[Users] Master Storage Domain in status locked.
by Jonas Israelsson
Greetings.
Due to an unfortunate storage misconfiguration (iscsi) the Ovirt-node
was unable to mount it's master storage domain after a power outage.
During the troubleshooting I believe I have managed to get the domain in
some weird state where it now remains in status locked.
If trying to take (only) host/node online it goes back to
non-operational since it's unable to mount the master storage domain.
Rebooting the node and or the engine makes no difference.
Everything storage wise should be OK now.
Any idea on how to recover ?
vdsm.log attached
With kind regards
Jonas
11 years, 7 months
- 1
- 0
Re: [Users] Certificates and PKI seem to be broken after yum update
by Chris Smith
Since I'm not able to reinstall the host from the ovirt-engine web
interface, as another thought I wanted to see if I could bring up a
third host and add it to the cluster.
I have a host Fedora 17 box ready to go but I can't add it to the
cluster. It states that there are no available server in the cluster
to probe the new host.
What about approaching it from the other direction. Would I be able
to stand up an ovirt-h node on the same hardware and then add it to
ovirt from the host itself, using the setup menu?
Could it then obtain spm status and bring the storage domain online?
On Thu, Apr 18, 2013 at 7:20 PM, Chris Smith <whitehat237(a)gmail.com> wrote:
> engine.log attached
>
> On Thu, Apr 18, 2013 at 7:11 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>> Need to know precise error, please attach engine.log.
>>
>>
>> ----- Original Message -----
>>> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> Cc: Users(a)ovirt.org
>>> Sent: Friday, April 19, 2013 2:03:59 AM
>>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>>>
>>> So as of now, I can put the host into maintenance mode using the
>>> ovirt-engine web interface. I can also try and activate it. It
>>> states that the host was activated. The host never actually comes up
>>> or contends for SPM status, and the data center never actually comes
>>> online.
>>>
>>> If I put the host into maintenance mode and try to reinstall it, it
>>> throws an error and size must be between 0 and 50.
>>>
>>> On Thu, Apr 18, 2013 at 6:51 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>> > I am not sure I understand the status.
>>> >
>>> > Everything is working or not.
>>> > If not, what exactly fails?
>>> > Why do you run it 'again'?
>>> >
>>> > What happens if you reinstall host? Go to maintenance and select reinstall?
>>> >
>>> > I cannot understand how all this results from upgrade, something had
>>> > changed, the CA certificate installed on the host is probably not the CA
>>> > certificate of the engine.
>>> >
>>> > ----- Original Message -----
>>> >> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> >> To: "Alon Bar-Lev" <alonbl(a)redhat.com>, Users(a)ovirt.org
>>> >> Sent: Friday, April 19, 2013 1:45:23 AM
>>> >> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
>>> >> update
>>> >>
>>> >> On Thu, Apr 18, 2013 at 6:44 PM, Chris Smith <whitehat237(a)gmail.com>
>>> >> wrote:
>>> >> > I made a backup of the .truststore, and then followed the steps and
>>> >> > then rebooted both the ovirt-engine and one of the hosts, and
>>> >> > everything worked properly.
>>> >> >
>>> >> > If I run it again, or enter the wrong password it throws an error
>>> >> > about the key store already existing, or that the password was wrong
>>> >> > so I'm pretty sure it's good.
>>> >> >
>>> >> > vdsm.log on the host still shows:
>>> >> >
>>> >> > Traceback (most recent call last):
>>> >> > File "/usr/lib64/python2.7/SocketServer.py", line 582, in
>>> >> > process_request_thread
>>> >> > self.finish_request(request, client_address)
>>> >> > File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
>>> >> > line 66, in finish_request
>>> >> > request.do_handshake()
>>> >> > File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>>> >> > self._sslobj.do_handshake()
>>> >> > SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> >> > routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> >> >
>>> >> > engine.log on the host shows:
>>> >> >
>>> >> > 2013-04-18 18:42:43,632 ERROR
>>> >> > [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >> > (QuartzScheduler_Worker-68) Failed to decryptData must start with zero
>>> >> > 2013-04-18 18:42:43,642 ERROR
>>> >> > [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> >> > (QuartzScheduler_Worker-68) XML RPC error in command
>>> >> > GetCapabilitiesVDS ( Vds: transporter ), the error was:
>>> >> > java.util.concurrent.ExecutionException:
>>> >> > java.lang.reflect.InvocationTargetException,
>>> >> > SunCertPathBuilderException: unable to find valid certification path
>>> >> > to requested target
>>> >> >
>>> >> >
>>> >> > On Thu, Apr 18, 2013 at 4:06 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>> >> >>
>>> >> >> You should ask these question in separate thread so people may pick
>>> >> >> them
>>> >> >> up.
>>> >> >>
>>> >> >> For the .truststore, try to remove it and then execute:
>>> >> >>
>>> >> >> # rm -f /etc/pki/ovirt-engine/.truststore
>>> >> >> # keytool -import -noprompt -trustcacerts -alias cacert -keypass mypass
>>> >> >> -file /etc/pki/ovirt-engine/certs/ca.der -keystore
>>> >> >> /etc/pki/ovirt-engine/.truststore -storepass mypass
>>> >> >> # chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore
>>> >> >>
>>> >> >> It should recreate the truststore with the ca certificate you have.
>>> >> >>
>>> >> >> ----- Original Message -----
>>> >> >>> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> >> >>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> >> >>> Cc: Users(a)ovirt.org
>>> >> >>> Sent: Thursday, April 18, 2013 7:18:27 AM
>>> >> >>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
>>> >> >>> update
>>> >> >>>
>>> >> >>> If it would be easier than re-setting up the certificates, I'm also
>>> >> >>> willing to just start over and rebuild, but I would like to export the
>>> >> >>> VM's I have first.
>>> >> >>> One of them is a spacewalk server, another runs DNS, and DHCP for my
>>> >> >>> test network, and I have an asterisk server. I would like to avoid
>>> >> >>> having to re-create all of them.
>>> >> >>>
>>> >> >>> The VM's are up and running now, so I could export all of the
>>> >> >>> configurations / backup the file systems, etc.
>>> >> >>>
>>> >> >>> Preferably I could export the VM's to an NFS export domain, or a
>>> >> >>> mounted NFS share so that I can import them to the new storage domain,
>>> >> >>> after I run engine-cleanup and get everything set back up. Is there
>>> >> >>> an easy way to do this? Is it possible to create and attach an NFS
>>> >> >>> export domain directly from the CLI without access to the ovirt
>>> >> >>> manager without communication between the manager and hosts due to the
>>> >> >>> pki issue? Can I export the VM's directly from the hosts to a
>>> >> >>> standard NFS share?
>>> >> >>>
>>> >> >>> Is there an equivalent xml and image file for the VM?
>>> >> >>>
>>> >> >>> My storage domain is iscsi and is served out from another server over
>>> >> >>> 4 bonded 1 Gbps copper links.
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> On Wed, Apr 17, 2013 at 11:46 PM, Chris Smith <whitehat237(a)gmail.com>
>>> >> >>> wrote:
>>> >> >>> > I checked the .truststore on the ovirt engine, and it seems fine.
>>> >> >>> >
>>> >> >>> > [root@reliant ovirt-engine]# ls -l .truststore
>>> >> >>> > -rwxr-x---. 1 ovirt ovirt 918 Apr 6 21:56 .truststore
>>> >> >>> >
>>> >> >>> > It's not zero bytes anyway.
>>> >> >>> >
>>> >> >>> > It's also the same size as the .truststore in the ovirt engine
>>> >> >>> > backups.
>>> >> >>> >
>>> >> >>> > [root@reliant ovirt-engine-backups]# find ./ -name .truststore -exec
>>> >> >>> > ls
>>> >> >>> > -l
>>> >> >>> > {} \;
>>> >> >>> > -rwxr-x---. 1 ovirt ovirt 918 Aug 26 2012
>>> >> >>> > ./ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
>>> >> >>> > -rwxr-x---. 1 root root 918 Mar 24 12:42
>>> >> >>> > ./ovirt-engine-2013_03_24_11_15_19/ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
>>> >> >>> >
>>> >> >>> > I haven't looked at the installCA.sh script yet.
>>> >> >>> >
>>> >> >>> > On Mon, Apr 8, 2013 at 2:58 AM, Alon Bar-Lev <alonbl(a)redhat.com>
>>> >> >>> > wrote:
>>> >> >>> >> This error means that the /etc/pki/ovirt-engine/.truststore is
>>> >> >>> >> unreadable
>>> >> >>> >> or does not contain the /etc/pki/ovirt-engine/ca.pem certificate.
>>> >> >>> >>
>>> >> >>> >> Unfortunately, the pki administration is weak in current
>>> >> >>> >> implementation,
>>> >> >>> >> you can trace the installation script and checkout the calls to
>>> >> >>> >> installCA.sh to how to reproduce, please note that password are
>>> >> >>> >> encrypted
>>> >> >>> >> in database using the private key locate in .keystore so if you are
>>> >> >>> >> to
>>> >> >>> >> re-generate anything remember to keep the engine private key.
>>> >> >>> >>
>>> >> >>> >> However, if you succeed in login, the remaining problem you have is
>>> >> >>> >> the
>>> >> >>> >> .truststore permissions and/or content.
>>> >> >>> >>
>>> >> >>> >> Regards,
>>> >> >>> >> Alon Bar-Lev.
