On Sun, Aug 7, 2022 at 6:34 AM P F <pat(a)patfruth.com> wrote:
> I'm unable to recreate the original problem.
> The good news is, the process moves past the engine_setup now.
> The ovirt-engine server actually starts, and is exposed on
> https://<ovirthost>:6900/ovirt-engine
> The bad news is, when I try to access the engine Web UI at that URL, I get a '500
> Internal Server Error'.
> I don't see any obvious errors in the log files in /var/log/ovirt-engine
Can you check/share all of /var/log/ovirt-engine and /var/log/httpd?
> I'm able to access the URL https://<ovirthost>:6900/ovirt-engine
> However, as soon as I click the "Administration Portal" link on the main page,
> I see the '500 Internal Server Error'
> I do notice the following error in /var/log/httpd/ssl_error_log:
> [Sat Aug 06 18:45:32.106641 2022] [auth_openidc:error] [pid 1648:tid 139896547178240] [client 192.168.222.3:58098] oidc_authenticate_user: the URL hostname (ovirt-engine.internal.net) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (ovirt-node04.internal.net): the "state" and "session" cookies will not be shared between the two!, referer: https://ovirt-node04.internal.net:6900/ovirt-engine/
I am not an expert on how this should work. Adding Martin. In any
case, this sounds like a bug to me, even though not sure it's
possible/easy to fix - would you like to create one?
> The error above would suggest that it will not be possible to access the engine Web UI
> which is temporarily exposed on port 6900.
Seems so.
> How has this ever been possible in the past?
Most likely this is a result of enabling keycloak integration. Perhaps
you can try again and answer 'No' to 'Configure Keycloak integration
on the engine'. If this works, it might be the simplest way for now -
you can enable keycloak integration later if you want.
> What do I need to do in order to access the engine Web UI, since I
> need to configure the host's network to include several VLANs necessary to complete
> the restore of the engine DB?
I am just guessing here, not knowing anything about openidc. Perhaps
it does not like being accessed as a different hostname and/or port.
The engine does not like this either, but we "convince" it:
[1]
https://github.com/oVirt/ovirt-ansible-collection/blob/master/roles/hoste...
    - name: Allow the webadmin UI to be accessed over the first host
      block:
        - name: Saving original value
          ansible.builtin.replace:
            path: /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
            regexp: '^(SSO_ALTERNATE_ENGINE_FQDNS=.*)'
            replace: '#\1 # pre hosted-engine-setup'
        - name: Adding new SSO_ALTERNATE_ENGINE_FQDNS line
          ansible.builtin.lineinfile:
            path: /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
            line: 'SSO_ALTERNATE_ENGINE_FQDNS="{{ he_host_address }}" # hosted-engine-setup'
But this isn't mandatory, it's just a convenience we added at some point.
Instead, you can do something similar to what we do to allow access on
port 6900:
[2]
https://github.com/oVirt/ovirt-ansible-collection/blob/master/roles/hoste...
    - name: Open a port on firewalld
      ansible.builtin.command: firewall-cmd --zone=public --add-port {{ he_webui_forward_port }}/tcp
      changed_when: true
    - name: Expose engine VM webui over a local port via ssh port forwarding
      ansible.builtin.command: >-
        sshpass -e ssh -tt -o ServerAliveInterval=5 -o
        StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -g -L
        {{ he_webui_forward_port }}:{{ he_fqdn }}:443 {{ he_fqdn }}
      environment:
        "{{ he_cmd_lang | combine( { 'SSHPASS': he_appliance_password } ) }}"
      changed_when: true
      async: 86400
      poll: 0
      register: sshpf
But instead of opening the port on firewalld from the host, do the
entire tunnelling from your laptop (or where you run the web browser):
1. Add the engine VM's name to your /etc/hosts, to the line of '127.0.0.1'
2. Find the (temporary, local) IP address of the engine VM, in your
case that's '192.168.222.3'
3. Create an ssh tunnel - something like:
# ssh -L443:192.168.222.3:443 root@ovirt-node04.internal.net
Then you can access the engine (and keycloak) web UI via the "real" FQDN:
https://ovirt-engine.internal.net/ovirt-engine/
Good luck and best regards,
--
Didi
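The laptop-side tunnel described in the reply above, written out as an added example. This is not code from the thread or from the oVirt project; it takes the hostnames and the temporary engine IP quoted in the thread, and everything else (the function names, the `CA_FILE` path, the probe URL and the assumed `/ovirt-engine/callback` redirect path, of which only the hostname matters) is this script's own assumption. The `check` action reproduces the hostname comparison that mod_auth_openidc logged in ssl_error_log, so you can see before starting the tunnel why `ovirt-node04:6900` fails and the real FQDN does not.

```shell
#!/usr/bin/env bash
# Added example, not oVirt project code: run the engine web UI tunnel from the
# laptop the browser is on, and check the condition behind the 500 first.
# Hostnames/IP are the ones quoted in the thread; function names, CA_FILE and
# the redirect path used in 'check' are assumptions of this script.
set -eu

ENGINE_FQDN="${ENGINE_FQDN:-ovirt-engine.internal.net}"   # "real" engine FQDN
ENGINE_TMP_IP="${ENGINE_TMP_IP:-192.168.222.3}"          # temporary engine VM IP
HE_HOST="${HE_HOST:-ovirt-node04.internal.net}"          # host running the engine VM
LOCAL_PORT="${LOCAL_PORT:-443}"                          # local end of the tunnel
CA_FILE="${CA_FILE:-./ovirt-engine-ca.pem}"              # engine CA copied out of band (assumed path)

# Hostname part of a URL: drop scheme, path, userinfo and port.
# (Bracketed IPv6 literals are not handled; the thread only has DNS names.)
url_host() {
    u="${1#*://}"              # strip scheme
    u="${u%%/*}"               # strip path
    u="${u##*@}"               # strip userinfo
    printf '%s\n' "${u%%:*}"   # strip port
}

# The check behind the ssl_error_log message: the "state"/"session" cookies
# are only shared when OIDCRedirectURI and the accessed URL have the same
# hostname. Returns 0 when access would work, 1 when it would yield the 500.
oidc_host_matches() {
    [ "$(url_host "$1")" = "$(url_host "$2")" ]
}

# Line for the laptop's /etc/hosts so the browser resolves the engine FQDN
# to the local end of the tunnel (step 1 in the reply above).
hosts_line() {
    printf '127.0.0.1 %s\n' "$ENGINE_FQDN"
}

# The ssh command the tunnel uses. -N: no remote shell, forwarding only.
# Host-key checking stays on: the setup role turns it off because it talks
# to a VM it has just created; a laptop reaching a real host should not.
tunnel_cmd() {
    printf 'ssh -N -L %s:%s:443 root@%s\n' "$LOCAL_PORT" "$ENGINE_TMP_IP" "$HE_HOST"
}

# Probe through the tunnel under the real FQDN. --resolve pins the FQDN to
# 127.0.0.1 for this one request, so it works before /etc/hosts is edited.
# A 3xx toward the SSO login page means the hostname check passed; a 500
# means the browser would hit the same error as over port 6900.
probe() {
    curl -sS -o /dev/null -w '%{http_code}\n' --cacert "$CA_FILE" \
        --resolve "$ENGINE_FQDN:$LOCAL_PORT:127.0.0.1" \
        "https://$ENGINE_FQDN:$LOCAL_PORT/ovirt-engine/webadmin/"
}

case "${1:-}" in
    check)
        # Assumed redirect URI path; only its hostname enters the comparison.
        redirect="https://$ENGINE_FQDN/ovirt-engine/callback"
        for url in "https://$HE_HOST:6900/ovirt-engine/" \
                   "https://$ENGINE_FQDN:$LOCAL_PORT/ovirt-engine/"; do
            if oidc_host_matches "$redirect" "$url"; then
                echo "ok   $url"
            else
                echo "500  $url"
            fi
        done ;;
    up)
        grep -qE "[[:space:]]$ENGINE_FQDN([[:space:]]|$)" /etc/hosts \
            || echo "note: add to /etc/hosts: $(hosts_line)" >&2
        # Binding a local port below 1024 needs root (hence the '#' prompt).
        ssh -N -L "$LOCAL_PORT:$ENGINE_TMP_IP:443" "root@$HE_HOST" ;;
    probe) probe ;;
    "") ;;   # run without an action: only define the functions
    *) echo "usage: $0 check|up|probe" >&2; exit 2 ;;
esac
```

Run `check` first, then `up` in one terminal and `probe` (or the browser at https://ovirt-engine.internal.net/ovirt-engine/) in another; remove the /etc/hosts line once the restore is done and the engine has its permanent address. `CA_FILE` is the engine CA fetched out of band so the probe verifies TLS instead of using `curl -k`; note that the project's own playbook passes `StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which is acceptable for a VM it has just created but is not something to copy into a command run from a laptop against a real host.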