Info about openstack staging-ovirt driver connection not released
by Gianluca Cecchi
Hello,
I'm setting up an Openstack Queens lab ( to best match OSP 13) using oVirt
VMs as nodes.
At this time only undercloud configured and 8 Openstack nodes (VMs) set as
available for provisioning.
I'm using staging-ovirt driver on director node in similar way as the vbmc
one.
I see from oVirt active user sessions page that every minute I have one
connection for node (in my case 8) of the designated user (in my case
ostackpm).
But it seems they are never released.
How can I check the problem?
Director is CentOS 7 server and the staging-ovirt driver is provided by the
package:
[root@director ~]# rpm -q python-ovirt-engine-sdk4
python-ovirt-engine-sdk4-4.3.2-2.el7.x86_64
[root@director ~]#
I didn't configure the oVirt repo but only installed the latest stable
available for 4.3.9:
wget
https://resources.ovirt.org/pub/ovirt-4.3/rpm/el7/x86_64/python-ovirt-eng...
sudo yum localinstall python-ovirt-engine-sdk4-4.3.2-2.el7.x86_64.rpm
Anyone with experience on this?
In the mean time any way to use a command using api to kill the stale (I
think) sessions?
Thanks,
Gianluca
4 years, 7 months
Virtual machine replica - DR
by ccesario@blueit.com.br
Hello,
Does someone know any tool/method to replicate the VMS from a "Production" Cluster to "Secondary" Cluster, to provide a DR solution without Storage replication dependency or Gluster Storage.
Like Veeam, Zerto toosl do with other hypervisors.
Is there anyway, tool, product to do it!?
Regards
Carlos
4 years, 7 months
Custom ignition in cloud-init?
by Wesley Stewart
Before anyone tells me this is now included in 4.4.0, I saw this, but I
don't think I'm willing to update my centos7 host to centos8 yet. (But
perhaps that will be the answer). Currently on 4.3.9/Centos 7
I am trying to run fedora core is to test it out, and the ISO installer
hangs on:
"failed to isolate default target freezing"
So I tried the QCOW2 image, but I'm looking at ways of running the ignition
file. I see in the "run once" section i can deploy a custom unit script,
and I was wondering is this filetype agnostic? If I generate a JSON
ignition script and put it in there will it get passed through correctly ?
Or will I need to update to 4.4.0?
I also found:
https://gerrit.ovirt.org/#/c/100008/
This was abondoned for a "better solution" last September. Was this
referring to the changes in 4.4.0?
Lastly has anyone who was running 4.3.9 upgrade their centos host to
centos8 and then upgrade ovirt without any issues? I usually try and wait
at least a couple of minor version changes before switching to a new major
version.
Thanks guys!
4 years, 7 months
Ovirt vs lvm?
by csabany@freemail.hu
Hi,
Our production ovirt system looks like: standalone management server, vesion 4.3.9, 6 clusters, 28 nodes (v4.2, v4.3) , one storage domain, (FC SAN Storages), centos7 vm-s , and some windows vms.
I have a returning problem. Sometime when i power off a vm and power on again , i get an error message our linux vm (when we use lvm of course): dracut: Read-only locking type set. Write locks are prohibited., dracut: Can't get lock for vg.
I can repair only 70% of damaged vm.
I tried to localize the problem, but a can`t. The error occured randomly every cluster, every storage on last 2 years.
Has anyone ever encountered such a problem?
4 years, 7 months
How to force removal of old host from Engine
by Shareef Jalloq
Hi,
I seem to have got a stale host in my engine that I can't remove. I
recently reinstalled oVirt Node on this host and while trying to refresh
the host in the engine, have got it in some state where I can't do anything.
The host is listed as Status=Unassigned. Under the Management pull down I
only have Restart and Stop options, both of which error if selected. The
Remove button is not available.
How do I force a removal of this host from the view so I can reload it?
Shareef.
4 years, 7 months
Move Hosted Engine VM to a different storage domain
by Anton Louw
Hi All,
I know this question has been asked before, by myself included. I was hoping that someone has run through the exercise of moving the hosted engine VM to a different storage domain. I have tried many routes, but the backup and restore does not work for me.
Is there anybody that can perhaps give me some guidelines or a process I can follow?
