Re: [EXT]Re: Re: [SOLVED] Re: Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?
by Cosmin Cioranu
I have checked the solution and it works, apart from the console feature
of the virtual machine.
In my case, once I got control over the host, migrated all the vms and
then Maintenance and then Enroll Certificate.
So: an updated version
```
set -x ## Make the script echo everything out, so if it fails you know where
set -e ## Make the script STOP on any error
# Plain assignment: "set my_date=..." would leave $my_date empty
my_date="$(date +"%Y%m%d%H%M%S")"
# Backup the existing CA files
/bin/cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem.$my_date
/bin/cp -p /etc/pki/ovirt-engine/ca.pem{,.$my_date}
/bin/mv /etc/pki/ovirt-engine/certs/ca.der{,.$my_date}
# Sign the key
openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem \
    -in /etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new \
    -days 3650 -sha256
openssl x509 -in /etc/pki/ovirt-engine/ca.pem.new -text > /etc/pki/ovirt-engine/ca.pem.new.full
# Put the files into place
/bin/mv -f /etc/pki/ovirt-engine/ca.pem.new.full /etc/pki/ovirt-engine/ca.pem
/bin/cp -p /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/certs/ca.der
```
Now you need to copy the new CA file over to the host:
Source: ENGINE `/etc/pki/ovirt-engine/ca.pem`
Dest: HOST `/tmp/new-ca.pem`
```
########### On the oVirt Host ###########
# Create a CSR using the information from the existing certificate and the existing key:
openssl x509 -x509toreq -in /etc/pki/libvirt/clientcert.pem -out /tmp/HOST.csr \
    -signkey /etc/pki/libvirt/private/clientkey.pem
```
Now you need to copy the new CA file over to the host:
Source: HOST `/tmp/HOST.csr`
Dest: ENGINE `/etc/pki/ovirt-engine/requests/full.hostname.com.req`
```
########### On the ENGINE HOST ###########
# Now sign it:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=full.hostname.com
# NB -- adding --san results in an error: --san=host.na.me (So no Subject Alternate Names)
```
Now you need to copy the new Certificate file over to the host:
Source: ENGINE /etc/pki/ovirt-engine/certs/full.hostname.com.cer
Dest: HOST /tmp/new-cert.pem
########### On the oVirt Host ########### (see below the written script)
```
#!/bin/bash
#set -x
set -e
mydate="$(date +"%Y%m%d%H%M%S")"
echo "[.] reference ${mydate}"
# Both staged files must exist before anything is moved
for x in /tmp/new-ca.pem /tmp/new-cert.pem ; do
    echo -n "[.] checking $x"
    if [ ! -e "$x" ]; then
        echo "[not found]"
        exit 1
    else
        echo "[found]"
    fi
done
# Replace the host certificates, keeping a timestamped copy of each
for x in /etc/pki/libvirt/clientcert.pem \
         /etc/pki/vdsm/certs/vdsmcert.pem \
         /etc/pki/vdsm/libvirt-migrate/server-cert.pem \
         /etc/pki/vdsm/libvirt-spice/server-cert.pem \
         /etc/pki/vdsm/libvirt-vnc/server-cert.pem; do
    echo -n "copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /tmp/new-cert.pem to $x"
    /bin/cp /tmp/new-cert.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 644 root:kvm"
    chmod 644 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done
# Replace the CA certificates the same way
for x in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem \
         /etc/pki/vdsm/certs/cacert.pem \
         /etc/pki/vdsm/libvirt-vnc/ca-cert.pem \
         /etc/pki/vdsm/libvirt-spice/ca-cert.pem \
         /etc/pki/CA/cacert.pem; do
    echo -n "copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /tmp/new-ca.pem to $x"
    /bin/cp /tmp/new-ca.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 644 root:kvm"
    chmod 644 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done
# The vdsm key is replaced with the libvirt client key the CSR was made from
for x in /etc/pki/vdsm/keys/vdsmkey.pem; do
    echo -n "copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /etc/pki/libvirt/private/clientkey.pem to $x"
    /bin/cp /etc/pki/libvirt/private/clientkey.pem "${x}"
    echo "[done]"
    # Private key: 640 instead of 644 so it is not world-readable; group kvm keeps read access
    echo -n "[.] setting permissions to $x 640 root:kvm"
    chmod 640 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done
echo "[.] Checks "
openssl x509 -in /etc/pki/libvirt/clientcert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/certs/cacert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/client-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/server-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-spice/server-cert.pem -noout -dates
```
Note: I would back up the entire pki folder on both node and engine.
2 months, 2 weeks
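A pre-flight check for the files staged in /tmp by the procedure above, as an added example that is not part of the original post: it confirms that the new host certificate chains to the renewed CA, matches the host's existing private key, and is not about to expire. `check_staged_certs` and `make_demo_pki` are hypothetical helper names, and the demo PKI is constructed throwaway data.

```shell
#!/bin/bash
# Added example, not part of the original post.

# check_staged_certs CA CERT KEY [MIN_DAYS]: returns 0 only if every check passes.
check_staged_certs() {
    local ca="$1" cert="$2" key="$3" min_days="${4:-30}" rc=0 f
    # 1. The host certificate must chain to the renewed CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $ca"; rc=1; }
    # 2. The certificate must carry the public half of the host's existing key.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: $cert does not match $key"; rc=1; }
    # 3. Neither certificate may expire within MIN_DAYS days.
    for f in "$ca" "$cert"; do
        openssl x509 -in "$f" -noout -checkend "$((min_days * 86400))" >/dev/null \
            || { echo "FAIL: $f expires within $min_days days"; rc=1; }
    done
    return "$rc"
}

# make_demo_pki DIR: constructed throwaway CA, host key and host certificate
# (plus an unrelated key) so the checks can be exercised away from a real host.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=demo-ca" -days 365 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/host.key" -out "$d/host.csr" \
        -subj "/CN=host.example.test" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/host.pem" -days 90 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# On the host, check the staged files before running the replacement script.
if [ -e /tmp/new-ca.pem ] && [ -e /tmp/new-cert.pem ]; then
    check_staged_certs /tmp/new-ca.pem /tmp/new-cert.pem \
        /etc/pki/libvirt/private/clientkey.pem
fi
```

A non-zero return means the staged files should not be copied into /etc/pki yet; the printed FAIL line names the check that did not pass.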
snapshot solution: Existing snapshots that were taken after this one will be erased.
by dhanaraj.ramesh@yahoo.com
Hi Team,
When I want to commit the older snapshots, I'm getting a warning stating "Existing snapshots that were taken after this one will be erased." Is there any way we can retain the latest snapshots as is in the chain?
I knew cloning and template export options are there to secure that latest snapshot data, but these will consume additional space in storage and take time.
2 months, 2 weeks
Re: [External] : Re: Unable to migrate vm with 4 (500g) disks from vmware to ovirt.
by dushyantk.sun@gmail.com
Currently the Linux VM which I am trying to migrate has 4 (500GB) disks. All disks are on the same datastore. It is an iSCSI datastore.
Do we have any configuration where we can enable verbose mode while the migration is going on to see what is happening, as currently I am unable to identify the failure?
Also, is there any limitation such that VMs with multiple disks are not possible to migrate?
2 months, 3 weeks
Unable to migrate vm with 4 (500g) disks from vmware to ovirt.
by dushyantk.sun@gmail.com
I have a VM with multiple disks attached to it. While migrating the VM from VMware to oVirt, it started but failed after 5-6 hours.
However, VMs with a single disk migrated successfully. I am following the oVirt UI to migrate the VM.
Please let me know if anyone has come across such a scenario.
2 months, 3 weeks
oVirt Translations & Future
by Jean-Louis Dupond
Hi,
We've set up an alternative for the (dead) Zanata translation project
for oVirt.
You can find the Weblate setup on the following location:
https://translate.ovirt.tech/projects/ovirt-engine/
So if somebody wants to add translations, feel free! :)
Will try to add translations for the other projects in the coming days.
Next to that, we are working hard to get oVirt better!
If you want to help, feel free to open PRs or send me a mail.
A lot can be done, so you won't get bored.
Some things that we are looking into:
- Java updates
- Wildfly update
- AlmaLinux 10 / CentOS Stream 10 support
Feel free to contact me if you have further questions.
Jean-Louis
2 months, 3 weeks
Re: [External] : OLVM/ovirt 4.5 support for 5th Gen Intel Xeon Gold (Emerald Rapids)
by Simon Coter
Hi Hassan,
We internally fixed it by reverting our patch and using the oVirt community one:
<https://github.com/oVirt/ovirt-engine/pull/978>
This will be released as part of the next Errata for OLVM.
Simon
On Jan 23, 2025, at 9:44 AM, Hassan Shabbir <hshabbir315(a)gmail.com> wrote:
Hello Simon,
Thank you for the response. What about 5th Gen Emerald Rapids? Correct me if I'm wrong: support for 4th Gen Sapphire Rapids is already in place in OLVM.
Regards,
On Thu, Jan 23, 2025, 1:32 PM Simon Coter <simon.coter(a)oracle.com> wrote:
We introduced a patch to address the Sapphire Rapids family support on OLVM 4.5.5.
We recently synced our patch with the one that had been pushed by the oVirt community and it should be out quite soon.
Simon
> On Jan 19, 2025, at 9:28 PM, hshabbir315(a)gmail.com wrote:
>
> Hi Guys,
>
> Can someone please confirm if 5th Gen Intel Gold (Emerald Rapids) CPUs are compatible with OLVM/ovirt 4.5.5.x? We have an OLVM/ovirt 4.5.5.x test lab setup cluster running on older hardware (Intel(R) Xeon(R) CPU E5-2660 v3 @ 2.60GHz - Haswell Family) with compatibility version 4.7. While going through the engine db backup we observed that there are no entries in the vdc_options table for the Emerald Rapids family of Intel CPUs. Does this mean that these CPUs are not supported by ovirt 4.5.5.x? Or are these CPUs supported, but the extra features/instruction sets offered by these CPUs over the Sapphire Rapids family of Intel CPUs will not be available to the VMs?
>
> Regards,
2 months, 3 weeks
OLVM/ovirt 4.5 support for 5th Gen Intel Xeon Gold (Emerald Rapids)
by hshabbir315@gmail.com
Hi Guys,
Can someone please confirm if 5th Gen Intel Gold (Emerald Rapids) CPUs are compatible with OLVM/ovirt 4.5.5.x? We have an OLVM/ovirt 4.5.5.x test lab setup cluster running on older hardware (Intel(R) Xeon(R) CPU E5-2660 v3 @ 2.60GHz - Haswell Family) with compatibility version 4.7. While going through the engine db backup we observed that there are no entries in the vdc_options table for the Emerald Rapids family of Intel CPUs. Does this mean that these CPUs are not supported by ovirt 4.5.5.x? Or are these CPUs supported, but the extra features/instruction sets offered by these CPUs over the Sapphire Rapids family of Intel CPUs will not be available to the VMs?
Regards,
2 months, 3 weeks
Re: [External] : The KVM Host Status Stucking in Connecting
by natchawi28@gmail.com
Hi,
What about the version differences between the Engine and the KVM host? Does it matter?
Engine: Oracle Linux 8.10
Kernel 5.15.0-302.167.6.el8uek.x86_64
KVM Host: Oracle Linux 8.6
Kernel 5.4.17-2136.311.6.1.el8uek.x86_64
I checked the Cluster Compatibility Version, and it appears to be compatible.
Thank you,
2 months, 3 weeks
ovirtmgmt claims no defroute after RHEL upgrade from 8.10 to 9.5
by Austin Coppock
First off apologies, I am unable to post log files as my oVirt servers have no access to the Internet.
I have several oVirt clusters, all were running oVirt 4.5 on RHEL 8.10. I am in the process of upgrading them to RHEL 9.5, with a few minor updates of oVirt packages. The steps I used to do this are:
• Back up the standalone engine DB
• Rebuild the engine to RHEL 9.5, reinstall oVirt, restore the DB
• Log back in to the engine, place first hypervisor into maintenance and rebuild to RHEL 9.5.
• Remove old hypervisor via the engine GUI and add back in to the cluster
• Repeat for each hypervisor until all are upgraded.
This has worked perfectly, everything seems to be normal, but I then noticed that if I select the “Network Interfaces” tab on a hypervisor it shows my bonded interface as “Out-of-sync”, clicking the “Sync All Networks” does nothing.
If I click on “Setup Host Networks” and hover the mouse over the ovirtmgmt interface I see the message “Default Route. Host: false DC: true”
If I run the command “vdsm-client Host getNetworkCapabilities” on the hypervisor, it shows {bridges: ovirtmgmt: ipv4defaultroute false} and {networks: ovirtmgmt: ipv4defaultroute false}. On my clusters that are still on RHEL 8.10, the above command shows ipv4defaultroute true.
Running the command “ip route show” shows that my default route IS on device ovirtmgmt.
I am not experiencing any network issues, but getting rid of this out-of-sync message would be nice.
Is this a bug or a bad status issue? Or do I have some obscure setting not correct?
For both RHEL 8.10 and RHEL 9.5 builds we have used Ansible to perform the tasks (with minor tweaks). So, the same procedure has been used for both.
2 months, 3 weeks