>>> >> >>> >>
>>> >> >>> >> ----- Original Message -----
>>> >> >>> >>> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> >> >>> >>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> >> >>> >>> Cc: Users(a)ovirt.org
>>> >> >>> >>> Sent: Monday, April 8, 2013 9:46:46 AM
>>> >> >>> >>> Subject: Re: [Users] Certificates and PKI seem to be broken after
>>> >> >>> >>> yum
>>> >> >>> >>> update
>>> >> >>> >>>
>>> >> >>> >>> After setting the .keystore owner and group owner to ovirt, and
>>> >> >>> >>> rebooting, I now have a new error in engine.log
>>> >> >>> >>>
>>> >> >>> >>> 2013-04-08 02:39:16,787 ERROR
>>> >> >>> >>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >> >>> >>> (QuartzScheduler_Worker-95) Failed to decryptData must start with
>>> >> >>> >>> zero
>>> >> >>> >>> 2013-04-08 02:39:16,845 ERROR
>>> >> >>> >>> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> >> >>> >>> (QuartzScheduler_Worker-95) XML RPC error in command
>>> >> >>> >>> GetCapabilitiesVDS ( Vds: transporter ), the error was:
>>> >> >>> >>> java.util.concurrent.ExecutionException:
>>> >> >>> >>> java.lang.reflect.InvocationTargetException,
>>> >> >>> >>> SunCertPathBuilderException: unable to find valid certification
>>> >> >>> >>> path
>>> >> >>> >>> to requested target
>>> >> >>> >>>
>>> >> >>> >>> Are there other files that may have been affected that I can also
>>> >> >>> >>> correct ownership or permissions on?
>>> >> >>> >>>
>>> >> >>> >>> On the host side, I get certificate unknown in vdsm.log
>>> >> >>> >>>
>>> >> >>> >>> File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>>> >> >>> >>> self._sslobj.do_handshake()
>>> >> >>> >>> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> >> >>> >>> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> >> >>> >>> Thread-757809::ERROR::2013-04-08
>>> >> >>> >>> 02:44:05,424::SecureXMLRPCServer::73::root::(handle_error) client
>>> >> >>> >>> ('172.16.23.8', 54489)
>>> >> >>> >>> Traceback (most recent call last):
>>> >> >>> >>> File "/usr/lib64/python2.7/SocketServer.py", line 582, in
>>> >> >>> >>> process_request_thread
>>> >> >>> >>> self.finish_request(request, client_address)
>>> >> >>> >>> File
>>> >> >>> >>> "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
>>> >> >>> >>> line 66, in finish_request
>>> >> >>> >>> request.do_handshake()
>>> >> >>> >>> File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>>> >> >>> >>> self._sslobj.do_handshake()
>>> >> >>> >>> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> >> >>> >>> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> >> >>> >>>
>>> >> >>> >>> Is there a procedure for just re-establishing PKI and certs for
>>> >> >>> >>> the
>>> >> >>> >>> engine and hosts?
>>> >> >>> >>>
>>> >> >>> >>> On Sun, Apr 7, 2013 at 4:58 AM, Alon Bar-Lev <alonbl(a)redhat.com>
>>> >> >>> >>> wrote:
>>> >> >>> >>> >
>>> >> >>> >>> > OK... you are running a very old version of engine (3.1).
>>> >> >>> >>> >
>>> >> >>> >>> > The upgrade did not upgraded into 3.2, so nothing as far as I
>>> >> >>> >>> > know
>>> >> >>> >>> > should
>>> >> >>> >>> > have been changed.
>>> >> >>> >>> >
>>> >> >>> >>> > But the .keystore permissions is owned by root now, so some
>>> >> >>> >>> > other
>>> >> >>> >>> > package
>>> >> >>> >>> > (maybe selinux-policy) changed permissions...
>>> >> >>> >>> >
>>> >> >>> >>> > The simplest way to test is to:
>>> >> >>> >>> > # cp -a /etc/pki/ovirt-engine /etc/pki/ovirt-engine.backup1
>>> >> >>> >>> > # chown -R ovirt:ovirt /etc/pki/ovirt-engine
>>> >> >>> >>> >
>>> >> >>> >>> > But if that file permissions was changed, I can only assume
>>> >> >>> >>> > other
>>> >> >>> >>> > files
>>> >> >>> >>> > were also changes...
>>> >> >>> >>> >
>>> >> >>> >>> > Regards,
>>> >> >>> >>> > Alon
>>> >> >>> >>> >
>>> >> >>> >>> > ----- Original Message -----
>>> >> >>> >>> >> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> >> >>> >>> >> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> >> >>> >>> >> Cc: Users(a)ovirt.org
>>> >> >>> >>> >> Sent: Sunday, April 7, 2013 11:51:17 AM
>>> >> >>> >>> >> Subject: Re: [Users] Certificates and PKI seem to be broken
>>> >> >>> >>> >> after
>>> >> >>> >>> >> yum
>>> >> >>> >>> >> update
>>> >> >>> >>> >>
>>> >> >>> >>> >> I did a yum update and rebooted.
>>> >> >>> >>> >>
>>> >> >>> >>> >> engine-upgrade was run on 24-March
>>> >> >>> >>> >>
>>> >> >>> >>> >> When run now, it states that there are no updates available.
>>> >> >>> >>> >>
>>> >> >>> >>> >> [root@reliant ~]# engine-upgrade
>>> >> >>> >>> >> Loaded plugins: versionlock
>>> >> >>> >>> >> Checking for updates... (This may take several minutes)
>>> >> >>> >>> >> No updates available
>>> >> >>> >>> >>
>>> >> >>> >>> >>
>>> >> >>> >>> >> [root@reliant ovirt-engine]# cat
>>> >> >>> >>> >> ovirt-engine-upgrade_2013_03_24_12_04_06.log
>>> >> >>> >>> >> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found
>>> >> >>> >>> >> existing
>>> >> >>> >>> >> pgpass file, fetching DB host value
>>> >> >>> >>> >> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found
>>> >> >>> >>> >> existing
>>> >> >>> >>> >> pgpass file, fetching DB port value
>>> >> >>> >>> >> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found
>>> >> >>> >>> >> existing
>>> >> >>> >>> >> pgpass file, fetching DB admin value
>>> >> >>> >>> >> 2013-03-24 12:04:07::DEBUG::engine-upgrade::302::root:: Yum
>>> >> >>> >>> >> list
>>> >> >>> >>> >> updates
>>> >> >>> >>> >> started
>>> >> >>> >>> >> 2013-03-24 12:04:07::DEBUG::engine-upgrade::273::root:: Yum
>>> >> >>> >>> >> unlock
>>> >> >>> >>> >> started
>>> >> >>> >>> >> 2013-03-24 12:04:07::DEBUG::engine-upgrade::285::root:: Yum
>>> >> >>> >>> >> unlock
>>> >> >>> >>> >> completed successfully
>>> >> >>> >>> >> 2013-03-24 12:04:07::DEBUG::engine-upgrade::308::root:: Getting
>>> >> >>> >>> >> list
>>> >> >>> >>> >> of packages to upgrade
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::engine-upgrade::260::root:: Yum
>>> >> >>> >>> >> lock
>>> >> >>> >>> >> started
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine-backend'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-backend-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine-config'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-config-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine-genericapi'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-genericapi-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine-notification-service'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-notification-service-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine-restapi'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-restapi-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine-tools-common'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-tools-common-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine-userportal'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-userportal-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >> >>> >>> >> command --> '/bin/rpm -q ovirt-engine-webadmin-portal'
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >> >>> >>> >> ovirt-engine-webadmin-portal-3.1.0-4.fc17.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::286::root:: cmd =
>>> >> >>> >>> >> /bin/rpm
>>> >> >>> >>> >> -q ovirt-engine ovirt-engine-backend ovirt-engine-config
>>> >> >>> >>> >> ovirt-engine-genericapi ovirt-engine-notification-service
>>> >> >>> >>> >> ovirt-engine-restapi ovirt-engine-tools-common
>>> >> >>> >>> >> ovirt-engine-userportal
>>> >> >>> >>> >> ovirt-engine-webadmin-portal >>
>>> >> >>> >>> >> /etc/yum/pluginconf.d/versionlock.list
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::common_utils::291::root:: output =
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::common_utils::292::root:: stderr =
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::common_utils::293::root:: retcode =
>>> >> >>> >>> >> 0
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::270::root:: Yum
>>> >> >>> >>> >> lock
>>> >> >>> >>> >> completed successfully
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::320::root:: No
>>> >> >>> >>> >> packages
>>> >> >>> >>> >> marked for update
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::324::root::
>>> >> >>> >>> >> Installed
>>> >> >>> >>> >> packages:
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::325::root::
>>> >> >>> >>> >> ['ovirt-engine-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-backend-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-config-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-dbscripts-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-genericapi-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-notification-service-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-restapi-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-setup-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-tools-common-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-userportal-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-engine-webadmin-portal-3.1.0-4.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch',
>>> >> >>> >>> >> 'ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch',
>>> >> >>> >>> >> 'vdsm-bootstrap-4.10.0-13.fc17.noarch']
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::327::root:: Yum
>>> >> >>> >>> >> list
>>> >> >>> >>> >> updated completed successfully
>>> >> >>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::609::root:: No
>>> >> >>> >>> >> updates
>>> >> >>> >>> >> available
>>> >> >>> >>> >>
>>> >> >>> >>> >>
>>> >> >>> >>> >> Here's what's installed.
