3:49 p.m.
Il 04/02/2014 12:55, Yedidyah Bar David ha scritto:
*From: *"Alessandro Bianchi" <a.bianchi(a)skynet.it>
*To: *"Gianluca Cecchi" <gianluca.cecchi(a)gmail.com>
*Cc: *"Yedidyah Bar David" <didi(a)redhat.com>, "users"
<users(a)ovirt.org>
*Sent: *Tuesday, February 4, 2014 1:19:43 PM
*Subject: *Re: [Users] ovirt-report Forbidden access error
Il 04/02/2014 11:30, Gianluca Cecchi ha scritto:
On Tue, Feb 4, 2014 at 11:10 AM, Alessandro Bianchi<a.bianchi(a)skynet.it>
wrote:
Il 04/02/2014 09:55, Gianluca Cecchi ha scritto:
On Tue, Feb 4, 2014 at 9:10 AM, Alessandro Bianchi wrote:
in working directory '/usr/share/ovirt-engine-dwh/db-scripts'
2014-02-04 09:01:26::DEBUG::common_utils::962::root:: output =
2014-02-04 09:01:26::DEBUG::common_utils::963::root:: stderr = psql: FATALE:
autenticazione con password fallita per l'utente
"engine_history"
password retrieved from file "/tmp/pgpassNkKGNp.tmp"
(autenticazione con password fallita per l'utente
"engine_history" =
authentication failed for user "engine_history" system language is
italian)
so it seems a user creation permission problem on the database
since I'm not too familiar with pgsql how is it supposed to fix this?
It look like it misses the password in some ovirt configuration file but
where to edit and how o fix it?
Any hint?
Thank you
See this thread of mine if you want to start from scratch and you
don't have any previous reports/dwh data or you don't mind to loose
them. Engine and its data is not impacted at all.
Eventually I'm going to open a bug for bad mgmt of pre-existing DB
user during setup (eg due to a previously failed in the middle
install).
http://lists.ovirt.org/pipermail/users/2014-February/020740.html
Let us know how it goes.
Gianluca
Ok with this 2b extra step it works
I have installed everything with no errors, but still have Forbidden access
right clicking on Vms -> reports
If I click on the "reports portal" I see this link
*ATTENZIONE: i link numerici sono spesso utilizzati da malintenzionati*
http://10.0.0.5/OvirtEngineWeb/ReportsRedirectServlet
I suspect this is something related to apache configuration
access.log shows nothing so were may I see a log of what's happening?
Thank you
Alessandro
I too see that redirect and then when I click I land to
https://my-engine/ovirt-engine-reports/login.html
and then after login/pwd :
https://my-engine/ovirt-engine-reports/flow.html?_flowId=searchFlow
I have SpiceProxy configured.
Don't know if this impacts apache configuration.
In my case it works and in /etc/httpd/conf.d
Ihave
# ls -lrt
total 68
-rw-r--r--. 1 root root 926 Mar 31 2013 BackupPC.conf
-rw-r--r--. 1 root root 298 Jul 23 2013 squid.conf
-rw-r--r--. 1 root root 516 Jul 31 2013 welcome.conf
-rw-r--r--. 1 root root 1252 Jul 31 2013 userdir.conf
-rw-r--r--. 1 root root 9426 Jul 31 2013 ssl.conf.20131003112151
-rw-r--r--. 1 root root 2893 Jul 31 2013 autoindex.conf
-rw-r--r--. 1 root root 366 Jul 31 2013 README
-rw-r--r--. 1 root root 2778 Oct 3 11:21
z-ovirt-engine-proxy.conf.20131119125706
-rw-r--r--. 1 root root 33 Oct 3 11:21 ovirt-engine-root-redirect.conf
-rw-r--r--. 1 root root 9444 Oct 3 11:21 ssl.conf
-rw-r--r--. 1 root root 2775 Nov 19 12:57
z-ovirt-engine-proxy.conf.20140115003015
-rw-r--r--. 1 root root 1251 Jan 7 15:54 z-ovirt-engine-reports-proxy.conf
-rw-r--r--. 1 root root 2788 Jan 15 00:30 z-ovirt-engine-proxy.conf
z-ovirt-engine-reports-proxy.conf:
