On Mon, Aug 8, 2022 at 9:47 AM Yedidyah Bar David <didi(a)redhat.com> wrote:
On Sun, Aug 7, 2022 at 6:34 AM P F <pat(a)patfruth.com> wrote:
>
> I'm unable to recreate the original problem.
>
> The good news is, the process moves past the engine_setup now.
> The ovirt-engine server actually starts, and is exposed on
> https://<ovirthost>:6900/ovirt-engine
>
> The bad news is, when I try to access the engine Web UI at that URL, I get a
> '500 Internal Server Error'.
> I don't see any obvious errors in the log files in /var/log/ovirt-engine
Can you check/share all of /var/log/ovirt-engine and /var/log/httpd?
>
> I'm able to access the URL https://<ovirthost>:6900/ovirt-engine
> However, as soon as I click the "Administration Portal" link on the main
> page, I see the '500 Internal Server Error'
>
> I do notice the following error in /var/log/httpd/ssl_error_log;
>
> [Sat Aug 06 18:45:32.106641 2022] [auth_openidc:error] [pid 1648:tid 139896547178240] [client 192.168.222.3:58098] oidc_authenticate_user: the URL hostname (ovirt-engine.internal.net) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (ovirt-node04.internal.net): the "state" and "session" cookies will not be shared between the two!, referer: https://ovirt-node04.internal.net:6900/ovirt-engine/
I am not an expert on how this should work. Adding Martin. In any
case, this sounds like a bug to me, even though not sure it's
possible/easy to fix - would you like to create one?
>
> The error above would suggest that it will not be possible to access the engine Web
> UI which is temporarily exposed on port 6900.
Seems so.
> How has this ever been possible in the past?
Most likely this is a result of enabling keycloak integration. Perhaps
you can try again and answer 'No' to 'Configure Keycloak integration
on the engine'. If this works, it might be the simplest way for now -
you can enable keycloak integration later if you want.
> What do I need to do in order to access the engine Web UI, since I need to configure
> the hosts's network to include several VLANs necessary to complete the restore of the
> engine DB?
I am just guessing here, not knowing anything about openidc. Perhaps
it does not like being accessed as a different hostname and/or port.
The engine does not like this either, but we "convince" it:
[1]
https://github.com/oVirt/ovirt-ansible-collection/blob/master/roles/hoste...
- name: Allow the webadmin UI to be accessed over the first host
  block:
    - name: Saving original value
      ansible.builtin.replace:
        path: /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
        regexp: '^(SSO_ALTERNATE_ENGINE_FQDNS=.*)'
        replace: '#\1 # pre hosted-engine-setup'
    - name: Adding new SSO_ALTERNATE_ENGINE_FQDNS line
      ansible.builtin.lineinfile:
        path: /etc/ovirt-engine/engine.conf.d/11-setup-sso.conf
        line: 'SSO_ALTERNATE_ENGINE_FQDNS="{{ he_host_address }}" # hosted-engine-setup'
But this isn't mandatory, it's just a convenience we added at some point.
Instead, you can do something similar to what we do to allow access on
port 6900:
[2]
https://github.com/oVirt/ovirt-ansible-collection/blob/master/roles/hoste...
- name: Open a port on firewalld
  ansible.builtin.command: firewall-cmd --zone=public --add-port {{ he_webui_forward_port }}/tcp
  changed_when: true
- name: Expose engine VM webui over a local port via ssh port forwarding
  ansible.builtin.command: >-
    sshpass -e ssh -tt -o ServerAliveInterval=5 -o
    StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -g -L
    {{ he_webui_forward_port }}:{{ he_fqdn }}:443 {{ he_fqdn }}
  environment:
    "{{ he_cmd_lang | combine( { 'SSHPASS': he_appliance_password } ) }}"
  changed_when: true
  async: 86400
  poll: 0
  register: sshpf
But instead of opening the port on firewalld from the host, do the
entire tunnelling from your laptop (or where you run the web browser):
1. Add the engine VM's name to your /etc/hosts, to the line of '127.0.0.1'
2. Find the (temporary, local) IP address of the engine VM, in your
case that's '192.168.222.3'
3. Create an ssh tunnel - something like:
# ssh -L443:192.168.222.3:443 root@ovirt-node04.internal.net
Forgot to mention:
You should do this as root - can use sudo.
This is inconvenient, because you quite likely already have your local
account's public ssh key in the authorized_keys of the host, but with
root/sudo you can't use it - not easily, anyway. I personally simply
type in root's password and forget about it. Maybe one day I'll learn
how to make ssh running as root use my own key (likely requires some
selinux tricks) or even how to make my account be able to listen on 443...
Then you can access the engine (and keycloak) web UI via the "real" FQDN:
https://ovirt-engine.internal.net/ovirt-engine/
Good luck and best regards,
--
Didi
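The three laptop-side steps from the reply above, as an added example script (not code from the thread or from ovirt-ansible-collection); the engine FQDN, its temporary IP and the host name are the values assumed from this thread:

```shell
#!/bin/sh
# Added example (not code from the reply or from ovirt-ansible-collection):
# the laptop-side tunnel described in steps 1-3, as a small script.
# Assumed values below follow the thread; adjust for your own setup.
set -eu

ENGINE_FQDN="ovirt-engine.internal.net"   # the engine's "real" FQDN
ENGINE_IP="192.168.222.3"                 # engine VM's temporary local IP
HE_HOST="ovirt-node04.internal.net"       # hosted-engine host running the VM

# Exit 0 if FILE already has an uncommented 127.0.0.1 line naming FQDN.
hosts_entry_present() {
  awk -v fqdn="$2" '
    /^[ \t]*#/ { next }
    $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Step 1: map the engine FQDN to loopback so the browser reaches the
# tunnel under the hostname the OIDC redirect URI expects. Idempotent.
add_hosts_entry() {
  hosts_entry_present "$1" "$2" && return 0
  printf '127.0.0.1 %s # hosted-engine restore tunnel\n' "$2" >> "$1"
}

# Step 3: build the ssh command. The listener is bound to 127.0.0.1 only
# (no -g, unlike the role's host-side tunnel) and host-key checking stays on.
tunnel_cmd() {
  printf 'ssh -N -o ServerAliveInterval=5 -L 127.0.0.1:%s:%s:443 root@%s' \
    "${3:-443}" "$1" "$2"
}

# Listening on 443 needs root; run as: sudo sh engine-tunnel.sh --run
if [ "${1:-}" = "--run" ]; then
  add_hosts_entry /etc/hosts "$ENGINE_FQDN"
  echo "Starting tunnel; browse to https://${ENGINE_FQDN}/ovirt-engine/"
  eval "$(tunnel_cmd "$ENGINE_IP" "$HE_HOST")"
fi
```

Remove the /etc/hosts line again once the restore is done, otherwise the FQDN keeps resolving to your laptop after the engine is back on its real address.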