[ovirt-users] Re: ovirtsdk4 error

2019-12-10 Thread Ondra Machacek 



On 10/12/2019 04:58, jeremy_tourvi...@hotmail.com wrote:

I have a server which runs a project from Github called SecGen.  SecGen uses 
Vagrant to provision VMs from templates.  When I go to my project folder and 
run vagrant up I get an error.

user@localhost:~/bin/SecGen/projects/SecGen20191207_183811$ vagrant up
Bringing machine 'escalation' up with 'ovirt4' provider...
==> escalation: Creating VM with the following settings...
==> escalation:  -- Name:  SecGen-default-scenario-escalation
==> escalation:  -- Cluster:   Default
==> escalation:  -- Template:  Vcentos77
==> escalation:  -- Console Type:  spice
==> escalation:  -- Memory:
==> escalation:   Memory:  512 MB
==> escalation:   Maximum: 512 MB
==> escalation:   Guaranteed:  512 MB
==> escalation:  -- Cpu:
==> escalation:   Cores:   1
==> escalation:   Sockets: 1
==> escalation:   Threads: 1
==> escalation:  -- Cloud-Init:false
==> escalation: An error occured. Recovering..
==> escalation: VM is not created. Please run `vagrant up` first.
/home/user/.vagrant.d/gems/2.4.9/gems/ovirt-engine-sdk-4.0.12/lib/ovirtsdk4/reader.rb:272:in
 `read': Can't find a reader for tag 'html' (OvirtSDK4::Error)
 from 
/home/user/.vagrant.d/gems/2.4.9/gems/ovirt-engine-sdk-4.0.12/lib/ovirtsdk4/service.rb:66:in
 `check_fault'
 from 
/home/user/.vagrant.d/gems/2.4.9/gems/ovirt-engine-sdk-4.0.12/lib/ovirtsdk4/services.rb:35570:in
 `add'
 from 
/home/user/.vagrant.d/gems/2.4.9/gems/vagrant-ovirt4-1.2.2/lib/vagrant-ovirt4/action/create_vm.rb:67:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/before_trigger.rb:23:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/after_trigger.rb:26:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/home/user/.vagrant.d/gems/2.4.9/gems/vagrant-ovirt4-1.2.2/lib/vagrant-ovirt4/action/set_name_of_domain.rb:17:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/before_trigger.rb:23:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:121:in
 `block in finalize_action'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builder.rb:116:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/runner.rb:102:in
 `block in run'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/util/busy.rb:19:in
 `busy'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/runner.rb:102:in
 `run'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/call.rb:53:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/before_trigger.rb:23:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/after_trigger.rb:26:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/home/user/.vagrant.d/gems/2.4.9/gems/vagrant-ovirt4-1.2.2/lib/vagrant-ovirt4/action/connect_ovirt.rb:31:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/before_trigger.rb:23:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/after_trigger.rb:26:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/builtin/config_validate.rb:25:in
 `call'
 from 
/opt/vagrant/embedded/gems/2.2.6/gems/vagrant-2.2.6/lib/vagrant/action/warden.rb:50:in
 `ca

[ovirt-users] Re: Users and VM permissions matrix

2019-11-05 Thread Ondra Machacek 



On 05/11/2019 11:57, Colin Coe wrote:

Hi all

I've been tasked with creating a matrix of users/groups and VMs so we 
can easily see who has access to what (via SPCIE console).


Google has given me a couple of hints but I can get it over the line.

---
users_service = connection.system_service().users_service()
users = users_service.list()

for user in users:
     username = user.user_name.split('@')[0]

     # Follow the link to the permissions of the user:
     perms = connection.follow_link(user.permissions)
     for perm in perms:
         if perm.vm:
             print(username)
             permissions_service = 
connection.system_service().permissions_service()


Well if you would add here:

print (connections.follow_link(perm.role).name)

you would know the name of the role that user have,
but you wouldn't know for which object this role is
assigned.

What exactly should be the output of your script?

For example:

User1:
VMs:
 vm1: UserVmManager
 vm2: UserRole
CLusters:
 cluster1: UserRole

User2:
VMs:
 vm3: UserRole

Group1:
CLusters:
 cluster2: UserRole

?


             print(perm.vm.id )
---

The problem is with permissions, the output from above is:
---
user1
1b645daf-de26-4f33-9e3b-6a12eadd4618
user2
9c79e763-f78d-4bf9-b8ca-20fe197fd80c
user3
f9d00b30-8003-41c3-95a1-10e0c452fa63
user4
1bbadf96-ef95-4ece-b5f3-1fa112aa3571
user5
e9085627-324e-48d3-bc04-52ff7798ddd0
---

I can't work out how to get the actual permissions rather that the ID.

Any ideas?

Thanks


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PILAIVCF7C4LXVATL5T6P4VMZP3Y22G7/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XLX55TM3UJ6EEMZDHBXPW6MJHHT5EK2E/

[ovirt-users] Re: ovirt-web-ui search active directory user problem

2019-10-29 Thread Ondra Machacek 

Did you retart ovirt-engine when you've configured the aaa? If not you
should. If the problem is after ovirt-engine restart, please share the
engine log, so we can investigate what could be the problem.

On 25/10/2019 02:20, 山永军 wrote:
Ovirt version 4.3, active directory windows 2012r2; after adding domain 
authentication through ovirt engine extension AAA LDAP setup, when 
adding domain users through management interface configuration - > 
system permissions, select Search: domain, namespace: *. The following 
go button is gray and cannot be searched. It is normal to search through 
ovirt engine extensions tool test. How can I solve this problem?




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IFGXSLO35RSQASZR3UH2ICUYBJ6R7HTJ/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/NIVBVBMSH36K6MHZVIWCA7EMH7PH5HGT/

[ovirt-users] Re: Fail to attach/create disk from template when running via Ansible

2019-10-10 Thread Ondra Machacek 

The error message is:

Image does not exist in domain: 
u'image=d680a46a-7188-45f6-b6a7-f830c0b4, 
domain=935de3ac-a735-4fc8-9161-26bfd751ffc7'


Can you please check if the image with id 
'd680a46a-7188-45f6-b6a7-f830c0b4' exists on storage domain with id 
'935de3ac-a735-4fc8-9161-26bfd751ffc7'?


On 08/10/2019 13:05, Vrgotic, Marko wrote:

Dear oVirt,

Just recently, I have upgraded oVirt staging environment from 4.3.4 to 
4.3.6 release.


Since then I noticed the issue when creating VMs from template, using 
Ansible. When creating VM from template using UI, all works well.


Tests were executed with same user, with SuperUser priviledges.

pip freeze

*ansible==2.7.13*

asn1crypto==1.0.0

bcrypt==3.1.7

cffi==1.12.3

cryptography==2.7

dnspython==1.16.0

ipaddress==1.0.22

Jinja2==2.10.1

lxml==4.4.1

MarkupSafe==1.1.1

netaddr==0.7.19

*ovirt-engine-sdk-python==4.3.3*

paramiko==2.6.0

pycparser==2.19

pycurl==7.43.0.3

PyNaCl==1.3.0

PyYAML==5.1.2

six==1.12.0

*Logs from engine: *

2019-10-08 09:57:42,294Z INFO  [org.ovirt.engine.core.bll.AddVmCommand] 
(default task-23) [067ec489-ae6c-4871-8ab6-8296016ca1ce] Lock Acquired 
to object 'EngineLock:{exclusiveLocks='[centos-testvm-024=VM_NAME]', 
sharedLocks='[9ac6f4ad-58d0-4a7e-b424-91f2d76abcac=TEMPLATE, 
a7e42574-be60-4c94-94a5-cc4b30fdb16f=DISK]'}'


2019-10-08 09:57:42,299Z INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.HSMClearTaskVDSCommand] 
(EE-ManagedThreadFactory-engine-Thread-43687) [390b4c75] FINISH, 
HSMClearTaskVDSCommand, return: , log id: be932a0


2019-10-08 09:57:42,299Z INFO  
[org.ovirt.engine.core.vdsbroker.irsbroker.SPMClearTaskVDSCommand] 
(EE-ManagedThreadFactory-engine-Thread-43687) [390b4c75] FINISH, 
SPMClearTaskVDSCommand, return: , log id: 3e25883


2019-10-08 09:57:42,303Z INFO  
[org.ovirt.engine.core.bll.tasks.SPMAsyncTask] 
(EE-ManagedThreadFactory-engine-Thread-43687) [390b4c75] 
BaseAsyncTask::removeTaskFromDB: Removed task 
'7e1d68a2-bb49-4456-b228-db851fe6603c' from DataBase


2019-10-08 09:57:42,303Z INFO  
[org.ovirt.engine.core.bll.tasks.CommandAsyncTask] 
(EE-ManagedThreadFactory-engine-Thread-43687) [390b4c75] 
CommandAsyncTask::HandleEndActionResult [within thread]: Removing 
CommandMultiAsyncTasks object for entity 
'4f8a6897-66e8-453b-b706-246cb8505b3e'


2019-10-08 09:57:42,375Z INFO  [org.ovirt.engine.core.bll.AddVmCommand] 
(default task-23) [067ec489-ae6c-4871-8ab6-8296016ca1ce] Running 
command: AddVmCommand internal: false. Entities affected :  ID: 
2e428504-c339-11e9-87ef-00163e3ec101 Type: ClusterAction group CREATE_VM 
with role type USER,  ID: 9ac6f4ad-58d0-4a7e-b424-91f2d76abcac Type: 
VmTemplateAction group CREATE_VM with role type USER,  ID: 
935de3ac-a735-4fc8-9161-26bfd751ffc7 Type: StorageAction group 
CREATE_DISK with role type USER


2019-10-08 09:57:42,488Z INFO  
[org.ovirt.engine.core.bll.AddRngDeviceCommand] (default task-23) 
[332c57d4] Running command: AddRngDeviceCommand internal: true. Entities 
affected :  ID: d5719cf0-2a64-4a28-bbf2-edc1bb05b777 Type: VMAction 
group EDIT_VM_PROPERTIES with role type USER


2019-10-08 09:57:42,498Z INFO  
[org.ovirt.engine.core.vdsbroker.SetVmStatusVDSCommand] (default 
task-23) [332c57d4] START, SetVmStatusVDSCommand( 
SetVmStatusVDSCommandParameters:{vmId='d5719cf0-2a64-4a28-bbf2-edc1bb05b777', 
status='ImageLocked', exitStatus='Normal'}), log id: 2fe004e2


2019-10-08 09:57:42,507Z INFO  
[org.ovirt.engine.core.vdsbroker.SetVmStatusVDSCommand] (default 
task-23) [332c57d4] FINISH, SetVmStatusVDSCommand, return: , log id: 
2fe004e2


2019-10-08 09:57:42,528Z INFO  
[org.ovirt.engine.core.bll.snapshots.CreateSnapshotFromTemplateCommand] 
(default task-23) [067ec489-ae6c-4871-8ab6-8296016ca1ce] Running 
command: CreateSnapshotFromTemplateCommand internal: true. Entities 
affected :  ID: 935de3ac-a735-4fc8-9161-26bfd751ffc7 Type: Storage


2019-10-08 09:57:42,554Z INFO  
[org.ovirt.engine.core.vdsbroker.irsbroker.CreateVolumeVDSCommand] 
(default task-23) [067ec489-ae6c-4871-8ab6-8296016ca1ce] START, 
CreateVolumeVDSCommand( 
CreateVolumeVDSCommandParameters:{storagePoolId='2e3b3484-c339-11e9-8d02-00163e3ec101', 
ignoreFailoverLimit='false', 
storageDomainId='935de3ac-a735-4fc8-9161-26bfd751ffc7', 
imageGroupId='d680a46a-7188-45f6-b6a7-f830c0b4', 
imageSizeInBytes='8589934592', volumeFormat='COW', 
newImageId='9a96018c-ce7d-4c77-a91a-30fc16c7b2ba', imageType='Sparse', 
newImageDescription='', imageInitialSizeInBytes='0', 
imageId='f9e0c4d9-81dd-4e44-8a71-33e55d4399c6', 
sourceImageGroupId='a7e42574-be60-4c94-94a5-cc4b30fdb16f'}), log id: 
37b29c7d


2019-10-08 09:57:42,639Z INFO  
[org.ovirt.engine.core.vdsbroker.irsbroker.CreateVolumeVDSCommand] 
(default task-23) [067ec489-ae6c-4871-8ab6-8296016ca1ce] FINISH, 
CreateVolumeVDSCommand, return: 9a96018c-ce7d-4c77-a91a-30fc16c7b2ba, 
log id: 37b29c7d


2019-10-08 09:57:42,645Z INFO  
[org.ovirt.engine.core.bll.tasks.CommandAsyncTask] (default task-23) 
[067ec489-ae6c-4871-8ab6-8296016ca

[ovirt-users] Re: Reboot a guest via ansible in oVirt

2019-09-24 Thread Ondra Machacek 
Hi, we don't have implemented direct restart. But the next_run state 
does something similar. When there is next_run_configuration on the VM, 
the VM is restarted. I've submitted the issue[1], to add direct restart.


[1] https://github.com/ansible/ansible/issues/62775

On 20/09/2019 16:20, Gianluca Cecchi wrote:

Hello,
I see that there is this Ansible module for vSphere that contains also 
the state "restarted":

https://docs.ansible.com/ansible/latest/modules/vmware_guest_powerstate_module.html

For oVirt I see the ovirt_vm module where state can be one of:
[ absent, next_run, present, registered, running, stopped, suspended, 
exported ]


Can we think to add a restart / restarted one to it too?
BTW: I see discrepancy between this page:
https://www.ovirt.org/develop/release-management/features/infra/ansible_modules.html
where many module names and links to github source are plural (eg 
ovirt_disks) and actual ansible docs and github sources that are 
singular (eg. ovirt_disk)


Thanks,
Gianluca

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3MWZS7R3SUQ2ZXK5OWEAHZNV34DAVJSJ/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IEBYJPW7WTWB3ZYYGOVYB4FBI6O6XD5E/

[ovirt-users] Re: Python to retrive the VM-Config from the snapshot

2019-09-10 Thread Ondra Machacek 

Hi,

this example is the close to what you want to achieve:


https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/vm_backup.py#L137

but instead of line 137, you would have to do something like this:

snap_data = data_vm_service.snapshots_service().list(all_content=True)[0]
ovf_data = snap_data.vm.initialization.configuration.data

On 10/09/2019 15:12, Sven Achtelik wrote:

Hi All,

I’m trying to build a custom solution for Backups using the python. 
Everything works and I can get my disk copies. The last thing is getting 
the VM config and I can’t find any hint on how to get this done with 
python. Is there a way to actually get this information out easily ? 
Somehting like


  * Grab the wanted vm configuration from the needed snapshot - it’ll be
under initialization/configuration/data

URL = SERVER:PORT/api/vms/VM_ID/snapshots/IDMethod = GET  (with 
All-Content:true header)

I also have to mention that I’m not a profession programmer and work 
with what I can find as documentation or code examples.


http://ovirt.github.io/ovirt-engine-sdk/4.1/

https://github.com/oVirt/ovirt-engine-sdk/tree/master/sdk/examples

If some experienced python programmer could give a hint where to look at 
that would be great.


Thank you,

Sven


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/G5ZAPBGVZ7EKYWPXDPIZIKMSBUQBOPWN/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/53WGTDTIVIGX7FRSQHL5GT5REQ4Z2IQS/

[ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup

2019-09-05 Thread Ondra Machacek 
Can you please share the debug log from the 
ovirt-engine-extensions-test-tool?


On 04/09/2019 18:23, Rick A wrote:

thanks for the reply.  That doesn't seem to work for me either.  Strange part is if apply 
the settings anyway and I use a wildcard "*" in ovirt when searching for users, 
it lists users in a specific OU only even though it's set to search DC=domain,DC=com
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LFWJ4MGBF2RRIINHLG7LYCLJ5XACRVFE/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GN3775N5HMSZNIIWQOAEUTEV6ISZOPNI/

[ovirt-users] Re: template permissions not inherited (4.3.4)

2019-07-24 Thread Ondra Machacek 

There is 'Copy template permission' check box, when you open 'create vm'
dialog. Right after fields, name, description, comment, vm id. It's not
visible when using Blank template, but it's visible when you select
different template.

On 22/07/2019 14:28, Timmi wrote:

Hi oVirt List,

I have just a quick question if I should open a ticket for this or if 
I'm doing something wrong.


I created a new VM template with specific permissions in addition to the 
system wide permissions. If I create a new VM with the template I 
notices that only system permissions are copied to the permission of the 
new VM.


Is this the intended behavior? I was somehow under the impression that 
the permission from the template should have been copied to the newly 
created VM.


Tested with Version 4.3.4.3-1.el7

Best regards
Christoph
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ADS2EUY4K3RA2ZF6OEG2GHW6ZPUIZKLH/ 


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/USCBQ6V4ONNHNYNWZNHPL2H26CZ4SND7/

[ovirt-users] Re: ansible tower/awx integration in ovirt

2019-06-19 Thread Ondra Machacek 

We support tower, so you shouldn't have any issues integrate it.
There is oVirt/RHV credentials in the Tower/awx. So you can use those
for the authentication.

On 19/06/2019 10:37, Nathanaël Blanchet wrote:
Hello, I wrote a playbook for workflow that automates a vm creation from 
a template/cloud-init and then add it to our supervision engine and 
finally to our backup system. All currently works fine with awx.


I'd like to use one UI, and I wondered if integrating awx/tower in ovirt 
could be a good way to complete a basic current vm creation.



___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/VITNIFS2JDJWNXMZEOPGHUM2OXHX5BMI/

[ovirt-users] Re: ovirt_vm ansible cloud-init ipv6 related

2019-06-19 Thread Ondra Machacek 

Hello,

thanks for the report. This is indeed supported by oVirt, but it's not
supported by ovirt_vm Ansible module, I've opened an issue[1]. Thanks.

[1] https://github.com/ansible/ansible/issues/58054

On 17/06/2019 15:18, Vrgotic, Marko wrote:

Dear oVirt

Would you be so kind to help out clarifying if and how is IPv6 supported 
with


-ansible / ovirt_vm / cloud-init boot protocol.

I have created a VM template which by default uses cloud-init with 
following:


When I boot the VM from UI, each VM gets IPv4 DHCP and IPv6 DHCP6 
address, default cloud-init setup and we have infrastructure for both 
IPv4 and IPv6.


However, when calling same template via Ansible ovirt_vm, using following:

cloud_init_nics:  
   |~


  - nic_name: 
eth0
|~


    nic_boot_protocol: 
dhcp   
|~


    nic_on_boot: true

each VM receives only IPv4 DHCP and only IPv6 RA, but not DHCP IPv6.

Looking at booted VM, following options are not set:

  * /etc/sysconfig/network => NETWORKING_IPV6=yes
  * Or /etc/sysconfig/network-scripts/ifcfg-eth0 => DHCPV6C=yes and
IPV6INIT=yes

We need IPv6 DHCP6 address , especially for registering it host with DNS 
 record.


Is this supported? Am I doing it wrong way?

If its supported please let me know, how can I make sure that VMs 
created using Ansible also initialize DHCPV6.


Please assist.

Marko Vrgotic

ActiveVideo


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MLM7X2UDVV7ACJSNTGIJ433XRTN432VT/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RPY2MP6DPTJVQEWEREEF7UUKY2IVMU3Z/

[ovirt-users] Re: ovirt nic ansible module

2019-06-19 Thread Ondra Machacek 

I've opened an issue. This will be supported since 2.9:

 https://github.com/ansible/ansible/issues/58045

On 18/06/2019 12:00, Nathanaël Blanchet wrote:

Hello,

With that module, we can make the nic present/absent/plugged/unplugged, 
but is there a way to make the link state up or down?


Thanks.


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5PFUP67WHDPYK6XIRL5YJFC4MJY5CPUY/

[ovirt-users] Re: VM SSO

2019-05-14 Thread Ondra Machacek 

On 10/07/2016 09:09 AM, Maxence Sartiaux wrote:

Hello,

I try to use the VM SSO but no login, still on the logon screen ...

I'm on ovirt 4.0.3, connected to an AD (Samba 4.5) + VMs Windows 7/10
stateless sysprep-ed to integrate to the domain and obviously the
guest-agent is installed.

My AD user can connect to the user panel, take a vm and connect to the
console but no sign on on the windows. (the "Connect Automatically"
option is ticked)

Also, i don't know why but my username on ovirt panel has a double
domain  "u...@labo.lan @labo.lan" <- is this my problem ?


That is fine. One is for domain and second one is for UPN, so it's 
actually: UPN@domain.



The AD configuration is the configuration from the extension setup
wizard, no custom config, no mapping

Any ideas ?


Unfortunatelly, we have a regression bug:

 https://bugzilla.redhat.com/show_bug.cgi?id=1381606

There is no workaround I am aware of.



Thank you


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se



--
IMPORTANT!
This message has been scanned for viruses and phishing links.
However, it is your responsibility to evaluate the links and attachments you 
choose to click.
If you are uncertain, we always try to help.
Greetings helpd...@actnet.se

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BQDFCRUTUZCMADYXCM3OKYE5K5CLQNDU/

[ovirt-users] Re: Unable to add permissions for LDAP users

2019-05-14 Thread Ondra Machacek 

On 10/06/2016 01:47 PM, Michael Burch wrote:

I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can
successfully authenticate as an LDAP user. I can also login as
admin@internal and search for, find, and select LDAP users but I cannot
add permissions for them. Each time I get the error "User
admin@internal-authz failed to grant permission for Role UserRole on
System to User/Group ."


This error usually means bad unique attribute used.




I have no control over the LDAP server, which uses custom objectClasses
and uses groupOfNames instead of PosixGroups. I assume I need to set
sequence variables to accommodate our group configuration but I'm at a
loss as to where to begin. the The config I have is as follows:


include = 

vars.server = labauth.lan.lab.org

pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

pool.default.connection-options.connectTimeoutMillis = 1
pool.default.connection-options.responseTimeoutMillis = 9
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable =
simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value =
(objectClass=labPerson)(uid=*)

search.default.search-request.derefPolicy = NEVER

sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *


What's this^ for? I think it's unusable.



sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value =
${seq:simple_filterUserObject}(employeeStatus=3)

sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value =
(objectClass=groupOfUniqueNames)


This looks as hard to maintain file. I would suggest you to insert into 
this file just following:


 include = 

 vars.server = labauth.lan.lab.org

 pool.authz.auth.type = none
 pool.default.serverset.type = single
 pool.default.serverset.single.server = ${global:vars.server}
 pool.default.ssl.startTLS = true
 pool.default.ssl.insecure = true

 pool.default.connection-options.connectTimeoutMillis = 1
 pool.default.connection-options.responseTimeoutMillis = 9

 # Set custom base DN
 sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
 sequence.my-basedn-init-vars.010.description = set baseDN
 sequence.my-basedn-init-vars.010.type = var-set
 sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
 sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

And then create in directory 
'/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file 
'rfc2307-mycustom.properties' with content:


include = 

sequence-init.init.100-rfc2307-mycustom-init-vars = 
rfc2307-mycustom-init-vars

sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
sequence.rfc2307-mycustom-init-vars.010.type = var-set
sequence.rfc2307-mycustom-init-vars.010.var-set.variable = 
rfc2307_attrsUniqueId

sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE

sequence.rfc2307-mycustom-init-vars.020.type = var-set
sequence.rfc2307-mycustom-init-vars.020.var-set.variable = 
simple_filterUserObject
sequence.rfc2307-mycustom-init-vars.020.var-set.value = 
(objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)



The FIND_*THIS_ONE* replace with the unique attribute of labPerson(I 
guess). It can be extended attribute(+,++).


 $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H 
ldap://labauth.lan.lab.org 'objectClass=labPerson'


 maybe (or even with two +):
$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H 
ldap://labauth.lan.lab.org 'objectClass=labPerson' +


The question is if even your implementation has unique attribute, does
it?

Also may you share what's your LDAP provider? And maybe if you share
content of some user it would help as well.






___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


__

[ovirt-users] Re: LDAP - not able to find members of groups

2019-05-09 Thread Ondra Machacek 

By default the openldap configuration on oVirt does connect it via
member attribute of the group, so you shouldn't have any issue logging
in as user from some group. We support also memberOf plugin, but it's
not default for openldap.

On 08/05/2019 13:10, Timmi wrote:

Hi oVirt List,

I manage to connect oVirt to my LDAP and I'm able to search for users 
and groups.


I'm using openLDAP within a ClearOS installation and it looks like this 
is a bit different to the standard openLDAP.


Inside the LDAP groups there is an attribute with is calls "member".

Example:
member    cn=Timmi,ou=Users,ou=Accounts,dc=domain,dc=com

Is someone able to help me how to make sure that oVirt is able to join 
the users to the groups?