>>> >> >>> >>> >>
>>> >> >>> >>> >> [root@reliant yum.repos.d]# yum list installed | grep ovirt
>>> >> >>> >>> >> ovirt-engine.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-backend.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-cli.noarch 3.2.0.5-1.fc17
>>> >> >>> >>> >> @updates
>>> >> >>> >>> >> ovirt-engine-config.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-dbscripts.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-genericapi.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-notification-service.noarch
>>> >> >>> >>> >> 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-restapi.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-sdk.noarch 3.2.0.2-1.fc17
>>> >> >>> >>> >> @updates
>>> >> >>> >>> >> ovirt-engine-setup.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-tools-common.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-userportal.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-engine-webadmin-portal.noarch 3.1.0-4.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-image-uploader.noarch 3.1.0-0.git9c42c8.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-iso-uploader.noarch 3.1.0-0.git1841d9.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-log-collector.noarch 3.1.0-0.git10d719.fc17
>>> >> >>> >>> >> @ovirt-stable
>>> >> >>> >>> >> ovirt-release-fedora.noarch 4-2
>>> >> >>> >>> >> @/ovirt-release-fedora.noarch
>>> >> >>> >>> >>
>>> >> >>> >>> >> On Sun, Apr 7, 2013 at 2:16 AM, Alon Bar-Lev
>>> >> >>> >>> >> <alonbl(a)redhat.com>
>>> >> >>> >>> >> wrote:
>>> >> >>> >>> >> > How exactly did you upgrade?
>>> >> >>> >>> >> >
>>> >> >>> >>> >> > Usually yum upgrade will not touch ovirt-engine packages as
>>> >> >>> >>> >> > it
>>> >> >>> >>> >> > is in
>>> >> >>> >>> >> > yum
>>> >> >>> >>> >> > version lock.
>>> >> >>> >>> >> > From which version to which version have you upgraded?
>>> >> >>> >>> >> > Have you run engine-upgrade utility?
>>> >> >>> >>> >> > If you did not, please run it.
>>> >> >>> >>> >> > If you did, please attach logs from
>>> >> >>> >>> >> > /var/log/ovirt-engine/ovirt-engine-upgrade*
>>> >> >>> >>> >> >
>>> >> >>> >>> >> > Thanks!
>>> >> >>> >>> >> >
>>> >> >>> >>> >> > ----- Original Message -----
>>> >> >>> >>> >> >> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> >> >>> >>> >> >> To: Users(a)ovirt.org
>>> >> >>> >>> >> >> Sent: Sunday, April 7, 2013 5:09:46 AM
>>> >> >>> >>> >> >> Subject: [Users] Certificates and PKI seem to be broken
>>> >> >>> >>> >> >> after
>>> >> >>> >>> >> >> yum
>>> >> >>> >>> >> >> update
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> I have lost the ability to manage the hosts or VM's using
>>> >> >>> >>> >> >> ovirt
>>> >> >>> >>> >> >> engine web interface after performing yum update on the
>>> >> >>> >>> >> >> ovirt-engine
>>> >> >>> >>> >> >> host, and on one Fedora 17 host. The data center is
>>> >> >>> >>> >> >> offline,
>>> >> >>> >>> >> >> and I
>>> >> >>> >>> >> >> can't place the hosts into maintenance mode. I don't think
>>> >> >>> >>> >> >> that
>>> >> >>> >>> >> >> there
>>> >> >>> >>> >> >> are any actions I can perform in the web interface at all.
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> From the logs it seems that PKI is broken between the engine
>>> >> >>> >>> >> >> and
>>> >> >>> >>> >> >> the
>>> >> >>> >>> >> >> hosts.
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> I am wondering how I can restore or re-generate all of the
>>> >> >>> >>> >> >> certificates and get the hosts communicating with the
>>> >> >>> >>> >> >> ovirt-engine
>>> >> >>> >>> >> >> again so that I can bring the data center back online.
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> I found this page which deals with changing the engine
>>> >> >>> >>> >> >> hostname,
>>> >> >>> >>> >> >> and
>>> >> >>> >>> >> >> thus re-creating the certificates and keystore on the
>>> >> >>> >>> >> >> ovirt-engine
>>> >> >>> >>> >> >> node, and was wondering if this could help. Could I follow
>>> >> >>> >>> >> >> this
>>> >> >>> >>> >> >> process but keep the same hostname for the ovirt-engine
>>> >> >>> >>> >> >> node?
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> http://wiki.ovirt.org/How_to_change_engine_host_name
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> Currently I have 3 VM's running on two hosts. The VM's are
>>> >> >>> >>> >> >> up,
>>> >> >>> >>> >> >> but
>>> >> >>> >>> >> >> I
>>> >> >>> >>> >> >> can't do anything with them in ovirt-engine.
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> Here's the latest activity from engine.log from the
>>> >> >>> >>> >> >> ovirt-engine
>>> >> >>> >>> >> >> node:
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> 2013-04-06 21:58:47,472 ERROR
>>> >> >>> >>> >> >> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >> >>> >>> >> >> (QuartzScheduler_Worker-61) Failed to
>>> >> >>> >>> >> >> decryptjava.io.FileNotFoundException:
>>> >> >>> >>> >> >> /etc/pki/ovirt-engine/.keystore
>>> >> >>> >>> >> >> (Permission denied)
>>> >> >>> >>> >> >> 2013-04-06 21:58:47,478 ERROR
>>> >> >>> >>> >> >> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >> >>> >>> >> >> (QuartzScheduler_Worker-62) Can't load keystore from file
>>> >> >>> >>> >> >> "/etc/pki/ovirt-engine/.keystore".:
>>> >> >>> >>> >> >> java.io.FileNotFoundException:
>>> >> >>> >>> >> >> /etc/pki/ovirt-engine/.keystore (Permission denied)
>>> >> >>> >>> >> >> at java.io.FileInputStream.open(Native Method)
>>> >> >>> >>> >> >> [rt.jar:1.7.0_09-icedtea]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> java.io.FileInputStream.<init>(FileInputStream.java:138)
>>> >> >>> >>> >> >> [rt.jar:1.7.0_09-icedtea]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.engineencryptutils.EncryptionUtils.getKeyStore(EncryptionUtils.java:214)
>>> >> >>> >>> >> >> [engine-encryptutils.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.engineencryptutils.EncryptionUtils.decrypt(EncryptionUtils.java:139)
>>> >> >>> >>> >> >> [engine-encryptutils.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dao.VdsStaticDAODbFacadeImpl.decryptPassword(VdsStaticDAODbFacadeImpl.java:139)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(VdsDAODbFacadeImpl.java:253)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(VdsDAODbFacadeImpl.java:169)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:92)
>>> >> >>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:653)
>>> >> >>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:591)
>>> >> >>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:641)
>>> >> >>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:670)
>>> >> >>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:702)
>>> >> >>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.executeCallInternal(PostgresDbEngineDialect.java:155)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.doExecute(PostgresDbEngineDialect.java:121)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.springframework.jdbc.core.simple.SimpleJdbcCall.execute(SimpleJdbcCall.java:164)
>>> >> >>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeImpl(SimpleJdbcCallsHandler.java:124)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadAndReturnMap(SimpleJdbcCallsHandler.java:75)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadList(SimpleJdbcCallsHandler.java:66)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeRead(SimpleJdbcCallsHandler.java:58)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(VdsDAODbFacadeImpl.java:36)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(VdsDAODbFacadeImpl.java:31)
>>> >> >>> >>> >> >> [engine-dal.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.vdsbroker.VdsManager$1.runInTransaction(VdsManager.java:219)
>>> >> >>> >>> >> >> [engine-vdsbroker.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInSuppressed(TransactionSupport.java:168)
>>> >> >>> >>> >> >> [engine-utils.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(TransactionSupport.java:107)
>>> >> >>> >>> >> >> [engine-utils.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.vdsbroker.VdsManager.OnTimer(VdsManager.java:215)
>>> >> >>> >>> >> >> [engine-vdsbroker.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> sun.reflect.GeneratedMethodAccessor13.invoke(Unknown
>>> >> >>> >>> >> >> Source) [:1.7.0_09-icedtea]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> >> >>> >>> >> >> [rt.jar:1.7.0_09-icedtea]
>>> >> >>> >>> >> >> at java.lang.reflect.Method.invoke(Method.java:601)
>>> >> >>> >>> >> >> [rt.jar:1.7.0_09-icedtea]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.ovirt.engine.core.utils.timer.JobWrapper.execute(JobWrapper.java:64)
>>> >> >>> >>> >> >> [engine-scheduler.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.quartz.core.JobRunShell.run(JobRunShell.java:213)
>>> >> >>> >>> >> >> [quartz.jar:]
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
>>> >> >>> >>> >> >> [quartz.jar:]
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> 2013-04-06 21:58:47,576 ERROR
>>> >> >>> >>> >> >> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> >> >>> >>> >> >> (QuartzScheduler_Worker-61) XML RPC error in command
>>> >> >>> >>> >> >> GetCapabilitiesVDS ( Vds: defiant ), the error was:
>>> >> >>> >>> >> >> java.util.concurrent.ExecutionException:
>>> >> >>> >>> >> >> java.lang.reflect.InvocationTargetException,
>>> >> >>> >>> >> >> SSLPeerUnverifiedException: peer not authenticated
>>> >> >>> >>> >> >> 2013-04-06 21:58:47,606 ERROR
>>> >> >>> >>> >> >> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >> >>> >>> >> >> (QuartzScheduler_Worker-62) Failed to
>>> >> >>> >>> >> >> decryptjava.io.FileNotFoundException:
>>> >> >>> >>> >> >> /etc/pki/ovirt-engine/.keystore
>>> >> >>> >>> >> >> (Permission denied)
>>> >> >>> >>> >> >> 2013-04-06 21:58:47,671 ERROR
>>> >> >>> >>> >> >> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> >> >>> >>> >> >> (QuartzScheduler_Worker-62) XML RPC error in command
>>> >> >>> >>> >> >> GetCapabilitiesVDS ( Vds: transporter ), the error was:
>>> >> >>> >>> >> >> java.util.concurrent.ExecutionException:
>>> >> >>> >>> >> >> java.lang.reflect.InvocationTargetException,
>>> >> >>> >>> >> >> SSLPeerUnverifiedException: peer not authenticated
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> Here's the message I seem to get over and over on the fedora
>>> >> >>> >>> >> >> 17
>>> >> >>> >>> >> >> host in
>>> >> >>> >>> >> >> vdsm.log
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> >> >>> >>> >> >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> >> >>> >>> >> >> Thread-562520::ERROR::2013-04-06
>>> >> >>> >>> >> >> 22:08:44,268::SecureXMLRPCServer::73::root::(handle_error)
>>> >> >>> >>> >> >> client
>>> >> >>> >>> >> >> ('172.16.23.8', 36127)
>>> >> >>> >>> >> >> Traceback (most recent call last):
>>> >> >>> >>> >> >> File "/usr/lib64/python2.7/SocketServer.py", line 582, in
>>> >> >>> >>> >> >> process_request_thread
>>> >> >>> >>> >> >> self.finish_request(request, client_address)
>>> >> >>> >>> >> >> File
>>> >> >>> >>> >> >> "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
>>> >> >>> >>> >> >> line 66, in finish_request
>>> >> >>> >>> >> >> request.do_handshake()
>>> >> >>> >>> >> >> File "/usr/lib64/python2.7/ssl.py", line 305, in
>>> >> >>> >>> >> >> do_handshake
>>> >> >>> >>> >> >> self._sslobj.do_handshake()
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> I'm also wondering about the permission denied on the
>>> >> >>> >>> >> >> .keystore
>>> >> >>> >>> >> >> directory. What should the permissions be? Here's what
>>> >> >>> >>> >> >> they
>>> >> >>> >>> >> >> are
>>> >> >>> >>> >> >> currently.
