April 2016 - Users - oVirt List Archives

advanced users authentication, using kerberos, CAS SSO and Active Directory
by Fabrice Bacchella 25 Apr '16

25 Apr '16

--Apple-Mail=_835E50DB-6781-44B0-B308-2F94E2910205 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 I have a production were hard coded password are avoided. We prefer to = use kerberos. We also provided a SSO for Web UI using CAS = <http://jasig.github.io/cas/4.2.x/index.html>. We use ActiveDirectory = for user backend. So I wanted a oVirt installation that will use kerberos for API = authentication. For the web ui, kerberos is not always the best = solution, so I wanted to integrated it in our CAS. The Apache part was easy to setup. I will show only subpart of the whole Apache setup and only = authentication related part # The CAS modules LoadModule authz_user_module = /usr/lib64/httpd/modules/mod_authz_user.so # Needed because auth_cas_module forget to link openssl LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so LoadModule auth_cas_module = /usr/lib64/httpd/modules/mod_auth_cas.so # For the kerberos authentication on the API LoadModule auth_gssapi_module = /usr/lib64/httpd/modules/mod_auth_gssapi.so LoadModule session_module /usr/lib64/httpd/modules/mod_session.so LoadModule session_cookie_module = /usr/lib64/httpd/modules/mod_session_cookie.so CASLoginURL https://sso/cas/login CASValidateSAML On CASValidateURL https://sso/cas/samlValidate <VirtualHost *:443> RequestHeader unset X-Remote-User early <LocationMatch ^/api($|/)> RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} ^(.*@DOMAIN)$ RewriteRule ^(.*)$ - [L,P,E=3DREMOTE_USER:%1] RequestHeader set X-Remote-User %{REMOTE_USER}s AuthType GSSAPI AuthName "GSSAPI Single Sign On Login" GssapiCredStore keytab:.../httpd.keytab Require valid-user GssapiUseSessions On Session On SessionCookieName ovirt_gssapi_session = path=3D/private;httponly;secure; </LocationMatch> <LocationMatch = ^/(ovirt-engine($|/)|RHEVManagerWeb/|OvirtEngineWeb/|ca.crt$|engine.ssh.ke= y.txt$|rhevm.ssh.key.txt$)> AuthType CAS Require valid-user CASAuthNHeader X-Remote-User </LocationMatch> </VirtualHost> The authn file /etc/ovirt-engine/extensions.d/apachesso-authn.properties = is : ovirt.engine.extension.name =3D apachesso-authn ovirt.engine.extension.bindings.method =3D jbossmodule ovirt.engine.extension.binding.jbossmodule.module =3D = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class =3D = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension ovirt.engine.extension.provides =3D = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name =3D apachesso ovirt.engine.aaa.authn.authz.plugin =3D DOMAIN-authz config.artifact.name =3D HEADER config.artifact.arg =3D X-Remote-User And the authz file = /etc/ovirt-engine/extensions.d/DOMAIN-authz.properties is: ovirt.engine.extension.name =3D DOMAIN-authz ovirt.engine.extension.bindings.method =3D jbossmodule ovirt.engine.extension.binding.jbossmodule.module =3D = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class =3D = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides =3D = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 =3D ../aaa/DOMAIN.properties I had some difficulties with AD backend. A straightforward solution = would have been : include =3D <ad.properties> vars.domain =3D DOMAIN vars.user =3D BINDDN vars.password =3D BINDPWD vars.forest =3D domain.com pool.default.auth.simple.bindDN =3D ${global:vars.user} pool.default.auth.simple.password =3D ${global:vars.password} pool.default.serverset.type =3D srvrecord pool.default.serverset.srvrecord.domain =3D ${global:vars.domain} pool.default.ssl.startTLS =3D true pool.default.ssl.truststore.file =3D .../domain.jks pool.default.ssl.truststore.password =3D=20 # Only TLSv1.2 is secure nowadays pool.default.ssl.startTLSProtocol =3D TLSv1.2 # long time out should be avoided pool.default.connection-options.connectTimeoutMillis =3D 500 But if fails. We have a special setup with about 100 domain controlers = and only two of them can be reached from the ovirt engine. So my first = try was so defined them directly in the configuration file: pool.default.serverset.type =3D failover pool.default.serverset.failover.1.server =3D dcX.domain.com pool.default.serverset.failover.2.server =3D dcY.domain.com But that fails. Server-engine was still using a lot of unreachable = domain controler. After some digging I found that other part of the ldap = extension use a different serverset, I don=E2=80=99t know why it don=E2=80= =99t reuse the default pool. It=E2=80=99s called pool.default.dc-resolve = (it should be called pool.dc-resolve, as it=E2=80=99s not the default = but a custom one), so I added in my configuration: pool.default.dc-resolve.default.serverset.type =3D failover pool.default.dc-resolve.serverset.failover.1.server =3D dcX.domain.com pool.default.dc-resolve.serverset.failover.2.server =3D dcY.domain.com But there is a better solution. Ondra Machacek point it to me. In Active = Directory, there is something called a =E2=80=9Csite=E2=80=9D, with a = subset of all the domain controler in it. It can be found under = CN=3DSites,CN=3DConfiguration,DC=3DDOMAIN,... To list them: ldapsearch -H ldap://somedc -b CN=3DSites,CN=3DConfiguration,DC=3DDOMAIN = -s one -o ldif-wrap=3Dno cn The information to write down is the cn returned You get a list of all domain, just pick the right one, remove all the = serverset configuration and add : pool.default.serverset.srvrecord.domain-conversion.type =3D regex pool.default.serverset.srvrecord.domain-conversion.regex.pattern =3D = ^(?<domain>.*)$ pool.default.serverset.srvrecord.domain-conversion.regex.replacement =3D = GOOD_SITE._sites.${domain} The entry _sites.${domain} don=E2=80=99t exist in the DNS, so to check = that your regex is good, try instead: dig +short _ldap._tcp.GOOD_SITE._sites.${domain} srv It should return only reachable domain controlers. So the final /etc/ovirt-engine/aaa/DOMAIN.properties was : include =3D <ad.properties> vars.domain =3D DOMAIN vars.user =3D BINDDN vars.password =3D BINDPWD vars.forest =3D domain.com pool.default.auth.simple.bindDN =3D ${global:vars.user} pool.default.auth.simple.password =3D ${global:vars.password} pool.default.serverset.type =3D srvrecord pool.default.serverset.srvrecord.domain =3D ${global:vars.domain} pool.default.ssl.startTLS =3D true pool.default.ssl.truststore.file =3D .../domain.jks pool.default.ssl.truststore.password =3D=20 pool.default.ssl.startTLSProtocol =3D TLSv1.2 pool.default.connection-options.connectTimeoutMillis =3D 500 pool.default.serverset.srvrecord.domain-conversion.type =3D regex pool.default.serverset.srvrecord.domain-conversion.regex.pattern =3D = ^(?<domain>.*)$ pool.default.serverset.srvrecord.domain-conversion.regex.replacement =3D = GOOD_SITE._sites.${domain} With this setup, my python client = <https://github.com/fbacchella/ovirtcmd> can connect to ovirt-engine = using kerberos ticket, web users are authenticated using CAS. And there = is no need to duplicate user base. --Apple-Mail=_835E50DB-6781-44B0-B308-2F94E2910205 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 <html><head><meta http-equiv=3D"Content-Type" content=3D"text/html = charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; = -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" = class=3D"">I have a production were hard coded password are avoided. We = prefer to use kerberos. We also provided a SSO for Web UI using <a = href=3D"http://jasig.github.io/cas/4.2.x/index.html" style=3D"color: = rgb(104, 0, 148); text-decoration: none; margin-top: auto;" = class=3D"">CAS</a>. We use ActiveDirectory for user backend.<p = style=3D"-webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; margin-top: 15px; = margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" = class=3D"">So I wanted a oVirt installation that will use kerberos for = API authentication. For the web ui, kerberos is not always the best = solution, so I wanted to integrated it in our CAS.<p = style=3D"-webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; margin-top: 15px; = margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" = class=3D"">The Apache part was easy to setup.<p = style=3D"-webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; margin-top: 15px; = margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" = class=3D"">I will show only subpart of the whole Apache setup and only = authentication related part<pre style=3D"font-family: Menlo, Monaco, = 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; = padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: = border-box; overflow: auto; position: relative;" class=3D""><code = style=3D"font-family: Menlo, Monaco, 'Courier New', monospace; = word-wrap: normal; white-space: pre; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" class=3D""># The CAS modules LoadModule authz_user_module = /usr/lib64/httpd/modules/mod_authz_user.so # Needed because auth_cas_module forget to link openssl LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so LoadModule auth_cas_module = /usr/lib64/httpd/modules/mod_auth_cas.so # For the kerberos authentication on the API LoadModule auth_gssapi_module = /usr/lib64/httpd/modules/mod_auth_gssapi.so LoadModule session_module /usr/lib64/httpd/modules/mod_session.so LoadModule session_cookie_module = /usr/lib64/httpd/modules/mod_session_cookie.so CASLoginURL <a href=3D"https://sso/cas/login" = class=3D"">https://sso/cas/login</a> CASValidateSAML On CASValidateURL <a href=3D"https://sso/cas/samlValidate" = class=3D"">https://sso/cas/samlValidate</a> <VirtualHost *:443> RequestHeader unset X-Remote-User early <LocationMatch ^/api($|/)> RewriteEngine on RewriteCond %{LA-U:REMOTE_USER} ^(.