The reason I need to move the HE VM is because we are decommissioning the current storage array where the HE VM is located.
Thank you very much
Anton Louw
Cloud Engineer: Storage and Virtualization
______________________________________
D: 087 805 1572 | M: N/A
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
anton.louw(a)voxtelecom.co.za
www.vox.co.za
4 years, 7 months
VM disk I/O
by ozmen62@hotmail.com
On oVirt 4.3. i installed w10_64 with q35 cpu.
i've used vm optimizer for better performans for end-users. it seams good.
But i need more performance guidelines.
Ex.
Our system has FC storage, is tere any options for better read/write performans, Hugepage, write through
Like this, if you have any suggestions, could you share
Thanks
4 years, 7 months
Re: Safely disable firewalld [Ovirt 4.3]
by Strahil Nikolov
On April 22, 2020 10:45:49 PM GMT+03:00, Edson Richter <edsonrichter(a)hotmail.com> wrote:
>De: Strahil Nikolov <hunter86_bg(a)yahoo.com>
>Enviado: quarta-feira, 22 de abril de 2020 15:45
>Para: users(a)ovirt.org <users(a)ovirt.org>; Edson Richter
><edsonrichter(a)hotmail.com>; eevans(a)digitaldatatechs.com
><eevans(a)digitaldatatechs.com>; francesco(a)shellrent.com
><francesco(a)shellrent.com>
>Assunto: Re: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter
><edsonrichter(a)hotmail.com> wrote:
>>I'm in no way a ovirt expert. But as Linux administrator, I would say
>>that firewalld and iptables are "front-end" to kernel internal
>security
>>tables, so, in the final of the day, will provide *almost* same
>>functionality.
>>
>>Seems that firewalld is able to activate modules without restarting
>>entire firewall infra-structure, which iptables is not capable of.
>This
>>leverage an advantage for firewalld, specially where you would not
>have
>>interruptions in existing stateful connections.
>>
>>I've used iptables *always* as replacement for firewalld because of
>>almost 20 yrs using iptables - this is the first step in all about
>>hundred Centos7 installations I've done past few years. I just can't
>>throw away all my scripts that block hackers, provide 2 and 3 way
>>"knock-knock" lockers, fail2ban customizations, nat rules, DMZ, and
>>all, everytime a new "firewall" front end appears. I've seen at least
>>two or three "iptables killers tech" in the past, and iptables still
>is
>>the king - at least for me.
>>
>>Again, repeating myself, I'm no ovirt specialist. Just a sazonal linux
>>admin which will not jump from iptables train yet.
>>
>>Perhaps, I would not reccomend to completely deactivate all firewall
>in
>>any server! If it is the case, I would instead to advice to just
>>replace firewalld with iptables-service (at least, in Centos7) - but
>>only in case you have too much to loose without iptables (as am I).
>>
>>Regards,
>>
>>Edson
>>
>>
>>________________________________
>>De: eevans(a)digitaldatatechs.com <eevans(a)digitaldatatechs.com>
>>Enviado: quarta-feira, 22 de abril de 2020 12:18
>>Para: francesco(a)shellrent.com <francesco(a)shellrent.com>;
>>users(a)ovirt.org <users(a)ovirt.org>
>>Assunto: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>>
>>If you log in to the cockpit, you can add services or custom ports
>>easily. I would not disable the firewall.
>><hostname:9090> for the cockpit.
>>
>>Eric Evans
>>Digital Data Services LLC.
>>304.660.9080
>>
>>
>>-----Original Message-----
>>From: francesco(a)shellrent.com <francesco(a)shellrent.com>
>>Sent: Tuesday, April 21, 2020 12:54 PM
>>To: users(a)ovirt.org
>>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>>
>>Hi all,
>>
>>I was wondering if it's "safe" disabling entirely the firewalld
>service
>>and manage the firewall only via iptables, on the host and on the
>>hosted engine (a self-hosted engine). It would make a lot easier the
>>managing the firewall rules for me because of many automatisms I
>>created based on iptables. Did anyone manage to do this? Any
>>contraindication for doing this or precaution that I have to take care
>>of?
>>
>>Thanks for your time and help,
>>Francesco
>>_______________________________________________
>>Users mailing list -- users(a)ovirt.org
>>To unsubscribe send an email to users-leave(a)ovirt.org Privacy
>>Statement:
>>https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
>>oVirt Code of Conduct:
>>https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
>>List Archives:
>>https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.o...
