Issue with oVirt aaa-ldap connector on fresh install of 4.3.3
by Vrgotic, Marko
________________________________
From: Vrgotic, Marko
Sent: Tuesday, June 4, 2019 4:44:08 PM
To: users(a)ovirt.org
Cc: Stojchev, Darko
Subject: Issue with aaa-ldap connector on fresh install of 4.3.3
Dear oVirt,
We are running 4.3.3 latest with SHE.
Tried to connect our domain users using aaa-ldap extension tool provided.
We tried multiple different accounts, with multiple dn search tree syntaxes and verified the passwords.
The error is always the same:
`2019-06-04 14:03:30,763+0000 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835 Cannot authenticate using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com': {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}`
The log file is showing the following:
2019-06-04 14:02:31,666+0000 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:283 URLs: [u'ldap://hqdc2.example.com:389', u'ldap://eudc1.example.com:389', u'ldap://eudc2.example.com:389', u'ldap://hqdc1.example.com:389']
2019-06-04 14:02:31,666+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:393 Connecting to LDAP using 'ldap://hqdc2.example.com:389'
2019-06-04 14:02:31,675+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:444 Executing startTLS
2019-06-04 14:02:32,420+0000 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:447 Perform search
2019-06-04 14:02:32,567+0000 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:455 Result: [('', {'supportedLDAPVersion': ['3', '2']})]
2019-06-04 14:02:32,568+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:457 Connection succeeded
2019-06-04 14:02:32,568+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_USER
2019-06-04 14:02:32,568+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:02:57,540+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE uid=da-dstojchev,ou=Users,dc=example,dc=com
2019-06-04 14:02:57,541+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_PASSWORD
2019-06-04 14:02:57,541+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Enter search user password:
2019-06-04 14:03:00,713+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._bindLDAP:478 Attempting to bind using 'uid=da-dstojchev,ou=Users,dc=example,dc=com'
2019-06-04 14:03:00,862+0000 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835 Cannot authenticate using 'uid=da-dstojchev,ou=Users,dc=example,dc=com': {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}
2019-06-04 14:03:00,863+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_USER
2019-06-04 14:03:00,863+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:03:27,376+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE uid=openstack-test,ou=ABC Users,dc=example,dc=com
2019-06-04 14:03:27,376+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_PASSWORD
2019-06-04 14:03:27,377+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Enter search user password:
2019-06-04 14:03:30,616+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._bindLDAP:478 Attempting to bind using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com'
2019-06-04 14:03:30,763+0000 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835 Cannot authenticate using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com': {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}
2019-06-04 14:03:30,764+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_USER
2019-06-04 14:03:30,764+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:03:41,055+0000 DEBUG otopi.context context._executeMethod:145 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 132, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 812, in _customization_late
    default='',
  File "/usr/share/otopi/plugins/otopi/dialog/human.py", line 211, in queryString
    value = self._readline(hidden=hidden)
  File "/usr/lib/python2.7/site-packages/otopi/dialog.py", line 246, in _readline
    value = self.__input.readline()
  File "/usr/lib/python2.7/site-packages/otopi/main.py", line 53, in _signal
    raise RuntimeError("SIG%s" % signum)
RuntimeError: SIG2
2019-06-04 14:03:41,057+0000 ERROR otopi.context context._executeMethod:154 Failed to execute stage 'Environment customization': SIG2
2019-06-04 14:03:41,057+0000 DEBUG otopi.context context.dumpEnvironment:731 ENVIRONMENT DUMP – BEGIN
This is a fresh install of oVirt 4.3.3 latest, assigned for our prod env.
Kindly awaiting your reply,
Marko Vrgotic
ActiveVideo
5 years, 6 months
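Added example (not part of the original message, and not oVirt code): a small parser for the bind failures in an aaa-ldap setup log like the one above. It decodes the hexadecimal `data` field that Active Directory places in the `LdapErr` string (`52e` in this thread) into its Win32 error code and meaning, and counts failures per bind DN. The function names and the sample lines are constructed for illustration; the sample follows the log format shown in the message.

```python
import re
from collections import Counter

# Active Directory reports a Win32 error code, in hex, in the "data NNN" field.
AD_SUBSTATUS = {
    "525": "ERROR_NO_SUCH_USER: account not found",
    "52e": "ERROR_LOGON_FAILURE: unknown user name or bad password",
    "530": "ERROR_INVALID_LOGON_HOURS: logon not permitted at this time",
    "531": "ERROR_INVALID_WORKSTATION: logon not permitted from this host",
    "532": "ERROR_PASSWORD_EXPIRED: password expired",
    "533": "ERROR_ACCOUNT_DISABLED: account disabled",
    "701": "ERROR_ACCOUNT_EXPIRED: account expired",
    "773": "ERROR_PASSWORD_MUST_CHANGE: user must reset password",
    "775": "ERROR_ACCOUNT_LOCKED_OUT: account locked out",
}

# Matches the "Cannot authenticate using '<DN>': {... LdapErr ... data NNN ...}" lines.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\S* ERROR .*?"
    r"Cannot authenticate using '(?P<dn>[^']*)'.*?"
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+).*?\bdata (?P<data>[0-9A-Fa-f]+)"
)

def parse_bind_failures(lines):
    """Return one record per failed LDAP bind found in the given log lines."""
    failures = []
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a bind failure (INFO/DEBUG lines, tracebacks, ...)
        code = m.group("data").lower()
        failures.append({
            "time": m.group("ts"),
            "dn": m.group("dn"),
            "dsid": m.group("dsid"),
            "data": code,
            "win32": int(code, 16),
            "meaning": AD_SUBSTATUS.get(code, "unknown sub-status"),
        })
    return failures

def failures_per_dn(failures):
    """Count failures per bind DN; repeated failed binds can lock an account."""
    return Counter(f["dn"] for f in failures)

# Constructed sample lines (hypothetical DNs), in the format shown in the message.
_P = "otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common."
_E = "{'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data %s, v1db1', 'desc': 'Invalid credentials'}"
SAMPLE_LOG = [
    "2019-06-04 14:03:00,713+0000 INFO " + _P + "_bindLDAP:478 Attempting to bind using 'uid=svc-a,ou=Users,dc=example,dc=com'",
    "2019-06-04 14:03:00,862+0000 ERROR " + _P + "_customization_late:835 Cannot authenticate using 'uid=svc-a,ou=Users,dc=example,dc=com': " + _E % "52e",
    "2019-06-04 14:03:30,763+0000 ERROR " + _P + "_customization_late:835 Cannot authenticate using 'uid=svc-a,ou=Users,dc=example,dc=com': " + _E % "52e",
    "2019-06-04 14:04:10,101+0000 ERROR " + _P + "_customization_late:835 Cannot authenticate using 'uid=svc-b,ou=Users,dc=example,dc=com': " + _E % "775",
]

if __name__ == "__main__":
    for f in parse_bind_failures(SAMPLE_LOG):
        print(f["time"], f["dn"], f["data"], f["win32"], f["meaning"])
```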
Planned restart of production services
by Evgheni Dereveanchin
Hi everyone,
I will be restarting several production systems within the following hour
to apply updates.
The following services may be unreachable for some period of time:
- resources.ovirt.org - package repositories
- jenkins.ovirt.org - CI master
- glance.ovirt.org - Glance image repository
Package repositories will be unreachable for a short period of time.
No new CI jobs will be started during this period.
I will announce once maintenance is complete.
--
Regards,
Evgheni Dereveanchin
5 years, 6 months
fence_rhevm not working with ovirt 4.3.4.2-1.el7 (RC2)
by Strahil Nikolov
Hello Community,
I'm sending this e-mail just to notify you that I have raised a bug for the fence_rhevm (RHEL 8) which has problems parsing the response from the oVirt's API.
The bug is: 1717179 – fence_rhevm cannot obtain plug status on oVirt 4.3.4.2-1.el7 (RC2)
I guess the package won't work also with RHV (unless the changes in the API are in a recent version).
Best Regards,
Strahil Nikolov
5 years, 6 months
Error importing kvm vm to oVirt 4.3.3: https://bugzilla.redhat.com/show_bug.cgi?id=1667488
by adrianquintero@gmail.com
Has a resolution for https://bugzilla.redhat.com/show_bug.cgi?id=1667488 been provided somewhere? I can't seem to find a workaround except to create an empty ISO domain.
Engine logs:
2019-06-04 14:17:45,364-04 INFO [org.ovirt.engine.core.bll.exportimport.ImportVmFromExternalProviderCommand] (default task-223) [f65d3feb-e76b-4e76-98f2-852152032a48] Lock Acquired to object 'EngineLock:{exclusiveLocks='[11553d4c-e084-4dfa-8ceb-6b00d62da19f=VM, testvm.mydomain.com=VM_NAME]', sharedLocks=''}'
2019-06-04 14:17:45,421-04 WARN [org.ovirt.engine.core.bll.exportimport.ImportVmFromExternalProviderCommand] (default task-223) [] Validation of action 'ImportVmFromExternalProvider' failed for user admin@internal-authz. Reasons: VAR__ACTION__IMPORT,VAR__TYPE__VM,ERROR_CANNOT_FIND_ISO_IMAGE_PATH
2019-06-04 14:17:45,422-04 INFO [org.ovirt.engine.core.bll.exportimport.ImportVmFromExternalProviderCommand] (default task-223) [] Lock freed to object 'EngineLock:{exclusiveLocks='[11553d4c-e084-4dfa-8ceb-6b00d62da19f=VM, testvm.mydomain.com=VM_NAME]', sharedLocks=''}'
Thanks,
AQ
5 years, 6 months
VM import doesn't see VMs on storage
by Dmitry Filonov
Hi,
I have 2 independent oVirt datacenters. Need to move some of the VMs from
DC1 to DC2.
So far the strategy was as simple as this -
1) connect new storage domain (NFS) to DC1
2) move VM disks to that storage
3) shut down VMs
4) disconnect storage from DC1
5) import same storage into DC2
6) import VMs from that storage and optionally move VM disks to storage
local to DC2.
Works fine for a dozen VMs until last Friday when I tried to import another
13 VMs into DC2 and VM import shows only 6. I can see disks in Disk import
tab, but not VMs.
I guess this is related to the fact that some of the VMs to be moved are
based on a template that is still on DC1. But how do I move these VMs then?
I can't move the template as
1) I still need it in DC1
2) it doesn't have any disks attached, so I can't really do the same steps
to move it.
Any ideas are very welcome here.
Thanks a lot.
--
Dmitry Filonov
Linux Administrator
SBGrid Core | Harvard Medical School
250 Longwood Ave, SGM-114
Boston, MA 02115
5 years, 6 months
Feature Request: oVirt to warn when VDO is getting full
by Strahil
Hello All,
I would like to ask how many of you use VDO before asking the oVirt Devs to assess a feature in oVirt for monitoring the size of the VDOs on hyperconverged systems.
I think such a warning will save a lot of headaches, but it will not be useful if most of the community is not using VDO at all.
Best Regards,
Strahil Nikolov
5 years, 6 months
SSO problem for Windows 7 VM (64)
by Harry Conings
Hi, I am new to oVirt, so I think I am missing something.
In my case ovirt-engine-extension-aaa-ldap-setup did not work and I am not a domain administrator, so I had to set it up by hand.
I can log in with my AD user into the VM portal, but SSO to a Windows 7 machine does not happen.
Thanks for your help
rgds
Harry
my files:
in /etc/ovirt-engine/aaa/zkf200mut.prd.properties
vars.user = CN=HARRY (Adm),OU=Administrative Accounts,OU=Operations,OU=203,DC=zkf200mut,DC=prd
vars.password = password
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = 10.63.123.22
pool.default.dc-resolve.default.serverset.type = single
pool.default.dc-resolve.serverset.single.server = 10.63.123.22
pool.default.socketfactory.type = java
/etc/ovirt-engine/extensions.d/zkf200mut.prd-authn.properties
ovirt.engine.extension.name = zkf200mut.prd-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = zkf200mut.prd
ovirt.engine.aaa.authn.authz.plugin = zkf200mut.prd
config.profile.file.1 = ../aaa/zkf200mut.prd.properties
/etc/ovirt-engine/extensions.d/zkf200mut.prd.properties
ovirt.engine.extension.name = zkf200mut.prd
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/zkf200mut.prd.properties
engine.log -> when I log in and click on the console of the VM
2019-06-04 12:24:30,442+02 INFO [org.ovirt.engine.core.bll.aaa.TerminateSessionsForTokenCommand] (default task-8) [354a4756] Running command: TerminateSessionsForTokenCommand internal: true.
2019-06-04 12:24:46,247+02 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-7) [] User m203hcon(a)zkf200mut.prd successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
2019-06-04 12:24:46,316+02 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-7) [d7805c4] Running command: CreateUserSessionCommand internal: false.
2019-06-04 12:24:46,331+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-7) [d7805c4] EVENT_ID: USER_VDC_LOGIN(30), User m203hcon@zkf200mut.prd(a)zkf200mut.prd connecting from '10.63.120.199' using session 'CGIKs/CP4HQdLoUhWAzsq996BKkMcKDrqdfHT1x/kIBzixxbNl/hle8BZCZmS2L/ehVZdoStH2JByXragQxeqw==' logged in.
2019-06-04 12:24:47,015+02 ERROR [org.ovirt.engine.core.bll.GetPermissionsForObjectQuery] (default task-3) [1e271632-b9f4-4bcc-8205-ccd8ff1421f6] Query execution failed due to insufficient permissions.
2019-06-04 12:24:47,017+02 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-3) [] Operation Failed: query execution failed due to insufficient permissions.
2019-06-04 12:24:50,106+02 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (default task-8) [6f85887f] Running command: SetVmTicketCommand internal: false. Entities affected : ID: 3985528e-5bd3-4d87-b766-361c7985788f Type: VMAction group CONNECT_TO_VM with role type USER
2019-06-04 12:24:50,118+02 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-8) [6f85887f] START, SetVmTicketVDSCommand(HostName = ovirtServer1.zkf200mut.prd, SetVmTicketVDSCommandParameters:{hostId='d28491ac-2c3b-4462-b24b-1c673155c644', vmId='3985528e-5bd3-4d87-b766-361c7985788f', protocol='SPICE', ticket='PzMAJhjN75ij', validTime='120', userName='m203hcon(a)zkf200mut.prd', userId='12f092ed-db4c-4ed0-b4bb-f3051c4fc677', disconnectAction='LOCK_SCREEN'}), log id: 103ea2
2019-06-04 12:24:50,150+02 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default task-8) [6f85887f] FINISH, SetVmTicketVDSCommand, return: , log id: 103ea2
2019-06-04 12:24:50,168+02 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-8) [6f85887f] EVENT_ID: VM_SET_TICKET(164), User m203hcon@zkf200mut.prd(a)zkf200mut.prd initiated console session for VM W203YZ001V
5 years, 6 months
Re: [External] Re: ovirt metrics - vm dashboard not working
by Jayme
I just get a blank output from that command. I'm running oVirt Node NG
4.3.3.1 hosts
On Mon, Jun 3, 2019 at 3:48 PM Morris, Roy <roy.morris(a)ventura.org> wrote:
> Jayme,
>
>
>
> Can you run the following command and report back with the results?
>
>
>
> #systemctl status selinux* -l
>
>
>
> Best regards,
>
> Roy Morris
>
> GSA Virtualization Systems Analyst
>
> County of Ventura
>
> (805) 654-3625
>
> (805) 603-9403
>
>
>
>
> *From:* Jayme <jaymef(a)gmail.com>
> *Sent:* Monday, June 3, 2019 11:40 AM
> *To:* users <users(a)ovirt.org>
> *Subject:* [External] [ovirt-users] Re: ovirt metrics - vm dashboard not
> working
>
>
>
>
>
>
>
> I'm seeing this in the journal for collectd on all of my hosts:
>
>
>
> collectd[18380]: write_syslog plugin: error with wr_send_message
> collectd[18380]: write_syslog plugin: Connecting to localhost:44514
> failed. The last error was: Connection refused
> collectd[18380]: write_syslog plugin: wr_callback_init failed.
> collectd[18380]: write_syslog plugin: error with wr_send_message
> collectd[18380]: write_syslog plugin: send failed with status -1
> (Connection reset by peer)
> collectd[18380]: write_syslog plugin: error with wr_send_message
> collectd[18380]: write_syslog plugin: send failed with status -1
> (Connection reset by peer)
>
>
>
> collectd and rsyslog are running, I tried restarting both. I can also
> telnet to port 44514 on localhost and it's responding.
>
>
>
>
>
> On Mon, Jun 3, 2019 at 3:12 PM Jayme <jaymef(a)gmail.com> wrote:
>
> I finally managed to get oVirt metrics store running. I loaded sample
> dashboards, searches and visualizations in to Kibana from
> /etc/ovirt-engine-metrics/dashboards-examples. When importing searches and
> visualizations there are warnings about missing index patterns.
>
>
>
> It appears that the "VM" dashboard is completely broken, no stats are
> showing on it at all including simple stats such as running VM count.
>
>
>
> The other two dashboards Hosts and System are working and showing all
> stats (sans VM count on the host dashboard).
>
>
>
> I believe I have a case here of either missing indexes or potentially an
> issue with the example dashboards? I can see that collectd is running on
> all hosts and has the virt plugin loaded.
>
>
>
> What part of the config is responsible for supplying the VM
> information/indexes?
>
>
5 years, 6 months
ovirt metrics - vm dashboard not working
by Jayme
I finally managed to get oVirt metrics store running. I loaded sample
dashboards, searches and visualizations in to Kibana from
/etc/ovirt-engine-metrics/dashboards-examples. When importing searches and
visualizations there are warnings about missing index patterns.
It appears that the "VM" dashboard is completely broken, no stats are
showing on it at all including simple stats such as running VM count.
The other two dashboards Hosts and System are working and showing all stats
(sans VM count on the host dashboard).
I believe I have a case here of either missing indexes or potentially an
issue with the example dashboards? I can see that collectd is running on
all hosts and has the virt plugin loaded.
What part of the config is responsible for supplying the VM
information/indexes?
5 years, 6 months