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> [root@reliant pki]# ls -ldZ /etc/pki/ovirt-engine/.keystore
>>> >> >>> >>> >> >> -rwxr-x---. root root unconfined_u:object_r:cert_t:s0
>>> >> >>> >>> >> >> /etc/pki/ovirt-engine/.keystore
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> I also seem to have a backup of the ovirt-engine directory
>>> >> >>> >>> >> >> at
>>> >> >>> >>> >> >> the
>>> >> >>> >>> >> >> time
>>> >> >>> >>> >> >> the update was performed, but replacing ovirt-engine with
>>> >> >>> >>> >> >> the
>>> >> >>> >>> >> >> backup
>>> >> >>> >>> >> >> does no good.
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> I appreciate any assistance, and please let me know what
>>> >> >>> >>> >> >> other
>>> >> >>> >>> >> >> information I can post to help with this.
>>> >> >>> >>> >> >>
>>> >> >>> >>> >> >> Thanks
>>> >> >>> >>> >> >> _______________________________________________
>>> >> >>> >>> >> >> Users mailing list
>>> >> >>> >>> >> >> Users(a)ovirt.org
>>> >> >>> >>> >> >> http://lists.ovirt.org/mailman/listinfo/users
>>> >> >>> >>> >> >>
>>> >> >>> >>> >>
>>> >> >>> >>>
>>> >> >>>
>>> >>
>>>
11 years, 7 months
- 2
- 1
Re: [Users] Certificates and PKI seem to be broken after yum update
by Chris Smith
On Thu, Apr 18, 2013 at 6:44 PM, Chris Smith <whitehat237(a)gmail.com> wrote:
> I made a backup of the .truststore, and then followed the steps and
> then rebooted both the ovirt-engine and one of the hosts, and
> everything worked properly.
>
> If I run it again, or enter the wrong password it throws an error
> about the key store already existing, or that the password was wrong
> so I'm pretty sure it's good.
>
> vdsm.log on the host still shows:
>
> Traceback (most recent call last):
> File "/usr/lib64/python2.7/SocketServer.py", line 582, in
> process_request_thread
> self.finish_request(request, client_address)
> File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
> line 66, in finish_request
> request.do_handshake()
> File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
> self._sslobj.do_handshake()
> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
> engine.log on the host shows:
>
> 2013-04-18 18:42:43,632 ERROR
> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
> (QuartzScheduler_Worker-68) Failed to decryptData must start with zero
> 2013-04-18 18:42:43,642 ERROR
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
> (QuartzScheduler_Worker-68) XML RPC error in command
> GetCapabilitiesVDS ( Vds: transporter ), the error was:
> java.util.concurrent.ExecutionException:
> java.lang.reflect.InvocationTargetException,
> SunCertPathBuilderException: unable to find valid certification path
> to requested target
>
>
> On Thu, Apr 18, 2013 at 4:06 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>
>> You should ask these question in separate thread so people may pick them up.
>>
>> For the .truststore, try to remove it and then execute:
>>
>> # rm -f /etc/pki/ovirt-engine/.truststore
>> # keytool -import -noprompt -trustcacerts -alias cacert -keypass mypass -file /etc/pki/ovirt-engine/certs/ca.der -keystore /etc/pki/ovirt-engine/.truststore -storepass mypass
>> # chown ovirt:ovirt /etc/pki/ovirt-engine/.truststore
>>
>> It should recreate the truststore with the ca certificate you have.
>>
>> ----- Original Message -----
>>> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> Cc: Users(a)ovirt.org
>>> Sent: Thursday, April 18, 2013 7:18:27 AM
>>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum update
>>>
>>> If it would be easier than re-setting up the certificates, I'm also
>>> willing to just start over and rebuild, but I would like to export the
>>> VM's I have first.
>>> One of them is a spacewalk server, another runs DNS, and DHCP for my
>>> test network, and I have an asterisk server. I would like to avoid
>>> having to re-create all of them.
>>>
>>> The VM's are up and running now, so I could export all of the
>>> configurations / backup the file systems, etc.
>>>
>>> Preferably I could export the VM's to an NFS export domain, or a
>>> mounted NFS share so that I can import them to the new storage domain,
>>> after I run engine-cleanup and get everything set back up. Is there
>>> an easy way to do this? Is it possible to create and attach an NFS
>>> export domain directly from the CLI without access to the ovirt
>>> manager without communication between the manager and hosts due to the
>>> pki issue? Can I export the VM's directly from the hosts to a
>>> standard NFS share?
>>>
>>> Is there an equivalent xml and image file for the VM?
>>>
>>> My storage domain is iscsi and is served out from another server over
>>> 4 bonded 1 Gbps copper links.
>>>
>>>
>>>
>>> On Wed, Apr 17, 2013 at 11:46 PM, Chris Smith <whitehat237(a)gmail.com> wrote:
>>> > I checked the .truststore on the ovirt engine, and it seems fine.
>>> >
>>> > [root@reliant ovirt-engine]# ls -l .truststore
>>> > -rwxr-x---. 1 ovirt ovirt 918 Apr 6 21:56 .truststore
>>> >
>>> > It's not zero bytes anyway.
>>> >
>>> > It's also the same size as the .truststore in the ovirt engine backups.
>>> >
>>> > [root@reliant ovirt-engine-backups]# find ./ -name .truststore -exec ls -l
>>> > {} \;
>>> > -rwxr-x---. 1 ovirt ovirt 918 Aug 26 2012
>>> > ./ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
>>> > -rwxr-x---. 1 root root 918 Mar 24 12:42
>>> > ./ovirt-engine-2013_03_24_11_15_19/ovirt-engine-2013_03_23_03_09_09/ovirt-engine/.truststore
>>> >
>>> > I haven't looked at the installCA.sh script yet.
>>> >
>>> > On Mon, Apr 8, 2013 at 2:58 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>> >> This error means that the /etc/pki/ovirt-engine/.truststore is unreadable
>>> >> or does not contain the /etc/pki/ovirt-engine/ca.pem certificate.
>>> >>
>>> >> Unfortunately, the pki administration is weak in current implementation,
>>> >> you can trace the installation script and checkout the calls to
>>> >> installCA.sh to how to reproduce, please note that password are encrypted
>>> >> in database using the private key locate in .keystore so if you are to
>>> >> re-generate anything remember to keep the engine private key.
>>> >>
>>> >> However, if you succeed in login, the remaining problem you have is the
>>> >> .truststore permissions and/or content.
>>> >>
>>> >> Regards,
>>> >> Alon Bar-Lev.
