seems to require the host have a 
> status of "Non operational", "Maintenance" or "Connecting" from the error pop 
> up.
>
> Ah, as I'm writing this, I shut down the host and now the status changes to 
> Non-responsive and lets me put it in maintenance so I can remove it.  So it 
> looks like the change in config causes the engine to not be able to 
> communicate with the host.  Is that a bug or expected?  What should my 
> workflow have been here after reinstalling the node?

What did you do in practice?

I think something like:

1. Move to maintenance
2. Remove from engine
3. Reinstall OS
4. Add to engine

But this depends on exactly what you wanted to achieve, or IOW why you
reinstalled.

Best regards,

>
> Thanks, Shareef.
>
>
>
> On Wed, Apr 22, 2020 at 7:46 AM Yedidyah Bar David  wrote:
>>
>> On Wed, Apr 22, 2020 at 2:17 AM Strahil Nikolov  
>> wrote:
>> >
>> > On April 22, 2020 12:41:49 AM GMT+03:00, "Maton, Brett" 
>> >  wrote:
>> > >Last time I had to forcibly remove a node because it was impossible to
>> > >do
>> > >so otherwise, it had never ever had anything to do with gluster, so I
>> > >STRONGLY dispute your claim that fixing an issue (that was not stated)
>> > >will
>> > >fix anything.
>> > >
>> > >On Tue, 21 Apr 2020 at 22:39, Maton, Brett 
>> > >wrote:
>> > >
>> > >> I'm sorry there was no suggestion that the node had anything to do
>> > >with
>> > >> gluster, clearly stated but how to remove a dead and unmanageable
>> > >node from
>> > >> the cluster.
>> > >>
>> > >> On Tue, 21 Apr 2020 at 20:41, Strahil Nikolov 
>> > >> wrote:
>> > >>
>> > >>> Not a good approach.
>> > >>> It's important to know if the node was also a gluster peer in the
>> > >storage
>> > >>> pool - if yes, it needs to be replaced with 'replace-brick' or
>> > >>> 'reset-brick' (depending if you use the old hostname or not).
>> > >>> Once the storage node is replaced - oVirt will allow you to remove
>> > >it.
>> > >>>
>> > >>>
>> > >>> Best Regards,
>> > >>> Strahil Nikolov
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>> В вторник, 21 април 2020 г., 19:46:47 Гринуич+3, Maton, Brett <
>> > >>> mat...@ltresources.co.uk> написа:
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>> Last time I had to do this I removed from the database.
>> > >>>
>> > >>> (at your own risk)
>> > >>> On ovirt engine switch to the postgres user from root:
>> > >>>
>> > >>> su - postgres
>> > >>>
>> > >>> Enable postgres 10 and connect to the engine database:
>> > >>>
>> > >>> . scl_source enable rh-postgresql10
>> > >>> psql -d engine
>> > >>>
>> > >>> Change  to the name (Name column of the host in
>> > >the
>> > >>> UI) of the host you want to get rid of ( leave the '\' and \'' in
>> > >place )
>> > >>>
>> > >>> BEGIN;\set host '\'\''DELETE FROM vds_dynamic
>> > >WHERE
>> > >>> vds_id IN (SELECT vds_id FROM vds_static WHERE vds_name =
>> > >:host);DELETE
>> > >>> FROM vds_statistics WHERE vds_id IN (SELECT vds_id FROM vds_static
>> > >WHERE
>> > >>> vds_name = :host);DELETE FROM vds_static WHERE vds_name =
>> > >:host;COMMIT;
>> > >>> 
>> > >>>
>> > >>>
>> > >>>
>> > >>> On Tue, 21 Apr 2020 at 15:19, Shareef Jalloq 
>> > >>> wrote:
>> > >>> > Hi,
>> > >>> >
>> > >>> > I seem to have got a stale host in my engine that I can't remove.
>> > >I
>> > >>> recently reinstalled oVirt Node on this host and while trying to
>> > >refresh
>> > >>> the host in the engine, have got it in some state where I can't do
>> > >anything.
>> > >>> >
>> > >>> > The host is listed as Status=Unassigned.  Under the Management
>> > >pull
>> > >>> down I only have Restart and Stop options, both of which error if
>> > >>> selected.  The Remove button is not available.
>> > >>> >
>> > >>> > How do I force a removal of this host from the view so I can
>> > >reload it?
>> > >>> >
>> > >>> > Shareef.
>> > >>> > ___
>> > >>> > Users mailing list -- users@ovirt.org
>> > >>> > To unsubscribe send an email to users-le...@ovirt.org
>> > >>> > Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> > >>> > oVirt Code of Conduct:
>> > >>> https://www.ovirt.org/community/about/community-guidelines/
>> > >>> > List Archives:
>> > >>>
>> > >https://lists.ovirt.org/archives/list/users@ovirt.org/message/TCBGLVCLMTZSQAURDDVGHKYXXQ36NO5H/
>> > >>> >
>> > >>> ___
>> > >>> Users mailing list -- users@ovirt.org
>> > >>> To unsubscribe send an email to users-le...@ovirt.org
>> > >>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> > >>> oVirt Code of Conduct:
>> > >>> https://www.ovirt.org/community/about/community-guidelines/
>> > >>> List Archives:
>> > >>>
>> > >https://lists.ovirt.org/archives/list/users@ovirt.org/message/EAFO7EBLCETILFJGCY55K254TLRKJPRC/
>> > >>>
>> > 