Best regards
Timmi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PBQXDJGOZ2ET347YDZFSQPFJGMNSALHD/ 


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EEPERSQD5IMKNYHCS7MUSNVARTPWJSLN/

[ovirt-users] Re: Ansible oVirt.image-template role

2019-05-09 Thread Ondra Machacek 

Can you share what you have in runsetup.yml. According to log, there is
 run only 'gather facts' task and nothing more.

On 09/05/2019 03:41, Jeremy Tourville wrote:
I am trying to run an Ansible playbook that doesn't appear to run 
correctly.  I have followed the example from this blog - 
https://evaryont.me/blog/2018/09/getting-started-with-vagrant-and-ovirt-from-scratch.html


The playbook finishes with an ok status but the template never gets 
built in Ovirt.

I have taken logs from three locations hoping to spot the error:

  * [root@ansible ansible]#ansible-playbook - runsetup.yml
  * [root@ansible ansible]# less /var/log/ansible.log
  * [root@engine ~]# tail -f /var/log/messages (while the playbook is
being run.

The server Ansible is my control node and Engine is my managed host.
Can anyone help me interpret the attached logs in an effort to further 
troubleshoot?  Thanks!




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3PYBFA3TU2P3STKEOE3L6RUDIF245CYA/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WR4BEEX742LYWYVUDH3NEJNGNP6AOPUB/

[ovirt-users] Re: Fetching DiskAttachmentService in ovirt-python-sdk-4

2019-04-29 Thread Ondra Machacek 

There is also this usage guide:

 https://github.com/oVirt/ovirt-engine-sdk/tree/master/sdk#usage

which may help you better understand difference between the service and
the type.

On 26/04/2019 11:30, Joey Ma wrote:
Beside the doc you've referred to, the example codes for sdk [1] are 
always the recommendation. Well, you could also check the codes of oVirt 
module [2] for Ansible if the examples are incomplete.



[1]: https://github.com/oVirt/ovirt-engine-sdk/tree/master/sdk/examples
[2]: 
https://github.com/ansible/ansible/tree/devel/lib/ansible/modules/cloud/ovirt


On Fri, Apr 26, 2019 at 5:10 PM Kaustav Majumder > wrote:


Thank you so much . It worked. i often get confused with the sdk. Is
there  a doc explaining this?

On Fri, Apr 26, 2019 at 2:37 PM Joey Ma mailto:majunj...@gmail.com>> wrote:

Hi Kaustav,

IHMO, the `attachment` variable is an instance of
DiskAttachment, instead of the type of DiskAttachmentService as
expected. You should probably replace

```python
     # Line 18-20
     if attachment:
         attachment.remove(detach_only=False)
         print("Disk removed")
  ```

with

```python
     if attachment:
         attachment_service =
disk_attachments_service.attachment_service(attachment.id
)
         attachment_service.remove(detach_only=False)
         print("Disk removed")
```


On Fri, Apr 26, 2019 at 4:36 PM Kaustav Majumder
mailto:kmaju...@redhat.com>> wrote:

Hi,
I am trying to detach and delete disk from my vm. I found
this service in the docs
DiskAttachmentService

http://ovirt.github.io/ovirt-engine-sdk/master/services.m.html#ovirtsdk4.services.DiskAttachmentService
I am not able to fetch this service. Below if the snippet of
code I am trying.
https://pastebin.com/UUu0Pfc8

Error-->   File "./pre_setup/delete_vm_disk.py", line 19, in
remove_attached_vm_disk
     attachment.remove(detach_only=False)
AttributeError: 'DiskAttachment' object has no attribute
'remove'





-- 


Thanks,

Kaustav Majumder

___
Users mailing list -- users@ovirt.org 
To unsubscribe send an email to users-le...@ovirt.org

Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:

https://lists.ovirt.org/archives/list/users@ovirt.org/message/O4ZC47JHLBDEHF7ZE27P7AZI2DZ44E4Z/



-- 


Thanks,

Kaustav Majumder


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/2VAGHC6IUUT3RWDADIB3GLYR7KKPPE3L/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AO56DZNQTPCNVDSWHYGPAU2QXFADZVYN/

[ovirt-users] Re: Is there a way to tell whether a permission set for a VM is inherited using REST API?

2019-04-23 Thread Ondra Machacek 
Actually this is bug, as I see we fill the  tag for all 
permissions, even for inherited permissions, but it should be set only 
for direct permissions, that's how you would distinguish it. Same as you

say you can do it via following the specific permission id.

So I am afraid there is no effective way, unfortunatelly. If you don't
have many users, you can list users permissions and find if it has
permission for your VM, which would mean it has direct permission on a
VM.

On 22/04/2019 12:03, Anton E wrote:

Hi everyone!

My question is in the subject for the most part.
I'm trying to backup a vm parameters, including the linked attributes, namely the 
permissions. But I don't want the inherited permissions to be included into the 
backup, I only need the attributes specific to the vm. It looks like there is no 
difference between the inherited and the vm-specific permissions in the output from 
/ovirt-engine/api/vms//permissions service.

What is the best way to distinguish the specific permissions from the inherited ones? 
It seems I can follow the link to the particular permission and see whether the vm 
attribute is set on it and it points to the VM I need, but that would require 
numerous REST requests to be done. Is there a more elegant way? Maybe I can somehow 
filter the output of /ovirt-engine/api/vms//permissions to only include 
the required info?

Thanks in advance.

Best regards,
Anton.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AVHAC4SSJWVYYD5GVJG6WP7GUEMGD67Y/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5QJOSEH2A3KLN7EUJQDKIS4J3K6ZD4RX/

[ovirt-users] Re: Inconsistencies beteween WebUI, API read verbs and API write verbs

2019-04-16 Thread Ondra Machacek 

Hello,

instance type module was merged into Ansible 2.8:

 https://github.com/ansible/ansible/pull/54782

You can try it, if all is working fine for you.

But the issue you had is just missing header 'All-content: true', which 
enable listing all attributes.


$ curl -H 'All-content: true' -u user@profile:password -k 
https://fqdn/ovirt-engine/api/instancetypes


Ondra

On 16/04/2019 16:26, Baptiste Agasse wrote:

Hi All,

As I stated in a previous thread, we use instances types and wanted to automate 
some parts to manage it [1]. Thansk to ovirt-orb/lago and pointers given in the 
last thread, I'm working on ansible an module to manage ovirt instance types, 
but I'm facing some troubles for some of instance type attributes. From the 
API, I don't have access to all fields provided via WebUI (eg: Custom Emulated 
Machine), and it seems that some fields can be added/updated via the API but 
are not part of the response when you read an instance type (eg: VirtIO-SCSI 
Enabled). Provided examples are not exhaustive. I tried to find my way in the 
oVirt engine code-base to see if the fix will be easy for a non java developer 
like me. I find, I think, that it seems to be some API definitions for instance 
type [2] that define, if I understand it well, all verbs that can be applied to 
each resource and what field can be put when adding an instance type, but 
nothing about fields to be included when you read a resource (and I'm not sure 
if its related to v4 API). I find also some java code [3] [4] that seems 
related to this but As I'm not a java developer, its a little bit difficult for 
me to find my path in it. For me this inconsistencies are a bug, but as you 
stated that instance types are in deep maintenance mode, do you think that bug 
will get some attention ?

My objective is to have a ansible module that manage the hardware/bios related 
stuff (memory, boot sequence, scsi controller, bios type, almost all the 
things) and HA for instance type.

Have a nice day.

Cheers.

[1]: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TJAXYBMSIAAAYLAYCSLOTONY54WT7K3O/
[2]: 
https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/restapi/interface/definition/src/main/resources/rsdl_metadata.yaml#L3990
[3]: 
https://github.com/oVirt/ovirt-engine/blob/ede62008318d924556bc9dfc5710d90e9519670d/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendInstanceTypesResource.java
[4]: 
https://github.com/oVirt/ovirt-engine/blob/ede62008318d924556bc9dfc5710d90e9519670d/backend/manager/modules/restapi/types/src/main/java/org/ovirt/engine/api/restapi/types/InstanceTypeMapper.java
[5]: 
https://ovirt.github.io/ovirt-engine-sdk/4.1/types.m.html#ovirtsdk4.types.InstanceType


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QV6Y4MSGTW3UOYXFKEDM4SKM5HUWGEMN/

[ovirt-users] Re: Different credentials ovirt_vm module

2019-04-10 Thread Ondra Machacek 

Hello,

this seems ok to me. Can you please check the engine.log, for some error?

On 09/04/2019 22:26, Florian Rädler wrote:

Hi,

how can i use other credentials (run once) in the ansible playbook for 
Sysprep domain join?


My playbook:

User_name and root_password does not sound like it’s the right option.

How can I realize that?

BR

Florian




Pflichtangaben anzeigen 



Nähere Informationen zur Datenverarbeitung im DB-Konzern finden Sie 
hier: http://www.deutschebahn.com/de/konzern/datenschutz


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZOKA7M24U5HSZREVH7JRB33T43K2MDLX/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EEROHMFYZWR4U2IAWPOKKJSXGNES52UX/

[ovirt-users] Re: Info about AD integration and Root CA

2019-02-23 Thread Ondra Machacek 

Hi,

Sorry, but this seems to be Active directory specific issue. I would
suggest to ask on some Microsoft AD specific forum for such issue.

On 21/02/2019 16:41, Gianluca Cecchi wrote:

Hello,
in docs for 4.2 RHV (I think it applies to oVirt 4.2 too) for attaching 
to AD there is the statement

"
To set up secure connection between the LDAP server and the Manager, 
ensure a PEM-
encoded CA certificate has been prepared. See Section D.2, “Setting Up 
Encrypted

Communication between the Manager and an LDAP Server” for more information.
"
and in Appendix
"
To set up encrypted communication between the Red Hat Virtualization 
Manager and an LDAP server, obtain the root CA certificate of the LDAP 
server. . .

"
and in readme file referred in the Appendix 
(/usr/share/doc/ovirt-engine-extension-aaa-ldap-1.3.8/README) there is 
the command:


"
Active Directory

     Windows: > certutil -ca.cert myrootca.der
     Linux:   $ openssl -in myrootca.der -inform DER -out myrootca.pem
"

In my case on Windows DC (that is a Windows 2012 R2 server with "Domain 
functional level: Windows Server 2003") I get this error:


C:\Users\Administrator.MYDOMAIN>certutil -ca.cert mydomain.der
CertUtil: The system cannot find the file specified.

C:\Users\Administrator.MYDOMAIN>

What does it mean exactly?

Thanks in advance,
Gianluca



___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/D5FYNS2LTBI33ZO73ULERQMK7XDRMXVR/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EEXI653RXNQCHR7W4JASFTTKLHOMDMYA/

[ovirt-users] Re: latest pycurl 7.43 brokes ovirtsdk4

2019-01-24 Thread Ondra Machacek 

Can you please open issue on AWX: https://github.com/ansible/awx/issues ?

On 1/23/19 5:18 PM, Nathanaël Blanchet wrote:
And the AWX embedded pycurl 7.43 also brakes the ovirt4.py dynamic 
inventory!


  [WARNING]: Unable to parse /opt/awx/embedded/lib/python2.7/site-
packages/awx/plugins/inventory/ovirt4.py as an inventory source

Le 23/01/2019 à 11:55, Nathanaël Blanchet a écrit :



Le 23/01/2019 à 09:27, Ondra Machacek a écrit :

On 1/22/19 5:54 PM, Nathanaël Blanchet wrote:

Hi all,

If anyone uses latest pycurl 7.43 provided by pip or ansible 
tower/awx, any ovirtsdk4 calling will issue with the log:


The full traceback is:
WARNING: The below traceback may *not* be related to the actual 
failure.
   File "/tmp/ansible_ovirt_auth_payload_L1HK9E/__main__.py", line 
202, in 

 import ovirtsdk4 as sdk
   File 
"/opt/awx/embedded/lib64/python2.7/site-packages/ovirtsdk4/__init__.py", 
line 22, in 

 import pycurl

fatal: [localhost]: FAILED! => {
 "changed": false,
 "invocation": {
 "module_args": {
 "ca_file": null,
 "compress": true,
 "headers": null,
 "hostname": null,
 "insecure": true,
 "kerberos": false,
 "ovirt_auth": null,
 "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
 "state": "present",
 "timeout": 0,
 "token": null,
 "url": "https://acore.v100.abes.fr/ovirt-engine/api";,
 "username": "admin@internal"
 }
 },
 "msg": "ovirtsdk4 version 4.2.4 or higher is required for this 
module"

}

The only way is to set the version of pycurl with

pip install -U "pycurl == 7.19.0"

(Before this, in tower/awx, you should  create venv)


What's the version of AWX, where pycurl 7.43 is provided? I use latest
and I have 7.19. But anyway, I've tried to update to 7.43, and this 
worked for me with nss:


AWX 2.1.2
/opt/awx/embedded/lib64/python2.7/site-packages/pycurl-7.43.0.1.dist-info



$ source venv/awx/bin/activate
$ export PYCURL_SSL_LIBRARY=nss; pip install pycurl --compile 
--no-cache-dir

$ python -c 'import pycurl; print pycurl.version'
PycURL/7.43.0.2 libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 
libssh2/1.4.3


Yes, I've tried your trick and 7.43 works with the nss support like 
you say, but...


  * how can anyone guess he needs the nss library
  * it doesn't work out the box with the awx embedded  pycurl, so we
    must use venv

So it should be good to compile the embedded awx pycurl to natively 
support nss, out of venv.






--
Nathanaël Blanchet

Supervision réseau
Pôle Infrastrutures Informatiques
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tél. 33 (0)4 67 54 84 55
Fax  33 (0)4 67 54 84 14
blanc...@abes.fr
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PMOHDZADCP3R6GKYFUHSDH5NRAZJGNOM/ 




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XHMXO3BPP2ZM5W4LM57TC5462TEKEWCC/

[ovirt-users] Re: latest pycurl 7.43 brokes ovirtsdk4

2019-01-23 Thread Ondra Machacek 

On 1/22/19 5:54 PM, Nathanaël Blanchet wrote:

Hi all,

If anyone uses latest pycurl 7.43 provided by pip or ansible tower/awx, 
any ovirtsdk4 calling will issue with the log:


The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
   File "/tmp/ansible_ovirt_auth_payload_L1HK9E/__main__.py", line 202, 
in 

     import ovirtsdk4 as sdk
   File 
"/opt/awx/embedded/lib64/python2.7/site-packages/ovirtsdk4/__init__.py", 
line 22, in 

     import pycurl

fatal: [localhost]: FAILED! => {
     "changed": false,
     "invocation": {
     "module_args": {
     "ca_file": null,
     "compress": true,
     "headers": null,
     "hostname": null,
     "insecure": true,
     "kerberos": false,
     "ovirt_auth": null,
     "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
     "state": "present",
     "timeout": 0,
     "token": null,
     "url": "https://acore.v100.abes.fr/ovirt-engine/api";,
     "username": "admin@internal"
     }
     },
     "msg": "ovirtsdk4 version 4.2.4 or higher is required for this module"
}

The only way is to set the version of pycurl with

pip install -U "pycurl == 7.19.0"

(Before this, in tower/awx, you should  create venv)


What's the version of AWX, where pycurl 7.43 is provided? I use latest
and I have 7.19. But anyway, I've tried to update to 7.43, and this 
worked for me with nss:


$ source venv/awx/bin/activate
$ export PYCURL_SSL_LIBRARY=nss; pip install pycurl --compile --no-cache-dir
$ python -c 'import pycurl; print pycurl.version'
PycURL/7.43.0.2 libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3





___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PWZQUVHCGXH37EGPIB76ZO3A5K55SMQT/

[ovirt-users] Re: AffinityGroup API

2018-11-27 Thread Ondra Machacek 

So both of the user's roles are administrative,
so please try to remove following line in your script:

 > conn_attr[:headers] = {'Filter' => true }

This should be used only with roles which are not administrative,
like UserVmManager, etc.

On 11/27/18 1:21 PM, Staniforth, Paul wrote:

The user also has AffinityGroupManager role for the cluster this role has 
permission Manipulate Affinity Groups.

It is the same account that works when using the python SDK

2018-11-27 11:36:50,791Z INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5237) 
[b225cdb] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:50,988Z INFO  
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-5229) [21e2d0fe] EVENT_ID: USER_VDC_LOGIN(30), User secgen@internal-authz 
connecting from 'x.x.x.x' using session 
'mT2aF7+FziRwE3ZZ29y7y2QHidDX4aAquc5fwo5swyLVMxufAyF26JbmDNeN9ylob1+zSSH9JWu4bBDt2wdHGw=='
 logged in.
2018-11-27 11:36:51,081Z INFO  
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-5233) [] 
User @internal successfully logged in with scopes: ovirt-app-api 
ovirt-ext=token-in
fo:authz-search ovirt-ext=token-info:public-authz-search 
ovirt-ext=token-info:validate ovirt-ext=token:passw..d-access
2018-11-27 11:36:51,154Z INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5233) 
[1d0e61f8] Running command: CreateUserSessionCommand internal: false.
2018-11-27 11:36:51,604Z INFO  
[org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] 
(default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] No permission found 
for user 'd5b7e8f0-603e-47c5-a420-1f5f6834aa02' or one of the groups he is 
member of, when running action 'AddAffinityGroup', Required permissions are: 
Action type: 'ADMIN' Action group: 'MANIPULATE_AFFINITY_GROUPS' Object type: 
'Cluster'  Object ID: 'beac8771-1dbc-4046-99b1-c17d072fb27f'.
2018-11-27 11:36:51,604Z WARN  
[org.ovirt.engine.core.bll.scheduling.commands.AddAffinityGroupCommand] 
(default task-5233) [dd01962d-bead-499a-a31f-1ead974483ac] Validation of action 
'AddAffinityGroup' failed for user @internal-authz. Reasons: 
VAR__TYPE__AFFINITY_GROUP,VAR__ACTION__ADD,USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2018-11-27 11:36:51,606Z ERROR 
[org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default 
task-5233) [] Operation Failed: [User is not authorized to perform this action.]

Regards,
     Paul S.



From: Schreuders, Cliffe
Sent: 27 November 2018 11:55
To: Ondra Machacek; Staniforth, Paul
Cc: Andrej Krejcir; users; Shaw, Thomas
Subject: Re: [ovirt-users] AffinityGroup API

Hi Ondra,

Thanks. Here is a sample script that illustrates the problem. The same error 
occurs when adding a VM to an existing affinity group.

Sample code:
require 'ovirtsdk4'

conn_attr = {}
conn_attr[:url] = 'https:///ovirt-engine/api'
conn_attr[:username] = ''
conn_attr[:passwxxd] = ''
conn_attr[:debug] = true
conn_attr[:headers] = {'Filter' => true }

ovirt_connection = OvirtSDK4::Connection.new(conn_attr)
vms_service = ovirt_connection.system_service.vms_service
clusters_service = ovirt_connection.system_service.clusters_service
cluster = clusters_service.list(search: 'name=Default')[0]
cluster_service = clusters_service.cluster_service(cluster.id)
cluster_affinitygroups_service = cluster_service.affinity_groups_service

begin
   affinity_group_name = "affinity_group_test123"
   puts "Creating affinity group: #{affinity_group_name}"

   cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new(
  name: affinity_group_name,
  description: 'a description',
  vms_rule: OvirtSDK4::AffinityRule.new(
   enabled: true,
   positive: true,
   enforcing: true
  )
   ))
rescue Exception => e
   warn "Failed to create affinity group"
   warn e.message
end

Output:
cliffe@office:~/Code/ovirt_scripts$ ruby add_affinity_group.rb
Creating affinity group: affinity_group_test123
Failed to create affinity group
Fault reason is "Operation Failed". Fault detail is "[User is not authorized to 
perform this action.]". HTTP response code is 400.

The user has ReadOnlyAdmin permissions.

I would be happy to be told if I'm doing something wrong here, I didn't find 
any ruby examples that worked with affinity groups.

Paul could you please provide the engine.log entries? Thanks.

Cheers,

Cliffe.

On 27/11/2018 10:04, Ondra Machacek wrote:
Can you please share the script? And also what's the permission of the
user you are executing the script.

When see error 'User is not authorized to perform the action', we print
in engine.log, what&

[ovirt-users] Re: AffinityGroup API

2018-11-27 Thread Ondra Machacek 

Can you please share the script? And also what's the permission of the
user you are executing the script.

When see error 'User is not authorized to perform the action', we print
in engine.log, what's exactly wrong meaning we print what permissions
the user is missing in order to execute that action. So it may help you
find out what's wrong as well.

On 11/26/18 5:35 PM, Schreuders, Cliffe wrote:

Yes, the related issue we came across was that when using the Ruby gem,
assigning a VM to an Affinity Group raises an exception that states the
User is not authorized to perform the action; however, using the same
account works fine from the Admin portal and carrying out the exact same
steps via the Python SDK works as expected. The end result is that we
ended up calling a Python script from our Ruby code just to set the
affinity group.

Thanks, Paul.

On 26/11/2018 12:11, Staniforth, Paul wrote:

Hi Andrej

I believe they are using 4.2.5 they get a permission error although they can 
use the python SDK with the same account.

Paul S.
____
From: Ondra Machacek 
Sent: 26 November 2018 11:41
To: Staniforth, Paul
Cc: Andrej Krejcir; users
Subject: Re: [ovirt-users] AffinityGroup API

What version of the SDK do you use?
I can see it's supported in latest version.

On 11/26/18 11:13 AM, Andrej Krejcir wrote:

Hi,

I don't know much about ruby SDK. I think the SDKs for various languages
are generated from the API specification.

Ondra, is this a bug in ruby SDK?


Andrej

On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <
p.stanifo...@leedsbeckett.ac.uk> wrote:


Hello Andrej,

Also the Affinity Groups apparently aren't  available
in the Ruby SDK should I add this to the bug report?


Thanks,

Paul S.
--
*From:* Andrej Krejcir 
*Sent:* 21 November 2018 13:32
*To:* Staniforth, Paul
*Cc:* users
*Subject:* Re: [ovirt-users] AffinityGroup API

Hi,

Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so we
can add it?

As a workaround, the hosts can be modified by PUT request to the
AffinityGroup endpoint directly, for example:

PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678

   
   
   
   


However, this will replace all hosts in the affinity group with the hosts
listed.


Best regards,
Andrej


[1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine

On Wed, 21 Nov 2018 at 13:26,  wrote:


Hello,
 When using the API to update an AffinityGroup there is a
AffinityGroupVm and AffinityGroupVms so I can add or remove VMs but there
is no AffinityGroupHost or AffinityGroupHosts, therefore I can't add or
remove hosts.

Thanks,
Paul S.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLDHSE6CPUVZOD3I2TI2YBQD/


To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html



To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IZEOPB3SYNBYEE6B7KKBHA6E24IOZ7HY/

[ovirt-users] Re: IPA Users via AD DC's

2018-11-26 Thread Ondra Machacek 

On 11/26/18 5:44 AM, TomK wrote:

Hello,

I've configured LDAP via IPA in oVirt 4.X.  It works for locally defined 
users in IPA but not those mapped from the AD DC.  So I had two questions:


1) Is there a format of the username and password I need to type in for 
this to work?  Or is retrieving AD DC mapped users not possible with 
oVirt right now?


It's not possible right now.



2) Can I use two providers in oVirt simultaneously?  One IPA and the 
other AD?




Sure, you can have two profiles, one for IPA and one for AD.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/G4DHVUB62GKB3Y7IZGTVMLSF27JCUSFY/

[ovirt-users] Re: AffinityGroup API

2018-11-26 Thread Ondra Machacek 

What version of the SDK do you use?
I can see it's supported in latest version.

On 11/26/18 11:13 AM, Andrej Krejcir wrote:

Hi,

I don't know much about ruby SDK. I think the SDKs for various languages
are generated from the API specification.

Ondra, is this a bug in ruby SDK?


Andrej

On Fri, 23 Nov 2018 at 18:06, Staniforth, Paul <
p.stanifo...@leedsbeckett.ac.uk> wrote:


Hello Andrej,

  Also the Affinity Groups apparently aren't  available
in the Ruby SDK should I add this to the bug report?


Thanks,

  Paul S.
--
*From:* Andrej Krejcir 
*Sent:* 21 November 2018 13:32
*To:* Staniforth, Paul
*Cc:* users
*Subject:* Re: [ovirt-users] AffinityGroup API

Hi,

Yes, the AffinityGroupHosts is missing. Can you please open a bug[1] so we
can add it?

As a workaround, the hosts can be modified by PUT request to the
AffinityGroup endpoint directly, for example:

PUT /ovirt-engine/api/clusters/1234/affinitygroups/5678

 
 
 
 


However, this will replace all hosts in the affinity group with the hosts
listed.