>>_______________________________________________
>>Users mailing list -- users(a)ovirt.org
>>To unsubscribe send an email to users-leave(a)ovirt.org
>>Privacy Statement:
>>https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
>>oVirt Code of Conduct:
>>https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
>>List Archives:
>>https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.o...
>
>Keep in mind that I had some issues with oVirt (was more than a year
>ago - so don't ask for details) when either firewalld or SELINUX were
>down.
>
>With so much experience in IPTABLES - it's understandable, but keep in
>mind that in CentOS/RHEL 8 iptables command is just a translator to
>nftables - with limited capability and I don't think that it was a
>coincidence . With firewalld you can still achive 90-95% of what you
>could do in IPTABLES while the rules are quite clear even for a new
>admin.
>
>What I really like is that you can predefine the ports and protos for
>a specific service and easily deploy it via salt or ansible.
>
>Best Regards,
>Strahil Nikolov
>
>
>Good to know!
>When I have time to return to my oVirt tests, I"ll take a careull look
>at it.
>I'll also add a note into our Centos 8 migration plans that all
>iptables scripts will have to be rewriten.
>
>Thanks,
>
>Edson Richter
As you are not the only one with zillions of iptables rules - check the CentOS mailing list.
Maybe they got a way to keep you on iptables.
Best Regards,
Sttrahil Nikolov
4 years, 7 months
Re: oVirt and KeyCloak intergration
by Artur Socha
On Wed, 2020-04-22 at 12:28 +0000, Anton Louw wrote:
>
>
>
> Hi Artur,
>
>
>
> You are a champion! I can access oVirt now. Thank you so much.
>
You're welcome!I am happy it worked because I had no more ideas what to check
next :)
> One last question, can I create additional groups in ie. Read Only, etc? And
> then will this be done in KeyCloak or in the oVIrt UI?
This ovirt-administrator group is only for accessing(authentication & sso) ovirt
engine admin panel and, as far as I understand it, it does restrict access
to particular engine's admin functions. I think that proper authorization is
done only at the engine's UI level. See 'User Authorization' under
https://ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html
>
>
> Thank you
>
>
>
>
>
> Anton Louw
>
>
> Cloud Engineer: Storage and Virtualization at Vox
>
>
>
>
>
>
> T: 087 805 0000 | D: 087 805 1572
> M: N/A
>
> E: anton.louw(a)voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
>
> www.vox.co.za
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> From: Artur Socha <asocha(a)redhat.com>
>
>
> Sent: 22 April 2020 13:21
>
> To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
>
> Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
>
>
> On Wed, 2020-04-22 at 13:09 +0200, Artur Socha wrote:
>
> > On Wed, 2020-04-22 at 10:42 +0000, Anton Louw wrote:
>
> > >
>
> > > Ok so this is definitely looking better. I get an error, but at least now
> it
>
> > > is saying : “The user admin@openidchttp is not authorized to perform
> login”
>
> > >
>
> > > This is strange though, because admin in by default should be allowed
>
> > > access?
>
> >
>
> > Well, yes and no :)
>
> >
>
> > In order for user to be considered admin (for ovirt engine) it must belong
> to
>
> > keycloak's ovirt-administrator group (in keycloak admin panel see Manage-
>
> > > Groups->Members)
>
>
>
> Small clarification:
>
>
>
> In keycloak admin panel see Manage-> Groups-> 'ovirt-administrator' -> Members
>
>
>
> Note that the group must have the exact name: ovirt-administrator
>
>
>
>
>
> >
>
> > I think you are very close to have it up-and-running.
>
> >
>
> >
>
> > >
>
> > > From: Anton Louw
>
> > > Sent: 22 April 2020 12:38
>
> > > To: Artur Socha <asocha(a)redhat.com>;
> users(a)ovirt.org
>
> > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>
> > >
>
> > > Perfect, I’ll test and let you know.
>
> > >
>
> > > Thanks
>
> > >
>
> > > From: Artur Socha <asocha(a)redhat.com>
>
> > > Sent: 22 April 2020 12:32
>
> > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>;
> users(a)ovirt.org
>
> > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> > >
>
> > > + users(a)ovirt.org
>
> > >
>
> > > On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
>
> > > >
>
> > > >
>
> > > > Hi Artur,
>
> > > >
>
> > > > I would just like to make sure I am following correctly, comparing your
>
> > > > entries against mine.
