
----- Original Message -----
From: "Martin Perina" <mperina@redhat.com>
To: "Daniel Helgenberger" <daniel.helgenberger@m-box.de>
Cc: users@ovirt.org, "Eli Mesika" <emesika@redhat.com>
Sent: Monday, May 25, 2015 11:23:29 AM
Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
----- Original Message -----
From: "Daniel Helgenberger" <daniel.helgenberger@m-box.de>
To: "Martin Perina" <mperina@redhat.com>
Cc: users@ovirt.org, "Eli Mesika" <emesika@redhat.com>
Sent: Sunday, May 24, 2015 10:02:34 AM
Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
On 23.05.2015 15:04, Martin Perina wrote:
----- Original Message -----
From: "Daniel Helgenberger" <daniel.helgenberger@m-box.de>
To: "Martin Perina" <mperina@redhat.com>
Cc: users@ovirt.org, "Eli Mesika" <emesika@redhat.com>
Sent: Thursday, May 21, 2015 9:31:50 PM
Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
On 21.05.2015 21:07, Martin Perina wrote:
Hi Daniel,
I'm cc'ing Eli as we are currently facing an issue with a fence-agents regression for passing boolean flags to fence agents. Thanks for getting back to me so quickly.
I looked at the man page of fence_ilo2 again and I haven't found the --tls1.0 option at all. Strange? FYI I am running CentOS7.1 hosts; installed fence: fence-agents-ilo2-4.0.11-11.el7_1.x86_64
Here, clearly I have this option. The fence agent itself seems to use gnutls successfully:
# fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status --ssl-insecure --tls1.0
Running command: /usr/bin/gnutls-cli --priority "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION" --insecure --crlf -p 443 10.11.0.212
Ahh, I looked at an older version on F20. But I can't find the --tls1.0 option even on the man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
So if you really see this option, please take a look at the end of the man page, where you can find the STDIN format option names, and add it along with ssl_insecure to the options in the Power Management tab of the host (instead of "tls1_0" use what you find in your man page):
Many thanks! Using the STDIN options solved this issue. I finally get: Test succeeded: on
I am using these options in the options field for the ilo2 fencing module:
ssl_insecure=1,tls1.0=1
Also working: ssl_insecure=1,notls=1
ssl_insecure=1,tls1_0=1
True. What still puzzles me is the tls1.0 option. In my man pages the STDIN option is called 'tls1.0'. Also, can you check whether you have a 'notls' option to force SSL3.0? This also works for me.
Ahh, sorry for the confusion. By mistake I looked at older fence-agents RPM :-(
I looked again and now I also have "tls1.0". The "notls" option is also contained in the older version (like the one I have in my F20).
I think all the info you gave here, esp. using the stdin binary options in the form 'option=0|1', is quite essential to get fencing working. I had a quick look over some man pages and I think all the standard fence agents are used in the same manner.
Yes, this is the regression I wrote you about. Latest fence-agents dropped the support for passing boolean options without a value (just sending "notls" was ok in prior versions), but the last version requires sending "notls=1" or "notls=true", otherwise the option is not used. We are currently preparing patches to handle it.
This is planned to be fixed for 3.6 by an upgrade script (not including encrypted options). BTW, according to Marek G, who is the fence-agents maintainer, sending boolean flags on their own was enabled for all agents but was actually working only for the ipmilan agent ...
Also, a hint might be in order that old ilo boards can't cope with TLS and need it disabled. I think here [1] [2]?
[1] http://www.ovirt.org/Automatic_Fencing [2] http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Settin...
Hmm, thanks for the input, I will talk with Eli and Oved how to make the documentation more understandable.
I had added a comment to the troubleshooting section of [1] regarding that ...
Thanks
Martin Perina
Thanks!
Thanks
Martin Perina
I put the whole command output below [1]
To specify --ssl-insecure please add the following
into options in the Power Management tab of the host:
ssl_insecure=1
Thanks for pointing out how to actually use these options.
Martin Perina
----- Original Message -----
From: "Daniel Helgenberger" <daniel.helgenberger@m-box.de>
To: "Martin Perina" <mperina@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, May 21, 2015 8:11:40 PM
Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
On 12.05.2015 09:16, Martin Perina wrote:
> Hi Daniel,
Hello Martin,
sorry for answering that late. And thanks for pointing me to the man page! I always seem to forget that.
>
> options defined in PM tab are used to pass custom settings
> of specific fence agent. In your case please take a look
> at man page for fence_ilo2. I looked there briefly and
> I'm afraid that your parameter is not supported.
Ok, this command runs fine and uses XML: fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status --ssl-insecure --tls1.0
However, using options --tls1.0 and --ssl-insecure does not work in the engine. What puzzles me: the fence agent seems to use an SSL connection and XML; while the GUI wants an SSH port from me?
There I get the error: Unknown options ..
now I only get Test succeeded - unknown (which actually is not successful)
Thanks!
>
> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
> passing that option for SSH connection, so you could try them
> if they work with you fence device.
>
> Martin Perina
>
>
> ----- Original Message -----
>> From: "Daniel Helgenberger" <daniel.helgenberger@m-box.de>
>> To: users@ovirt.org
>> Sent: Monday, May 11, 2015 5:53:10 PM
>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>
>> Hello,
>>
>> to make this short - i need to pass ssh options to get the
>> connection
>> to
>> ilo2 working (MACs=hmac-sha1) [1].
>>
>> How can this be done? I think the 'options' field is clearly for
>> something else?
>>
>> Using this option in .ssh/config works btw.
>>
>> Thanks!
>> --
>> Daniel Helgenberger
>> m box bewegtbild GmbH
>>
>> P: +49/30/2408781-22
>> F: +49/30/2408781-10
>>
>> ACKERSTR. 19
>> D-10115 BERLIN
>>
>>
>> www.m-box.de www.monkeymen.tv
>>
>> Managing directors: Martin Retschitzegger / Michaela Göllner
>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
>> _______________________________________________
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
-- Daniel Helgenberger m box bewegtbild GmbH
P: +49/30/2408781-22 F: +49/30/2408781-10
ACKERSTR. 19 D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner Commercial register: Amtsgericht Charlottenburg / HRB 112767
[1]
Sent: <?xml version="1.0"?>
Received: <?xml version="1.0"?>
Processed 0 CA certificate(s). Resolving '10.11.0.212'... Connecting to '10.11.0.212:443'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hv02', issuer `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hv02', RSA key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint `4db06bc1a74fe2894068d89ea76c0622b3e76bc1' Public Key ID: 428f85bc360c8778eb550e4b8ef1c65b111d7108 Public key's random art: +--[ RSA 1024]----+ | Eoo+. | | . o . .o. | | . = B + | | . & X . | | o # S | | . + = | | . . | | | | | +-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. *** PKI verification of server certificate failed... - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1) - Session ID: AA:C9:08:8C:F5:E7:E6:19:7D:BC:20:D4:A0:C0:DA:E4:0E:C1:C0:2A:BC:93:8E:B3:5F:20:B0:38:67:F2:01:5C - Version: TLS1.0 - Key Exchange: RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL - Handshake was completed
- Simple Client Mode:
<?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> Sent: <RIBCL VERSION="2.0">
Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
Sent: <RIB_INFO MODE="read"><GET_FW_VERSION />
Sent: </RIB_INFO>
Received: <RIBCL VERSION="2.0">
<LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
<RIB_INFO MODE="read"><GET_FW_VERSION />
</RIB_INFO>
<?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> <?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> <?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> <?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> <GET_FW_VERSION
Received: FIRMWARE_VERSION = "2.25" FIRMWARE_DATE = "Apr 14 2014" MANAGEMENT_PROCESSOR = "iLO2" LICENSE_TYPE = "iLO 2 Advanced" /> Sent: </LOGIN>
Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
Sent: <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
Sent: </SERVER_INFO></LOGIN>
Received: </RIBCL> <?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> <?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> </LOGIN>
<LOGIN USER_LOGIN = "ovirt" PASSWORD = "*********">
<?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> <?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
<?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> </RIBCL> <?xml version="1.0"?> <RIBCL VERSION="2.22"> <RESPONSE STATUS="0x0000" MESSAGE='No error' /> <GET_HOST_POWER HOST_POWER="ON" Status: ON
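The option-passing rule the thread settles on (STDIN-format option names from the man page, boolean flags written as name=1 or name=true, bare flags ignored by current fence-agents), as an added example that is neither the thread's nor oVirt's nor fence-agents' own code. The option names are the ones the thread mentions; the accepted true spellings and the action=status line are assumptions.

```python
# Added example (not oVirt or fence-agents code): turn the oVirt Power Management
# "options" field into the STDIN key=value block a fence agent reads, and report
# the boolean-value regression from the thread: current fence-agents ignore a
# bare flag such as "notls" and only honour "notls=1" / "notls=true".
# Option names are the ones named in the thread; TRUE_VALUES is an assumption.

BOOLEAN_OPTIONS = {"ssl_insecure", "tls1.0", "tls1_0", "notls"}
TRUE_VALUES = {"1", "true"}          # spellings the thread says are accepted


def parse_pm_options(field):
    """'ssl_insecure=1,tls1.0=1' -> {'ssl_insecure': '1', 'tls1.0': '1'}.

    A bare flag (no '=') is kept with value None so it can be reported.
    """
    opts = {}
    for item in field.split(","):
        item = item.strip()
        if item:
            key, sep, value = item.partition("=")
            opts[key.strip()] = value.strip() if sep else None
    return opts


def check_booleans(opts):
    """Return (effective, warnings): which boolean flags the agent will act on."""
    effective, warnings = [], []
    for key, value in opts.items():
        if key not in BOOLEAN_OPTIONS:
            continue
        if value is None:
            warnings.append(f"{key}: bare flag is ignored by current "
                            f"fence-agents, write {key}=1")
        elif value.lower() in TRUE_VALUES:
            effective.append(key)
        else:
            warnings.append(f"{key}={value}: not a true value, flag stays off")
    return effective, warnings


def render_stdin(opts, action="status"):
    """Build the STDIN text (one key=value per line) the agent parses."""
    lines = [f"action={action}"]          # assumed STDIN name for -o
    lines += [f"{k}={v}" for k, v in opts.items() if v is not None]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for field in ("ssl_insecure=1,tls1.0=1", "ssl_insecure=1,notls"):
        opts = parse_pm_options(field)
        print(field, "->", check_booleans(opts))
        print(render_stdin(opts))
```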