[ovirt-users] Info on fence_rhevm against oVirt 4.1.1

Juan Hernández jhernand at redhat.com
Thu Apr 27 16:32:22 UTC 2017 

On 04/27/2017 05:35 PM, Gianluca Cecchi wrote:
> On Thu, Apr 27, 2017 at 4:58 PM, Gianluca Cecchi
> <gianluca.cecchi at gmail.com <mailto:gianluca.cecchi at gmail.com>> wrote:
> 
>     On Thu, Apr 27, 2017 at 4:43 PM, Gianluca Cecchi
>     <gianluca.cecchi at gmail.com <mailto:gianluca.cecchi at gmail.com>> wrote:
> 
>         Hello,
>         I'm trying to use fence_rhevm in a CentOS 6.8 guest that is part
>         of a virtual rhcs cluster
> 
>         My sw version for fence_agents inside guest is
>         fence-agents-4.0.15-12.el6.x86_64 and I notice that for this
>         particular agent nothing changes also using the latest available
>         package fence-agents-4.0.15-13.el6.x86_64.rpm apart
> 
>         [root at p2vnorasvi1 ~]# diff fence_rhevm /usr/sbin/fence_rhevm
>         13c13
>         < BUILD_DATE="(built Wed Mar 22 04:24:11 UTC 2017)"
>         ---
>         > BUILD_DATE="(built Tue May 10 22:28:47 UTC 2016)"
>         [root at p2vnorasvi1 ~]# 
> 
>         The VM name in oVirt 4.1.1 is p2vorasvi1
> 
>         Running this command against the engine I get
> 
>         [root at p2vnorasvi1 network-scripts]# fence_rhevm -a 10.4.192.43
>         -l "admin at internal" -p "mypassword" -z --shell-timeout=20
>         --power-wait=10 -v -o status -n p2vorasvi1
>         vms/?search=name%3Dp2vorasvi1
> 
>         <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>         <html><head>
>         <title>404 Not Found</title>
>         </head><body>
>         <h1>Not Found</h1>
>         <p>The requested URL /api/vms/ was not found on this server.</p>
>         </body></html>
> 
> 
>         Failed: Unable to obtain correct plug status or plug is not
>         available
> 
>         Actually I get the same error even if I put a wrong password....
> 
>         What am I missing...?
>         Do I have to specify DC/cluster if I have more than one, or
>         other parameters?
> 
>         Thanks,
>         Gianluca
> 
> 
> 
>     If I change this in fence_rhevm
> 
>     [root at p2vnorasvi1 sbin]# diff fence_rhevm fence_rhevm.orig 
>     84c84
>     < url += "//" + opt["--ip"] + ":" + str(opt["--ipport"]) +
>     "/ovirt-engine/api/" + command
>     ---
>     > url += "//" + opt["--ip"] + ":" + str(opt["--ipport"]) + "/api/" +
>     command
> 
>     I now get 401 unauthorized....
> 
>     [root at p2vnorasvi1 sbin]# fence_rhevm -a 10.4.192.43 -z -l
>     "admin at internal" -p "mypassword"  --shell-timeout=20 --power-wait=10
>     -v -o status -n p2vorasvi1
>     vms/?search=name%3Dp2vorasvi1
> 
>     <html><head><title>Error</title></head><body>Unauthorized</body></html>
> 
>     Failed: Unable to obtain correct plug status or plug is not available
> 
> 
>     [root at p2vnorasvi1 sbin]# 
> 
>     and in engine ssl_access.log
> 
>     127.0.0.1 - - [27/Apr/2017:16:51:55 +0200] "POST
>     /ovirt-engine/sso/oauth/token HTTP/1.1" 200 153
>     10.4.168.91 - - [27/Apr/2017:16:51:55 +0200] "GET
>     /ovirt-engine/api/vms/?search=name%3Dp2vorasvi2 HTTP/1.1" 401 71
> 
> 
> 
> Tried also using v3 in url, this way:
> 
> [root at p2vnorasvi1 sbin]# diff fence_rhevm fence_rhevm.orig 
> 84c84
> < url += "//" + opt["--ip"] + ":" + str(opt["--ipport"]) +
> "/ovirt-engine/api/v3/" + command
> ---
>> url += "//" + opt["--ip"] + ":" + str(opt["--ipport"]) + "/api/" + command
> [root at p2vnorasvi1 sbin]# 
> 
> [root at p2vnorasvi1 sbin]# fence_rhevm -a 10.4.192.43 -z -l
> "admin at internal" -p "mypassword"  --shell-timeout=20 --login-timeout=20
> --power-wait=10 -v -o status -n p2vorasvi1
> vms/?search=name%3Dp2vorasvi1
> 
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
> 
> Failed: Unable to obtain correct plug status or plug is not available
> 
> 
> [root at p2vnorasvi1 sbin]# 
> 

That is a known issue:

  fence_rhevm can only work as RHEV admin user not a regular user (that
requires "Filter: true http header)
  https://bugzilla.redhat.com/1287059

That was fixed in fence-agents-4.0.11-47.el7, but I guess it wasn't
backported to CentOS 6.

I'd suggest that you open a bug for this component in the Red Hat
Enterprise Linux bug tracker, requesting that the fix be back-ported.

Meanwhile, if you are in a hurry, you can take the CentOS 7 fence_rhev
script, which should work.

You will most likely also need to add --ssl-indecure to the command line
of the agent, because you will most likely be using the default self
signed certificate authority used by the engine.

Note that the latest version of this script uses the 'Filter: true'
header to drop privileges. That means that even when using
'admin at internal' you have to make sure that 'admin at internal' has
permissions for the VM that you want to fence, otherwise it will not be
able to find/fence it.

More information about the Users mailing list