>
> > > >
>
> > > > Your setup:
>
> > > > ...
>
> > > > config.mapAuthRecord.regex.pattern =
>
> > > > ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
>
> > > > ...
>
> > > >
>
> > > >
>
> > > > My setup:
>
> > > > …
>
> > > > config.mapAuthRecord.regex.pattern =
>
> > > > ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
>
> > > > …
>
> > > >
>
> > > > Should I add the additional 2 “\\” in on my side?
>
> > >
>
> > >
>
> > > Yes, please try adding it. In my case I learned about this issue by
>
> > > debugging
>
> > > the code because the real exception generated by incorrect regexp syntax
> was
>
> > > hidden behind generic error message giving no clues about the true cause.
>
> > >
>
> > > >
>
> > > > Your setup:
>
> > > > ...
>
> > > > <LocationMatch ^/ovirt-engine/sso/(interactive-login-
>
> > > > negotiate|oauth/token-
>
> > > > http-auth)|^/ovirt-engine/callback>
>
> > > > <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>
> > > >
>
> > > > Require valid-user
>
> > > > AuthType openid-connect
>
> > > >
>
> > > > ErrorDocument 401 "<html><meta http-equiv=\"refresh\"content=\"0;
>
> > > > url=/ovirt-engine/sso/login-unauthorized\"/><body><ahref=\"/ovirt-
>
> > > > engine/sso/login-unauthorized\">Here</a></body></html>"
>
> > > > </If>
>
> > > > </LocationMatch>
>
> > > > …
>
> > > >
>
> > > > My setup:
>
> > > > …
>
> > > > <LocationMatch ^/ovirt-engine/sso/(interactive-login-
>
> > > > negotiate|oauth/token-
>
> > > > http-auth)|^/ovirt-engine/callback>
>
> > > > <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>
> > > >
>
> > > > Require valid-user
>
> > > > AuthType openid-connect
>
> > > >
>
> > > > ErrorDocument 401 "<html><meta http-equiv='refresh' content='0;
>
> > > > url=/ovirt-engine/sso/login-unauthorized'/><body><a href='/ovirt-
>
> > > > engine/sso/login-unauthorized'>Here</a></body></html>"
>
> > > > </If>
>
> > > > </LocationMatch>
>
> > > > …
>
> > > >
>
> > > > I remember I had syntax errors, but mine was changed.
>
> > > >
>
> > > > Does this look fine to you?
>
> > >
>
> > >
>
> > > Yeah, your version looks good too. You have ' instead of " so that is ok.
>
> > >
>
> > >
>
> > > Anton Louw
>
> > > Cloud Engineer: Storage and Virtualization at Vox
>
> > > T: 087 805 0000 | D: 087 805 1572
>
> > > M: N/A
>
> > > E: anton.louw(a)voxtelecom.co.za
>
> > > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
>
> > >
> www.vox.co.za
>
> > >
>
> > >
>
> > >
>
> > >
>
> > >
>
> > >
>
> > >
>
> > >
>
> > >
>
> > >
>
> > >
>
> > >
>
> > > > Thanks
>
> > > >
>
> > > >
>
> > > >
>
> > > > Anton Louw
>
> > > > Cloud Engineer: Storage and Virtualization at Vox
>
> > > > T: 087 805 0000 | D: 087 805 1572
>
> > > > M: N/A
>
> > > > E: anton.louw(a)voxtelecom.co.za
>
> > > > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
>
> > > >
> www.vox.co.za
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > >
>
> > > > From: Anton Louw
>
> > > > Sent: 22 April 2020 10:07
>
> > > > To: Artur Socha <asocha(a)redhat.com>
>
> > > > Subject: RE: [ovirt-users] oVirt and KeyCloak intergration
>
> > > >
>
> > > > Hi Artur,
>
> > > >
>
> > > > Great, I will try the below and let you know. I appreciate your efforts.
