Error: Adding new Host to ovirt-engine
by Ahmad Khiet
Hi,
Can't add new host to ovirt engine, because of the following error:
2019-06-12 12:23:09,664 p=4134 u=engine | TASK [ovirt-host-deploy-facts : Set facts] *************************************
2019-06-12 12:23:09,684 p=4134 u=engine | ok: [10.35.1.17] => {
    "ansible_facts": {
        "ansible_python_interpreter": "/usr/bin/python2",
        "host_deploy_vdsm_version": "4.40.0"
    },
    "changed": false
}
2019-06-12 12:23:09,697 p=4134 u=engine | TASK [ovirt-provider-ovn-driver : Install ovs] *********************************
2019-06-12 12:23:09,726 p=4134 u=engine | fatal: [10.35.1.17]: FAILED! => {}
MSG:
The conditional check 'cluster_switch == "ovs" or (ovn_central is defined and ovn_central | ipaddr and ovn_engine_cluster_version is version_compare('4.2', '>='))' failed. The error was: The ipaddr filter requires python's netaddr be installed on the ansible controller
The error appears to be in '/home/engine/apps/engine/share/ovirt-engine/playbooks/roles/ovirt-provider-ovn-driver/tasks/configure.yml': line 3, column 5, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
  - block:
    - name: Install ovs
    ^ here
2019-06-12 12:23:09,728 p=4134 u=engine | PLAY RECAP *********************************************************************
2019-06-12 12:23:09,728 p=4134 u=engine | 10.35.1.17 : ok=3 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
What's missing!?
Thanks
--
Ahmad Khiet
Red Hat <https://www.redhat.com/>
akhiet(a)redhat.com
M: +972-54-6225629
<https://red.ht/sig>
1 year, 3 months
Merge rights changes in the oVirt Engine project
by Tal Nisan
Hi everyone,
As you probably know we are now in a mode in which we develop our next
zstream version on the master branch as opposed to how we worked before
where the master version was dedicated for the next major version. This
makes the rapid changes in master to be delivered to customers in a much
higher cadence thus affecting stability.
Due to that we think it's best that from now on merges in the master branch
will be done only by stable branch maintainers after inspecting those
closely.
What you need to do in order to get your patch merged:
- Have it pass Jenkins
- Have it get code review +2
- Have it marked verified +1
- It's always encouraged to have it tested by OST, for bigger changes it's a
must
Once you have all those covered, please add me as a reviewer and I'll
examine it and merge if everything seems right, if I haven't done it in a
timely manner feel free to ping me.
3 years, 7 months
Error Java SDK Issue??
by Geschwentner, Patrick
Dear Ladies and Gentlemen!
I am currently working with the java-sdk and I encountered a problem.
If I would like to retrieve the disk details, I get the following error:
Disk currDisk = ovirtConnection.followLink(diskAttachment.disk());
The Error is occurring in this line:
[cid:image001.png@01D44537.AF127FD0]
The getResponst looks quite ok. (I inspected: [cid:image002.png@01D44537.AF127FD0] and it looks ok).
Error:
wrong number of arguments
The code is quite similar to what you published on github (https://github.com/oVirt/ovirt-engine-sdk-java/blob/master/sdk/src/test/j... ).
Can you confirm the defect?
Best regards
Patrick
3 years, 7 months
virsh on compute host
by Paul Dyer
I am trying to use the command line to stop and start vms in ovirt 4.4.
Previously, I used virsh on the standalone engine machine, but that has
been removed in this release.
On the compute host, I am able to use virsh to list vms, and shutdown vms
from that list. The start command gives me this error:
virsh # start r7-dante
error: failed to get domain 'r7-dante'
I have also tried to use curl with the restapi from the standalone engine.
I have not been able to find examples of how to stop and start vms. Here
is an example of my list of vms...
curl --cacert '/etc/pki/ovirt-engine/ctg.crt' --request GET \
  --header 'Version: 4' --header 'Accept: application/xml' \
  --user 'admin@internal:psw' \
  https://bacchus.neworleans.com/ovirt-engine/api/vms
Can anyone help me with this?
Thank you. Regards
--
Paul Dyer,
Mercury Consulting Group, RHCE
504-338-8750
3 years, 8 months
Publish master more often
by Yedidyah Bar David
Hi all,
Right now, when we merge a patch e.g. to the engine (and many other
projects), it can take up to several days until it is used by the
hosted-engine ovirt-system-tests suite. Something similar will happen
soon if/when we introduce suites that use ovirt-node.
If I got it right:
- Merge causes CI to build the engine - immediately, takes ~ 1 hour (say)
- A publisher job [1] publishes it to resources.ovirt.org (daily,
midnight (UTC))
- The next run of an appliance build [2] includes it (daily, afternoon)
- The next run of the publisher [1] publishes the appliance (daily, midnight)
- The next run of ost-images [3] includes the appliance (daily,
midnight, 2 hours after the publisher) (and publishes it immediately)
- The next run of ost (e.g. [4]) will use it (daily, slightly *before*
ost-images, but I guess we can change that. And this does not affect
manual runs of OST, so can probably be ignored in the calculation, at
least to some extent).
So if I got it right, a patch merged to the engine in some morning,
will be used by the nightly run of OST HE only after almost 3 days,
and available for manual runs after 2 days. IMO that's too much time.
I might be somewhat wrong, but not very, I think.
One partial solution is to add automation .repos lines to relevant
projects that will link at lastSuccessfulBuild (let's call it lastSB)
of the more important projects they consume - e.g. appliance to use
lastSB of engine+dwh+a few others, node to use lastSB of vdsm, etc.
This will require more maintenance (adding/removing/fixing projects as
needed) and cause some more load on CI (as now packages will be
downloaded from it instead of from resources.ovirt.org).
Another solution is to run relevant jobs (publisher/appliance/node)
far more often - say, once every two hours. This will also add load,
and might cause "perceived" instability - as things will likely
fluctuate between green and red more often.
I think I prefer the latter. What do you think?
Thanks and best regards,
[1] https://jenkins.ovirt.org/job/ovirt_master_publish-rpms_nightly/
[2] https://jenkins.ovirt.org/job/ovirt-appliance_master_build-artifacts-el8-...
[3] https://jenkins.ovirt.org/job/ost-images_master_standard-poll-upstream-so...
[4] https://jenkins.ovirt.org/job/ovirt-system-tests_he-basic-suite-master/
--
Didi
3 years, 9 months
test_verify_engine_certs (was: [oVirt Jenkins] ovirt-system-tests_basic-suite-master_nightly - Build # 894 - Failure!)
by Yedidyah Bar David
On Mon, Feb 22, 2021 at 3:12 AM <jenkins(a)jenkins.phx.ovirt.org> wrote:
>
> Project: https://jenkins.ovirt.org/job/ovirt-system-tests_basic-suite-master_nightly/
> Build: https://jenkins.ovirt.org/job/ovirt-system-tests_basic-suite-master_night...
> Build Number: 894
> Build Status: Failure
> Triggered By: Started by timer
>
> -------------------------------------
> Changes Since Last Success:
> -------------------------------------
> Changes for Build #894
> [Andrej Cernek] ost_utils: Remove explicit object inheritance
>
>
>
>
> -----------------
> Failed Tests:
> -----------------
> 1 tests failed.
> FAILED: basic-suite-master.test-scenarios.test_002_bootstrap.test_verify_engine_certs[CA certificate]
>
> Error Message:
> ost_utils.shell.ShellError: Command failed with rc=1. Stdout: Stderr: unable to load certificate 139734854465344:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
>
> Stack Trace:
> key_format = 'X509-PEM-CA'
> verification_fn = <function <lambda> at 0x7f6aab2add90>, engine_fqdn = 'engine'
> engine_download = <function engine_download.<locals>.download at 0x7f6aa98d5ea0>
>
> @pytest.mark.parametrize("key_format, verification_fn", [
> pytest.param(
> 'X509-PEM-CA',
> lambda path: shell.shell(["openssl", "x509", "-in", path, "-text", "-noout"]),
> id="CA certificate"
> ),
> pytest.param(
> 'OPENSSH-PUBKEY',
> lambda path: shell.shell(["ssh-keygen", "-l", "-f", path]),
> id="ssh pubkey"
> ),
> ])
> @order_by(_TEST_LIST)
> def test_verify_engine_certs(key_format, verification_fn, engine_fqdn,
> engine_download):
> url = 'http://{}/ovirt-engine/services/pki-resource?resource=ca-certificate&format={}'
I guess (didn't check, only looked at engine git log) that this is a
result of [1].
Anyone looking at this?
This is trying to download the engine ca cert via http, and then do some verification on it.
Generally speaking, this is a chicken-and-egg problem: You can't securely download a ca cert if you need this cert to securely download it.
For OST, it might be easy to fix by s/http/https/ and perhaps passing some param to make it not check certs in https. But I find it quite reasonable that others are doing similar things and will now be broken by this change [1]. If so, we might decide that this is "by design" - that whoever that gets broken, should fix their stuff one way or another (like OST above, or via safer means if possible/relevant, such as using ssh to securely connect to the engine machine and then get the cert from there somehow (do we have an api for this?)). Or we can decide that it's an engine bug - that [1] should have allowed this specific url to bypass hsts.
[1] https://gerrit.ovirt.org/c/ovirt-engine/+/113508
>
> with http_proxy_disabled(), tempfile.NamedTemporaryFile() as tmp:
> engine_download(url.format(engine_fqdn, key_format), tmp.name)
> try:
> > verification_fn(tmp.name)
>
> ../basic-suite-master/test-scenarios/test_002_bootstrap.py:292:
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> ../basic-suite-master/test-scenarios/test_002_bootstrap.py:275: in <lambda>
> lambda path: shell.shell(["openssl", "x509", "-in", path, "-text", "-noout"]),
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>
> args = ['openssl', 'x509', '-in', '/tmp/tmpnj42cxm2', '-text', '-noout']
> bytes_output = False, kwargs = {}
> process = <subprocess.Popen object at 0x7f6aa98143c8>, out = ''
> err = 'unable to load certificate\n139734854465344:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE\n'
>
> def shell(args, bytes_output=False, **kwargs):
> process = subprocess.Popen(args,
> stdout=subprocess.PIPE,
> stderr=subprocess.PIPE,
> **kwargs)
> out, err = process.communicate()
>
> if not bytes_output:
> out = out.decode("utf-8")
> err = err.decode("utf-8")
>
> if process.returncode:
> > raise ShellError(process.returncode, out, err)
> E ost_utils.shell.ShellError: Command failed with rc=1. Stdout:
> E
> E Stderr:
> E unable to load certificate
> E 139734854465344:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
(As I said, didn't check myself - I suppose that hsts causes httpd to
return some kind of redirect, and this is the way openssl fails when
we input this redirect instead of a cert).
Best regards,
--
Didi
3 years, 9 months
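Added example, not part of the original thread or of OST: a Python check for the situation discussed in the message above. It reports a redirect or HTML body as such before anything reaches openssl, and accepts a CA certificate fetched over an unauthenticated channel only when its SHA-256 fingerprint matches a pin obtained out of band. The function names, the 302 response and the sample bytes are constructed for illustration; that the engine answers with a redirect is the message's own supposition.

```python
import base64
import hashlib
import hmac
import re

# Only the plain CERTIFICATE label is accepted, so the pin covers the DER itself.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)"
    r"\s*-----END CERTIFICATE-----")

def sha256_hex(der):
    return hashlib.sha256(der).hexdigest()

def check_ca_download(status, headers, body, pinned_sha256):
    """Return the fingerprint if body is a PEM cert matching the pin.

    Raises ValueError naming the reason otherwise, so a redirect or an
    HTML page is reported as such and not as an openssl PEM error.
    """
    if 300 <= status < 400:
        raise ValueError("redirect to %s" % headers.get("Location", "?"))
    match = PEM_CERT.search(body.decode("ascii", "replace"))
    if status != 200 or match is None:
        raise ValueError("HTTP %d without a PEM certificate" % status)
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    found = sha256_hex(der)
    # The channel is unauthenticated, so trust comes only from the pin,
    # obtained out of band (for example over ssh on the engine machine).
    if not hmac.compare_digest(found, pinned_sha256.lower()):
        raise ValueError("fingerprint mismatch: got " + found)
    return found

def reason(*args):
    """Demo helper: 'ok', or the reason the download was rejected."""
    try:
        check_ca_download(*args)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample data: placeholder bytes, not a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate" * 2
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
REDIRECT = (302, {"Location": "https://engine/ovirt-engine/services/"
                  "pki-resource?resource=ca-certificate&format=X509-PEM-CA"},
            b"<html><body>302 Found</body></html>")

if __name__ == "__main__":
    for case in [(200, {}, SAMPLE_PEM), REDIRECT]:
        print(reason(*case, sha256_hex(SAMPLE_DER)))
```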