----- Original Message -----
From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
To: "Martin Perina" <mperina(a)redhat.com>
Cc: users(a)ovirt.org, "Eli Mesika" <emesika(a)redhat.com>
Sent: Sunday, May 24, 2015 10:02:34 AM
Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
On 23.05.2015 15:04, Martin Perina wrote:
>
>
> ----- Original Message -----
>> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
>> To: "Martin Perina" <mperina(a)redhat.com>
>> Cc: users(a)ovirt.org, "Eli Mesika" <emesika(a)redhat.com>
>> Sent: Thursday, May 21, 2015 9:31:50 PM
>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>
>>
>>
>> On 21.05.2015 21:07, Martin Perina wrote:
>>> Hi Daniel,
>>>
>>> I'm cc'ing Eli as we are currently facing issue with fence agents
>>> regression for passing boolean flags to fence agents.
>> Thanks for getting back to me so quickly.
>>>
>>> I looked at man page of fence_ilo2 again and I haven't found
>>> --tls1.0 option at all.
>> Strange? FYI I am running CentOS7.1 hosts; installed fence:
>> fence-agents-ilo2-4.0.11-11.el7_1.x86_64
>>
>> Here, clearly I have this option. The fence agent itself seems to use
>> gnutls successfully:
>>
>> # fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status
>> --ssl-insecure --tls1.0
>>
>> Running command: /usr/bin/gnutls-cli --priority
>> "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION"
>> --insecure --crlf -p 443 10.11.0.212
>>
>
> Ahh, I looked at older version on F20. But I can't find --tls1.0 option
> even on man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
>
> So if you really see this option, please take a look at the end of the man
> page, where you can find the STDIN format option names, and add it along
> with ssl_insecure to the options in the Power Management tab of the hosts (instead
> of "tls1_0" use what you find in your man page):
Many thanks! Using the STDIN options solved this issue. I finally get:
Test succeeded: on
I am using these options in the options field for the ilo2 fencing module:
ssl_insecure=1,tls1.0=1
Also working:
ssl_insecure=1,notls=1
>
> ssl_insecure=1,tls1_0=1
True. What still puzzles me is the tls1.0 option. In my man pages
the STDIN option is called 'tls1.0'. Also, can you check whether you
have a 'notls' option to force SSL3.0? This also works for me.
Ahh, sorry for the confusion. By mistake I looked at an older fence-agents
RPM :-(
I looked again and now I also have "tls1.0". The "notls" option is
also contained in the older version (like the one I have in my F20).
I think all the info you gave here, esp. using the stdin binary options
in the form 'option=0|1', is quite essential to get fencing working. I had
a quick look over some man pages and I think all the standard fence
agents are used in the same manner.
Yes, this is the regression I wrote you about. The latest fence-agents dropped
the support for passing boolean options without a value (just sending "notls"
was ok in prior versions), but the last version requires sending "notls=1"
or "notls=true", otherwise the option is not used. We are currently preparing
patches to handle it.
Also, a hint might be in order that old iLO boards can't cope with TLS
and need it disabled. I think here [1] [2]?
[1] http://www.ovirt.org/Automatic_Fencing
[2] http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Set...
Hmm, thanks for the input, I will talk with Eli and Oved how to make
the documentation more understandable.
Thanks
Martin Perina
Thanks!
>
> Thanks
>
> Martin Perina
>
>> I put the whole command output below [1]
>>
>>
>>> To specify --ssl-insecure please add the following
>>> into options in the Power Management tab of the host:
>>>
>>> ssl_insecure=1
>> Thanks for pointing out how to actually use these options.
>>>
>>>
>>> Martin Perina
>>>
>>> ----- Original Message -----
>>>> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
>>>> To: "Martin Perina" <mperina(a)redhat.com>
>>>> Cc: users(a)ovirt.org
>>>> Sent: Thursday, May 21, 2015 8:11:40 PM
>>>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>>>
>>>>
>>>>
>>>> On 12.05.2015 09:16, Martin Perina wrote:
>>>>> Hi Daniel,
>>>> Hello Martin,
>>>>
>>>> sorry for answering that late. And thanks for pointing me to the man
>>>> page! I always seem to forget that.
>>>>>
>>>>> options defined in PM tab are used to pass custom settings
>>>>> of specific fence agent. In you case please take a look
>>>>> at man page for fence_ilo2. I looked there briefly and
>>>>> I'm afraid that your parameter is not supported.
>>>>
>>>> Ok, this command runs fine and uses XML:
>>>> fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status
>>>> --ssl-insecure --tls1.0
>>>>
>>>> However, using options --tls1.0 and --ssl-insecure does not work in the
>>>> engine. What puzzles me: the fence agent seems to use an SSL connection
>>>> and XML; while the GUI wants an SSH port from me?
>>>>
>>>> There I get the error:
>>>> Unknown options ..
>>>>
>>>> now I only get
>>>> Test succeeded - unknown (which actually is not successful)
>>>>
>>>>
>>>> Thanks!
>>>>>
>>>>> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
>>>>> passing that option for SSH connection, so you could try them
>>>>> if they work with your fence device.
>>>>>
>>>>> Martin Perina
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
>>>>>> To: users(a)ovirt.org
>>>>>> Sent: Monday, May 11, 2015 5:53:10 PM
>>>>>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> to make this short - I need to pass ssh options to get the
>>>>>> connection to ilo2 working (MACs=hmac-sha1) [1].
>>>>>>
>>>>>> How can this be done? I think the 'options' field is clearly for
>>>>>> something else?
>>>>>>
>>>>>> Using this option in .ssh/config works btw.
>>>>>>
>>>>>> Thanks!
>>>>>
>>>>
>>>>
>>>
>>
>> [1]
>>
>> Sent: <?xml version="1.0"?>
>>
>> Received: <?xml version="1.0"?>
>>
>> Processed 0 CA certificate(s).
>> Resolving '10.11.0.212'...
>> Connecting to '10.11.0.212:443'...
>> - Certificate type: X.509
>> - Got a certificate list of 1 certificates.
>> - Certificate[0] info:
>> - subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard
>> Company,OU=ISS,CN=hv02', issuer
>> `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hv02', RSA
>> key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05
>> 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint
>> `4db06bc1a74fe2894068d89ea76c0622b3e76bc1'
>> Public Key ID:
>> 428f85bc360c8778eb550e4b8ef1c65b111d7108
>> Public key's random art:
>> +--[ RSA 1024]----+
>> | Eoo+. |
>> | . o . .o. |
>> | . = B + |
>> | . & X . |
>> | o # S |
>> | . + = |
>> | . . |
>> | |
>> | |
>> +-----------------+
>>
>> - Status: The certificate is NOT trusted. The certificate issuer is
>> unknown. The name in the certificate does not match the expected.
>> *** PKI verification of server certificate failed...
>> - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
>> - Session ID:
>> AA:C9:08:8C:F5:E7:E6:19:7D:BC:20:D4:A0:C0:DA:E4:0E:C1:C0:2A:BC:93:8E:B3:5F:20:B0:38:67:F2:01:5C
>> - Version: TLS1.0
>> - Key Exchange: RSA
>> - Cipher: AES-128-CBC
>> - MAC: SHA1
>> - Compression: NULL
>> - Handshake was completed
>>
>> - Simple Client Mode:
>>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> Sent: <RIBCL VERSION="2.0">
>>
>> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>>
>> Sent: <RIB_INFO MODE="read"><GET_FW_VERSION />
>>
>> Sent: </RIB_INFO>
>>
>> Received:
>> <RIBCL VERSION="2.0">
>>
>> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>>
>> <RIB_INFO MODE="read"><GET_FW_VERSION />
>>
>> </RIB_INFO>
>>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> <GET_FW_VERSION
>>
>> Received: FIRMWARE_VERSION = "2.25"
>> FIRMWARE_DATE = "Apr 14 2014"
>> MANAGEMENT_PROCESSOR = "iLO2"
>> LICENSE_TYPE = "iLO 2 Advanced"
>> />
>> Sent: </LOGIN>
>>
>> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>>
>> Sent: <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
>>
>> Sent: </SERVER_INFO></LOGIN>
>>
>> Received:
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> </LOGIN>
>>
>> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "*********">
>>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
>>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>> STATUS="0x0000"
>> MESSAGE='No error'
>> />
>> <GET_HOST_POWER
>> HOST_POWER="ON"
>> Status: ON
>>
>
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Geschäftsführer: Martin Retschitzegger / Michaela Göllner
Handelsregister: Amtsgericht Charlottenburg / HRB 112767
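Added example, not code from the thread, from oVirt or from fence-agents: it turns the comma-separated Options field discussed above (ssl_insecure=1,tls1.0=1) into the key=value lines a fence agent reads on STDIN, normalising a bare boolean flag such as "notls" to "notls=1" so it survives the fence-agents regression Martin describes, and it checks the verbose fence_ilo2/gnutls-cli output from the log at the end of the thread for the weak-crypto indicators an old iLO 2 forces you to accept (RSA-MD5 signature, 1024-bit key, TLS 1.0, unverified certificate) and for the clear-text RIBCL password that -v echoes. The STDIN keys ipaddr, login, passwd and action are an assumption taken from the fence-agents man pages (check the end of your own agent's man page, as the thread advises); the sample verbose text is constructed from the posted log, not a live capture.

```python
"""Added example (not oVirt's or fence-agents' own code).

Assumptions, labelled: the fence-agents STDIN keys ipaddr/login/passwd/action
(see the end of your agent's man page); the agent path passed to
run_fence_agent(); SAMPLE_VERBOSE is constructed from the thread's log lines.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Values recent fence-agents accepts for a boolean option ("notls=1" or
# "notls=true", per the thread); a flag with no value is ignored there.
TRUE_VALUES = {"1", "true"}


def parse_pm_options(field: str) -> Dict[str, str]:
    """Parse the oVirt PM Options field 'ssl_insecure=1,tls1.0=1' into a dict.

    A bare flag ("notls") is normalised to "notls=1" so it is not silently
    dropped by fence-agents versions that require an explicit value.
    """
    opts: Dict[str, str] = {}
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        opts[key.strip()] = value.strip() if sep else "1"
    return opts


def option_enabled(options: Dict[str, str], key: str) -> bool:
    """True only for the values fence-agents itself treats as true."""
    return options.get(key, "").strip().lower() in TRUE_VALUES


def build_fence_stdin(ipaddr: str, login: str, passwd: str, action: str,
                      options: Dict[str, str]) -> str:
    """Render the STDIN stream for a fence agent: one key=value per line.

    Connection keys first, then the agent-specific options in sorted order.
    """
    lines = [f"ipaddr={ipaddr}", f"login={login}",
             f"passwd={passwd}", f"action={action}"]
    lines += [f"{k}={v}" for k, v in sorted(options.items())]
    return "\n".join(lines) + "\n"


def run_fence_agent(agent: str, stdin_text: str,
                    timeout: int = 30) -> Tuple[int, str]:
    """Run the agent (e.g. an assumed /usr/sbin/fence_ilo2) with everything on
    STDIN, so the password never lands on argv and in `ps`. Not exercised by
    the test."""
    proc = subprocess.run([agent], input=stdin_text, capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout


_RIBCL_PASSWORD = re.compile(r'(PASSWORD\s*=\s*")[^"]*(")')


def redact_ribcl_password(verbose_output: str) -> str:
    """Mask the PASSWORD attribute of echoed RIBCL <LOGIN> elements before the
    -v output goes into a ticket or onto a mailing list."""
    return _RIBCL_PASSWORD.sub(r"\1********\2", verbose_output)


def audit_gnutls_output(verbose_output: str) -> List[str]:
    """Flag the weak-crypto indicators gnutls-cli prints for old iLO boards."""
    findings: List[str] = []
    if re.search(r"signed using RSA-MD5", verbose_output):
        findings.append("certificate signed with RSA-MD5")
    m = re.search(r"RSA\s+key\s+(\d+)\s+bits", verbose_output)
    if m and int(m.group(1)) < 2048:
        findings.append(f"RSA key only {m.group(1)} bits")
    m = re.search(r"- Version:\s*(TLS1\.0|SSL3\.0)", verbose_output)
    if m:
        findings.append(f"legacy protocol {m.group(1)} negotiated")
    if "The certificate is NOT trusted" in verbose_output:
        findings.append("server certificate not verified (ssl_insecure in effect)")
    return findings


# Constructed from the thread's log lines (password replaced); not a capture.
SAMPLE_VERBOSE = """\
- subject `O=Hewlett-Packard Company,OU=ISS,CN=hv02', RSA key 1024 bits, signed using RSA-MD5 (broken!)
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
- Version: TLS1.0
Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "hunter2">
"""

if __name__ == "__main__":
    opts = parse_pm_options("ssl_insecure=1,tls1.0=1")
    print(build_fence_stdin("10.11.0.212", "ovirt", "secret", "status", opts), end="")
    for finding in audit_gnutls_output(SAMPLE_VERBOSE):
        print("WARN:", finding)
    print(redact_ribcl_password(SAMPLE_VERBOSE), end="")
```

Feeding the agent through STDIN rather than argv is also what the engine does; the script only makes the format visible. Treat any non-empty audit result as a reason to keep the iLO on an isolated management network, since ssl_insecure=1 plus tls1.0=1 means the fencing password crosses a link that neither authenticates the peer nor uses a modern cipher suite.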