Batch delete Snapshots
by Christian Reiss
Hey folks,
quick question: Can this be made batch-able?
# gluster snapshot delete all
System contains 1 snapshot(s).
Do you still want to continue and delete them? (y/n)
So for a script I could do a snapshot, copy the contents and auto-remove
all snapshots after. I could go with snapshot list and act on those, but
this seems like it should be in the code?
-Chris.
--
with kind regards,
mit freundlichen Gruessen,
Christian Reiss
4 years, 8 months
Re: Safely disable firewalld [Ovirt 4.3]
by Strahil Nikolov
On April 22, 2020 6:33:40 PM GMT+03:00, Edson Richter <edsonrichter(a)hotmail.com> wrote:
>I'm in no way an ovirt expert. But as a Linux administrator, I would say
>that firewalld and iptables are "front-ends" to the kernel's internal security
>tables, so, at the end of the day, they will provide *almost* the same
>functionality.
>
>Seems that firewalld is able to activate modules without restarting the
>entire firewall infrastructure, which iptables is not capable of. This
>gives firewalld an advantage, especially where you would not have
>interruptions in existing stateful connections.
>
>I've used iptables *always* as replacement for firewalld because of
>almost 20 yrs using iptables - this is the first step in all about
>hundred Centos7 installations I've done past few years. I just can't
>throw away all my scripts that block hackers, provide 2 and 3 way
>"knock-knock" lockers, fail2ban customizations, nat rules, DMZ, and
>all, every time a new "firewall" front end appears. I've seen at least
>two or three "iptables killers tech" in the past, and iptables still is
>the king - at least for me.
>
>Again, repeating myself, I'm no ovirt specialist. Just a seasonal linux
>admin who will not jump from the iptables train yet.
>
>Perhaps, I would not recommend completely deactivating all firewall in
>any server! If it is the case, I would instead advise to just
>replace firewalld with iptables-service (at least, in Centos7) - but
>only in case you have too much to lose without iptables (as I do).
>
>Regards,
>
>Edson
>
>
>________________________________
>From: eevans(a)digitaldatatechs.com <eevans(a)digitaldatatechs.com>
>Sent: Wednesday, 22 April 2020 12:18
>To: francesco(a)shellrent.com <francesco(a)shellrent.com>;
>users(a)ovirt.org <users(a)ovirt.org>
>Subject: [ovirt-users] Re: Safely disable firewalld [Ovirt 4.3]
>
>If you log in to the cockpit, you can add services or custom ports
>easily. I would not disable the firewall.
><hostname:9090> for the cockpit.
>
>Eric Evans
>Digital Data Services LLC.
>304.660.9080
>
>
>-----Original Message-----
>From: francesco(a)shellrent.com <francesco(a)shellrent.com>
>Sent: Tuesday, April 21, 2020 12:54 PM
>To: users(a)ovirt.org
>Subject: [ovirt-users] Safely disable firewalld [Ovirt 4.3]
>
>Hi all,
>
>I was wondering if it's "safe" to disable the firewalld service entirely
>and manage the firewall only via iptables, on the host and on the
>hosted engine (a self-hosted engine). It would make managing the
>firewall rules a lot easier for me because of many automatisms I
>created based on iptables. Did anyone manage to do this? Any
>contraindication for doing this or precaution that I have to take care
>of?
>
>Thanks for your time and help,
>Francesco
>_______________________________________________
>Users mailing list -- users(a)ovirt.org
>To unsubscribe send an email to users-leave(a)ovirt.org Privacy
>Statement:
>https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
>oVirt Code of Conduct:
>https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ovi...
>List Archives:
>https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.o...
Keep in mind that I had some issues with oVirt (more than a year ago - so don't ask for details) when either firewalld or SELinux were down.
With so much experience in iptables it's understandable, but keep in mind that in CentOS/RHEL 8 the iptables command is just a translator to nftables - with limited capability, and I don't think that was a coincidence. With firewalld you can still achieve 90-95% of what you could do in iptables, while the rules are quite clear even for a new admin.
What I really like is that you can predefine the ports and protocols for a specific service and easily deploy it via salt or ansible.
Best Regards,
Strahil Nikolov
4 years, 8 months
Safely disable firewalld [Ovirt 4.3]
by francesco@shellrent.com
Hi all,
I was wondering if it's "safe" to disable the firewalld service entirely and manage the firewall only via iptables, on the host and on the hosted engine (a self-hosted engine). It would make managing the firewall rules a lot easier for me because of many automatisms I created based on iptables. Did anyone manage to do this? Any contraindication for doing this or precaution that I have to take care of?
Thanks for your time and help,
Francesco
4 years, 8 months
Re: oVirt and KeyCloak integration
by Artur Socha
On Wed, 2020-04-22 at 10:42 +0000, Anton Louw wrote:
>
>
> Ok so this is definitely looking better. I get an error, but at least now it
> is saying: “The user admin@openidchttp is not authorized to perform login”
>
> This is strange though, because admin by default should be allowed access?
Well, yes and no :)
In order for a user to be considered admin (for ovirt engine) it must belong to
keycloak's ovirt-administrator group (in keycloak admin panel see
Manage->Groups->Members).
I think you are very close to having it up and running.
>
> From: Anton Louw
> Sent: 22 April 2020 12:38
> To: Artur Socha <asocha(a)redhat.com>; users(a)ovirt.org
> Subject: RE: [ovirt-users] oVirt and KeyCloak integration
>
> Perfect, I’ll test and let you know.
>
> Thanks
>
> From: Artur Socha <asocha(a)redhat.com>
> Sent: 22 April 2020 12:32
> To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> Subject: Re: [ovirt-users] oVirt and KeyCloak integration
>
> + users(a)ovirt.org
>
> On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
> >
> >
> > Hi Artur,
> >
> > I would just like to make sure I am following correctly, comparing your
> > entries against mine.
> >
> > Your setup:
> > ...
> > config.mapAuthRecord.regex.pattern =
> > ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > ...
> >
> >
> > My setup:
> > …
> > config.mapAuthRecord.regex.pattern =
> > ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > …
> >
> > Should I add the additional 2 “\\” in on my side?
>
>
> Yes, please try adding it. In my case I learned about this issue by debugging
> the code because the real exception generated by incorrect regexp syntax was
> hidden behind a generic error message giving no clues about the true cause.
>
> >
> > Your setup:
> > ...
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-
> > http-auth)|^/ovirt-engine/callback>
> > <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >
> > Require valid-user
> > AuthType openid-connect
> >
> > ErrorDocument 401 "<html><meta http-equiv=\"refresh\"content=\"0;
> > url=/ovirt-engine/sso/login-unauthorized\"/><body><ahref=\"/ovirt-
> > engine/sso/login-unauthorized\">Here</a></body></html>"
> > </If>
> > </LocationMatch>
> > …
> >
> > My setup:
> > …
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-
> > http-auth)|^/ovirt-engine/callback>
> > <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >
> > Require valid-user
> > AuthType openid-connect
> >
> > ErrorDocument 401 "<html><meta http-equiv='refresh' content='0;
> > url=/ovirt-engine/sso/login-unauthorized'/><body><a href='/ovirt-
> > engine/sso/login-unauthorized'>Here</a></body></html>"
> > </If>
> > </LocationMatch>
> > …
> >
> > I remember I had syntax errors, but mine was changed.
> >
> > Does this look fine to you?
>
>
> Yeah, your version looks good too. You have ' instead of " so that is ok.
>
>
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
> T: 087 805 0000 | D: 087 805 1572
> M: N/A
> E: anton.louw(a)voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
> > Thanks
> >
> >
> >
> > Anton Louw
> > Cloud Engineer: Storage and Virtualization at Vox
> > T: 087 805 0000 | D: 087 805 1572
> > M: N/A
> > E: anton.louw(a)voxtelecom.co.za
> > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> > www.vox.co.za
> > From: Anton Louw
> > Sent: 22 April 2020 10:07
> > To: Artur Socha <asocha(a)redhat.com>
> > Subject: RE: [ovirt-users] oVirt and KeyCloak integration
> >
> > Hi Artur,
> >
> > Great, I will try the below and let you know. I appreciate your efforts.
> >
> > Sure, you may report it, I was in such a rush that I only hit “reply” and
> > not “Reply All”
> >
> > I do recall that I had to make some changes to the below as it
> > complained about syntax errors:
> >
> > ErrorDocument 401 "<html><meta http-equiv=\"refresh\"
> > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a
> > href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> > </If>
> > </LocationMatch>
> >
> > I will let you know the outcome when I change the below as you suggested.
> >
> > Cheers
> >
> > From: Artur Socha <asocha(a)redhat.com>
> > Sent: 22 April 2020 09:51
> > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>
> > Subject: Re: [ovirt-users] oVirt and KeyCloak integration
> >
> > I checked your logs and I did not notice anything suspicious.
> > However, now I recall I made some changes compared to blog post
> > example:
> >
> > 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
> > I added escaping in regexp for '\'
> > ...
> > config.mapAuthRecord.regex.pattern =
> > ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> > ...
> >
> > 2) /etc/httpd/ovirt-openidc.conf
> > Escaping for '"' in error document snippet
> > ...
> > <LocationMatch ^/ovirt-engine/sso/(interactive-login-
> > negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
> > <If "req('Authorization') !~ /^(Bearer|Basic)/i">
> >
> > Require valid-user
> > AuthType openid-connect
> >
> > ErrorDocument 401 "<html><meta http-equiv=\"refresh\"
> > content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a
> > href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
> > </If>
> > </LocationMatch>
> >
> > ...
> >
> > These two issues were most probably caused by the blog site rendering.
> >
> >
> > You might want to check engine.log (or server.log not really sure which
> > one was that) for aaa extension initialization logs. They should
> > appear at the beginning just after restarting engine.
> >
> > Unfortunately, at the moment I do not have running keycloak setup (I
> > used to have a local VM) but I will try to find some time to set it up
> > again once I'm done with another work item that actually consumes
> > almost entire disk space for my 2 machines)
> >
> > Please let me know if anything changes after applying these config
> > changes. If this works for you then I will request the blog post to be
> > updated.
> >
> > Do you mind if I keep (re-post) this discussion back to users@ovirt in
> > case others might have similar issues with keycloak integration?
> >
> > A.
> >
> > On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
> > >
> > >
> > > Hi Artur,
> > >
> > > Thank you for the reply. The post [1] is actually the main source of
> > > information I worked from in order to get everything configured. In
> > > the post [1] I ran through the whole testing section, and everything
> > > works as expected. I can see the VMs etc. when using the python
> > > script.
> > >
> > > In my case we are not using ldap as a provider, I tried using
> > > keycloak directly as a provider, I am not sure if that is where I am
> > > going wrong?
> > >
> > > I have attached the last part of the apache ssl_access_log when I
> > > tried logging in this morning. I have also attached the engine log.
> > >
> > > Thanks
> > >
> > >
> > > Anton Louw
> > > Cloud Engineer: Storage and Virtualization at Vox
> > > T: 087 805 0000 | D: 087 805 1572
> > > M: N/A
> > > E: anton.louw(a)voxtelecom.co.za
> > > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> > > www.vox.co.za
> > > From: Artur Socha <asocha(a)redhat.com>
> > > Sent: 21 April 2020 15:20
> > > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> > > Subject: Re: [ovirt-users] oVirt and KeyCloak integration
> > >
> > > On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
> > > >
> > > >
> > > > Hi Everybody,
> > > >
> > > >
> > > Hi Anton,
> > >
> > > > Has anybody gone the route of using KeyCloak to login to oVirt?
> > > > KeyCloak has been configured and the necessary configs have also
> > > been
> > > > done on the engine. It redirects perfectly from the oVirt Web Login
> > > > page to KeyCloak, but after logging into KeyCloak, I get redirected
> > > > back to the oVirt Web Login. When trying to login again, I get the
> > > > below error:
> > > >
> > > >
> > > >
> > > > server_error: Missing parameter: 'params'
> > > >
> > >
> > > Not so long ago I managed to set up ovirt engine with keycloak (using
> > > ldap as users provider). Hopefully, I would be able to help you with
> > > it.
> > >
> > > There is an excellent blog post [1] available. You might also check the
> > > keycloak+ldap post [2]; however, when I was working on the
> > > integration
> > > I was not aware of it and did not test it.
> > >
> > > The error you mentioned does not really indicate what exactly is
> > > wrong
> > > but it might suggest that there is some sort of misconfiguration with
> > > apache (you need to install and configure mod_auth_openidc as
> > > described
> > > at [1]). At least that happened in my case.
> > >
> > > In case you have already gone through it you could probably check
> > > apache logs.
> > >
> > > Under [1] there is a python script that can be used to check api
> > > calls,
> > > please update username/password and test it against your environment.
> > >
> > >
> > > Would it be possible to post the relevant piece of apache logs together with
> > > engine.log?
> > >
> > >
> > > [1]
> > >
> > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o...
> > > [2]
> > >
> > https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-...
> > >
> > > Artur
> > >
> > >
> > >
> > > > I have checked all the logs, but nothing is telling me what exactly
> > > > the issue is.
> > > >
> > > > If anybody has any idea, please let me know.
> > > >
> > > > Thanks
> > > >
> > > > Anton Louw
> > > > Cloud Engineer: Storage and Virtualization at Vox
> > > > T: 087 805 0000 | D: 087 805 1572
> > > > M: N/A
> > > > E: anton.louw(a)voxtelecom.co.za
> > > > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> > > > www.vox.co.za
> > > > Disclaimer
> > > > The contents of this email are confidential to the sender and the
> > > > intended recipient. Unless the contents are clearly and entirely of
> > > a
> > > > personal nature, they are subject to copyright in favour of the
> > > > holding company of the Vox group of companies. Any recipient who
> > > > receives this email in error should immediately report the error to
> > > > the sender and permanently delete this email from all storage
> > > > devices.
> > > >
> > > > This email has been scanned for viruses and malware, and may have
> > > > been automatically archived by Mimecast Ltd, an innovator in
> > > Software
> > > > as a Service (SaaS) for business. Providing a safer and more useful
> > > > place for your human generated data. Specializing in; Security,
> > > > archiving and compliance. To find out more Click Here.
> > > >
> > > >
> > > > _______________________________________________
> > > > Users mailing list -- users(a)ovirt.org
> > > > To unsubscribe send an email to users-leave(a)ovirt.org
> > > > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > > > oVirt Code of Conduct:
> > > > https://www.ovirt.org/community/about/community-guidelines/
> > > > List Archives:
> > > >
> > >
> > https://lists.ovirt.org/archives/list/users@ovirt.org/message/S4I2I3MID4A...
> > >
> >
>
>
4 years, 8 months
Re: oVirt and KeyCloak integration
by Anton Louw
Ok so this is definitely looking better. I get an error, but at least now it is saying: “The user admin@openidchttp is not authorized to perform login”
This is strange though, because admin by default should be allowed access?
Anton Louw
Cloud Engineer: Storage and Virtualization
______________________________________
D: 087 805 1572 | M: N/A
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
anton.louw(a)voxtelecom.co.za
www.vox.co.za
From: Anton Louw
Sent: 22 April 2020 12:38
To: Artur Socha <asocha(a)redhat.com>; users(a)ovirt.org
Subject: RE: [ovirt-users] oVirt and KeyCloak integration
Perfect, I’ll test and let you know.
Thanks
From: Artur Socha <asocha(a)redhat.com>
Sent: 22 April 2020 12:32
To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
Subject: Re: [ovirt-users] oVirt and KeyCloak integration
+ users(a)ovirt.org
On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
Hi Artur,
I would just like to make sure I am following correctly, comparing your entries against mine.
Your setup:
...
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
...
My setup:
…
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
…
Should I add the additional 2 “\\” in on my side?
Yes, please try adding it. In my case I learned about this issue by debugging the code because the real exception generated by incorrect regexp syntax was hidden behind a generic error message giving no clues about the true cause.
Your setup:
...
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
<If "req('Authorization') !~ /^(Bearer|Basic)/i">
Require valid-user
AuthType openid-connect
ErrorDocument 401 "<html><meta http-equiv=\"refresh\"content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><ahref=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
</If>
</LocationMatch>
…
My setup:
…
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
<If "req('Authorization') !~ /^(Bearer|Basic)/i">
Require valid-user
AuthType openid-connect
ErrorDocument 401 "<html><meta http-equiv='refresh' content='0; url=/ovirt-engine/sso/login-unauthorized'/><body><a href='/ovirt-engine/sso/login-unauthorized'>Here</a></body></html>"
</If>
</LocationMatch>
…
I remember I had syntax errors, but mine was changed.
Does this look fine to you?
Yeah, your version looks good too. You have ' instead of " so that is ok.
Thanks
Anton Louw
Cloud Engineer: Storage and Virtualization at Vox
________________________________
T: 087 805 0000 | D: 087 805 1572
M: N/A
E: anton.louw(a)voxtelecom.co.za
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
www.vox.co.za
From: Anton Louw
Sent: 22 April 2020 10:07
To: Artur Socha <asocha(a)redhat.com>
Subject: RE: [ovirt-users] oVirt and KeyCloak integration
Hi Artur,
Great, I will try the below and let you know. I appreciate your efforts.
Sure, you may report it, I was in such a rush that I only hit “reply” and not “Reply All”
I do recall that I had to make some changes to the below as it complained about syntax errors:
ErrorDocument 401 "<html><meta http-equiv=\"refresh\"
content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a
href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
</If>
</LocationMatch>
I will let you know the outcome when I change the below as you suggested.
Cheers
From: Artur Socha <asocha(a)redhat.com>
Sent: 22 April 2020 09:51
To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>
Subject: Re: [ovirt-users] oVirt and KeyCloak integration
I checked your logs and I did not notice anything suspicious.
However, now I recall I made some changes compared to blog post
example:
1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
I added escaping in regexp for '\'
...
config.mapAuthRecord.regex.pattern =
^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
...
2) /etc/httpd/ovirt-openidc.conf
Escaping for '"' in error document snippet
...
<LocationMatch ^/ovirt-engine/sso/(interactive-login-
negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
<If "req('Authorization') !~ /^(Bearer|Basic)/i">
Require valid-user
AuthType openid-connect
ErrorDocument 401 "<html><meta http-equiv=\"refresh\"
content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a
href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
</If>
</LocationMatch>
...
These two issues were most probably caused by the blog site rendering.
You might want to check engine.log (or server.log not really sure which
one was that) for aaa extension initialization logs. They should
appear at the beginning just after restarting engine.
Unfortunately, at the moment I do not have running keycloak setup (I
used to have a local VM) but I will try to find some time to set it up
again once I'm done with another work item that actually consumes
almost entire disk space for my 2 machines)
Please let me know if anything changes after applying these config
changes. If this works for you then I will request the blog post to be
updated.
Do you mind if I keep (re-post) this discussion back to users@ovirt in
case others might have similar issues with keycloak integration?
A.
On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
>
>
> Hi Artur,
>
> Thank you for the reply. The post [1] is actually the main source of
> information I worked from in order to get everything configured. In
> the post [1] I ran through the whole testing section, and everything
> works as expected. I can see the VMs etc. when using the python
> script.
>
> In my case we are not using ldap as a provider, I tried using
> keycloak directly as a provider, I am not sure if that is where I am
> going wrong?
>
> I have attached the last part of the apache ssl_access_log when I
> tried logging in this morning. I have also attached the engine log.
>
> Thanks
>
>
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
> T: 087 805 0000 | D: 087 805 1572
> M: N/A
> E: anton.louw(a)voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
> From: Artur Socha <asocha(a)redhat.com>
> Sent: 21 April 2020 15:20
> To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> Subject: Re: [ovirt-users] oVirt and KeyCloak integration
>
> On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
> >
> >
> > Hi Everybody,
> >
> >
> Hi Anton,
>
> > Has anybody gone the route of using KeyCloak to login to oVirt?
> > KeyCloak has been configured and the necessary configs have also
> been
> > done on the engine. It redirects perfectly from the oVirt Web Login
> > page to KeyCloak, but after logging into KeyCloak, I get redirected
> > back to the oVirt Web Login. When trying to login again, I get the
> > below error:
> >
> >
> >
> > server_error: Missing parameter: 'params'
> >
>
> Not so long ago I managed to set up ovirt engine with keycloak (using
> ldap as users provider). Hopefully, I would be able to help you with
> it.
>
> There is an excellent blog post [1] available. You might also check the
> keycloak+ldap post [2]; however, when I was working on the
> integration
> I was not aware of it and did not test it.
>
> The error you mentioned does not really indicate what exactly is
> wrong
> but it might suggest that there is some sort of misconfiguration with
> apache (you need to install and configure mod_auth_openidc as
> described
> at [1]). At least that happened in my case.
>
> In case you have already gone through it you could probably check
> apache logs.
>
> Under [1] there is a python script that can be used to check api
> calls,
> please update username/password and test it against your environment.
>
>
> Would it be possible to post the relevant piece of apache logs together with
> engine.log?
>
>
> [1]
> https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o...
> [2]
> https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-...
>
> Artur
>
>
>
> > I have checked all the logs, but nothing is telling me what exactly
> > the issue is.
> >
> > If anybody has any idea, please let me know.
> >
> > Thanks
> >
> > Anton Louw
> > Cloud Engineer: Storage and Virtualization at Vox
> > T: 087 805 0000 | D: 087 805 1572
> > M: N/A
> > E: anton.louw(a)voxtelecom.co.za
> > A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> > www.vox.co.za
> >
>
4 years, 8 months
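The `\\` versus `\\\\` question in the thread above, as an added example (not code from the thread, the oVirt blog post or the engine): a JavaScript rendering of what happens to the `config.mapAuthRecord.regex.pattern` value. A Java .properties value is unescaped once when it is loaded, and only the result reaches the regex compiler, so `\\(` in the file becomes `\(` and swallows the group's opening parenthesis, while `\\\\(` becomes the intended literal backslash followed by the `(?<at>@)` group. JavaScript is used because its `(?<name>...)` groups and backslash escaping read the same as Java's for this pattern; the helper names and the sample principals are assumptions.

```javascript
// Added example, not from the oVirt blog post, the thread or the engine.
// A Java .properties file is an escaping layer of its own: "\\" in the
// file loads as one backslash, which the regex compiler then treats as an
// escape for the character after it. Helper names and the sample
// principals below are assumptions.

// Subset of java.util.Properties value unescaping that matters here:
// a backslash escapes the next character; "\\" -> "\", "\t" "\n" "\r" "\f"
// become control characters, and any other "\x" -> "x".
// (\uXXXX escapes and line continuations are not handled.)
function unescapePropertiesValue(raw) {
  const special = { t: "\t", n: "\n", r: "\r", f: "\f" };
  let out = "";
  for (let i = 0; i < raw.length; i++) {
    const ch = raw[i];
    if (ch !== "\\") { out += ch; continue; }
    i += 1;
    if (i >= raw.length) break; // a trailing lone backslash is dropped
    const next = raw[i];
    out += special[next] !== undefined ? special[next] : next;
  }
  return out;
}

// The two file values exactly as they appear in the thread
// ("Your setup" with four backslashes, "My setup" with two).
const PATTERN_WITH_DOUBLE_ESCAPE =
  String.raw`^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$`;
const PATTERN_AS_RENDERED_ON_BLOG =
  String.raw`^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$`;

// Compile what the regex engine actually receives. Returns
// { ok: true, source, regex } or { ok: false, source, error } so the
// caller can surface the real syntax error instead of a generic one.
function compileMappingPattern(fileValue) {
  const source = unescapePropertiesValue(fileValue);
  try {
    return { ok: true, source, regex: new RegExp(source) };
  } catch (e) {
    return { ok: false, source, error: e.message };
  }
}

// Apply the mapping to a principal string. Returns the named groups
// ("" for a group that did not take part) or null when nothing matched;
// throws when the file value does not compile.
function mapAuthRecord(fileValue, principal) {
  const compiled = compileMappingPattern(fileValue);
  if (!compiled.ok) {
    throw new Error("mapAuthRecord regex does not compile: " + compiled.error);
  }
  const m = compiled.regex.exec(principal);
  if (m === null) return null;
  const g = m.groups;
  return {
    user: g.user || "",
    at: g.at || "",
    suffix: g.suffix || "",
    realm: g.realm || "",
  };
}

// Stand-alone demo: both file values, then the principal from the thread
// and a constructed one carrying an escaped "@" in the user part.
for (const [label, value] of [
  [String.raw`\\\\ in file (Artur's setup)`, PATTERN_WITH_DOUBLE_ESCAPE],
  [String.raw`\\ in file (blog rendering)`, PATTERN_AS_RENDERED_ON_BLOG],
]) {
  const c = compileMappingPattern(value);
  console.log(label, "-> engine sees:", c.source, c.ok ? "OK" : "ERROR: " + c.error);
}
console.log(mapAuthRecord(PATTERN_WITH_DOUBLE_ESCAPE, "admin@openidchttp"));
console.log(mapAuthRecord(PATTERN_WITH_DOUBLE_ESCAPE, "admin\\@example.org@openidchttp"));
```

Note that the string the engine sees after unescaping the four-backslash file value is exactly the two-backslash text the blog rendered, which is why the rendered version cannot be pasted into the properties file as-is.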
Re: oVirt and KeyCloak integration
by Artur Socha
+ users(a)ovirt.org
On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
>
>
>
> Hi Artur,
>
>
>
> I would just like to make sure I am following correctly, comparing your
> entries against mine.
>
>
>
>
> Your setup:
>
> ...
>
> config.mapAuthRecord.regex.pattern =
> ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
>
> ...
>
>
>
>
>
> My setup:
>
> …
>
> config.mapAuthRecord.regex.pattern =
> ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
>
> …
>
>
>
> Should I add the additional 2 “\\” in on my side?
Yes, please try adding it. In my case I learned about this issue by debugging
the code because the real exception generated by incorrect regexp syntax was
hidden behind a generic error message giving no clues about the true cause.
>
>
> Your setup:
>
> ...
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-
> http-auth)|^/ovirt-engine/callback>
>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>
>
>
> Require valid-user
>
> AuthType openid-connect
>
>
>
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\"content=\"0; url=/ovirt-
> engine/sso/login-unauthorized\"/><body><ahref=\"/ovirt-engine/sso/login-
> unauthorized\">Here</a></body></html>"
>
> </If>
>
> </LocationMatch>
>
> …
>
>
>
> My setup:
>
> …
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-
> http-auth)|^/ovirt-engine/callback>
>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>
>
>
> Require valid-user
>
> AuthType openid-connect
>
>
>
> ErrorDocument 401 "<html><meta http-equiv='refresh' content='0;
> url=/ovirt-engine/sso/login-unauthorized'/><body><a href='/ovirt-
> engine/sso/login-unauthorized'>Here</a></body></html>"
>
> </If>
>
> </LocationMatch>
>
> …
>
>
>
> I remember I had syntax errors, but mine was changed.
>
>
>
> Does this look fine to you?
>
Yeah, your version looks good too. You have ' instead of " so that is ok.
> Thanks
>
>
>
>
>
>
>
> Anton Louw
>
>
> Cloud Engineer: Storage and Virtualization at Vox
>
>
>
>
>
>
> T: 087 805 0000 | D: 087 805 1572
> M: N/A
>
> E: anton.louw(a)voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
>
> www.vox.co.za
>
> From: Anton Louw
>
>
> Sent: 22 April 2020 10:07
>
> To: Artur Socha <asocha(a)redhat.com>
>
> Subject: RE: [ovirt-users] oVirt and KeyCloak integration
>
>
>
> Hi Artur,
>
> Great, I will try the below and let you know. I appreciate your efforts.
>
>
> Sure, you may report it, I was in such a rush that I only hit “reply” and not
> “Reply All”
>
> I do recall that I had to make some changes to the below as it complained
> about syntax errors:
>
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\"
>
> content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a
>
> href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>
> </If>
>
> </LocationMatch>
>
> I will let you know the outcome when I change the below as you suggested.
>
> Cheers
>
>
>
> From: Artur Socha <asocha(a)redhat.com>
>
>
> Sent: 22 April 2020 09:51
>
> To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>
>
> Subject: Re: [ovirt-users] oVirt and KeyCloak integration
>
>
>
> I checked your logs and I did not notice anything suspicious.
>
>
> However, now I recall I made some changes compared to blog post
>
> example:
>
>
>
> 1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
>
> I added escaping in regexp for '\'
>
> ...
>
> config.mapAuthRecord.regex.pattern =
>
> ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
>
> ...
>
>
>
> 2) /etc/httpd/ovirt-openidc.conf
>
> Escaping for '"' in error document snippet
>
> ...
>
> <LocationMatch ^/ovirt-engine/sso/(interactive-login-
>
> negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
>
> <If "req('Authorization') !~ /^(Bearer|Basic)/i">
>
>
>
> Require valid-user
>
> AuthType openid-connect
>
>
>
> ErrorDocument 401 "<html><meta http-equiv=\"refresh\"
>
> content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a
>
> href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
>
> </If>
>
> </LocationMatch>
>
>
>
> ...
>
>
>
> These two issues were most probably caused by the blog site rendering.
>
>
>
>
>
> You might want to check engine.log (or server.log not really sure which
>
> one was that) for aaa extension initialization logs. They should
>
> appear at the beginning just after restarting engine.
>
>
>
> Unfortunately, at the moment I do not have running keycloak setup (I
>
> used to have a local VM) but I will try to find some time to set it up
>
> again once I'm done with another work item that actually consumes
>
> almost entire disk space for my 2 machines)
>
>
>
> Please let me know if anything changes after applying these config
>
> changes. It this works for you then I will request the blog post to be
>
> updated.
>
>
>
> Do you mind if I keep(re-post) this discussion back to users@ovirt in
>
> case other might have similar issues with keycloak integration?
>
>
>
> A.
>
>
>
> On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
> >
> > Hi Artur,
> >
> > Thank you for the reply. The post [1] is actually the main source of
> > information I worked from in order to get everything configured. In
> > the post [1] I ran through the whole testing section, and everything
> > works as expected. I can see the VMs etc. when using the python
> > script.
> >
> > In my case we are not using ldap as a provider, I tried using
> > keycloak directly as a provider, I am not sure if that is where I am
> > going wrong?
> >
> > I have attached the last part of the apache ssl_access_log when I
> > tried logging in this morning. I have also attached the engine log.
> >
> > Thanks
> >
> > Anton Louw
> > Cloud Engineer: Storage and Virtualization at Vox
> >
> > From: Artur Socha <asocha(a)redhat.com>
> > Sent: 21 April 2020 15:20
> > To: Anton Louw <Anton.Louw(a)voxtelecom.co.za>; users(a)ovirt.org
> > Subject: Re: [ovirt-users] oVirt and KeyCloak integration
> >
> > On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
> > >
> > > Hi Everybody,
> > >
> > Hi Anton,
> >
> > > Has anybody gone the route of using KeyCloak to login to oVirt?
> > > KeyCloak has been configured and the necessary configs have also been
> > > done on the engine. It redirects perfectly from the oVirt Web Login
> > > page to KeyCloak, but after logging into KeyCloak, I get redirected
> > > back to the oVirt Web Login. When trying to login again, I get the
> > > below error:
> > >
> > > server_error: Missing parameter: 'params'
> > >
> > Not so long ago I managed to setup ovirt engine with keycloak (using
> > ldap as users provider). Hopefully, I would be able to help you with
> > it.
> >
> > There is an excellent blog post [1] available. You might also check the
> > keycloak+ldap post [2], however, when I was working on the integration
> > I was not aware of it and did not test it.
> >
> > The error you mentioned does not really indicate what exactly is wrong
> > but it might suggest that there is some sort of misconfiguration with
> > apache (you need to install and configure mod_auth_openidc as described
> > at [1]). At least that happened in my case.
> >
> > In case you have already gone through it you could probably check the
> > apache logs.
> >
> > Under [1] there is a python script that can be used to check api calls,
> > please update username/password and test it against your environment.
> >
> > Would it be possible to post the relevant piece of apache logs together with
> > engine.log?
> >
> > [1] https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o...
> > [2] https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-...
> >
> > Artur
> >
> > > I have checked all the logs, but nothing is telling me what exactly
> > > the issue is.
> > >
> > > If anybody has any idea, please let me know.
> > >
> > > Thanks
> > >
> > > Anton Louw
> > > Cloud Engineer: Storage and Virtualization at Vox
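As an added illustration (not part of the thread, and not oVirt's own code): the mapping pattern Artur quotes above, run through Java-style .properties unescaping and a Python regexp, showing what the named groups extract from a principal and why the backslash must be doubled twice in the file. It assumes the extension reads the file with standard Java properties escaping; the collapsed-backslash line is constructed here to reproduce the lost-escaping symptom, not copied from the blog post.

```python
import re

# Pattern line as posted for openid-http-mapping.properties: four backslashes
# in the file, so the regexp engine ends up seeing one literal backslash.
PROPERTIES_LINE = (
    r"config.mapAuthRecord.regex.pattern = "
    r"^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$"
)

# Constructed variant with the backslashes collapsed to two, the kind of damage
# a web renderer does to escape characters. Not taken from the blog post.
COLLAPSED_LINE = (
    r"config.mapAuthRecord.regex.pattern = "
    r"^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$"
)


def properties_value(line: str) -> str:
    """Value of a 'key = value' line after Java .properties unescaping: a
    backslash escapes the next character, so each pair collapses to one."""
    _, _, raw = line.partition("=")
    raw = raw.strip()
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def compile_java_regex(pattern: str) -> re.Pattern:
    """Java spells named groups (?<name>...); Python's re wants (?P<name>...).
    Raises re.error for a malformed pattern, as Java's compile would throw."""
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern))


def pattern_is_valid(line: str) -> bool:
    """True if the pattern carried by this properties line compiles at all."""
    try:
        compile_java_regex(properties_value(line))
        return True
    except re.error:
        return False


def map_auth_record(line: str, principal: str) -> dict:
    """Apply the mapping pattern to a principal and return the non-empty named
    groups ({} when nothing matches), i.e. what the mapper gets to work with."""
    m = compile_java_regex(properties_value(line)).match(principal)
    return {k: v for k, v in m.groupdict().items() if v} if m else {}
```

With the collapsed line, `\\(` becomes an escaped parenthesis after unescaping, so the group structure is unbalanced and the pattern no longer compiles.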
Mirror oVirt content
by adrianquintero@gmail.com
Hello oVirt Community / infrastructure team,
we would like to get guidance on how to mirror the oVirt content publicly. We replicate content using our own networks so we'd only be pulling the content from the oVirt content server from one location in Chicago.
Please advise.
Thank you,
Adrian
Re: oVirt and KeyCloak integration
by Artur Socha
On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
>
> Hi Everybody,
>
Hi Anton,
> Has anybody gone the route of using KeyCloak to login to oVirt?
> KeyCloak has been configured and the necessary configs have also been
> done on the engine. It redirects perfectly from the oVirt Web Login
> page to KeyCloak, but after logging into KeyCloak, I get redirected
> back to the oVirt Web Login. When trying to login again, I get the
> below error:
>
> server_error: Missing parameter: 'params'
>
Not so long ago I managed to setup ovirt engine with keycloak (using
ldap as users provider). Hopefully, I would be able to help you with
it.
There is an excellent blog post [1] available. You might also check the
keycloak+ldap post [2], however, when I was working on the integration
I was not aware of it and did not test it.
The error you mentioned does not really indicate what exactly is wrong
but it might suggest that there is some sort of misconfiguration with
apache (you need to install and configure mod_auth_openidc as described
at [1]). At least that happened in my case.
In case you have already gone through it you could probably check the
apache logs.
Under [1] there is a python script that can be used to check api calls,
please update username/password and test it against your environment.
Would it be possible to post the relevant piece of apache logs together with
engine.log?
[1] https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o...
[2] https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-...
Artur
> I have checked all the logs, but nothing is telling me what exactly
> the issue is.
>
> If anybody has any idea, please let me know.
>
> Thanks
>
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
oVirt and KeyCloak integration
by Anton Louw
Hi Everybody,
Has anybody gone the route of using KeyCloak to login to oVirt? KeyCloak has been configured and the necessary configs have also been done on the engine. It redirects perfectly from the oVirt Web Login page to KeyCloak, but after logging into KeyCloak, I get redirected back to the oVirt Web Login. When trying to login again, I get the below error:
server_error: Missing parameter: 'params'
I have checked all the logs, but nothing is telling me what exactly the issue is.
If anybody has any idea, please let me know.
Thanks
Anton Louw
Cloud Engineer: Storage and Virtualization
Migrate engine to another storage domain without losing engine settings?
by Simon Nylund
Have been trying to figure out a simple way of migrating our hosted-engine to another storage domain, while keeping the data on the same domain.
Is there any safe way of doing this? Fortunately I've only tested this in a dev environment, where I ended up not being able to restore the backup I did.
The only way I got it to work was to deploy a fresh engine attached to the new storage domain, and then import the data storage domain containing the vms.
The problem with that is that I lose all the settings I had in my hosted engine, and the hosts.