<IfModule proxy_ajp_module>
<Proxy ajp://localhost:8702>
# This is needed to make sure that connections to the application
server
# are recovered in a short time interval (5 seconds at the moment)
# otherwise when the application server is restarted the web server
will
# refuse to connect during 60 seconds.
ProxySet retry=5
# This is needed to make sure that long RESTAPI requests have time to
# finish before the web server aborts the request as the default
timeout
# (controlled by the Timeout directive in httpd.conf) is 60 seconds.
ProxySet timeout=3600
</Proxy>
<Location /ovirt-engine-reports>
ProxyPass ajp://localhost:8702/ovirt-engine-reports
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</Location>
</IfModule>
Uuuuuuh
enterig the URL you showed directely I can login and see reports ok
so it looks link in ovirt main page is somehow wrong!
This should work. To help debug this, please check/post these:
/etc/httpd/conf.d/z-ovirt-engine-proxy.conf
/etc/httpd/conf.d/z-ovirt-engine-reports-proxy.conf
/var/log/httpd/error_log
/var/log/httpd/ssl_error_log
/var/log/httpd/access_log
/var/log/httpd/ssl_access_log
As user postgres, output of:
psql engine -c "select * from vdc_options where
option_name='RedirectServletReportsPage';"
Thanks!
--
Didi
--
Il messaggio è stato analizzato alla ricerca di virus o
contenuti pericolosi da *SkyNet Srl <http://www.skynet.it/>*, ed è
risultato non infetto.
This message has been checked for virus or dangerous content
by *SkyNet SRL <http://www.skynet.it/>* and seems to be clean.
Ok let's
go
z-ovirt-engine-proxy.conf
#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>
#
# Remove the Expect headers from API requests (this is needed to fix a
# problem with some API clients):
#
# This is required because otherwise Expect header, which is hop-by-hop
# will be caught by the Apache and will NOT be forwared to the proxy.
#
# It currenly is used here, which means GLOBALLY for the server. It
is done
# this way because RequestHeader 'early' doesn't allow using in either
# 'Directory' or 'Location' nested clauses.
#
# TODO: find a way to filter Expect headers for /api name space only.
<IfModule headers_module>
RequestHeader unset Expect early
</IfModule>
<Proxy ajp://127.0.0.1:8702>
# This is needed to make sure that connections to the
application server
# are recovered in a short time interval (5 seconds at the moment)
# otherwise when the application server is restarted the web
server will
# refuse to connect during 60 seconds.
ProxySet retry=5
# This is needed to make sure that long RESTAPI requests have
time to
# finish before the web server aborts the request as the
default timeout
# (controlled by the Timeout directive in httpd.conf) is 60
seconds.
ProxySet timeout=3600
</Proxy>
Redirect /ovirt-engine /ovirt-engine/
<Location /ovirt-engine/>
ProxyPass ajp://127.0.0.1:8702/
</Location>
<LocationMatch
^/(UserPortal($|/)|RHEVManagerWeb($|/)|OvirtEngineWeb($|/)|webadmin($|/)|docs($|/)|ovirt-engine-theme/|ovirt-engine-theme-resource/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$|ovirt-engine-files/|ovirt-engine-attachment/|ovirt-engine-novnc-main.html$|ovirt-engine-spicehtml5-main.html$)>
ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</LocationMatch>
<Location /api>
#
# The timeout has to be specified here again because versions of
# Apache older than 2.4 don't copy the setting from the Proxy
# directive:
#
ProxyPass ajp://127.0.0.1:8702/api timeout=3600
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</Location>
</IfModule>
z-ovirt-engine-reports-proxy.conf
#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>
#
# Remove the Expect headers from API requests (this is needed to fix a
# problem with some API clients):
#
# This is required because otherwise Expect header, which is hop-by-hop
# will be caught by the Apache and will NOT be forwared to the proxy.
#
# It currenly is used here, which means GLOBALLY for the server. It
is done
# this way because RequestHeader 'early' doesn't allow using in either
# 'Directory' or 'Location' nested clauses.
#
# TODO: find a way to filter Expect headers for /api name space only.
<IfModule headers_module>
RequestHeader unset Expect early
</IfModule>
<Proxy ajp://127.0.0.1:8702>
# This is needed to make sure that connections to the
application server
# are recovered in a short time interval (5 seconds at the moment)
# otherwise when the application server is restarted the web
server will
# refuse to connect during 60 seconds.
ProxySet retry=5
# This is needed to make sure that long RESTAPI requests have
time to
# finish before the web server aborts the request as the
default timeout
# (controlled by the Timeout directive in httpd.conf) is 60
seconds.