Best regards,
Andrej


[1] - https://bugzilla.redhat.com/enter_bug.cgi?product=ovirt-engine

On Wed, 21 Nov 2018 at 13:26,  wrote:


Hello,
   When using the API to update an AffinityGroup there is a
AffinityGroupVm and AffinityGroupVms so I can add or remove VMs but there
is no AffinityGroupHost or AffinityGroupHosts, therefore I can't add or
remove hosts.

Thanks,
  Paul S.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BUMDJ34JRLDHSE6CPUVZOD3I2TI2YBQD/


To view the terms under which this email is distributed, please go to:-
http://disclaimer.leedsbeckett.ac.uk/disclaimer/disclaimer.html





___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OKN7LZIBOOZ5K3S5XD47PSV6XXYE46VL/

[ovirt-users] Re: ovirt-host-upgrade failed on centos 7.5 host with new ansible 2.7.1+ and its default yum: dnf backend

2018-11-20 Thread Ondra Machacek 

What's your version of python2-dnf?
base.update_cache was introduced in 2.1.0-1.

On 11/20/18 11:25 AM, Oliver Riesener wrote:

Hi,

i found an permanent updates avail on centos 7.5 host with ovirt 
4.2.7.5-1-el7 and ansible 2.7.1+.


Background: ansible 2.7.1+ "auto use" the yum: backend.

The new avail backend and auto selected backend "yum 4" uses "dnf" and 
didn't

recognize the attribute "update_cache: yes" in yum: ansible task.

 Solution:

* switch backend to old yum style.

# diff 
/usr/share/ovirt-engine/playbooks/roles/ovirt-host-upgrade/tasks/main.yml.orig 
/usr/share/ovirt-engine/playbooks/roles/ovirt-host-upgrade/tasks/main.yml

11a12
 > use_backend: yum

* on ovirt node the file and the problem didn't exists.

best regards.


TASK [ovirt-host-upgrade : Install ovirt-host package if it isn't 
installed] 
** 

task path: 
/usr/share/ovirt-engine/playbooks/roles/ovirt-host-upgrade/tasks/main.yml:8
fatal: [ovn-elem.example.org]: FAILED! => {"ansible_facts": {"pkg_mgr": 
"dnf"}, "changed": false, "module_stderr": "Shared connection to 
ovn-elem.example.org closed.\r\n", "module_stdout": "Traceback (most 
recent call last):\r\n  File 
\"/root/.ansible/tmp/ansible-tmp-1542705098.43-115863495291729/AnsiballZ_dnf.py\", 
line 113, in \r\n    _ansiballz_main()\r\n  File 
\"/root/.ansible/tmp/ansible-tmp-1542705098.43-115863495291729/AnsiballZ_dnf.py\", 
line 105, in _ansiballz_main\r\n    invoke_module(zipped_mod, temp_path, 
ANSIBALLZ_PARAMS)\r\n  File 
\"/root/.ansible/tmp/ansible-tmp-1542705098.43-115863495291729/AnsiballZ_dnf.py\", 
line 48, in invoke_module\r\n    imp.load_module('__main__', mod, 
module, MOD_DESC)\r\n  File 
\"/tmp/ansible_dnf_payload_KN71mV/__main__.py\", line 1079, in 
\r\n  File \"/tmp/ansible_dnf_payload_KN71mV/__main__.py\", line 
1068, in main\r\n  File \"/tmp/ansible_dnf_payload_KN71mV/__main__.py\", 
line 1044, in run\r\n  File 
\"/tmp/ansible_dnf_payload_KN71mV/__main__.py\", line 570, in 
_base\r\nAttributeError: 'Base' object has no attribute 
'update_cache'\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the 
exact error", "rc": 1}

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MKQXH2WXICTHXJLNXW36TW7RUMAKRV45/ 


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/N6QLJXPI4SZ5RP3IGKEKCILJRMSZ5ES3/

[ovirt-users] Re: Ovirt-engine Domain integration to SAMBA4.7 AD domain controller

2018-11-14 Thread Ondra Machacek 



On 11/14/18 6:26 AM, aru_bar...@yahoo.com wrote:

1.I have one samba4 AD domain controller[samba4dc.eipl.com]
2. I get PEM.code from default smb file from domain controller
3. when i try the following command to check user "ovirt-engine-extensions-tool aaa 
login-user --profile=eipl.com --user-name=administrator"
it show me the following error "SEVERE  Cannot resolve principal 
'administra...@eipl.com'" so please give me any idea about this


Such ERROR is indicating that user with UPN administra...@eipl.com 
doesnt exists. You need to specify custom UPN suffix to user-name in 
case you use custom UPNS, for example ... 
--user-name=administra...@custom.eipl.com



___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UTSXYZ7L5K7DJ7E3CIH62267FT7BXIZI/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/S3FCVXI4EC2CASYWUGZGDRDHNQCLOFNU/

[ovirt-users] Re: LDAP Bind failing because of SSLHandshakeException after Virtualization Manager was rebooted

2018-11-14 Thread Ondra Machacek 

On 11/13/18 10:09 PM, Will Hegedus wrote:

So, it turns out that one of the domain controllers had a different certificate 
chain (outside of my team's control) which was inexplicably causing the whole 
thing to fail.

I would run "ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user 
--user-name=prea...@liberty.edu --profile=liberty.edu" and everything would look fine up until the point 
that it needed to "doFetchPrincipalRecord", at which point it would fail to get the principal 
record for the account. The bind would succeed, but because "Creating LDAPConnectionPool" would 
fail on *just one* of the domain controllers, it for some reason seemed to invalidate all of the entries in 
that pool, thereby causing the fetching of principal records to fail even though the bind succeeded on one of 
the OK domain controllers.

Is this behavior intended? I really think this should be classified as a bug.

For what it's worth, this was resolved by getting the certificate chain from 
the problem DC and then adding it to the Java Keystore with the other 
certificate chain that all the other domain controllers use.


Please open a bug will detail information of the AD infrastructure, like
what's the forest what's the domains, and which DC are in domain, and I
will try to take a look. Thanks a lot!


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZCQPBSP4HW35JNJDPJUULDQVAP7C5A43/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JNWW5R2Y5AA2TX3HRZD5VLJQCFKRESOV/

[ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed

2018-11-14 Thread Ondra Machacek 

You need to create some users in 'dc=cyber-range,dc=lan', you can switch
to it in 389ds GUI console  and there create some users, and use those
users in aaa-ldap-setup and also in oVirt engine gui.

On 11/9/18 10:24 AM, Jeremy Tourville wrote:

An update, I was able to complete the setup.  It says it was successful but I still can't 
login using the engine web interface.  I selected the newly created profile using the 
dropdown arrow and entered my admin user and password.  I get an error "Unable to 
login.  Verify your login information or contact the system administrator."

I attached my log showing the setup completion.


From: Jeremy Tourville 
Sent: Monday, November 5, 2018 2:58 PM
To: Ondra Machacek
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed


Can you try to run that on command line[1], or can you double check that such 
user exists?


Here is the result of the command:
[root@ldap ~]# ldapsearch -x -H ldap://ldap.cyber-range.lan -b 
'dc=cyber-range,dc=lan' -D 
'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W uid=admin
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=admin
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Basically, I did not create any users except for the ones that were "created" 
during the setup-ds-admin.pl script run. 
https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
I ran the script just like the article did to include names, I did however 
change the server and domain names to match mine.  I didn't create any users 
using the GUI or ldapmodify after the initial setup.  Do I need to create a 
user with the needed bind privileges or is my problem somewhere else?


From: Ondra Machacek 
Sent: Monday, November 5, 2018 4:15 AM
To: Jeremy Tourville; Donny Davis
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed

Looking at logs you may see:

2018-10-31 16:48:09,331-05 FINEPerforming SearchRequest
'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER,
sizeLimit=0, timeLimit=0,
filter='&(objectClass=organizationalPerson)(uid=*)(uid=admin)',
attrs={nsuniqueid, uid, cn, displayName, department, givenName, sn,
title, mail})' request on server 'ldap.cyber-range.lan'
2018-10-31 16:48:09,333-05 FINESearchResult:
SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0,
referencesReturned=0)

So the AAA is trying to search user uid=admin in namespace
dc=cyber-range,dc=lan. But the 389ds return nothing. Can you try to run
that on command line[1], or can you double check that such user exists?

Seems like admin which you use in vars.user, from namespace
o=NetscapeRoot, can't search in namespace dc=cyber-range,dc=lan.

Try to use as vars.use user from namespace dc=cyber-range,dc=lan.

[1] ldapsearch -x -H ldap://ldap.cyber-range.lan -b
'dc=cyber-range,dc=lan' -D
'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W
uid=admin

On 11/2/18 2:01 PM, Jeremy Tourville wrote:

I have been trying to find the setting to confirm that.

On Nov 2, 2018 7:43 AM, Donny Davis  wrote:
Is binding allowed in your 389ds instance?


On Fri, Nov 2, 2018, 8:11 AM Jeremy Tourville 
mailto:jeremy_tourvi...@hotmail.com> wrote:
The backend is 389 DS, no this is not Govt related.  This will be used as a 
training platform for my local ISSA chapter.  This is a new 389 DS server.  I 
followed the instructions at 
https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
The server is "stock" with the exceptions of the settings for startTLS and 
adding certificates, etc (basically, whatever is needed to integrate with the Ovirt 
Engine.)
I am using my Admin account to perform the bind.  What I don't understand is 
why everything else in the aaa setup script works except the login sequence.  
It would seem like my certificates are correct, correct use of the admin DN, 
etc.  The funny part is I can login to the server using the admin account and 
password yet the same admin account and password fail when using the aaa setup 
script.  But, that is why I am using the expert knowledge on the list!  Maybe I 
have overlooked a simple prerequisite setting needed for setup somewhere?

I'll wait for someone to chime in on possible reasons to get this message:
SEVERE  Authn.Result code is: CREDENTIALS_INVALID
[ ERROR ] Login sequence failed

__
Users mailing list -- users@ovirt.org<mailto:users@ovirt.org>
To unsubscribe send an email to 
users-le...@ovirt.org<mailto:users-le...@ovirt.org>
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https:

[ovirt-users] Re: poweroff and reboot with ovirt_vm ansible module

2018-11-05 Thread Ondra Machacek 

Joey is right, we don't such functionality. But feel free to open an
issue here[1] and we can implement it.

[1] https://github.com/ansible/ansible/issues

On 11/3/18 1:10 AM, Joey Ma wrote:

hi,

AFAIK, setting state=stopped is the only way to poweroff a VM. While to
reboot a VM, you could also follow the steps below:
1. Update a VM with some new properties that requires a restart operation,
also with the param: next_run=true
2. Set state=next_run in your playbook and apply it

Then the VM could reboot automatically.

On Sat, Nov 3, 2018 at 1:19 AM Nathanaël Blanchet  wrote:


Hello, is there a way to poweroff or reboot (without stopped and running
state) a vm with the ovirt_vm ansible module?

--
Nathanaël Blanchet

Supervision réseau
Pôle Infrastrutures Informatiques
227 avenue Professeur-Jean-Louis-Viala
34193 MONTPELLIER CEDEX 5
Tél. 33 (0)4 67 54 84 55
Fax  33 (0)4 67 54 84 14
blanc...@abes.fr
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/EBJOTJJKW3TGI63D2FXAK53ORXEUU3LO/




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/L5PEO3WOODJIB2WOV4HW2JD7UFOX2CVF/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3HPGM2N7WTTV5SDH6BQ7PVDLRTLUZY2R/

[ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed

2018-11-05 Thread Ondra Machacek 

Looking at logs you may see:

2018-10-31 16:48:09,331-05 FINEPerforming SearchRequest 
'SearchRequest(baseDN='dc=cyber-range,dc=lan', scope=SUB, deref=NEVER, 
sizeLimit=0, timeLimit=0, 
filter='&(objectClass=organizationalPerson)(uid=*)(uid=admin)', 
attrs={nsuniqueid, uid, cn, displayName, department, givenName, sn, 
title, mail})' request on server 'ldap.cyber-range.lan'
2018-10-31 16:48:09,333-05 FINESearchResult: 
SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, 
referencesReturned=0)


So the AAA is trying to search user uid=admin in namespace 
dc=cyber-range,dc=lan. But the 389ds return nothing. Can you try to run 
that on command line[1], or can you double check that such user exists?


Seems like admin which you use in vars.user, from namespace 
o=NetscapeRoot, can't search in namespace dc=cyber-range,dc=lan.


Try to use as vars.use user from namespace dc=cyber-range,dc=lan.

[1] ldapsearch -x -H ldap://ldap.cyber-range.lan -b 
'dc=cyber-range,dc=lan' -D 
'uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot' -W 
uid=admin


On 11/2/18 2:01 PM, Jeremy Tourville wrote:

I have been trying to find the setting to confirm that.

On Nov 2, 2018 7:43 AM, Donny Davis  wrote:
Is binding allowed in your 389ds instance?


On Fri, Nov 2, 2018, 8:11 AM Jeremy Tourville 
mailto:jeremy_tourvi...@hotmail.com> wrote:
The backend is 389 DS, no this is not Govt related.  This will be used as a 
training platform for my local ISSA chapter.  This is a new 389 DS server.  I 
followed the instructions at 
https://www.unixmen.com/install-and-configure-ldap-server-in-centos-7/
The server is "stock" with the exceptions of the settings for startTLS and 
adding certificates, etc (basically, whatever is needed to integrate with the Ovirt 
Engine.)
I am using my Admin account to perform the bind.  What I don't understand is 
why everything else in the aaa setup script works except the login sequence.  
It would seem like my certificates are correct, correct use of the admin DN, 
etc.  The funny part is I can login to the server using the admin account and 
password yet the same admin account and password fail when using the aaa setup 
script.  But, that is why I am using the expert knowledge on the list!  Maybe I 
have overlooked a simple prerequisite setting needed for setup somewhere?

I'll wait for someone to chime in on possible reasons to get this message:
SEVERE  Authn.Result code is: CREDENTIALS_INVALID
[ ERROR ] Login sequence failed

__
Users mailing list -- users@ovirt.org
To unsubscribe send an email to 
users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TGT7ASCWSUTU6TDT2HIBLBCRL2CEF3G6/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JN4AMQUNTFGL2NDUWNDG2AZTF7YIQPN6/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OMANIY4OZWNQBSSEXHCJTHI4VW4IPUGY/

[ovirt-users] Re: Automated VM rollout

2018-10-31 Thread Ondra Machacek 

In case of virtio_scsi, you should use following:

/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_{{ disk_id[:-16] }}

Where disk_id[:-16], is id which you get from API, for example:

 /api/disks/cdb62095-62ba-4137-8fa0-6375748d8868

so the result path is:

 /dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_cdb62095-62ba-4137-8

Which is symlink to sda, sdb, sdX...

On 10/30/18 12:01 PM, Markus Schaufler wrote:

Hi!

We are developing a tool for automated vm rollouts and struggle with the disk 
ordering which seems to be completly random?
ie. when creating a vm with 3 disks the order on the virtio scsi bus is 
different each time - which of course causes troubles when executing the next 
steps.

Thanks for any hints on this!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SWKWTGERQAO4LKBA4UGGLEI3TEW7TAMN/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/OPHGY2AH3UUTWP7OSB4UJJ6PKWVXFP3Z/

[ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed

2018-10-25 Thread Ondra Machacek 



On 10/24/18 1:00 AM, Jeremy Tourville wrote:

I am having trouble completing the AAA extension setup.  It fails at the end 
when testing the login flow, if I test the search that part works.
I can confirm that I am able to login to my system using the admin account so 
there is not a password issue.

I have listed my results below to include log level=finest.  I have also 
attached a log.  Sugeestions on troubleshooting are appreciated. I am not sure 
where to start.  Thanks!

   Please provide credentials to test login flow:
   Enter user name: admin
   Enter user password:
[ INFO  ] Executing login sequence...
   Login output:
   2018-10-23 16:43:46,432-05 INFO
=== 
   =
   2018-10-23 16:43:46,452-05 INFO 
Initia  
  lization 
   2018-10-23 16:43:46,452-05 INFO
=== 
   =
   2018-10-23 16:43:46,565-05 INFOLoading extension 
'ldap.cyber-range   
 .lan-authn'
   2018-10-23 16:43:46,668-05 INFOExtension 
'ldap.cyber-range.lan-aut   
 hn' loaded
   2018-10-23 16:43:46,672-05 INFOLoading extension 
'ldap.cyber-range   
 .lan'
   2018-10-23 16:43:46,681-05 INFOExtension 'ldap.cyber-range.lan' 
lo  
  aded
   2018-10-23 16:43:46,682-05 INFOInitializing extension 
'ldap.cyber-
range.lan-authn'
   2018-10-23 16:43:46,682-05 INFO
[ovirt-engine-extension-aaa-ldap.au 
   thn::ldap.cyber-range.lan-authn] 
Creating LDAP pool 'authz'
   2018-10-23 16:43:47,236-05 INFO
[ovirt-engine-extension-aaa-ldap.au 
   thn::ldap.cyber-range.lan-authn] 
LDAP pool 'authz' information: vendor='389 Proj 
   ect' 
version='389-Directory/1.3.7.5 B2018.269.1826'
   2018-10-23 16:43:47,237-05 INFO
[ovirt-engine-extension-aaa-ldap.au 
   thn::ldap.cyber-range.lan-authn] 
Creating LDAP pool 'authn'
   2018-10-23 16:43:47,518-05 INFO
[ovirt-engine-extension-aaa-ldap.au 
   thn::ldap.cyber-range.lan-authn] 
LDAP pool 'authn' information: vendor='389 Proj 
   ect' 
version='389-Directory/1.3.7.5 B2018.269.1826'
   2018-10-23 16:43:47,518-05 INFOExtension 
'ldap.cyber-range.lan-aut   
 hn' initialized
   2018-10-23 16:43:47,519-05 INFOInitializing extension 
'ldap.cyber-
range.lan'
   2018-10-23 16:43:47,520-05 INFO
[ovirt-engine-extension-aaa-ldap.au 
   thz::ldap.cyber-range.lan] Creating 
LDAP pool 'authz'
   2018-10-23 16:43:47,759-05 INFO
[ovirt-engine-extension-aaa-ldap.au 
   thz::ldap.cyber-range.lan] LDAP pool 
'authz' information: vendor='389 Project' v 
   
ersion='389-Directory/1.3.7.5 B2018.269.1826'
   2018-10-23 16:43:47,760-05 INFO
[ovirt-engine-extension-aaa-ldap.au 
   thz::ldap.cyber-range.lan] Available 
Namespaces: [dc=cyber-range,dc=lan]
   2018-10-23 16:43:47,760-05 INFOExtension 'ldap.cyber-range.lan' 
in  
  itialized
   2018-10-23 16:43:47,761-05 INFOStart of enabled extensions list
   2018-10-23 16:43:47,761-05 INFOInstance

[ovirt-users] Re: REST API on Engine

2018-10-25 Thread Ondra Machacek 

On 10/24/18 7:15 AM, Vrgotic, Marko wrote:

Dear oVirt team,

My project with the company for Operations is a success and department is 
successfully using oVirt 4.2.6 (started with 4.2.0 this January) platform with 
SHE and 12 Hypervisors, hooked to GlusterFS distributed-replicated, managed 
outside of oVirt. It is used for Support of Customers, Projects and Trainings.
Thank you oVirt community for such a great platform.
In fact, if it going so well that now I have the task to build new platform for 
Development/Engineering.

Since the users foot print is going to grow from 10 to 80 or 120, plus all the 
automated testing, I am wondering is there a way to make REST API of the Engine 
in HA/LB mode.


Well, since you are using HE, you have REST API in HA mode, as API is
running alongside with engine. AFAIK we don't provide any other way for
HA or LB.


For the other services, that is purpose of SHE and DB can always be in 
clustered mode, but I currently need information if there is something I can do 
in this direction for REST API.

Kindly awaiting your reply.


— — —
Met vriendelijke groet / Kind regards,

Marko Vrgotic
Sr.  System Engineer
m.vrgo...@activevideo.com
tel. +31 (0)35 677 4131
ActiveVideo BV
Mediacentrum 3741
Joop van den Endeplein 1
1217 WJ Hilversum



___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WA75RHOG75SWAFLBVKQXQP64TATR5BL5/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/FUTHTN7YNMEH2MWHHRGCEBPD4CHKXTDG/

[ovirt-users] Re: LDAP-Error

2018-09-27 Thread Ondra Machacek 

You get following error:

  Internal Server Error: Cannot resolve principal 'nbud...@psecure.net'
2018-09-26 21:30:35,573+05 ERROR [org.ovirt.engine.core.sso.utils.SsoUt

Meaning that user with UPN(user principal name) nbud...@psecure.net 
can't be found. Please double check if the user with that UPN exists.


On 9/26/18 6:09 PM, Budur Nagaraju wrote:

Hi

Have configured LDAP authentication in oVirt4.2, but unable to login facing
issues below is the error log and configuration, able to search the users
in the UI at same time unable to search the Group.

Can someone help on the same?


Error :

https://pastebin.com/76cZdV7d

Configuration:

https://pastebin.com/nRmibZh7

Thanks,
Nagaraju


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XYNGCLUPDFRI4QSGBBFSYXS4RIVSZZJU/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4GZ235JVW7YRRFXR54QNC4CTXTV7EREP/

[ovirt-users] Re: Ldap-configure

2018-09-26 Thread Ondra Machacek 

Hi,

you can check the documentation:


https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/#chapter-15-users-and-roles

On 9/26/18 10:12 AM, Budur Nagaraju wrote:

Hi

Can you please let us know how to configure LDAP authentication in oVirt
4.2 ?

Thanks,
Nagaraju


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DNHC4DIEM6OSYWR7XG4SXMHL7I6UUIE7/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/I6EES4XIBQ65PSV64S5CMBU2IPLGSFEA/

[ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed

2018-09-25 Thread Ondra Machacek 

Can you please share the whole log?

On 9/25/18 8:25 AM, mopiel games wrote:

i try it with new user dn:uid=user,dc=exalt,dc=ps but it show this :
2018-09-25 09:23:04,441+03 FINEST  simple_attrsGroupRecord = entryUUID, cn, 
description
2018-09-25 09:23:04,441+03 FINEST  simple_attrsPrincipalRecord = entryUUID, 
uid, cn, displayName, department, givenName, sn, title, mail
2018-09-25 09:23:04,441+03 FINEST  simple_attrsUserName = uid
2018-09-25 09:23:04,441+03 FINEST  simple_baseDN = dc=exalt,dc=ps
2018-09-25 09:23:04,441+03 FINEST  simple_bindFormat = dn
2018-09-25 09:23:04,441+03 FINEST  simple_filterGroupObject = 
(objectClass=groupOfNames)
2018-09-25 09:23:04,441+03 FINEST  simple_filterUserObject = 
(objectClass=uidObject)(uid=*)
2018-09-25 09:23:04,441+03 FINEST  simple_groupLogic = member
2018-09-25 09:23:04,441+03 FINEST  stop = true
2018-09-25 09:23:04,441+03 FINEST  user = user
2018-09-25 09:23:04,441+03 FINEST  VARS-END
2018-09-25 09:23:04,441+03 FINErunSequence Return name='authn'
2018-09-25 09:23:04,441+03 FINEdoAuthenticateCredentials Return 
{Extkey[name=AAA_AUTHN_RESULT;type=class 
java.lang.Integer;uuid=AAA_AUTHN_RESULT[af9771dc-a0bb-417d-a700-277616aedd85];]=12}
2018-09-25 09:23:04,441+03 FINEST  Invoke Output BEGIN
2018-09-25 09:23:04,441+03 FINEST  
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class 
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=0,
 Extkey[name=AAA_AUTHN_RESULT;type=class 
java.lang.Integer;uuid=AAA_AUTHN_RESULT[af9771dc-a0bb-417d-a700-277616aedd85];]=12}
2018-09-25 09:23:04,441+03 FINEST  Invoke Output END
2018-09-25 09:23:04,442+03 INFOAPI: 
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='ldap23.exalt.ps' 
result=CREDENTIALS_INVALID
2018-09-25 09:23:04,445+03 SEVERE  Authn.Result code is: CREDENTIALS_INVALID
2018-09-25 09:23:04,445+03 FINEException:
java.lang.RuntimeException: Authn.Result code is: CREDENTIALS_INVALID
 at 
org.ovirt.engine.exttool.aaa.AAAServiceImpl$Action.lambda$static$3(AAAServiceImpl.java:188)
 at 
org.ovirt.engine.exttool.aaa.AAAServiceImpl$Action.execute(AAAServiceImpl.java:417)
 at 
org.ovirt.engine.exttool.aaa.AAAServiceImpl.run(AAAServiceImpl.java:686)
 at 
org.ovirt.engine.exttool.core.ExtensionsToolExecutor.main(ExtensionsToolExecutor.java:120)
 at org.jboss.modules.Module.run(Module.java:352)
 at org.jboss.modules.Module.run(Module.java:320)
 at org.jboss.modules.Main.main(Main.java:593)

2018-09-25 09:23:04,446+03 FINEExiting with status '1'
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/YEEHGMJQASFSOUG554SKW7WRUBIG436F/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZMI6OXB5B5RLJELLQ5HDBDKISIZZDD4H/

[ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup failed

2018-09-24 Thread Ondra Machacek 
If you are sure you are passing correct credentials, then please save 
the correct configuration and run following command:


 $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user 
--user-name=taha --profile=ldap23.exalt.ps


and share the output.

