Re: [ovirt-users] seria consol setup
- Original Message -
> From: "Yedidyah Bar David"
> To: "Christophe TREFOIS", "Francesco Romani"
> Cc: "Fabrice Bacchella", "users"
> Sent: Thursday, March 31, 2016 8:00:04 AM
> Subject: Re: [ovirt-users] seria consol setup
>
> On Wed, Mar 30, 2016 at 7:28 PM, Christophe TREFOIS wrote:
> > Hi,
> >
> > I have a question on this.
> >
> > Can there be multiple SSH keys in that box in the GUI?
> >
> > For instance, we might have 2 keys for our “Admin” account?
>
> Not sure, Francesco?

Yes, you can paste multiple new-line separated public keys in the same box.

--
Francesco Romani
RedHat Engineering Virtualization R & D
Phone: 8261328
IRC: fromani
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] seria consol setup
On Wed, Mar 30, 2016 at 7:28 PM, Christophe TREFOIS wrote:
> Hi,
>
> I have a question on this.
>
> Can there be multiple SSH keys in that box in the GUI?
>
> For instance, we might have 2 keys for our “Admin” account?

Not sure, Francesco?

>
> Thanks for your help,
>
> —
> C
>
>> On 23 Mar 2016, at 12:46, Fabrice Bacchella wrote:
>>
>>> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
>>>
>>> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella wrote:
>>>> I'm reading the documentation here :
>>>> http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>>>>
>>>> After a few strace, I found the ssh configuration used for the custom ssh
>>>> that listen on port :
>>>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>>>>
>>>> And I have a big problem with it.
>>>> It says "GSSAPIAuthentication no" but public key authentication is not
>>>> allowed in my data center, we use kerberos everywhere.
>>>> So I wonder if I can edit this file ? How is it managed by ovirt ?
>>>
>>> In general, things under /usr are only packaged, not "managed". So a
>>> next upgrade will overwrite your changes.
>>
>> Ok, so I just need to take care how modifications and upgrade are done
>> (using puppet) and everything should be fine.
>>>
>>> Seems like both its systemd unit and sysv init script read
>>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
>>> ${OPTIONS} to sshd's command line. So you can try to:
>>>
>>> echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
>>>
>>
>> I tried that. It works. I now have pure kerberos only problems. But that's a
>> good direction.
>>
>>> and restart it.
>>>

--
Didi
Re: [ovirt-users] seria consol setup
Hi,

I have a question on this.

Can there be multiple SSH keys in that box in the GUI?

For instance, we might have 2 keys for our “Admin” account?

Thanks for your help,

—
C

> On 23 Mar 2016, at 12:46, Fabrice Bacchella wrote:
>
>> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
>>
>> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella wrote:
>>> I'm reading the documentation here :
>>> http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>>>
>>> After a few strace, I found the ssh configuration used for the custom ssh
>>> that listen on port :
>>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>>>
>>> And I have a big problem with it.
>>> It says "GSSAPIAuthentication no" but public key authentication is not
>>> allowed in my data center, we use kerberos everywhere.
>>> So I wonder if I can edit this file ? How is it managed by ovirt ?
>>
>> In general, things under /usr are only packaged, not "managed". So a
>> next upgrade will overwrite your changes.
>
> Ok, so I just need to take care how modifications and upgrade are done (using
> puppet) and everything should be fine.
>>
>> Seems like both its systemd unit and sysv init script read
>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
>> ${OPTIONS} to sshd's command line. So you can try to:
>>
>> echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
>>
>
> I tried that. It works. I now have pure kerberos only problems. But that's a
> good direction.
>
>> and restart it.
>>
Re: [ovirt-users] seria consol setup
>>
>> su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys --debug list'
>> ERROR: Internal error
>>
>> --debug doesn't provide any help
>
> You should find them in the journal/system logger; otherwise it is a
> {different,new} bug.
>

Ok, I found it in /var/log/messages :

... ovirt-vmconsole-list: ERROR main:274 Error: hostname 'localhost' doesn't match u'FQDN'

But why as I do have in /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d/10-setup.conf

ENGINE_VERIFY_HOST=False

That's the default, I didn't change it.
Re: [ovirt-users] seria consol setup
- Original Message -
> From: "Fabrice Bacchella"
> To: "Francesco Romani"
> Cc: "Yedidyah Bar David", "users"
> Sent: Wednesday, March 23, 2016 4:29:15 PM
> Subject: Re: [ovirt-users] seria consol setup
>
> I'm trying, my configuration is still incomplete, I added in my httpd.conf:
>
> ServerName XXX
> DocumentRoot htdocs
>
> RedirectMatch ^/$ /ovirt-engine/
>
> SSLEngine on
> SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
> SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass
> SSLCACertificateFile /etc/pki/ovirt-engine/apache-ca.pem
>
> RequestHeader unset Expect early
>
> ^/(ovirt-engine($|/)|api($|/)|RHEVManagerWeb/|OvirtEngineWeb/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$)>
> ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5
>
> AddOutputFilterByType DEFLATE text/javascript text/css text/html
> text/xml text/json application/xml application/json
> application/x-yaml
>
> and in /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d/99-my.conf
> ENGINE_BASE_URL=https://localhost:1443/ovirt-engine/
>
> but no progress :
>
> su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys --debug list'
> ERROR: Internal error
>
> --debug doesn't provide any help

You should find them in the journal/system logger; otherwise it is a
{different,new} bug.

Bests,

--
Francesco Romani
RedHat Engineering Virtualization R & D
Phone: 8261328
IRC: fromani
Re: [ovirt-users] seria consol setup
I'm trying, my configuration is still incomplete, I added in my httpd.conf:

ServerName XXX
DocumentRoot htdocs

RedirectMatch ^/$ /ovirt-engine/

SSLEngine on
SSLCertificateFile /etc/pki/ovirt-engine/certs/apache.cer
SSLCertificateKeyFile /etc/pki/ovirt-engine/keys/apache.key.nopass
SSLCACertificateFile /etc/pki/ovirt-engine/apache-ca.pem

RequestHeader unset Expect early

ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5

AddOutputFilterByType DEFLATE text/javascript text/css text/html text/xml text/json application/xml application/json application/x-yaml

and in /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d/99-my.conf

ENGINE_BASE_URL=https://localhost:1443/ovirt-engine/

but no progress :

su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys --debug list'
ERROR: Internal error

--debug doesn't provide any help

but

curl -vk -XPOST https://localhost:1443/ovirt-engine/services/vmconsole-proxy

fails of course, but because the query is no good.

More messages from ovirt-vmconsole-proxy-keys would be very helpful.

> On 23 March 2016 at 13:32, Francesco Romani wrote:
>
> - Original Message -
>> From: "Fabrice Bacchella"
>> To: "Francesco Romani"
>> Cc: "Yedidyah Bar David", "users"
>> Sent: Wednesday, March 23, 2016 1:21:11 PM
>> Subject: Re: [ovirt-users] seria consol setup
>>
>>
>>> On 23 March 2016 at 12:32, Francesco Romani wrote:
>>>
>>> - Original Message -
>>>> From: "Yedidyah Bar David"
>>>> To: "Fabrice Bacchella", "Francesco Romani"
>>>> Cc: "users"
>>>> Sent: Wednesday, March 23, 2016 12:28:52 PM
>>>> Subject: Re: [ovirt-users] seria consol setup
>>>
>>>>> I can always use puppet to modify just this line, it will be fine for me.
>>>>>
>>>>> The point 4 in Automatic Setup is not very helpful:
>>>>> " • once the setup succesfully run, and once ovirt-engine is running,
>>>>> you can log in and register a SSH key. (TODO: add picture)"
>>>>>
>>>>> what does it mean ?
>>>
>>> It just means that you need to add SSH public keys for the users which want
>>> to use the serial console.
>>>
>>> E.g. log in user portal
>>> in the top right corner there is the $user drop down menu, click on it
>>> select "options"
>>> paste public key here
>>>
>>> HTH,
>>
>> I tried that, it didn't work.
>
> What didn't work? Adding the keys or -AFAIK- the full authentication?
>
>> By digging in log and configuration, I think
>> it's because I have an Apache server in front of ovirt-engine, using a
>> specific SSO authentication module (using CAS), so the certificate-based
>> authentication is failing, if my comprehension is good. So you should add a
>> few lines about that in the documentation.
>
> Will improve in this regard
>
>> Should I make the proxy helper
>> talk directly to tomcat by playing with ENGINE_BASE_URL in
>> /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d ?
>
> Yes, the proxy helper is supposed to talk directly with the Engine.
>
>> There is also a small glitch in the documentation:
>> su - ovirt-vmconsole -c 'ovirt-vmconsole-proxy-keys list'
>> but it should be:
>> su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys list'
>
> Thanks, will fix.
>
> Bests,
>
> --
> Francesco Romani
> RedHat Engineering Virtualization R & D
> Phone: 8261328
> IRC: fromani
Re: [ovirt-users] seria consol setup
> On 23 March 2016 at 13:32, Francesco Romani wrote:
>
>>> E.g. log in user portal
>>> in the top right corner there is the $user drop down menu, click on it
>>> select "options"
>>> paste public key here
>>>
>>> HTH,
>>
>> I tried that, it didn't work.
>
> What didn't work? Adding the keys or -AFAIK- the full authentication?

I was still unable to connect, but for the reasons explained later. So I will continue to play with my apache setup to check if it can resolve that.
Re: [ovirt-users] seria consol setup
- Original Message -
> From: "Fabrice Bacchella"
> To: "Francesco Romani"
> Cc: "Yedidyah Bar David", "users"
> Sent: Wednesday, March 23, 2016 1:21:11 PM
> Subject: Re: [ovirt-users] seria consol setup
>
>
> > On 23 March 2016 at 12:32, Francesco Romani wrote:
> >
> > - Original Message -
> >> From: "Yedidyah Bar David"
> >> To: "Fabrice Bacchella", "Francesco Romani"
> >> Cc: "users"
> >> Sent: Wednesday, March 23, 2016 12:28:52 PM
> >> Subject: Re: [ovirt-users] seria consol setup
> >
> >>> I can always use puppet to modify just this line, it will be fine for me.
> >>>
> >>> The point 4 in Automatic Setup is not very helpful:
> >>> " • once the setup succesfully run, and once ovirt-engine is running,
> >>> you can log in and register a SSH key. (TODO: add picture)"
> >>>
> >>> what does it mean ?
> >
> > It just means that you need to add SSH public keys for the users which want
> > to use the serial console.
> >
> > E.g. log in user portal
> > in the top right corner there is the $user drop down menu, click on it
> > select "options"
> > paste public key here
> >
> > HTH,
>
> I tried that, it didn't work.

What didn't work? Adding the keys or -AFAIK- the full authentication?

> By digging in log and configuration, I think
> it's because I have an Apache server in front of ovirt-engine, using a
> specific SSO authentication module (using CAS), so the certificate-based
> authentication is failing, if my comprehension is good. So you should add a
> few lines about that in the documentation.

Will improve in this regard

> Should I make the proxy helper
> talk directly to tomcat by playing with ENGINE_BASE_URL in
> /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d ?

Yes, the proxy helper is supposed to talk directly with the Engine.

> There is also a small glitch in the documentation:
> su - ovirt-vmconsole -c 'ovirt-vmconsole-proxy-keys list'
> but it should be:
> su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys list'

Thanks, will fix.

Bests,

--
Francesco Romani
RedHat Engineering Virtualization R & D
Phone: 8261328
IRC: fromani
Re: [ovirt-users] seria consol setup
> On 23 March 2016 at 12:32, Francesco Romani wrote:
>
> - Original Message -
>> From: "Yedidyah Bar David"
>> To: "Fabrice Bacchella", "Francesco Romani"
>> Cc: "users"
>> Sent: Wednesday, March 23, 2016 12:28:52 PM
>> Subject: Re: [ovirt-users] seria consol setup
>
>>> I can always use puppet to modify just this line, it will be fine for me.
>>>
>>> The point 4 in Automatic Setup is not very helpful:
>>> " • once the setup succesfully run, and once ovirt-engine is running,
>>> you can log in and register a SSH key. (TODO: add picture)"
>>>
>>> what does it mean ?
>
> It just means that you need to add SSH public keys for the users which want
> to use the serial console.
>
> E.g. log in user portal
> in the top right corner there is the $user drop down menu, click on it
> select "options"
> paste public key here
>
> HTH,

I tried that, it didn't work. By digging in log and configuration, I think it's because I have an Apache server in front of ovirt-engine, using a specific SSO authentication module (using CAS), so the certificate-based authentication is failing, if my comprehension is good. So you should add a few lines about that in the documentation. Should I make the proxy helper talk directly to tomcat by playing with ENGINE_BASE_URL in /etc/ovirt-engine/ovirt-vmconsole-proxy-helper.conf.d ? On a https enabled connector for tomcat ?

I have actually in my apache configuration:

AuthType CAS
Require valid-user
CASAuthNHeader X-Remote-User
ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600 retry=5
AddOutputFilterByType DEFLATE text/javascript text/css text/html text/xml text/json application/xml application/json application/x-yaml

There is also a small glitch in the documentation:
su - ovirt-vmconsole -c 'ovirt-vmconsole-proxy-keys list'
but it should be:
su - ovirt-vmconsole -c '/usr/libexec/ovirt-vmconsole-proxy-keys list'
Re: [ovirt-users] seria consol setup
> On 23 March 2016 at 13:07, Yedidyah Bar David wrote:
>
> On Wed, Mar 23, 2016 at 1:46 PM, Fabrice Bacchella wrote:
>>
>>> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
>>>
>>> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella wrote:
>>>> I'm reading the documentation here :
>>>> http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>>>>
>>>> After a few strace, I found the ssh configuration used for the custom ssh
>>>> that listen on port :
>>>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>>>>
>>>> And I have a big problem with it.
>>>> It says "GSSAPIAuthentication no" but public key authentication is not
>>>> allowed in my data center, we use kerberos everywhere.
>>>> So I wonder if I can edit this file ? How is it managed by ovirt ?
>>>
>>> In general, things under /usr are only packaged, not "managed". So a
>>> next upgrade will overwrite your changes.
>>
>> Ok, so I just need to take care how modifications and upgrade are done
>> (using puppet) and everything should be fine.
>
> But isn't the below enough?

It is, but I need to add too many options, it will become clumsy. So I'm keeping it in my mind.
Re: [ovirt-users] seria consol setup
On Wed, Mar 23, 2016 at 1:46 PM, Fabrice Bacchella wrote:
>
>> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
>>
>> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella wrote:
>>> I'm reading the documentation here :
>>> http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>>>
>>> After a few strace, I found the ssh configuration used for the custom ssh
>>> that listen on port :
>>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>>>
>>> And I have a big problem with it.
>>> It says "GSSAPIAuthentication no" but public key authentication is not
>>> allowed in my data center, we use kerberos everywhere.
>>> So I wonder if I can edit this file ? How is it managed by ovirt ?
>>
>> In general, things under /usr are only packaged, not "managed". So a
>> next upgrade will overwrite your changes.
>
> Ok, so I just need to take care how modifications and upgrade are done (using
> puppet) and everything should be fine.

But isn't the below enough?

>>
>> Seems like both its systemd unit and sysv init script read
>> /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
>> ${OPTIONS} to sshd's command line. So you can try to:
>>
>> echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
>>
>
> I tried that. It works. I now have pure kerberos only problems. But that's a
> good direction.

Good. So that should be enough, no? IIRC command-line options override conf file in sshd, no need to play games with rpm/yum.

Thanks for the report.

Best,

--
Didi
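Added example, not part of the thread and not oVirt's own code: repeating the `echo 'OPTIONS=...' >>` from the message above for a second override appends a second `OPTIONS=` assignment, and when a shell sources the file only the last one survives, so the first override is silently lost. The hypothetical helper `set_sshd_option` keeps all overrides in one `OPTIONS` line; it assumes each override is written as separate `-o Key=Value` words with no spaces in the value.

```shell
#!/bin/sh
# Added example (not from the thread, helper names are hypothetical).
# Intended use, with the path given in the thread:
#   set_sshd_option /etc/sysconfig/ovirt-vmconsole-proxy-sshd GSSAPIAuthentication yes

# get_options FILE: print the effective OPTIONS value.
# With several OPTIONS= lines the last assignment wins, as when sourced.
get_options() {
    [ -f "$1" ] || return 0
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# lower STRING: sshd keywords are case-insensitive, so compare in lower case.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# set_sshd_option FILE KEY VALUE
# Rewrites FILE so it holds exactly one OPTIONS= line in which KEY appears
# once with VALUE; unrelated overrides and other lines are preserved.
set_sshd_option() {
    so_file=$1; so_key=$2; so_value=$3
    so_new=""
    set -f                                   # no globbing while word-splitting
    set -- $(get_options "$so_file")
    set +f
    while [ $# -gt 0 ]; do
        if [ "$1" = "-o" ] && [ $# -ge 2 ]; then
            # Drop any earlier setting of the same keyword, keep the rest.
            if [ "$(lower "${2%%=*}")" != "$(lower "$so_key")" ]; then
                so_new="$so_new -o $2"
            fi
            shift 2
        else
            so_new="$so_new $1"              # keep flags that are not -o pairs
            shift
        fi
    done
    so_new="$so_new -o $so_key=$so_value"
    so_new=${so_new# }
    # Build the new file next to the old one, then replace it in one step.
    so_tmp=$(mktemp "$so_file.XXXXXX") || return 1
    if [ -f "$so_file" ]; then
        grep -v '^OPTIONS=' "$so_file" > "$so_tmp" || true
    fi
    printf 'OPTIONS="%s"\n' "$so_new" >> "$so_tmp"
    mv "$so_tmp" "$so_file"
}
```

After the restart the thread calls for, `sshd -T` (extended test mode) run with the same `-f` configuration file and `-o` overrides prints the effective settings, which shows whether the command-line value took precedence over the packaged `sshd_config`.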
Re: [ovirt-users] seria consol setup
> On 23 March 2016 at 12:28, Yedidyah Bar David wrote:
>
> On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella wrote:
>> I'm reading the documentation here :
>> http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>>
>> After a few strace, I found the ssh configuration used for the custom ssh
>> that listen on port :
>> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>>
>> And I have a big problem with it.
>> It says "GSSAPIAuthentication no" but public key authentication is not
>> allowed in my data center, we use kerberos everywhere.
>> So I wonder if I can edit this file ? How is it managed by ovirt ?
>
> In general, things under /usr are only packaged, not "managed". So a
> next upgrade will overwrite your changes.

Ok, so I just need to take care how modifications and upgrade are done (using puppet) and everything should be fine.

>
> Seems like both its systemd unit and sysv init script read
> /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
> ${OPTIONS} to sshd's command line. So you can try to:
>
> echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
>

I tried that. It works. I now have pure kerberos only problems. But that's a good direction.

> and restart it.
>
Re: [ovirt-users] seria consol setup
- Original Message -
> From: "Yedidyah Bar David"
> To: "Fabrice Bacchella", "Francesco Romani"
> Cc: "users"
> Sent: Wednesday, March 23, 2016 12:28:52 PM
> Subject: Re: [ovirt-users] seria consol setup

> > I can always use puppet to modify just this line, it will be fine for me.
> >
> > The point 4 in Automatic Setup is not very helpful:
> > " • once the setup succesfully run, and once ovirt-engine is running,
> > you can log in and register a SSH key. (TODO: add picture)"
> >
> > what does it mean ?

It just means that you need to add SSH public keys for the users which want to use
the serial console.

E.g. log in user portal
in the top right corner there is the $user drop down menu, click on it
select "options"
paste public key here

HTH,

--
Francesco Romani
RedHat Engineering Virtualization R & D
Phone: 8261328
IRC: fromani
Re: [ovirt-users] seria consol setup
On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella wrote:
> I'm reading the documentation here :
> http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
>
> After a few strace, I found the ssh configuration used for the custom ssh
> that listen on port :
> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
>
> And I have a big problem with it.
> It says "GSSAPIAuthentication no" but public key authentication is not
> allowed in my data center, we use kerberos everywhere.
> So I wonder if I can edit this file ? How is it managed by ovirt ?

In general, things under /usr are only packaged, not "managed". So a
next upgrade will overwrite your changes.

Seems like both its systemd unit and sysv init script read
/etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add
${OPTIONS} to sshd's command line. So you can try to:

echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> /etc/sysconfig/ovirt-vmconsole-proxy-sshd

and restart it.

> I can always use puppet to modify just this line, it will be fine for me.
>
> The point 4 in Automatic Setup is not very helpful:
> " • once the setup succesfully run, and once ovirt-engine is running,
> you can log in and register a SSH key. (TODO: add picture)"
>
> what does it mean ?

No idea. Adding Francesco.

--
Didi