>
> > > >
>
> > > > Sure, you may report it, I was in such a rush that I only hit “reply”
> and
>
> > > > not “Reply All”
>
> > > >
>
> > > > I do recall that I had to make some changes to the below as the it
>
> > > > complained about syntax errors:
>
> > > >
>
> > > > ErrorDocument 401 "<html><meta http-equiv=\"refresh\"
>
> > > > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a
>
> > > > href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>
> > > > </If>
>
> > > > </LocationMatch>
>
> > > >
>
> > > > I will let you know the outcome when I change the below as you
> suggested.
>
> > > >
>
> > > > Cheers
>
> > > >
>
> > > > From: Artur Socha <asocha(a)redhat.com>
>
>
> > > > Sent: 22 April 2020 09:51
>
> > > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>
>
> > > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> > > >
>
> > > > I checked your logs and I did not notice anything suspicious.
>
> > > > However, now I recall I made some changes compared to blog post
>
> > > > example:
>
> > > >
>
> > > > 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
>
> > > > I added escaping in regexp for '\'
>
> > > > ...
>
> > > > config.mapAuthRecord.regex.pattern =
>
> > > > ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
>
> > > > ...
>
> > > >
>
> > > > 2) /etc/httpd/ovirt-openidc.conf
>
> > > > Escaping for '"' in error document snippet
>
> > > > ...
>
> > > > <LocationMatch ^/ovirt-engine/sso/(interactive-login-
>
> > > > negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
>
> > > > <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>
> > > >
>
> > > > Require valid-user
>
> > > > AuthType openid-connect
>
> > > >
>
> > > > ErrorDocument 401 "<html><meta http-equiv=\"refresh\"
>
> > > > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a
>
> > > > href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>
> > > > </If>
>
> > > > </LocationMatch>
>
> > > >
>
> > > > ...
>
> > > >
>
> > > > These two issues were most probably caused by the blog site rendering.
>
> > > >
>
> > > >
>
> > > > You might want to check engine.log (or server.log not really sure which
>
> > > > one was that) for aaa extension initialization logs. They should
>
> > > > appear at the beginning just after restarting engine.
>
> > > >
>
> > > > Unfortunately, at the moment I do not have running keycloak setup (I
>
> > > > used to have a local VM) but I will try to find some time to set it up
>
> > > > again once I'm done with another work item that actually consumes
>
> > > > almost entire disk space for my 2 machines)
>
> > > >
>
> > > > Please let me know if anything changes after applying these config
>
> > > > changes. It this works for you then I will request the blog post to be
>
> > > > updated.
>
> > > >
>
> > > > Do you mind if I keep(re-post) this discussion back to users@ovirt in
>
> > > > case other might have similar issues with keycloak integration?
>
> > > >
>
> > > > A.
>
> > > >
>
> > > > On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
>
> > > > >
>
> > > > > Hi Artru,
>
> > > > >
>
> > > > > Thank you for the reply. The post [1] is actually the main source of
>
> > > > > information I worked from in order top get everything configured. In
>
> > > > > the post[1] I ran through the whole testing section, and everything
>
> > > > > works as expected. I can see the VMs etc when using the python
>
> > > > > script.
>
> > > > >
>
> > > > > In my case we are not using ldap as a provider, I tried using
>
> > > > > keycloak directly as a provider, I am not sure if that is where I am
>
> > > > > going wrong?
>
> > > > >
>
> > > > > I have attached the last part of the apache ssl_access_log when I
>
> > > > > tried logging in this morning. I have also attached the engine log.
>
> > > > >
>
> > > > > Thanks
>
> > > > >
>
> > > > >
>
> > > > > Anton Louw
>
> > > > > Cloud Engineer: Storage and Virtualization at Vox
>
> > > > > T: 087 805 0000 | D: 087 805 1572
>
> > > > > M: N/A
>
> > > > > E: anton.louw(a)voxtelecom.co.za
>
> > > > > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
>
> > > > >
> www.vox.co.za
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > > From: Artru Socha <asocha(a)redhat.com>
>
>
> > > > > Sent: 21 April 2020 15:20
>
> > > > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>;
> users(a)ovirt.org
>
> > > > > Subject: Re: [ovirt-users] oVirt and KeyCloak intergration
>
> > > > >
>
> > > > > On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
>
> > > > > >
>
> > > > > > Hi Everybody,
>
> > > > > >
>
> > > > > >
>
> > > > > Hi Anton,
>
> > > > >
>
> > > > > > Has anybody gone the route of using KeyCloak to login to oVirt?