On 9/24/18 11:11 AM, mopiel games wrote:

in the ovirt-engine-extension-aaa-ldap-setup i  try to login to the ldap user 
but it show  CREDENTIALS_INVALID ,put if i make search option it will show 
successful :
the question is how to make login successfully ?
  
[root@ovirt_engine home]# ovirt-engine-extension-aaa-ldap-setup

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
   Configuration files: 
['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packa

  ging.conf']
   Log file: 
/tmp/ovirt-engine-extension-aaa-ldap-setup-20180924120156-wutrcv.log
   Version: otopi-1.7.8 (otopi-1.7.8-1.el7)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
   Welcome to LDAP extension configuration program
   Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
6 - IPA
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
   10 - Oracle Unified Directory RFC-2307 Schema
   11 - RFC-2307 Schema (Generic)
   12 - RHDS
   13 - RHDS RFC-2307 Schema
   14 - iPlanet
   Please select: 9

   NOTE:
   It is highly recommended to use DNS resolution for LDAP server.
   If for some reason you intend to use hosts or plain address disable 
DNS usage.

   Use DNS (Yes, No) [Yes]:
   Available policy method:
1 - Single server
2 - DNS domain LDAP SRV record
3 - Round-robin between multiple hosts
4 - Failover between multiple hosts
   Please select: 1
   Please enter host address: ldap23.exalt.ps
[ INFO  ] Trying to resolve host 'ldap23.exalt.ps'

   NOTE:
   It is highly recommended to use secure protocol to access the LDAP 
server.
   Protocol startTLS is the standard recommended method to do so.
   Only in cases in which the startTLS is not supported, fallback to 
non standard ld 

 aps protocol.
   Use plain for test environments only.

   Please select protocol to use (startTLS, ldaps, plain) [startTLS]: 
ldaps
   Please select method to obtain PEM encoded CA certificate (File, 
URL, Inline, Sys

  tem, Insecure): file
   File path: /home/server.pem
[ INFO  ] Connecting to LDAP using 'ldaps://ldap23.exalt.ps:636'
[ INFO  ] Connection succeeded
   Enter search user DN (for example uid=username,dc=example,dc=com or 
leave empty f   
   
or anonymous): cn=admin,dc=exalt,dc=ps
   Enter search user password:
[ INFO  ] Attempting to bind using 'cn=admin,dc=exalt,dc=ps'
   Please enter base DN (dc=exalt,dc=ps) [dc=exalt,dc=ps]:
   Are you going to use Single Sign-On for Virtual Machines (Yes, No) 
[Yes]: no
   Please specify profile name that will be visible to users 
[ldap23.exalt.ps]:
[ INFO  ] Stage: Setup validation

   NOTE:
   It is highly recommended to test drive the configuration before 
applying it into

   engine.
   Login sequence is executed automatically, but it is recommended to 
also execute S  

earch sequence manually after successful Login sequence.

   Please provide credentials to test login flow:
   Enter user name: taha
   Enter user password:
[ INFO  ] Executing login sequence...
   Login output:
   2018-09-24 12:03:10,832+03 INFO
==

[ovirt-users] Re: ovirt4 api create snapshot

2018-09-07 Thread Ondra Machacek 



On 09/06/2018 01:07 PM, David David wrote:

hi
i have a vm with 3 disks and i want to take a snapshot with only two disks
how to do a multiple disk snapshot in the code below?

 snap = snaps_service.add(
 snapshot=types.Snapshot(
 description=snap_description,
 persist_memorystate=False,
 disk_attachments=[
 types.DiskAttachment(
 disk=types.Disk(
 id=disk_id
 )
 )
 ]
 ),
 )


DiskAttachments is a list, so you just need to specify as much of the 
disk as you need:


  snap = snaps_service.add(
  snapshot=types.Snapshot(
  description=snap_description,
  persist_memorystate=False,
  disk_attachments=[
  types.DiskAttachment(
  disk=types.Disk(
  id=disk_id
  )
  ),
  types.DiskAttachment(
  disk=types.Disk(
  id=disk_id_2
  )
  ),
  ]
  ),
  )





___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WKJTBKT4NZ2XIHBR6M5GPSWQS7K7KCTZ/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZTYQJOUTO3HIVJJNYG446B7ADB6WVAKC/

[ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup credentials invalid

2018-08-31 Thread Ondra Machacek 
Well, can you share whole engine.log after restart of ovirt-engine 
service to login attempt?


On 08/30/2018 04:44 PM, Douglas Duckworth wrote:

Thanks!

I set that after completing setup though still cannot login:

2018-08-30 10:42:46,470-04 ERROR
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default
task-5) [] Cannot authenticate user 'me@scu' connecting from '10.0.0.136':
Unable to log in. Verify your login information or contact the system
administrator.

How can I get get more verbose logging?

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Weill Cornell Medicine
1300 York Avenue
New York, NY 10065
E: d...@med.cornell.edu
O: 212-746-6305
F: 212-746-8690



On Thu, Aug 30, 2018 at 8:36 AM, Ondra Machacek  wrote:


On 08/29/2018 08:04 PM, Douglas Duckworth wrote:

Hi

I am not able to finish ovirt-engine-extension-aaa-ldap-setup due to the
error "credentials invalid."

My password's correct.  Our directory server's OpenLDAP standard schema.
Our accounts are under OU=People.  We are binding with a service account
that has access to the entire DN.

Any way to discern more information from attached logs?


As you can see you get:

2018-08-29 13:47:44,129-04 WARNING Exception: anonymous bind disallowed

More info how to solve this issue is here:

   https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.
ovirt.org_pipermail_users_2018-2DFebruary_086924.html&d=DwICaQ&c=
lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-
CbhH6xUjnRkaqPFUS2wTJ2cw&m=4tJ1lC_P1F3IAyLlVozg5gbalhcKCbsX2fQO69cYaWY&s=
GKdSUL68LUZfQo0jXz6oizzkl38dkjJBqsxlNjlNhg0&e=





Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Weill Cornell Medicine
1300 York Avenue
New York, NY 10065
E: d...@med.cornell.edu
O: 212-746-6305
F: 212-746-8690



___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://urldefense.proofpoint.

com/v2/url?u=https-3A__www.ovirt.org_site_privacy-2Dpolicy_&d=DwICaQ&c=
lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-
CbhH6xUjnRkaqPFUS2wTJ2cw&m=4tJ1lC_P1F3IAyLlVozg5gbalhcKCbsX2fQO69cYaWY&s=
EMrnI4emKvoDHpfvwPDhoIiX_UZd3_cUeYWCl26APHk&e=

oVirt Code of Conduct: https://urldefense.proofpoint.

com/v2/url?u=https-3A__www.ovirt.org_community_about_
community-2Dguidelines_&d=DwICaQ&c=lb62iw4YL4RFalcE2hQUQealT9-
RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=4tJ1lC_
P1F3IAyLlVozg5gbalhcKCbsX2fQO69cYaWY&s=K5tHvffPexNoF9tOFEFopJcv4ROA1s
JUfLr9dvAglXM&e=

List Archives: https://urldefense.proofpoint.

com/v2/url?u=https-3A__lists.ovirt.org_archives_list_users-
40ovirt.org_message_ROWSZGMEMSYKUWEIDAKZMSVTKHPPOEDN_&d=DwICaQ&c=
lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-
CbhH6xUjnRkaqPFUS2wTJ2cw&m=4tJ1lC_P1F3IAyLlVozg5gbalhcKCbsX2fQO69cYaWY&s=
lyUWPBTItHvb0nXgveWBdPUGNTyuAdUx4OnaME4dOrY&e=







___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/Z2OQVPODAHU4TQ4MCPOE2ZS2LSDM4LJU/

[ovirt-users] Re: ovirt-engine-extension-aaa-ldap-setup credentials invalid

2018-08-30 Thread Ondra Machacek 

On 08/29/2018 08:04 PM, Douglas Duckworth wrote:

Hi

I am not able to finish ovirt-engine-extension-aaa-ldap-setup due to the
error "credentials invalid."

My password's correct.  Our directory server's OpenLDAP standard schema.
Our accounts are under OU=People.  We are binding with a service account
that has access to the entire DN.

Any way to discern more information from attached logs?


As you can see you get:

2018-08-29 13:47:44,129-04 WARNING Exception: anonymous bind disallowed

More info how to solve this issue is here:

 https://lists.ovirt.org/pipermail/users/2018-February/086924.html





Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Weill Cornell Medicine
1300 York Avenue
New York, NY 10065
E: d...@med.cornell.edu
O: 212-746-6305
F: 212-746-8690



___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/ROWSZGMEMSYKUWEIDAKZMSVTKHPPOEDN/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GTDZ3LVHOAMIZ5AXEJIXSFCMH44A36MT/

[ovirt-users] Re: ovirt-ansible download/upload of snapshots for backup

2018-08-16 Thread Ondra Machacek 



On 08/15/2018 03:19 PM, Николаев Алексей wrote:

Hi community!
Does the ansible module "ovirt_snapshots" support download/upload of snapshots?
According to the https://bugzilla.redhat.com/show_bug.cgi?id=1405805 support of
this functionality is already implemented in the ovirt API.
How to use ovirt-ansible to implement the following backup strategy: take a
snapshot, back up a virtual machine from a snapshot, save a backup to storage,
data domain, export domain, etc?


This isn't yet supported by ansible, but we should add this support.

Can you please open an issue here:

 https://github.com/ansible/ansible/issues





___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QDSBYMQFTKYMZJEAXGPKKWLZ4FJLRFGA/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WKTWTML5ZIUKNWH32KNOKFYWU6IJVEII/

[ovirt-users] Re: [ovirt-engine-api-model] Any solutions to add custom key/value pairs into entities?

2018-08-14 Thread Ondra Machacek 

Hi,

On 08/14/2018 11:53 AM, Joey Ma wrote:

Hi all,

In my case, I need to add customized KVs into API model entities, such 
as VM, Disk, Template and etc.


I looked through the API model documents and got some existing 
Tag/Property/CustomProperty structs, all of which have limitations and 
can not work it out.


Are there any solutions?


there is no such solution.

May I ask what is the use case for this. Why it would be useful, if it 
doesn't have any backend mapping, so no real function?




Thanks,
Joey




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/GGCLMYBPFTPDOZLHRKAFCM2CBAMMXIUW/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WZY3B4OM65AZ2KXHQ2KRY4ZJOJD2GTIR/

[ovirt-users] Re: AAA question...takes long time to log in

2018-07-31 Thread Ondra Machacek 

On 07/27/2018 01:59 AM, sipandb...@hotmail.com wrote:

I work at a company with a massive AD infrastructure. Is there any way to 
specify a specific OU to search through instead of just providing a top level 
DN? We use sssd for all our authing needs on our linux machines and would like 
to do something like below:

ldap_user_search_base = OU=Employees,OU=blah users,DC=blah,DC=com
enumerate = false

When I connect on cli it looks like Ovirt is reaching out and grabbing a ton of 
info it doesn't really need. It takes on average 40 second to allow me to log 
in on CLI or UI. This is not an AD issue as we use AD on everything in our labs 
and have no issues with speed.

I applied these changes and it didn't speed anything up.

https://ovirt.org/develop/release-management/features/infra/aaa_faq/

I can see from a tcpdump that I am in fact hitting my local AD servers and not 
going across the world to get an answer.


Do you use include  or include ?

ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN which means less 
network requests to AD servers, but higher load on less AD servers,

to fetch users/groups information.

ad-recursive.properties is using more request on more AD servers to get 
full users/groups information, but has higher load on network. So it's 
bad if you have high latency on network, but good in case you have slow 
AD servers, but good latency network.


Try both and you can see which will show better performance for you.

In order to modify baseDN of search user request, you may add to your 
profile.properties file:


 search.ad-query-principals.search-request.baseDN = 
OU=Employees,OU=blah users,${seq:_ad_baseDN}




Thanks!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WOHX5FFV5LFWRQRQCFFYJE2YEUBPJKAW/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UVT3TMWMK5JTJHM5MDPOV6EJDDVP52TP/

[ovirt-users] Re: Sync LDAP users in Ovirt

2018-07-24 Thread Ondra Machacek 

If it's possible in SDK it's also possible in API.

To get all domains:

http://ovirt.github.io/ovirt-engine-api-model/4.2/#services/domains/methods/list

To get all users in domain:

http://ovirt.github.io/ovirt-engine-api-model/4.2/#services/domain_users/methods/list

To add user from domain:

http://ovirt.github.io/ovirt-engine-api-model/4.2/#services/users/methods/add

To assign permissions to added user:

http://ovirt.github.io/ovirt-engine-api-model/4.2/#services/assigned_permissions/methods/add


On 07/24/2018 12:06 PM, Hari Prasanth Loganathan wrote:

Hi Ondra,

We are not using ovirtSDK, It is completely new to us.

*Is there an oVirt API *
    1) To discover all the users in LDAP using the provided domain 
and namespace?

    2) Add all the discovered users in Ovirt?
    3) Assign the superuser permission for all the discovered users?

Thanks,
Hari

On Tue, Jul 24, 2018 at 3:26 PM, Ondra Machacek <mailto:omach...@redhat.com>> wrote:


Something like this should work for you:

import ovirtsdk4 as sdk
import ovirtsdk4.types as types

DOMAIN_NAME = 'internal-authz'

connection = sdk.Connection(...)

users_service = connection.system_service().users_service()

domains_service = connection.system_service().domains_service()
domain = next((domain for domain in domains_service.list() if
domain.name <http://domain.name> == DOMAIN_NAME), None)
domain_service = domains_service.domain_service(domain.id
<http://domain.id>)
users = domain_service.users_service().list()
for user in users:
     users_service.add(
         types.User(
             user_name=user.user_name,
             domain=types.Domain(
                 name=domain.name <http://domain.name>,
             ),
         ),
     )

connection.close()


On 07/24/2018 11:51 AM, Hari Prasanth Loganathan wrote:

Also Ondra,

I added the list of users in a group in LDAP and I am able to
discover all the users in ovirt UI (In add users and groups tab).
*Is there an API *to discover the users in LDAP and add in the
user's table in Ovirt?

Thanks,
Hari

On Tue, Jul 24, 2018 at 2:53 PM, Hari Prasanth Loganathan
mailto:hariprasant...@msystechnologies.com>
<mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>> wrote:

     Hi Ondra,

     Thanks much for the suggestion. Much Appreciated.

     It's not, but you can write a script which can do this. -
Could you
     give a small brief on the type of script we need to write?



     On Tue, Jul 24, 2018 at 12:50 PM, Ondra Machacek
     mailto:omach...@redhat.com>
<mailto:omach...@redhat.com <mailto:omach...@redhat.com>>> wrote:

         It's not, but you can write a script which can do this.
But if
         you want
         all users from the ldap are able to login I would
suggest to you
         create
         some group in LDAP and add all users as a member of
this group
         and add
         this group to ovirt and assign it the permissions.

         On 07/23/2018 08:36 PM, Hari Prasanth Loganathan wrote:

             Guys any update on this ?

             Any help is much useful for me 😊

             On Mon, 23 Jul 2018 at 9:04 PM, Hari Prasanth
Loganathan
             mailto:hariprasant...@msystechnologies.com>
             <mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>
             <mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>

             <mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>>> wrote:

                  Hi Team,

                  Good Morning.

                  I configured the ovirt with LDAP setup.

                  Is there an *oVirt tool* (or any way) to add
all the
             users from LDAP
                  to Ovirt?

                  _*Observation*_ :

                  1) I am able to see that when I try to login
with the
             user from
                  LDAP, that user is added in Ovirt database, So
Is there
             a way to
                  sync all the users from LDAP to Ovirt using
any oVirt
             tool or API?

                  Any help is much appreciated.

                  Thanks,
                  Hari


             DISCLAIMER- *MSysTe

[ovirt-users] Re: Sync LDAP users in Ovirt

2018-07-24 Thread Ondra Machacek 

Something like this should work for you:

import ovirtsdk4 as sdk
import ovirtsdk4.types as types

DOMAIN_NAME = 'internal-authz'

connection = sdk.Connection(...)

users_service = connection.system_service().users_service()

domains_service = connection.system_service().domains_service()
domain = next((domain for domain in domains_service.list() if 
domain.name == DOMAIN_NAME), None)

domain_service = domains_service.domain_service(domain.id)
users = domain_service.users_service().list()
for user in users:
users_service.add(
types.User(
user_name=user.user_name,
domain=types.Domain(
name=domain.name,
),
),
)

connection.close()


On 07/24/2018 11:51 AM, Hari Prasanth Loganathan wrote:

Also Ondra,

I added the list of users in a group in LDAP and I am able to discover 
all the users in ovirt UI (In add users and groups tab).
*Is there an API *to discover the users in LDAP and add in the user's 
table in Ovirt?


Thanks,
Hari

On Tue, Jul 24, 2018 at 2:53 PM, Hari Prasanth Loganathan 
<mailto:hariprasant...@msystechnologies.com>> wrote:


Hi Ondra,

Thanks much for the suggestion. Much Appreciated.

It's not, but you can write a script which can do this. - Could you
give a small brief on the type of script we need to write?



On Tue, Jul 24, 2018 at 12:50 PM, Ondra Machacek
mailto:omach...@redhat.com>> wrote:

It's not, but you can write a script which can do this. But if
you want
all users from the ldap are able to login I would suggest to you
create
some group in LDAP and add all users as a member of this group
and add
this group to ovirt and assign it the permissions.

On 07/23/2018 08:36 PM, Hari Prasanth Loganathan wrote:

Guys any update on this ?

Any help is much useful for me 😊

On Mon, 23 Jul 2018 at 9:04 PM, Hari Prasanth Loganathan
mailto:hariprasant...@msystechnologies.com>
<mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>> wrote:

     Hi Team,

     Good Morning.

     I configured the ovirt with LDAP setup.

     Is there an *oVirt tool* (or any way) to add all the
users from LDAP
     to Ovirt?

     _*Observation*_ :

     1) I am able to see that when I try to login with the
user from
     LDAP, that user is added in Ovirt database, So Is there
a way to
     sync all the users from LDAP to Ovirt using any oVirt
tool or API?

     Any help is much appreciated.

     Thanks,
     Hari


DISCLAIMER- *MSysTechnologies LLC*

This email message, contents and its attachments may contain
confidential, proprietary or legally privileged information
and is intended solely for the use of the individual or
entity to whom it is actually intended. If you have
erroneously received this message, please permanently delete
it immediately and notify the sender. If you are not the
intended recipient of the email message,you are notified
strictly not to disseminate,distribute or copy this
e-mail.E-mail transmission cannot be guaranteed to be secure
or error-free as Information could be intercepted,
corrupted, lost, destroyed, incomplete or contain viruses
and MSysTechnologies LLC accepts no liability for the
contents and integrity of this mail or for any damage caused
by the limitations of the e-mail transmission.



___
Users mailing list -- users@ovirt.org <mailto:users@ovirt.org>
To unsubscribe send an email to users-le...@ovirt.org
<mailto:users-le...@ovirt.org>
Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
<https://www.ovirt.org/site/privacy-policy/>
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
<https://www.ovirt.org/community/about/community-guidelines/>
List Archives:

https://lists.ovirt.org/archives/list/users@ovirt.org/message/TNDRY46K7PYM2TCIHR3IHUL2B6LPV2QC/

<https://lists.ovirt.org/archives/list/users@ovirt.org/message/TNDRY46K7PYM2TCIHR3IHUL2B6LPV2QC/>




DISCLAIMER- *MSysTechnologies LLC*

This email message, contents and its attachments may contain 
confidential, proprietary or legally privileged information and is 
intended solely for the use of the individual or entity to whom it is 
actually intended. If you have

[ovirt-users] Re: Sync LDAP users in Ovirt

2018-07-24 Thread Ondra Machacek 

It's not, but you can write a script which can do this. But if you want
all users from the ldap are able to login I would suggest to you create
some group in LDAP and add all users as a member of this group and add
this group to ovirt and assign it the permissions.

On 07/23/2018 08:36 PM, Hari Prasanth Loganathan wrote:

Guys any update on this ?

Any help is much useful for me 😊

On Mon, 23 Jul 2018 at 9:04 PM, Hari Prasanth Loganathan 
> wrote:


Hi Team,

Good Morning.

I configured the ovirt with LDAP setup.

Is there an *oVirt tool* (or any way) to add all the users from LDAP
to Ovirt?

_*Observation*_ :

1) I am able to see that when I try to login with the user from
LDAP, that user is added in Ovirt database, So Is there a way to
sync all the users from LDAP to Ovirt using any oVirt tool or API?

Any help is much appreciated.

Thanks,
Hari


DISCLAIMER- *MSysTechnologies LLC*

This email message, contents and its attachments may contain 
confidential, proprietary or legally privileged information and is 
intended solely for the use of the individual or entity to whom it is 
actually intended. If you have erroneously received this message, please 
permanently delete it immediately and notify the sender. If you are not 
the intended recipient of the email message,you are notified strictly 
not to disseminate,distribute or copy this e-mail.E-mail transmission 
cannot be guaranteed to be secure or error-free as Information could be 
intercepted, corrupted, lost, destroyed, incomplete or contain viruses 
and MSysTechnologies LLC accepts no liability for the contents and 
integrity of this mail or for any damage caused by the limitations of 
the e-mail transmission.




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/TNDRY46K7PYM2TCIHR3IHUL2B6LPV2QC/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/Z2V7TFHEVRKAD4QOCLRSMA5THEOQG6IM/

[ovirt-users] Re: Ovirt4.2 AD integration issue

2018-07-24 Thread Ondra Machacek 

Can you please share the full debug log?

On 07/23/2018 02:55 PM, Arun S wrote:

Hello,


I need help to resolve Ovirt AD auth setup issue.


I have setup ovirt-engine-4.2 and I am trying to integrate with AD for 
user authentication.



Using  (ad.properties) I am able to bind to AD, however test login is 
failing with "Invalid credentials"



---

FINEST: message = 80090308: LdapErr: DSID-0C090400, comment: 
AcceptSecurityContext error, data 52e, v1db1



API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS 
profile='abc.internal' result=CREDENTIALS_INCORRECT

  SEVERE  Authn.Result code is: CREDENTIALS_INCORRECT

---


Users credentials is correct.





___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/U4ADVGWHVR3WBTLBXEMGUQCJT7LW5UIB/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/BMHCLYGLKKBXP2EBDLARWGTNOETEO2HN/

[ovirt-users] Re: Problem with following host link for vm list using Java SDK.

2018-07-12 Thread Ondra Machacek 

On 07/12/2018 11:25 PM, dchamb...@bugfixer.net wrote:

When trying to do VM list using the 4.2.4 Java SDK against a 4.2.4 engine, I am 
getting an error while trying to follow the host link to get host info. Any 
suggestions on fixing this?

List vms = vmsService.list()
 .follow("host")
 .send().vms();


Check the following example:


https://github.com/oVirt/ovirt-engine-sdk-java/blob/master/sdk/src/test/java/org/ovirt/engine/sdk4/examples/FollowVmLinks.java#L62

If you need host you just need to do:

 Host host = connection.followLink(vm.host());



Exception in thread "main" org.ovirt.engine.sdk4.Error: Failed to send request
 at 
org.ovirt.engine.sdk4.internal.HttpConnection.send(HttpConnection.java:255)
 at 
org.ovirt.engine.sdk4.internal.HttpConnection.send(HttpConnection.java:229)
 at 
org.ovirt.engine.sdk4.internal.services.VmsServiceImpl$ListRequestImpl.send(VmsServiceImpl.java:563)
 at 
org.ovirt.engine.sdk4.internal.services.VmsServiceImpl$ListRequestImpl.send(VmsServiceImpl.java:477)
 at com.foo.ovirt.test.VMList.main(VMList.java:59)
Caused by: org.ovirt.engine.sdk4.Error: The response content type 
'text/html;charset=UTF-8' isn't the expected XML
 at 
org.ovirt.engine.sdk4.internal.HttpConnection.checkContentType(HttpConnection.java:287)
 at 
org.ovirt.engine.sdk4.internal.HttpConnection.send(HttpConnection.java:251)
 ... 4 more
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IGLEJESNPJRX3P7ED6AUEFG7LD2PC6ZL/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/H4NJ72HVVYII3EAZ265Y5L75AIYQBT4H/

[ovirt-users] Re: Python-SDK4: Check snapshot deletion result?

