On Fri, Feb 8, 2019, 18:46 Fedor Gavrilov <fgavrilo@redhat.com> wrote:
Hi Nir,

First of all, thanks for your continued support with this issue, I do appreciate it!

>What is the result of the test in the UI? I guess you get yellow warning?

Yes.
"Connection to ovirt-imageio-proxy service has failed. Make sure the service is installed, configured, and ovirt-engine certificate is registered as a valid CA in the browser."

>$ENGINE_PREFIX/etc/ovirt-imageio-proxy/image-proxy.conf

there is no such file for me, only logger.conf there
I must notice, imageio proxy is running:
apple     1211  0.0  0.3 295616 25756 pts/0    Sl   11:18   0:03 python git/ovirt-imageio/proxy/ovirt-imageio-proxy

image-proxy.log is very uneventful:
(MainThread) INFO 2019-02-08 11:18:17,239 server:45:server:(start) Starting (pid=1211, version=1.5.0)
(MainThread) INFO 2019-02-08 11:18:17,245 image_proxy:26:root:(main) Server started, unable to notify systemd

>answers file

vi ovirt-engine/var/lib/ovirt-engine/setup/answers/20190207155217-setup.conf

OTOPI answer file, generated by human dialog
[environment:default]
QUESTION/1/OVESETUP_CONFIG_ADMIN_SETUP=str:engine
QUESTION/1/OVESETUP_CONFIG_APPLICATION_MODE=str:both
QUESTION/1/OVESETUP_CONFIG_IMAGEIO_PROXY=str:yes
QUESTION/1/OVESETUP_CONFIG_SAN_WIPE_AFTER_DELETE=str:no
QUESTION/1/OVESETUP_CONFIG_VMCONSOLE_PROXY=str:yes
QUESTION/1/OVESETUP_CONFIG_WEBSOCKET_PROXY=str:yes
QUESTION/1/OVESETUP_DIALOG_CONFIRM_SETTINGS=str:ok
QUESTION/1/OVESETUP_ENGINE_DB_DATABASE=str:engine
QUESTION/1/OVESETUP_ENGINE_DB_HOST=str:localhost
QUESTION/1/OVESETUP_ENGINE_DB_PASSWORD=str:engine
QUESTION/1/OVESETUP_ENGINE_DB_PORT=str:5432
QUESTION/1/OVESETUP_ENGINE_DB_SECURED=str:no
QUESTION/1/OVESETUP_ENGINE_DB_USER=str:engine
QUESTION/1/OVESETUP_ENGINE_ENABLE=str:yes
QUESTION/1/OVESETUP_NETWORK_FQDN_this=str:localhost.localdomain
QUESTION/1/OVESETUP_PKI_ORG=str:localdomain
QUESTION/1/OVESETUP_SYSTEM_UNPRIVILEGED=str:yes
QUESTION/1/ovirt-provider-ovn=str:no
QUESTION/2/OVESETUP_CONFIG_ADMIN_SETUP=str:engine

>Trying to upload to proxy or daemon? from the UI or using upload_disk.py
example?

From what I understood from the doc, imageio proxy needs to be running where the engine is, imageio daemon needs to be running where host is and machine from where the file is uploaded needs neither. So, yeah, that's what I did. From the client machine with nothing but certificate installed (192.168.111.1) I am accessing the engine (192.168.111.2) through UI and trying to upload an image to a data domain accessed by and located on the host (192.168.111.3).

> Did you restart engine after changing the config?

I did a fresh install, so the only time I configured the engine was already with imageio included. But anyway, I restarted it today, same UI warning, same (lack of) results.

> Did you add engine CA to the browser?

Yes, added it to the browser of client machine aka 192.168.111.1. No certificate juggling needs to be done to engine and host machines from what I understood, right?

> Did you check the browser console.log?

Yes. There is an error but seems to be unrelated. Here is the log from my firefox:

Fri Feb 08 11:26:59 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Polling for status
webadmin:1:8676
Fri Feb 08 11:26:59 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Upload phase: Resuming
webadmin:1:8676
Fri Feb 08 11:27:03 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Polling for status
webadmin:1:8676
Fri Feb 08 11:27:03 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Upload phase: Resuming
webadmin:1:8676
Fri Feb 08 11:27:07 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Polling for status
webadmin:1:8676
Fri Feb 08 11:27:07 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Upload phase: Transferring
webadmin:1:8676
Fri Feb 08 11:27:07 GMT+100 2019
SEVERE: Uncaught exception
com.google.gwt.core.client.JavaScriptException: (TypeError) : a.n is null
        at Unknown.BFs(webadmin-147.js)
        at Unknown._Fs(webadmin-147.js)
        at Unknown.K_p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.x0p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.A0p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.N2p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.Q2p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.n2p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.q2p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.i8e(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.F1(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.U1(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.onreadystatechange<(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.Qu(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.Tu(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.Su/<(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.anonymous(Unknown)
webadmin:1:8591
Fri Feb 08 11:27:07 GMT+100 2019 remote
SEVERE: Uncaught exception
com.google.gwt.core.client.JavaScriptException: (TypeError) : a.n is null
        at Unknown.BFs(webadmin-147.js)
        at Unknown._Fs(webadmin-147.js)
        at Unknown.K_p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.x0p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.A0p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.N2p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.Q2p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.n2p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.q2p(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.i8e(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.F1(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.U1(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.onreadystatechange<(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.Qu(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.Tu(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.Su/<(http://192.168.111.2:8080/ovirt-engine/webadmin/?locale=en_US)
        at Unknown.anonymous(Unknown)
webadmin:1:8591
Fri Feb 08 11:27:11 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Polling for status
webadmin:1:8676
Fri Feb 08 11:27:11 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Upload phase: Transferring
webadmin:1:8676
Fri Feb 08 11:27:15 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Polling for status
webadmin:1:8676
Fri Feb 08 11:27:15 GMT+100 2019 org.ovirt.engine.ui.uicommonweb.models.storage.UploadImageHandler
INFO: Upload phase: Paused by System

> Can you share your logs?

Please let me know if there are additional logs needed. I think this + previous email is all I got.

> Maybe you can be interested in implementing this?

I am for sure, I would be glad to simplify the process if possible, but let me first understand how this thing works right now :)

Btw I have my notes about what needs to be fixed with dev docs for both engine and imageio (lacking python libs, postgres needs some caressing etc.), so I'm planning to improve documentation a bit. Well, after I can get imageio working.

Thanks,
Fedor

----- Original Message -----
From: "Nir Soffer" <nsoffer@redhat.com>
To: "Fedor Gavrilov" <fgavrilo@redhat.com>
Cc: "Roy Golan" <rgolan@redhat.com>, "devel" <devel@ovirt.org>, "Daniel Erez" <derez@redhat.com>, "Yedidyah Bar David" <didi@redhat.com>
Sent: Thursday, February 7, 2019 6:42:48 PM
Subject: Re: [ovirt-devel] Re: imageio proxy and engine dev setup

On Thu, Feb 7, 2019 at 7:32 PM Fedor Gavrilov <fgavrilo@redhat.com> wrote:

> I just did a fresh setup, applying the latest suggestions and it seems now
> there is an error message in the engine log when I press "test connection"
> in upload image window:
>

What is the result of the test in the UI? I guess you get yellow warning?


>
> ***
> 192.168.111.1 is machine where iso is
> 192.168.111.2 is engine
> 192.168.111.3 is host and nfs storage
> ***
>
> ----------------------------------------
> Exception happened during processing of request from ('192.168.111.1',
> 46230)
> Traceback (most recent call last):
>   File "/usr/lib64/python2.7/SocketServer.py", line 596, in
> process_request_thread
>     self.finish_request(request, client_address)
>   File "/usr/lib64/python2.7/SocketServer.py", line 331, in finish_request
>     self.RequestHandlerClass(request, client_address, self)
>   File "/usr/lib64/python2.7/SocketServer.py", line 652, in __init__
>     self.handle()
>   File "/usr/lib64/python2.7/wsgiref/simple_server.py", line 116, in handle
>     self.raw_requestline = self.rfile.readline(65537)
>   File "/usr/lib64/python2.7/socket.py", line 480, in readline
>     data = self._sock.recv(self._rbufsize)
>   File "/usr/lib64/python2.7/ssl.py", line 772, in recv
>     return self.read(buflen)
>   File "/usr/lib64/python2.7/ssl.py", line 659, in read
>     v = self._sslobj.read(len)
> SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate
> (_ssl.c:1941)
> ----------------------------------------
>

This looks like bad proxy configuration, it does not accept the engine
certificate.

Can you share:
- $ENGINE_PREFIX/etc/ovirt-imageio-proxy/image-proxy.conf?
- your engine-setup answer file

Didi, where do we keep the answer file?

> Not sure what it means though. Certificate is installed in my browser, just
> double-checked that.
> When trying to upload the file nevertheless, this is what appears in
> engine logs:
>

Trying to upload to proxy or daemon? from the UI or using upload_disk.py
example?

> 2019-02-07 18:27:34,768+01 INFO
> [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-56)
> [1b6235be-02b4-446a-b486-22cce0d7a1bb] Adding image ticket to
> ovirt-imageio-proxy, id 00e11769-70c4-4b92-9cb9-4ff633566d8e
> 2019-02-07 18:27:34,820+01 ERROR
> [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-56)
> [1b6235be-02b4-446a-b486-22cce0d7a1bb] Failed to add image ticket to
> ovirt-imageio-proxy: javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: No subject alternative names
> matching IP address 192.168.111.2 found
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> [jsse.jar:1.8.0_191]
>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
> [jsse.jar:1.8.0_191]
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
> [jsse.jar:1.8.0_191]
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
> [jsse.jar:1.8.0_191]
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
> [jsse.jar:1.8.0_191]
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
> [jsse.jar:1.8.0_191]
>         at
> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
> [rt.jar:1.8.0_191]
>         at
> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> [rt.jar:1.8.0_191]
>         at
> sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
> [rt.jar:1.8.0_191]
>         at
> sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
> [rt.jar:1.8.0_191]
>         at
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
> [rt.jar:1.8.0_191]
>         at
> org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand.addImageTicketToProxy(TransferDiskImageCommand.java:837)
> [bll.jar:]
>         at
> org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand.startImageTransferSession(TransferDiskImageCommand.java:763)
> [bll.jar:]
>         at
> org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand.handleImageIsReadyForTransfer(TransferDiskImageCommand.java:452)
> [bll.jar:]
>         at
> org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand.handleInitializing(TransferDiskImageCommand.java:423)
> [bll.jar:]
>         at
> org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand.executeStateHandler(TransferDiskImageCommand.java:358)
> [bll.jar:]
>         at
> org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand.proceedCommandExecution(TransferDiskImageCommand.java:345)
> [bll.jar:]
>         at
> org.ovirt.engine.core.bll.storage.disk.image.TransferImageCommandCallback.doPolling(TransferImageCommandCallback.java:21)
> [bll.jar:]
>         at
> org.ovirt.engine.core.bll.tasks.CommandCallbacksPoller.invokeCallbackMethodsImpl(CommandCallbacksPoller.java:175)
> [bll.jar:]
>         at
> org.ovirt.engine.core.bll.tasks.CommandCallbacksPoller.invokeCallbackMethods(CommandCallbacksPoller.java:109)
> [bll.jar:]
>         at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> [rt.jar:1.8.0_191]
>         at
> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
> [rt.jar:1.8.0_191]
>         at
> org.glassfish.enterprise.concurrent.internal.ManagedScheduledThreadPoolExecutor$ManagedScheduledFutureTask.access$201(ManagedScheduledThreadPoolExecutor.java:383)
> [javax.enterprise.concurrent-1.0.jar:]
>         at
> org.glassfish.enterprise.concurrent.internal.ManagedScheduledThreadPoolExecutor$ManagedScheduledFutureTask.run(ManagedScheduledThreadPoolExecutor.java:534)
> [javax.enterprise.concurrent-1.0.jar:]
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> [rt.jar:1.8.0_191]
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> [rt.jar:1.8.0_191]
>         at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_191]
>         at
> org.glassfish.enterprise.concurrent.ManagedThreadFactoryImpl$ManagedThread.run(ManagedThreadFactoryImpl.java:250)
> [javax.enterprise.concurrent-1.0.jar:]
>         at
> org.jboss.as.ee.concurrent.service.ElytronManagedThreadFactory$ElytronManagedThread.run(ElytronManagedThreadFactory.java:78)
> Caused by: java.security.cert.CertificateException: No subject alternative
> names matching IP address 192.168.111.2 found
>         at
> sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
> [rt.jar:1.8.0_191]
>         at
> sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
> [rt.jar:1.8.0_191]
>         at
> sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> [jsse.jar:1.8.0_191]
>         at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> [jsse.jar:1.8.0_191]
>         ... 30 more
>
> 2019-02-07 18:27:34,830+01 ERROR
> [org.ovirt.engine.core.bll.storage.disk.image.TransferDiskImageCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-56)
> [1b6235be-02b4-446a-b486-22cce0d7a1bb] Failed to add image ticket to
> ovirt-imageio-proxy
>

Expected when proxy will not accept engine request because of bad
certificate.


> 2019-02-07 18:27:34,836+01 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (EE-ManagedThreadFactory-engineScheduled-Thread-56)
> [1b6235be-02b4-446a-b486-22cce0d7a1bb] EVENT_ID:
> TRANSFER_IMAGE_STOPPED_BY_SYSTEM_FAILED_TO_ADD_TICKET_TO_PROXY(1,070),
> Transfer was stopped by system. Reason: failed to add image ticket to
> ovirt-imageio-proxy.
>
> I will continue looking into it tomorrow as well, but any advice is much
> appreciated.
>
> Thanks,
> Fedor Gavrilov
>
> ----- Original Message -----
> From: "Nir Soffer" <nsoffer@redhat.com>
> To: "Fedor Gavrilov" <fgavrilo@redhat.com>
> Cc: "Roy Golan" <rgolan@redhat.com>, "devel" <devel@ovirt.org>, "Daniel
> Erez" <derez@redhat.com>
> Sent: Wednesday, February 6, 2019 10:26:00 PM
> Subject: Re: [ovirt-devel] Re: imageio proxy and engine dev setup
>
> On Wed, Feb 6, 2019 at 12:24 PM Fedor Gavrilov <fgavrilo@redhat.com>
> wrote:
>
> First, please keep Daniel in the CC, this is your best chance to get a help on
> this, and a good practice for most issues :-)
>
> > Thanks, Roy! I will try setting it up according to what you suggested.
> > Last attempt failed indeed: according to logs, both daemon and proxy tried
> > establishing a connection with each other with some 200 OK in logs, no
> > error messages but nevertheless upload did not happen after all.
> >
> >
>
> Did you restart engine after changing the config?
> Did you add engine CA to the browser?
> Did you check the browser console.log?
> Can you share your logs?
>

Can you reply to these questions?

> > Speaking about it, does anyone know more straightforward way to have ISO
> > disk on data domain?
>
>
> Uploading from the UI is the most straightforward way. But you need to get
> a working setup
> first.
>
> > I am not as much interested in debugging ISO upload but rather attaching it
> > to VM.
> >
>
> Sad that you are not interested in this yet, but in the meantime you can
> use the ovirt SDK
> upload_disk.py example.
>
> 1. install first the ovirt python sdk version 4:
>
>     dnf install python3-ovirt-engine-sdk4
>
> 2. Download the upload disk example:
>
>
>
> https://github.com/oVirt/ovirt-engine-sdk/blob/master/sdk/examples/upload_disk.py
>
> 3. Change the configuration to match your setup (e.g. storage domain name)
>
> 4. Upload:
>
>     python upload_disk.py --direct /path/to/disk.iso
>

Did you try this?

Getting proxy to work with development setup may take more time, but this method is very easy to use and does not require the proxy.

You can run this on one of the hosts since they already have engine ca file, or from another host after you copy engine ca file.


> Note that --direct goes directly to the host, this is faster compared with
> going to the proxy.
>
> I think we should have a proper command line tool that make all this much
> easier. We have
> this RFE:
> https://bugzilla.redhat.com/show_bug.cgi?id=1626262
>
> Maybe you can be interested in implementing this?
>
> Nir
>
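
The `No subject alternative names matching IP address 192.168.111.2 found` error in the engine log quoted above comes from how a TLS client matches the address it connected to against the server certificate. The following is an added example, not part of the thread and not oVirt or JDK code; it re-implements the matching rule over the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the certificate contents are a constructed assumption (a certificate that names only the FQDN from the answer file).

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# Assumption: the certificate names only the FQDN seen in the answer file.
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost.localdomain"),),),
    "subjectAltName": (("DNS", "localhost.localdomain"),),
}


def dns_match(pattern, host):
    """Match a dNSName SAN; a wildcard may only be the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def check_identity(cert, target):
    """Return (ok, reason) for connecting to `target` with server cert `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is compared only with iPAddress entries, never with
        # dNSName entries or the subject commonName.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched IP Address SAN " + value
        return False, "no subject alternative names matching IP address " + target
    for kind, value in sans:
        if kind == "DNS" and dns_match(value, target):
            return True, "matched DNS SAN " + value
    return False, "no subject alternative DNS name matching " + target


def report(cert, targets):
    """Check several connection targets against one certificate."""
    return {t: check_identity(cert, t) for t in targets}


if __name__ == "__main__":
    # Same constructed certificate, reissued with an iPAddress SAN added.
    fixed = dict(SAMPLE_CERT, subjectAltName=SAMPLE_CERT["subjectAltName"]
                 + (("IP Address", "192.168.111.2"),))
    targets = ["localhost.localdomain", "192.168.111.2"]
    for name, cert in (("DNS-only cert", SAMPLE_CERT), ("cert with IP SAN", fixed)):
        for target, (ok, why) in report(cert, targets).items():
            print(name, target, "OK" if ok else "FAIL", why)
```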