>
> > > > > > KeyCloak has been configured and the neccesary configs have also
>
> > > > > been
>
> > > > > > done on the engine. It redirects perfectly from the oVirt Web Login
>
> > > > > > page to KeyCloak, but after logging into KeyCloak, I get redirected
>
> > > > > > back to the oVirt Web Login. When trying to login again, I get the
>
> > > > > > below error:
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > > server_error: Missing parameter: 'params'
>
> > > > > >
>
> > > > >
>
> > > > > Not so long ago I managed to setup ovirt engine with keyloack (using
>
> > > > > ldap as users provider). Hopefully, I would be able to help you with
>
> > > > > it.
>
> > > > >
>
> > > > > There is excellent blog post[1] available. You might also check
>
> > > > > keycloak+ldap post [2], however, when I was working on the
>
> > > > > integration
>
> > > > > I was not aware of if and did not test it.
>
> > > > >
>
> > > > > The error you mentioned does not really indicate what exactly is
>
> > > > > wrong
>
> > > > > but it might suggest that there is some sort of misconfiguration with
>
> > > > > apache (you need to install and configure mod_auth_openidc as
>
> > > > > described
>
> > > > > at [1]). At least that happened in my case.
>
> > > > >
>
> > > > > In case you have already gone through it you could probably check
>
> > > > > apache logs.
>
> > > > >
>
> > > > > Under [1] there is a python script that can be used to check api
>
> > > > > calls,
>
> > > > > please update username/password and test it against your environment.
>
> > > > >
>
> > > > >
>
> > > > > Would it be possible post relevant piece of apache logs together with
>
> > > > > engine.log ?
>
> > > > >
>
> > > > >
>
> > > > > [1]
>
> > > > >
>
> > > >
> https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o...
>
> > > > > [2]
>
> > > > >
>
> > > >
> https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-...
>
> > > > > Artur
>
> > > > >
>
> > > > >
>
> > > > >
>
> > > > > > I have checked all the logs, but nothing is telling me what exactly
>
> > > > > > the issue is.
>
> > > > > >
>
> > > > > > If anybody has any idea, please let me know.
>
> > > > > >
>
> > > > > > Thanks
>
> > > > > >
>
> > > > > > Anton Louw
>
> > > > > > Cloud Engineer: Storage and Virtualization at Vox
>
> > > > > > T: 087 805 0000 | D: 087 805 1572
>
> > > > > > M: N/A
>
> > > > > > E: anton.louw(a)voxtelecom.co.za
>
> > > > > > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
>
> > > > > >
> www.vox.co.za
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > >
>
> > > > > > Disclaimer
>
> > > > > > The contents of this email are confidential to the sender and the
>
> > > > > > intended recipient. Unless the contents are clearly and entirely of
>
> > > > > a
>
> > > > > > personal nature, they are subject to copyright in favour of the
>
> > > > > > holding company of the Vox group of companies. Any recipient who
>
> > > > > > receives this email in error should immediately report the error to
>
> > > > > > the sender and permanently delete this email from all storage
>
> > > > > > devices.
>
> > > > > >
>
> > > > > > This email has been scanned for viruses and malware, and may have
>
> > > > > > been automatically archived by Mimecast Ltd, an innovator in
>
> > > > > Software
>
> > > > > > as a Service (SaaS) for business. Providing a safer and more useful
>
> > > > > > place for your human generated data. Specializing in; Security,
>
> > > > > > archiving and compliance. To find out more Click Here.
>
> > > > > >
>
> > > > > >
>
> > > > > > _______________________________________________
>
> > > > > > Users mailing list -- users(a)ovirt.org
>
> > > > > > To unsubscribe send an email to
> users-leave(a)ovirt.org
>
> > > > > > Privacy Statement:
> https://www.ovirt.org/privacy-policy.html
>
> > > > > > oVirt Code of Conduct:
>
> > > > > >
> https://www.ovirt.org/community/about/community-guidelines/
>
> > > > > > List Archives:
>
> > > > > >
>
> > > >
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/S4I2I3MID4A...
>
> > > >
>
>
>
>
>
>
>
>
>
>
4 years, 7 months