2018-07-12 Thread Ondra Machacek 

On 07/11/2018 10:10 AM, nico...@devels.es wrote:

Hi,

We're using ovirt-engine-sdk-python 4.1.6 on oVirt 4.1.9, currently 
we're trying to delete some snapshots via a script like this:


     sys_serv = conn.system_service()
     vms_service = sys_serv.vms_service()
     vm_service = vms_service.vm_service(vmid)
     snaps_service = vm_service.snapshots_service()
     snaps_service.service('SNAPSHOT-ID').remove()


In case of failure this line should raise Error, so you should know it
failed.



This works, mostly... however, sometimes the deletion fails:

     Failed to delete snapshot 'snapshot name' for VM 'vm'.

Is it currently possible to know via Python-SDK that the deletion 
actually failed? I know I can check the state of a snapshot, but I'd 
like to check the result of the task. Is that possible somehow?


Thanks.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/AFGSUUJ3RNWX6H66RRGDPFLM6YEL577F/ 


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LM7C5WTUC63WIDYX37OKCG7FCBPFNTA6/

[ovirt-users] Re: oVirt Authentication and Authorization

2018-06-29 Thread Ondra Machacek 

What's your use-case? You need all users to access without any
username/password? Why not rather share some username/password of guest 
account them?


On 06/29/2018 12:39 PM, Hari Prasanth Loganathan wrote:
Guys any update on this, If you have any clarification in my query 
please let me know.


Thanks,
Hari

On Thu, Jun 28, 2018 at 6:19 PM, Hari Prasanth Loganathan 
> wrote:


Hi Team,

We have three components in our setup

1) Our Script (application using python)
2) Ovirt
3) LDAP (Also integrated to oVirt)

1) Our Python application is authenticating to LDAP and it creates a
token for our application
2) For accessing the API's in oVIrt, I need to contact to the oVirt
API which authenticates and creates a token for it
3) then I need to maintain the token of my application with its
mapping to the ovirt tokenId in my application.

When I want to hit any oVirt API, First I perform the token check in
my application (using my application token) then I need to perform
the ovirt token check in oVirt.

1)*I would like to know Is there a way to skip the authentication
and authorization in oVIrt?
*
2)*Or Is it possible to point the authentication check for oVirt (to
my application / to some URL which I configure) which always return
true and allow for all oVirt API's?*


*I did some analysis and verified the oVirt code in github,
Identified that it is going via a fliter in web.xml which points to
the class, Is it possible to tune this? *

    
     RestApiSessionValidationFilter

org.ovirt.engine.core.aaa.filters.RestApiSessionValidationFilter

     
     
     RestApiSessionValidationFilter
     /*
     

     
     SessionValidationFilter

org.ovirt.engine.core.aaa.filters.SessionValidationFilter

     
     
     SessionValidationFilter
     /*
     

     
     SsoRestApiAuthFilter

org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter

     
     
     SsoRestApiAuthFilter
     /*
     

     
     SsoRestApiNegotiationFilter

org.ovirt.engine.core.aaa.filters.SsoRestApiNegotiationFilter

     
     
     SsoRestApiNegotiationFilter
     /*
     

If my query is not clear, please let me know.

Thanks,
Hari





___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/R5QK6VPZ5OQXHBODY4BY5JHJCC4X2ZKV/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5LS7XGP4WIYRHXHKNIM2C2JPYC4DKKJB/

[ovirt-users] Re: Ignore extra parameters in oVirt API

2018-06-21 Thread Ondra Machacek 

Well, if they may use 4.0, you should write code which support 4.0 and
don't use any 4.2 features, as it won't work anyway on 4.2.

If you want to support features from 4.2, and use it against 4.0 where 
it will be igonored and use it also agains 4.2 where it will be 
supported, it's quite simple to do in our SDKs, not sure how it can be 
done in your script, is it bash or something else?


On 06/21/2018 01:05 PM, Hari Prasanth Loganathan wrote:
the problem is, I can't write different client codes for the different 
version.
Consider my case, I developed my script considering the oVirt version 
4.2, If my client is using 4.1 then he needs the same script to be 
supported.
What If the client is using further older version say 4.0, So do you 
want me to write the script for every version of oVirt. It is not correct.


So could you let me know, Is there a way to ignore extra properties in 
oVirt Rest API?


On Thu, Jun 21, 2018 at 4:30 PM, Ondra Machacek <mailto:omach...@redhat.com>> wrote:


Well, I don't know what are you using to generate the JSON,
but you just need to check if engine is v4.1 and then send the JSON
without the field and if version is v4.2 and higher you can use that
field.

If you share you script maybe I can advice, or if you are using any SDK.
It would be even simpler as you just set the field to None/null/nil
and it won't be generated to the XML body which SDK send.

On 06/21/2018 12:52 PM, Hari Prasanth Loganathan wrote:

Thanks, Ondra for confirming.

You need to handle this situation client side.

So you are saying there is a work-around in client side, I
didn't get this point, Could you explain, please.

    On Thu, Jun 21, 2018 at 4:20 PM, Ondra Machacek
mailto:omach...@redhat.com>
<mailto:omach...@redhat.com <mailto:omach...@redhat.com>>> wrote:

     We do not support this.

     For xml we use event handler, which takes unknown fields as
error:



https://github.com/oVirt/ovirt-engine/blob/68753f46f09419ddcdbb632453501273697d1a20/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/xml/JAXBProvider.java#L182

<https://github.com/oVirt/ovirt-engine/blob/68753f46f09419ddcdbb632453501273697d1a20/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/xml/JAXBProvider.java#L182>

<https://github.com/oVirt/ovirt-engine/blob/68753f46f09419ddcdbb632453501273697d1a20/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/xml/JAXBProvider.java#L182


<https://github.com/oVirt/ovirt-engine/blob/68753f46f09419ddcdbb632453501273697d1a20/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/xml/JAXBProvider.java#L182>>

     For json we don't have turn of the feature
FAIL_ON_UNKNOWN_PROPERTIES,
     you would need to put it on line 29 to make it working:



https://github.com/oVirt/ovirt-engine/blob/e06859fef6c38a955a4e0e1f6b0ddaa1e8eae8fb/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/json/CustomObjectMapper.java#L28

<https://github.com/oVirt/ovirt-engine/blob/e06859fef6c38a955a4e0e1f6b0ddaa1e8eae8fb/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/json/CustomObjectMapper.java#L28>

<https://github.com/oVirt/ovirt-engine/blob/e06859fef6c38a955a4e0e1f6b0ddaa1e8eae8fb/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/json/CustomObjectMapper.java#L28


<https://github.com/oVirt/ovirt-engine/blob/e06859fef6c38a955a4e0e1f6b0ddaa1e8eae8fb/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/json/CustomObjectMapper.java#L28>>

     You need to handle this situation client side.

     On 06/21/2018 11:21 AM, Hari Prasanth Loganathan wrote:

         Could somebody explain this please?

         On Thu, Jun 21, 2018 at 7:41 AM, Hari Prasanth Loganathan
         mailto:hariprasant...@msystechnologies.com>
         <mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>
         <mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>
         <mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>>> wrote:

              *Hi Ondra / Ori,*


https://github.com/oVirt/ovirt-engine/search?q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B&unscoped_q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B

<https://github.com/oVirt/ovirt-engine/search?q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B&unscoped_q=FAIL_ON_UNKN

[ovirt-users] Re: Ignore extra parameters in oVirt API

2018-06-21 Thread Ondra Machacek 

Well, I don't know what are you using to generate the JSON,
but you just need to check if engine is v4.1 and then send the JSON
without the field and if version is v4.2 and higher you can use that
field.

If you share you script maybe I can advice, or if you are using any SDK.
It would be even simpler as you just set the field to None/null/nil and 
it won't be generated to the XML body which SDK send.


On 06/21/2018 12:52 PM, Hari Prasanth Loganathan wrote:

Thanks, Ondra for confirming.

You need to handle this situation client side.

So you are saying there is a work-around in client side, I didn't get 
this point, Could you explain, please.


On Thu, Jun 21, 2018 at 4:20 PM, Ondra Machacek <mailto:omach...@redhat.com>> wrote:


We do not support this.

For xml we use event handler, which takes unknown fields as error:



https://github.com/oVirt/ovirt-engine/blob/68753f46f09419ddcdbb632453501273697d1a20/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/xml/JAXBProvider.java#L182

<https://github.com/oVirt/ovirt-engine/blob/68753f46f09419ddcdbb632453501273697d1a20/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/xml/JAXBProvider.java#L182>

For json we don't have turn of the feature FAIL_ON_UNKNOWN_PROPERTIES,
you would need to put it on line 29 to make it working:



https://github.com/oVirt/ovirt-engine/blob/e06859fef6c38a955a4e0e1f6b0ddaa1e8eae8fb/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/json/CustomObjectMapper.java#L28

<https://github.com/oVirt/ovirt-engine/blob/e06859fef6c38a955a4e0e1f6b0ddaa1e8eae8fb/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/json/CustomObjectMapper.java#L28>

You need to handle this situation client side.

On 06/21/2018 11:21 AM, Hari Prasanth Loganathan wrote:

Could somebody explain this please?

On Thu, Jun 21, 2018 at 7:41 AM, Hari Prasanth Loganathan
mailto:hariprasant...@msystechnologies.com>
<mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>> wrote:

     *Hi Ondra / Ori,*


https://github.com/oVirt/ovirt-engine/search?q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B&unscoped_q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B

<https://github.com/oVirt/ovirt-engine/search?q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B&unscoped_q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B>

<https://github.com/oVirt/ovirt-engine/search?q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B&unscoped_q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B


<https://github.com/oVirt/ovirt-engine/search?q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B&unscoped_q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B>>

     Check the above link, As per the code it is always set as
false, So
     is there a way in payload / headers in client API / server
     configuration in oVirt engine which can ignore the extra
payload
     parameters?

     Any help / workaround is much appreciated.

     Thanks, Greg for pointing the right ppl.

     Thanks,
     Hari

     On Thu, Jun 21, 2018 at 1:35 AM, Greg Sheremeta
mailto:gsher...@redhat.com>
     <mailto:gsher...@redhat.com <mailto:gsher...@redhat.com>>>
wrote:

         +Ondra and Ori

         On Wed, Jun 20, 2018 at 1:07 PM Hari Prasanth Loganathan
         mailto:hariprasant...@msystechnologies.com>
         <mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>> wrote:

             Guys any update on this?  if you have any
clarification let
             me know please.

             Thanks

             On Wed, 20 Jun 2018 at 5:41 PM, Hari Prasanth
Loganathan
             mailto:hariprasant...@msystechnologies.com>
             <mailto:hariprasant...@msystechnologies.com
<mailto:hariprasant...@msystechnologies.com>>> wrote:

                 Hi Team,

                 I got one clue, using the code base :

https://github.com/oVirt/ovirt-engine/blob/e2aad594a55c7272b513736616cb4b9841c2c43d/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectDeserializer.java

<https://github.com/oVirt/ovirt-engine/blob/e2aad594a55c7272b513736616cb4b9841c2c43d/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectDeserializer.java>

<https://github.com/oVirt/ovirt-engine/blob/e2aad594a55c7272b513736616cb4b9841c2c43d/backend/manager/

[ovirt-users] Re: Ignore extra parameters in oVirt API

2018-06-21 Thread Ondra Machacek 

We do not support this.

For xml we use event handler, which takes unknown fields as error:


https://github.com/oVirt/ovirt-engine/blob/68753f46f09419ddcdbb632453501273697d1a20/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/xml/JAXBProvider.java#L182

For json we don't have turn of the feature FAIL_ON_UNKNOWN_PROPERTIES,
you would need to put it on line 29 to make it working:


https://github.com/oVirt/ovirt-engine/blob/e06859fef6c38a955a4e0e1f6b0ddaa1e8eae8fb/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/json/CustomObjectMapper.java#L28

You need to handle this situation client side.

On 06/21/2018 11:21 AM, Hari Prasanth Loganathan wrote:

Could somebody explain this please?

On Thu, Jun 21, 2018 at 7:41 AM, Hari Prasanth Loganathan 
> wrote:


*Hi Ondra / Ori,*


https://github.com/oVirt/ovirt-engine/search?q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B&unscoped_q=FAIL_ON_UNKNOWN_PROPERTIES%2C+false%29%3B



Check the above link, As per the code it is always set as false, So
is there a way in payload / headers in client API / server
configuration in oVirt engine which can ignore the extra payload
parameters?

Any help / workaround is much appreciated.

Thanks, Greg for pointing the right ppl.

Thanks,
Hari

On Thu, Jun 21, 2018 at 1:35 AM, Greg Sheremeta mailto:gsher...@redhat.com>> wrote:

+Ondra and Ori

On Wed, Jun 20, 2018 at 1:07 PM Hari Prasanth Loganathan
mailto:hariprasant...@msystechnologies.com>> wrote:

Guys any update on this?  if you have any clarification let
me know please.

Thanks

On Wed, 20 Jun 2018 at 5:41 PM, Hari Prasanth Loganathan
mailto:hariprasant...@msystechnologies.com>> wrote:

Hi Team,

I got one clue, using the code base :

https://github.com/oVirt/ovirt-engine/blob/e2aad594a55c7272b513736616cb4b9841c2c43d/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/serialization/json/JsonObjectDeserializer.java




formattedMapper.configure(Feature.FAIL_ON_UNKNOWN_PROPERTIES,
false);

As a default, this flag is set as false, then How I get
this error? Any idea?


Thanks,
Hari



On Wed, Jun 20, 2018 at 5:21 PM, Hari Prasanth
Loganathan mailto:hariprasant...@msystechnologies.com>> wrote:

Hi all,

To clarify my payload is like below,

*_Expected :_*

{
    "alias": "testdisk",
    "shareable": false,
    "storage_type": "cinder",
    "openstack_volume_type": {
         "name": "ceph"
     },
    "description": "",
    "storage_domains": {
  "storage_domain": [{
             "name": "cinder_newone"
          }]
     },
    "provisioned_size": 1073741824,
  "interface": "virtio",
  "format": "cow"
}
_*
*_
_*I sent : *_

{
    "alias": "testdisk",
    "shareable": false,
    "storage_type": "cinder",
    "openstack_volume_type": {
         "name": "ceph"
     },
    "description": "",
    "storage_domains": {
  "storage_domain": [{
             "name": "cinder_newone"
          }]
     },
    "provisioned_size": 1073741824,
  "interface": "virtio",
  "format": "cow",
* "test" : "value"*
}


Is there a way to ignore the *test* field? Please
let me know any way / work around.


Any help is much appreciated.

Thanks,
Hari


On Wed, Jun 20, 2018 at 3:09 PM, Hari Prasanth
Loganathan mailto:hariprasant...@msystechnologies.com>>

[ovirt-users] Re: LDAP logins do not work

2018-06-14 Thread Ondra Machacek 

This error:

The user u...@example.com@example.com is not authorized to perform login

means that you don't have any role assigned to your user.

Please check following documentation:


https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/#user-authorization

to understand permission model of oVirt.

On 06/14/2018 02:39 PM, Michael Watters wrote:

ldapsearch works correctly and I'm able to bind to AD without any
issues.  ovirt-engine-extension-aaa-ldap-setup also shows searches
working correctly.

One thing I've discovered is that I can login as "u...@domain.com" but
then receive an error as follows.


The user u...@example.com@example.com is not authorized to perform login


How do I enable debug logs?  The log entries from the engine.log file
are the same as my previous message.


On 06/14/2018 06:37 AM, Ondra Machacek wrote:

Can you share the debug log, and also make sure the search user you are
using is correct for example by running the ldapsearch command with it.

On 06/13/2018 05:33 PM, Michael Watters wrote:

I've ran the ovirt-engine-extension-aaa-ldap-setup command to configure
LDAP authentication using Active Directory however I am unable to
authenticate using valid credentials.  Here is the output show while
testing the login flow.

[ INFO  ] Executing login sequence...
    Login output:
    2018-06-13 11:27:17,931-04 INFO

    2018-06-13 11:27:17,960-04 INFO
 Initialization 
    2018-06-13 11:27:17,960-04 INFO

    2018-06-13 11:27:17,999-04 INFO    Loading extension
'example.com-authn'
    2018-06-13 11:27:18,072-04 INFO    Extension
'example.com-authn' loaded
    2018-06-13 11:27:18,077-04 INFO    Loading extension
'example.com-authz'
    2018-06-13 11:27:18,089-04 INFO    Extension
'example.com-authz' loaded
    2018-06-13 11:27:18,090-04 INFO    Initializing extension
'example.com-authn'
    2018-06-13 11:27:18,091-04 INFO
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authz'
    2018-06-13 11:27:19,574-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
    2018-06-13 11:27:19,576-04 INFO
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authn'
    2018-06-13 11:27:20,668-04 INFO
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool
'authn' information: vendor='null' version='null'
    2018-06-13 11:27:20,674-04 WARNING Ignoring records from
pool:
'authz'
    2018-06-13 11:27:20,676-04 WARNING Ignoring records from
pool:
'authz'
    2018-06-13 11:27:20,676-04 INFO    Extension
'example.com-authn' initialized
    2018-06-13 11:27:20,677-04 INFO    Initializing extension
'example.com-authz'
    2018-06-13 11:27:20,679-04 INFO
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
pool 'authz'
    2018-06-13 11:27:21,270-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
    2018-06-13 11:27:21,273-04 INFO
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
pool 'gc'
    2018-06-13 11:27:22,065-04 WARNING Exception: 80090308:
LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e,
v1db1
    2018-06-13 11:27:22,069-04 WARNING Ignoring records from
pool:
'authz'
    2018-06-13 11:27:22,072-04 WARNING Ignoring records from
pool:
'authz'
    2018-06-13 11:27:22,085-04 WARNING Ignoring records from
pool:
'authz'
    2018-06-13 11:27:22,086-04 INFO
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available
Namespaces: []
    2018-06-13 11:27:22,087-04 INFO    Extension
'example.com-authz' initialized
    2018-06-13 11:27:22,088-04 INFO    Start of enabled
extensions
list
    2018-06-13 11:27:22,089-04 INFO    Instance name:
'example.com-authz', Extension name:
'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes:
'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', Initialized:
'true'
    2018-06-13 11:27:22,089-04 INFO    Instance name:
'example.com-authn', Ext

[ovirt-users] Re: LDAP logins do not work

2018-06-14 Thread Ondra Machacek 

Can you share the debug log, and also make sure the search user you are
using is correct for example by running the ldapsearch command with it.

On 06/13/2018 05:33 PM, Michael Watters wrote:

I've ran the ovirt-engine-extension-aaa-ldap-setup command to configure
LDAP authentication using Active Directory however I am unable to
authenticate using valid credentials.  Here is the output show while
testing the login flow.

[ INFO  ] Executing login sequence...
   Login output:
   2018-06-13 11:27:17,931-04 INFO

   2018-06-13 11:27:17,960-04 INFO
 Initialization 
   2018-06-13 11:27:17,960-04 INFO

   2018-06-13 11:27:17,999-04 INFO    Loading extension
'example.com-authn'
   2018-06-13 11:27:18,072-04 INFO    Extension
'example.com-authn' loaded
   2018-06-13 11:27:18,077-04 INFO    Loading extension
'example.com-authz'
   2018-06-13 11:27:18,089-04 INFO    Extension
'example.com-authz' loaded
   2018-06-13 11:27:18,090-04 INFO    Initializing extension
'example.com-authn'
   2018-06-13 11:27:18,091-04 INFO
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authz'
   2018-06-13 11:27:19,574-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
   2018-06-13 11:27:19,576-04 INFO
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authn'
   2018-06-13 11:27:20,668-04 INFO
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool
'authn' information: vendor='null' version='null'
   2018-06-13 11:27:20,674-04 WARNING Ignoring records from pool:
'authz'
   2018-06-13 11:27:20,676-04 WARNING Ignoring records from pool:
'authz'
   2018-06-13 11:27:20,676-04 INFO    Extension
'example.com-authn' initialized
   2018-06-13 11:27:20,677-04 INFO    Initializing extension
'example.com-authz'
   2018-06-13 11:27:20,679-04 INFO
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
pool 'authz'
   2018-06-13 11:27:21,270-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
   2018-06-13 11:27:21,273-04 INFO
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
pool 'gc'
   2018-06-13 11:27:22,065-04 WARNING Exception: 80090308:
LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e,
v1db1
   2018-06-13 11:27:22,069-04 WARNING Ignoring records from pool:
'authz'
   2018-06-13 11:27:22,072-04 WARNING Ignoring records from pool:
'authz'
   2018-06-13 11:27:22,085-04 WARNING Ignoring records from pool:
'authz'
   2018-06-13 11:27:22,086-04 INFO
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available
Namespaces: []
   2018-06-13 11:27:22,087-04 INFO    Extension
'example.com-authz' initialized
   2018-06-13 11:27:22,088-04 INFO    Start of enabled extensions
list
   2018-06-13 11:27:22,089-04 INFO    Instance name:
'example.com-authz', Extension name:
'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes:
'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', Initialized:
'true'
   2018-06-13 11:27:22,089-04 INFO    Instance name:
'example.com-authn', Extension name:
'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes:
'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/tmp/tmpPQluAI/extensions.d/example.com-authn.properties', Initialized:
'true'
   2018-06-13 11:27:22,090-04 INFO    End of enabled extensions list
   2018-06-13 11:27:22,090-04 INFO

   2018-06-13 11:27:22,090-04 INFO
== Execution ===
   2018-06-13 11:27:22,091-04 INFO

   2018-06-13 11:27:22,091-04 INFO    Iteration: 0
   2018-06-13 11:27:22,093-04 INFO    Profile='example.com'
authn='example.com-authn' authz='example.com-authz' mapping='null'
   2018-06-13 11:27:22,094-04 INFO    API:
-->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com'
user='d861703'
   2018-06-13 11:27:22,251-04 INFO    API:
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com'
result=CREDENTIA

[ovirt-users] Re: how to use oVirt engine API to retrieve the attached VM list by a disk id.

2018-05-31 Thread Ondra Machacek 

Looking the API, the Disk type has element 'vms', but we don't feed it
with data:


https://github.com/oVirt/ovirt-engine-api-model/blob/master/src/main/java/types/Device.java#L50

I can fix the API so it returns it. So feel free to open a bug if you
need it.

But maybe, can you describe your exact use case? You user just input
disk 'id' and you are suppose to return the VM which it's attached to?
If you need to know only if it's attached 'true/false', you can use

  /api/disks?search=number_of_vms=1

On 06/01/2018 04:57 AM, Joey Ma wrote:

Hi Ondra,

I tried your URL but it not worked. I want to retrieve all the attached 
vms by a disk, so I cloud not provide a specified vm name for searching. 
Also tried with https://fqdn/ovirt-engine/api/vms?search= 
<https://fqdn/ovirt-engine/api/disks?search=vm_names=myvmname>_disk=DISKNAME_, 
unfortunately the `disk` parameter is not supported.



Put it differently, how could I get the disk list by rest API as same as 
shown by visiting admin portal at 
https://fqdn/ovirt-engine/webadmin/?#disks, which indicates the attached 
vm name for each disk.



<https://10.1.111.222/ovirt-engine/webadmin/?locale=en_US#disks>


On Fri, Jun 1, 2018 at 8:51 AM, Joey Ma <mailto:majunj...@gmail.com>> wrote:


OK, got it. Search is a powerful solution. Thank you very much.

On Thu, May 31, 2018 at 6:49 PM, Ondra Machacek mailto:omach...@redhat.com>> wrote:

On 05/31/2018 09:28 AM, iterjpnic  wrote:

Hi all,

I use oVirt engine API v4.2 for implementing terraform oVirt
provider. And I want to check if a Disk has been attached to
a VM, so I need to find all vms attached by this disk.
But after I checked the GET-Response data from the
"/ovirt-engine/api/disks/" rest url, there has no
disk-attachment/vm related properties or links. I could get
a trade-off, by the following steps:
1. getting all vms
2. get all disk-attachments of each vm
3. check if the given disk id equals to the `disk` property
of each disk-attachment`
4. If equals, append the vm to result list

Is there any simpler and smarter way to get this? Thanks.


Hi, you can use following:

https://fqdn/ovirt-engine/api/disks?search=vm_names=myvmname
<https://fqdn/ovirt-engine/api/disks?search=vm_names=myvmname>

___
Users mailing list -- users@ovirt.org <mailto:users@ovirt.org>
To unsubscribe send an email to users-le...@ovirt.org
<mailto:users-le...@ovirt.org>
Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
<https://www.ovirt.org/site/privacy-policy/>
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
<https://www.ovirt.org/community/about/community-guidelines/>
List Archives:

https://lists.ovirt.org/archives/list/users@ovirt.org/message/6LVOIVEUUO7PXVV36GH3V6GSURQV4ALO/

<https://lists.ovirt.org/archives/list/users@ovirt.org/message/6LVOIVEUUO7PXVV36GH3V6GSURQV4ALO/>




___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LFIML6UKL2GI7P3O3CO4SMP7OFILR5F4/

[ovirt-users] Re: how to use oVirt engine API to retrieve the attached VM list by a disk id.

