On Fri, Mar 22, 2019 at 12:20 PM Dominik Holler <dholler(a)redhat.com> wrote:
[snip]
> > Tried also this as detailed by Dominik, renewing certificates:
>
https://www.mail-archive.com/users@ovirt.org/msg53697.html
>
> Not understood what to do in step
> 2. Use the SSO_CLIENT_SECRET from the outfile produced by the previous
> command in
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> "Use" in which way???
>
use as <my_secret_omitted> in
[OVIRT]
ovirt-sso-client-secret=<my_secret_omitted>
OK.
I misunderstood/misread behavior of the command
/usr/share/ovirt-engine/bin/ovirt-register-sso-client-tool.sh
I thought it directly
wrote /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
Instead it writes a temporary/transient file such as
/var/tmp/ovirt-engine/99_sso_client_1553259220210.conf
now I put the value of this generated file "SSO_CLIENT_SECRET=" inside
my 10-setup-ovirt-provider-ovn.conf and follow the other steps and I'm able
to successfully test the OVN connection
> It seems I have not completely understood the link between SSO and
> admin@internal as a user for OVN authentication....
>
The ovirt-sso-client-id and ovirt-sso-client-secret are required to
allow the ovirt-provider-ovn to connect to Engine's SSO for checking the
user-visible username, e.g. admin@internal, and password.
I guess you are already aware of the doc in
https://github.com/oVirt/ovirt-provider-ovn/#section-ovirt
ovirt-provider-ovn stores neither the user's (e.g. admin@internal)
password nor the session token; it is just forwarded to Engine's SSO to
check for validity.
If you are interested in the details, the session token is generated
by _get_sso_token in
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/auth/plu...
and validated by another method in
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/auth/plu...
where the ovirt-sso-client-id and ovirt-sso-client-secret are
used as client_id, client_secret.
In your case _get_sso_token is already failing, which does not use the
ovirt-sso-client-secret.
To solve this particular issue, the provider in oVirt web admin UI
should use the usual oVirt password for admin@internal.
Thanks for all the corollary information!
Now I was also able to create two ovn networks (ovn172 and ovn192) with one
subnet each and on engine I have:
[root@ovmgr1 log]# ovn-nbctl show
switch fc2fc4e8-ff71-4ec3-ba03-536a870cd483 (ovirt-ovn192-1e252228-ade7-47c8-acda-5209be358fcf)
    port 84c78095-744c-4415-805f-5f739af3d4d3
        addresses: ["00:1a:4a:17:01:53 dynamic"]
switch 9e77163a-c4e4-4abf-a554-0388e6b5e4ce (ovirt-ovn172-4ac7ba24-aad5-432d-b1d2-672eaeea7d63)
    port 899809f2-3ee8-4121-9fff-5e55bb0d5d8b
        addresses: ["00:1a:4a:17:01:54 dynamic"]
[root@ovmgr1 log]#
I'm now able to create/attach an ovn based nic to a VM, but if I try to
power on this VM I get an error in web admin gui
Failed to run VM p2vorasvi11
and in engine.log:
2019-03-22 14:30:34,498+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ForkJoinPool-1-worker-5) [] EVENT_ID: VM_DOWN_ERROR(119), VM p2vorasvi11 is down with error. Exit message: Hook Error: ('',).
If I put a standard nic the VM is able to start without problem.
Full log in engine.log during startup here:
https://drive.google.com/file/d/1vDY64QaRkb8LWHJ9gD16bsJlyovISNwr/view?us...
BTW: one strange thing I see in dumped xml in engine.log during startup is:
<graphics type="spice" port="-1" autoport="yes" passwd="*****" passwdValidTo="1970-01-01T00:00:01" tlsPort="-1">
Gianluca
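
Step 2 as discussed above (copying SSO_CLIENT_SECRET from the tool's outfile into the [OVIRT] section of 10-setup-ovirt-provider-ovn.conf), as an added example that is not part of the original thread or of oVirt's own code. It assumes the outfile holds a line of the form SSO_CLIENT_SECRET=<value>, optionally double-quoted; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: set ovirt-sso-client-secret in [OVIRT] from the outfile
# written by ovirt-register-sso-client-tool.sh.
# Assumption: the outfile contains "SSO_CLIENT_SECRET=<value>".

# Print the secret found in outfile $1; fail if there is none.
read_sso_secret() {
    v=$(sed -n 's/^SSO_CLIENT_SECRET=//p' "$1" | tail -n 1)
    v=${v#\"}; v=${v%\"}          # drop optional surrounding quotes
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Usage: set_provider_secret OUTFILE PROVIDER_CONF
# Replaces (or adds) the key inside [OVIRT] only; other sections are untouched.
set_provider_secret() {
    secret=$(read_sso_secret "$1") || {
        echo "no SSO_CLIENT_SECRET in $1" >&2; return 1; }
    old_umask=$(umask)
    umask 077                     # new config file is readable by owner only
    tmp=$(mktemp "$2.XXXXXX") || { umask "$old_umask"; return 1; }
    # The secret goes through the environment, not argv, so it does not show
    # up in process listings, and ENVIRON does no backslash processing.
    SECRET="$secret" awk '
        /^\[/ { if (in_s && !done) { print key "=" ENVIRON["SECRET"]; done = 1 }
                in_s = ($0 == "[OVIRT]") }
        in_s && index($0, key "=") == 1 {
                if (!done) print key "=" ENVIRON["SECRET"]
                done = 1; next }
        { print }
        END   { if (in_s && !done) { print key "=" ENVIRON["SECRET"]; done = 1 }
                exit(done ? 0 : 1) }
    ' key=ovirt-sso-client-secret "$2" > "$tmp"
    rc=$?
    umask "$old_umask"
    if [ "$rc" -ne 0 ]; then
        rm -f "$tmp"
        echo "no [OVIRT] section in $2" >&2
        return 1
    fi
    # Atomic replace; the result is mode 0600 and owned by the caller.
    mv "$tmp" "$2"
}

# Example call with the paths from this thread:
# set_provider_secret /var/tmp/ovirt-engine/99_sso_client_1553259220210.conf \
#     /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
```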