[Engine-devel] ovirt-cli 3.3.0.1 released
by Michael Pasternak
- at vm.start() --vm-os-boot doesn't send the order of devices #921464
- rephrase status command help
- add option to retrieve system summary #854369
- accept IP address as FQ argument rather than string #886067
- fix broken pipe
- Bad error message when trying to create a new Role #908284
- add flag --dont-validate-cert-chain #915231
- collection-based-options could be passed in 2 ways #859684
- make NO_SUCH_ACTION error a bit more clear
- ovirt-cli DistributionNotFound exception on f18 #881011
- ovirt-shell misleading help for command "connect" #907943
- show event -id accept strings instead of numeric values #886786
- Use vncviewer passwordFile instead of passwdInput
More details can be found at [1].
[1] http://wiki.ovirt.org/Cli-changelog
--
Michael Pasternak
RedHat, ENG-Virtualization R&D
10 years, 5 months
[Engine-devel] Error message while trying to delete default cluster
by Shubhendu Tripathi
Hi,
While trying to delete the Default cluster in oVirt it shows the below
error message -
"Cannot remove default Host Cluster.
Cannot remove Cluster. One or more Template(s) are still associated with it"
But in the case of RHSC, Templates are not used and this message is not
relevant. [1].
Can we opt for not installing the templates while engine setup? And
would it be having any impact/consequences ?
Kindly provide your thoughts and possibility of the same.
Thanks and Regards,
Shubhendu
PS:
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1019838
10 years, 5 months
[Engine-devel] Consideration of the permission type
by Piotr Kliczewski
Hello everyone,
I am working on https://bugzilla.redhat.com/show_bug.cgi?id=878812 bug
so I played a bit with the code to understand how permission system
works and noticed few things (please correct me if I am wrong):
- In order to login to admin portal user need to have one of the admin
roles (role_type = 1)
- system tree is built using number of queries
- before running each query permission validation happens so the code
checks whether the user is able to run a query
- I noticed that none of the queries required to build system tree is
admin query and validation depends on result of getUser().isAdmin()
(Please check http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=blob;f=backend/manage...
line 123). This statement is always true for a user which was able to
log in to admin portal.
I was able to come up with following ways to solve this issue (please
help to find the good enough):
- fix verification
- filter results of query
- change a bit permission model. The structure is quite flat (there
are only 2 role_types) or we could go with containers as it was
proposed in bug description.
Thanks,
Piotr
10 years, 5 months
[Engine-devel] OpenLdap and Kerberos for oVirt on f19
by Piotr Kliczewski
Hello everyone,
I working on configuring OpenLdap 2.4.36 with kerberos for oVirt running on f19.
I follow following instruction:
https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
Please note that the instruction was written for f18. In order to have
step 18 working from
command line I had to set SASL_NOCANON to off. The reason was that I got:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
When SASL_NOCANON is off I can search the ldap but have the same issue
from java code:
I got javax.naming.AuthenticationException: [LDAP: error code 49 -
SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context].
Have this when connecting using engine-manage-domains
(http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=blob;f=backend/manage...
line 84).
Can you please point me where is my config issue?
I copied engine-devel for reference.
Thanks,
Piotr
10 years, 5 months
[Engine-devel] daily oVirt 3.3.1 blocker status
by Sandro Bonazzola
Hi,
The following blockers are still not fixed:
VDSM:
Bug 1022961 - Running a VM from a gluster domain uses mount instead of gluster URI
Bug 1022975 - [vdsm] storage domain upgrade fails with attributeError
Federico, Eduardo, can you provide an ETA for those?
The following patches are targeted 3.3 and needs to be reviewed:
http://gerrit.ovirt.org/#/q/branch:%255Eovirt*-3.3.*,n,z
vdsm: support VIR_MIGRATE_ABORT_ON_ERROR Peter V. Saveliev vdsm ovirt-3.3 Oct 27
hsm: fix isoprefix KeyError for inactive domains Federico Simoncelli vdsm ovirt-3.3 Oct 20 +1
Read pool metadata once in StoragePool.getInfo() Federico Simoncelli vdsm ovirt-3.3 Oct 15
Make hsm.getVolumesList() pool independent. Federico Simoncelli vdsm ovirt-3.3 Oct 15
Adding [start|stop]MonitoringDomain(). Federico Simoncelli vdsm ovirt-3.3 Oct 15
stats: return domain lockspace status Federico Simoncelli vdsm ovirt-3.3 Oct 15
Make getRepoStats() a hsm method. Federico Simoncelli vdsm ovirt-3.3 Oct 15
Fix getStorageDomainInfo() logic. Federico Simoncelli vdsm ovirt-3.3 Oct 15
vm: add the transient disk support Federico Simoncelli vdsm ovirt-3.3 Oct 15
please review them and merge ASAP the patches meant to be in 3.3.1.