2018-05-31 Thread Ondra Machacek 

On 05/31/2018 09:28 AM, iterjpnic  wrote:

Hi all,

I use oVirt engine API v4.2 for implementing terraform oVirt provider. And I 
want to check if a Disk has been attached to a VM, so I need to find all vms 
attached by this disk.
But after I checked the GET-Response data from the 
"/ovirt-engine/api/disks/" rest url, there has no disk-attachment/vm 
related properties or links. I could get a trade-off, by the following steps:
1. getting all vms
2. get all disk-attachments of each vm
3. check if the given disk id equals to the `disk` property of each 
disk-attachment`
4. If equals, append the vm to result list

Is there any simpler and smarter way to get this? Thanks.


Hi, you can use following:

 https://fqdn/ovirt-engine/api/disks?search=vm_names=myvmname


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6LVOIVEUUO7PXVV36GH3V6GSURQV4ALO/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/SNO3RV3U3UIEGOILXLJ2LTRNOZHCPHHN/

[ovirt-users] Re: Unable to login after upgrade

2018-05-31 Thread Ondra Machacek 
That's very strange, can you please share the upgrade log if you still 
have it?


Also can you please share the output of:

$ select * from users;

and

$ select * from permissions;

and also please share content of:

 /etc/ovirt-engine/extensions.d/internal-authn.properties
 /etc/ovirt-engine/extensions.d/internal-auth.properties
 /etc/ovirt-engine/aaa/internal.properties

On 05/30/2018 06:12 PM, Michael Watters wrote:
It looks like the issue was caused by a new admin account being created 
in the internal-authz domain.  Here is what the engine logs show.


2018-05-30 11:15:21,893-04 INFO 
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-9) 
[] User admin@internal successfully logged in with scopes: 
ovirt-app-admin ovirt-app-api ovirt-app-portal 
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all 
ovirt-ext=token-info:authz-search 
ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate 
ovirt-ext=token:password-access


2018-05-30 11:15:22,175-04 INFO 
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default 
task-11) [77362b19] Running command: CreateUserSessionCommand internal: 
false.


2018-05-30 11:15:22,252-04 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
(default task-11) [77362b19] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User 
admin@internal-authz connecting from '10.209.44.27' failed to log 
in.


2018-05-30 11:15:22,253-04 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default 
task-11) [] The user admin@internal is not authorized to perform login


I was able to login after updating the permissions table to use the new 
user ID as follows.


update permissions set ad_element_id = (select user_id from users where 
domain = 'internal-authz' and username = 'admin') where ad_element_id = 
(select user_id from users where domain = 'internal' and username = 
'admin') ;


Despite this the ovirt-aaa-jdbc-tool still shows the wrong user ID when 
querying the admin account.  For example:


[root@mdct-ovirt-engine-dev ~]# ovirt-aaa-jdbc-tool user show admin
-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Locked: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2016-11-16 15:27:01Z
Account Valid To: 2216-11-16 15:27:01Z
Account Without Password: false
Last successful Login At: 2018-05-30 16:02:46Z
Last unsuccessful Login At: 2018-05-29 19:25:28Z
Password Valid To: 2216-09-29 15:27:01Z

Is there a way to resolve this conflict?  Where does the 
admin@internal-authz account come from?  I tried renaming the account 
but it is recreated every time that the engine is restarted.



On 05/29/2018 04:31 PM, Alex K wrote:
Are you using engine IP to login? Perhaps the sso default file was 
overwritten?


Alex

On Tue, May 29, 2018, 20:32 Michael Watters > wrote:


I recently upgraded one of our ovirt engines from 4.1 to the 4.2.3
release and the admin account is no longer able to login. After
entering the user name and password I receive a message that
states "The
user admin@internal is not authorized to perform login".

Is there a way to resolve this?  Resetting the password did not work.
___
Users mailing list -- users@ovirt.org 
To unsubscribe send an email to users-le...@ovirt.org

Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:

https://lists.ovirt.org/archives/list/users@ovirt.org/message/FT3NKC36NMNDQEIWCVPMYSYSLVZSGJOM/





___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DT7ERVLLGIYEE2WM6UTPR37CMSZRCCYY/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IGJ4WW434U7BVIMRPCK3DEMF34RMISEN/

[ovirt-users] Re: Simple API call to start VM

2018-05-30 Thread Ondra Machacek 

On 05/30/2018 08:07 AM, Kirin van der Veer wrote:

Hi oVirt users,
I have (what I hope) is a simple problem.
I want to make an https request to start a VM via the oVirt REST API.
Here is the command that I think should work:
curl --user "admin:SECRETPASSWORD" --request POST --header 


s/admin/admin@internal

"Content-Type: application/xml" --header "Accept: application/xml" 
--data '' 
https://ovirtengine.localnet:443/api/vms/69c47a91-bbv1-4eda-b71d-7bddf82ee8ab/start


missing ovirt-engine in URL:

https://ovirtengine.localnet:443/ovirt-engine/api/vms/69c47a91-bbv1-4eda-b71d-7bddf82ee8ab/start



However I get a 404 in response (see below):


404 Not Found

Not Found
The requested URL /api/vms/60c47a91-bca1-4eda-b71d-7bddf82ee8ab/start 
was not found on this server.



Where have I made a mistake here?



*IMPORTANT NOTE. *If you are NOT AN AUTHORISED RECIPIENT of this e-mail, 
please contact Planet Innovation Pty Ltd by return e-mail or by 
telephone on +613 9945 7510.  In this case, you should not read, print, 
re-transmit, store or act in reliance on this e-mail or any attachments, 
and should destroy all copies of them.  This e-mail and any attachments 
are confidential and may contain legally privileged information and/or 
copyright material of Planet Innovation Pty Ltd or third parties. You 
should only re-transmit, distribute or commercialise the material if you 
are authorised to do so.  Although we use virus scanning software, we 
deny all liability for viruses or alike in any message or 
attachment. This notice should not be removed.


**


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/5N6N4BHF6ZFJLEARSEALCON7DJIMXRCZ/


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PMBVQNUH2PBD655YECVHNMXHAEVWAAYT/

[ovirt-users] Re: LDAP Authentication issues

2018-05-29 Thread Ondra Machacek 
What's you LDAP and what profile did you choose? This looks like you have
chosen incorect profile during setup. Are you sure you arent using posix
group and using non-posix aaa profile? Sharing a debug log of
ovirt-engine-extensions-tool would be helpfull.


On Fri, May 25, 2018, 10:04 AM Callum Smith  wrote:

> Dear All,
>
> I'm having problems getting LDAP running, login works, but I'm getting
> "user is not authorised to perform login" - this is even if i specify the
> UserRole specifically to the LDAP group the user is in.
>
> 2018-05-25 08:56:16,212+01 INFO
>  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) []
> User callum@Biomedical Research Computing successfully logged in with
> scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal
> ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
> ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search
> ovirt-ext=token-info:validate ovirt-ext=token:password-access
> 2018-05-25 08:56:16,391+01 INFO
>  [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25)
> [63e60fe9] Running command: CreateUserSessionCommand internal: false.
> 2018-05-25 08:56:16,430+01 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User
> callum@Biomedical Research Computing connecting from '192.168.65.254'
> failed to log in.
> 2018-05-25 08:56:16,430+01 ERROR
> [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-25)
> [] The user callum@Biomedical Research Computing is not authorized to
> perform login
>
>
> on a side note: is it possible to assign permissions to all members of an
> LDAP tree where they dont have a common group membership?
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> ___
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
>
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PCOI5I47AKTGEWCHVKKAEOOCN5FDOTYW/

[ovirt-users] Re: Obtain dynamic inventory onto local machine using ovirt4.py for self-hosted engine

2018-05-22 Thread Ondra Machacek 

On 05/22/2018 06:44 PM, 03ce...@gmail.com wrote:

I have successfully deployed self-hosted-engine (4.2) on centos (7.4) server.

the server address is ovirt where the self-hosted engine running on it has fdqn 
as engine.ovirt. I  have ovirt,ini configured on server acan run the ovirt4.py 
from the server to obtain the vms in groups. But I want to control the vms 
using ansible from my macbook and run ansible playbooks locally.

so I have downloaded the ovirt.ini and ovirt4.py from server and tried running 
it, but had no success.

Is there something special needs setting up for 'self-hosted-ovirt-engine' as 
oppose to vanilla ovirt-engine which will allow me to control vms from my 
macbook?


You don't need to do anything special.
What's the error you get?



thanks.
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org

[ovirt-users] Re: Use local ansible to talk to engineVM and other vm

2018-05-22 Thread Ondra Machacek 

On 05/21/2018 11:51 AM, 03ce...@gmail.com wrote:

I have a self-hosted-engine (4.2) running on a centos 7.4 server.

I have downloaded ovirt ansible roles from ansible-galaxy and can run them from 
the server where the engineVM is running and able to deploy new vms, clusters, 
dc, etc.

I have seen the use of ovirt4.py file to target and group hosts which you can 
target for specific plays. However, the box where self-hosted-engine is running 
is a physical server but I am looking to run ansible from my local machine 
instead to manage vms running on engineVM. Is there a way to achieve this?


Sure you can use your own computer to manage the VMs.

In your playbook you just need to specify group/host where the tasks of
the playbook should run.

So if using the ovirt4.py script as your inventory file, you need to
just specify specific group where you want to run the tasks in your
playbook like this:

- hosts: tag_httpd
  tasks:
...

If you want to Create/Delete VMs using ovirt_* modules, you can do it
from your computer as well, but you need to install Python SDK version
4. You can download it from pip using following command: pip install
ovirt-engine-sdk-python.



Thank you in advance.
  
___

Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org

[ovirt-users] Re: sdk api and follow question / bug

2018-05-14 Thread Ondra Machacek 

On 05/10/2018 10:32 AM, Peter Hudec wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

I'm using API to get stats about the VM using the FOLLOW syntax
described in
http://ovirt.github.io/ovirt-engine-api-model/4.2/#documents/003_common_
concepts/follow

In my case I list all VM with FOLLOWING
  - 'statistics',
  - 'nics.statistics',
  - 'disk_attachments.disk.statistics'

On my env with about 50 VM the query took about 12s but the paring for
the monitoring system is easy.

The question is, it's better to split the code and use more queries as
the note in the API docs recommends? Not sure it will be faster and
less cpu intensive on the engine side.


It won't. It's better just in terms of network load, not engine load.



Also the disk_attachments.disk.statistics on VMs seems to be broken,
I'm not getting the data on 4.2.2 installation. /using json syntax,
not xml/


Can you please describe what exactly isn't working?
You won't get that for any VM? Can describe the steps how to reproduce
it? Do you get HTTP 404 or 500?



regards
Peter

- -- 
*Peter Hudec*

Infraštruktúrny architekt
phu...@cnc.sk 

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Recepcia: +421 2  35 000 100

Mobil:+421 905 997 203
*www.cnc.sk* 

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEERCwM7E/ZOYb1ejhCbZu8qDuIhFsFAlr0A60ACgkQbZu8qDuI
hFuh9RAAxP7o7Ve7tGN2c9ClG5FQcOpUH9Jwa6JiieEauFP3ivIdN1vVwA+YhgVW
Ij9iDrXBWdtlVrlQojqInMrWjNUQoeSAiJGTee/LztjeKrxK7Hkbd6JC8GAL0WbK
NWjHtzODX98MHhY7tgFoCW0xApUcN4c+jp5E8IuN/Gh19Ml3Nk9okUbbXDAnOxNK
1n5y1wnye2Gjk7hVwHoccY4V74FgjQ/hKbVRwjhDXHsHa9VHBpLJKtRhu1+5JdDj
ba79B5KM7w9CYI/QnLDsKeGLHsEylEnw6zY6+seitRAtIGfe7XB+PDddt9dSoC91
bwZfVEx6GCUr6lp+YJsbd/BCFdjLpMhWuI1q3d0A1rzuB4P/9/ehK2fB5ZtE5IDx
snkfNOk9sn/+AxuR79GnORdAOL38VFtNg1vZeHBVCg9byQ+mPcIlXdavYmZw9Sn3
lqsuS8xzcVltRw30eF9ne8uIlDETUdLQ84/RI2kxcbXT6naGWH9pbtto5ttY84Oc
QLAzIKeSFj9GFQm06b5wCReA7gpApU1eMeBlXEhGfUwwpQ4Ma2QjGVHLM6yyIbHG
uqKQcaU2z0gZANmDMw1RSv6AbDiDYvF5UNznCJklrxKycLKgiLVYEfsDcT8+mSKK
pFqazDVn6HzEa+SnU+peSQxb0N1oCfnufUqyCumih+8FNmjr1V8=
=u7vS
-END PGP SIGNATURE-
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org

Re: [ovirt-users] Fwd: FreeIPA authentication broken

2018-04-25 Thread Ondra Machacek 

Yep, you need to restart ovirt-engine service so the changes take
effect.

Anyway, we need to figure out what removed your IPA.properties and
IPA.jks file. What did you do before it stop work?

On 04/25/2018 12:37 AM, Kristian Petersen wrote:


-- Forwarded message --
From: *Kristian Petersen* <mailto:nesre...@chem.byu.edu>>

Date: Tue, Apr 24, 2018 at 12:38 PM
Subject: Re: [ovirt-users] FreeIPA authentication broken
To: Ondra Machacek mailto:omach...@redhat.com>>


That directory only contains internal.properties.  So I copied the 
IPA.properties, IPA-authn.properties, and IPA.jks files all into the 
'aaa' subdirectory and set ownership and permissions as you directed.  I 
reran the command you gave me initially and it prompted me for a 
password for the user when entered the process exited with status 0.  
However, the web interface still isn't letting me log in.  Do I need to 
restart a service for the changes to be effective in the web UI?


On Mon, Apr 23, 2018 at 11:59 PM, Ondra Machacek <mailto:omach...@redhat.com>> wrote:


Right, you are missing file /etc/ovirt-engine/aaa/IPA.properties

It's not subdirectory of /etc/ovirt-engine/extensions.d, but it's in
/etc/ovirt-engine/ in 'aaa' subdirectory, can you check what's there?
Please check also the correct permissions of that file, it should be
'600' and owned by ovirt user.


On 04/23/2018 10:25 PM, Kristian Petersen wrote:

Looks like it can't find the IPA.properties file.  I tried
following the path it is complaining about but there are only
files in /etc/ovirt-engine/extensions.d on the engine VM.  No
subdirectories.  However, that directory appears to contain the
files it is looking for.  Both IPA-authn.properties and
IPA.properties are there as are the internal properties files. 
Is there a config file we can edit to tell it to look in the

right place?




--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry



--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] FreeIPA authentication broken

2018-04-23 Thread Ondra Machacek 

Right, you are missing file /etc/ovirt-engine/aaa/IPA.properties

It's not subdirectory of /etc/ovirt-engine/extensions.d, but it's in
/etc/ovirt-engine/ in 'aaa' subdirectory, can you check what's there?
Please check also the correct permissions of that file, it should be
'600' and owned by ovirt user.

On 04/23/2018 10:25 PM, Kristian Petersen wrote:
Looks like it can't find the IPA.properties file.  I tried following the 
path it is complaining about but there are only files in 
/etc/ovirt-engine/extensions.d on the engine VM.  No subdirectories.  
However, that directory appears to contain the files it is looking for.  
Both IPA-authn.properties and IPA.properties are there as are the 
internal properties files.  Is there a config file we can edit to tell 
it to look in the right place?



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] FreeIPA authentication broken

2018-04-23 Thread Ondra Machacek 

On 04/23/2018 04:30 PM, Kristian Petersen wrote:

Hey everyone,

I had FreeIPA authentication set up on my oVirt instance and it was 
working great.  Then something happened that disconnected my NFS storage 
and caused a problem with my hosted-engine.  Once I got it back up and 
running again, my FreeIPA authentication was sill a choice for 
authentication, but it always rejects my password even though it is 
correct.  I have tried running the setup again to no avail.  Nothing 
shows up in the httpd error log when the login fails.  The engine.log 
from ovirt-engine in /var/log shows the following upon attempting to 
authenticate with a user from freeIPA:


2018-04-23 08:08:24,384-06 WARN  
[org.ovirt.engineextensions.aaa.ldap.Framework] (default task-34) [] 
Ignoring records from pool: 'authz'
2018-04-23 08:08:24,384-06 ERROR 
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default 
task-34) [] Cannot authenticate user 'nesretep@IPA' connecting from 
'UNKNOWN': The username or password is incorrect.


Can you try to run this command:

 $ ovirt-engine-extensions-tool --log-level=FINEST 
--log-file=/tmp/aaa.log aaa login-user --user-name nesretep --profile IPA


and share /tmp/aaa.log?



I'm not sure why 'authz' is being ignored but it is certainly why IPA 
authentication isn't working as 'username@authz' is how IPA logins show 
up in oVirt when they do work.  Any ideas where to look next?

--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Some questions about Ovirt REST API

2018-04-12 Thread Ondra Machacek 

Ah sorry, POST isn't working and GET works, I misread it.

Can you please share the generated file:

{project_path}/backend/manager/modules/restapi/interface/definition/target/generated-sources/model/org/ovirt/engine/api/resource/VmMytestResource.java

Maybe you can even send patches to review as draft for start, we could
better understand the patch then.

On 04/12/2018 10:14 AM, gss...@pku.edu.cn wrote:

Do you mean /@override/ /getMytestsResource() / in BackendVmResource ?
I have done that, otherwise GET would not pass.

*From:* Ondra Machacek <mailto:omach...@redhat.com>
*Date:* 2018-04-12 15:43
*To:* gss...@pku.edu.cn <mailto:gss...@pku.edu.cn>; users
<mailto:users@ovirt.org>
*Subject:* Re: [ovirt-users] Some questions about Ovirt REST API
On 04/11/2018 08:19 AM, gss...@pku.edu.cn wrote:
 > Hi,
 >
 > I wants to creating my own service under
../vms/{vmid}/myservice.Here is
 > my methods:
 >
 > 1. create VmMytestService in
 > /https://github.com/oVirt/ovirt-engine-api-model project./
 > add/@Service VmMytestService mytests() in /VmService .java
 > 2. mvn install it and change the root pom.xml
 > /4.3.9-SNAPSHOT / in my Ovirt project.
 > 3.create BackendVmMytestService implements VmMytestResource
Did you also in BackendVmResource implemented 'mytests' method?
 > 4.override /get() and add() /methods.
 >
 > After that, I use /curl/  tool to send GET and POST request. GET is
 > working and return.
 > However, I get this return after POST request.
 >
 > Would you help me with that issue?
 >
 > Thanks,
 > wenzt
 >
 >
 > ___
 > Users mailing list
 > Users@ovirt.org
 > http://lists.ovirt.org/mailman/listinfo/users
 >


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Some questions about Ovirt REST API

2018-04-12 Thread Ondra Machacek 



On 04/11/2018 08:19 AM, gss...@pku.edu.cn wrote:

Hi,

I wants to creating my own service under ../vms/{vmid}/myservice.Here is 
my methods:


1. create VmMytestService in 
/https://github.com/oVirt/ovirt-engine-api-model project./

add/@Service VmMytestService mytests() in /VmService .java
2. mvn install it and change the root pom.xml 
/4.3.9-SNAPSHOT / in my Ovirt project.

3.create BackendVmMytestService implements VmMytestResource


Did you also in BackendVmResource implemented 'mytests' method?


4.override /get() and add() /methods.

After that, I use /curl/  tool to send GET and POST request. GET is 
working and return.

However, I get this return after POST request.

Would you help me with that issue?

Thanks,
wenzt


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Query on VM Clone

2018-03-29 Thread Ondra Machacek 



On 03/29/2018 01:02 PM, Karli Sjöberg wrote:

On Thu, 2018-03-29 at 11:21 +0200, Ondra Machacek wrote:

On 03/29/2018 11:09 AM, Hari Prasanth Loganathan wrote:

Hi Team,

1) I perform the VM clone using the following API

api/vms/{vmId}/clone

2) The above API is returning the job id
3) Using the job Id, we continuously query the oVirt to get the
status
of the clone operation.
/api/jobs/${vmCloneJobId}
  We are able to successfully get the status of the clone
operation.

But the problem is, we are not able to identify the newly created
VM
(created using clone).

AFAIK, The only way to get the newly created VM is to get all the
VM
list from oVirt. Is there an easy way to identify the newly created
VM
using the jobId?


In order to run the clone operation you must pas the VM name, so you
know the name, so later to fetch the VM you can just run:

api/vms?search=name=thenameofclonnedvm


Hijacking this a little, because I got curious about something:)

Is it possible to do regex searches? Because I remember working on
something different, the searches could potentially end up with
multiple matched objects, like "thenameofclonnedvm",
"thenameofclonnedvm-berta", "thenameofclonnedvm3" and so on. So I was
always forced to treat the result as a potential array, loop the
objects (this was with Python) and test for an exact match, even if it
was just one object. So it would be nicer if you could go like:

api/vms?search=name='^thenameofclonnedvm$'

And be sure to have an exact match every time. Is that possible?


You can read more about search engine here:


https://www.ovirt.org/documentation/admin-guide/appe-Using_Search_Bookmarks_and_Tags/

So if you have for example following VMs in system:

 vm
 vm1
 vm2
 vm3

And you do search like:

  api/vms?search=name=vm

It will return only single Vm called 'vm', but it always return a 
collection, but with just single item.


And you do search like:

 api/vms?search=name=vm*

It will return all VMs starting on 'vm' string. So it's collection of 
vm, vm1, vm2 and vm3.


So by default it search for exact string, but you may use wildcards to
improve the search.



TIA

/K



Is this approach OK for you?



Thanks,
Hari

DISCLAIMER

The information in this e-mail is confidential and may be subject
to
legal privilege. It is intended solely for the addressee. Access to
this
e-mail by anyone else is unauthorized. If you have received this
communication in error, please address with the subject heading
"Received in error," send to i...@msystechnologies.com
<mailto:i...@msystechnologies.com>,  then delete the e-mail and
destroy
any copies of it. If you are not the intended recipient, any
disclosure,
copying, distribution or any action taken or omitted to be taken
in
reliance on it, is prohibited and may be unlawful. The views,
opinions,
conclusions and other information expressed in this electronic mail
and
any attachments are not given or endorsed by the company unless
otherwise indicated by an authorized representative independent of
this
message.

MSys cannot guarantee that e-mail communications are secure or
error-free, as information could be intercepted, corrupted,
amended,
lost, destroyed, arrive late or incomplete, or contain viruses,
though
all reasonable precautions have been taken to ensure no viruses
are
present in this e-mail. As our company cannot accept responsibility
for
any loss or damage arising from the use of this e-mail or
attachments we
recommend that you subject these to your virus checking procedures
prior
to use


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Query on VM Clone

2018-03-29 Thread Ondra Machacek 

On 03/29/2018 11:09 AM, Hari Prasanth Loganathan wrote:

Hi Team,

1) I perform the VM clone using the following API

api/vms/{vmId}/clone

2) The above API is returning the job id
3) Using the job Id, we continuously query the oVirt to get the status 
of the clone operation.

/api/jobs/${vmCloneJobId}
     We are able to successfully get the status of the clone operation.

But the problem is, we are not able to identify the newly created VM 
(created using clone).


AFAIK, The only way to get the newly created VM is to get all the VM 
list from oVirt. Is there an easy way to identify the newly created VM 
using the jobId?


In order to run the clone operation you must pas the VM name, so you 
know the name, so later to fetch the VM you can just run:


api/vms?search=name=thenameofclonnedvm

Is this approach OK for you?



Thanks,
Hari

DISCLAIMER

The information in this e-mail is confidential and may be subject to 
legal privilege. It is intended solely for the addressee. Access to this 
e-mail by anyone else is unauthorized. If you have received this 
communication in error, please address with the subject heading 
"Received in error," send to i...@msystechnologies.com 
,  then delete the e-mail and destroy 
any copies of it. If you are not the intended recipient, any disclosure, 
copying, distribution or any action taken or omitted to be taken in 
reliance on it, is prohibited and may be unlawful. The views, opinions, 
conclusions and other information expressed in this electronic mail and 
any attachments are not given or endorsed by the company unless 
otherwise indicated by an authorized representative independent of this 
message.


