[ovirt-users] Info on fence_rhevm against oVirt 4.1.1

Gianluca Cecchi gianluca.cecchi at gmail.com
Thu Apr 27 23:54:11 UTC 2017 

On Thu, Apr 27, 2017 at 6:32 PM, Juan Hernández <jhernand at redhat.com> wrote:

> That is a known issue:
>
>   fence_rhevm can only work as RHEV admin user not a regular user (that
> requires "Filter: true http header)
>   https://bugzilla.redhat.com/1287059
>
> That was fixed in fence-agents-4.0.11-47.el7, but I guess it wasn't
> backported to CentOS 6.
>
> I'd suggest that you open a bug for this component in the Red Hat
> Enterprise Linux bug tracker, requesting that the fix be back-ported.
>
> Meanwhile, if you are in a hurry, you can take the CentOS 7 fence_rhev
> script, which should work.
>
> You will most likely also need to add --ssl-indecure to the command line
> of the agent, because you will most likely be using the default self
> signed certificate authority used by the engine.
>
> Note that the latest version of this script uses the 'Filter: true'
> header to drop privileges. That means that even when using
> 'admin at internal' you have to make sure that 'admin at internal' has
> permissions for the VM that you want to fence, otherwise it will not be
> able to find/fence it.
>

Thanks for the feedback Juan.
I confirm that using fence_rhevm from latest CentOS 7 version it worked.
These were the lines in my cluster.conf

		<clusternode name="p2viclnorasvi1" nodeid="1" votes="1">
			<fence>
				<method name="1">
					<device name="ovirt_fencedelay" port="p2vorasvi1"/>
				</method>
			</fence>
		</clusternode>
		<clusternode name="p2viclnorasvi2" nodeid="2" votes="1">
			<fence>
				<method name="1">
					<device name="ovirt_fence" port="p2vorasvi2"/>
				</method>
			</fence>
		</clusternode>
	</clusternodes>
	<quorumd label="p2vcluorasvi" votes="1">
		<heuristic interval="2" program="ping -c1 -w1 172.16.10.231"
score="1" tko="200"/>
	</quorumd>
	<fencedevices>
		<fencedevice agent="fence_rhevm" delay="30" ipaddr="10.4.192.43"
login="g.cecchi at internal"
passwd_script="/usr/local/bin/pwd_dracnode01.sh"
name="ovirt_fencedelay" ssl="on" ssl_insecure="on" shell_timeout="20"
power_wait="10"/>
		<fencedevice agent="fence_rhevm" ipaddr="10.4.192.43"
login="g.cecchi at internal"
passwd_script="/usr/local/bin/pwd_dracnode02.sh" name="ovirt_fence"
ssl="on" ssl_insecure="on" shell_timeout="20" power_wait="10"/>
	</fencedevices>

Using admin at internal didn't work even if I set the permissions at vm
level too...

It worked with my username (g.cecchi) that has SuperUser system
privilege and also at VM level.

Is it yet necessary to have a user with SuperUser privilege at system level?

Tomorrow (today... ;-) I'm going to open a bugzilla to backport the feature.

Thanks again,
Gianluca
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170428/a83ea0dc/attachment.html>

More information about the Users mailing list