>>> >>
>>> >> ----- Original Message -----
>>> >>> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> >>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> >>> Cc: Users(a)ovirt.org
>>> >>> Sent: Monday, April 8, 2013 9:46:46 AM
>>> >>> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
>>> >>> update
>>> >>>
>>> >>> After setting the .keystore owner and group owner to ovirt, and
>>> >>> rebooting, I now have a new error in engine.log
>>> >>>
>>> >>> 2013-04-08 02:39:16,787 ERROR
>>> >>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >>> (QuartzScheduler_Worker-95) Failed to decryptData must start with zero
>>> >>> 2013-04-08 02:39:16,845 ERROR
>>> >>> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> >>> (QuartzScheduler_Worker-95) XML RPC error in command
>>> >>> GetCapabilitiesVDS ( Vds: transporter ), the error was:
>>> >>> java.util.concurrent.ExecutionException:
>>> >>> java.lang.reflect.InvocationTargetException,
>>> >>> SunCertPathBuilderException: unable to find valid certification path
>>> >>> to requested target
>>> >>>
>>> >>> Are there other files that may have been affected that I can also
>>> >>> correct ownership or permissions on?
>>> >>>
>>> >>> On the host side, I get certificate unknown in vdsm.log
>>> >>>
>>> >>> File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>>> >>> self._sslobj.do_handshake()
>>> >>> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> >>> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> >>> Thread-757809::ERROR::2013-04-08
>>> >>> 02:44:05,424::SecureXMLRPCServer::73::root::(handle_error) client
>>> >>> ('172.16.23.8', 54489)
>>> >>> Traceback (most recent call last):
>>> >>> File "/usr/lib64/python2.7/SocketServer.py", line 582, in
>>> >>> process_request_thread
>>> >>> self.finish_request(request, client_address)
>>> >>> File "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
>>> >>> line 66, in finish_request
>>> >>> request.do_handshake()
>>> >>> File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>>> >>> self._sslobj.do_handshake()
>>> >>> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> >>> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> >>>
>>> >>> Is there a procedure for just re-establishing PKI and certs for the
>>> >>> engine and hosts?
>>> >>>
>>> >>> On Sun, Apr 7, 2013 at 4:58 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>>> >>> >
>>> >>> > OK... you are running a very old version of engine (3.1).
>>> >>> >
>>> >>> > The upgrade did not upgraded into 3.2, so nothing as far as I know
>>> >>> > should
>>> >>> > have been changed.
>>> >>> >
>>> >>> > But the .keystore permissions is owned by root now, so some other
>>> >>> > package
>>> >>> > (maybe selinux-policy) changed permissions...
>>> >>> >
>>> >>> > The simplest way to test is to:
>>> >>> > # cp -a /etc/pki/ovirt-engine /etc/pki/ovirt-engine.backup1
>>> >>> > # chown -R ovirt:ovirt /etc/pki/ovirt-engine
>>> >>> >
>>> >>> > But if that file permissions was changed, I can only assume other files
>>> >>> > were also changes...
>>> >>> >
>>> >>> > Regards,
>>> >>> > Alon
>>> >>> >
>>> >>> > ----- Original Message -----
>>> >>> >> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> >>> >> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> >>> >> Cc: Users(a)ovirt.org
>>> >>> >> Sent: Sunday, April 7, 2013 11:51:17 AM
>>> >>> >> Subject: Re: [Users] Certificates and PKI seem to be broken after yum
>>> >>> >> update
>>> >>> >>
>>> >>> >> I did a yum update and rebooted.
>>> >>> >>
>>> >>> >> engine-upgrade was run on 24-March
>>> >>> >>
>>> >>> >> When run now, it states that there are no updates available.
>>> >>> >>
>>> >>> >> [root@reliant ~]# engine-upgrade
>>> >>> >> Loaded plugins: versionlock
>>> >>> >> Checking for updates... (This may take several minutes)
>>> >>> >> No updates available
>>> >>> >>
>>> >>> >>
>>> >>> >> [root@reliant ovirt-engine]# cat
>>> >>> >> ovirt-engine-upgrade_2013_03_24_12_04_06.log
>>> >>> >> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing
>>> >>> >> pgpass file, fetching DB host value
>>> >>> >> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing
>>> >>> >> pgpass file, fetching DB port value
>>> >>> >> 2013-03-24 12:04:06::DEBUG::common_utils::585::root:: found existing
>>> >>> >> pgpass file, fetching DB admin value
>>> >>> >> 2013-03-24 12:04:07::DEBUG::engine-upgrade::302::root:: Yum list
>>> >>> >> updates
>>> >>> >> started
>>> >>> >> 2013-03-24 12:04:07::DEBUG::engine-upgrade::273::root:: Yum unlock
>>> >>> >> started
>>> >>> >> 2013-03-24 12:04:07::DEBUG::engine-upgrade::285::root:: Yum unlock
>>> >>> >> completed successfully
>>> >>> >> 2013-03-24 12:04:07::DEBUG::engine-upgrade::308::root:: Getting list
>>> >>> >> of packages to upgrade
>>> >>> >> 2013-03-24 12:04:27::DEBUG::engine-upgrade::260::root:: Yum lock
>>> >>> >> started
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine-backend'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-backend-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine-config'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-config-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine-genericapi'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-genericapi-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine-notification-service'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-notification-service-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine-restapi'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-restapi-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine-tools-common'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-tools-common-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine-userportal'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-userportal-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::309::root:: Executing
>>> >>> >> command --> '/bin/rpm -q ovirt-engine-webadmin-portal'
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::335::root:: output =
>>> >>> >> ovirt-engine-webadmin-portal-3.1.0-4.fc17.noarch
>>> >>> >>
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::336::root:: stderr =
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::337::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:27::DEBUG::common_utils::286::root:: cmd = /bin/rpm
>>> >>> >> -q ovirt-engine ovirt-engine-backend ovirt-engine-config
>>> >>> >> ovirt-engine-genericapi ovirt-engine-notification-service
>>> >>> >> ovirt-engine-restapi ovirt-engine-tools-common ovirt-engine-userportal
>>> >>> >> ovirt-engine-webadmin-portal >> /etc/yum/pluginconf.d/versionlock.list
>>> >>> >> 2013-03-24 12:04:28::DEBUG::common_utils::291::root:: output =
>>> >>> >> 2013-03-24 12:04:28::DEBUG::common_utils::292::root:: stderr =
>>> >>> >> 2013-03-24 12:04:28::DEBUG::common_utils::293::root:: retcode = 0
>>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::270::root:: Yum lock
>>> >>> >> completed successfully
>>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::320::root:: No packages
>>> >>> >> marked for update
>>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::324::root:: Installed
>>> >>> >> packages:
>>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::325::root::
>>> >>> >> ['ovirt-engine-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-backend-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-config-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-dbscripts-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-genericapi-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-notification-service-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-restapi-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-setup-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-tools-common-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-userportal-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-engine-webadmin-portal-3.1.0-4.fc17.noarch',
>>> >>> >> 'ovirt-image-uploader-3.1.0-0.git9c42c8.fc17.noarch',
>>> >>> >> 'ovirt-iso-uploader-3.1.0-0.git1841d9.fc17.noarch',
>>> >>> >> 'ovirt-log-collector-3.1.0-0.git10d719.fc17.noarch',
>>> >>> >> 'vdsm-bootstrap-4.10.0-13.fc17.noarch']
>>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::327::root:: Yum list
>>> >>> >> updated completed successfully
>>> >>> >> 2013-03-24 12:04:28::DEBUG::engine-upgrade::609::root:: No updates
>>> >>> >> available
>>> >>> >>
>>> >>> >>
>>> >>> >> Here's what's installed.
>>> >>> >>
>>> >>> >> [root@reliant yum.repos.d]# yum list installed | grep ovirt
>>> >>> >> ovirt-engine.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-backend.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-cli.noarch 3.2.0.5-1.fc17
>>> >>> >> @updates
>>> >>> >> ovirt-engine-config.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-dbscripts.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-genericapi.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-notification-service.noarch
>>> >>> >> 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-restapi.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-sdk.noarch 3.2.0.2-1.fc17
>>> >>> >> @updates
>>> >>> >> ovirt-engine-setup.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-tools-common.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-userportal.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-engine-webadmin-portal.noarch 3.1.0-4.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-image-uploader.noarch 3.1.0-0.git9c42c8.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-iso-uploader.noarch 3.1.0-0.git1841d9.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-log-collector.noarch 3.1.0-0.git10d719.fc17
>>> >>> >> @ovirt-stable
>>> >>> >> ovirt-release-fedora.noarch 4-2
>>> >>> >> @/ovirt-release-fedora.noarch
>>> >>> >>
>>> >>> >> On Sun, Apr 7, 2013 at 2:16 AM, Alon Bar-Lev <alonbl(a)redhat.com>
>>> >>> >> wrote:
>>> >>> >> > How exactly did you upgrade?
>>> >>> >> >
>>> >>> >> > Usually yum upgrade will not touch ovirt-engine packages as it is in
>>> >>> >> > yum
>>> >>> >> > version lock.
>>> >>> >> > From which version to which version have you upgraded?
>>> >>> >> > Have you run engine-upgrade utility?
>>> >>> >> > If you did not, please run it.
>>> >>> >> > If you did, please attach logs from
>>> >>> >> > /var/log/ovirt-engine/ovirt-engine-upgrade*
>>> >>> >> >
>>> >>> >> > Thanks!