MSys cannot guarantee that e-mail communications are secure or 
error-free, as information could be intercepted, corrupted, amended, 
lost, destroyed, arrive late or incomplete, or contain viruses, though 
all reasonable precautions have been taken to ensure no viruses are 
present in this e-mail. As our company cannot accept responsibility for 
any loss or damage arising from the use of this e-mail or attachments we 
recommend that you subject these to your virus checking procedures prior 
to use



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Authentication

2018-03-22 Thread Ondra Machacek 

On 03/22/2018 11:25 PM, Bryan Sockel wrote:

Hey Guys,

Was working on switching my authentication over to TLS, and during the 
process I have lost the Internal Authentication option on my drop down 
list.  Need to Know how to add it back it back to the list of drop down 
items.


Just re-run engine-setup.



Thanks



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Setting up a LDAP conf

2018-03-16 Thread Ondra Machacek 

On 03/16/2018 12:26 AM, Jose Fernandes wrote:

Hello,


I have an OpenDJ LDAP server, and I need some help to do query on a 
specific filter search.


I remember I used to setup OpenDJ some time ago, please check this blog
post:

 http://machacekondra.blogspot.cz/2015/05/saml-and-ovirt-35.html

The important part there for you is the file:

 /usr/share/ovirt-engine-extension-aaa-ldap/profiles/opendj.properties

Then you can use it as 'include = ' in authz/authn.




We can't figure out how to create a "aaa/profile1.properties" file with 
these configs.



This is how we can filter the users with ldapsearch on our ldap server:


-H ldaps://server:port-D uid=user,ou=OU,dc=SERVER,dc=com,dc=br -W -b 
ou=aa,dc=bb,dc=cc,dc=dd uid=jose.fernandes



  - My configuration does not permit I search the users on base, so I 
need to do this filter on "ou=aa,dc=bb,dc=cc,dc=dd"


  - Port is different from common.


Someone can help me to create the config file?


Regards,

José Fernandes



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] How to setup users to see a subset of VMs in oVirt

2018-03-06 Thread Ondra Machacek 

On 03/06/2018 12:03 AM, Jean Pickard wrote:

Hello,
I need to create user accounts in oVirt that can only manage a specific 
set of VMs and I don't want them to see any other ones.

example:
User1 can only see VM1, VM2, VM3, VM4
User2 can only see VM5, VM6, VM7
Admin can see all of them.
How do I accomplish this?


Maybe this can help you:

 http://lists.ovirt.org/pipermail/users/2018-March/087432.html



Thank you,

Payman Vazinkhoo


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Users/Groups Permissions

2018-03-06 Thread Ondra Machacek 

On 03/05/2018 10:42 AM, markus.schauf...@ooe.gv.at wrote:

Hi!

Still new to oVirt and got another question:

I have many Windows and Linux VMs and created for each the Windows and 
Linux machines two Usergroups (limited and admins).


Now I want to grant the groups according permissions to according VMs. 
How can I do this without clicking through every VM manually (e.g. by 
mark several vms in the UI and manage their permissions or via CLI)?


You can use our Python SDK, please see below example:


https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/assign_permission_to_vms.py

Or you can use Ansible if you are familiar with it:


http://docs.ansible.com/ansible/latest/ovirt_permissions_module.html#examples

The playbook would look like:

 ---
- hosts: localhost
  connection: local
  vars:
 username: admin@internal
 password: thepassowrd
 insecure: True
 url: https://ovirt.example.com/ovirt-engine/api

  tasks:
  - name: Obtain SSO token
ovirt_auth:
  url: "{{ url }}"
  username: "{{ username }}"
  password: "{{ password }}"
  insecure: "{{ insecure }}"

  - name: Add permissions to user
ovirt_permissions:
  auth: "{{ ovirt_auth }}"
  user_name: user2
  authz_name: internal-authz
  object_type: vm
  object_name: "{{ item }}"
  role: UserVmManager
with_items:
  - myvm1
  - myvm2
  - myvm3

  - name: Revoke SSO token
ovirt_auth:
  state: absent
  ovirt_auth: "{{ ovirt_auth }}"



Many thanks in advance,

*Markus Schaufler, MSc*

Amt der Oö. Landesregierung
Direktion Präsidium

Abteilung Informationstechnologie

Referat ST3 Server

A-4021 Linz, Kärntnerstraße 16

*Tel.:*+43 (0)732 7720 – 13138

*Fax:*+43 (0)732 7720 - 213255

*email:*markus.schauf...@ooe.gv.at 

*Internet:*www.land-oberoesterreich.gv.at 



*DVR:*0069264

Der Austausch von Nachrichten mit o.a. Absender via e-mail dient 
ausschließlich Informationszwecken.
Rechtsgültige Erklärungen dürfen über dieses Medium nur an das 
offizielle Postfach it.p...@ooe.gv.at  
übermittelt werden.




___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Q: Can't connect to oVirt shell / SSL cert issue

2018-03-05 Thread Ondra Machacek 



On 03/05/2018 01:28 PM, Andrei Verovski wrote:

On 03/05/2018 12:58 PM, Ondra Machacek wrote:

You should use CA certificate if you use default one it's:

  /etc/pki/ovirt-engine/ca.pem


Executed as root
ovirt-shell -l https://node00.mydomain.com/ovirt-engine/api --cert-file
/etc/pki/ovirt-engine/ca.pem -u "admin@internal"


Right, there should be '--ca-file /etc/pki/ovirt-engine/ca.pem', not
--cert-file /etc/pki/ovirt-engine/ca.pem



=== ERROR ===
server CA certificate file must be specified for SSL secured connection.

ca.pem exists in specified location.



You can find more information about oVirt PKI here:

  https://www.ovirt.org/develop/release-management/features/infra/pki/

On 03/05/2018 11:51 AM, Andrei Verovski wrote:

Hi,

Thanks,  corrected URL accepted.

However, I've run into SSL certificate issue:
ovirt-shell -l https://node00.mydomain.com/ovirt-engine/api
--cert-file /etc/pki/ovirt-engine/certs/engine.cer -u "admin@internal"

 ERROR 
server CA certificate file must be specified for SSL secured connection.

certificate file exists, verified
/etc/pki/ovirt-engine/certs/engine.cer

without specifying SSL cert file its not possible to connect at all
 ERROR 
No response returned from server. If you're using HTTP protocol
against a SSL secured server, then try using HTTPS instead.

Or I should use another certificate from same directory ?

Thanks.


On 03/05/2018 06:46 AM, Karli Sjöberg wrote:



Den 4 mars 2018 23:39 skrev Andrei Verovski :

     Hi !

     I'm trying to connect via Bash from same machine where oVirt engine
     installed
     ovirt-shell --url=http://node00.mydomain.com/api -u admin


Hi!

You've forgotten 'ovirt-engine' before 'api':
http://node00.mydomain.com/ovirt-engine/api

/K

     After entering password I've got:
     === ERROR ===
     [404] - Not Found

     What is wrong here?
     Thanks in advance.
     Andrei
     ___
     Users mailing list
     Users@ovirt.org
     http://lists.ovirt.org/mailman/listinfo/users


Hi !

I'm trying to connect via Bash from same machine where oVirt engine
installed
ovirt-shell --url=http://node00.mydomain.com/api -u admin
After entering password I've got:
=== ERROR ===
[404] - Not Found

What is wrong here?
Thanks in advance.
Andrei
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users





___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users






___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Q: Can't connect to oVirt shell / SSL cert issue

2018-03-05 Thread Ondra Machacek 

You should use CA certificate if you use default one it's:

 /etc/pki/ovirt-engine/ca.pem

You can find more information about oVirt PKI here:

 https://www.ovirt.org/develop/release-management/features/infra/pki/

On 03/05/2018 11:51 AM, Andrei Verovski wrote:

Hi,

Thanks,  corrected URL accepted.

However, I've run into SSL certificate issue:
ovirt-shell -l https://node00.mydomain.com/ovirt-engine/api --cert-file 
/etc/pki/ovirt-engine/certs/engine.cer -u "admin@internal"


 ERROR 
server CA certificate file must be specified for SSL secured connection.

certificate file exists, verified
/etc/pki/ovirt-engine/certs/engine.cer

without specifying SSL cert file its not possible to connect at all
 ERROR 
No response returned from server. If you're using HTTP protocol
against a SSL secured server, then try using HTTPS instead.

Or I should use another certificate from same directory ?

Thanks.


On 03/05/2018 06:46 AM, Karli Sjöberg wrote:



Den 4 mars 2018 23:39 skrev Andrei Verovski :

Hi !

I'm trying to connect via Bash from same machine where oVirt engine
installed
ovirt-shell --url=http://node00.mydomain.com/api -u admin


Hi!

You've forgotten 'ovirt-engine' before 'api':
http://node00.mydomain.com/ovirt-engine/api

/K

After entering password I've got:
=== ERROR ===
[404] - Not Found

What is wrong here?
Thanks in advance.
Andrei
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Hi !

I'm trying to connect via Bash from same machine where oVirt engine
installed
ovirt-shell --url=http://node00.mydomain.com/api -u admin
After entering password I've got:
=== ERROR ===
[404] - Not Found

What is wrong here?
Thanks in advance.
Andrei
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users





___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt API (4.0 and 4.1) not reporting vms running on a given storage domain

2018-03-02 Thread Ondra Machacek 

On 03/02/2018 05:24 PM, Luca 'remix_tj' Lorenzetto wrote:

On Fri, Mar 2, 2018 at 3:21 PM, Ondra Machacek  wrote:

Hi,

As per documentation:

http://ovirt.github.io/ovirt-engine-api-model/4.1/#services/storage_domain_vms

That resource is used to list VMs on export storage domain, not on data
domain.

If you want to find VMs using specific storage you may use following query:

   /ovirt-engine/api/vms?search=storage.name=nameofthestorage


Hi Ondra,

thanks. So what's the purpose of the ovirt_storage_vms_facts, only
working with export domains (which has been deprecated?)


Mainly listing the unregistered VMs, so it works as export domain.



Luca



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt API (4.0 and 4.1) not reporting vms running on a given storage domain

2018-03-02 Thread Ondra Machacek 

Hi,

As per documentation:

http://ovirt.github.io/ovirt-engine-api-model/4.1/#services/storage_domain_vms

That resource is used to list VMs on export storage domain, not on data 
domain.


If you want to find VMs using specific storage you may use following query:

  /ovirt-engine/api/vms?search=storage.name=nameofthestorage

On 03/01/2018 07:19 PM, Luca 'remix_tj' Lorenzetto wrote:

Hello,

i need to extract the list of the vms running on a given storage domain.
Copying some code from ansible's ovirt_storage_vms_facts simplified my
work but i stopped with a strange behavior: no vm is listed.

I thought it was an issue with my code, but looking more in detail at
api's i tried opening:

ovirt-engine/api/storagedomains/52b661fe-609e-48f9-beab-f90165b868c4/vms

And what i get is



And this for all the storage domains available.

Is there something wrong with the versions i'm running? Do i require
some options in the query?

I'm running RHV, so i can't upgrade to 4.2 yet

Luca


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Hosts firewall custom setup

2018-02-27 Thread Ondra Machacek 



On 02/27/2018 11:29 AM, Nicolas Ecarnot wrote:

Le 26/02/2018 à 15:00, Yedidyah Bar David a écrit :

But how do we add custom rules in case of firewalld type?


Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/

Hello Didi and al,

- I followed the advices found in this blog page, I created the exact 
same filename with the adequate content.

- I've setup the cluster type to firewalld
- I restarted ovirt-engine
- I reinstalled a host

I see no usage of this Ansible yml file.
I see the creation of an ansible deploy log file for my host, and I see 
the usual firewall ports being opened, but I see nowhere any usage of 
the /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml file.

- I added the debug msg part in the ansible recipe, but to no avail.
- Huge grepping through the /var/log of the engine shows no calls of 
this script.


Thus, I see no effect on ports of the host's firewalld config.

What should I look at now?


It looks like you hit the following bug:

 https://bugzilla.redhat.com/show_bug.cgi?id=1549163

It will be fixed in 4.2.2 release.

I believe you can meanwhile remove line:

 - oVirt-metrics

from file:

/usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy/meta/main.yml



Thank you.


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ovirt-ansible-modules vs ovirt 3.6

2018-02-27 Thread Ondra Machacek 

Hi,

unfortunately no, ovirt-ansible-modules can be used only with oVirt >= 4.0.

On 02/27/2018 12:22 PM, Николаев Алексей wrote:

Hi community!
Is it possible to use ovirt-ansible-modules with ovirt-engine 3.6 api?
I'm trying to obtain SSO token by ovirt_auth. And get error:
"The response content type 'text/html;charset=UTF-8' isn't the expected 
JSON".

However, everything works fine with ovirt-engine 4.2 api.


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] API endpoint for a VM to fetch metadata about itself

2018-02-27 Thread Ondra Machacek 

Yep, you can search for a VM using many attributes, for example to
search for a VM using IP address:

 https://fqdn/ovirt-engine/api/vms?search=ip=1.2.3.4

Here you have more search parameters you can use to find a VM:


https://www.ovirt.org/documentation/admin-guide/appe-Using_Search_Bookmarks_and_Tags/#searching-for-virtual-machines

On 02/27/2018 02:04 AM, Geoff Sweet wrote:
OK, that's a great place for me to start. However the problem is that 
all my post-install tooling is now running on a VM that knows nothing 
about itself (having been installed via pxe and kickstart) like it's 
{vm_id}.  Can the API be used to query for a VM and it's attributes 
based on something like a MAC address or the IP itself?


-Geoff

On Sun, Feb 25, 2018 at 11:05 PM, Ondra Machacek <mailto:omach...@redhat.com>> wrote:


We don't have any such resource. We have those information in different
  places of the API. For example to find the information about
devices of
the VM, like network device information (IP address, MAC, etc), you can
query:

  /ovirt-engine/api/vms/{vm_id}/reporteddevices

The FQDN is listed right in the basic information of the VM quering the
VM itself:

   /ovirt-engine/api/vms/{vm_id}

You can find all the information about specific attributes returned by
the API here in the documentation:

http://ovirt.github.io/ovirt-engine-api-model/4.2/#types/vm
<http://ovirt.github.io/ovirt-engine-api-model/4.2/#types/vm>

On 02/25/2018 03:13 AM, Geoff Sweet wrote:

Is there an API endpoint that VM's can query to discover it's
oVirt metadata? Something similar to AWS's
http://169.254.169.254/latest/meta-data/
<http://169.254.169.254/latest/meta-data/>
<http://169.254.169.254/latest/meta-data/
<http://169.254.169.254/latest/meta-data/>> query in EC2? I'm
trying to stitch a lot of automation workflow together and so
far I have had great luck with oVirt. But the next small hurdle
is to figure out how all the post-install setup stuff can figure
out who the VM is so it can the appropriate configurations.

Thanks!
-Geoff


___
Users mailing list
Users@ovirt.org <mailto:Users@ovirt.org>
http://lists.ovirt.org/mailman/listinfo/users
<http://lists.ovirt.org/mailman/listinfo/users>



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] API endpoint for a VM to fetch metadata about itself

2018-02-25 Thread Ondra Machacek 

We don't have any such resource. We have those information in different
 places of the API. For example to find the information about devices of
the VM, like network device information (IP address, MAC, etc), you can
query:

 /ovirt-engine/api/vms/{vm_id}/reporteddevices

The FQDN is listed right in the basic information of the VM quering the
VM itself:

  /ovirt-engine/api/vms/{vm_id}

You can find all the information about specific attributes returned by
the API here in the documentation:

 http://ovirt.github.io/ovirt-engine-api-model/4.2/#types/vm

On 02/25/2018 03:13 AM, Geoff Sweet wrote:
Is there an API endpoint that VM's can query to discover it's oVirt 
metadata? Something similar to AWS's 
http://169.254.169.254/latest/meta-data/ 
 query in EC2? I'm trying to 
stitch a lot of automation workflow together and so far I have had great 
luck with oVirt. But the next small hurdle is to figure out how all the 
post-install setup stuff can figure out who the VM is so it can the 
appropriate configurations.


Thanks!
-Geoff


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Internal Server Error while add Permission [cli]

2018-02-16 Thread Ondra Machacek 

Hi,

in the /var/log/ovirt-engine/server.log there will be some trace of the 
exception, right after running that command, can you please share it?


Thanks.

On 02/16/2018 09:40 AM, Thomas Fecke wrote:

Hey dear Community,

I work a bit with that ovirt shell. That worked pretty fine but I got 
some Problems when I try to add Permission:


What I want to do:

Add a Role to an VM

What I did:

add permission --parent-vm-name vm1 --user-id user1 --role-id UserVmCreator

Error:

status: 500

   reason: Internal Server Error

   detail:

ErrorInternal Server 
Error


Any other cli command works fine for me. What am I doing wrong? Thank you !



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] 4.2 aaa LDAP setup issue

2018-02-13 Thread Ondra Machacek 

Hello,

On 02/09/2018 08:17 PM, Jamie Lawrence wrote:

Hello,

I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP 
servers are fine and function normally for a number of other services, but I 
can't get this working.

Our LDAP setup requires startTLS and a login. That last bit seems to be where 
the trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert 
and I pass it the path to the same cert used via nslcd/PAM for logging in to 
the host, it replies:

[ INFO  ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
[ INFO  ] Executing startTLS
[WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 
'authentication required', 'desc': 'Server is unwilling to perform'}
[ ERROR ] Cannot connect using any of available options

"Unwilling to perform" makes me think -aaa-ldap-setup is trying something the 
backend doesn't support, but I'm having trouble guessing what that could be since the 
tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass later 
in the script. And the log isn't much more forthcoming.

I double-checked the cert with openssl; it is a valid, PEM-encoded cert.

Before I head in to the code, has anyone seen this?


Looks like you have disallowed anonymous bind on your LDAP.
We are trying to estabilish anonymous bind to test the connection.

I would recommend to try to do a manual configuration, the documentation
is here:


https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L17

Then in your /etc/ovirt-engine/aaa/profile1.properties add following
line:

pool.default.auth.type = simple

Then test the configuration using ovirt-engine-extensions-tool.
If it's OK just restart ovirt-engine and all should be fine.



Thanks,

-j

- - - - snip - - - -

Relevant log details:

2018-02-08 15:15:08,625-0800 DEBUG 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:281 
URLs: ['ldap://x.squaretrade.com:389']
2018-02-08 15:15:08,626-0800 INFO 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:391 Connecting to LDAP using 'ldap://x.squaretrade.com:389'
2018-02-08 15:15:08,627-0800 INFO 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:442 Executing startTLS
2018-02-08 15:15:08,640-0800 DEBUG 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:445 Perform search
2018-02-08 15:15:08,641-0800 DEBUG 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:459 Exception
Traceback (most recent call last):
   File 
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
 line 451, in _connectLDAP
 timeout=60,
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 555, in 
search_st
 return 
self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 546, in 
search_ext_s
 return self.result(msgid,all=1,timeout=timeout)[1]
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in 
result
 resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in 
result2
 resp_type, resp_data, resp_msgid, resp_ctrls = 
self.result3(msgid,all,timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in 
result3
 resp_ctrl_classes=resp_ctrl_classes
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in 
result4
 ldap_result = 
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in 
_ldap_call
 result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': 'authentication required', 'desc': 'Server is 
unwilling to perform'}
2018-02-08 15:15:08,642-0800 WARNING 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:463 Cannot connect using 'ldap://x.squaretrade.com:389': 
{'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,643-0800 ERROR 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._customization_late:787 Cannot connect using any of available options
2018-02-08 15:15:08,644-0800 DEBUG 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._customization_late:788 Exception
Traceback (most recent call last):
   File 
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
 line 782, in _customization_late
 insecure=insecure,
   File 
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
 line 468, in _connectLDAP
 _('Cannot connect using any of available options')
SoftRuntimeError: Cannot connect using any of availabl

Re: [ovirt-users] Engine AAA LDAP startTLS Protocol Issue

2018-02-08 Thread Ondra Machacek 

On 02/08/2018 11:04 AM, Alan Griffiths wrote:

Hi,

Trying to configure Engine to authenticate against OpenLDAP and I seem
to be hitting a protocol bug.

Attempts to test the login during the setup fail with

2018-02-07 12:27:37,872Z WARNING Exception: The connection reader was
unable to successfully complete TLS negotiation:
SSLException(message='Received fatal alert: protocol_version',
trace='getSSLException(Alerts.java:208) /
getSSLException(Alerts.java:154) / recvAlert(SSLSocketImpl.java:2033)
/ readRecord(SSLSocketImpl.java:1135) /
performInitialHandshake(SSLSocketImpl.java:1385) /
startHandshake(SSLSocketImpl.java:1413) /
startHandshake(SSLSocketImpl.java:1397) /
run(LDAPConnectionReader.java:301)', revision=0)

Running a packet trace I see that it's trying to negotiate with TLS
1.0, but my LDAP server only support TLS 1.2.


I've sent a fix:

 https://gerrit.ovirt.org/87327

To workaround it just please add to you profile properties file:

 pool.default.ssl.startTLSProtocol = TLSv1.2



This looks like a regression as it works fine in 4.0.

I see the issue in both 4.1 and 4.2

4.1.9.1
4.2.0.2

Should I submit a bug?

Thanks,

Alan
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt CLI Question

2018-02-08 Thread Ondra Machacek 

On 02/07/2018 11:28 PM, Andrei V wrote:

Hi,

How to force power off, and then launch (after timeout e.g. 20sec)
particular VM from bash or Python script?


Please check the following Python script:


https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/stop_vm.py

It stops the VM and wait until it's in DOWN state.

Then there is a script to start the VM:


https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/start_vm.py



Is 20sec is enough to get oVirt engine updated after forced power off  >
What happened with this wiki? Seems like it is deleted or moved.
http://wiki.ovirt.org/wiki/CLI#Usage


CLI was deprecated, and is not available anymore, since 4.0 I think.
You can use Ansible modules or Python SDK.



Is this project part of oVirt distro? It looks like in state of active
development with last updates 2 months ago.
https://github.com/fbacchella/ovirtcmd


No, it isn't part of oVirt distribution.



Thanks !
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Reassign ovirtmgmt to a new bond with ansible

2017-12-14 Thread Ondra Machacek 

Hi,

On 12/13/2017 11:52 AM, Luca 'remix_tj' Lorenzetto wrote:

Hello,

I'm trying to create a playbook for deployment of a new node in my
ovirt deployment. I'm using the role ovirt-infra from
ovirt-infra-roles 1.1.1.

I'm creating a new bond and assigning ovirtmgmt to that bond:

This is the value of the variable host_networks printed out by ansible:

TASK [host_networks]
*
ok: [localhost] => {
 "host_networks": [
 {
 "bond": {
 "interfaces": [
 "enp2s0f0",
 "enp2s0f1"
 ],
 "mode": 1,
 "name": "bond0"
 },
 "check": true,
 "name": "ovirt01.intranet.company.it",
 "networks": [
 {
 "address": "10.5.40.197",
 "boot_protocol": "static",
 "gateway": "10.5.43.254",
 "name": "ovirtmgmt",
 "prefix": "255.255.252.0"
 }
 ],
 "save": true
 },
 {
 "bond": {
 "interfaces": [
 "enp2s0f2",
 "enp2s0f3"
 ],
 "mode": 1,
 "name": "bond1"
 },
 "check": true,
 "name": "ovirt01.intranet.company.it",
 "networks": [
 {
 "address": "10.5.160.47",
 "boot_protocol": "static",
 "name": "NFS",
 "netmask": "255.255.252.0"
 }
 ],
 "save": true
 }
 ]
}



When running the playbook i get:

Error: Fault reason is "Operation Failed". Fault detail is "[Cannot
setup Networks. Network ovirtmgmt is already attached via attachment
3315148d-f669-48b0-9c16-601faaea9ce5. A new attachment cannot be used
for the same network, please reuse the existing one.]"

How do i reuse the existing attachment?

The other network (NFS) has been attached without issues.


This is unfortunately a bug, David(CCed) yesterday reported same issue
to me. He will (or did) open an issue on github. I will fix it for 2.5, 
release and hopefully also for 2.4.3.







___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP sources

2017-11-15 Thread Ondra Machacek 
Hello,

On Wed, Nov 15, 2017 at 9:03 AM, Magnus Isaksson  wrote:
> Hello,
>
> I have tried googling and searching in the documentation, but i can't seem
> to find any instructions on how to remove a authentication source.
>
> The background is that i did set up an FreeIPA server for auth, worked
> perfectly, but i ran into some problems using that to auth other systems, so
> i had to setup a new FreeIPA server and added that to oVirt, but now i want
> to remove the old one, but can not seem to find how.
> Anyone sitting on that info?

You have to remove the extension files of the old IPA server. It's
following files:

 - /etc/ovirt-engine/extensions.d/ipa-old-authn.properties
 - /etc/ovirt-engine/extensions.d/ipa-old-authn.properties
 - /etc/ovirt-engine/aaa/ipa-old.properties

Also don't forget to remove all users and groups of the old profile
via webadmin.

>
> And while on the subject, how do i set the FreeIPA auth as default auth
> source in oVirt?