*@DOMAIN)$ RewriteRule ^(.*)$ - [L,P,E=3DREMOTE_USER:%1] RequestHeader set X-Remote-User %{REMOTE_USER}s AuthType GSSAPI AuthName "GSSAPI Single Sign On Login" GssapiCredStore keytab:.../httpd.keytab Require valid-user GssapiUseSessions On Session On SessionCookieName ovirt_gssapi_session = path=3D/private;httponly;secure; </LocationMatch> <LocationMatch = ^/(ovirt-engine($|/)|RHEVManagerWeb/|OvirtEngineWeb/|ca.crt$|engine.ssh.ke= y.txt$|rhevm.ssh.key.txt$)> AuthType CAS Require valid-user CASAuthNHeader X-Remote-User </LocationMatch> </VirtualHost> </code></pre>The authn file <code style=3D"font-size: 12px; = font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: = break-word; white-space: pre-wrap; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: = inline-block; padding: 1px 4px; margin-top: auto;" = class=3D"">/etc/ovirt-engine/extensions.d/apachesso-authn.properties</code= > is :<pre style=3D"font-family: Menlo, Monaco, 'Courier New', = monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em = 0.8em; -webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: = border-box; overflow: auto; position: relative;" class=3D""><code = style=3D"font-family: Menlo, Monaco, 'Courier New', monospace; = word-wrap: normal; white-space: pre; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" = class=3D"">ovirt.engine.extension.name =3D apachesso-authn ovirt.engine.extension.bindings.method =3D jbossmodule ovirt.engine.extension.binding.jbossmodule.module =3D = org.ovirt.engine-extensions.aaa.misc ovirt.engine.extension.binding.jbossmodule.class =3D = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension ovirt.engine.extension.provides =3D = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name =3D apachesso ovirt.engine.aaa.authn.authz.plugin =3D DOMAIN-authz config.artifact.name =3D HEADER config.artifact.arg =3D X-Remote-User </code></pre>And the authz file <code style=3D"font-size: 12px; = font-family: Menlo, Monaco, 'Courier New', monospace; word-wrap: = break-word; white-space: pre-wrap; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: = inline-block; padding: 1px 4px; margin-top: auto;" = class=3D"">/etc/ovirt-engine/extensions.d/DOMAIN-authz.properties</code>&n= bsp;is:<pre style=3D"font-family: Menlo, Monaco, 'Courier New', = monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em = 0.8em; -webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: = border-box; overflow: auto; position: relative;" class=3D""><code = style=3D"font-family: Menlo, Monaco, 'Courier New', monospace; = word-wrap: normal; white-space: pre; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" = class=3D"">ovirt.engine.extension.name =3D DOMAIN-authz ovirt.engine.extension.bindings.method =3D jbossmodule ovirt.engine.extension.binding.jbossmodule.module =3D = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class =3D = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides =3D = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 =3D ../aaa/DOMAIN.properties </code></pre>I had some difficulties with AD backend. A straightforward = solution would have been :<pre style=3D"font-family: Menlo, Monaco, = 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; = padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: = border-box; overflow: auto; position: relative;" class=3D""><code = style=3D"font-family: Menlo, Monaco, 'Courier New', monospace; = word-wrap: normal; white-space: pre; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" class=3D"">include =3D = <ad.properties> vars.domain =3D DOMAIN vars.user =3D BINDDN vars.password =3D BINDPWD vars.forest =3D <a href=3D"http://domain.com" class=3D"">domain.com</a> pool.default.auth.simple.bindDN =3D ${global:vars.user} pool.default.auth.simple.password =3D ${global:vars.password} pool.default.serverset.type =3D srvrecord pool.default.serverset.srvrecord.domain =3D ${global:vars.domain} pool.default.ssl.startTLS =3D true pool.default.ssl.truststore.file =3D .../domain.jks pool.default.ssl.truststore.password =3D=20 # Only TLSv1.2 is secure nowadays pool.default.ssl.startTLSProtocol =3D TLSv1.2 # long time out should be avoided pool.default.connection-options.connectTimeoutMillis =3D 500 </code></pre>But if fails. We have a special setup with about 100 domain = controlers and only two of them can be reached from the ovirt engine. So = my first try was so defined them directly in the configuration = file:<pre style=3D"font-family: Menlo, Monaco, 'Courier New', = monospace; word-wrap: normal; white-space: pre-wrap; padding: 0.6em = 0.8em; -webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: = border-box; overflow: auto; position: relative;" class=3D""><code = style=3D"font-family: Menlo, Monaco, 'Courier New', monospace; = word-wrap: normal; white-space: pre; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" = class=3D"">pool.default.serverset.type =3D failover pool.default.serverset.failover.1.server =3D <a = href=3D"http://dcX.domain.com" class=3D"">dcX.domain.com</a> pool.default.serverset.failover.2.server =3D <a = href=3D"http://dcY.domain.com" class=3D"">dcY.domain.com</a> </code></pre>But that fails. Server-engine was still using a lot of = unreachable domain controler. After some digging I found that other part = of the ldap extension use a different serverset, I don=E2=80=99t know = why it don=E2=80=99t reuse the default pool. It=E2=80=99s = called <code style=3D"font-size: 12px; font-family: Menlo, Monaco, = 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; = border-top-left-radius: 3px; border-top-right-radius: 3px; = border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; = background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) = 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px = 0px; display: inline-block; padding: 1px 4px; margin-top: auto;" = class=3D"">pool.default.dc-resolve</code> (it should be = called <code style=3D"font-size: 12px; font-family: Menlo, Monaco, = 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; = border-top-left-radius: 3px; border-top-right-radius: 3px; = border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; = background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) = 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px = 0px; display: inline-block; padding: 1px 4px;" = class=3D"">pool.dc-resolve</code>, as it=E2=80=99s not the default but a = custom one), so I added in my configuration:<pre style=3D"font-family:= Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; = white-space: pre-wrap; padding: 0.6em 0.8em; = -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: = collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; = border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; = background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) = 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px = 0px; box-sizing: border-box; overflow: auto; position: relative;" = class=3D""><code style=3D"font-family: Menlo, Monaco, 'Courier New', = monospace; word-wrap: normal; white-space: pre; border-top-left-radius: = 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" = class=3D"">pool.default.dc-resolve.default.serverset.type =3D failover pool.default.dc-resolve.serverset.failover.1.server =3D <a = href=3D"http://dcX.domain.com" class=3D"">dcX.domain.com</a> pool.default.dc-resolve.serverset.failover.2.server =3D <a = href=3D"http://dcY.domain.com" class=3D"">dcY.domain.com</a> </code></pre>But there is a better solution. Ondra Machacek point it to = me. In Active Directory, there is something called a =E2=80=9Csite=E2=80=9D= , with a subset of all the domain controler in it. It can be found = under <code style=3D"font-size: 12px; font-family: Menlo, Monaco, = 'Courier New', monospace; word-wrap: break-word; white-space: pre-wrap; = border-top-left-radius: 3px; border-top-right-radius: 3px; = border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; = background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) = 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px = 0px; display: inline-block; padding: 1px 4px; margin-top: auto;" = class=3D"">CN=3DSites,CN=3DConfiguration,DC=3DDOMAIN,...</code><p = style=3D"-webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; margin-top: 15px; = margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" = class=3D"">To list them:<pre style=3D"font-family: Menlo, Monaco, = 'Courier New', monospace; word-wrap: normal; white-space: pre-wrap; = padding: 0.6em 0.8em; -webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; box-sizing: = border-box; overflow: auto; position: relative;" class=3D""><code = style=3D"font-family: Menlo, Monaco, 'Courier New', monospace; = word-wrap: normal; white-space: pre; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" class=3D"">ldapsearch -H <a = href=3D"ldap://somedc" class=3D"">ldap://somedc</a> -b = CN=3DSites,CN=3DConfiguration,DC=3DDOMAIN -s one -o ldif-wrap=3Dno cn </code></pre>The information to write down is the cn returned<p = style=3D"-webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; margin-top: 15px; = margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" = class=3D"">You get a list of all domain, just pick the right one, remove = all the serverset configuration and add :<pre style=3D"font-family: = Menlo, Monaco, 'Courier New', monospace; word-wrap: normal; white-space: = pre-wrap; padding: 0.6em 0.8em; -webkit-margin-before-collapse: = collapse; -webkit-margin-after-collapse: collapse; = border-top-left-radius: 3px; border-top-right-radius: 3px; = border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; = background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) = 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px = 0px; box-sizing: border-box; overflow: auto; position: relative;" = class=3D""><code style=3D"font-family: Menlo, Monaco, 'Courier New', = monospace; word-wrap: normal; white-space: pre; border-top-left-radius: = 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" = class=3D"">pool.default.serverset.srvrecord.domain-conversion.type =3D = regex pool.default.serverset.srvrecord.domain-conversion.regex.pattern =3D = ^(?<domain>.*)$ pool.default.serverset.srvrecord.domain-conversion.regex.replacement =3D = GOOD_SITE._sites.${domain} </code></pre>The entry <code style=3D"font-size: 12px; font-family: = Menlo, Monaco, 'Courier New', monospace; word-wrap: break-word; = white-space: pre-wrap; border-top-left-radius: 3px; = border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: white; = -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; = box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px 0px; display: = inline-block; padding: 1px 4px; margin-top: auto;" = class=3D"">_sites.${domain}</code> don=E2=80=99t exist in the DNS, = so to check that your regex is good, try instead:<pre = style=3D"font-family: Menlo, Monaco, 'Courier New', monospace; = word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; = -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: = collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; = border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; = background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) = 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px = 0px; box-sizing: border-box; overflow: auto; position: relative;" = class=3D""><code style=3D"font-family: Menlo, Monaco, 'Courier New', = monospace; word-wrap: normal; white-space: pre; border-top-left-radius: = 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" class=3D"">dig +short = _ldap._tcp.GOOD_SITE._sites.${domain} srv </code></pre>It should return only reachable domain controlers.<p = style=3D"-webkit-margin-before-collapse: collapse; = -webkit-margin-after-collapse: collapse; margin-top: 15px; = margin-bottom: 15px; font-family: caption, sans-serif; font-size: 13px;" = class=3D"">So the final /etc/ovirt-engine/aaa/DOMAIN.properties was = :<pre style=3D"font-family: Menlo, Monaco, 'Courier New', monospace; = word-wrap: normal; white-space: pre-wrap; padding: 0.6em 0.8em; = -webkit-margin-before-collapse: collapse; -webkit-margin-after-collapse: = collapse; border-top-left-radius: 3px; border-top-right-radius: 3px; = border-bottom-right-radius: 3px; border-bottom-left-radius: 3px; = background-color: white; -webkit-box-shadow: rgba(0, 0, 0, 0.0980392) = 0px 0.5px 1px 0px; box-shadow: rgba(0, 0, 0, 0.0980392) 0px 0.5px 1px = 0px; box-sizing: border-box; overflow: auto; position: relative;" = class=3D""><code style=3D"font-family: Menlo, Monaco, 'Courier New', = monospace; word-wrap: normal; white-space: pre; border-top-left-radius: = 3px; border-top-right-radius: 3px; border-bottom-right-radius: 3px; = border-bottom-left-radius: 3px; background-color: transparent; = -webkit-box-shadow: none; box-shadow: none; display: inline; padding: = 0px; border: none; margin-top: auto;" class=3D"">include =3D = <ad.properties> vars.domain =3D DOMAIN vars.user =3D BINDDN vars.password =3D BINDPWD vars.forest =3D <a href=3D"http://domain.com" class=3D"">domain.com</a> pool.default.auth.simple.bindDN =3D ${global:vars.user} pool.default.auth.simple.password =3D ${global:vars.password} pool.default.serverset.type =3D srvrecord pool.default.serverset.srvrecord.domain =3D ${global:vars.domain} pool.default.ssl.startTLS =3D true pool.default.ssl.truststore.file =3D .../domain.jks pool.default.ssl.truststore.password =3D=20 pool.default.ssl.startTLSProtocol =3D TLSv1.2 pool.default.connection-options.connectTimeoutMillis =3D 500 pool.default.serverset.srvrecord.domain-conversion.type =3D regex pool.default.serverset.srvrecord.domain-conversion.regex.pattern =3D = ^(?<domain>.*)$ pool.default.serverset.srvrecord.domain-conversion.regex.replacement =3D = GOOD_SITE._sites.${domain} </code></pre>With this setup, my <a = href=3D"https://github.com/fbacchella/ovirtcmd" style=3D"color: rgb(104, = 0, 148); text-decoration: none; margin-top: auto;" class=3D"">python = client</a> can connect to ovirt-engine using kerberos ticket, web = users are authenticated using CAS. And there is no need to duplicate = user base.<div class=3D""> </div></body></html>= --Apple-Mail=_835E50DB-6781-44B0-B308-2F94E2910205--