>>> >>> >> >
>>> >>> >> > ----- Original Message -----
>>> >>> >> >> From: "Chris Smith" <whitehat237(a)gmail.com>
>>> >>> >> >> To: Users(a)ovirt.org
>>> >>> >> >> Sent: Sunday, April 7, 2013 5:09:46 AM
>>> >>> >> >> Subject: [Users] Certificates and PKI seem to be broken after yum
>>> >>> >> >> update
>>> >>> >> >>
>>> >>> >> >> I have lost the ability to manage the hosts or VM's using ovirt
>>> >>> >> >> engine web interface after performing yum update on the
>>> >>> >> >> ovirt-engine
>>> >>> >> >> host, and on one Fedora 17 host. The data center is offline, and I
>>> >>> >> >> can't place the hosts into maintenance mode. I don't think that
>>> >>> >> >> there
>>> >>> >> >> are any actions I can perform in the web interface at all.
>>> >>> >> >>
>>> >>> >> >> From the logs it seems that PKI is broken between the engine and
>>> >>> >> >> the
>>> >>> >> >> hosts.
>>> >>> >> >>
>>> >>> >> >> I am wondering how I can restore or re-generate all of the
>>> >>> >> >> certificates and get the hosts communicating with the ovirt-engine
>>> >>> >> >> again so that I can bring the data center back online.
>>> >>> >> >>
>>> >>> >> >> I found this page which deals with changing the engine hostname,
>>> >>> >> >> and
>>> >>> >> >> thus re-creating the certificates and keystore on the ovirt-engine
>>> >>> >> >> node, and was wondering if this could help. Could I follow this
>>> >>> >> >> process but keep the same hostname for the ovirt-engine node?
>>> >>> >> >>
>>> >>> >> >> http://wiki.ovirt.org/How_to_change_engine_host_name
>>> >>> >> >>
>>> >>> >> >> Currently I have 3 VM's running on two hosts. The VM's are up, but
>>> >>> >> >> I
>>> >>> >> >> can't do anything with them in ovirt-engine.
>>> >>> >> >>
>>> >>> >> >>
>>> >>> >> >> Here's the latest activity from engine.log from the ovirt-engine
>>> >>> >> >> node:
>>> >>> >> >>
>>> >>> >> >> 2013-04-06 21:58:47,472 ERROR
>>> >>> >> >> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >>> >> >> (QuartzScheduler_Worker-61) Failed to
>>> >>> >> >> decryptjava.io.FileNotFoundException:
>>> >>> >> >> /etc/pki/ovirt-engine/.keystore
>>> >>> >> >> (Permission denied)
>>> >>> >> >> 2013-04-06 21:58:47,478 ERROR
>>> >>> >> >> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >>> >> >> (QuartzScheduler_Worker-62) Can't load keystore from file
>>> >>> >> >> "/etc/pki/ovirt-engine/.keystore".: java.io.FileNotFoundException:
>>> >>> >> >> /etc/pki/ovirt-engine/.keystore (Permission denied)
>>> >>> >> >> at java.io.FileInputStream.open(Native Method)
>>> >>> >> >> [rt.jar:1.7.0_09-icedtea]
>>> >>> >> >> at java.io.FileInputStream.<init>(FileInputStream.java:138)
>>> >>> >> >> [rt.jar:1.7.0_09-icedtea]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.engineencryptutils.EncryptionUtils.getKeyStore(EncryptionUtils.java:214)
>>> >>> >> >> [engine-encryptutils.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.engineencryptutils.EncryptionUtils.decrypt(EncryptionUtils.java:139)
>>> >>> >> >> [engine-encryptutils.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dao.VdsStaticDAODbFacadeImpl.decryptPassword(VdsStaticDAODbFacadeImpl.java:139)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(VdsDAODbFacadeImpl.java:253)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dao.VdsDAODbFacadeImpl$VdsRowMapper.mapRow(VdsDAODbFacadeImpl.java:169)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:92)
>>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >>> >> >> at
>>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:653)
>>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >>> >> >> at
>>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:591)
>>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >>> >> >> at
>>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:641)
>>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >>> >> >> at
>>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:670)
>>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >>> >> >> at
>>> >>> >> >> org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:702)
>>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.executeCallInternal(PostgresDbEngineDialect.java:155)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall.doExecute(PostgresDbEngineDialect.java:121)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.springframework.jdbc.core.simple.SimpleJdbcCall.execute(SimpleJdbcCall.java:164)
>>> >>> >> >> [spring-jdbc-2.5.6.SEC02.jar:2.5.6.SEC02]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeImpl(SimpleJdbcCallsHandler.java:124)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadAndReturnMap(SimpleJdbcCallsHandler.java:75)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeReadList(SimpleJdbcCallsHandler.java:66)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dal.dbbroker.SimpleJdbcCallsHandler.executeRead(SimpleJdbcCallsHandler.java:58)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(VdsDAODbFacadeImpl.java:36)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.dao.VdsDAODbFacadeImpl.get(VdsDAODbFacadeImpl.java:31)
>>> >>> >> >> [engine-dal.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.vdsbroker.VdsManager$1.runInTransaction(VdsManager.java:219)
>>> >>> >> >> [engine-vdsbroker.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInSuppressed(TransactionSupport.java:168)
>>> >>> >> >> [engine-utils.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(TransactionSupport.java:107)
>>> >>> >> >> [engine-utils.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.vdsbroker.VdsManager.OnTimer(VdsManager.java:215)
>>> >>> >> >> [engine-vdsbroker.jar:]
>>> >>> >> >> at sun.reflect.GeneratedMethodAccessor13.invoke(Unknown
>>> >>> >> >> Source) [:1.7.0_09-icedtea]
>>> >>> >> >> at
>>> >>> >> >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> >>> >> >> [rt.jar:1.7.0_09-icedtea]
>>> >>> >> >> at java.lang.reflect.Method.invoke(Method.java:601)
>>> >>> >> >> [rt.jar:1.7.0_09-icedtea]
>>> >>> >> >> at
>>> >>> >> >> org.ovirt.engine.core.utils.timer.JobWrapper.execute(JobWrapper.java:64)
>>> >>> >> >> [engine-scheduler.jar:]
>>> >>> >> >> at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
>>> >>> >> >> [quartz.jar:]
>>> >>> >> >> at
>>> >>> >> >> org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
>>> >>> >> >> [quartz.jar:]
>>> >>> >> >>
>>> >>> >> >> 2013-04-06 21:58:47,576 ERROR
>>> >>> >> >> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> >>> >> >> (QuartzScheduler_Worker-61) XML RPC error in command
>>> >>> >> >> GetCapabilitiesVDS ( Vds: defiant ), the error was:
>>> >>> >> >> java.util.concurrent.ExecutionException:
>>> >>> >> >> java.lang.reflect.InvocationTargetException,
>>> >>> >> >> SSLPeerUnverifiedException: peer not authenticated
>>> >>> >> >> 2013-04-06 21:58:47,606 ERROR
>>> >>> >> >> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils]
>>> >>> >> >> (QuartzScheduler_Worker-62) Failed to
>>> >>> >> >> decryptjava.io.FileNotFoundException:
>>> >>> >> >> /etc/pki/ovirt-engine/.keystore
>>> >>> >> >> (Permission denied)
>>> >>> >> >> 2013-04-06 21:58:47,671 ERROR
>>> >>> >> >> [org.ovirt.engine.core.vdsbroker.vdsbroker.VdsBrokerCommand]
>>> >>> >> >> (QuartzScheduler_Worker-62) XML RPC error in command
>>> >>> >> >> GetCapabilitiesVDS ( Vds: transporter ), the error was:
>>> >>> >> >> java.util.concurrent.ExecutionException:
>>> >>> >> >> java.lang.reflect.InvocationTargetException,
>>> >>> >> >> SSLPeerUnverifiedException: peer not authenticated
>>> >>> >> >>
>>> >>> >> >>
>>> >>> >> >> Here's the message I seem to get over and over on the fedora 17
>>> >>> >> >> host in
>>> >>> >> >> vdsm.log
>>> >>> >> >>
>>> >>> >> >> SSLError: [Errno 1] _ssl.c:504: error:14094416:SSL
>>> >>> >> >> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>>> >>> >> >> Thread-562520::ERROR::2013-04-06
>>> >>> >> >> 22:08:44,268::SecureXMLRPCServer::73::root::(handle_error) client
>>> >>> >> >> ('172.16.23.8', 36127)
>>> >>> >> >> Traceback (most recent call last):
>>> >>> >> >> File "/usr/lib64/python2.7/SocketServer.py", line 582, in
>>> >>> >> >> process_request_thread
>>> >>> >> >> self.finish_request(request, client_address)
>>> >>> >> >> File
>>> >>> >> >> "/usr/lib/python2.7/site-packages/vdsm/SecureXMLRPCServer.py",
>>> >>> >> >> line 66, in finish_request
>>> >>> >> >> request.do_handshake()
>>> >>> >> >> File "/usr/lib64/python2.7/ssl.py", line 305, in do_handshake
>>> >>> >> >> self._sslobj.do_handshake()
>>> >>> >> >>
>>> >>> >> >> I'm also wondering about the permission denied on the .keystore
>>> >>> >> >> directory. What should the permissions be? Here's what they are
>>> >>> >> >> currently.