Yes, this is supported since 4.0 release. You can check more info in
this bugzilla:

 https://bugzilla.redhat.com/show_bug.cgi?id=1296274

What you need to do is, add this line:

ovirt.engine.aaa.authn.default.profile=true

to your authn properties file of the profile, you want to have the default.

>
> Regards
>  Magnus
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Testing ansible playbook against a mock engine?

2017-10-25 Thread Ondra Machacek 
On Wed, Oct 25, 2017 at 9:40 AM, Luca 'remix_tj' Lorenzetto
 wrote:
> Hello,
>
> i'm planning to create a big standardization playbook for my
> environment to ensure that all the required configs (networks, hosts,
> host's nics and networks) are correctly set up.
> Since i don't want to test against a running setup, i'd like to spawn
> a transient one for testing.
>
> I already know Lago, but i think is bit overkill for testing an
> ansible playbook.
>
> Is there any tool that creates only an engine instance with some fake
> hosts configured so i can test the playbook against it?

There is an fake vdsm project:

 https://www.ovirt.org/develop/developer-guide/vdsm/fake/

but it has only limited functionality, it's listed in the wiki page.
Other than that I am not aware of anything how to achieve that.
The only way is Lago or Vagrant.

>
> Luca
>
> --
> "E' assurdo impiegare gli uomini di intelligenza eccellente per fare
> calcoli che potrebbero essere affidati a chiunque se si usassero delle
> macchine"
> Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)
>
> "Internet è la più grande biblioteca del mondo.
> Ma il problema è che i libri sono tutti sparsi sul pavimento"
> John Allen Paulos, Matematico (1945-vivente)
>
> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

2017-10-11 Thread Ondra Machacek 
I don't know what did you downloaded.
It should be CA used to sign the LDAP services on AD.

If it's CA created by AD SSL, you can get it for example as follows:

1. Press "Start" -> "Run" and write "cmd" and press "Enter".
2. Extract the CA certificate using the following command:

```
> certutil -ca.cert ca.der
```
3. Copy ca.der to oVirt machine into /tmp.
4. Convert to PEM format using the following command:

```
$ openssl x509 -in /tmp/ca.der -inform DER -out /tmp/ca.crt
```

On Wed, Oct 11, 2017 at 3:02 PM, nicola gentile
 wrote:
> I do this already.
> The CA certificate that i download is fine also for ldap?
>
> Nick
>
> 2017-10-11 14:56 GMT+02:00 Ondra Machacek :
>> You can download it just a temporary, for example to /tmp.
>> Then aaa-setup-tool wil create jks file in /etc/ovirt-engine/aaa/ directory.
>> After that you can remove the CA file and keep just jks file.
>>
>> On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile
>>  wrote:
>>> Yes I created by aaa-setup tool.
>>> I noticed that the CA certificate was expired, than I download new
>>> certificate and I run aaa-setup tool.
>>>
>>> is there a specific place to put the certificate file ca? I put in root 
>>> home.
>>>
>>> Thank a lot
>>>
>>> Nick
>>>
>>> 2017-10-11 14:18 GMT+02:00 Ondra Machacek :
>>>> It fails on SSL handshake:
>>>>  sun.security.validator.ValidatorException: No trusted certificate found
>>>>
>>>> How did you create 'polito.it.jks' file? By aaa-setup tool?
>>>> Are use sure you've entered correct CA certificate there?
>>>>
>>>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>>>>  wrote:
>>>>> 2017-10-11 10:11 GMT+02:00 nicola gentile :
>>>>>> Hi Martin,
>>>>>> I attach aaa.log you suggest
>>>>>>
>>>>>> Nick
>>>>>>
>>>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina :
>>>>>>> Hi,
>>>>>>>
>>>>>>> most probably you are affected by [1], so could you please check
>>>>>>> certificates on all your AD servers?
>>>>>>> You can verify using following command:
>>>>>>>
>>>>>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>>>>> --user-name= --profile=
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>>>>  wrote:
>>>>>>>>
>>>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>>>>  wrote:
>>>>>>>> > I run the command you suggest
>>>>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D 
>>>>>>>> > u...@dom.it
>>>>>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>>>>>> > userPrincipalName
>>>>>>>> >
>>>>>>>> > This is the result:
>>>>>>>> >
>>>>>>>> > Enter LDAP Password:
>>>>>>>> > # requesting: userPrincipalName
>>>>>>>> >
>>>>>>>>
>>>>>>>> Supposing you're using all the right parameters in ldapsearch command,
>>>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>>>> directory server.
>>>>>>>>
>>>>>>>> Please check with someone that can access to AD and verify the status
>>>>>>>> of the user with ADSI Edit.
>>>>>>>>
>>>>>>>> Luca
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> "E' assurdo impiegare gli uomini di intelligenza eccellente per fare
>>>>>>>> calcoli che potrebbero essere affidati a chiunque se si usassero delle
>>>>>>>> macchine"
>>>>>>>> Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)
>>>>>>>>
>>>>>>>> "Internet è la più grande biblioteca del mondo.
>>>>>>>> Ma il problema è che i libri sono tutti sparsi sul pavimento"
>>>>>>>> John Allen Paulos, Matematico (1945-vivente)
>>>>>>>>
>>>>>>>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
>>>>>>>> 
>>>>>>>> ___
>>>>>>>> Users mailing list
>>>>>>>> Users@ovirt.org
>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>>
>>>>>>>
>>>>>
>>>>> ___
>>>>> Users mailing list
>>>>> Users@ovirt.org
>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

2017-10-11 Thread Ondra Machacek 
You can download it just a temporary, for example to /tmp.
Then aaa-setup-tool wil create jks file in /etc/ovirt-engine/aaa/ directory.
After that you can remove the CA file and keep just jks file.

On Wed, Oct 11, 2017 at 2:37 PM, nicola gentile
 wrote:
> Yes I created by aaa-setup tool.
> I noticed that the CA certificate was expired, than I download new
> certificate and I run aaa-setup tool.
>
> is there a specific place to put the certificate file ca? I put in root home.
>
> Thank a lot
>
> Nick
>
> 2017-10-11 14:18 GMT+02:00 Ondra Machacek :
>> It fails on SSL handshake:
>>  sun.security.validator.ValidatorException: No trusted certificate found
>>
>> How did you create 'polito.it.jks' file? By aaa-setup tool?
>> Are use sure you've entered correct CA certificate there?
>>
>> On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
>>  wrote:
>>> 2017-10-11 10:11 GMT+02:00 nicola gentile :
>>>> Hi Martin,
>>>> I attach aaa.log you suggest
>>>>
>>>> Nick
>>>>
>>>> 2017-10-10 20:41 GMT+02:00 Martin Perina :
>>>>> Hi,
>>>>>
>>>>> most probably you are affected by [1], so could you please check
>>>>> certificates on all your AD servers?
>>>>> You can verify using following command:
>>>>>
>>>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>>>> --user-name= --profile=
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> Martin
>>>>>
>>>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>>>
>>>>>
>>>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>>>  wrote:
>>>>>>
>>>>>> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>>>>>>  wrote:
>>>>>> > I run the command you suggest
>>>>>> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
>>>>>> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
>>>>>> > userPrincipalName
>>>>>> >
>>>>>> > This is the result:
>>>>>> >
>>>>>> > Enter LDAP Password:
>>>>>> > # requesting: userPrincipalName
>>>>>> >
>>>>>>
>>>>>> Supposing you're using all the right parameters in ldapsearch command,
>>>>>> it seems that the user you were looking up is not a valid user in that
>>>>>> directory server.
>>>>>>
>>>>>> Please check with someone that can access to AD and verify the status
>>>>>> of the user with ADSI Edit.
>>>>>>
>>>>>> Luca
>>>>>>
>>>>>>
>>>>>> --
>>>>>> "E' assurdo impiegare gli uomini di intelligenza eccellente per fare
>>>>>> calcoli che potrebbero essere affidati a chiunque se si usassero delle
>>>>>> macchine"
>>>>>> Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)
>>>>>>
>>>>>> "Internet è la più grande biblioteca del mondo.
>>>>>> Ma il problema è che i libri sono tutti sparsi sul pavimento"
>>>>>> John Allen Paulos, Matematico (1945-vivente)
>>>>>>
>>>>>> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
>>>>>> 
>>>>>> ___
>>>>>> Users mailing list
>>>>>> Users@ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>>>
>>>
>>> ___
>>> Users mailing list
>>> Users@ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Fwd: ovirt-engine-extension-aaa-ldap active directory

2017-10-11 Thread Ondra Machacek 
It fails on SSL handshake:
 sun.security.validator.ValidatorException: No trusted certificate found

How did you create 'polito.it.jks' file? By aaa-setup tool?
Are use sure you've entered correct CA certificate there?

On Wed, Oct 11, 2017 at 1:30 PM, nicola gentile
 wrote:
> 2017-10-11 10:11 GMT+02:00 nicola gentile :
>> Hi Martin,
>> I attach aaa.log you suggest
>>
>> Nick
>>
>> 2017-10-10 20:41 GMT+02:00 Martin Perina :
>>> Hi,
>>>
>>> most probably you are affected by [1], so could you please check
>>> certificates on all your AD servers?
>>> You can verify using following command:
>>>
>>>   ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>>> --user-name= --profile=
>>>
>>>
>>> Thanks
>>>
>>> Martin
>>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463
>>>
>>>
>>> On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto
>>>  wrote:

 On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
  wrote:
 > I run the command you suggest
 > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
 > -W -x sAMAccountName=user_to_search userPrincipalName | grep
 > userPrincipalName
 >
 > This is the result:
 >
 > Enter LDAP Password:
 > # requesting: userPrincipalName
 >

 Supposing you're using all the right parameters in ldapsearch command,
 it seems that the user you were looking up is not a valid user in that
 directory server.

 Please check with someone that can access to AD and verify the status
 of the user with ADSI Edit.

 Luca


 --
 "E' assurdo impiegare gli uomini di intelligenza eccellente per fare
 calcoli che potrebbero essere affidati a chiunque se si usassero delle
 macchine"
 Gottfried Wilhelm von Leibnitz, Filosofo e Matematico (1646-1716)

 "Internet è la più grande biblioteca del mondo.
 Ma il problema è che i libri sono tutti sparsi sul pavimento"
 John Allen Paulos, Matematico (1945-vivente)

 Luca 'remix_tj' Lorenzetto, http://www.remixtj.net ,
 
 ___
 Users mailing list
 Users@ovirt.org
 http://lists.ovirt.org/mailman/listinfo/users
>>>
>>>
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] How to import a qcow2 disk into ovirt

2017-10-04 Thread Ondra Machacek 
Check this log file on engine machine:

 /var/log/ovirt-imageio-proxy/image-proxy.log

And this on the host which is used to upload:

 /var/log/ovirt-imageio-daemon/daemon.log

Any errors there?

On Wed, Oct 4, 2017 at 2:38 PM, nicola.gentile.to
 wrote:
> Thanks Alexander,
>
> nothing not work
> always the same error
> any suggestions?
>
> thank
>
>
> Il 04/10/2017 14:12, Alexander Witte ha scritto:
>
> Hey Nick,
>
> I had the same problem and in my case the engine firewall was blocking.  I
> tried disabling it temporarily and it worked.  I think the specific port to
> allow is 54322.
>
>
> Sent from my iPhone
>
> On Oct 4, 2017, at 5:50 AM, nicola.gentile.to 
> wrote:
>
> hi,
> I tried to import qcow2 vm image (1.1) on ovirt.
> My version of ovirt is 4.1.6.2-1.el7.centos on centos.
>
> By admin portal I click on Disk-> Upload -> Start
> then I choose a file qcow2, I set the dimension and alias, but after
> inizialization the following message appears:
>
> Unable to upload image to disk a8c878e2-8255-4aa1-8954-a76e0bdf3b88 due to a
> network error. Make sure ovirt-imageio-proxy service is installed and
> configured, and ovirt-engine's certificate is registered as a valid CA in
> the browser. The certificate can be fetched from
> https:///ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
>
> I have registered the certificate in the browser but nothing not work.
> I tried with Firefox and Chromium browsers.
>
> I tried to modify the ovirt-imageio-proxy.conf with setting 'use_ssl =
> false' but not work.
>
> I attach engine logs
>
> How can I solve? Thank very much
> Regards
>
> Nick
>
>
> Il 08/09/2016 09:00, Yaniv Dary ha scritto:
>
> Can you send a screenshot of your browser when the issue happens?
>
> Yaniv Dary
> Technical Product Manager
> Red Hat Israel Ltd.
> 34 Jerusalem Road
> Building A, 4th floor
> Ra'anana, Israel 4350109
>
> Tel : +972 (9) 7692306
> 8272306
> Email: yd...@redhat.com
> IRC : ydary
>
>
> On Fri, Sep 2, 2016 at 11:10 PM, Martín Follonier
>  wrote:
>>
>>
>> Hi,
>>
>> I've done all the recommendations in this thread, and I'm still getting
>> the "Paused by System" message just after the transfer starts.
>>
>> Honestly I don't know were else to look at, cause I don't find any log
>> entry or packet capture that give me a hint about what is happening.
>>
>> I'll appreciate any help! Thank you in advance!
>>
>> Regards
>>
>> Martin
>>
>> On Thu, Sep 1, 2016 at 5:01 PM, Amit Aviram  wrote:
>>
>> > You can do both,
>> > Through the database, the table is "vdc_options". change "option_value"
>> > where "option_name" = 'ImageProxyAddress' .
>> >
>> > On Thu, Sep 1, 2016 at 4:56 PM, Gianluca Cecchi
>> > > > > wrote:
>> >
>> >> On Thu, Sep 1, 2016 at 3:53 PM, Amit Aviram  wrote:
>> >>
>> >>> You can just replace this value in the DB and change it to the right
>> >>> FQDN, it is a config value named "ImageProxyAddress". replace
>> >>> "localhost"
>> >>> with the right address (notice that the port is there too).
>> >>>
>> >>> If this will keep happen after users will have the latest version, we
>> >>> will have to open a bug and fix whatever causes the URL to be
>> >>> "localhost".
>> >>>
>> >>>
>> >> Do you mean through "engine-config" or directly into database?
>> >> In this second case which is the table involved?
>> >>
>> >> Gianluca
>> >>
>> >
>> >
>>
>> [root@ractorshe bin]# systemctl stop ovirt-imageio-proxy
>>
>> engine=# select * from vdc_options where option_name='ImageProxyAddress';
>>  option_id |option_name|  option_value   | version
>> ---+---+-+-
>>950 | ImageProxyAddress | localhost:54323 | general
>> (1 row)
>>
>> engine=# update vdc_options set option_value='ractorshe.mydomain:54323'
>> where option_name='ImageProxyAddress';
>> UPDATE 1
>> engine=# select * from vdc_options where option_name='ImageProxyAddress';
>> option_id |option_name| option_value |
>> version
>>
>> ---+---+--+-
>>950 | ImageProxyAddress | ractorshe.mydomain:54323 | general
>> (1 row)
>>
>> engine=#
>>
>> engine=# select * from vdc_options where option_name='ImageProxyAddress';
>> option_id |option_name| option_value |
>> version
>>
>> ---+---+--+-
>>950 | ImageProxyAddress | ractorshe.mydomain:54323 | general
>> (1 row)
>>
>>
>> systemctl stop ovirt-engine
>> (otherwise it remained localhost)
>>
>> systemctl start ovirt-engine
>>
>> systemctl start ovirt-imageio-proxy
>>
>> Now transfer is ok.
>> I tried a qcow2 disck configured as 40Gb but containing about 1.6Gb of
>> data.
>> I'm going to connect it to a VM and see if all is ok also from a contents
>> point of view.
>>
>> Gianluca
>>
>> ___
>> Users mailing list
>> Users@ovirt.org
>> http://list

Re: [ovirt-users] Having issue with external IPA

2017-10-01 Thread Ondra Machacek 
On Sun, Oct 1, 2017 at 1:07 PM, Yan Naing Myint
 wrote:
> Hello guys,
>
> I'm having problem with adding users from my FreeIPA server to oVirt.
> 1. Status of ovirt-engine-extension-aaa-ldap-setup is success with RHDS
> 2. I cannot add IPA users in oVirt webadmin panel
> 3. In oVirt web admin panel it says "Error while executing action AddUser:
> Internal Engine Error"
>
> What will be the problem or is it a bug?

Can you please share the log from the following command?

 $ ovirt-engine-extensions-tool --log-level=FINEST
--log-file=/tmp/aaa.log aaa search --entity-name=mgorca
--extension-name=cyberwings.local

> Is there any suggestion of how do it make it work?
>
> in the engine.log it says;
>
> 2017-10-01 17:30:52,436+06 ERROR
> [org.ovirt.engine.core.bll.aaa.AddUserCommand] (default task-113)
> [bf5822eb-39da-49e5-b2ab-9865f71346a3] Transaction rolled-back for command
> 'org.ovirt.engine.core.bll.aaa.AddUserCommand'.
> 2017-10-01 17:30:52,459+06 WARN
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-113) [bf5822eb-39da-49e5-b2ab-9865f71346a3] EVENT_ID:
> USER_FAILED_ADD_ADUSER(327), Correlation ID:
> bf5822eb-39da-49e5-b2ab-9865f71346a3, Call Stack: null, Custom ID: null,
> Custom Event ID: -1, Message: Failed to add User 'mgorca' to the system.
>
> in cyberwings.local.properties
>
> ovirt.engine.extension.name = cyberwings.local
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = ../aaa/cyberwings.local.properties
> config.globals.baseDN.simple_baseDN = dc=cyberwings,dc=local
>
> in cyberwings.local-authn.properties
> ovirt.engine.extension.name = cyberwings.local-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = cyberwings.local
> ovirt.engine.aaa.authn.authz.plugin = cyberwings.local
> config.profile.file.1 = ../aaa/cyberwings.local.properties
> config.globals.baseDN.simple_baseDN = dc=cyberwings,dc=local
>
>
> --
> Yan Naing Myint
> CEO
> Server & Network Engineer
> Cyber Wings Co., Ltd
> http://cyberwings.asia
> 09799950510
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] Failure while using ovirt-image-template role

2017-09-29 Thread Ondra Machacek 
On Thu, Sep 28, 2017 at 12:23 AM, Marc Seward  wrote:
> Hi,
>
> I'm trying to use the ovirt-image-template role to import a Glance image as
> a template into ovirt and I'm running into this error with
> python-ovirt-engine-sdk4-4.1.6-1.el7ev.x86_64
>
> I'd appreciate any pointers.
>
>
> TASK [ovirt.ovirt-ansible-roles/roles/ovirt-image-template : Find data
> domain]
> 
> task path:
> /etc/ansible/roles/ovirt.ovirt-ansible-roles/roles/ovirt-image-template/tasks/glance_image.yml:21
> fatal: [localhost]: FAILED! => {
> "failed": true,
> "msg": "You need to install \"jmespath\" prior to running json_query
> filter"

What version of Ansible/ovirt-ansible-roles do you use?
Ansible 2.3.2 has a dependency for jmespath, and so ovirt-ansble 1.0.3.

> }
>
> TASK [ovirt.ovirt-ansible-roles/roles/ovirt-image-template : Logout from
> oVirt] ***
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ansible ovirt_vms parameter cloud_init_nics

2017-09-27 Thread Ondra Machacek 
On Wed, Sep 27, 2017 at 9:32 AM, TranceWorldLogic .
 wrote:
> Hi,
>
> I was trying to initialize more than one nic via cloud init using ansible as
> shown below
>
> vars:
>myNicList: [ { nic_name: "eth0, nic_boot_protocol: "dhcp", nic_on_boot:
> "true"},{ nic_name: "eth0, nic_boot_protocol: "dhcp", nic_on_boot: "true"} ]

It looks good, you just miss ", right after eth0, so it should be:

myNicList: [ { nic_name: "eth0", nic_boot_protocol: "dhcp",
nic_on_boot: "true"},{ nic_name: "eth1", nic_boot_protocol: "dhcp",
nic_on_boot: "true"} ]

Also you can pass it as follows(could be more readable):

  myNicList:
  - nic_name: eth0
nic_boot_protocol: dhcp
nic_on_boot: true
  - nic_name: eth1
nic_boot_protocol: dhcp
nic_on_boot: true

>
> ovirt_vms:
>auth: "{{ ovirt_auth }}"
>name: test
>...
>cloud_init_nics : "{{ myNicList }}"
>
> Here I am getting error object is type none.
> When I tired to debug ovirt_vms module it showed me below outpu:
>
>cloud_init_nics: [
>{},
>{}
>]
>
> My quesion is, how can I pass list of dictionary in ansible to ovirt_vms via
> variable ?
>
> Please help me, I am stuck.
>
> Thanks,
> ~Rohit
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] oVirt automation through Ansible and cloud-init in oVirt 4.1.5 + Ansible 2.3.1

2017-09-11 Thread Ondra Machacek 
On Sat, Sep 9, 2017 at 2:02 AM, Julián Tete  wrote:
> oVirt Version: 4.1.5
>
> Ansible: 2.3.1
>
> Hello Friends of oVirt
>
> I want to automate the creation, provisioning and deployment of virtual
> machines in oVirt, using Ansible.
>
> I want to use a non-cloud image for the template. It has cloud-init
> installed. And it looks for the IP http: //169.254.169 and the following
> error message: "Calling 'http: //169.254.169 ."
>
> It looks like oVirt uses a config drive with a user-data.txt file
>
> This is my Ansible Playbook:
>
> ---
> # Primer Play
> - hosts: oVirtEnginePruebas
>   remote_user: root
>   tasks:
> - name : Definiendo la conexion con el Engine de oVirt
>   ovirt_auth:
>   url: https://engine1.example.com/ovirt-engine/api
>   username: admin@internal
>   password: mysupersecretpassword
>   ca_file: /etc/pki/ovirt-engine/ca.pem
>
> - name : Creando la maquina virtual requerida
>   ovirt_vms:
>   auth: "{{ ovirt_auth }}"
>   state: present
>   name: CentOS7CloudInit
>   template: CloudInitTemplate
>   cluster: Default

Why you need this? I think you can remove and use just the task below.

>
> - name : Se establecen las propiedades de la maquina virtual y los
> parametros de cloud-init
>   ovirt_vms:
>   auth: "{{ ovirt_auth }}"
>   name: CentOS7CloudInit
>   template: CloudInitTemplate
>   cluster: Default
>   memory: 5GiB
>   cpu_cores: 8
>   high_availability: true
>   cloud_init:
> host_name: cloudinit.example.com
> nic_name: eth0
> nic_boot_protocol: static
> nic_ip_address: 192.168.0.238
> nic_netmask: 255.255.255.0
> nic_gateway: 192.168.0.1
> dns_servers: 8.8.8.8
> dns_search: example.com
> nic_on_boot: true
> user_name: root
> root_password: mysupersecretpassword

This looks OK, and should work, what is the issue you have?

>
> - name : Desconectando con el Engine de oVirt revocando el token SSO
>   ovirt_auth:
>   state: absent
>   ovirt_auth: "{{ ovirt_auth }}"
> ~
>
>
> I just want to use Ansible for this, I do not want to use the oVirt
> webinterface to run run once every time I want to provision a machine.
>
> How can I do that ?
>
> Thanks in advance
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] testing REST API

2017-08-18 Thread Ondra Machacek 
On Fri, Aug 18, 2017 at 11:38 PM, wodel youchi  wrote:
>
> Hi;
>
> I am reading the REST API Guide, it's the first time that I am testing this.
>
> I have hard time to use OAuth authentication to make queries.
>
> I can get the token with curl and with a firefox REST module
> curl --cacert ca.crt -X POST -H 'Content-Type: 
> application/x-www-form-urlencoded' -H 'Accept: application/json' -d 
> 'grant_type=password&scope=ovirt-appapi&username=admin%40internal&password=mypass'
>  https://engine101.example.com/ovirt-engine/sso/oauth/token HTTP/1.1

You have incorrect scope. You have ovirt-appapi , but it should be ovirt-app-api

>
>
> engine log :
> [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-1) [] 
> User admin@internal successfully logged in with scopes: ovirt-appapi
>
>
> But when I try to use it I get this error :
> curl --cacert ca.crt -X GET  -H 'application/xml' -H 'Authorization: Bearer 
> fT0knxah-wEOyi-VdhmozKv-hz-wohVm268BBJts-MYxNZ548K0UZCSmv5nY18Z6gPiFdl-VAySjqr_N4gPGAA'
>https://engine101.example.com/ovirt-engine/api/vms HTTP/1.1
>
> engine log:
> ERROR [org.ovirt.engine.core.aaa.filters.SsoRestApiAuthFilter] (default 
> task-30) [] Cannot authenticate using authentication Headers: The required 
> scope ovirt-app-api is not granted.
>
> With basic authentication, it's working, so I don't know where is the problem.
>
> Regards.
>
> Garanti sans virus. www.avast.com
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

  1   2   3   4   >