1 0

Re: [ovirt-users] Unable to install CentOS 6.7 on ovirt 3.5/.6
by Yaniv Kaul 25 Apr '16

25 Apr '16

The checksum looks correct. From a bit of Googling around, might be a (known?) issue - can you try the workaround mentioned @ https://bugzilla.redhat.com/show_bug.cgi?id=632811 ? Y. On Fri, Apr 22, 2016 at 6:37 AM, Gene Fontanilla <ginofontanilla(a)gmail.com> wrote: > follow up attachment. > > everything freezes here. > > regards, > Gene > > On Fri, Apr 22, 2016 at 10:57 AM, Gene Fontanilla < > ginofontanilla(a)gmail.com> wrote: > >> Hi, >> >> md5sum: 9381a24b8bee2fed0c26896141a64b69 >> >> please see attached screenshots, i didn't find any error logs on >> engine.log. >> >> weird thing is that windows installations work like a charm. >> >> regards, >> Gene >> >> >> >> On Thu, Apr 21, 2016 at 8:12 PM, Yaniv Kaul <ykaul(a)redhat.com> wrote: >> >>> >>> >>> On Thu, Apr 21, 2016 at 5:18 AM, Gene Fontanilla < >>> ginofontanilla(a)gmail.com> wrote: >>> >>>> Hi, >>>> >>>> Anyone having issues on using CentOS 6.6 iso on oVirt 3.5 and 3.6? >>>> >>>> I have two environments for testing (oVirt 3.5 and 3.6) and I can't >>>> install centos 6.6 iso on the vms. >>>> >>>> it after anaconda installer starts. >>>> >>> >>> Can you provide a bit more information? Can you ensure the ISO is not >>> corrupted (check its MD5/SHA sum) ? >>> Y. >>> >>> >>>> >>>> regards. >>>> Gene >>>> >>>> _______________________________________________ >>>> Users mailing list >>>> Users(a)ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >>>> >>> >> >

2 3

Hosted Engine installation fails while deploying in hyper-converged configuration
by Stefano Stagnaro 24 Apr '16

24 Apr '16

Hi, while deploying Hosted Engine in hyper-converged configuration, installation fails with following error: [ ERROR ] Failed to execute stage 'Environment customization': <Fault 1: "<type 'exceptions.TypeError'>:cannot marshal None unless allow_none is enabled"> I followed Ramesh post: http://blogs-ramesh.blogspot.it/2016/01/ovirt-and-gluster-hyperconvergence.… My setup includes 3 hosts with: - ovirt 3.6.3 - glusterfs 3.7.8 - vdsm 4.17.23.2 - replica 3 gluster volume - no firewall - selinux enforcing - 1 network for management, 1 network for gluster I've uploaded logs on pastebin: - hosted-engine --deploy http://pastebin.com/aZwwdt51 - ovirt-hosted-engine-setup.log http://pastebin.com/114zfbAB - rhev-data-center-mnt-glusterSD-h4gfs.newvirt:_engine.log http://pastebin.com/GL4yyT95 - vdsm.log http://pastebin.com/WjSm0cHQ Thank you very much for your help. -- Stefano Stagnaro Prisma Telecom Testing S.r.l. Via Petrocchi, 4 20127 Milano – Italy Tel. 02 26113507 int 339 e-mail: stefanos(a)prismatelecomtesting.com skype: stefano.stagnaro

3 7

Procedure to upgrade single-host datacenter from el6 to el7
by Rik Theys 24 Apr '16

24 Apr '16

Hi, I'm looking for the best procedure to upgrade a host from CentOS 6 to CentOS 7. The host is the only host in the oVirt data center (the engine is running on another machine and manages multiple data centers). For datacenters with multiple hosts I followed the following steps: - Add new cluster - Put host in maintenance - Remove host from old cluster - Reinstall host - Add host to new cluster - repeat for all hosts until old cluster is empty This worked OK and the data center was never "non operational". Is the procedure identical for a data center with only one host? Should I also remove the host from the (only) cluster in the data center, or should I reinstall it and select the "reinstall" option in the oVirt web interface? Since there is only one host in the cluster there's no need to create a new cluster? Is there any state on the host that I should keep when performing the reinstall with CentOS 7? The host is using FC storage (local disks configured as FC through multipath). Regards, Rik -- Rik Theys System Engineer KU Leuven - Dept. Elektrotechniek (ESAT) Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee +32(0)16/32.11.07 ---------------------------------------------------------------- <<Any errors in spelling, tact or fact are transmission errors>>

