[ovirt-users] Re: oVirt 4.5.x User Creation with Keycloak

2023-03-21 Thread Artur Socha
Hi Simon,
In Keycloak there is a way to create a 'bootstrap' administrator user (a
user that belongs to the Administrator group) that is automatically recognised
as an oVirt admin.
Typically, you want to use that user to assign permissions in the oVirt
Administrator panel[1]. I suspect that is what you really wanted to ask for.

To directly answer your question: any Keycloak user that does not belong to
the Administrator group is treated as a 'regular' oVirt user (without any
specific permissions).

[1]
https://www.ovirt.org/documentation/administration_guide/index.html#sect-Roles

I hope this helps a bit.

Artur

On Mon, 20 Mar 2023 at 22:40  wrote:

> I'm trying to create a user/group that doesn't have full admin permissions.
> Does this capability exist with keycloak for the oVirt environment?
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/72LVXUVNXGFLYDZROQZOL77QJQ22QLF7/
>


[ovirt-users] Re: Slightly confused by KeyCloak

2023-01-13 Thread Artur Socha
Hi Theo,
The thing you mentioned - the ovirt-administrator group - is a special
construct with the purpose of having a bootstrapped oVirt admin user for new
oVirt installations. This explains why Keycloak users assigned to that group
can, for example, create new VMs.

The Keycloak server bundled into the oVirt setup serves only an authentication
purpose, as opposed to authorization; therefore, it is not required to create
the Keycloak group 'ovirt-student' and match it with an oVirt counterpart.
If I understood correctly - users defined in Keycloak can actually log in to
the oVirt Admin panel and/or to the oVirt VM portal, right?
If that's the case - you're simply missing some (group?) permissions -
these permissions are only managed from within the oVirt admin panel.
One more thing worth mentioning: in order to have some users under a group
defined in oVirt (via the admin panel) you have to manually assign them
there. User & group association defined in Keycloak is not propagated to
oVirt. Although, it could be a nice feature to have!

Perhaps this documentation will help a bit:
https://www.ovirt.org/documentation/virtual_machine_management_guide/index.html#sect-Virtual_Machines_and_Permissions

cheers!
Artur

On Fri, 13 Jan 2023 at 08:46  wrote:

> Hi there,
>
> We've decided to use oVirt for our school datacenter and I'm setting up a
> PoC to show it could work for our needs.
> So far, I've managed to deploy a single hosted engine to iSCSI by using
> the hosted-engine deploy script. So far, so good, I can create VMs, I've
> had a few problems, but nothing I couldn't figure out.
>
> What got me confused is the KeyCloak link with oVirt. My goal is to allow
> students to register to oVirt so that they can spin up VMs, images, and so
> on.
> I've created a group in KeyCloak named "ovirt-student" that is
> automatically assigned to new users.
> I have also linked oVirt to this group by going into the engine web UI and
> adding the group to oVirt's group list.
>
> I have given system permissions to the ovirt-student group such as
> VMCreator. I've then tried to connect to a dummy user called "test". My
> results are as follows :
> - The user does not seem to have the correct rights as it cannot create
> new VMs in the VM portal;
> - The admin interface does not suggest the user is a part of the
> ovirt-student group;
>
> However, when I add the test user to the ovirt-administrator group, no
> problem at all, the user is an admin, alright.
>
> My question is as follows : what do I need to do so that the groups in
> KeyCloak and oVirt are synced ?
>
> Thanks a lot,
>
> TP


[ovirt-users] Re: Unable to change the admin password on oVirt 4.5.2.5

2022-09-28 Thread Artur Socha
Hi,
For a new environment I would recommend cleaning it and starting from
scratch. During engine-setup just provide 'No' to the Keycloak-related
questions.
In case you already have a working setup, then please take a look at
this thread [1]. It's a bit old but the procedure worked at that time.

[1] 
https://lists.ovirt.org/archives/list/users@ovirt.org/thread/6HNKNAXW2ACO5VAJAH2BTMD3T3BKTUHK/#JJTUWLSMW2BP4AKOSZRDPLC5WQYIL6EW

Artur

On Fri, 23 Sep 2022 at 11:07 Ayansh Rocks  wrote:
>
> Any straightaway command to change the admin user password when using 
> keycloak integration ?
>
> On Thu, Sep 22, 2022 at 4:08 PM Ayansh Rocks  
> wrote:
>>
>> I am using  Keycloak integration but unable to find the way to change the 
>> password. Can I switch to "AAA" anyhow ?
>>
>>
>>
>> On Mon, Sep 19, 2022 at 2:15 PM Martin Perina  wrote:
>>>
>>> Hi,
>>>
>>> the answer depends if you selected Keycloak integration during engine-setup 
>>> or not. If you are not sure, you can check using following:
>>>
>>> 1. What is your username when connecting to webadmin?
>>> - If it's "admin@ovirt", then you are using Keycloak integration
>>> - If it's "admin" and profile "internal" then you are using AAA.
>>>
>>> 2. Please take a look at the file 
>>> /etc/ovirt-engine/engine.conf.d/12-setup-keycloak:
>>> - If the file exists and it contains "KEYCLOAK_BUNDLED=true", then you 
>>> are using Keycloak integration
>>> - If the file doesn't exist or it contains "KEYCLOAK_BUNDLED=false",
>>> then you are using AAA.
>>>
>>> If you selected Keycloak integration, then you need to log in to the Keycloak
>>> administration console and change admin@ovirt password there. More
>>> information can be found at 
>>> https://www.keycloak.org/archive/documentation-15.0.html
>>>
>>> If you selected AAA, then the steps you posted below are correct.
>>>
>>> Unfortunately we don't have yet proper documentation about Keycloak 
>>> integration, which was introduced in oVirt 4.5.1.
>>>
>>> Regards,
>>> Martin
>>>
>>>
>>> On Fri, Sep 16, 2022 at 3:42 PM Ayansh Rocks  
>>> wrote:

>>>> Hi All,
>>>>
>>>> Any idea how to change password of admin user on oVirt 4.5.2.5 ?
>>>>
>>>> Below is not working -
>>>>
>>>> [root@ovirt]# ovirt-aaa-jdbc-tool user password-reset admin
>>>> Picked up JAVA_TOOL_OPTIONS: -Dcom.redhat.fips=false
>>>> Password:
>>>> Reenter password:
>>>> updating user admin...
>>>> user updated successfully
>>>> [root@delhi-test-ovirtm-02 ~]#
>>>>
>>>> Above shows successful but password not changed.
>>>>
>>>> Thanks
>>>
>>>
>>>
>>> --
>>> Martin Perina
>>> Manager, Software Engineering
>>> Red Hat Czech s.r.o.
>


[ovirt-users] Re: Veeam Backup for RHV (oVirt)

2022-07-29 Thread Artur Socha
Cool! I'm glad this worked for you. I tested it on a non-HE environment so
I forgot to mention a maintenance mode requirement.
cheers,
Artur


On Fri, Jul 29, 2022 at 11:15 AM  wrote:

> Thanks!
>
> i did try it, and now everything works!
> If anyone else is gonna do this, before doing steps above, you have to
> enable Global Maintenance mode (Compute -> Hosts -> ... -> Enable Global HA
> Maintenance) or else you will get errors during engine-setup.
> Also, during engine-setup, even if you will be asked to provide new admin
> password, that password will not work if you changed it before via
> ovirt-aaa-jdbc-tool tool. Use password that you configured with that tool.
>
> Regards,


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Re: Veeam Backup for RHV (oVirt)

2022-07-28 Thread Artur Socha
*oVirt Keycloak  internal SSO revert procedure:*

*First of all this is rather a Dev approach and in a real Production
environment regular 'restore from previous backup and run setup' approach
should be used. *

*I have tested this only on my very simplified dev environment. *



*Please make sure to backup any existing setup before proceeding*

On the engine host:


*1. Disable external SSO in oVirt Engine*

*edit:*

 /etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf

and update the following properties:

KEYCLOAK_BUNDLED=false

ENGINE_SSO_ENABLE_EXTERNAL_SSO=false

*2. Disable HTTPD openidc configuration*

remove/rename /etc/httpd/conf.d/internalsso-openidc.conf

ie.

mv /etc/httpd/conf.d/internalsso-openidc.conf /etc/httpd/conf.d/internalsso-openidc.conf.disabled

*3. Update oVirt OVN provider (if configured)*

edit

/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

and remove or comment out the following property:

ovirt-admin-user-name=admin@ovirt@internalsso

*4. Run setup to update all answers and postinstall configurations:*

$ engine-setup --offline --otopi-environment="OVESETUP_CONFIG/keycloakEnable=bool:False OVESETUP_CONFIG/keycloakSupported=bool:False"

*5. Update Grafana OAuth configuration (if configured on the same host as
the engine)*


*NOTE: ignore this step if you don’t need SSO for the Monitoring Portal.*


Update highlighted sections

/etc/grafana/grafana.ini

Locate [auth.generic_oauth] section

[auth.generic_oauth]
name = oVirt Engine Auth
enabled = true
allow_sign_up = false
client_id = ovirt-grafana
client_secret = """wnS3xkK0Rd13kw30EhEEnDqn8lk2hLBDB2jlfSAHgHs
"""
scopes = ovirt-app-admin,ovirt-app-portal,ovirt-ext=auth:sequence-priority
role_attribute_path =
email_attribute_name = email
auth_url = https://ENGINE/ovirt-engine/sso/openid/authorize
token_url = https://ENGINE/ovirt-engine/sso/openid/token
api_url = https://ENGINE/ovirt-engine/sso/openid/userinfo
team_ids =
allowed_organizations =
tls_skip_verify_insecure = false
tls_client_cert =
tls_client_key =
tls_client_ca = /etc/pki/ovirt-engine/apache-ca.pem
send_client_credentials_via_post = false

I was unable to retrieve the originally created client_secret for grafana
client id (ovirt-grafana).

But it is possible to create a new one. Just make sure to backup that
secret for future upgrades.

# {ca_pem}: i.e. /etc/pki/ovirt-engine/ca.pem
# --client-id: ovirt-grafana2, or anything else other than 'ovirt-grafana'
# {tmp_conf}: i.e. /tmp/99-client-register.conf
$ ovirt-register-sso-client-tool \
    --callback-prefix-url='https://ENGINE_FQDN/ovirt-engine-grafana/' \
    --client-ca-location={ca_pem} \
    --client-id=ovirt-grafana2 \
    --encrypted-userinfo=false \
    --conf-file-name={tmp_conf}

This command will create and register a new client that can be used for
grafana oauth setup.

The necessary configuration details will be stored in the filesystem under
the location defined by '--conf-file-name={tmp_conf}'

*6. Restart services*

   - ovirt-engine
   - httpd
   - ovirt-provider-ovn  (if configured)
   - grafana-server (if configured on the same host as oVirt Engine)



*7. Login to oVirt Admin Panel using legacy AAA credentials (username:
admin, profile: internal, provided password) *

*and update oVirt OVN provider credentials so that username is
'ovirt@internal'*

From the side panel choose:

Administration -> Providers -> ovirt-provider-ovn

Click Edit for  ovirt-provider-ovn and update the ‘Username’ field to
contain ‘admin@internal’.

If you run engine-setup with the defaults, the password is the same.

Next, scroll down, click ‘Test’ and make sure it is successful before
submitting the change.



To the best of my knowledge these steps should be sufficient to fully revert to
legacy AAA on the existing Keycloak enabled environment.

Fingers crossed!
Artur





On Thu, Jul 28, 2022 at 8:46 AM Artur Socha  wrote:

> Hi,
> I will document the required steps to revert from Keycloak. I only need
> some time  to test the procedure.
> Definitely, it is possible.
>
> Stay tuned, I will post it first here (today)
>
> Artur
>
> On Thu, Jul 28, 2022 at 8:30 AM  wrote:
>
>> Ah, I see..
>> Then, is there any good guide or documentation how to revert from
>> Keycloak to AAA?
>> All I could find is how to move from AAA to Keycloak, but not reverse.
>
>
> --
> Artur Socha
> Senior Software Engineer, RHV
> Re
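
Added example, not part of the thread and not oVirt project code: a read-only bash check for steps 1-3 of the revert procedure above, combined with the Keycloak-or-AAA test Martin Perina describes in the admin-password thread. The file paths and property names are the ones quoted in the messages; the function names, the ROOT prefix argument and the sample tree are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Read-only audit of the Keycloak -> AAA revert state (added example).
# ROOT is a path prefix: "/" on an engine host, or a constructed test tree.
# Paths are taken from the revert procedure (note the .conf suffix used there).
KC_CONF=etc/ovirt-engine/engine.conf.d/12-setup-keycloak.conf
OIDC_CONF=etc/httpd/conf.d/internalsso-openidc.conf
OVN_CONF=etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf

# conf_value FILE KEY: print the last uncommented KEY=value, lower-cased and
# without quotes or whitespace. Prints nothing if the file or key is missing.
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d "\"'" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]'
}

# auth_mode ROOT: "keycloak" if the file exists and has KEYCLOAK_BUNDLED=true,
# otherwise "aaa" (the check from the admin-password thread).
auth_mode() {
    if [ "$(conf_value "$1/$KC_CONF" KEYCLOAK_BUNDLED)" = true ]; then
        echo keycloak
    else
        echo aaa
    fi
}

# audit_revert ROOT: print one line per leftover from steps 1-3 of the revert
# procedure; return 0 when nothing is left over, 1 otherwise.
audit_revert() {
    ar_root=$1
    ar_rc=0
    if [ -e "$ar_root/$KC_CONF" ]; then
        for ar_key in KEYCLOAK_BUNDLED ENGINE_SSO_ENABLE_EXTERNAL_SSO; do
            ar_val=$(conf_value "$ar_root/$KC_CONF" "$ar_key")
            if [ "$ar_val" != false ]; then
                echo "step 1: $ar_key=${ar_val:-<unset>} (expected false)"
                ar_rc=1
            fi
        done
    fi
    if [ -e "$ar_root/$OIDC_CONF" ]; then
        echo "step 2: $OIDC_CONF is still present"
        ar_rc=1
    fi
    case "$(conf_value "$ar_root/$OVN_CONF" ovirt-admin-user-name)" in
        *@internalsso)
            echo "step 3: OVN provider still uses an internalsso user"
            ar_rc=1 ;;
    esac
    return "$ar_rc"
}

# make_sample_tree DIR STATE: build a CONSTRUCTED tree for trying the checks.
# STATE is "keycloak" (before the revert) or "reverted" (after steps 1-3).
make_sample_tree() {
    mkdir -p "$1/${KC_CONF%/*}" "$1/${OIDC_CONF%/*}" "$1/${OVN_CONF%/*}"
    if [ "$2" = keycloak ]; then
        printf 'KEYCLOAK_BUNDLED=true\nENGINE_SSO_ENABLE_EXTERNAL_SSO=true\n' \
            > "$1/$KC_CONF"
        : > "$1/$OIDC_CONF"
        printf 'ovirt-admin-user-name=admin@ovirt@internalsso\n' > "$1/$OVN_CONF"
    else
        printf 'KEYCLOAK_BUNDLED=false\nENGINE_SSO_ENABLE_EXTERNAL_SSO=false\n' \
            > "$1/$KC_CONF"
        rm -f "$1/$OIDC_CONF"
        printf '#ovirt-admin-user-name=admin@ovirt@internalsso\n' > "$1/$OVN_CONF"
    fi
}

# Usage: ./audit.sh /      (audits the live engine host, changes nothing)
if [ -n "${1:-}" ]; then
    echo "auth mode: $(auth_mode "${1%/}")"
    if audit_revert "${1%/}"; then
        echo "no Keycloak leftovers found"
    fi
fi
```

The Grafana OAuth settings from step 5 and the provider username from step 7 are not covered and still need a manual check.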

[ovirt-users] Re: Veeam Backup for RHV (oVirt)

2022-07-28 Thread Artur Socha
Hi,
I will document the required steps to revert from Keycloak. I only need
some time  to test the procedure.
Definitely, it is possible.

Stay tuned, I will post it first here (today)

Artur

On Thu, Jul 28, 2022 at 8:30 AM  wrote:

> Ah, I see..
> Then, is there any good guide or documentation how to revert from Keycloak
> to AAA?
> All I could find is how to move from AAA to Keycloak, but not reverse.


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Re: Help needed

2022-07-22 Thread Artur Socha
Regarding Keycloak related errors. This seems like a result of something
else going wrong rather than the keycloak issue itself.  Preparation of
keycloak-add-user.json happens quite early in the setup process.
Anyway, please ping me if that happens again.

thanks,
Artur

On Thu, Jul 21, 2022 at 6:10 PM less foobar via Users 
wrote:

> I can't replicate it. Ovirt installed properly this time. The only
> difference was that instead of setting gluster first I've started the
> hosted-engine --deploy and then the gluster


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Re: SSO error during hosted engine deployment with 4.5.1

2022-07-19 Thread Artur Socha
Hi Dax,

+ Ritesh

I believe that this issue has just been resolved and is waiting to be
released.
https://github.com/oVirt/cockpit-ovirt/pull/28/files

Artur


On Sun, Jul 10, 2022 at 8:27 AM Dax Kelson  wrote:

> On the final setup of using the cockpit ovirt wizard to install the hosted
> engine with 4.5.1, this occurs:
>
> [ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Obtain SSO token using
> username/password credentials]
> [ ERROR ] fatal: [localhost]: FAILED! => {"msg": "The field 'environment'
> has an invalid value, which includes an undefined variable. The error was:
> 'he_admin_username' is undefined\n\nThe error appears to be in
> '/usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/auth_sso.yml':
> line 2, column 3, but may\nbe elsewhere in the file depending on the exact
> syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Obtain
> SSO token using username/password credentials\n ^ here\n"}


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Re: Grafana login

2022-07-19 Thread Artur Socha
Hi everyone,
I think what you found here is the bug. Partially it was fixed in the
mentioned BZs but later we realized it still exists under some
circumstances.
I have posted GitHub PR [1] addressing it and it has already been merged.
This fix is expected to be released as part of oVirt Engine 4.5.2.
After that, it will be possible to fully use SSO, i.e. log in with the same
username to grafana and oVirt. The root cause for this bug was a different
'admin' email being used in grafana and oVirt.
Until then, I think it should be possible to log in to the grafana/monitoring
portal:
1) when no keycloak enabled: use 'admin' and don't use 'oVirt SSO' on
grafana login page
2) when keycloak enabled: use 'admin' and don't choose 'oVirt SSO' on
grafana login page
3) when keycloak enabled: use 'admin@ovirt' via 'oVirt SSO' on grafana
login page, or log in first to oVirt and then go to grafana (Monitoring
Panel). Last option should not ask you for credentials again as the SSO is
supposed to work.

[1] https://github.com/oVirt/ovirt-engine/pull/508

thanks,
Artur

On Mon, Jul 18, 2022 at 5:13 PM Klaas Demter  wrote:

> I thought that was fixed in latest version:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1996292
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2021497
>
> Maybe report your findings in one of the bzs.
>
>
> Greetings
>
> Klaas
>
> On 7/18/22 08:16, markec...@gmail.com wrote:
> > Ok, I finally found a way to login, using username "admin" and password
> > that I have created when installing hosted engine.
> >
> > I thought the Grafana login was connected to Keycloak or the oVirt
> > internal SSO database, but as far as I can see, Grafana account is created
> > during the installation of Hosted-engine, and subsequent password changes
> > in Keycloak or the internal SSO database do not affect the Grafana login
> > credentials, you have to use ones you have created during installation.


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Keycloak - the default OpenID/SSO provider for oVirt Engine

2022-07-13 Thread Artur Socha
lus many more
almost for free - multi factor authentication,  3rd party identity
providers (ie. github, google, facebook etc.) just to name a few.
For more information please see the Keycloak's documentation [4].


[1] https://www.ovirt.org/release/4.5.1/#keycloak-sso-setup-for-ovirt-engine
[2]
https://github.com/oVirt/ovirt-engine-keycloak/blob/master/keycloak_usage.md
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2101474
[4] https://www.keycloak.org/archive/documentation-15.0.html


Please, let us know if you have any questions/concerns.
Last, but not least, any contributions or bug reports are more than
welcomed!

thanks!
Artur

-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Re: Install Ovirt 4.5.1 on Centos Stream 8.6

2022-06-28 Thread Artur Socha
... and I forgot to mention that you would need to enable openidc auth
module before installing it:
$ dnf module enable mod_auth_openidc:2.3 -y

Artur

On Tue, Jun 28, 2022 at 10:38 AM Artur Socha  wrote:

> Hi Moula,
> I am a bit confused with Centos Stream 8.6. There is Centos Stream 8 or
> Centos Stream 9.
> Could you provide the output from
>
> $ cat /etc/os-release
> $ dnf list --all | grep ovirt-engine-keycloak
>
> thanks,
> Artur
>
> On Tue, Jun 28, 2022 at 9:05 AM  wrote:
>
>> Hello,
>> I'm trying to install ovirt-engine on centos Stream 8.6 and it's still
>> not possible due to outdated dependencies.
>> ovirt-engine-keycloak
>> ovirt-engine-keycloak-setup
>> mod_auth_openidc
>>
>> Thank's.
>> Moula.
>
>
> --
> Artur Socha
> Senior Software Engineer, RHV
> Red Hat
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Re: Install Ovirt 4.5.1 on Centos Stream 8.6

2022-06-28 Thread Artur Socha
Hi Moula,
I am a bit confused with Centos Stream 8.6. There is Centos Stream 8 or
Centos Stream 9.
Could you provide the output from

$ cat /etc/os-release
$ dnf list --all | grep ovirt-engine-keycloak

thanks,
Artur

On Tue, Jun 28, 2022 at 9:05 AM  wrote:

> Hello,
> I'm trying to install ovirt-engine on centos Stream 8.6 and it's still not
> possible due to outdated dependencies.
> ovirt-engine-keycloak
> ovirt-engine-keycloak-setup
> mod_auth_openidc
>
> Thank's.
> Moula.


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Re: 500 - Internal Server Error after engine-setup oVirt 4.4 on CentOS Stream 8

2022-05-16 Thread Artur Socha
s.weld.injection.WeldInterceptorInjectionInterceptor.processInvocation(WeldInterceptorInjectionInterceptor.java:56)
> at org.jboss.invocation@1.6.0.
> Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ee@23.0.2.Final
> //org.jboss.as.ee.component.ComponentInstantiatorInterceptor.processInvocation(ComponentInstantiatorInterceptor.java:74)
> at org.jboss.invocation@1.6.0.
> Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.weld@23.0.2.Final
> //org.jboss.as.weld.interceptors.Jsr299BindingsCreateInterceptor.processInvocation(Jsr299BindingsCreateInterceptor.java:111)
> at org.jboss.invocation@1.6.0.
> Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ee@23.0.2.Final
> //org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
> at org.jboss.invocation@1.6.0.
> Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.as.ejb3@23.0.2.Final
> //org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:232)
> ... 28 more
> Caused by: java.lang.reflect.InvocationTargetException
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at org.jboss.weld.core@3.1.6.
> Final//org.jboss.weld.injection.producer.DefaultLifecycleCallbackInvoker.invokeMethods(DefaultLifecycleCallbackInvoker.java:83)
> ... 59 more
> Caused by: org.springframework.dao.InvalidDataAccessApiUsageException:
> Unable to determine the correct call signature - no
> procedure/function/signature for 'gettagsbyparent_id'
> at org.springframework@5.0.4.
> RELEASE//org.springframework.jdbc.core.metadata.GenericCallMetaDataProvider.processProcedureColumns(GenericCallMetaDataProvider.java:362)
> at org.springframework@5.0.4.
> RELEASE//org.springframework.jdbc.core.metadata.GenericCallMetaDataProvider.initializeWithProcedureColumnMetaData(GenericCallMetaDataProvider.java:114)
> at org.springframework@5.0.4.
> RELEASE//org.springframework.jdbc.core.metadata.CallMetaDataProviderFactory.lambda$createMetaDataProvider$0(CallMetaDataProviderFactory.java:127)
> at org.springframework@5.0.4.
> RELEASE//org.springframework.jdbc.support.JdbcUtils.extractDatabaseMetaData(JdbcUtils.java:324)
> at org.springframework@5.0.4.
> RELEASE//org.springframework.jdbc.core.metadata.CallMetaDataProviderFactory.createMetaDataProvider(CallMetaDataProviderFactory.java:70)
> at org.springframework@5.0.4.
> RELEASE//org.springframework.jdbc.core.metadata.CallMetaDataContext.initializeMetaData(CallMetaDataContext.java:252)
> at org.springframework@5.0.4.
> RELEASE//org.springframework.jdbc.core.simple.AbstractJdbcCall.compileInternal(AbstractJdbcCall.java:313)
> at
> org.ovirt.engine.core.dal//org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.compileInternal(PostgresDbEngineDialect.java:106)
> at org.springframework@5.0.4.
> RELEASE//org.springframework.jdbc.core.simple.AbstractJdbcCall.compile(AbstractJdbcCall.java:296)
> at
> org.ovirt.engine.core.dal//org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.getCall(SimpleJdbcCallsHandler.java:157)
> at
> org.ovirt.engine.core.dal//org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeImpl(SimpleJdbcCallsHandler.java:134)
> at
> org.ovirt.engine.core.dal//org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadList(SimpleJdbcCallsHandler.java:105)
> at
> org.ovirt.engine.core.dal//org.ovirt.engine.core.dao.TagDaoImpl.getAllForParent(TagDaoImpl.java:82)
> at
> deployment.engine.ear.bll.jar//org.ovirt.engine.core.bll.TagsDirector.addChildren(TagsDirector.java:116)
> at
> deployment.engine.ear.bll.jar//org.ovirt.engine.core.bll.TagsDirector.init(TagsDirector.java:75)
> ... 64 more
>
> Thank you very much for the help!
>
>
>
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat


[ovirt-users] Re: grafana @ ovirt 4.5.0.6 "origin not allowed"

2022-05-10 Thread Artur Socha
Hi,
I have seen a similar thing in my dev environment. However, I blamed a
browser because after I cleaned cookies, this error went away. Perhaps you
could try to use it in private mode just to test?
Artur

On Tue, May 10, 2022 at 10:59 AM  wrote:

> Hello,
> in my current new installation ovirt-engine-4.5.0.6-1.el8.noarch I have a
> problem setting up the grafana monitoring portal.
> I'm supposing that there is some problem regarding connection to ovirt DWH
> DB.
>
> I tested the credentials stored in
> /etc/grafana/conf/provisioning/datasources/ovirt-dwh.yaml of the
> ovirt-engine and with psql it seem to work and also the DWH is populated by
> the engine.
>
> But
>
> connecting to configuration->data sources and trying to reconfigure the
> ovirt dwh datasource, when you click on "save & test" it appears a popup
> telling that the "origin not allowed".
> I cannot find anything in the grafana log or the httpd log.
> Can you help?
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/6USYSPBHOVD4JMOQZMZVEFOPNXJIJMBS/
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/65LE35YNXTQ3TTOLPYUFZMEXTEE6F4DT/


[ovirt-users] Re: Oauth token lifetime

2021-12-21 Thread Artur Socha
Hi,
After some digging I learned that 30 minutes default refers to default user
session timeout and that is not the actual OAuth token timeout. However,
user session timeout defines when a user should be logged out in general.

User session length in minutes can be set by:
$ engine-config -s UserSessionTimeOutInterval=123

OAuth token timeout (in seconds) is set by default as:
SSO_TOKEN_TIMEOUT=36
From what I see, that timeout is used to clean up inactive tokens (perhaps
that's the reason why it is set to such a big value).

If you want to experiment with its length, you can define it somewhere
under /etc/ovirt-engine/engine.conf.d/99-your-custom.conf

Unfortunately I must admit it's a bit confusing (unless I am reading this
code wrong).

Artur









On Mon, Dec 20, 2021 at 6:16 PM Sandro Bonazzola 
wrote:

>
>
> On Mon, 20 Dec 2021 at 10:54, Nathanaël Blanchet <blanc...@abes.fr> wrote:
>
>>
>> On 17/12/2021 at 18:07, Sandro Bonazzola wrote:
>>
>>
>>
>> On Thu, 16 Dec 2021 at 23:08, Nathanaël Blanchet <blanc...@abes.fr> wrote:
>>
>>> Hello, there is not a lot of information about the OAuth token except I found
>>> they expire after 30 minutes of inactivity. I'd like to change this value if
>>> possible to a dedicated lifetime. Usually this kind of change is done with
>>> engine-config but no such item is currently available. Is it possible?
>>>
>>>
>> engine-config is still there:
>> # rpm -qf /usr/bin/engine-config
>>
>> ovirt-engine-tools-4.5.0-0.2.master.20211215083937.gitafa2fd24e6.el8.noarch
>>
>> It is not about the engine-config command itself but about the way to
>> configure the oauth2 token lifetime. I mean, we usually use the
>> engine-config for this kind of thing, but it seems there is currently no
>> way to do this with engine-config.
>>
>> Where can I configure this?
>>
>
> +Artur Socha  +Martin Perina   ?
>
>
>>
>>
>> --
>>
>> Sandro Bonazzola
>>
>> MANAGER, SOFTWARE ENGINEERING, EMEA R RHV
>>
>> Red Hat EMEA <https://www.redhat.com/>
>>
>> sbona...@redhat.com
>> <https://www.redhat.com/>
>>
>> *Red Hat respects your work life balance. Therefore there is no need to
>> answer this email out of your office hours. *
>>
>>
>> --
>> Nathanaël Blanchet
>>
>> Network supervision
>> SIRE
>> 227 avenue Professeur-Jean-Louis-Viala
>> 34193 MONTPELLIER CEDEX 5
>> Tel. 33 (0)4 67 54 84 55
>> Fax  33 (0)4 67 54 84 14
>> blanc...@abes.fr
>>
>>
>
> --
>
> Sandro Bonazzola
>
> MANAGER, SOFTWARE ENGINEERING, EMEA R RHV
>
> Red Hat EMEA <https://www.redhat.com/>
>
> sbona...@redhat.com
> <https://www.redhat.com/>
>
> *Red Hat respects your work life balance. Therefore there is no need to
> answer this email out of your office hours.*
>
>
>

-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YZKV4P2TGQFXLDRYU5TR5IQKMX6T3ZZN/


[ovirt-users] Re: Questions about VDSM communication protocol

2021-12-02 Thread Artur Socha
Hi Henry,
Let me answer your questions at least partially.

Stomp provides a simplified protocol for the messaging which at the time
greatly helped in effectively adding new functionalities.

We do not have any development plans to separate the broker. AFAIK, in the
past there were some attempts to use Rabbit MQ but that has never left the
PoC stage (please somebody correct me if I am wrong). The current
implementation with internal broker is performant enough (and reliable) to
support huge installations (I cannot find relevant documentation right now,
hopefully others will post urls) and gives enough flexibility to implement
new messaging flows. By huge I mean hundreds of hosts and thousands of VMs
communicating with each other.

@Piotr Kliczewski  @Martin Perina 
Would you like to add anything more?

Artur



On Thu, Dec 2, 2021 at 2:31 AM Henry lol 
wrote:

> Hello,
>
> 1. I know vdsm communication adopted rpc over "stomp" and i'm wondering if
> it's due to use of the message broker or any other purpose.
>
> 2. according to
> https://www.ovirt.org/develop/release-management/features/infra/jsonrpc.html,
> vdsm has the final plan to completely separate msg broker. Is it still
> valid and under development?
>
> 3. if so, why is vdsm trying to use msg broker? because it seems enough
> even without msg broker.
>
>
> thanks,
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/EREUPD7LZIFV6YUKSK3NYD64ENPRS2ZX/
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/A5JWGPTUSXVVDOENXW2VCSD6CCN24ONQ/


[ovirt-users] Re: Q: Get Host Capabilities Failed after restart

2021-08-09 Thread Artur Socha
You can use that one or this 'simplified' short version
https://access.redhat.com/solutions/3227681

Artur

On Mon, Aug 9, 2021 at 5:01 PM Andrei Verovski  wrote:

> Hi
>
>
> Should  I use threaddump_linux.sh.tar.gz ?
> from:
>
> https://access.redhat.com/solutions/18178
>
>
> > On 9 Aug 2021, at 17:56, Artur Socha  wrote:
> >
> > Actually you could even make 3 thread dumps in 30-second intervals.
> > Artur
> >
> > On Mon, Aug 9, 2021 at 4:53 PM Artur Socha  wrote:
> > Unfortunately I don't see anything wrong in both engine and vdsm logs.
> > There is one last thing that comes to my mind that you try - restart
> engine service. That is exactly the case I have been investigating.
> > But before restarting I would like to ask you, if possible, for a java
> (jvm) thread dump.
> > The procedure is as follows:
> > 1)  find jboss pid  ie.
> > $ ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'
> > 2) trigger thread dump
> > $ kill -3 <jboss_pid>
> > 3)  thread dump logs can be found at /var/log/ovirt-engine/console.log
> >
> > And then restart engine service to check if that helps.
> >
> > Artur
> >
> >
> > On Mon, Aug 9, 2021 at 2:19 PM Andrei Verovski 
> wrote:
> > Hi, Artur,
> >
> > Small update with vdsm status, forgot to include in previous post.
> >
> > I partially fixed problem with VDSM start.
> >
> > Bug "Failed to create session: Start job for unit user-0.slice failed
> with ‘canceled’”
> > is being described here
> > https://bugzilla.redhat.com/show_bug.cgi?id=1967962
> > and fix seem to be available here, so I have downgraded systemd with
> backport fix:
> >
> http://people.redhat.com/dtardon/systemd/bz1642460-backport-UserStopDelaySec=/
> >
> > Now vdsmd service starts successfully, but node14 still cannot be
> activated because of same error. This is quite strange, before restart on
> Friday node just worked. There were no upgrades, nothing, just restart.
> >
> > [root@node14 ~]# service vdsmd status
> > Redirecting to /bin/systemctl status vdsmd.service
> > ● vdsmd.service - Virtual Desktop Server Manager
> >Loaded: loaded (/usr/lib/systemd/system/vdsmd.service; enabled;
> vendor preset: disabled)
> >Active: active (running) since Mon 2021-08-09 15:12:59 EEST; 4min 20s
> ago
> >   Process: 4066 ExecStartPre=/usr/libexec/vdsm/vdsmd_init_common.sh
> --pre-start (code=exited, status=0/SUCCESS)
> >  Main PID: 4130 (vdsmd)
> > Tasks: 41 (limit: 615525)
> >Memory: 59.5M
> >CGroup: /system.slice/vdsmd.service
> >└─4130 /usr/bin/python3 /usr/share/vdsm/vdsmd
> >
> > Aug 09 15:12:55 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> prepare_transient_repository
> > Aug 09 15:12:57 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> syslog_available
> > Aug 09 15:12:57 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> nwfilter
> > Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> dummybr
> > Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> tune_system
> > Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> test_space
> > Aug 09 15:12:59 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> test_lo
> > Aug 09 15:12:59 node14.***.lv systemd[1]: Started Virtual Desktop Server
> Manager.
> > Aug 09 15:13:00 node14.***.lv vdsm[4130]: WARN MOM not available. Error:
> [Errno 111] Connection refused
> > Aug 09 15:13:00 node14.***.lv vdsm[4130]: WARN MOM not available, KSM
> stats will be missing. Error:
> >
> >
> > [root@node14]# firewall-cmd --list-all
> > public (active)
> >   target: default
> >   icmp-block-inversion: no
> >   interfaces: DMZ_node14 eno1 eno2 ovirtmgmt
> >   sources:
> >   services: cockpit dhcpv6-client libvirt-tls mountd nfs ovirt-imageio
> ovirt-vmconsole rpc-bind snmp ssh vdsm
> >   ports: 2301/tcp 2381/tcp 22/tcp 6081/udp
> >   protocols:
> >   forward: no
> >   masquerade: no
> >   forward-ports:
> >   source-ports:
> >   icmp-blocks:
> >   rich rules:
> > [root@node14 andrei]#
> >
> >
> > vdsm-client Host getStats and vdsm-client Host getCapabilities attached.
> >
> >
> >
> >
> >> On 9 Aug 2021, at 13:18, Artur Socha  wrote:
> >>
> >> Thanks for the logs.  I am checking them at the moment. I have noticed
> so far that node14 is serving NFS share which had been marked as
> problematic (probably because of the downtime during the migratio

[ovirt-users] Re: Q: Get Host Capabilities Failed after restart

2021-08-09 Thread Artur Socha
Unfortunately I don't see anything wrong in either the engine or the vdsm logs.
There is one last thing that comes to my mind that you could try - restart the
engine service. That is exactly the case I have been investigating.
But before restarting I would like to ask you, if possible, for a java
(jvm) thread dump.
The procedure is as follows:
1) find the jboss pid, i.e.
$ ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'
2) trigger a thread dump
$ kill -3 <jboss_pid>
3) the thread dump logs can be found at /var/log/ovirt-engine/console.log

And then restart engine service to check if that helps.

Artur


On Mon, Aug 9, 2021 at 2:19 PM Andrei Verovski  wrote:

> Hi, Artur,
>
> Small update with vdsm status, forgot to include in previous post.
>
> I partially fixed problem with VDSM start.
>
> Bug "Failed to create session: Start job for unit user-0.slice failed with
> ‘canceled’”
> is being described here
> https://bugzilla.redhat.com/show_bug.cgi?id=1967962
> and fix seem to be available here, so I have downgraded systemd with
> backport fix:
>
> http://people.redhat.com/dtardon/systemd/bz1642460-backport-UserStopDelaySec=/
>
> Now vdsmd service starts successfully, but node14 still cannot be
> activated because of same error. This is quite strange, before restart on
> Friday node just worked. There were no upgrades, nothing, just restart.
>
> [root@node14 ~]# service vdsmd status
> Redirecting to /bin/systemctl status vdsmd.service
> ● vdsmd.service - Virtual Desktop Server Manager
>Loaded: loaded (/usr/lib/systemd/system/vdsmd.service; enabled; vendor
> preset: disabled)
>Active: active (running) since Mon 2021-08-09 15:12:59 EEST; 4min 20s
> ago
>   Process: 4066 ExecStartPre=/usr/libexec/vdsm/vdsmd_init_common.sh
> --pre-start (code=exited, status=0/SUCCESS)
>  Main PID: 4130 (vdsmd)
> Tasks: 41 (limit: 615525)
>Memory: 59.5M
>CGroup: /system.slice/vdsmd.service
>└─4130 /usr/bin/python3 /usr/share/vdsm/vdsmd
>
> Aug 09 15:12:55 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> prepare_transient_repository
> Aug 09 15:12:57 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> syslog_available
> Aug 09 15:12:57 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> nwfilter
> Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> dummybr
> Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> tune_system
> Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> test_space
> Aug 09 15:12:59 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
> test_lo
> Aug 09 15:12:59 node14.***.lv systemd[1]: Started Virtual Desktop Server
> Manager.
> Aug 09 15:13:00 node14.***.lv vdsm[4130]: WARN MOM not available. Error:
> [Errno 111] Connection refused
> Aug 09 15:13:00 node14.***.lv vdsm[4130]: WARN MOM not available, KSM
> stats will be missing. Error:
>
>
> [root@node14]# firewall-cmd --list-all
> public (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: DMZ_node14 eno1 eno2 ovirtmgmt
>   sources:
>   services: cockpit dhcpv6-client libvirt-tls mountd nfs ovirt-imageio
> ovirt-vmconsole rpc-bind snmp ssh vdsm
>   ports: 2301/tcp 2381/tcp 22/tcp 6081/udp
>   protocols:
>   forward: no
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
> [root@node14 andrei]#
>
>
> vdsm-client Host getStats and vdsm-client Host getCapabilities attached.
>
>
>
>
> On 9 Aug 2021, at 13:18, Artur Socha  wrote:
>
> Thanks for the logs.  I am checking them at the moment. I have noticed so
> far that node14 is serving NFS share which had been marked as problematic
> (probably because of the downtime during the migration) but it has
> recovered.
>
> In the meantime, is it possible to get some meaningful results when
> calling:
> $ vdsm-client Host getStats
> and
> $ vdsm-client Host getCapabilities
> on node14?
>
> What  is the state for vdsmd service when running systemctl status vdsmd?
> One other thing to rule out is the networking/firewall. Here the list of
> the ports to be open for the host (the documentation is for hosted engine,
> but it applies for standalone setup as well):
>
> https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine_using_the_command_line/index.html#host-firewall-requirements_SHE_cli_deploy
>
> btw. I have been hunting for the rare and hard to recreate bug for quite a
> long time (without success yet) so any reported connectivity issues between
> the manager and hosts are super interesting to me.
>
> Artur
>
> On Mon, Aug 9, 2021 at 11:44 AM Andrei Verovski  > wrote:
>
>> Hi, Artur,
>>
>>
>> Tha

[ovirt-users] Re: Q: Get Host Capabilities Failed after restart

2021-08-09 Thread Artur Socha
Actually you could even make 3 thread dumps in 30-second intervals.
Artur

On Mon, Aug 9, 2021 at 4:53 PM Artur Socha  wrote:

> Unfortunately I don't see anything wrong in both engine and vdsm logs.
> There is one last thing that comes to my mind that you try - restart
> engine service. That is exactly the case I have been investigating.
> But before restarting I would like to ask you, if possible, for a java
> (jvm) thread dump.
> The procedure is as follows:
> 1)  find jboss pid  ie.
> $ ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'
> 2) trigger thread dump
> $ kill -3 <jboss_pid>
> 3)  thread dump logs can be found at /var/log/ovirt-engine/console.log
>
> And then restart engine service to check if that helps.
>
> Artur
>
>
> On Mon, Aug 9, 2021 at 2:19 PM Andrei Verovski 
> wrote:
>
>> Hi, Artur,
>>
>> Small update with vdsm status, forgot to include in previous post.
>>
>> I partially fixed problem with VDSM start.
>>
>> Bug "Failed to create session: Start job for unit user-0.slice failed
>> with ‘canceled’”
>> is being described here
>> https://bugzilla.redhat.com/show_bug.cgi?id=1967962
>> and fix seem to be available here, so I have downgraded systemd with
>> backport fix:
>>
>> http://people.redhat.com/dtardon/systemd/bz1642460-backport-UserStopDelaySec=/
>>
>> Now vdsmd service starts successfully, but node14 still cannot be
>> activated because of same error. This is quite strange, before restart on
>> Friday node just worked. There were no upgrades, nothing, just restart.
>>
>> [root@node14 ~]# service vdsmd status
>> Redirecting to /bin/systemctl status vdsmd.service
>> ● vdsmd.service - Virtual Desktop Server Manager
>>Loaded: loaded (/usr/lib/systemd/system/vdsmd.service; enabled; vendor
>> preset: disabled)
>>Active: active (running) since Mon 2021-08-09 15:12:59 EEST; 4min 20s
>> ago
>>   Process: 4066 ExecStartPre=/usr/libexec/vdsm/vdsmd_init_common.sh
>> --pre-start (code=exited, status=0/SUCCESS)
>>  Main PID: 4130 (vdsmd)
>> Tasks: 41 (limit: 615525)
>>Memory: 59.5M
>>CGroup: /system.slice/vdsmd.service
>>└─4130 /usr/bin/python3 /usr/share/vdsm/vdsmd
>>
>> Aug 09 15:12:55 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
>> prepare_transient_repository
>> Aug 09 15:12:57 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
>> syslog_available
>> Aug 09 15:12:57 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
>> nwfilter
>> Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
>> dummybr
>> Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
>> tune_system
>> Aug 09 15:12:58 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
>> test_space
>> Aug 09 15:12:59 node14.***.lv vdsmd_init_common.sh[4066]: vdsm: Running
>> test_lo
>> Aug 09 15:12:59 node14.***.lv systemd[1]: Started Virtual Desktop Server
>> Manager.
>> Aug 09 15:13:00 node14.***.lv vdsm[4130]: WARN MOM not available. Error:
>> [Errno 111] Connection refused
>> Aug 09 15:13:00 node14.***.lv vdsm[4130]: WARN MOM not available, KSM
>> stats will be missing. Error:
>>
>>
>> [root@node14]# firewall-cmd --list-all
>> public (active)
>>   target: default
>>   icmp-block-inversion: no
>>   interfaces: DMZ_node14 eno1 eno2 ovirtmgmt
>>   sources:
>>   services: cockpit dhcpv6-client libvirt-tls mountd nfs ovirt-imageio
>> ovirt-vmconsole rpc-bind snmp ssh vdsm
>>   ports: 2301/tcp 2381/tcp 22/tcp 6081/udp
>>   protocols:
>>   forward: no
>>   masquerade: no
>>   forward-ports:
>>   source-ports:
>>   icmp-blocks:
>>   rich rules:
>> [root@node14 andrei]#
>>
>>
>> vdsm-client Host getStats and vdsm-client Host getCapabilities attached.
>>
>>
>>
>>
>> On 9 Aug 2021, at 13:18, Artur Socha  wrote:
>>
>> Thanks for the logs.  I am checking them at the moment. I have noticed so
>> far that node14 is serving NFS share which had been marked as problematic
>> (probably because of the downtime during the migration) but it has
>> recovered.
>>
>> In the meantime, is it possible to get some meaningful results when
>> calling:
>> $ vdsm-client Host getStats
>> and
>> $ vdsm-client Host getCapabilities
>> on node14?
>>
>> What  is the state for vdsmd service when running systemctl status vdsmd?
>> One other thing to rule out is the networking/firewall. Here the list of
>> the ports to be open for the host (the documentation
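
The thread-dump procedure quoted in this reply (find the jboss PID, `kill -3`, read /var/log/ovirt-engine/console.log), repeated at 30-second intervals as suggested, can be scripted as below. This is an added example, not part of the thread and not oVirt's own tooling; the function names, the 2-second settle delay and the `--capture` switch are assumptions of the example.

```bash
#!/bin/sh
# Added example: collect several ovirt-engine JVM thread dumps and summarise
# them. The jboss filter and the console.log path come from the message above;
# everything else (names, defaults, --capture) is this example's own.

CONSOLE_LOG="${CONSOLE_LOG:-/var/log/ovirt-engine/console.log}"

# Read `ps -ef` output on stdin and print the PID (column 2) of jboss processes.
# The [j] bracket stops the pattern from matching awk's own command line.
jboss_pids() {
    awk '/[j]boss/ { print $2 }'
}

# Resolve exactly one engine PID; refuse to signal anything when the match is
# empty or ambiguous.
engine_pid() {
    pids=$(ps -ef | jboss_pids)
    set -- $pids
    if [ "$#" -ne 1 ]; then
        echo "expected 1 jboss process, found $#: $pids" >&2
        return 1
    fi
    echo "$1"
}

# Number of thread dumps in a log; HotSpot starts each with "Full thread dump".
dump_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^Full thread dump' "$1" || true   # grep -c exits 1 on zero matches
}

# Print the Nth (1-based) dump: from its marker line up to the next marker.
nth_dump() {
    awk -v want="$2" '/^Full thread dump/ { n++ } n == want' "$1"
}

# Threads in state BLOCKED in the Nth dump. A count that stays high across
# consecutive dumps points at lock contention rather than a momentary stall.
blocked_count() {
    nth_dump "$1" "$2" | grep -c 'java\.lang\.Thread\.State: BLOCKED' || true
}

# Per-state thread totals for the Nth dump, one "<count> <STATE>" per line.
state_summary() {
    nth_dump "$1" "$2" |
        sed -n 's/^ *java\.lang\.Thread\.State: \([A-Z_]*\).*/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# Send SIGQUIT `count` times, `interval` seconds apart, and check after each
# signal that a new dump really reached the log before moving on.
capture_dumps() {
    pid="$1"; count="${2:-3}"; interval="${3:-30}"
    i=1
    while [ "$i" -le "$count" ]; do
        before=$(dump_count "$CONSOLE_LOG")
        kill -3 "$pid" || return 1      # the JVM prints the dump and keeps running
        sleep 2                         # assumed settle time for the write
        after=$(dump_count "$CONSOLE_LOG")
        if [ "$after" -le "$before" ]; then
            echo "dump $i did not reach $CONSOLE_LOG" >&2
            return 1
        fi
        echo "dump $i: $(blocked_count "$CONSOLE_LOG" "$after") BLOCKED thread(s)"
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
        i=$((i + 1))
    done
}

# Signal the engine only when explicitly asked to, so sourcing is side-effect free.
if [ "${1:-}" = "--capture" ]; then
    pid=$(engine_pid) || exit 1
    capture_dumps "$pid" "${2:-3}" "${3:-30}"
fi
```

Run it on the engine machine with `--capture` as a user allowed to signal the engine process, and collect the dumps before restarting the engine service.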

[ovirt-users] Re: Q: Get Host Capabilities Failed after restart

2021-08-09 Thread Artur Socha
Thanks for the logs.  I am checking them at the moment. I have noticed so
far that node14 is serving NFS share which had been marked as problematic
(probably because of the downtime during the migration) but it has
recovered.

In the meantime, is it possible to get some meaningful results when
calling:
$ vdsm-client Host getStats
and
$ vdsm-client Host getCapabilities
on node14?

What is the state of the vdsmd service when running systemctl status vdsmd?
One other thing to rule out is the networking/firewall. Here is the list of
the ports to be open for the host (the documentation is for hosted engine,
but it applies for standalone setup as well):
https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine_using_the_command_line/index.html#host-firewall-requirements_SHE_cli_deploy

btw. I have been hunting for the rare and hard to recreate bug for quite a
long time (without success yet) so any reported connectivity issues between
the manager and hosts are super interesting to me.

Artur

On Mon, Aug 9, 2021 at 11:44 AM Andrei Verovski 
wrote:

> Hi, Artur,
>
>
> Thanks for assistance. Zipped engine starting from the day of upgrade
> attached.
> Restart via SSH from oVirt Web GUI works.
> oVirt engine runs on dedicated server, not hosted engine.
>
>
>
>
> On 9 Aug 2021, at 11:24, Artur Socha  wrote:
>
> Hi Andrei,
> Could you also post a relevant piece of engine.log? I don't have high
> expectations to find the answer there but  I just want  to be sure of it.
> VDSM.log does not show any trace of error from the vdsm point of view. For
> example it looks like it started correctly and subscribed to receiving
> commands from the engine (yet that does not mean I connected to it - only
> in listening mode).
>
> Can you confirm that 'SSH restart' from UI works - by 'works' I mean the
> host is actually restarted after a few minutes and there are no ssh related
> (public key etc) errors in engine.log?
>
> Artur
>
> On Mon, Aug 9, 2021 at 9:55 AM Andrei Verovski 
> wrote:
>
>> Hi,
>>
>> I have oVirt 4.4.7.6-1.el8 and one problematic node (HP ProLiant with
>> CentOS 8 stream).
>> After replacing server rack router switch and restart got this error I
>> can’t recover from:
>>
>> VDSM node14 command Get Host Capabilities failed: Message timeout which
>> can be caused by communication issues
>>
>> vdsm-network running fine, but vdsmd can’t start on node14 for whatever
>> reason. All other nodes running fine.
>>
>> Aug 09 10:24:12 node14.mydomain.lv vdsmd_init_common.sh[4825]: vdsm:
>> Running dummybr
>> Aug 09 10:24:13 node14.mydomain.lv vdsmd_init_common.sh[4825]: vdsm:
>> Running tune_system
>> Aug 09 10:24:13 node14.mydomain.lv vdsmd_init_common.sh[4825]: vdsm:
>> Running test_space
>> Aug 09 10:24:13 node14.mydomain.lv vdsmd_init_common.sh[4825]: vdsm:
>> Running test_lo
>> Aug 09 10:24:13 node14.mydomain.lv systemd[1]: Started Virtual Desktop
>> Server Manager.
>> Aug 09 10:24:16 node14.mydomain.lv sudo[7721]:
>> pam_systemd(sudo:session): Failed to create session: Start job for unit
>> user-0.slice failed with 'canceled'
>> Aug 09 10:24:16 node14.mydomain.lv sudo[7721]: pam_unix(sudo:session):
>> session opened for user root by (uid=0)
>> Aug 09 10:24:16 node14.mydomain.lv sudo[7721]: pam_unix(sudo:session):
>> session closed for user root
>> Aug 09 10:24:17 node14.mydomain.lv vdsm[6754]: WARN MOM not available.
>> Error: [Errno 2] No such file or directory
>> Aug 09 10:24:17 node14.mydomain.lv vdsm[6754]: WARN MOM not available,
>> KSM stats will be missing. Error:
>>
>>
>> In web gui -> Management I can’t do anything with the host except
>> restart. Stop aborts with error, all other commands are gray-ed out.
>> Status is “Unassigned”. Host is answering to pings as usual.
>> vdsm.log (from node14) attached.
>>
>> Thanks in advance for any help.
>>
>>
>> List Archives:
>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/55M65W57Z43ZVPOARDTK7HKHCAMAUGO5/
>>
>
>
> --
> Artur Socha
> Senior Software Engineer, RHV
> Red Hat
>
>
>

-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MRTZJOD25TEF2X7H4O3IZL5ECGNDRSHR/


[ovirt-users] Re: Q: Get Host Capabilities Failed after restart

2021-08-09 Thread Artur Socha
Hi Andrei,
Could you also post a relevant piece of engine.log? I don't have high
expectations to find the answer there but  I just want  to be sure of it.
VDSM.log does not show any trace of error from the vdsm point of view. For
example it looks like it started correctly and subscribed to receiving
commands from the engine (yet that does not mean I connected to it - only
in listening mode).

Can you confirm that 'SSH restart' from UI works - by 'works' I mean the
host is actually restarted after a few minutes and there are no ssh related
(public key etc) errors in engine.log?

Artur

On Mon, Aug 9, 2021 at 9:55 AM Andrei Verovski  wrote:

> Hi,
>
> I have oVirt 4.4.7.6-1.el8 and one problematic node (HP ProLiant with
> CentOS 8 stream).
> After replacing server rack router switch and restart got this error I
> can’t recover from:
>
> VDSM node14 command Get Host Capabilities failed: Message timeout which
> can be caused by communication issues
>
> vdsm-network running fine, but vdsmd can’t start on node14 for whatever
> reason. All other nodes running fine.
>
> Aug 09 10:24:12 node14.mydomain.lv vdsmd_init_common.sh[4825]: vdsm:
> Running dummybr
> Aug 09 10:24:13 node14.mydomain.lv vdsmd_init_common.sh[4825]: vdsm:
> Running tune_system
> Aug 09 10:24:13 node14.mydomain.lv vdsmd_init_common.sh[4825]: vdsm:
> Running test_space
> Aug 09 10:24:13 node14.mydomain.lv vdsmd_init_common.sh[4825]: vdsm:
> Running test_lo
> Aug 09 10:24:13 node14.mydomain.lv systemd[1]: Started Virtual Desktop
> Server Manager.
> Aug 09 10:24:16 node14.mydomain.lv sudo[7721]: pam_systemd(sudo:session):
> Failed to create session: Start job for unit user-0.slice failed with
> 'canceled'
> Aug 09 10:24:16 node14.mydomain.lv sudo[7721]: pam_unix(sudo:session):
> session opened for user root by (uid=0)
> Aug 09 10:24:16 node14.mydomain.lv sudo[7721]: pam_unix(sudo:session):
> session closed for user root
> Aug 09 10:24:17 node14.mydomain.lv vdsm[6754]: WARN MOM not available.
> Error: [Errno 2] No such file or directory
> Aug 09 10:24:17 node14.mydomain.lv vdsm[6754]: WARN MOM not available,
> KSM stats will be missing. Error:
>
>
> In web gui -> Management I can’t do anything with the host except restart.
> Stop aborts with error, all other commands are gray-ed out.
> Status is “Unassigned”. Host is answering to pings as usual.
> vdsm.log (from node14) attached.
>
> Thanks in advance for any help.
>
>
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/55M65W57Z43ZVPOARDTK7HKHCAMAUGO5/
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QMTDLZH4JDWAUKG4ZASTX3APTHK2WQIK/


[ovirt-users] Re: Ovirt Engine -- Connection Refused to all hosts

2021-05-18 Thread Artur Socha
Hi Nick,
Could you post some more information about your setup?
In particular it would be useful to have the following:
1) *ovirt-engine* version
2) *vdsm-jsonrpc-java* version
3) vdsm logs from the host (*/var/log/vdsm/{vdsm,supervdsm}.log*, check for
errors & warnings)
4) libvirt logs (if any), *journalctl -u libvirtd*

best,
Artur


On Tue, May 18, 2021 at 8:01 AM Yedidyah Bar David  wrote:

> On Tue, May 18, 2021 at 8:37 AM Nick Polites  wrote:
> >
> > Hi All,
> >
> > I am not sure if my original post is being reviewed before posting but
> trying again in case it failed to send.
> >
> > I tried logging in this morning to oVirt and see that all of my hosts
> are unresponsive. I am seeing a connection refused error in the engine
> logs. I am able to SSH and ping the host from the engine. Any help would be
> appreciated.
> >
> > 2021-05-15 15:19:21,041Z ERROR
> [org.ovirt.engine.core.vdsbroker.vdsbroker.GetCapabilitiesAsyncVDSCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-65) [] Command
> 'GetCapabilitiesAsyn
> > cVDSCommand(HostName = hlkvm03,
> VdsIdAndVdsVDSCommandParametersBase:{hostId='2186eca7-4d9d-482f-b1b7-b63ac46b96aa',
> vds='Host[hlkvm03,2186eca7-4d9d-482f-b1b7
> > -b63ac46b96aa]'})' execution failed: java.net.ConnectException:
> Connection refused
>
> Is vdsmd up on your hosts? Accessible? Can you check its logs?
>
> Good luck and best regards,
>
> Didi
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/SV4ENLDTVHIPV7EKFCA4EPQNRHAPDV4N/
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QCWT7RHE5LIQHQGAA6A3R7OC7ODOBYC4/


[ovirt-users] Re: VM Portal. User can't access the details box

2021-02-24 Thread Artur Socha
Hi Nicolás,
First thing would be to check engine's logs
/var/log/ovirt-engine/engine.log. Would it be possible to post here a
snippet from the time this issue occurred?

There might be something in audit log as well (from the admin's account)

cheers,
Artur


On 24.02.2021 11:48, Nicolás wrote:
> Hi,
> 
> We're running oVirt 4.1.8. We make an intense use of the VM Portal, as
> our students use it to access and handle their machines. We're currently
> having an issue with just one of our users. He claims that he created a
> VM, and when tried to edit its details (clicking on the pencil), a
> screen stating that the "VM Portal is experiencing some issues" is shown
> (screenshot added).
> 
> I granted a UserRole permission on a user I handle, and I don't
> experience that problem, I can edit the VM with no issues. The user also
> states that this happens on any VM he creates.
> 
> I see nothing relevant in the log regarding this issue.
> 
> Please, any hint how to debug this?
> 
> Thanks.
> 
> Nicolás
> 



List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ICUOW7B3XDIZMFR3NRHTDSSML7IH2XZL/


[ovirt-users] Re: Create new user, but why cannot login ?

2021-01-15 Thread Artur Socha
Hi Tommy,
It looks like you are missing some permissions (roles)? Are you trying to log in
to the administration panel (that's my guess) or to the VM portal?
Anyway, to resolve this issue assign relevant roles to that newly created
user using your admin account.

Artur


On Fri, Jan 15, 2021 at 7:10 AM tommy  wrote:

> I just created a new user:
>
> [root@oeng ~]# ovirt-aaa-jdbc-tool user add cuitao
> adding user cuitao...
> user added successfully
>
> [root@oeng ~]# ovirt-aaa-jdbc-tool user password-reset cuitao
> Password:
> Reenter password:
> updating user cuitao...
> user updated successfully
>
> [root@oeng ~]# ovirt-aaa-jdbc-tool user edit cuitao --password-valid-to="2221-01-15 05:23:41Z"
> updating user cuitao...
> user updated successfully
>
> [root@oeng ~]# ovirt-aaa-jdbc-tool user show cuitao
> -- User cuitao(300163db-8352-4fbd-86ac-d25014364f08) --
> Namespace: *
> Name: cuitao
> ID: 300163db-8352-4fbd-86ac-d25014364f08
> Display Name:
> Email: sz_cui...@163.com
> First Name: tommy
> Last Name: cui
> Department:
> Title:
> Description:
> Account Disabled: false
> Account Locked: false
> Account Unlocked At: 1970-01-01 00:00:00Z
> Account Valid From: 2021-01-15 05:23:41Z
> Account Valid To: 2221-01-15 05:23:41Z
> Account Without Password: false
> Last successful Login At: 2021-01-15 05:54:49Z
> Last unsuccessful Login At: 2021-01-15 05:32:12Z
> Password Valid To: 2221-01-15 05:23:41Z
>
> And I gave the VmCreator role to the new account.
>
> But why can't I log in?
>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OSHRCZN4IU34H3MCBYNOED725SIVKW7Q/
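
The `user show` output quoted in this thread already tells authentication problems apart from missing roles. The following Python example is added here (it is not part of the original messages and not oVirt project code): it parses that output, lists account states that would stop a login, and otherwise reports whether the credentials were accepted. It assumes that "Last successful Login At" is updated whenever the credentials are accepted and that `1970-01-01 00:00:00Z` means "never"; the function names are hypothetical.

```python
from datetime import datetime, timezone

# `ovirt-aaa-jdbc-tool user show cuitao` output as quoted in the thread above
# (empty fields and the e-mail line left out).
USER_SHOW = """\
-- User cuitao(300163db-8352-4fbd-86ac-d25014364f08) --
Namespace: *
Name: cuitao
ID: 300163db-8352-4fbd-86ac-d25014364f08
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2021-01-15 05:23:41Z
Account Valid To: 2221-01-15 05:23:41Z
Account Without Password: false
Last successful Login At: 2021-01-15 05:54:49Z
Last unsuccessful Login At: 2021-01-15 05:32:12Z
Password Valid To: 2221-01-15 05:23:41Z
"""

# Assumption: the tool prints the Unix epoch for "never happened".
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_user_show(text):
    """Turn the 'Key: value' lines into a dict; tolerates '> ' mail quoting."""
    fields = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line or line.startswith("--") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def when(fields, key):
    """Parse a 'YYYY-MM-DD HH:MM:SSZ' field as UTC; a missing field counts as never."""
    value = fields.get(key)
    if not value:
        return EPOCH
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)


def authentication_blockers(fields, now):
    """Account states that stop a login before any role is looked at."""
    reasons = []
    if fields.get("Account Disabled") == "true":
        reasons.append("account is disabled")
    if fields.get("Account Locked") == "true":
        reasons.append("account is locked")
    if not when(fields, "Account Valid From") <= now <= when(fields, "Account Valid To"):
        reasons.append("outside the account validity window")
    if when(fields, "Password Valid To") < now:
        reasons.append("password has expired")
    return reasons


def diagnose(text, now):
    """Return (stage, reasons): the login stage the output points at."""
    fields = parse_user_show(text)
    reasons = authentication_blockers(fields, now)
    if reasons:
        return "authentication", reasons
    accepted = when(fields, "Last successful Login At")
    rejected = when(fields, "Last unsuccessful Login At")
    if accepted > EPOCH and accepted >= rejected:
        # Credentials are fine, so what is left to check is the roles in the engine.
        return "authorization", ["credentials last accepted at %s" % accepted.isoformat()]
    return "credentials", ["no successful login since the last failure"]


if __name__ == "__main__":
    stage, why = diagnose(USER_SHOW, datetime.now(timezone.utc))
    print(stage, why)
```

For the output in this thread the result is `authorization`, which matches the reply: the account itself is usable and the remaining work is assigning roles.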


[ovirt-users] Re: java.lang.reflect.UndeclaredThrowableException - oVirt engine UI

2020-10-01 Thread Artur Socha
Hi Jeremey,
Could you please post some relevant piece of :

1) HE VM
/var/log/ovirt-engine/engine.log
Plus:
# dnf list --installed | grep ovirt-engine

2) Host with HE VM
/var/log/ovirt-hosted-engine-ha/{agent.log,broker.log}
/var/log/vdsm/vdsm.log
Plus:
$  dnf list --installed | egrep "(vdsm|ovirt-engine-appliance)"

The issue you found in BugZilla seems to be quite old and was fixed in
version 4.1x.

Artur


On Wed, Sep 30, 2020 at 4:36 PM Jeremey Wise  wrote:

> I tried to post on website but .. it did not seem to work... so sorry if
> this is double posting.
>
> oVirt login this AM. accepted username and password but got java error.
>
> Restarted oVirt engine
> ##
>
> hosted-engine --set-maintenance --mode=global
>
> hosted-engine --vm-shutdown
>
> hosted-engine --vm-status
>
> #make sure that the status is shutdown before restarting
>
> hosted-engine --vm-start
>
> hosted-engine --vm-status
>
> #make sure the status is healthy before leaving maintenance mode
>
> hosted-engine --set-maintenance --mode=none
> ##
> [root@thor ~]# hosted-engine --vm-status
>
>
> --== Host thor.penguinpages.local (id: 1) status ==--
>
> Host ID: 1
> Host timestamp : 65342
> Score  : 3400
> Engine status  : {"vm": "down", "health": "bad",
> "detail": "unknown", "reason": "vm not running on this host"}
> Hostname   : thor.penguinpages.local
> Local maintenance  : False
> stopped: False
> crc32  : 824c29fd
> conf_on_shared_storage : True
> local_conf_timestamp   : 65342
> Status up-to-date  : True
> Extra metadata (valid at timestamp):
> metadata_parse_version=1
> metadata_feature_version=1
> timestamp=65342 (Wed Sep 30 08:11:45 2020)
> host-id=1
> score=3400
> vm_conf_refresh_time=65342 (Wed Sep 30 08:11:45 2020)
> conf_on_shared_storage=True
> maintenance=False
> state=EngineDown
> stopped=False
>
>
> --== Host medusa.penguinpages.local (id: 3) status ==--
>
> Host ID: 3
> Host timestamp : 87556
> Score  : 3400
> Engine status  : {"vm": "up", "health": "good",
> "detail": "Up"}
> Hostname   : medusa.penguinpages.local
> Local maintenance  : False
> stopped: False
> crc32  : 63296a70
> conf_on_shared_storage : True
> local_conf_timestamp   : 87556
> Status up-to-date  : True
> Extra metadata (valid at timestamp):
> metadata_parse_version=1
> metadata_feature_version=1
> timestamp=87556 (Wed Sep 30 08:11:39 2020)
> host-id=3
> score=3400
> vm_conf_refresh_time=87556 (Wed Sep 30 08:11:39 2020)
> conf_on_shared_storage=True
> maintenance=False
> state=EngineUp
> stopped=False
> [root@thor ~]# yum update -y
> Last metadata expiration check: 0:31:17 ago on Wed 30 Sep 2020 09:17:03 AM
> EDT.
> Dependencies resolved.
> Nothing to do.
> Complete!
> [root@thor ~]#
>
>
> Googled around ..  just found this thread.
> ##
> https://bugzilla.redhat.com/show_bug.cgi?id=1378045
>
>
> # pgadmin connect to ovirte01.penguinpages.com as engine to db engine
> select mac_addr from  vm_interface
> "00:16:3e:57:0d:47"
> "56:6f:86:41:00:01"
> "56:6f:86:41:00:00"
> "56:6f:86:41:00:02"
> "56:6f:86:41:00:03"
> "56:6f:86:41:00:04"
> "56:6f:86:41:00:05"
> "56:6f:86:41:00:15"
>
> "56:6f:86:41:00:16"
> "56:6f:86:41:00:17"
> "56:6f:86:41:00:18"
> "56:6f:86:41:00:19"
>
>
> # Note one field is "null"
>
> Question:
> 1) is this bad?
> 2) How do I fix?
> 3) Any idea on root cause?
>
> --
> penguinpages


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PA56NRXMCMUMJGQ3QJHIIA2JU2GEDK7V/


[ovirt-users] Re: Random hosts disconnects

2020-09-18 Thread Artur Socha
On Fri, Sep 18, 2020 at 1:54 PM Anton Louw 
wrote:

>
>
> Hi Artur,
>
>
>
> Thanks for the reply. I have attached the system logs. There was a
> disconnect at 10:54, but no error that is different to the rest. I do see a
> whole lot of QEMU Guest Agent and block_io errors in the system logs. Not
> entirely sure what this means.
>

After a very quick search on the internet the first one does not seem to be
severe at all - this guest agent provides only some information to VMs
about the host.
Sep 18 10:50:41 node05.kvm.voxvm.co.za libvirtd[23603]: 2020-09-18 08:50:41.493+: 23729: error : qemuDomainAgentAvailable:9133 : Guest agent is not responding: QEMU guest agent is not connected

The second one is unknown to me at all:
Sep 18 10:50:52 node05.kvm.voxvm.co.za libvirtd[23603]: 2020-09-18 08:50:52.802+: 23729: error : qemuMonitorJSONBlockIoThrottleInfo:5005 : internal error: block_io_throttle inserted entry was not in expected format
Perhaps someone with more libvirt/qemu background will comment on that.


>
> Checking the vdsm logs at the time of the error, the only entry is the
> below:
>
>
>
> “2020-09-18 10:55:57,081+ WARN  (qgapoller/2)
> [virt.periodic.VmDispatcher] could not run  at
> 0x7f2170395578> on ['d3838612-70bb-4731-a0d4-8f65d31b40a6',
> '59a2f394-48fe-4bd9-91d6-08115f2eec0a',
> 'f81e3ab8-c1a9-4674-b238-7e229fd43e7c',
> '42189fa1-4381-02c7-d830-20eac408da2c',
> '423f1c57-f98e-707f-c0f9-d4958d3f0fec',
> '64d1eabc-20ff-4288-98ff-dcfd120fe7d2',
> '4218baf0-e2a1-42c7-2efd-077407f47b4d',
> '42184650-5a60-5403-d758-840bdbf92dd8',
> '492ea3fe-0a27-4dde-abf9-7d146ee1b988',
> '4218df00-15cd-bdf9-efd9-c5ead49fd89c',
> '9c373379-718b-4906-abc1-960fb1820c2d',
> 'b9441c7a-0bfd-4d41-a8de-ee24e4259b36',
> 'd810325a-1a45-4054-a870-c8c052a22354',
> '42189d3f-4570-45ea-6e5a-94c85a5885a1'] (periodic:289)”
>
>
This WARN does not seem to be the cause ... it may be the result because
VM failed to be dispatched (perhaps due to lack of suitable hosts that got
disconnected at a moment)


>
> I am stumped. Do you think it is worth a shot increasing the 
> vdsConnectionTimeout
> and vdsHeartbeatInSeconds to 40 for testing purposes?
>

I still don't think it will change anything unless your network between
those 2 DC is 'tcp over pigeons' kind of setup :)
Now, more seriously. Even if increasing timeouts would fix the connectivity
I suspect the core issue would still remain ... in the best case scenario
it could be postponed a bit.

Am I correct assuming those 2 DC are  located in 2 different physical
locations?   If so then I would closely check the network itself first
(including hardware like routers/switches).

Artur

>
>
> Thanks
>
>
>
> *Anton Louw*
> *Cloud Engineer: Storage and Virtualization* at *Vox*
> --
> *T:*  087 805  | *D:* 087 805 1572
> *M:* N/A
> *E:* anton.l...@voxtelecom.co.za
> *A:* Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
>
>
> *From:* Artur Socha 
> *Sent:* 18 September 2020 13:27
> *To:* Anton Louw 
> *Cc:* users@ovirt.org
> *Subject:* Re: [ovirt-users] Re: Random hosts disconnects
>
>
>
> Hi Anton,
>
> I am not sure if changing this value would fix the issue. Defaults are
> pretty high. For example vdsHeartbeatInSeconds=30seconds,
> vdsTimeout=180seconds, vdsConnectionTimeout=20seconds.
>
> Do you still have relevant logs from the affected hosts:
>
> /var/log/vdsm/vdsm.log
> /var/log/vdsm/supervdsm.log
>
> Please look for any jsonrpc errors, i.e. write/read errors or (connection)
> timeouts.  Storage related warnings/errors might also be relevant.
>
> Plus system logs if possible:
>
> journalctl -f /usr/share/vdsm/vdsmd
> journalctl -f /usr/sbin/libvirtd
>
> In order to get system logs from a particular time period please combine it
> with the following example using -S  -U options:
>
> journalctl -S "2020-01-12 07:00:00" -U "2020-01-12 07:15:00"
>
> I haven't a clue what to look there for besides any warnings/errors or
> anything else that seems unusual.
>
>
>
> Artur
>
>
>
>
>
> On Thu, Sep 17, 2020 at 8:09 AM Anton Louw via Users 
> wrote:
>
>
>
> Hi Everybody,
>
>
>
> Did some digging around, and saw a few things regarding 
> “vdsHeartbeatInSeconds”

[ovirt-users] Re: Random hosts disconnects

2020-09-18 Thread Artur Socha
Hi Anton,
I am not sure if changing this value would fix the issue. Defaults are
pretty high. For example vdsHeartbeatInSeconds=30seconds,
vdsTimeout=180seconds, vdsConnectionTimeout=20seconds.

Do you still have relevant logs from the affected hosts:
/var/log/vdsm/vdsm.log
/var/log/vdsm/supervdsm.log
Please look for any jsonrpc errors, i.e. write/read errors or (connection)
timeouts.  Storage related warnings/errors might also be relevant.

Plus system logs if possible:
journalctl -f /usr/share/vdsm/vdsmd
journalctl -f /usr/sbin/libvirtd

In order to get system logs from a particular time period please combine it
with the following example using -S  -U options:

journalctl -S "2020-01-12 07:00:00" -U "2020-01-12 07:15:00"
I haven't a clue what to look there for besides any warnings/errors or
anything else that seems unusual.

Artur


On Thu, Sep 17, 2020 at 8:09 AM Anton Louw via Users 
wrote:

>
>
> Hi Everybody,
>
>
>
> Did some digging around, and saw a few things regarding 
> “vdsHeartbeatInSeconds”
>
> I had a look at the properties file located at 
> /etc/ovirt-engine/engine-config/engine-config.properties, and do not see an 
> entry for “vdsHeartbeatInSeconds.type=Integer”.
>
> Seeing as these data centers are geographically split, could the 
> “vdsHeartbeatInSeconds” potentially be the issue? Is it safe to increase this 
> value after I add “vdsHeartbeatInSeconds.type=Integer” into my 
> engine-config.properties file?
>
>
>
> Thanks
>
>
>
>
> *From:* Anton Louw via Users 
> *Sent:* 16 September 2020 09:01
> *To:* users@ovirt.org
> *Subject:* [ovirt-users] Random hosts disconnects
>
>
>
>
>
> Hi All,
>
>
>
> I have a strange issue in my oVirt environment. I currently have a
> standalone manager which is running in VMware. In my oVirt environment, I
> have two Data Centers. The manager is currently sitting on the same subnet
> as DC1. Randomly, hosts in DC2 will say “Not Responding” and then 2 seconds
> later, the hosts will activate again.
>
>
>
> The strange thing is, when the manager was sitting on the same subnet as
> DC2, hosts in DC1 will randomly say “Not Responding”
>
>
>
> I have tried going through the logs, but I cannot see anything out of the
> ordinary regarding why the hosts would drop connection. I have attached the
> engine.log for anybody that would like to do a spot check.
>
>
>
> Thanks
>
>
>

[ovirt-users] Re: KeyCloak Integration

2020-09-07 Thread Artur Socha
Hi Anton,
Just to let you know. I investigated this issue. If you want to use
keycloak in version >=10  you would need to define all additional scopes as
'optional client scopes' in your client configuration.
In my case, on my test environment, I only had to add
'ovirt-ext=auth:sequence-priority=~' but in your case you may need all
listed in error_description:
{"error_description":"Cannot authenticate user Invalid scopes:
ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
ovirt-ext=token:password-access.","error":"access_denied"}
This configuration change is required because it has been changed/fixed how
'unknown' scopes are handled in keycloak. Now keycloak must always be aware
of all scopes and previously unknown ones were simply ignored.

Here is BZ with details:
https://bugzilla.redhat.com/show_bug.cgi?id=1849569

best,
Artur


On Tue, Jun 23, 2020 at 5:03 PM Artur Socha  wrote:

> On Tue, 2020-06-23 at 14:41 +, Anton Louw wrote:
>
>
>
> Hi Artur,
>
>
>
> Apologies for the late response. So we have downgraded the version of
> KeyCloak, and all seems to be working 100% again, I can obtain a token, and
> do API calls.
>
> Hi Anton,
> I'm glad it works now. This keycloak version (9.0.x) will stay for some
> time the recommended & supported choice for oVirt because it is part of
> 'Red Hat SSO' just like oVirt is part of 'Red Hat Virtualization'.
> Artur
>
>
>
> Thank you very much for all the help
>
>
>
> *From:* Artur Socha 
> *Sent:* 22 June 2020 16:52
> *To:* Anton Louw ; users@ovirt.org
> *Cc:* Stephen Hutchinson 
> *Subject:* Re: [ovirt-users] KeyCloak Integration
>
>
>
> On Mon, 2020-06-22 at 15:14 +0200, Artur Socha wrote:
>
> Anton,
>
> I managed to re-create the issue on my local environment.
>
> Previously I tested it against Keycloak 8.0.1 with users loaded from LDAP.
> Currently I have users/groups created via Keycloak management panel. I need
> to investigate it further which of the two changes is the root cause (it
> works fine with the old setup)
>
>
>
> One more update: it seems the issue is keycloak version related. Trying to
> figure out what was changed and how it affected engine sso integration.
>
>
>
> Latest keycloak version I tested and verified that works is 9.0.3. Perhaps
> it could be possible for you to use it until we fully support 10.0.x ?
>
> Artur
>
>
>
> Artur
>
>
>
> On Mon, 2020-06-22 at 11:05 +, Anton Louw wrote:
>
>
>
> Hi Artur,
>
>
>
> Great, thanks a lot! 
>
>
>
>
>
>
> *From:* Artur Socha 
> *Sent:* 22 June 2020 11:23
> *To:* Anton Louw ; users@ovirt.org
> *Cc:* Stephen Hutchinson 
> *Subject:* Re: [ovirt-users] KeyCloak Integration
>
>
>
> Hi Anton,
>
> Thanks for the specs. I have created a BZ issue for tracking:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1849569
>
> Feel free to add comments/change it when needed.
>
>
>
> Artur
>
>
>
> On Fri, 2020-06-19 at 10:57 +, Anton Louw wrote:
>
>
>
> Hi Artur,
>
>
>
> Please see below:
>
>
>
> ovirt-engine.noarch 4.3.10.4-1.el7@ovirt-4.3
>
> ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7   @ovirt-4.3
>
> mod_auth_openidc.x86_64 1.8.8-5.el7   @base
>
>
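
The reply at the top of this thread says every scope named in the error has to exist as an optional client scope. The following Python example is added here (it is not part of the original messages and not oVirt or Keycloak code): it extracts the rejected scopes from the quoted error body and lists the ones still missing from a client. The function names and the sample list of already configured scopes are assumptions.

```python
import json

# Error body quoted in the thread above, with the e-mail line wrapping removed.
ERROR_BODY = (
    '{"error_description":"Cannot authenticate user Invalid scopes: '
    'ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search '
    'ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate '
    'ovirt-ext=token:password-access.","error":"access_denied"}'
)
MARKER = "Invalid scopes:"


def rejected_scopes(body):
    """Scopes listed after 'Invalid scopes:' in an access_denied error, in order."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    if not isinstance(doc, dict) or doc.get("error") != "access_denied":
        return []
    description = doc.get("error_description") or ""
    _, found, tail = description.partition(MARKER)
    if not found:
        return []
    tail = tail.strip()
    if tail.endswith("."):  # sentence-ending period, not part of the last scope
        tail = tail[:-1]
    return tail.split()


def scopes_to_add(body, optional_client_scopes):
    """Rejected scopes that are not yet among the client's optional client scopes."""
    known = set(optional_client_scopes)
    return [scope for scope in rejected_scopes(body) if scope not in known]


if __name__ == "__main__":
    # Constructed example: a client that so far only has the scope from the test setup.
    configured = ["ovirt-ext=auth:sequence-priority=~"]
    for scope in scopes_to_add(ERROR_BODY, configured):
        print("add as optional client scope:", scope)
```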

[ovirt-users] Re: Unassigned hosts

2020-08-07 Thread Artur Socha
Hi Nardus,
There is one more thing to be checked.

1) could you check if there are any packets sent from the affected host to
the engine?
on host:
# outgoing traffic
sudo tcpdump -i <interface> -c 1000 -nnvvS dst <engine-address>


2) same the other way round. Check if there are packets received on engine
side from affected host
on engine:
# incoming traffic
sudo tcpdump -i <interface> -c 1000 -nnvvS src <host-address>


Artur


On Thu, Aug 6, 2020 at 4:51 PM Artur Socha  wrote:

> Thanks Nardus,
> After a quick look I found what I was suspecting - there are way too many
> threads in Blocked state. I don't know yet the reason but this is very
> helpful. I'll let you know about the findings/investigation. Meanwhile, you
> may try restarting the engine as a (very brute and ugly) workaround.
> You may try to set up a slightly bigger thread pool - it may save you some
> time until the next hiccup. However, please be aware that this may come with
> the cost in memory usage and higher cpu usage (due to increased context
> switching)
> Here are some docs:
>
> # Specify the thread pool size for jboss managed scheduled executor service
> # used by commands to periodically execute methods. It is generally not
> # necessary to increase the number of threads in this thread pool. To change
> # the value permanently create a conf file
> # 99-engine-scheduled-thread-pool.conf in /etc/ovirt-engine/engine.conf.d/
> ENGINE_SCHEDULED_THREAD_POOL_SIZE=100
>
>
> A.
>
>
> On Thu, Aug 6, 2020 at 4:19 PM Nardus Geldenhuys 
> wrote:
>
>> Hi Artur
>>
>> Please find attached, also let me know if I need to rerun. They are 5 min
>> apart
>>
>> [root@engine-aa-1-01 ovirt-engine]# ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'
>> 27390
>> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 > your_engine_thread_dump_1.txt
>> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 > your_engine_thread_dump_2.txt
>> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 > your_engine_thread_dump_3.txt
>>
>> Regards
>>
>> Nar
>>
>> On Thu, 6 Aug 2020 at 15:55, Artur Socha  wrote:
>>
>>> Sure thing.
>>> On engine host please find  jboss pid. You can use this command:
>>>
>>>  ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'
>>>
>>> or jps tool from jdk. Sample output on my dev environment is:
>>>
>>> ± % jps
>>>!2860
>>> 64853 jboss-modules.jar
>>> 196217 Jps
>>>
>>> Then use jstack from jdk:
>>> jstack <pid> > your_engine_thread_dump.txt
>>> 2 or 3 dumps taken in approximately 5 minutes intervals would be even
>>> more useful.
>>>
>>> Here you can find even more options
>>> https://www.baeldung.com/java-thread-dump
>>>
>>> Artur
>>>
>>> On Thu, Aug 6, 2020 at 3:15 PM Nardus Geldenhuys 
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> Can create thread dump, please send details on howto.
>>>>
>>>> Regards
>>>>
>>>> Nardus
>>>>
>>>> On Thu, 6 Aug 2020 at 14:17, Artur Socha  wrote:
>>>>
>>>>> Hi Nardus,
>>>>> You might have hit an issue I have been hunting for some time ( [1]
>>>>> and  [2] ).
>>>>> [1] could not be properly resolved because at the time I was not able to
>>>>> recreate an issue on dev setup.
>>>>> I suspect [2] is related.
>>>>>
>>>>> Would you be able to prepare a thread dump from your engine instance?
>>>>> Additionally, please check for potential libvirt errors/warnings.
>>>>> Can you also paste the output of:
>>>>> sudo yum list installed | grep vdsm
>>>>> sudo yum list installed | grep ovirt-engine
>>>>> sudo yum list installed | grep libvirt
>>>>>
>>>>> Usually, according to previous reports, restarting the engine helps to
>>>>> restore connectivity with hosts ... at least for some time.
>>>>>
>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1845152
>>>>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1846338
>>>>>
>>>>> regards,
>>>>> Artur
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Aug 6, 2020 at 8:01 AM Nardus Geldenhuys 
>>>>> wrote:
>>>>>
>>>>>> Also see this in engine:
>>>>>>
>>>>>> Aug

[ovirt-users] Re: Unassigned hosts

2020-08-06 Thread Artur Socha
Thanks Nardus,
After a quick look I found what I was suspecting - there are way too many
threads in Blocked state. I don't know yet the reason but this is very
helpful. I'll let you know about the findings/investigation. Meanwhile, you
may try restarting the engine as a (very brute and ugly) workaround.
You may try to set up a slightly bigger thread pool - it may save you some time
until the next hiccup. However, please be aware that this may come with the
cost in memory usage and higher cpu usage (due to increased context
switching)
Here are some docs:

# Specify the thread pool size for jboss managed scheduled executor service
# used by commands to periodically execute methods. It is generally not
# necessary to increase the number of threads in this thread pool. To change
# the value permanently create a conf file
# 99-engine-scheduled-thread-pool.conf in /etc/ovirt-engine/engine.conf.d/
ENGINE_SCHEDULED_THREAD_POOL_SIZE=100


A.


On Thu, Aug 6, 2020 at 4:19 PM Nardus Geldenhuys  wrote:

> Hi Artur
>
> Please find attached, also let me know if I need to rerun. They are 5 min apart
>
> [root@engine-aa-1-01 ovirt-engine]# ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'
> 27390
> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 > your_engine_thread_dump_1.txt
> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 > your_engine_thread_dump_2.txt
> [root@engine-aa-1-01 ovirt-engine]# jstack -F 27390 > your_engine_thread_dump_3.txt
>
> Regards
>
> Nar
>
> On Thu, 6 Aug 2020 at 15:55, Artur Socha  wrote:
>
>> Sure thing.
>> On engine host please find  jboss pid. You can use this command:
>>
>>  ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'
>>
>> or jps tool from jdk. Sample output on my dev environment is:
>>
>> ± % jps
>>  !2860
>> 64853 jboss-modules.jar
>> 196217 Jps
>>
>> Then use jstack from jdk:
>> jstack <pid> > your_engine_thread_dump.txt
>> 2 or 3 dumps taken in approximately 5 minutes intervals would be even
>> more useful.
>>
>> Here you can find even more options
>> https://www.baeldung.com/java-thread-dump
>>
>> Artur
>>
>> On Thu, Aug 6, 2020 at 3:15 PM Nardus Geldenhuys 
>> wrote:
>>
>>> Hi
>>>
>>> Can create thread dump, please send details on howto.
>>>
>>> Regards
>>>
>>> Nardus
>>>
>>> On Thu, 6 Aug 2020 at 14:17, Artur Socha  wrote:
>>>
>>>> Hi Nardus,
>>>> You might have hit an issue I have been hunting for some time ( [1]
>>>> and  [2] ).
>>>> [1] could not be properly resolved because at the time I was not able to
>>>> recreate an issue on dev setup.
>>>> I suspect [2] is related.
>>>>
>>>> Would you be able to prepare a thread dump from your engine instance?
>>>> Additionally, please check for potential libvirt errors/warnings.
>>>> Can you also paste the output of:
>>>> sudo yum list installed | grep vdsm
>>>> sudo yum list installed | grep ovirt-engine
>>>> sudo yum list installed | grep libvirt
>>>>
>>>> Usually, according to previous reports, restarting the engine helps to
>>>> restore connectivity with hosts ... at least for some time.
>>>>
>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1845152
>>>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1846338
>>>>
>>>> regards,
>>>> Artur
>>>>
>>>>
>>>>
>>>> On Thu, Aug 6, 2020 at 8:01 AM Nardus Geldenhuys 
>>>> wrote:
>>>>
>>>>> Also see this in engine:
>>>>>
>>>>> Aug 6, 2020, 7:37:17 AM
>>>>> VDSM someserver command Get Host Capabilities failed: Message timeout
>>>>> which can be caused by communication issues
>>>>>
>>>>> On Thu, 6 Aug 2020 at 07:09, Strahil Nikolov 
>>>>> wrote:
>>>>>
>>>>>> Can you check for errors on the affected host. Most probably you need
>>>>>> the vdsm logs.
>>>>>>
>>>>>> Best Regards,
>>>>>> Strahil Nikolov
>>>>>>
>>>>>> On 6 August 2020 7:40:23 GMT+03:00, Nardus Geldenhuys <
>>>>>> nard...@gmail.com> wrote:
>>>>>> >Hi Strahil
>>>>>> >
>>>>>> >Hope you are well. I get the following error when I tried to confirm

[ovirt-users] Re: Unassigned hosts

2020-08-06 Thread Artur Socha
Sure thing.
On engine host please find  jboss pid. You can use this command:

 ps -ef | grep jboss | grep -v grep | awk '{ print $2 }'

or jps tool from jdk. Sample output on my dev environment is:

± % jps
   !2860
64853 jboss-modules.jar
196217 Jps

Then use jstack from jdk:
jstack <pid> > your_engine_thread_dump.txt
2 or 3 dumps taken in approximately 5 minutes intervals would be even more
useful.

Here you can find even more options
https://www.baeldung.com/java-thread-dump

Artur

On Thu, Aug 6, 2020 at 3:15 PM Nardus Geldenhuys  wrote:

> Hi
>
> Can create thread dump, please send details on howto.
>
> Regards
>
> Nardus
>
> On Thu, 6 Aug 2020 at 14:17, Artur Socha  wrote:
>
>> Hi Nardus,
>> You might have hit an issue I have been hunting for some time ( [1] and
>> [2] ).
>> [1] could not be properly resolved because at the time I was not able to
>> recreate an issue on dev setup.
>> I suspect [2] is related.
>>
>> Would you be able to prepare a thread dump from your engine instance?
>> Additionally, please check for potential libvirt errors/warnings.
>> Can you also paste the output of:
>> sudo yum list installed | grep vdsm
>> sudo yum list installed | grep ovirt-engine
>> sudo yum list installed | grep libvirt
>>
>> Usually, according to previous reports, restarting the engine helps to
>> restore connectivity with hosts ... at least for some time.
>>
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1845152
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1846338
>>
>> regards,
>> Artur
>>
>>
>>
>> On Thu, Aug 6, 2020 at 8:01 AM Nardus Geldenhuys 
>> wrote:
>>
>>> Also see this in engine:
>>>
>>> Aug 6, 2020, 7:37:17 AM
>>> VDSM someserver command Get Host Capabilities failed: Message timeout
>>> which can be caused by communication issues
>>>
>>> On Thu, 6 Aug 2020 at 07:09, Strahil Nikolov 
>>> wrote:
>>>
>>>> Can you check for errors on the affected host. Most probably you need
>>>> the vdsm logs.
>>>>
>>>> Best Regards,
>>>> Strahil Nikolov
>>>>
>>>> On 6 August 2020 7:40:23 GMT+03:00, Nardus Geldenhuys <
>>>> nard...@gmail.com> wrote:
>>>> >Hi Strahil
>>>> >
>>>> >Hope you are well. I get the following error when I tried to confirm
>>>> >reboot:
>>>> >
>>>> >Error while executing action: Cannot confirm 'Host has been rebooted'
>>>> >Host.
>>>> >Valid Host statuses are "Non operational", "Maintenance" or
>>>> >"Connecting".
>>>> >
>>>> >And I can't put it in maintenance, only option is "restart" or "stop".
>>>> >
>>>> >Regards
>>>> >
>>>> >Nar
>>>> >
>>>> >On Thu, 6 Aug 2020 at 06:16, Strahil Nikolov 
>>>> >wrote:
>>>> >
>>>> >> After rebooting the node, have you "marked" it that it was rebooted ?
>>>> >>
>>>> >> Best Regards,
>>>> >> Strahil Nikolov
>>>> >>
>>>> >> На 5 август 2020 г. 21:29:04 GMT+03:00, Nardus Geldenhuys <
>>>> >> nard...@gmail.com> написа:
>>>> >> >Hi oVirt land
>>>> >> >
>>>> >> >Hope you are well. Got a bit of an issue, actually a big issue. We
>>>> >had
>>>> >> >some
>>>> >> >sort of dip of some sort. All the VM's is still running, but some of
>>>> >> >the
>>>> >> >hosts is show "Unassigned" or "NonResponsive". So all the hosts was
>>>> >> >showing
>>>> >> >UP and was fine before our dip. So I did increase
>>>> >vdsHeartbeatInSecond
>>>> >> >to
>>>> >> >240, no luck.
>>>> >> >
>>>> >> >I still get a timeout on the engine lock even though I can connect to
>>>> >> >that
>>>> >> >host from the engine using nc to test to port 54321. I also did
>>>> >restart
>>>> >> >vdsmd and also rebooted the host with no luck.
>>>> >> >
>>>> >> > nc -v someserver 54321
>>>> >> >Ncat: Version 7.50 ( https://nmap.org/ncat )

[ovirt-users] Re: Unassigned hosts

2020-08-06 Thread Artur Socha
Hi Nardus,
You might have hit an issue I have been hunting for some time ( [1] and
[2] ).
[1] could not be properly resolved because at the time I was not able to
recreate the issue on a dev setup.
I suspect [2] is related.

Would you be able to prepare a thread dump from your engine instance?
Additionally, please check for potential libvirt errors/warnings.
Can you also paste the output of:
sudo yum list installed | grep vdsm
sudo yum list installed | grep ovirt-engine
sudo yum list installed | grep libvirt

Usually, according to previous reports, restarting the engine helps to
restore connectivity with hosts ... at least for some time.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1845152
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1846338

regards,
Artur



On Thu, Aug 6, 2020 at 8:01 AM Nardus Geldenhuys  wrote:

> Also see this in engine:
>
> Aug 6, 2020, 7:37:17 AM
> VDSM someserver command Get Host Capabilities failed: Message timeout
> which can be caused by communication issues
>
> On Thu, 6 Aug 2020 at 07:09, Strahil Nikolov 
> wrote:
>
>> Can you check for errors on the affected host. Most probably you need the
>> vdsm logs.
>>
>> Best Regards,
>> Strahil Nikolov
>>
>> На 6 август 2020 г. 7:40:23 GMT+03:00, Nardus Geldenhuys <
>> nard...@gmail.com> написа:
>> >Hi Strahil
>> >
>> >Hope you are well. I get the following error when I tried to confirm
>> >reboot:
>> >
>> >Error while executing action: Cannot confirm 'Host has been rebooted'
>> >Host.
>> >Valid Host statuses are "Non operational", "Maintenance" or
>> >"Connecting".
>> >
>> >And I can't put it in maintenance, only option is "restart" or "stop".
>> >
>> >Regards
>> >
>> >Nar
>> >
>> >On Thu, 6 Aug 2020 at 06:16, Strahil Nikolov 
>> >wrote:
>> >
>> >> After rebooting the node, have you "marked" it that it was rebooted ?
>> >>
>> >> Best Regards,
>> >> Strahil Nikolov
>> >>
>> >> На 5 август 2020 г. 21:29:04 GMT+03:00, Nardus Geldenhuys <
>> >> nard...@gmail.com> написа:
>> >> >Hi oVirt land
>> >> >
>> >> >Hope you are well. Got a bit of an issue, actually a big issue. We
>> >had
>> >> >some
>> >> >sort of dip of some sort. All the VM's is still running, but some of
>> >> >the
>> >> >hosts is show "Unassigned" or "NonResponsive". So all the hosts was
>> >> >showing
>> >> >UP and was fine before our dip. So I did increase
>> >vdsHeartbeatInSecond
>> >> >to
>> >> >240, no luck.
>> >> >
>> >> >I still get a timeout on the engine lock even though I can connect to
>> >> >that
>> >> >host from the engine using nc to test to port 54321. I also did
>> >restart
>> >> >vdsmd and also rebooted the host with no luck.
>> >> >
>> >> > nc -v someserver 54321
>> >> >Ncat: Version 7.50 ( https://nmap.org/ncat )
>> >> >Ncat: Connected to 172.40.2.172:54321.
>> >> >
>> >> >2020-08-05 20:20:34,256+02 ERROR
>> >>
>> >>[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> >> >(EE-ManagedThreadFactory-engineScheduled-Thread-70) [] EVENT_ID:
>> >> >VDS_BROKER_COMMAND_FAILURE(10,802), VDSM someserver command Get Host
>> >> >Capabilities failed: Message timeout which can be caused by
>> >> >communication
>> >> >issues
>> >> >
>> >> >Any troubleshoot ideas will be gladly appreciated.
>> >> >
>> >> >Regards
>> >> >
>> >> >Nar
>> >>
>>


-- 
Artur Socha
Senior Software Engineer, RHV
Red Hat
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RZPEGTZ6WD35MMSHF357RQI34E66N7MB/


[ovirt-users] Re: KeyCloak Integration

2020-06-22 Thread Artur Socha
On Mon, 2020-06-22 at 15:14 +0200, Artur Socha wrote:
> Anton,
> I managed to re-create the issue on my local environment. 
> Previously I tested it against Keycloak 8.0.1 with users loaded from LDAP.
> Currently I have users/groups created via Keycloak management panel. I need to
> investigate it further which of the two changes is the root cause (it works
> fine with the old setup)

One more update: it seems the issue is keycloak version related. Trying to
figure out what was changed and how it affected engine sso integration.
Latest keycloak version I tested and verified that works is 9.0.3. Perhaps it
could be possible for you to use it until we fully support 10.0.x?

Artur

> Artur
> On Mon, 2020-06-22 at 11:05 +, Anton Louw wrote:
> > 
> > 
> > 
> > Hi Artur,
> >  
> > Great, thanks a lot! 
> > From: Artur Socha 
> > 
> > 
> > Sent: 22 June 2020 11:23
> > 
> > To: Anton Louw ; users@ovirt.org
> > 
> > Cc: Stephen Hutchinson 
> > 
> > Subject: Re: [ovirt-users] KeyCloak Integration
> > 
> > 
> >  
> > 
> > Hi Anton,
> > 
> > 
> > Thanks for the specs. I have create BZ issue for tracking:
> > 
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1849569
> > 
> > 
> > Feel free to add comments/change it when needed.
> > 
> > 
> >  
> > 
> > 
> > Artur
> > 
> > 
> >  
> > 
> > 
> > On Fri, 2020-06-19 at 10:57 +, Anton Louw wrote:
> > 
> > >  
> > > Hi Artur,
> > >  
> > > Please see below:
> > >  
> > > ovirt-engine.noarch 4.3.10.4-1.el7@ovirt-4.3
> > > ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7   @ovirt-4.3
> > > mod_auth_openidc.x86_64 1.8.8-5.el7   @base
> > >  
> > > [root@virt ~]# cat /etc/*elease
> > > CentOS Linux release 7.7.1908 (Core)
> > > NAME="CentOS Linux"
> > > VERSION="7 (Core)"
> > > ID="centos"
> > > ID_LIKE="rhel fedora"
> > > VERSION_ID="7"
> > > PRETTY_NAME="CentOS Linux 7 (Core)"
> > > ANSI_COLOR="0;31"
> > > CPE_NAME="cpe:/o:centos:centos:7"
> > > HOME_URL="https://www.centos.org/"
> > > BUG_REPORT_URL="https://bugs.centos.org/"
> > >  
> > > CENTOS_MANTISBT_PROJECT="CentOS-7"
> > > CENTOS_MANTISBT_PROJECT_VERSION="7"
> > > REDHAT_SUPPORT_PRODUCT="centos"
> > > REDHAT_SUPPORT_PRODUCT_VERSION="7"
> > >  
> > > CentOS Linux release 7.7.1908 (Core)
> > > CentOS Linux release 7.7.1908 (Core)
> > >  
> > > KeyCloak – Server Version: 10.0.1
> > >  
> > > Thanks a lot for your help Artur. Please let me know if you need anything
> > > else.
> > >  
> > > 
> > > 
> > > From: Artur Socha 
> > > 
> > > 
> > > Sent: 19 June 2020 12:39
> > > 
> > > To: Anton Louw ;
> > > users@ovirt.org
> > > 
> > > Cc: Stephen Hutchinson 
> > > 
> > > Subject: Re: [ovirt-users] KeyCloak Integration
> > > 
> > > 
> > >  
> > > 
> > > On Fri, 2020-06-19 at 10:21 +, Anton Louw wrote:
> > > 
> > > >  

[ovirt-users] Re: KeyCloak Integration

2020-06-22 Thread Artur Socha
Anton,
I managed to re-create the issue on my local environment. Previously I
tested it against Keycloak 8.0.1 with users loaded from LDAP. Currently I have
users/groups created via Keycloak management panel. I need to investigate
further which of the two changes is the root cause (it works fine with the old
setup).

Artur

On Mon, 2020-06-22 at 11:05 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
>  
> Great, thanks a lot! 
> From: Artur Socha 
> 
> 
> Sent: 22 June 2020 11:23
> 
> To: Anton Louw ; users@ovirt.org
> 
> Cc: Stephen Hutchinson 
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> Hi Anton,
> 
> 
> Thanks for the specs. I have create BZ issue for tracking:
> 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1849569
> 
> 
> Feel free to add comments/change it when needed.
> 
> 
>  
> 
> 
> Artur
> 
> 
>  
> 
> 
> On Fri, 2020-06-19 at 10:57 +, Anton Louw wrote:
> 
> >  
> > Hi Artur,
> >  
> > Please see below:
> >  
> > ovirt-engine.noarch 4.3.10.4-1.el7@ovirt-4.3
> > ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7   @ovirt-4.3
> > mod_auth_openidc.x86_64 1.8.8-5.el7   @base
> >  
> > [root@virt ~]# cat /etc/*elease
> > CentOS Linux release 7.7.1908 (Core)
> > NAME="CentOS Linux"
> > VERSION="7 (Core)"
> > ID="centos"
> > ID_LIKE="rhel fedora"
> > VERSION_ID="7"
> > PRETTY_NAME="CentOS Linux 7 (Core)"
> > ANSI_COLOR="0;31"
> > CPE_NAME="cpe:/o:centos:centos:7"
> > HOME_URL="https://www.centos.org/"
> > BUG_REPORT_URL="https://bugs.centos.org/"
> >  
> > CENTOS_MANTISBT_PROJECT="CentOS-7"
> > CENTOS_MANTISBT_PROJECT_VERSION="7"
> > REDHAT_SUPPORT_PRODUCT="centos"
> > REDHAT_SUPPORT_PRODUCT_VERSION="7"
> >  
> > CentOS Linux release 7.7.1908 (Core)
> > CentOS Linux release 7.7.1908 (Core)
> >  
> > KeyCloak – Server Version: 10.0.1
> >  
> > Thanks a lot for your help Artur. Please let me know if you need anything
> > else.
> >  
> > 
> > 
> > From: Artur Socha 
> > 
> > 
> > Sent: 19 June 2020 12:39
> > 
> > To: Anton Louw ;
> > users@ovirt.org
> > 
> > Cc: Stephen Hutchinson 
> > 
> > Subject: Re: [ovirt-users] KeyCloak Integration
> > 
> > 
> >  
> > 
> > On Fri, 2020-06-19 at 10:21 +, Anton Louw wrote:
> > 
> > >  
> > > Yes I didn’t get to the OVN part yet, as I first wanted to test the if the
> > > token can be obtained.
> > >  
> > > This is the first time we are testing KeyCloak in any environment, so we
> > > have never been able to obtain a token for API access.
> > >  
> > 
> > 
> > Please post the exact versions of:
> > 
> > 
> > - ovirt-engine* :   
> > 
> > 
> > yum list --installed | grep ovirt-engine 
> > 
> > 
> > yum list --installed | grep
> > ovirt-engine-extension-aaa-misc
> > 
> > 
> > yum list --installed | grep
> > mod_auth_openidc
> > 
> > 
> > - keycloak
> > 
> > 
> > - OS
> > 
> > 
> > cat /etc/*elease
> > 
> > 
> >  
> > 
> > 
> > I'll submit a bug ... which, most likely, I will assign to myself anyway :)
> > 
> > 
> >  
> > 
> > 
> > Artur
> > 
> > 
> >  

[ovirt-users] Re: KeyCloak Integration

2020-06-22 Thread Artur Socha
Hi Anton,
Thanks for the specs. I have created a BZ issue for tracking:
https://bugzilla.redhat.com/show_bug.cgi?id=1849569
Feel free to add comments/change it when needed.

Artur

On Fri, 2020-06-19 at 10:57 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
>  
> Please see below:
>  
> ovirt-engine.noarch 4.3.10.4-1.el7@ovirt-4.3
> ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7   @ovirt-4.3
> mod_auth_openidc.x86_64 1.8.8-5.el7   @base
>  
> [root@virt ~]# cat /etc/*elease
> CentOS Linux release 7.7.1908 (Core)
> NAME="CentOS Linux"
> VERSION="7 (Core)"
> ID="centos"
> ID_LIKE="rhel fedora"
> VERSION_ID="7"
> PRETTY_NAME="CentOS Linux 7 (Core)"
> ANSI_COLOR="0;31"
> CPE_NAME="cpe:/o:centos:centos:7"
> HOME_URL="https://www.centos.org/"
> BUG_REPORT_URL="https://bugs.centos.org/"
>  
> CENTOS_MANTISBT_PROJECT="CentOS-7"
> CENTOS_MANTISBT_PROJECT_VERSION="7"
> REDHAT_SUPPORT_PRODUCT="centos"
> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>  
> CentOS Linux release 7.7.1908 (Core)
> CentOS Linux release 7.7.1908 (Core)
>  
> KeyCloak – Server Version: 10.0.1
>  
> Thanks a lot for your help Artur. Please let me know if you need anything
> else.
>  
> 
> 
> From: Artur Socha 
> 
> 
> Sent: 19 June 2020 12:39
> 
> To: Anton Louw ; users@ovirt.org
> 
> Cc: Stephen Hutchinson 
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> On Fri, 2020-06-19 at 10:21 +, Anton Louw wrote:
> 
> >  
> > Yes I didn’t get to the OVN part yet, as I first wanted to test the if the
> > token can be obtained.
> >  
> > This is the first time we are testing KeyCloak in any environment, so we
> > have never been able to obtain a token for API access.
> >  
> 
> 
> Please post the exact versions of:
> 
> 
> - ovirt-engine* :   
> 
> 
> yum list --installed | grep ovirt-engine 
> 
> 
> yum list --installed | grep
> ovirt-engine-extension-aaa-misc
> 
> 
> yum list --installed | grep
> mod_auth_openidc
> 
> 
> - keycloak
> 
> 
> - OS
> 
> 
> cat /etc/*elease
> 
> 
>  
> 
> 
> I'll submit a bug ... which, most likely, I will assign to myself anyway :)
> 
> 
>  
> 
> 
> Artur
> 
> 
>  
> > Thanks
> >  
> > 
> > 
> > From: Artur Socha 
> > 
> > 
> > Sent: 19 June 2020 12:16
> > 
> > To: Anton Louw ;
> > users@ovirt.org
> > 
> > Cc: Stephen Hutchinson 
> > 
> > Subject: Re: [ovirt-users] KeyCloak Integration
> > 
> > 
> >  
> > 
> > On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:
> > 
> > >  
> > > Hi Artur,
> > >  
> > > Sure, please see below output:
> > >  
> > > [root@virt ~]# curl -vvv -H "Accept:application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api'
> > > * About to connect() to 
> > > virt.example.co.za port 443 (#0)
> > > *   Trying 
> > > 127.0.0.1...
> > > * Connected to 
> > > virt.example.co.za (127.0.0.1) port 443 (#0)
> > > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> > >   CApath: none
> > > * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> > > * Server certificate:
> > > *   subject: CN=*.example.co.za,OU=Domain Control Validated
> > > *   start date: Sep 25 07:46:12 2019 GMT
> > > *   expire date: Oct 02 07:39:01 2020 GMT
> > > *   common name: *example.co.za
> > > *   issuer: CN=Starfield Secure Certificate Authority - G2,OU=
> > > http://certs.starfieldtech.com/repository/,O="Starfield Technologies,
> > >  Inc."

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 10:21 +, Anton Louw wrote:
> 
> 
> 
> Yes I didn’t get to the OVN part yet, as I first wanted to test the if the
> token can be obtained.
> 
>  
> 
> This is the first time we are testing KeyCloak in any environment, so we have
> never been able to obtain a token for API access.
> 
>  
Please post the exact versions of:
- ovirt-engine* :   
yum list --installed | grep ovirt-engine 
yum list --installed | grep ovirt-engine-extension-aaa-misc

yum list --installed | grep mod_auth_openidc
- keycloak
- OS
cat /etc/*elease

I'll submit a bug ... which, most likely, I will assign to myself anyway :)

Artur

> Thanks
>  
> 
> 
> From: Artur Socha 
> 
> 
> Sent: 19 June 2020 12:16
> 
> To: Anton Louw ; users@ovirt.org
> 
> Cc: Stephen Hutchinson 
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:
> 
> >  
> > Hi Artur,
> >  
> > Sure, please see below output:
> >  
> > [root@virt ~]# curl -vvv -H "Accept:application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api'
> > * About to connect() to 
> > virt.example.co.za port 443 (#0)
> > *   Trying 
> > 127.0.0.1...
> > * Connected to 
> > virt.example.co.za (127.0.0.1) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> >   CApath: none
> > * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> > * Server certificate:
> > *   subject: CN=*.example.co.za,OU=Domain Control Validated
> > *   start date: Sep 25 07:46:12 2019 GMT
> > *   expire date: Oct 02 07:39:01 2020 GMT
> > *   common name: *example.co.za
> > *   issuer: CN=Starfield Secure Certificate Authority - G2,OU=
> > http://certs.starfieldtech.com/repository/,O="Starfield Technologies,
> >  Inc.",L=Scottsdale,ST=Arizona,C=US
> > > GET /ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api HTTP/1.1
> > > User-Agent: curl/7.29.0
> > > Host: 
> > virt.example.co.za
> > > Accept:application/json
> > > 
> > < HTTP/1.1 400 Bad Request
> > < Date: Fri, 19 Jun 2020 09:52:11 GMT
> > < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
> > < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647;
> > Expires=Wed, 07-Jul-2088 13:06:18 GMT
> > < X-XSS-PROTECTION: 1; MODE=BLOCK
> > < X-CONTENT-TYPE-OPTIONS: NOSNIFF
> > < X-FRAME-OPTIONS: SAMEORIGIN
> > < Content-Type: application/json
> > < Content-Length: 233
> > < Connection: close
> > < 
> > * Closing connection 0
> > {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> > info:public-authz-search ovirt-ext=token-info:validate ovirt-
> > ext=token:password-access."}
> >  
> > 1) Test connection using python script (from the blog post ) using sdk. I
> > suspect it will not work either.
> > Testing from Python gives me the same error as well.
> >  
> > 2) I saw some errors in the log on revoking token. Please go to keycloak
> > admin panel, and under users kill all its active sessions. Then, please
> > without logging in to engine admin UI, use that curl
> >  to obtain token.
> > Tested this again, but still getting the below:
> > {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> > scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> > info:public-authz-search ovirt-ext=token-info:validate
> >  ovirt-ext=token:password-access."}
> >  
> 
> Thanks for these test ... unfortunately nothing helped
> 
> 
>  
> 
> 
>  
> 
> > 3) Does it work without OVN integration enabled?
> > Can you explain a bit more? How can I disable OVN integration to test this?
> 
>  
> 
> 
> I had in mind reverting OVN vs Keycloak integration done according to
> "Configuring OVN" chapter in
> 
> https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> 
> 
> 
> Unless, of course, you skipped it.
> 
> 
> 
>  
> 
> 
> Most likely you found a bug. Have you ever been able to obtain token for api
> access with keycloak integration (even w

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 10:03 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
> 
>  
> 
> Sure, please see below output:
> 
>  
> 
> [root@virt ~]# curl -vvv -H "Accept:application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api'
> 
> * About to connect() to virt.example.co.za port 443 (#0)
> 
> *   Trying 127.0.0.1...
> 
> * Connected to virt.example.co.za (127.0.0.1) port 443 (#0)
> 
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> 
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
> 
>   CApath: none
> 
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> 
> * Server certificate:
> 
> *   subject: CN=*.example.co.za,OU=Domain Control Validated
> 
> *   start date: Sep 25 07:46:12 2019 GMT
> 
> *   expire date: Oct 02 07:39:01 2020 GMT
> 
> *   common name: *.example.co.za
> 
> *   issuer: CN=Starfield Secure Certificate Authority - G2,OU=
> http://certs.starfieldtech.com/repository/,O="Starfield Technologies,
> Inc.",L=Scottsdale,ST=Arizona,C=US
> 
> > GET /ovirt-engine/sso/oauth/token?grant_type=password&username=myuser&password=mypass&scope=ovirt-app-api HTTP/1.1
> 
> > User-Agent: curl/7.29.0
> 
> > Host: virt.example.co.za
> 
> > Accept:application/json
> 
> > 
> 
> < HTTP/1.1 400 Bad Request
> 
> < Date: Fri, 19 Jun 2020 09:52:11 GMT
> 
> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
> 
> < Set-Cookie: locale=en_US; path=/; secure; HttpOnly; Max-Age=2147483647;
> Expires=Wed, 07-Jul-2088 13:06:18 GMT
> 
> < X-XSS-PROTECTION: 1; MODE=BLOCK
> 
> < X-CONTENT-TYPE-OPTIONS: NOSNIFF
> 
> < X-FRAME-OPTIONS: SAMEORIGIN
> 
> < Content-Type: application/json
> 
> < Content-Length: 233
> 
> < Connection: close
> 
> < 
> 
> * Closing connection 0
> 
> {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> info:public-authz-search ovirt-ext=token-info:validate ovirt-
> ext=token:password-access."}
> 
>  
> 
> 1) Test connection using python script (from the blog post ) using sdk. I
> suspect it will not work either.
> 
> Testing from Python gives me the same error as well.
> 
>  
> 
> 2) I saw some errors in the log on revoking token. Please go to keycloak admin
> panel, and under users kill all its active sessions. Then, please without
> logging in to engine admin UI, use that curl
>  to obtain token.
> 
> Tested this again, but still getting the below:
> 
> {"error_code":"access_denied","error":"Cannot authenticate user Invalid
> scopes: ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-
> info:public-authz-search ovirt-ext=token-info:validate
>  ovirt-ext=token:password-access."}
> 
>  
Thanks for these tests ... unfortunately nothing helped

> 3) Does it work without OVN integration enabled?
> 
> Can you explain a bit more? How can I disable OVN integration to test this?

I had in mind reverting OVN vs Keycloak integration done according to
"Configuring OVN" chapter in
https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
Unless, of course, you skipped it.
Most likely you found a bug. Have you ever been able to obtain token for api
access with keycloak integration (even with your previous environments)? I am now
trying to understand what happened and how to reproduce it before submitting the
bug into http://bugzilla.redhat.com
>  
> Thanks
>  
> From: Artur Socha 
> 
> 
> Sent: 19 June 2020 11:40
> 
> To: Anton Louw ; users@ovirt.org
> 
> Cc: Stephen Hutchinson 
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> On Fri, 2020-06-19 at 08:34 +, Anton Louw wrote:
> 
> >  
> > Hi Artur,
> >  
> > Thank you for the quick response. 
> >  

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 08:34 +, Anton Louw wrote:
> 
> 
> 
> Hi Artur,
> 
>  
> 
> Thank you for the quick response. 
> 
>  
> 
> I have actually tried creating another user, but I still get the same error. I
> have attached the output of curl -vvv as well as the logs the engine and
> keycloak logs.

This `curl -vvv ...` is actually incorrect because it is missing -H before
the 'Accept' header. However, previous attempts that led to this error seemed to
be fine. Could you just re-send the output of the correct curl?
There are a few things we can test to try to narrow down the root cause:
1) Test connection using python script (from the blog post) using sdk. I
suspect it will not work either.
2) I saw some errors in the log on revoking token. Please go to keycloak admin
panel, and under users kill all its active sessions. Then, please without
logging in to engine admin UI, use that curl to obtain token.
3) Does it work without OVN integration enabled?

Artur

>  
> Thank you
>  
> From: Artur Socha 
> 
> 
> Sent: 19 June 2020 10:23
> 
> To: Anton Louw ; users@ovirt.org
> 
> Subject: Re: [ovirt-users] KeyCloak Integration
> 
> 
>  
> 
> On Fri, 2020-06-19 at 07:35 +, Anton Louw via Users wrote:
> 
> >  
> > Hi Everybody,
> 
>  
> 
> 
> Hi Anton,
> 
> >  
> > So I have implemented KeyCloak into our oVirt environment, which works, up
> > until a point. So WebUI access works, but when calling the API, using:
> > 
> > curl -k -H "Accept: application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api'
> >  
> > I get the below error:
> >  
> > {"error_description":"Cannot authenticate user Invalid scopes: 
> > ovirt-app-api 
> > ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-
> > ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-
> > ext=token:password-access.","error":"access_denied"}
> >  
> > If my configs are removed, and I use “admin@internal” for my username, then
> > it works.
> >  
> > I followed the below article step by step, and I double checked that all the
> > scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)
> > 
> >  
> > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> >  
> > Anybody have any ideas?
> 
>  
> 
> 
> It is my blind shot but could create & check another user?
> 
> 
>  
> 
> 
> One more thing to check please use curl -vvv to check if there are any
> redirects along the way.
> 
> 
> 
> I will check keycloak settings on my setup - perhaps there is something non-
> obvious that could have been missed.
> 
> 
>  
> 
> 
> Any chance to get a bit more logs from engine.log and even from keycloak?
> Perhaps there is something there that could help.
> 
> 
>  
> 
> 
> Artur
> 
> 
>  
> 
> >  
> > Thank you

[ovirt-users] Re: KeyCloak Integration

2020-06-19 Thread Artur Socha
On Fri, 2020-06-19 at 07:35 +, Anton Louw via Users wrote:
> 
> 
> 
> Hi Everybody,

Hi Anton,
>  
> 
> So I have implemented KeyCloak into our oVirt environment, which works, up
> until a point. So WebUI access works, but when calling the API, using:
> 
> 
> curl -k -H "Accept: application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api'
> 
>  
> 
> I get the below error:
> 
>  
> 
> {"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api
> ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-
> info:public-authz-search ovirt-ext=token-info:validate ovirt-
> ext=token:password-access.","error":"access_denied"}
> 
>  
> 
> If my configs are removed, and I use “admin@internal” for my username, then it
> works.
> 
>  
> 
> I followed the below article step by step, and I double checked that all the
> scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)
> 
> 
>  
> 
> https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> 
>  
> 
> Anybody have any ideas?

It is my blind shot but could you create & check another user?
One more thing to check: please use curl -vvv to check if there are any redirects
along the way. I will check keycloak settings on my setup - perhaps there is
something non-obvious that could have been missed.
Any chance to get a bit more logs from engine.log and even from keycloak?
Perhaps there is something there that could help.

Artur
>  
> Thank you


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CXYLGC5W5EYD3LO54FPWYOWX6ZCMLYMB/
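
The token request discussed in this thread, as an added example that is not code from any poster or from the oVirt project: it sends the password grant in a POST body with certificate verification instead of `-k` and a query string, and normalises the two error shapes quoted above to list the rejected scopes. Assumptions: the SSO endpoint accepts the same parameters form-encoded in a POST and returns an `access_token` field on success; the function names are hypothetical, and the sample bodies are the quoted errors with mail line-wraps removed.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/ovirt-engine/sso/oauth/token"

# Error bodies as quoted in the thread (mail line-wraps removed).
SAMPLE_FIRST_REPORT = (
    '{"error_description":"Cannot authenticate user Invalid scopes: '
    'ovirt-app-api ovirt-ext=revoke:revoke-all '
    'ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search '
    'ovirt-ext=token-info:validate ovirt-ext=token:password-access.",'
    '"error":"access_denied"}'
)
SAMPLE_CURL_VVV = (
    '{"error_code":"access_denied","error":"Cannot authenticate user Invalid '
    'scopes: ovirt-app-api ovirt-ext=token-info:authz-search '
    'ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate '
    'ovirt-ext=token:password-access."}'
)


def build_token_request(engine_host, username, password, scope="ovirt-app-api"):
    """Build the password-grant request with the credentials in the POST body.

    A query string ends up in the web server access log and in shell history;
    a form-encoded body does not. (Assumption: the endpoint accepts POST.)
    """
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    }).encode("ascii")
    return urllib.request.Request(
        "https://%s%s" % (engine_host, TOKEN_PATH),
        data=body,
        method="POST",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_sso_error(body):
    """Return (error_code, message, rejected_scopes) for either error shape.

    The thread shows both {"error": code, "error_description": text} and
    {"error_code": code, "error": text}; a client should accept both.
    """
    doc = json.loads(body)
    if "error_code" in doc:
        code, message = doc["error_code"], doc.get("error", "")
    else:
        code, message = doc.get("error", ""), doc.get("error_description", "")
    scopes = []
    marker = "Invalid scopes:"
    if marker in message:
        scopes = message.split(marker, 1)[1].strip().rstrip(".").split()
    return code, message, scopes


def request_token(engine_host, username, password, ca_file, timeout=10):
    """Request a token, verifying the engine certificate against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_token_request(engine_host, username, password)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))["access_token"]
    except urllib.error.HTTPError as err:
        code, message, scopes = parse_sso_error(err.read().decode("utf-8"))
        raise RuntimeError(
            "%s: %s (scopes rejected: %s)"
            % (code, message, ", ".join(scopes) or "none")
        )


if __name__ == "__main__":
    # Offline demonstration: decode the two responses quoted in the thread.
    for sample in (SAMPLE_FIRST_REPORT, SAMPLE_CURL_VVV):
        code, _, scopes = parse_sso_error(sample)
        print(code, scopes)
```

Every requested scope, including `ovirt-app-api`, appears in the rejected list in both responses, which points at the identity provider side rather than at a single missing scope.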


[ovirt-users] Re: Node Unresponsive

2020-05-07 Thread Artur Socha
On Thu, 2020-05-07 at 13:07 +, Anton Louw via Users wrote:
>
> Hi All,
>
> One of my nodes went into an unresponsive state, but the VMs running on that
> host are still up. I just want to know, can I restart VDSM on that node, or
> will it impact the running VMs? In another article, somebody restarted
> the engine, and that resolved their issue. I would like to first test the
> VDSM and if that does not work, I will restart the engine.
>

Hi Anton,
Would it be possible to post /var/log/vdsm.log from that affected
host + relevant engine.log? I am currently investigating engine-to-host
connectivity issue that may or may not be related [1]. What are the exact
versions of engine and vdsm packages?
(dnf list --installed | egrep "ovirt|vdsm|jsonrpc")

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1828669

thanks!
Artur
>  
> Thanks




[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 14:43 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 12:28 +, Anton Louw wrote:
> >
> > Hi Artur,
> >
> > You are a champion! I can access oVirt now. Thank you so much.
> >
> You're welcome!
> I am happy it worked because I had no more ideas what to check next :)
>
> > One last question, can I create additional groups in ie. Read Only, etc? And
> > then will this be done in KeyCloak or in the oVIrt UI?
typo fixed:
> This ovirt-administrator group is only for accessing(authentication & sso)
> ovirt engine admin panel and, as far as I understand it, it *** does NOT ***
> restrict access to  particular engine's admin functions. I think that proper 
> authorization is done only at the engine's UI level.  See  'User 
> Authorization' under 
> https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
> >  
> > 
> > Thank you
> > 
> > From: Artur Socha
> > Sent: 22 April 2020 13:21
> > To: Anton Louw ; users@ovirt.org
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >
> > On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> > > On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> > > >
> > > > Ok so this is definitely looking better. I get an error, but at least
> > > > now it is saying : “The user admin@openidchttp is not authorized to
> > > > perform login”
> > > >
> > > > This is strange though, because admin in by default should be allowed
> > > > access?
> > >
> > > Well, yes and no :)
> > >
> > > In order for user to be considered admin (for ovirt engine) it must belong
> > > to keycloak's ovirt-administrator group (in keycloak admin panel see
> > > Manage->Groups->Members)
> >
> > Small clarification:
> >
> > In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' ->
> > Members
> >
> > Note that the group must have the exact name: ovirt-administrator
> >
> > >
> > > I think you are very close to have it up-and-running.
> > >
> > > > From: Anton Louw
> > > > Sent: 22 April 2020 12:38
> > > > To: Artur Socha ; users@ovirt.org
> > > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > > >
> > > > Perfect, I’ll test and let you know.
> > > >
> > > > Thanks
> > > >
> > > > From: Artur Socha
> > > > Sent: 22 April 2020 12:32
> > > > To: Anton Louw ; users@ovirt.org
> > > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > > >
> > > > + users@ovirt.org
> > > >
> > > > On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> > > > >
> > > > > Hi Artur,
> > > > >
> > > > > I would just like to make sure I am following correctly, comparing
> > > > > your entries against mine.
> > > > >

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 12:28 +, Anton Louw wrote:
>
> Hi Artur,
>
> You are a champion! I can access oVirt now. Thank you so much.
>
You're welcome!
I am happy it worked because I had no more ideas what to check next :)

> One last question, can I create additional groups in ie. Read Only, etc? And
> then will this be done in KeyCloak or in the oVIrt UI?

This ovirt-administrator group is only for accessing(authentication & sso) ovirt
engine admin panel and, as far as I understand it, it does restrict access
to  particular engine's admin functions. I think that proper authorization is
done only at the engine's UI level.  See  'User Authorization' under 
https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
>  
> 
> Thank you
> 
> From: Artur Socha
> Sent: 22 April 2020 13:21
> To: Anton Louw ; users@ovirt.org
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> > On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> > >
> > > Ok so this is definitely looking better. I get an error, but at least now
> > > it is saying : “The user admin@openidchttp is not authorized to perform
> > > login”
> > >
> > > This is strange though, because admin in by default should be allowed
> > > access?
> >
> > Well, yes and no :)
> >
> > In order for user to be considered admin (for ovirt engine) it must belong
> > to keycloak's ovirt-administrator group (in keycloak admin panel see
> > Manage->Groups->Members)
>
> Small clarification:
>
> In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' -> Members
>
> Note that the group must have the exact name: ovirt-administrator
>
> >
> > I think you are very close to have it up-and-running.
> >
> > > From: Anton Louw
> > > Sent: 22 April 2020 12:38
> > > To: Artur Socha ; users@ovirt.org
> > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > >
> > > Perfect, I’ll test and let you know.
> > >
> > > Thanks
> > >
> > > From: Artur Socha
> > > Sent: 22 April 2020 12:32
> > > To: Anton Louw ; users@ovirt.org
> > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> > >
> > > + users@ovirt.org
> > >
> > > On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> > > >
> > > > Hi Artur,
> > > >
> > > > I would just like to make sure I am following correctly, comparing your
> > > > entries against mine.
> > > >
> > > > Your setup:
> > > > ...
> > > > config.mapAuthRecord.regex.pattern =
> > > > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > > > ...
> > > >
> > > > My setup:
> > > > …
> > > > config.mapAuthRecord.regex.pattern =
> > > > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > > > …
> > > >
> > > > Should I add the additional 2 “\\” in on my side?
> > >
> > > Yes, please try adding it. In my case I learned about this issue by
> > > debugging the code because the real exception generated by incorrect
> > > regexp syntax was hidden behind generic error message giving no clues
> > > about the true cause.
> > >
> > > > Your setup:
> > > > ...

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
> On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> > 
> > Ok so this is definitely looking better. I get an error, but at least now it
> > is saying : “The user admin@openidchttp is not authorized to perform login”
> >  
> > This is strange though, because admin in by default should be allowed
> > access?
> 
> Well, yes and no :)
> 
> In order for user to be considered admin (for ovirt engine) it must belong to
> keycloak's ovirt-administrator group (in keycloak admin panel see
> Manage->Groups->Members)

Small clarification:

In keycloak admin panel see Manage-> Groups->  'ovirt-administrator' -> Members

Note that the group must have the exact name: ovirt-administrator 


> 
> I think you are very close to have it up-and-running.
> 
> 
> >  
> > From: Anton Louw 
> > Sent: 22 April 2020 12:38
> > To: Artur Socha ; users@ovirt.org
> > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> >  
> > Perfect, I’ll test and let you know.
> >  
> > Thanks
> >  
> > From: Artur Socha  
> > Sent: 22 April 2020 12:32
> > To: Anton Louw ; users@ovirt.org
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >  
> > + users@ovirt.org
> >  
> > On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> > >  
> > > 
> > > Hi Artur,
> > >  
> > > I would just like to make sure I am following correctly, comparing your
> > > entries against mine.
> > >  
> > > Your setup:
> > > ...
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > > ...
> > > 
> > > 
> > > My setup:
> > > …
> > > config.mapAuthRecord.regex.pattern =
> > > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > > …
> > >  
> > > Should I add the additional 2 “\\” in on my side?
> > 
> >  
> > Yes, please try adding it. In my case I learned about this issue by
> > debugging the code because the real exception generated by incorrect regexp
> > syntax was hidden behind generic error message giving no clues about the
> > true cause.
> >  
> > >  
> > > Your setup:
> > > ...
> > >  > > negotiate|oauth/token-
> > > http-auth)|^/ovirt-engine/callback>
> > > 
> > >  
> > > Require valid-user
> > > AuthType openid-connect
> > > 
> > > ErrorDocument 401 " > > url=/ovirt-engine/sso/login-unauthorized\"/> > > engine/sso/login-unauthorized\">Here"
> > > 
> > > 
> > > …
> > >  
> > > My setup:
> > > …
> > >  > > negotiate|oauth/token-
> > > http-auth)|^/ovirt-engine/callback>
> > > 
> > >  
> > >   Require valid-user
> > >   AuthType openid-connect
> > >  
> > >   ErrorDocument 401 "Here"
> > > 
> > > 
> > > …
> > >  
> > > I remember I had syntax errors, but mine was changed.
> > >  
> > > Does this look fine to you?
> > 
> >  
> > Yeah, your version looks good too. You have ' instead of " so that is ok. 
> >  
> > > Thanks
> > >  
> > > From: Anton Louw 
> > > Sent: 22 April 2020 10:07
> > > To: Artur Socha 
> > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> > >  
> > > Hi Artur,
> > >  
> > > Great, I will try the below and let you know. I appreciate your efforts.

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
On Wed, 2020-04-22 at 10:42 +, Anton Louw wrote:
> 
> 
> Ok so this is definitely looking better. I get an error, but at least now it
> is saying : “The user admin@openidchttp is not authorized to perform login”
>  
> This is strange though, because admin in by default should be allowed access?

Well, yes and no :)

In order for user to be considered admin (for ovirt engine) it must belong to
keycloak's ovirt-administrator group (in keycloak admin panel see
Manage->Groups->Members)

I think you are very close to have it up-and-running.


>  
> From: Anton Louw 
> Sent: 22 April 2020 12:38
> To: Artur Socha ; users@ovirt.org
> Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>  
> Perfect, I’ll test and let you know.
>  
> Thanks
>  
> From: Artur Socha  
> Sent: 22 April 2020 12:32
> To: Anton Louw ; users@ovirt.org
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>  
> + users@ovirt.org
>  
> On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
> >  
> > 
> > Hi Artur,
> >  
> > I would just like to make sure I am following correctly, comparing your
> > entries against mine.
> >  
> > Your setup:
> > ...
> > config.mapAuthRecord.regex.pattern =
> > ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> > ...
> > 
> > 
> > My setup:
> > …
> > config.mapAuthRecord.regex.pattern =
> > ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> > …
> >  
> > Should I add the additional 2 “\\” in on my side?
> 
>  
> Yes, please try adding it. In my case I learned about this issue by debugging
> the code because the real exception generated by incorrect regexp syntax was
> hidden behind generic error message giving no clues about the true cause.
>  
> >  
> > Your setup:
> > ...
> >  > http-auth)|^/ovirt-engine/callback>
> > 
> >  
> > Require valid-user
> > AuthType openid-connect
> > 
> > ErrorDocument 401 " > url=/ovirt-engine/sso/login-unauthorized\"/> > engine/sso/login-unauthorized\">Here"
> > 
> > 
> > …
> >  
> > My setup:
> > …
> >  > http-auth)|^/ovirt-engine/callback>
> > 
> >  
> >   Require valid-user
> >   AuthType openid-connect
> >  
> >   ErrorDocument 401 "Here"
> > 
> > 
> > …
> >  
> > I remember I had syntax errors, but mine was changed.
> >  
> > Does this look fine to you?
> 
>  
> Yeah, your version looks good too. You have ' instead of " so that is ok. 
>  
> > Thanks
> >  
> > From: Anton Louw 
> > Sent: 22 April 2020 10:07
> > To: Artur Socha 
> > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
> >  
> > Hi Artur,
> >  
> > Great, I will try the below and let you know. I appreciate your efforts.
> >  
> > Sure, you may report it, I was in such a rush that I only hit “reply” and
> > not “Reply All”
> >  
> > I do recall that I had to make some changes to the below as it
> > complained about syntax errors:
> >  
> > ErrorDocument 401 " > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> > href=\"/ovirt-engine/sso/login-unauthorized\">Here"
> > 
> > 
> >  
> > I will let you know the outcome when I change the below as you suggested.
> >  
> > Cheers
> >  
> > From: Artur Socha  
> > Sent: 22 April 2020 09:51
> > To: Anton Louw 
> > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
> >  
> > I checked your logs and I did not notice anything suspicious. 
> > However, now I recall I made some changes compared to blog post
> > example:
> > 
> > 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties 
> > I added escaping in regexp for '\'
>
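
The backslash question in the exchange quoted above comes down to the file being read in two stages: the .properties loader consumes one level of backslashes before the regex compiler sees the pattern. The check below is an added example, not code from the thread or from oVirt; it assumes the mapping file is read with java.util.Properties semantics, the class name is hypothetical, and the group names user, at, suffix and realm are assumptions because the copies of the pattern quoted here have lost them. It loads the same line with two backslashes (the "My setup" form) and with four (after adding the two more that the reply confirms) and reports the real regex error instead of a generic one.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Hypothetical helper: validate the mapping regex before restarting the engine.
public class MappingPatternCheck {
    static final String KEY = "config.mapAuthRecord.regex.pattern";

    // Build one constructed properties line with the given number of backslash
    // characters in front of the escaped-@ group. Group names are assumed.
    static String line(int backslashes) {
        return KEY + " = ^(?<user>.*?)(("
            + "\\".repeat(backslashes)          // "\\" in Java source is ONE backslash
            + "(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$";
    }

    // Stage 1: Properties.load() unescapes the value (\\ becomes \).
    // Stage 2: Pattern.compile() parses what is left.
    static String check(String fileLine) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(fileLine));
        String regex = p.getProperty(KEY);
        if (regex == null) {
            return "FAIL key " + KEY + " not found";
        }
        try {
            Pattern compiled = Pattern.compile(regex);
            // Principal taken from the error message quoted in the thread.
            Matcher m = compiled.matcher("admin@openidchttp");
            String user = m.matches() ? m.group("user") : "<no match>";
            return "OK   regex=" + regex + "  user=" + user;
        } catch (PatternSyntaxException e) {
            // This is the detail that a generic login error hides.
            return "FAIL regex=" + regex + "  -> " + e.getDescription()
                + " at index " + e.getIndex();
        }
    }

    public static void main(String[] args) throws IOException {
        for (int n : new int[] {2, 4}) {
            System.out.println(n + " backslashes in file: " + check(line(n)));
        }
    }
}
```

With two backslashes the loader leaves a single one, which escapes the opening parenthesis of the next group and unbalances the pattern; with four, the regex receives an escaped literal backslash and compiles.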

[ovirt-users] Re: oVirt and KeyCloak intergration

2020-04-22 Thread Artur Socha
+ users@ovirt.org
On Wed, 2020-04-22 at 09:57 +, Anton Louw wrote:
>
> Hi Artur,
>
> I would just like to make sure I am following correctly, comparing your
> entries against mine.
>
> Your setup:
> ...
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> ...
>
> My setup:
> …
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)((\\(?@)(?.*?)@.*)|(?@.*))$
> …
>
> Should I add the additional 2 “\\” in on my side?

Yes, please try  adding it. In my case I learned about this issue by debugging
the code because the real exception generated by incorrect regexp syntax was
hidden behind  generic error message giving no clues about the true cause.
>
> Your setup:
> ...
>  http-auth)|^/ovirt-engine/callback>
>
> Require valid-user
> AuthType openid-connect
>
> ErrorDocument 401 " engine/sso/login-unauthorized\"/> unauthorized\">Here"
>
> …
>
> My setup:
> …
>  http-auth)|^/ovirt-engine/callback>
>
>   Require valid-user
>   AuthType openid-connect
>
>   ErrorDocument 401 "Here"
>
> …
>
> I remember I had syntax errors, but mine was changed.
>
> Does this look fine to you?
>

Yeah, your version looks good too. You have ' instead of  "  so that is ok. 
> Thanks
>  
> From: Anton Louw
> Sent: 22 April 2020 10:07
> To: Artur Socha
> Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>
> Hi Artur,
>
> Great, I will try the below and let you know. I appreciate your efforts.
>
> Sure, you may report it, I was in such a rush that I only hit “reply” and not
> “Reply All”
>
> I do recall that I had to make some changes to the below as it complained
> about syntax errors:
>
> ErrorDocument 401 " 
> content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> 
> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
>
> I will let you know the outcome when I change the below as you suggested.
>
> Cheers
>
> From: Artur Socha
> Sent: 22 April 2020 09:51
> To: Anton Louw
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> I checked your logs and I did not notice anything suspicious.
> However, now I recall I made some changes compared to blog post
> example:
>
> 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
> I added escaping in regexp for '\'
> ...
> config.mapAuthRecord.regex.pattern =
> ^(?.*?)(((?@)(?.*?)@.*)|(?@.*))$
> ...
>
> 2) /etc/httpd/ovirt-openidc.conf
> Escaping for '"' in error document snippet
> ...
>  
> negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
>
> Require valid-user
> AuthType openid-connect
>
> ErrorDocument 401 " 
> content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/> 
> href=\"/ovirt-engine/sso/login-unauthorized\">Here"
>
> ...
>
> These two issues were most probably caused by the blog site rendering.
>
> You might want to check engine.log (or server.log not really sure which
> one was that) for aaa extension initialization logs. They should
> appear at the beginning just after restarting engine.
>
> Unfortunately, at the moment I do not have running keycloak setup (I
> used to have a local VM) but I will try to find some time to set it up
> again once I'm done with another work item that actually consumes
> almost entire disk space