[ovirt-users] Re: How to force removal of old host from Engine

2020-04-22 Thread Shareef Jalloq
Thanks for the suggestions everyone.  First up, no, this is not part of a
Gluster HCI.

Secondly, "Confirm Host has been rebooted" seems to require the host have a
status of "Non operational", "Maintenance" or "Connecting" from the error
pop up.

Ah, as I'm writing this, I shut down the host and now the status changes to
Non-responsive and lets me put it in maintenance so I can remove it.  So it
looks like the change in config causes the engine to not be able to
communicate with the host.  Is that a bug or expected?  What should my
workflow have been here after reinstalling the node?

Thanks, Shareef.



On Wed, Apr 22, 2020 at 7:46 AM Yedidyah Bar David  wrote:

> On Wed, Apr 22, 2020 at 2:17 AM Strahil Nikolov 
> wrote:
> >
> > On April 22, 2020 12:41:49 AM GMT+03:00, "Maton, Brett" <
> mat...@ltresources.co.uk> wrote:
> > >Last time I had to forcibly remove a node because it was impossible to
> > >do
> > >so otherwise, it had never ever had anything to do with gluster, so I
> > >STRONGLY dispute your claim that fixing an issue (that was not stated)
> > >will
> > >fix anything.
> > >
> > >On Tue, 21 Apr 2020 at 22:39, Maton, Brett 
> > >wrote:
> > >
> > >> I'm sorry there was no suggestion that the node had anything to do
> > >with
> > >> gluster, clearly stated but how to remove a dead and unmanageable
> > >node from
> > >> the cluster.
> > >>
> > >> On Tue, 21 Apr 2020 at 20:41, Strahil Nikolov 
> > >> wrote:
> > >>
> > >>> Not a good approach.
> > >>> It's important to know if the node was also a gluster peer in the
> > >storage
> > >>> pool - if yes, it needs to be replaced with 'replace-brick' or
> > >>> 'reset-brick' (depending if you use the old hostname or not).
> > >>> Once the storage node is replaced - oVirt will allow you to remove
> > >it.
> > >>>
> > >>>
> > >>> Best Regards,
> > >>> Strahil Nikolov
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> В вторник, 21 април 2020 г., 19:46:47 Гринуич+3, Maton, Brett <
> > >>> mat...@ltresources.co.uk> написа:
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> Last time I had to do this I removed from the database.
> > >>>
> > >>> (at your own risk)
> > >>> On ovirt engine switch to the postgres user from root:
> > >>>
> > >>> su - postgres
> > >>>
> > >>> Enable postgres 10 and connect to the engine database:
> > >>>
> > >>> . scl_source enable rh-postgresql10
> > >>> psql -d engine
> > >>>
> > >>> Change  to the name (Name column of the host in
> > >the
> > >>> UI) of the host you want to get rid of ( leave the '\' and \'' in
> > >place )
> > >>>
> > >>> BEGIN;\set host '\'\''DELETE FROM vds_dynamic
> > >WHERE
> > >>> vds_id IN (SELECT vds_id FROM vds_static WHERE vds_name =
> > >:host);DELETE
> > >>> FROM vds_statistics WHERE vds_id IN (SELECT vds_id FROM vds_static
> > >WHERE
> > >>> vds_name = :host);DELETE FROM vds_static WHERE vds_name =
> > >:host;COMMIT;
> > >>> 
> > >>>
> > >>>
> > >>>
> > >>> On Tue, 21 Apr 2020 at 15:19, Shareef Jalloq 
> > >>> wrote:
> > >>> > Hi,
> > >>> >
> > >>> > I seem to have got a stale host in my engine that I can't remove.
> > >I
> > >>> recently reinstalled oVirt Node on this host and while trying to
> > >refresh
> > >>> the host in the engine, have got it in some state where I can't do
> > >anything.
> > >>> >
> > >>> > The host is listed as Status=Unassigned.  Under the Management
> > >pull
> > >>> down I only have Restart and Stop options, both of which error if
> > >>> selected.  The Remove button is not available.
> > >>> >
> > >>> > How do I force a removal of this host from the view so I can
> > >reload it?
> > >>> >
> > >>> > Shareef.
> > >>> > ___
> > >>> > Users mailing list -- users@ovirt.org
> > >>> > To unsubscribe send an email to users-le...@ovirt.org
> > >>> > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > >>> > oVirt Code of Conduct:
> > >>> https://www.ovirt.org/community/about/community-guidelines/
> > >>> > List Archives:
> > >>>
> > >
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/TCBGLVCLMTZSQAURDDVGHKYXXQ36NO5H/
> > >>> >
> > >>> ___
> > >>> Users mailing list -- users@ovirt.org
> > >>> To unsubscribe send an email to users-le...@ovirt.org
> > >>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > >>> oVirt Code of Conduct:
> > >>> https://www.ovirt.org/community/about/community-guidelines/
> > >>> List Archives:
> > >>>
> > >
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/EAFO7EBLCETILFJGCY55K254TLRKJPRC/
> > >>>
> > >>
> >
> > Last time I had to remove a host - I didn't have your issues.
> > Yet,  I'm not claiming the opposite - just that in case the host is also
> a gluster node ,  oVirt will intentionally prevent removal of the node.
> >
> > Your approach could be absolutely valid in case there is no Gluster
> involved - yet for HCI , Gluster brick has  to be replaced prior taking any
> actions for the removal.
>
> Did any of 

[ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread Yedidyah Bar David
On Wed, Apr 22, 2020 at 9:21 AM  wrote:
>
> Hi all,
>
> I was wondering if it's "safe" disabling entirely the firewalld service and 
> manage the firewall only via iptables, on the host and on the hosted engine 
> (a self-hosted engine). It would make a lot easier the managing the firewall 
> rules for me because of many automatisms I created based on iptables. Did 
> anyone manage to do this? Any contraindication for doing this or precaution 
> that I have to take care of?

I didn't try this myself, but last time this was discussed Simone said
that it's mandatory to have firewalld enabled and active during the
hosted-engine deploy, but that it should be safe to stop/disable after
that, as well as add new hosts without firewall.

Also, please note that in el8 (which will be the only supported OS for
oVirt 4.4), if you do not want to use firewalld, might have to
convert/amend your scripts/conf to use nftables.

Best regards,
-- 
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/7QEUKHNG7LIUWKAOZ4NMIGEOCREGEOJH/


[ovirt-users] Re: How to force removal of old host from Engine

2020-04-22 Thread Yedidyah Bar David
On Wed, Apr 22, 2020 at 2:17 AM Strahil Nikolov  wrote:
>
> On April 22, 2020 12:41:49 AM GMT+03:00, "Maton, Brett" 
>  wrote:
> >Last time I had to forcibly remove a node because it was impossible to
> >do
> >so otherwise, it had never ever had anything to do with gluster, so I
> >STRONGLY dispute your claim that fixing an issue (that was not stated)
> >will
> >fix anything.
> >
> >On Tue, 21 Apr 2020 at 22:39, Maton, Brett 
> >wrote:
> >
> >> I'm sorry there was no suggestion that the node had anything to do
> >with
> >> gluster, clearly stated but how to remove a dead and unmanageable
> >node from
> >> the cluster.
> >>
> >> On Tue, 21 Apr 2020 at 20:41, Strahil Nikolov 
> >> wrote:
> >>
> >>> Not a good approach.
> >>> It's important to know if the node was also a gluster peer in the
> >storage
> >>> pool - if yes, it needs to be replaced with 'replace-brick' or
> >>> 'reset-brick' (depending if you use the old hostname or not).
> >>> Once the storage node is replaced - oVirt will allow you to remove
> >it.
> >>>
> >>>
> >>> Best Regards,
> >>> Strahil Nikolov
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> В вторник, 21 април 2020 г., 19:46:47 Гринуич+3, Maton, Brett <
> >>> mat...@ltresources.co.uk> написа:
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Last time I had to do this I removed from the database.
> >>>
> >>> (at your own risk)
> >>> On ovirt engine switch to the postgres user from root:
> >>>
> >>> su - postgres
> >>>
> >>> Enable postgres 10 and connect to the engine database:
> >>>
> >>> . scl_source enable rh-postgresql10
> >>> psql -d engine
> >>>
> >>> Change  to the name (Name column of the host in
> >the
> >>> UI) of the host you want to get rid of ( leave the '\' and \'' in
> >place )
> >>>
