Disaster recovery failed with direct lun 4.4.10
by jaime luque
Good night
I am configuring the disaster recovery with the following environment:
oVirt 4.4.10
Site A
An external manager
A hypervisor server
Site B
An external manager
A hypervisor server
*Mons are being replicated from one storage to another with the conditions mentioned in the active passive guide.
In the File
disaster_recovery_vars.yml
**** The mapping of the virtual machines is carried out, one of these has direct luns
When I execute the failover the virtual machines are not importing in the secondary site.
If I comment out the mapping of the direct luns, it is possible to import the virtual machines and they remain working correctly.
NOTE: The direct lun that the vm has is without format or partition, since I am in the testing phase.
Can you please give me ideas of what to check?
2 years, 2 months
pass-through CPU
by duparchy@esrf.fr
Hi,
What are the pro and cons of enabling pass-through CPU ?
It is a greyed option for a VM, unless specific host(s) is/are selected.
That's the thing: it's possible to select all hosts..., so it does not make a difference w/ the "Start on any host" option
2 years, 2 months
VM backup issue on oVirt 4.4.7
by Don Dupuis
Hello,
I am having an issue backing up vms using the backup_vm.py example script.
The error I get is below:
[ 0.0 ] Starting full backup for VM 'c656db00-065c-4fd0-b8b9-74a86dc864fc'
Traceback (most recent call last):
  File "/opt/riva-config/backup_vm.py", line 547, in <module>
    main()
  File "/opt/riva-config/backup_vm.py", line 146, in main
    args.command(args)
  File "/opt/riva-config/backup_vm.py", line 160, in cmd_full
    backup = start_backup(connection, args)
  File "/opt/riva-config/backup_vm.py", line 348, in start_backup
    description=args.description
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/services.py", line 34151, in add
    return self._internal_add(backup, headers, query, wait)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 232, in _internal_add
    return future.wait() if wait else future
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 55, in wait
    return self._code(response)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 229, in callback
    self._check_fault(response)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 132, in _check_fault
    self._raise_error(response, body)
  File "/usr/lib64/python3.6/site-packages/ovirtsdk4/service.py", line 118, in _raise_error
    raise error
ovirtsdk4.Error: Fault reason is "Operation Failed". Fault detail is "[Cannot backup VM. Host (vsh001) is running on a version lower than 4.4.5. Please upgrade the host in order to use incremental backup.]". HTTP response code is 409.
The strange thing is that I am running oVirt 4.4.7. What component is it
complaining about that is not up to version needed? Any help on this would
be appreciated. oVirt rpm is ovirt-host-4.4.7-1.el8.x86_64. I plan on
upgrading to version 4.4.10 but want to get this fixed first. I also can't
go to 4.5.x because I have problems with Windows 10 vms and vGPUs.
Thanks
Don
2 years, 2 months
Hosted-Engine Down VDSM Cert Expired
by jarredm@ecboces.org
Hey all,
I'm looking to get a bit of guidance here. As the subject suggests, we have a hosted-engine oVirt cluster. I ran into an issue trying to log in to the web interface. I was seeing errors about certificate expiration, although I didn't know what cert it was referring to at the time. I ssh'd to the hosted-engine and restarted it. However, once it shut down, it was unable to start again.
What I've discovered so far is that the hosted-engine is currently residing on node 33 (storage is on a gluster volume) and the vdsm certificate for that node has expired. There are three nodes in total, and two of them have expired certs. However, one of them has a valid cert still. I'm able to run vdsm-client commands on that node. Although I haven't done anything with that yet other than to verify that I'm able to do some of the Host get* commands successfully. I'm wondering if it is possible to "pull" the hosted-engine onto this host and fire it back up there.
Thanks in advance for your help!
I'm gathering log info etc as described and it will be available here: https://drive.google.com/drive/folders/1cBPrN8SuIR-dgnpRKe1eKXRZZTPPshyJ?...
Version info:
Installed Packages
centos-release-gluster8.noarch 1.0-1.el8 @extras
centos-release-storage-common.noarch 2-2.el8 @extras
glusterfs.x86_64 8.6-2.el8 @centos-gluster8
ovirt-release44.noarch 4.4.8.3-1.el8 @@commandline
vdsm.x86_64 4.40.80.6-1.el8 @ovirt-4.4
2 years, 2 months
Re: Cannot prepare internal mirrorlist
by ahmad.hidayat@singtel.com
Good day Nathan!
Firstly, it's polite for me to thank the moderators for approving my post.
Thank you for guiding me on this. I have configured the /etc/environment and /etc/yum.conf with the proxy configurations then curl the mirrorlist site and it was successful.
Our KVM is behind a firewall, do we need to allow the traffic for a specific range of IP addresses for this?
Regards,
Hidayat
2 years, 2 months
ovirtsdk4 python - global maintenance
by yevhen.kyrylchenko@gmail.com
Hi!
I know how to set global maintenance mode using python SDK, something like
vms_service.vm_service(vm.id).maintenance(maintenance_enabled=True)
on HostedEngine.
But now I try to find if global maintenance is enabled.
And I'm going to give up - I can't find how to do it in documentation...
Is there a way to get this info?
Regards!
2 years, 3 months
remote-viewer, vnc console, error certificate's owner does not match hostname
by Jiří Sléžka
Hello,
I have recently enrolled new certificates on all hosts in our RHV
(4.5.3.5-1.el8ev) cluster but now I cannot connect to VNC or SPICE+VNC
console via remote-viewer (virt-viewer-11.0-2.fc36.x86_64) because of error
The certificate's owner does not match hostname '10.224.102.72'
10.224.102.72 is host's ip address
Connection through spice protocol works fine
.vv file looks like
[virt-viewer]
type=vnc
host=10.224.102.72
port=5910
password=*******
# Password is valid for 120 seconds.
delete-this-file=1
fullscreen=0
title=srv.example.com:%d
toggle-fullscreen=shift+f11
release-cursor=shift+f12
secure-attention=ctrl+alt+end
versions=rhev-win64:2.0-160;rhev-win32:2.0-160;rhel8:7.0-3;rhel7:2.0-6;rhel6:99.0-1
newer-version-url=https://rhv.example.com/ovirt-engine/rhv/client-resources
[ovirt]
host=rhv.example.com:443
vm-guid=d9f1e9f8-1111-2222-3333-1c1db6704f21
sso-token=K9r1tHadO7H8oB........JMCSwtcwyD0syaENFA
admin=1
I also tried to copy oVirt's CA cert to ~/.pki/CA/cacert.pem as
mentioned in https://access.redhat.com/solutions/6217601 but error persists.
Debug log looks like
remote-viewer --debug Downloads/console.vv --gtk-vnc-debug
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.160: ../src/vncdisplay.c Connected to VNC server
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.160: ../src/vncconnection.c Protocol initialization
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.160: ../src/vncconnection.c Schedule greeting timeout 0x5621f9d53478
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.161: ../src/vncconnection.c Remove timeout 0x5621f9d53478
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.161: ../src/vncconnection.c Server version: 3.8
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.161: ../src/vncconnection.c Sending full greeting
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.161: ../src/vncconnection.c Using version: 3.8
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.190: ../src/vncconnection.c Possible auth 19
(remote-viewer:2445675): virt-viewer-DEBUG: 14:36:54.191: Allocated 1024x768
(remote-viewer:2445675): virt-viewer-DEBUG: 14:36:54.191: Child allocate 1024x768
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Emit main context 14
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Thinking about auth type 19
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Decided on auth type 19
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Waiting for auth type
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Choose auth 19
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.192: ../src/vncconnection.c No credentials required
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Possible VeNCrypt sub-auth 261
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Emit main context 15
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Requested auth subtype 261
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Waiting for VeNCrypt auth subtype
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Choose auth subtype 261
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c No credentials required
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.194: ../src/vncconnection.c Do TLS handshake
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Checking if credentials are needed
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Want a TLS clientname
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Requesting missing credentials
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Emit main context 13
(remote-viewer:2445675): virt-viewer-DEBUG: 14:36:54.195: Got VNC credential request for 1 credential(s)
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Set credential 2 libvirt
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Searching for certs in /etc/pki
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Searching for certs in /home/user/.pki
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Failed to find certificate CA/cacrl.pem
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Failed to find certificate libvirt/private/clientkey.pem
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Failed to find certificate libvirt/clientcert.pem
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Waiting for missing credentials
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Got all credentials
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c No client cert or key provided
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c No CA revocation list provided
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.195: ../src/vncconnection.c Handshake was blocking
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.197: ../src/vncconnection.c Handshake was blocking
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.199: ../src/vncconnection.c Handshake was blocking
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Handshake was blocking
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Handshake done
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Validating
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Certificate is valid.
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Checking chain 0
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Error: The certificate's owner does not match hostname '10.224.102.72'
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Emit main context 19
(remote-viewer:2445675): virt-viewer-WARNING **: 14:36:54.200: vnc-session: got vnc error The certificate's owner does not match hostname '10.224.102.72'
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncdisplay.c VNC server error
(remote-viewer:2445675): gtk-vnc-DEBUG: 14:36:54.200: ../src/vncconnection.c Auth failed
Also noVNC client throws "Something went wrong, connection is closed"
Certificate on one of hosts looks like
[root@rhev01 ~]# openssl x509 -in /etc/pki/vdsm/libvirt-vnc/server-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 165 (0xa5)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = SU Opava, CN = CA-rhv.example.com.51627
        Validity
            Not Before: Jan 11 12:06:21 2023 GMT
            Not After : Jan 13 12:06:21 2028 GMT
        Subject: O = SU Opava, CN = rhev01.net.slu.cz
        ...
            X509v3 Subject Alternative Name:
                DNS:rhev01.net.slu.cz
Yes, certificate has dns name of host inside, .vv file uses an ip
address. Is it a bug? Can I disable hostname checking in remote-viewer
somehow?
Thanks in advance,
Jiri
2 years, 3 months
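The mismatch reported in the post above, as an added example (not part of the original message and not virt-viewer or gtk-vnc code): it reads the `host` from a `.vv` file and compares it with the SAN entries printed by `openssl x509 -text`, using the usual TLS rule that an IP literal is matched only against `IP Address` SAN entries and never against DNS names. The function names and the trimmed sample inputs are constructed for illustration.

```python
import configparser
import ipaddress
import re

# Constructed inputs, trimmed from the .vv file and certificate quoted in the post.
VV_TEXT = """[virt-viewer]
type=vnc
host=10.224.102.72
port=5910
# Password is valid for 120 seconds.
title=srv.example.com:%d
"""
CERT_TEXT = """            X509v3 Subject Alternative Name:
                DNS:rhev01.net.slu.cz
"""

def vv_host(vv_text):
    # interpolation=None: values such as "title=...:%d" contain a bare '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(vv_text)
    return cp["virt-viewer"]["host"]

def san_entries(cert_text):
    """Return (dns_names, ip_addresses) parsed from `openssl x509 -text` output."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    dns, ips = [], []
    for item in (m.group(1).split(",") if m else []):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def dns_match(pattern, host):
    # A wildcard is honoured only as the entire left-most label.
    p, h = pattern.split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check(vv_text, cert_text):
    """Return (host, kind, matches) for the console target versus the certificate."""
    host = vv_host(vv_text)
    dns, ips = san_entries(cert_text)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host, "dns", any(dns_match(d, host) for d in dns)
    return host, "ip", addr in ips
```

With the constructed inputs, `check(VV_TEXT, CERT_TEXT)` reports an IP target with no matching SAN entry, which is the condition the debug log shows as "The certificate's owner does not match hostname".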
Updating the DNS configuration for the Hosted Engine
by nathan.english@bt.com
Hi All,
I've had a look through the documentation and not been able to find any up to date information on how to do this.
We've now built a permanent DNS solution and need to update the Hosted Engine DNS server details. Luckily, I have managed to update the hosts configuration using the Data Center Settings so it's just the Hosted Engine to complete.
Any advice on where I should update? I didn't want to update the if config file, as I assumed it's controlled by ansible somewhere!
Kind Regards,
Nathan
2 years, 3 months
Cannot prepare internal mirrorlist
by ahmad.hidayat@singtel.com
Hi Everyone,
I am new here and hoping to get some advice on the issue that I'm encountering.
I am setting up ovirt self hosting engine 4.5.4 and require a proxy to access the internet.
Below is the issue I encountered:
[localhost -> 192.168.222.66]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'centos-ceph-pacific': Cannot prepare internal mirrorlist: Curl error (6): Couldn't resolve host name for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-c... [Could not resolve host: mirrorlist.centos.org]", "rc": 1, "results": []}
Hoping to gain some information to solve it.
Thank you in advance!
2 years, 3 months
Ovirt 4.4.10 AD Integration Error
by hemak88@gmail.com
I am doing AD integration of the oVirt 4.4 manager. The insecure method with the plain text password saved in /etc/ovirt-engine/aaa/uat.xxxx.com.properties works fine. I am using the ovirt-engine-extension-aaa-ldap-setup utility.
However, this is a hard-coding method and an insecure way. Hence I wanted to use starttls with a PEM encoded certificate file. I obtained a root and intermediate CA from the AD server and used them with starttls.
I used below inputs for configuring AD auth with tool "ovirt-engine-extension-aaa-ldap-setup"
Available LDAP implementations:
3 - Active Directory
Please select: 3
Please enter Active Directory Forest name: uat.xxxx.com
Please select protocol to use (startTLS, ldaps, plain) [startTLS]: startTLS
Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): file
File path: /tmp/rootca.pem
Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): myself(a)uat.xxxx.com
Enter search user password:
Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
Please specify profile name that will be visible to users [uat.xxxx.com]:
Please provide credentials to test login flow:
Enter user name: myself(a)uat.xxxx.com
Enter user password:
But I am facing an error. What could be the resolution?
WARNING: Error while connecting to 'adserver.uat.xxxx.com': LDAPException(resultCode=82 (local error), errorMessage='The connection reader was unable to successfully complete TLS negotiation: SSLHandshakeException(No trusted certificate found), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')
I did verify the root and intermediate certificate:
# openssl verify -verbose -CAfile uatrootca.pem uatca.pem
uatca.pem: OK
1. What could be the reason for "No trusted certificate found" error?
2. Will this method also save the username and password of the AD user as plain text in the file /etc/ovirt-engine/aaa/uat.xxxx.com.properties?
2 years, 3 months