Error when deploy Ovirt4.4 Hosted Engine
by staybox@gmail.com
Hello, I get an error and need help.
[ ERROR ] fatal: [localhost]: FAILED! => {"msg": "The conditional check 'not ipv6_deployment|bool and route_rules_ipv4.stdout | from_json | selectattr('priority', 'equalto', 100) | selectattr('dst', 'equalto', virbr_cidr_ipv4 | ipaddr('address') ) | list | length == 0' failed. The error was: error while evaluating conditional (not ipv6_deployment|bool and route_rules_ipv4.stdout | from_json | selectattr('priority', 'equalto', 100) | selectattr('dst', 'equalto', virbr_cidr_ipv4 | ipaddr('address') ) | list | length == 0): 'dict object' has no attribute 'dst'\n\nThe error appears to be in '/usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/bootstrap_local_vm/01_prepare_routing_rules.yml': line 81, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n changed_when: true\n - name: Add IPv4 inbound route rules\n ^ here\n"}
4 weeks
How to list all snapshots?
by jorgevisentini@gmail.com
Hello everyone!
First, I would like to thank everyone involved in this wonderful project. I leave here my sincere thanks!
Does anyone know if it is possible to list all snapshots automatically? It can be by ansible, python, shell... any way that helps to list them all without having to enter Domain by Domain.
Thank you all!
1 month
VM hangs when expanding direct LUN
by John Mortensen
Hi,
We have multiple oVirt clusters (based on CentOS 9 Stream) with several nodes (based on the 4.5 el9 node image) in each and a great number of virtual machines (mainly RHEL 8).
The problem we encounter is random; it happens sometimes and not at other times.
Backend storage consists of SAN attached IBM Storwize V7000.
The problem is that when we expand a LUN on the storage system and wish to expand it in oVirt for use in the VM, this process sometimes hangs the VM completely: it shows as running in the oVirt GUI, but it cannot be paused or shut down from the GUI. The only way to shut it down is to log in to the node running the VM and run a destroy command from virsh.
Anyone else encountered this problem?
/John
1 month
Re: Help With CPU Type
by Jorge Visentini
Hi.
If you do this right, you will need downtime because the VM's processor
model will change, even though the VM's processor is only showing the
family.
Another thing that can happen is that you change the family and the host
becomes non-operational in the cluster, so you would have to test that at
least. But you can roll back to the original cluster family.
I have done this in the past and as far as I remember, the only thing that
causes a warning on the VM is that it is running on a different cluster,
that's all.
Please correct me if I'm wrong.
Cheers!
On Thu, Jan 23, 2025 at 02:13, Daniel Martins via Users <
users(a)ovirt.org> wrote:
> Hi There,
>
>
>
> Please may you assist me with the below?
>
>
>
> I need to remove an oVirt host within a cluster that is using CPU Type
> Intel Westmere IBRS SSBD Family. Once the host is removed i need to change
> the CPU type to Intel Broadwell which the remaining hosts Use.
>
>
>
> So my question is will there need to be down time on the Virtual machines
> to change this?
>
>
>
> Regards,
--
Att,
Jorge Visentini
+55 55 98432-9868
1 month, 2 weeks
oVirt does not get keycloak groups
by Christian Fischer
Hi everyone.
I have set up an oVirt installation with Keycloak for a PoC evaluation,
but I'm actually struggling with Keycloak group sync to oVirt.
I added Active Directory users and also a Group Mapper for LDAP groups
-> in Keycloak I see all users and also that they belong to groups, but
the group membership is not populated back to oVirt. As a result I
can't grant permissions groupwise - only per user.
For the initial group sync I ticked the option "Drop non-existing
groups during sync", which also deleted the ovirt-administrator group.
Maybe this is the main problem here. I created this group again and
unchecked this option, but it still does not sync the groups.
What do you recommend? Purge the system and do a clean install or is
there another easy fix out there?
Thanks,
have a nice weekend.
Greetings
Christian
1 month, 2 weeks
Questions and Suggestions for oVirt
by Daniel Gurgel
With the new leadership of the project, most users who admire and support oVirt would like to know the roadmap and future plans.
From my perspective, I understand that Red Hat discontinued its support purely for financial reasons. Therefore, this is probably one of the key areas where oVirt needs to strengthen. Wouldn't it be worth seeking support and collaboration with Veeam and Oracle, given its "OLVM"? Especially considering that, after the VMware/Broadcom licensing changes, Oracle has been aggressively offering OLVM to customers as a migration alternative.
A positive development was Veeam Backup & Replication recently adding support for OLVM. This has increased interest in the solution, but there are still limitations, such as migration/backup/restore between different hypervisors (interestingly, this feature is available for Proxmox/KVM, which uses similar technology).
These are some of the main questions from customers:
1. When will it be updated to Enterprise Linux 9 or 10?
2. What support will be available for new technologies?
3. How about a change in the Engine/Manager, allowing VMs to be managed even when the Engine is unavailable!
(Sorry, but this is one of oVirt's biggest bottlenecks, and inevitably, comparisons with VMware/VCenter arise.)
4. Support for VM migration between Datacenters should also be carefully considered.
**Note**: The oVirt website needs to be more user-friendly for general users. I also suggest a fundraising campaign—I would be happy to contribute, and I believe the entire user base would as well!
1 month, 2 weeks
Re: [EXT]Re: Re: [SOLVED] Re: Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?
by Cosmin Cioranu
I have checked the solution and it works, apart from the console feature
of the virtual machine.
In my case, once I got control over the host, I migrated all the VMs,
then Maintenance, and then Enroll Certificate.
So, an updated version:
```
set -x ## Make the script echo everything out, so if it fails you know where
set -e ## Make the script STOP on any error
my_date="$(date +"%Y%m%d%H%M%S")"
# Backup the existing CA files
/bin/cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem.$my_date
/bin/cp -p /etc/pki/ovirt-engine/ca.pem{,.$my_date}
/bin/mv /etc/pki/ovirt-engine/certs/ca.der{,.$my_date}
# Re-sign the existing CA certificate with the CA key (valid for 3650 days)
openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in /etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
# Write a copy that also carries the human-readable text dump
openssl x509 -in /etc/pki/ovirt-engine/ca.pem.new -text > /etc/pki/ovirt-engine/ca.pem.new.full
# Put the files into place
/bin/mv -f /etc/pki/ovirt-engine/ca.pem.new.full /etc/pki/ovirt-engine/ca.pem
/bin/cp -p /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/certs/ca.der
```
Now you need to copy the new CA file over to the host:
Source: ENGINE `/etc/pki/ovirt-engine/ca.pem`
Dest: HOST `/tmp/new-ca.pem`

########### On the oVirt Host ###########
```
# Create a CSR using the information from the existing certificate and the existing key:
openssl x509 -x509toreq -in /etc/pki/libvirt/clientcert.pem -out /tmp/HOST.csr -signkey /etc/pki/libvirt/private/clientkey.pem
```
Now you need to copy the new CA file over to the host:
Source: HOST `/tmp/HOST.csr`
Dest: ENGINE `/etc/pki/ovirt-engine/requests/full.hostname.com.req`

########### On the ENGINE HOST ###########
```
# Now sign it:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=full.hostname.com
# NB -- adding --san results in an error: --san=host.na.me (So no Subject Alternate Names)
```
Now you need to copy the new Certificate file over to the host:
Source: ENGINE `/etc/pki/ovirt-engine/certs/full.hostname.com.cer`
Dest: HOST `/tmp/new-cert.pem`

########### On the oVirt Host ########### (see below the written script)
```
#!/bin/bash
#set -x
set -e
mydate="$(date +"%Y%m%d%H%M%S")"
echo "[.] reference ${mydate}"

# Both new files must be present before anything is moved; stop with an error otherwise.
for x in /tmp/new-ca.pem /tmp/new-cert.pem; do
    echo -n "[.] checking $x"
    if [ ! -e "$x" ]; then
        echo "[not found]"
        exit 1
    else
        echo "[found]"
    fi
done

# Back up each host certificate, then replace it with the newly signed one.
for x in /etc/pki/libvirt/clientcert.pem \
         /etc/pki/vdsm/certs/vdsmcert.pem \
         /etc/pki/vdsm/libvirt-migrate/server-cert.pem \
         /etc/pki/vdsm/libvirt-spice/server-cert.pem \
         /etc/pki/vdsm/libvirt-vnc/server-cert.pem; do
    echo -n "copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /tmp/new-cert.pem to $x"
    /bin/cp /tmp/new-cert.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 644 root:kvm"
    chmod 644 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done

# Back up each CA certificate copy, then replace it with the new CA certificate.
for x in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem \
         /etc/pki/vdsm/certs/cacert.pem \
         /etc/pki/vdsm/libvirt-vnc/ca-cert.pem \
         /etc/pki/vdsm/libvirt-spice/ca-cert.pem \
         /etc/pki/CA/cacert.pem; do
    echo -n "copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /tmp/new-ca.pem to $x"
    /bin/cp /tmp/new-ca.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 644 root:kvm"
    chmod 644 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done

# The VDSM key becomes a copy of the libvirt client key that produced the CSR.
for x in /etc/pki/vdsm/keys/vdsmkey.pem; do
    echo -n "copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /etc/pki/libvirt/private/clientkey.pem to $x"
    /bin/cp /etc/pki/libvirt/private/clientkey.pem "${x}"
    echo "[done]"
    # Private key: readable by root and the kvm group only, not world-readable.
    echo -n "[.] setting permissions to $x 640 root:kvm"
    chmod 640 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done

echo "[.] Checks "
openssl x509 -in /etc/pki/libvirt/clientcert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/certs/cacert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/client-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/server-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-spice/server-cert.pem -noout -dates
```
Note: I would back up the entire pki folder on both node and engine.
1 month, 2 weeks
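Added example (not part of the message above and not oVirt tooling): a pre-flight check to run on the host before the replacement script moves any file, confirming that the new certificate chains to the new CA, matches the private key that produced the CSR, and is not about to expire. The function names `precheck_cert` and `make_demo_pki` are hypothetical, and the demo PKI is constructed throwaway data so the check can be tried offline.

```shell
#!/bin/bash
# Added example: verify a renewed certificate before swapping files into place.

# precheck_cert CA CERT KEY [MIN_DAYS]
# Returns 0 only if CERT chains to CA, KEY matches CERT, and CERT
# stays valid for at least MIN_DAYS (default 30).
precheck_cert() {
    local ca="$1" cert="$2" key="$3" min_days="${4:-30}"
    local f cert_pub key_pub
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    # 1. The new certificate must verify against the new CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: $cert is not signed by $ca" >&2; return 3; }
    # 2. The certificate's public key must match the private key in use.
    cert_pub="$(openssl x509 -in "$cert" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)"
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key: $key does not match $cert" >&2; return 4; }
    # 3. Reject a certificate that expires within the window.
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null \
        || { echo "expiry: $cert expires within $min_days days" >&2; return 5; }
    return 0
}

# make_demo_pki DIR: constructed throwaway CA, host certificate (90 days)
# and an unrelated key, for exercising precheck_cert without a real host.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -out "$d/host.pem" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}
```

With the file locations used in the message, the call on the host would be `precheck_cert /tmp/new-ca.pem /tmp/new-cert.pem /etc/pki/libvirt/private/clientkey.pem`; a non-zero return means the files should not be copied into place yet.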