I'm not aware of other blockers.
If you're aware of any other blocker, please add it to the tracker bug (Bug 1019391 - Tracker: oVirt 3.3.1 release)
--
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
10 years, 5 months
[Engine-devel] Migrating an existing installation to hosted engine
by Yedidyah Bar David
Hi all,
A message with the same subject was sent to arch around a month ago, see [1].
In short, it suggested two approaches:
1. Use p2v (or v2v)
2. Clean install of OS/engine software and use backup/restore.
Following that, I pushed a few changes for engine-backup and engine-setup,
with the intention of doing, briefly:
1. hosted-engine --deploy on new host
2. Install OS/software on new vm
3. backup on old engine machine
4. On new vm, do restore, which only restores the database and files,
followed by engine-setup, which will fix whatever else needs to be fixed.
Some of the changes are still pending, and are under some controversy. See
[2], [3], [4].
A more detailed description of the suggested migration path is in [5].
What do you think?
Should engine-setup do as little as possible to the system, or as much as
needed to save the admin from any manual work?
Should engine-setup doing an upgrade do the same as a new setup, or just
whatever that's needed to adapt the config/database to the new code?
A specific example: if admin chose during initial setup to automatically
configure the firewall (iptables/firewalld), should upgrade update it again,
or not touch it?
Should engine-backup do all these things when doing a restore?
Should we have some other utility to do these things?
Should we merely document them and let the admin do this manually?
[1] http://lists.ovirt.org/pipermail/arch/2013-October/001677.html
[2] https://bugzilla.redhat.com/1024707
[3] http://gerrit.ovirt.org/20736
[4] http://gerrit.ovirt.org/20737
[5] http://www.ovirt.org/Migrate_to_Hosted_Engine
--
Didi
10 years, 5 months
[Engine-devel] UI Refresh synchronization
by Alexander Wels
Hi guys,
I am working on providing our users with a better experience in regards to
refresh synchronization. Quite often it will happen that you as a user will do
a particular action, and it takes a whole refresh cycle for you to see the UI
updated in response to that action. For instance if you remove a VM in the
webadmin and click the ok button in the UI, the grid will still show the VM
until the next refresh cycle, not when the VM is actually removed.
I have created a wiki page that outlines the issues, and the ways we are
intending to solve these issues [1]. Feel free to comment/e-mail/etc to let me
know what you guys think.
Alexander
[1] http://www.ovirt.org/Features/Design/UIRefreshSynchronization
10 years, 5 months
[Engine-devel] Permissions involved in using REST API
by Jonathan Daugherty
Hi all,
I'm interested in setting up a non-administrative user account to be
used to access the oVirt REST API. I have a user who is testing this
functionality by integrating some Vagrant-related software to talk to
oVirt. The user's oVirt account is a non-admin account with enough
privileges to create and modify VMs on one of my clusters.
What we found is that the account is unable to make requests to, say,
/api/vms
(he gets 401 or 404 responses) and instead gets a response indicating
that the account has "insufficient permissions." My engine.log says of
the access only this:
2013-11-06 14:50:28,158 ERROR
[org.ovirt.engine.api.restapi.resource.AbstractBackendResource]
(ajp--127.0.0.1-8702-13) Operation Failed: query execution faile
d due to insufficient permissions.
and in server.log I have see Java tracebacks involving this[1]:
2013-11-06 14:50:28,159 WARN
[org.jboss.resteasy.core.SynchronousDispatcher]
(ajp--127.0.0.1-8702-13) failed to execute:
org.ovirt.engine.api.restapi.resource.BaseBackendResource$WebFaultException
Later we found that assigning an Admin role to the user's account at the
data center level with no permissions enabled permitted API access. So
the user was able to make requests to /api/ URLs and get data and was
able to log into the oVirt administration portal but was unable to take
further action.
So my questions are:
- Is this expected behavior? Is there some smaller (less permissive)
change in privileges I can use to bring about the same behavior?
- Is there some place where such behavior is documented? I couldn't
find any. The documentation on permissions on the RHEV docs only
mentions the overall impact of using specific roles and permissions
and says nothing about API access consequences or "Admin" roles with
no permissions.
My initial assumption was that any user with credentials would be able
to make API requests, but that the corresponding API responses would be
filtered based on what the user had privileges to see just as with the
User Portal.
Thanks!
[1] A full trace can be found at http://pastebin.com/czcfQkYL
--
Jonathan Daugherty
Software Engineer
Galois, Inc.
10 years, 5 months