>>> >>> >> >>
>>> >>> >> >> [root@reliant pki]# ls -ldZ /etc/pki/ovirt-engine/.keystore
>>> >>> >> >> -rwxr-x---. root root unconfined_u:object_r:cert_t:s0
>>> >>> >> >> /etc/pki/ovirt-engine/.keystore
>>> >>> >> >>
>>> >>> >> >> I also seem to have a backup of the ovirt-engine directory at the
>>> >>> >> >> time
>>> >>> >> >> the update was performed, but replacing ovirt-engine with the
>>> >>> >> >> backup
>>> >>> >> >> does no good.
>>> >>> >> >>
>>> >>> >> >> I appreciate any assistance, and please let me know what other
>>> >>> >> >> information I can post to help with this.
>>> >>> >> >>
>>> >>> >> >> Thanks
>>> >>> >> >> _______________________________________________
>>> >>> >> >> Users mailing list
>>> >>> >> >> Users(a)ovirt.org
>>> >>> >> >> http://lists.ovirt.org/mailman/listinfo/users
>>> >>> >> >>
>>> >>> >>
>>> >>>
>>>
11 years, 7 months
- 2
- 3
[Users] unable to make a template from VM
by Alex Leonhardt
Hi All,
Anyone seen the attached error ? I'm suddenly unable to make a template
from a VM that has a pre-allocated disk. The VM is based on a different
template also still in the system, which I am also unable to remove.
The error in engine.log only says this:
2013-04-16 08:17:24,497 WARN
[org.ovirt.engine.core.bll.AddVmTemplateCommand] (ajp--0.0.0.0-8009-2)
[4021a4d2] CanDoAction of action AddVmTemplate failed.
Reasons:VAR__ACTION__ADD,VAR__TYPE__VM_TEMPLATE,ACTION_TYPE_FAILED_VM_HAS_NO_DISKS
There is nothing special coming up in the vdsm.log / to filter out debug
messages, i've changed log levels to INFO and higher earlier today - still,
when this error occurs, the only message I can see in vdsm.log are the
usual "can I write to the storage domain" ones ..
Thread-493::INFO::2013-04-16
08:17:42,873::logUtils::37::dispatcher::(wrapper) Run and protect:
getSpmStatus(spUUID='353b073e-dfb0-46e6-8ac5-344ff251ca91', options=None)
Thread-493::INFO::2013-04-16
08:17:42,874::logUtils::39::dispatcher::(wrapper) Run and protect:
getSpmStatus, Return response: {'spm_st': {'spmId': 1, 'spmStatus': 'SPM',
'spmLver': 19}}
Thread-494::INFO::2013-04-16
08:17:42,886::logUtils::37::dispatcher::(wrapper) Run and protect:
getStoragePoolInfo(spUUID='353b073e-dfb0-46e6-8ac5-344ff251ca91',
options=None)
Thread-494::INFO::2013-04-16
08:17:42,888::logUtils::39::dispatcher::(wrapper) Run and protect:
getStoragePoolInfo, Return response: {'info': {'spm_id': 1, 'master_uuid':
'7d0f78ff-aa25-4b64-a2ea-c8a65beda616', 'name': 'ALE-LAB', 'version': '2',
'domains':
u'35fd8ea5-8bbc-4343-881e-3f78626420e3:Active,55758a74-5c36-4364-bcb0-acae969acd64:Active,7d0f78ff-aa25-4b64-a2ea-c8a65beda616:Active,84e33e25-f4af-4b3c-9780-8a116a737236:Active,2c7fc39e-767c-4c97-946f-321468451c61:Active',
'pool_status': 'connected', 'isoprefix':
u'/rhev/data-center/353b073e-dfb0-46e6-8ac5-344ff251ca91/55758a74-5c36-4364-bcb0-acae969acd64/images/11111111-1111-1111-1111-111111111111',
'type': 'ISCSI', 'master_ver': 4, 'lver': 19}, 'dominfo':
{u'35fd8ea5-8bbc-4343-881e-3f78626420e3': {'status': u'Active', 'diskfree':
'163208757248', 'alerts': [], 'disktotal': '261858787328'},
u'55758a74-5c36-4364-bcb0-acae969acd64': {'status': u'Active', 'diskfree':
'318918098944', 'alerts': [], 'disktotal': '802458435584'},
u'7d0f78ff-aa25-4b64-a2ea-c8a65beda616': {'status': u'Active', 'diskfree':
'23756537856', 'alerts': [], 'disktotal': '73014444032'},
u'84e33e25-f4af-4b3c-9780-8a116a737236': {'status': u'Active', 'diskfree':
'49153048576', 'alerts': [], 'disktotal': '246076669952'},
u'2c7fc39e-767c-4c97-946f-321468451c61': {'status': u'Active', 'diskfree':
'26306674688', 'alerts': [], 'disktotal': '104555610112'}}}
Any help please ?
FWIW, I am able to export the host to the export domain.
Alex
--
| RHCE | Sen Sys Engineer / Platform Architect | www.vcore.co |
www.vsearchcloud.com |
11 years, 7 months
- 2
- 4
Re: [Users] [oss-security] CVE-2012-XXYY Request -- google-authenticator: Information disclosure due insecure requirement on the secrets file
by Michael Pasternak
FYI
On 04/18/2013 01:45 PM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, Alexander, vendors,
>
> as noted in [1]:
>
> An information disclosure file was found in the way google-authenticator,
> a pluggable authentication module (PAM) which allows login using one-time
> passcodes conforming to the open standards developed by the Initiative for
> Open Authentication (OATH), performed management of its secret / state file
> in certain configurations. Due the lack of 'user=' option the secret file
> was previously required to be user-readable, allowing (in certain cases)
> a local attacker to obtain the (pre)shared client-to-authentication-server
> secret, possibly leading to victim's account impersonation.
>
> A different vulnerability than CVE-2013-0258.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10
> [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#20
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=953505
>
> Relevant upstream patch:
> [5] https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857...
>
> @Alexander - since I am not sure I have described the attack vector above
> properly, please correct me if / where required.
>
> @Kurt * the CVE-2012- identifier should be allocated to this issue, since
> the security implications of this problem are for the first time
> mentioned here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10 (2012-09-22),
>
> * from what I have looked, there doesn't seem to be:
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=authenticator
>
> a CVE identifier allocated to this issue yet (as noted above
> CVE-2013-0258 from that list is different issue).
>
> => could you allocate one?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
--
Michael Pasternak
RedHat, ENG-Virtualization R&D
11 years, 7 months
- 1
- 0
[Users] oVirt storage is down and doesn't come up
by Limor Gavish
Hi,
For some reason, without doing anything, all the storage domains became
down and restarting VDSM or the entire machine do not bring it up.
I am not using lvm
The following errors appear several times in vdsm.log (full logs are
attached):
Thread-22::WARNING::2013-04-12
19:00:08,597::lvm::378::Storage.LVM::(_reloadvgs) lvm vgs failed: 5 [] ['
Volume group "1083422e-a5db-41b6-b667-b9ef1ef244f0" not found']
Thread-22::DEBUG::2013-04-12
19:00:08,598::lvm::402::OperationMutex::(_reloadvgs) Operation 'lvm reload
operation' released the operation mutex
Thread-22::DEBUG::2013-04-12
19:00:08,681::resourceManager::615::ResourceManager::(releaseResource)
Trying to release resource 'Storage.5849b030-626e-47cb-ad90-3ce782d831b3'
Thread-22::DEBUG::2013-04-12
19:00:08,681::resourceManager::634::ResourceManager::(releaseResource)
Released resource 'Storage.5849b030-626e-47cb-ad90-3ce782d831b3' (0 active
users)
Thread-22::DEBUG::2013-04-12
19:00:08,681::resourceManager::640::ResourceManager::(releaseResource)
Resource 'Storage.5849b030-626e-47cb-ad90-3ce782d831b3' is free, finding
out if anyone is waiting for it.
Thread-22::DEBUG::2013-04-12
19:00:08,682::resourceManager::648::ResourceManager::(releaseResource) No
one is waiting for resource 'Storage.5849b030-626e-47cb-ad90-3ce782d831b3',
Clearing records.
