On 23.05.2015 15:04, Martin Perina wrote:
----- Original Message -----
> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
> To: "Martin Perina" <mperina(a)redhat.com>
> Cc: users(a)ovirt.org, "Eli Mesika" <emesika(a)redhat.com>
> Sent: Thursday, May 21, 2015 9:31:50 PM
> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>
>
>
> On 21.05.2015 21:07, Martin Perina wrote:
>> Hi Daniel,
>>
>> I'm cc'ing Eli as we are currently facing an issue with fence agents
>> regression for passing boolean flags to fence agents.
> Thanks for getting back to me so quickly.
>>
>> I looked at man page of fence_ilo2 again and I haven't found
>> --tls1.0 option at all.
> Strange? FYI I am running CentOS7.1 hosts; installed fence:
> fence-agents-ilo2-4.0.11-11.el7_1.x86_64
>
> Here, clearly I have this option. The fence agent itself seems to use
> gnutls successfully:
>
> # fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status
> --ssl-insecure --tls1.0
>
> Running command: /usr/bin/gnutls-cli --priority
> "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION"
> --insecure --crlf -p 443 10.11.0.212
>
Ahh, I looked at an older version on F20. But I can't find the --tls1.0 option
even on the man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
So if you really see this option, please take a look at the end of the man
page, where you can find the STDIN format option names, and add it along
with ssl_insecure to the options in the Power Management tab of the hosts (instead
of "tls1_0" use what you find in your man page):
Many thanks! Using the STDIN options solved this issue. I finally get:
Test succeeded: on
I am using these options in the options field for the ilo2 fencing module:
ssl_insecure=1,tls1.0=1
Also working:
ssl_insecure=1,notls=1
ssl_insecure=1,tls1_0=1
True. What still puzzles me is the tls1.0 option. In my man pages
the STDIN option is called 'tls1.0'. Also, can you check whether you
have a 'notls' option to force SSL3.0? This also works for me.
I think all the info you gave here, esp. using the stdin binary options
in a way 'option=0|1' is quite essential to get fencing working. I had
a quick look over some man pages and I think all the standard fence
agents are used in the same manner.
Also, a hint might be in order that old ilo boards can't cope with TLS
and need it disabled. I think here [1] [2]?
[1] http://www.ovirt.org/Automatic_Fencing
[2] http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Set...
Thanks!
Thanks
Martin Perina
> I put the whole command output below [1]
>
>
>> To specify --ssl-insecure please add the following
>> into options in Power Management tab of the host:
>>
>> ssl_insecure=1
> Thanks for pointing out how to actually use these options.
>>
>>
>> Martin Perina
>>
>> ----- Original Message -----
>>> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
>>> To: "Martin Perina" <mperina(a)redhat.com>
>>> Cc: users(a)ovirt.org
>>> Sent: Thursday, May 21, 2015 8:11:40 PM
>>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>>
>>>
>>>
>>> On 12.05.2015 09:16, Martin Perina wrote:
>>>> Hi Daniel,
>>> Hello Martin,
>>>
>>> sorry for answering that late. And thanks for pointing me to the man
>>> page! I always seem to forget that.
>>>>
>>>> options defined in PM tab are used to pass custom settings
>>>> of specific fence agent. In your case please take a look
>>>> at man page for fence_ilo2. I looked there briefly and
>>>> I'm afraid that your parameter is not supported.
>>>
>>> Ok, this command runs fine and uses XML:
>>> fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status
>>> --ssl-insecure --tls1.0
>>>
>>> However, using options --tls1.0 and --ssl-insecure does not work in the
>>> engine. What puzzles me: the fence agent seems to use an SSL connection
>>> and XML; while the GUI wants an SSH port from me?
>>>
>>> There I get the error:
>>> Unknown options ..
>>>
>>> now I only get
>>> Test succeeded - unknown (which actually is not successful)
>>>
>>>
>>> Thanks!
>>>>
>>>> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
>>>> passing that option for SSH connection, so you could try them
>>>> if they work with your fence device.
>>>>
>>>> Martin Perina
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
>>>>> To: users(a)ovirt.org
>>>>> Sent: Monday, May 11, 2015 5:53:10 PM
>>>>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>>>>
>>>>> Hello,
>>>>>
>>>>> to make this short - I need to pass ssh options to get the connection to
>>>>> ilo2 working (MACs=hmac-sha1) [1].
>>>>>
>>>>> How can this be done? I think the 'options' field is clearly for
>>>>> something else?
>>>>>
>>>>> Using this option in .ssh/config works btw.
>>>>>
>>>>> Thanks!
>>>>> --
>>>>> Daniel Helgenberger
>>>>> m box bewegtbild GmbH
>>>>>
>>>>> P: +49/30/2408781-22
>>>>> F: +49/30/2408781-10
>>>>>
>>>>> ACKERSTR. 19
>>>>> D-10115 BERLIN
>>>>>
>>>>>
>>>>> www.m-box.de www.monkeymen.tv
>>>>>
>>>>> Managing directors: Martin Retschitzegger / Michaela Göllner
>>>>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
>>>>
>>>
>>
>
> [1]
>
> Sent: <?xml version="1.0"?>
>
> Received: <?xml version="1.0"?>
>
> Processed 0 CA certificate(s).
> Resolving '10.11.0.212'...
> Connecting to '10.11.0.212:443'...
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> - subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard
> Company,OU=ISS,CN=hv02', issuer
> `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hv02', RSA
> key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05
> 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint
> `4db06bc1a74fe2894068d89ea76c0622b3e76bc1'
> Public Key ID:
> 428f85bc360c8778eb550e4b8ef1c65b111d7108
>
> - Status: The certificate is NOT trusted. The certificate issuer is
> unknown. The name in the certificate does not match the expected.
> *** PKI verification of server certificate failed...
> - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
> - Session ID:
>
AA:C9:08:8C:F5:E7:E6:19:7D:BC:20:D4:A0:C0:DA:E4:0E:C1:C0:2A:BC:93:8E:B3:5F:20:B0:38:67:F2:01:5C
> - Version: TLS1.0
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
>
> - Simple Client Mode:
>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> Sent: <RIBCL VERSION="2.0">
>
> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>
> Sent: <RIB_INFO MODE="read"><GET_FW_VERSION />
>
> Sent: </RIB_INFO>
>
> Received:
> <RIBCL VERSION="2.0">
>
> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>
> <RIB_INFO MODE="read"><GET_FW_VERSION />
>
> </RIB_INFO>
>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> <GET_FW_VERSION
>
> Received: FIRMWARE_VERSION = "2.25"
> FIRMWARE_DATE = "Apr 14 2014"
> MANAGEMENT_PROCESSOR = "iLO2"
> LICENSE_TYPE = "iLO 2 Advanced"
> />
> Sent: </LOGIN>
>
> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>
> Sent: <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
>
> Sent: </SERVER_INFO></LOGIN>
>
> Received:
> </RIBCL>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> </LOGIN>
>
> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "*********">
>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> </RIBCL>
> <?xml version="1.0"?>
> <RIBCL VERSION="2.22">
> <RESPONSE
> STATUS="0x0000"
> MESSAGE='No error'
> />
> <GET_HOST_POWER
> HOST_POWER="ON"
> Status: ON
>
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
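
The options-field format worked out in this thread, as an added example that is not part of the original messages and is not oVirt or fence-agents code: it splits a comma-separated `key=0|1` value into one key=value line per option (the STDIN form) and lists the enabled options that relax TLS so they can be reviewed. The function names are illustrative, and splitting on commas is an assumption based on the values shown above.

```shell
#!/bin/sh
# Added example (not oVirt or fence-agents code).
# Option names below are the ones that appear in this thread.
WEAK_TLS_OPTIONS="ssl_insecure tls1.0 tls1_0 notls"

# pm_options_to_stdin 'ssl_insecure=1,tls1.0=1'
# Prints one key=value line per entry, the STDIN form of the options.
# Returns 1 on CLI-style flags (--tls1.0) or entries without key=value.
pm_options_to_stdin() {
    old_ifs=$IFS
    IFS=,
    set -f              # no globbing while splitting on commas
    set -- $1
    set +f
    IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            -*|=*|*=) echo "malformed option: $entry" >&2; return 1 ;;
            *=*)      printf '%s\n' "$entry" ;;
            *)        echo "malformed option: $entry" >&2; return 1 ;;
        esac
    done
}

# pm_weak_tls_options 'ssl_insecure=1,notls=0'
# Prints each enabled (=1) option that relaxes certificate or protocol checks.
pm_weak_tls_options() {
    lines=$(pm_options_to_stdin "$1") || return 1
    printf '%s\n' "$lines" | while IFS='=' read -r key value; do
        case " $WEAK_TLS_OPTIONS " in
            *" $key "*)
                if [ "$value" = "1" ]; then printf '%s\n' "$key"; fi ;;
        esac
    done
}

# Constructed sample: the value reported as working in the thread.
pm_options_to_stdin 'ssl_insecure=1,tls1.0=1'
pm_weak_tls_options 'ssl_insecure=1,tls1.0=1'
```

A host whose options field yields any output from `pm_weak_tls_options` is talking to its management board without certificate verification or with a downgraded protocol, which is worth recording next to the firmware version that requires it.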