ProxySet timeout=3600
</Proxy>
Redirect /ovirt-engine /ovirt-engine/
<Location /ovirt-engine/>
ProxyPass ajp://127.0.0.1:8702/
</Location>
<LocationMatch
^/(UserPortal($|/)|RHEVManagerWeb($|/)|OvirtEngineWeb($|/)|webadmin($|/)|docs($|/)|ovirt-engine-theme/|ovirt-engine-theme-resource/|ca.crt$|engine.ssh.key.txt$|rhevm.ssh.key.txt$|ovirt-engine-files/|ovirt-engine-attachment/|ovirt-engine-novnc-main.html$|ovirt-engine-spicehtml5-main.html$)>
ProxyPassMatch ajp://127.0.0.1:8702 timeout=3600
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</LocationMatch>
<Location /api>
#
# The timeout has to be specified here again because versions of
# Apache older than 2.4 don't copy the setting from the Proxy
# directive:
#
ProxyPass ajp://127.0.0.1:8702/api timeout=3600
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</Location>
</IfModule>
[root@hypervisor conf.d]# :q
-bash: :q: command not found
[root@hypervisor conf.d]# cat z-ovirt-engine-reports-proxy.conf
#
# The name of this file name is very important, the "z-" prefix is used
# to force the web server to load this file after all the other
# configurations, in particular after the configuration of the required
# proxy modules, otherwise the "IfModule" directives fail.
#
<IfModule proxy_ajp_module>
<Proxy ajp://localhost:8702>
# This is needed to make sure that connections to the
application server
# are recovered in a short time interval (5 seconds at the moment)
# otherwise when the application server is restarted the web
server will
# refuse to connect during 60 seconds.
ProxySet retry=5
# This is needed to make sure that long RESTAPI requests have
time to
# finish before the web server aborts the request as the
default timeout
# (controlled by the Timeout directive in httpd.conf) is 60
seconds.
ProxySet timeout=3600
</Proxy>
<Location /ovirt-engine-reports>
ProxyPass ajp://localhost:8702/ovirt-engine-reports
<IfModule deflate_module>
AddOutputFilterByType DEFLATE text/javascript text/css
text/html text/xml text/json application/xml application/json
application/x-yaml
</IfModule>
</Location>
</IfModule>
ssl_error_log
[Tue Feb 04 10:50:46.221639 2014] [proxy_ajp:error] [pid 7533] [client
192.168.0.17:48201] AH00896: failed to make connection to backend:
127.0.0.1, referer:
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:50:51.221036 2014] [proxy:error] [pid 7532]
(111)Connection refused: AH00957: AJP: attempt to connect to
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:50:51.221057 2014] [proxy:error] [pid 7532] AH00959:
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:50:51.221062 2014] [proxy_ajp:error] [pid 7532] [client
192.168.0.17:48202] AH00896: failed to make connection to backend:
127.0.0.1, referer:
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:50:56.220894 2014] [proxy:error] [pid 7607]
(111)Connection refused: AH00957: AJP: attempt to connect to
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:50:56.220915 2014] [proxy:error] [pid 7607] AH00959:
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:50:56.220920 2014] [proxy_ajp:error] [pid 7607] [client
192.168.0.17:48203] AH00896: failed to make connection to backend:
127.0.0.1, referer:
https://10.0.0.5/webadmin/webadmin/WebAdmin.html?locale=en_US
[Tue Feb 04 10:54:58.223880 2014] [proxy:error] [pid 7611]
(111)Connection refused: AH00957: AJP: attempt to connect to
127.0.0.1:8702 (127.0.0.1) failed
[Tue Feb 04 10:54:58.223901 2014] [proxy:error] [pid 7611] AH00959:
ap_proxy_connect_backend disabling worker for (127.0.0.1) for 5s
[Tue Feb 04 10:54:58.223906 2014] [proxy_ajp:error] [pid 7611] [client
192.168.0.17:48210] AH00896: failed to make connection to backend: 127.0.0.1
ssl_access_log