Thread-22::ERROR::2013-04-12
19:00:08,682::task::850::TaskManager.Task::(_setError)
Task=`e35a22ac-771a-4916-851f-2fe9d60a0ae6`::Unexpected error
Traceback (most recent call last):
File "/usr/share/vdsm/storage/task.py", line 857, in _run
return fn(*args, **kargs)
File "/usr/share/vdsm/logUtils.py", line 45, in wrapper
res = f(*args, **kwargs)
File "/usr/share/vdsm/storage/hsm.py", line 939, in connectStoragePool
masterVersion, options)
File "/usr/share/vdsm/storage/hsm.py", line 986, in _connectStoragePool
res = pool.connect(hostID, scsiKey, msdUUID, masterVersion)
File "/usr/share/vdsm/storage/sp.py", line 695, in connect
self.__rebuild(msdUUID=msdUUID, masterVersion=masterVersion)
File "/usr/share/vdsm/storage/sp.py", line 1232, in __rebuild
masterVersion=masterVersion)
File "/usr/share/vdsm/storage/sp.py", line 1576, in getMasterDomain
raise se.StoragePoolMasterNotFound(self.spUUID, msdUUID)
StoragePoolMasterNotFound: Cannot find master domain:
'spUUID=5849b030-626e-47cb-ad90-3ce782d831b3,
msdUUID=1083422e-a5db-41b6-b667-b9ef1ef244f0'
Thread-22::DEBUG::2013-04-12
19:00:08,685::task::869::TaskManager.Task::(_run)
Task=`e35a22ac-771a-4916-851f-2fe9d60a0ae6`::Task._run:
e35a22ac-771a-4916-851f-2fe9d60a0ae6
('5849b030-626e-47cb-ad90-3ce782d831b3', 1,
'5849b030-626e-47cb-ad90-3ce782d831b3',
'1083422e-a5db-41b6-b667-b9ef1ef244f0', 3942) {} failed - stopping task
Thread-22::DEBUG::2013-04-12
19:00:08,685::task::1194::TaskManager.Task::(stop)
Task=`e35a22ac-771a-4916-851f-2fe9d60a0ae6`::stopping in state preparing
(force False)
Thread-22::DEBUG::2013-04-12
19:00:08,685::task::974::TaskManager.Task::(_decref)
Task=`e35a22ac-771a-4916-851f-2fe9d60a0ae6`::ref 1 aborting True
Thread-22::INFO::2013-04-12
19:00:08,686::task::1151::TaskManager.Task::(prepare)
Task=`e35a22ac-771a-4916-851f-2fe9d60a0ae6`::aborting: Task is aborted:
'Cannot find master domain' - code 304
*[wil@bufferoverflow ~]$ **sudo vgs --noheadings --units b --nosuffix
--separator \| -o
uuid,name,attr,size,free,extent_size,extent_count,free_count,tags,vg_mda_size,vg_mda_free
*
No volume groups found
*[wil@bufferoverflow ~]$ **mount*
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs
(rw,nosuid,size=8131256k,nr_inodes=2032814,mode=755)
securityfs on /sys/kernel/security type securityfs
(rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts
(rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup
(rw,nosuid,nodev,noexec,relatime,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/cpuset type cgroup
(rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup
(rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/memory type cgroup
(rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup
(rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup
(rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup
(rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/blkio type cgroup
(rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup
(rw,nosuid,nodev,noexec,relatime,perf_event)
/dev/sda3 on / type ext4 (rw,relatime,data=ordered)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
sunrpc on /proc/fs/nfsd type nfsd (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs
(rw,relatime,fd=34,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue on /dev/mqueue type mqueue (rw,relatime)
tmpfs on /tmp type tmpfs (rw)
configfs on /sys/kernel/config type configfs (rw,relatime)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
/dev/sda5 on /home type ext4 (rw,relatime,data=ordered)
/dev/sda1 on /boot type ext4 (rw,relatime,data=ordered)
kernelpanic.home:/home/KP_Data_Domain on
/rhev/data-center/mnt/kernelpanic.home:_home_KP__Data__Domain type nfs
(rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,soft,nosharecache,proto=tcp,timeo=600,retrans=6,sec=sys,mountaddr=10.100.101.100,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=10.100.101.100)
bufferoverflow.home:/home/BO_ISO_Domain on
/rhev/data-center/mnt/bufferoverflow.home:_home_BO__ISO__Domain type nfs
(rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,soft,nosharecache,proto=tcp,timeo=600,retrans=6,sec=sys,mountaddr=10.100.101.108,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=10.100.101.108)
*[wil@bufferoverflow ~]$ **sudo find / -name
5849b030-626e-47cb-ad90-3ce782d831b3*
/run/vdsm/pools/5849b030-626e-47cb-ad90-3ce782d831b3
*[wil@bufferoverflow ~]$* *sudo find / -name
1083422e-a5db-41b6-b667-b9ef1ef244f0*
/home/BO_Ovirt_Storage/1083422e-a5db-41b6-b667-b9ef1ef244f0
I will extremely appreciate any help,
Limor Gavish
11 years, 7 months
- 4
- 7
[Users] Problem setting up spice
by Olivier Boulin
hi, i'm totally an Ovirt newbie. I've installed an all-in-one version to test and i've got a problem with spice.
I found this : http://www.ovirt.org/How_to_Connect_to_SPICE_Console_With_Portal
but the link to the spice.cab cabinet is down. Is this page obsolete ?
If yes, how do i open a console from a windows 7 client ?
Thanks in advance
11 years, 7 months
- 2
- 1
[Users] oVirt 3.2 and MD3600i
by martin.kralicek@accenture.com
--_000_A14EC602F2E1DD4984ABE308D49EA2D226D0A2B1048CH1MPN116204_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Hello,
Has somebody experience with Dell MD3600i and oVirt 3.2.1?
Host and oVirt are deployed on Fedora 18.
My infrastructure contains: 2 x powerconnect 6224 and this storage with two=
controllers
Both switch are in stack mode and storage is connect with four 10Gb ports i=
n same subnet (is better to use it without stack as two subnet?)
So, where is problem...I can create iSCSI storage domain, everything seems =
to be OK but when I want to add next host they cannot access this iSCSI tar=
get (in storage management tools is already added to host group)
And during this process I can see only on host console IO error, buffer err=
or and kernel BUG: soft lockup - CPU stuck etc...
Exists recommended way how involved iSCSI?
Thanks for any suggestions
Martin
________________________________
This message is for the designated recipient only and may contain privilege=
d, proprietary, or otherwise confidential information. If you have received=
it in error, please notify the sender immediately and delete the original.=
Any other use of the e-mail by you is prohibited.
Where allowed by local law, electronic communications with Accenture and it=
s affiliates, including e-mail and instant messaging (including content), m=
ay be scanned by our systems for the purposes of information security and a=
ssessment of internal compliance with Accenture policy.
___________________________________________________________________________=
___________
www.accenture.com
--_000_A14EC602F2E1DD4984ABE308D49EA2D226D0A2B1048CH1MPN116204_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"CS" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">Hello,<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Has somebody experience with Dell MD3600i and oVirt =
3.2.1?<o:p></o:p></p>
<p class=3D"MsoNormal">Host and oVirt are deployed on Fedora 18.<o:p></o:p>=
</p>
<p class=3D"MsoNormal">My infrastructure contains: 2 x powerconnect 6224 an=
d this storage with two controllers<o:p></o:p></p>
<p class=3D"MsoNormal">Both switch are in stack mode and storage is connect=
with four 10Gb ports in same subnet (is better to use it without stack as =
two subnet?)<o:p></o:p></p>
<p class=3D"MsoNormal">So, where is problem...I can create iSCSI storage do=
main, everything seems to be OK but when I want to add next host they canno=
t access this iSCSI target (in storage management tools is already added to=
host group)<o:p></o:p></p>
<p class=3D"MsoNormal">And during this process I can see only on host conso=
le IO error, buffer error and kernel BUG: soft lockup – CPU stuck etc=
...<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Exists recommended way how involved iSCSI?<o:p></o:p=
></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Thanks for any suggestions<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p> </o:p></p>
<p class=3D"MsoNormal">Martin<o:p></o:p></p>
</div>
<br>
<hr>
<font face=3D"Arial" color=3D"Gray" size=3D"1">This message is for the desi=
gnated recipient only and may contain privileged, proprietary, or otherwise=
confidential information. If you have received it in error, please notify =
the sender immediately and delete the
original. Any other use of the e-mail by you is prohibited.<br>
<br>
Where allowed by local law, electronic communications with Accenture and it=
s affiliates, including e-mail and instant messaging (including content), m=
ay be scanned by our systems for the purposes of information security and a=
ssessment of internal compliance
with Accenture policy.<br>
<br>
___________________________________________________________________________=
___________<br>
<br>
www.accenture.com<br>
</font>
</body>
</html>
--_000_A14EC602F2E1DD4984ABE308D49EA2D226D0A2B1048CH1MPN116204_--
11 years, 7 months
- 4
- 4
[Users] Fwd: Problem setting up spice
by Juan Jose
---------- Forwarded message ----------
From: Juan Jose <jj197005(a)gmail.com>
Date: Thu, Apr 18, 2013 at 12:53 PM
Subject: Re: [Users] Problem setting up spice
To: Olivier Boulin <olivier.boulin(a)dijon.iufm.fr>
Hello Olivier,
You need to install virt-viewer in you client platform, 32 or 64 bits, and
to be sure that host and engine are resolvable from your windows 7 client
system. I have tested this with IE 9.0 and it's work properly. You can
download virt-viewer from this page: http://spice-space.org/download.html.
I hope this help you.
Juanjo.
On Thu, Apr 18, 2013 at 11:06 AM, Olivier Boulin <
olivier.boulin(a)dijon.iufm.fr> wrote:
> hi, i'm totally an Ovirt newbie. I've installed an all-in-one version to
> test and i've got a problem with spice.
>
> I found this : http://www.ovirt.org/How_to_**
> Connect_to_SPICE_Console_With_**Portal<http://www.ovirt.org/How_to_Connect_to_SPICE_Console_With_Portal>
>
> but the link to the spice.cab cabinet is down. Is this page obsolete ?
>
> If yes, how do i open a console from a windows 7 client ?
>
> Thanks in advance
> ______________________________**_________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/**mailman/listinfo/users<http://lists.ovirt.org/mailman/listinfo/users>
>
11 years, 7 months
- 1
- 0
[Users] How to remove storage domain
by Gianluca Cecchi
Hello,
oVirt 3.2.1 on f18.
I have an FC datacenter where I have several storage domains.
I want to remove one storage domain, so I move all its disks to other ones
(disk --> move)
At the end its state is active, but the "remove" option is greyed out.
I can only do "destroy".
What to do to have the "delete" option possible?
Thanks,
Gianluca
11 years, 7 months
- 2
- 5