2 3

ovirt 3.6 hosted engine vm not displaying in vms tab
by Dobó László 24 Apr '16

24 Apr '16

Hi, I just upgraded from 3.6.3 to 3.6.5, but the hosted engine vm still not visible in vms list. Its running on iscsi storage domain. The hosted_storage status is "Inactive", cross data center status is "Locked". I didn't find anything interesting in engine or vdsm log file. Is there any workaround or idea for this problem? engine os: CentOS Linux release 7.2.1511 (Core) pkg list: ebay-cors-filter.noarch 1.0.1-3.el7 @centos-ovirt36 jasperreports-server.noarch 6.0.1-1.el7 @ovirt-3.6 novnc.noarch 0.5.1-2.el7 @ovirt-3.6-epel otopi.noarch 1.4.1-1.el7.centos @ovirt-3.6 otopi-java.noarch 1.4.1-1.el7.centos @ovirt-3.6 ovirt-engine.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-backend.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-cli.noarch 3.6.2.0-1.el7.centos @ovirt-3.6 ovirt-engine-dbscripts.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-extension-aaa-jdbc.noarch 1.0.6-1.el7 @ovirt-3.6 ovirt-engine-extensions-api-impl.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-jboss-as.x86_64 7.1.1-1.el7.centos @ovirt-3.6 ovirt-engine-lib.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-restapi.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-sdk-java.noarch 3.6.5.0-1.el7 @ovirt-3.6 ovirt-engine-sdk-python.noarch 3.6.5.0-1.el7.centos @ovirt-3.6 ovirt-engine-setup.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-setup-base.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-setup-plugin-ovirt-engine.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-setup-plugin-ovirt-engine-common.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-setup-plugin-vmconsole-proxy-helper.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-setup-plugin-websocket-proxy.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-tools.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-tools-backup.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-userportal.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-vmconsole-proxy-helper.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-webadmin-portal.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-websocket-proxy.noarch 3.6.5.3-1.el7.centos @ovirt-3.6 ovirt-engine-wildfly.x86_64 8.2.1-1.el7 @ovirt-3.6 ovirt-engine-wildfly-overlay.noarch 8.0.5-1.el7 @ovirt-3.6 ovirt-host-deploy.noarch 1.4.1-1.el7.centos @ovirt-3.6 ovirt-host-deploy-java.noarch 1.4.1-1.el7.centos @ovirt-3.6 ovirt-image-uploader.noarch 3.6.0-1.el7.centos @ovirt-3.6 ovirt-iso-uploader.noarch 3.6.0-1.el7.centos @ovirt-3.6 ovirt-optimizer.noarch 0.9.1-2.el7.centos @ovirt-3.6 ovirt-optimizer-ui.noarch 0.9.1-2.el7.centos @ovirt-3.6 ovirt-release36.noarch 007-1 @ovirt-3.6 ovirt-setup-lib.noarch 1.0.1-1.el7.centos @ovirt-3.6 ovirt-vmconsole.noarch 1.0.0-1.el7.centos @ovirt-3.6 ovirt-vmconsole-proxy.noarch 1.0.0-1.el7.centos @ovirt-3.6 patternfly1.noarch 1.3.0-1.el7.centos @ovirt-3.6-patternfly1-noarch-epel python-daemon.noarch 1.6-4.el7 @ovirt-3.6-epel python-paramiko.noarch 1.15.1-1.el7 @ovirt-3.6-epel python-websockify.noarch 0.6.0-2.el7 @ovirt-3.6-epel spice-html5.noarch 0.1.6-1.el7 @ovirt-3.6-epel vdsm-jsonrpc-java.noarch 1.1.9-1.el7.centos @ovirt-3.6 nodes : oVirt Node Hypervisor release 3.6 (0.999.201603090756.el7.centos) vdsm.noarch 4.17.24-0.el7.centos vdsm-cli.noarch 4.17.24-0.el7.centos vdsm-hook-ethtool-options.noarch 4.17.24-0.el7.centos vdsm-hook-vmfex-dev.noarch 4.17.24-0.el7.centos vdsm-infra.noarch 4.17.24-0.el7.centos vdsm-jsonrpc.noarch 4.17.24-0.el7.centos vdsm-python.noarch 4.17.24-0.el7.centos vdsm-xmlrpc.noarch 4.17.24-0.el7.centos vdsm-yajsonrpc.noarch 4.17.24-0.el7.centos greetings, enax

2 1

Second DataCenter isn't available to attach Export Storage Domain
by Joshua Adkisson 24 Apr '16

24 Apr '16

I have put the export domain into maintenance, detach from Datacenter 1, and when I try to attach it to Datacenter 2, attached to the same engine, when the Attach to Data Center dialog pops up, it only shows Datacenter 1. What am I missing here? Please be kind, I’m very new to oVirt… Version 3.6 CONFIDENTIALITY NOTICE: This email, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you received this email and are not the intended recipient, please inform the sender by email reply and destroy all copies of the original message.