192.168.0.17 - - [04/Feb/2014:12:54:31 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:36 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:41 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:46 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:51 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:54:56 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:01 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:06 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 11852
192.168.0.17 - - [04/Feb/2014:12:55:11 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 177
192.168.0.17 - - [04/Feb/2014:12:55:11 +0100] "POST
/webadmin/webadmin/GenericApiGWTService HTTP/1.1" 200 260
access_log
::1 - - [04/Feb/2014:11:00:26 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
::1 - - [04/Feb/2014:11:01:48 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /pippo.htm HTTP/1.1"
404 207 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101
Firefox/27.0"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /favicon.ico
HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0)
Gecko/20100101 Firefox/27.0"
192.168.0.17 - - [04/Feb/2014:11:02:10 +0100] "GET /favicon.ico
HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0)
Gecko/20100101 Firefox/27.0"
::1 - - [04/Feb/2014:11:54:16 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
192.168.0.17 - - [04/Feb/2014:12:17:42 +0100] "GET
/ovirt-engine-reports/login.html HTTP/1.1" 302 - "-" "Mozilla/5.0
(X11;
Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"
::1 - - [04/Feb/2014:12:17:51 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
::1 - - [04/Feb/2014:12:17:52 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
::1 - - [04/Feb/2014:12:55:17 +0100] "OPTIONS * HTTP/1.0" 200 - "-"
"Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 (internal dummy
connection)"
the login you see is the one after entering
http://10.0.0.5/ovirt-engine-reports/login.html as url
error_log
[Tue Feb 04 10:55:04.198829 2014] [mpm_prefork:notice] [pid 9665]
AH00170: caught SIGWINCH, shutting down gracefully
[Tue Feb 04 10:55:05.284349 2014] [core:notice] [pid 11365] SELinux
policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Feb 04 10:55:05.285048 2014] [suexec:notice] [pid 11365] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Feb 04 10:55:05.315355 2014] [proxy:warn] [pid 11365] AH01146:
Ignoring parameter 'timeout=3600' for worker 'ajp://127.0.0.1:8702'
because of worker sharing
[Tue Feb 04 10:55:05.315381 2014] [proxy:warn] [pid 11365] AH01146:
Ignoring parameter 'timeout=3600' for worker 'ajp://127.0.0.1:8702'
because of worker sharing
AH00558: httpd: Could not reliably determine the server's fully
qualified domain name, using hypervisor.skynet.it. Set the 'ServerName'
directive globally to suppress this message
[Tue Feb 04 10:55:05.315826 2014] [auth_digest:notice] [pid 11365]
AH01757: generating secret for digest authentication ...
[Tue Feb 04 10:55:05.316461 2014] [lbmethod_heartbeat:notice] [pid
11365] AH02282: No slotmem from mod_heartmonitor
[Tue Feb 04 10:55:05.354876 2014] [mpm_prefork:notice] [pid 11365]
AH00163: Apache/2.4.6 (Fedora) OpenSSL/1.0.0-fips PHP/5.5.8 configured
-- resuming normal operations
[Tue Feb 04 10:55:05.354895 2014] [core:notice] [pid 11365] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'
postgres-# select * from vdc_options where
option_name='RedirectServletReportsPage'
postgres-#
(no results)
Let me know if anything else may be useful
Thank you and best regards
--
SkyNet SRL
Via Maggiate 67/a - 28021 Borgomanero (NO) - tel. +39 0322-836487/834765
- fax +39 0322-836608
http://www.skynet.it <http://www.skynet.it/>
Autorizzazione Ministeriale n.197
Le informazioni contenute in questo messaggio sono riservate e
confidenziali ed è vietata la diffusione in qualunque modo eseguita.
Qualora Lei non fosse la persona a cui il presente messaggio è
destinato, La invitiamo ad eliminarlo ed a distruggerlo non
divulgandolo, dandocene gentilmente comunicazione.
Per qualsiasi informazione si prega di contattare info(a)skynet.it (e-mail
dell'azienda). Rif. D.L. 196/2003