> >>> BEGIN;\set host '\'\''DELETE FROM vds_dynamic
> >WHERE
> >>> vds_id IN (SELECT vds_id FROM vds_static WHERE vds_name =
> >:host);DELETE
> >>> FROM vds_statistics WHERE vds_id IN (SELECT vds_id FROM vds_static
> >WHERE
> >>> vds_name = :host);DELETE FROM vds_static WHERE vds_name =
> >:host;COMMIT;
> >>> 
> >>>
> >>>
> >>>
> >>> On Tue, 21 Apr 2020 at 15:19, Shareef Jalloq 
> >>> wrote:
> >>> > Hi,
> >>> >
> >>> > I seem to have got a stale host in my engine that I can't remove.
> >I
> >>> recently reinstalled oVirt Node on this host and while trying to
> >refresh
> >>> the host in the engine, have got it in some state where I can't do
> >anything.
> >>> >
> >>> > The host is listed as Status=Unassigned.  Under the Management
> >pull
> >>> down I only have Restart and Stop options, both of which error if
> >>> selected.  The Remove button is not available.
> >>> >
> >>> > How do I force a removal of this host from the view so I can
> >reload it?
> >>> >
> >>> > Shareef.
> >>> > ___
> >>> > Users mailing list -- users@ovirt.org
> >>> > To unsubscribe send an email to users-le...@ovirt.org
> >>> > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> >>> > oVirt Code of Conduct:
> >>> https://www.ovirt.org/community/about/community-guidelines/
> >>> > List Archives:
> >>>
> >https://lists.ovirt.org/archives/list/users@ovirt.org/message/TCBGLVCLMTZSQAURDDVGHKYXXQ36NO5H/
> >>> >
> >>> ___
> >>> Users mailing list -- users@ovirt.org
> >>> To unsubscribe send an email to users-le...@ovirt.org
> >>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> >>> oVirt Code of Conduct:
> >>> https://www.ovirt.org/community/about/community-guidelines/
> >>> List Archives:
> >>>
> >https://lists.ovirt.org/archives/list/users@ovirt.org/message/EAFO7EBLCETILFJGCY55K254TLRKJPRC/
> >>>
> >>
>
> Last time I had to remove a host - I didn't have your issues.
> Yet,  I'm not claiming the opposite - just that in case the host is also a 
> gluster node ,  oVirt will intentionally prevent removal of the node.
>
> Your approach could be absolutely valid in case there is no Gluster involved 
> - yet for HCI , Gluster brick has  to be replaced prior taking any actions 
> for the removal.

Did any of you try to "Confirm 'Host has been rebooted'"? Did this help?

Best regards,
-- 
Didi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VCGXJVFZT2OSNI33APH62NH2CRHEZOU3/


[ovirt-users] Safely disable firewalld [Ovirt 4.3]

2020-04-22 Thread francesco
Hi all,

I was wondering if it's "safe" disabling entirely the firewalld service and 
manage the firewall only via iptables, on the host and on the hosted engine (a 
self-hosted engine). It would make a lot easier the managing the firewall rules 
for me because of many automatisms I created based on iptables. Did anyone 
manage to do this? Any contraindication for doing this or precaution that I 
have to take care of?

Thanks for your time and help,
Francesco
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PNKTCSWLJXKK6FAIJ7EJMWIFTH4GGCL5/