2 1

Re: [ovirt-users] Unable to add hosts in ovirt-engine 3.6
by Oved Ourfali 23 Apr '16

23 Apr '16

You should be able to add new hosts to 3.5 cluster assuming proper 3.5 repos are used on these hosts. Can you attach complete logs? (engine ones and host deploy). Regards, Oved On Apr 22, 2016 8:45 AM, "Sandvik Agustin" <agustinsandvik(a)gmail.com> wrote: does that mean that i have to downgrade my ovirt-engine from 3.6 to 3.5? Or is there anyway to install host which running CentOS 6.7 O.S on ovirt-engine 3.6? TIA Sandvik On Thu, Apr 21, 2016 at 2:04 PM, Yedidyah Bar David <didi(a)redhat.com> wrote: > On Thu, Apr 21, 2016 at 4:57 AM, Sandvik Agustin > <agustinsandvik(a)gmail.com> wrote: > > Hi, > > > > Thanks for the quick reply, my ovirt-engine is running on CentOS 6.7 and > my > > hypervisor is also CentOS 6.7. > > As I wrote before, el6 hosts are not supported in 3.6. > > Best, > -- > Didi > _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

2 1

ssh -t serial connection on Widows
by Nathanaël Blanchet 22 Apr '16

22 Apr '16

Concerning ovirt-serial connection : ssh -t -p 2222ovirt-vmconsole@engine Waiting for the closed officiel bash implementation on W10, does it exist a way to do the same with putty or other ssh client? As the spice/vnc console, could it be a good idea to get the same on the UI so as to be OS independant? Thank you. -- Nathanaël Blanchet Supervision réseau Pôle Infrastrutures Informatiques 227 avenue Professeur-Jean-Louis-Viala 34193 MONTPELLIER CEDEX 5 Tél. 33 (0)4 67 54 84 55 Fax 33 (0)4 67 54 84 14 blanchet(a)abes.fr

2 5

CentOS Virtualization SIG is not aligned with latest oVirt release
by Stefano Stagnaro 22 Apr '16

22 Apr '16

Hi, today oVirt 3.6.5 has been released and I tried to perform a fresh installation through the CentOS Virtualization SIG: # yum install centos-release-ovirt36 which has installed, for dependencies, also - centos-release-gluster37 - centos-release-virt-common - centos-release-qemu-ev - centos-release-storage-common I immediately noticed that oVirt is still at version 3.6.3 (instead of 3.6.5). This makes it difficult to move to CentOS Virtualization SIG. Besides that, glusterfs is still at version 3.7.8 (instead of 3.7.11). I understand this is a different SIG but oVirt is affected in some way. Thank you, -- Stefano Stagnaro Prisma Telecom Testing S.r.l. Via Petrocchi, 4 20127 Milano – Italy Tel. 02 26113507 int 339 e-mail: stefanos(a)prismatelecomtesting.com skype: stefano.stagnaro

2 2

[hosted-engine] engine failed to start after rebooted
by Wee Sritippho 22 Apr '16

22 Apr '16

Hi, I were upgrading oVirt from 3.6.4.1 to 3.6.5. The engine-vm was running on host02. These are the steps that I've done: 1. Set hosted engine maintenance mode to global 2. Accessed engine-vm and upgraded oVirt to latest version 3. Run 'reboot' in engine-vm 4. After about 10 minutes, the engine-vm still doesn't boot, so I set hosted engine maintenance mode back to none. 5. After another 10 minutes, the engine-vm still doesn't boot, so I restarted host02, host01 then host03 before the engine-vm would be accessible again. I then have to activate host01 and host03 again. Here are the log files from ovirt-hosted-engine-ha folder: - host01: https://gist.github.com/weeix/d73aa8506b296c27110747464ea33312 - host02: https://gist.github.com/weeix/c1b7033f07fb104fdd483cf7ea3a7852 How to correctly restart the engine-vm when we need to? -- Wee

2 3