----- Original Message -----
From: "Martin Perina" <mperina(a)redhat.com>
To: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
Cc: users(a)ovirt.org, "Eli Mesika" <emesika(a)redhat.com>
Sent: Monday, May 25, 2015 11:23:29 AM
Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
----- Original Message -----
> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
> To: "Martin Perina" <mperina(a)redhat.com>
> Cc: users(a)ovirt.org, "Eli Mesika" <emesika(a)redhat.com>
> Sent: Sunday, May 24, 2015 10:02:34 AM
> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>
>
>
> On 23.05.2015 15:04, Martin Perina wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
> >> To: "Martin Perina" <mperina(a)redhat.com>
> >> Cc: users(a)ovirt.org, "Eli Mesika" <emesika(a)redhat.com>
> >> Sent: Thursday, May 21, 2015 9:31:50 PM
> >> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> >>
> >>
> >>
> >> On 21.05.2015 21:07, Martin Perina wrote:
> >>> Hi Daniel,
> >>>
> >>> I'm cc'ing Eli as we are currently facing issue with fence agents
> >>> regression for passing boolean flags to fence agents.
> >> Thanks for getting back to me so quickly.
> >>>
> >>> I looked at man page of fence_ilo2 again and I haven't found
> >>> --tls1.0 option at all.
> >> Strange? FYI I am running CentOS7.1 hosts; installed fence:
> >> fence-agents-ilo2-4.0.11-11.el7_1.x86_64
> >>
> >> Here, clearly I have this option. The fence agent itself seems to use
> >> gnutls successfully:
> >>
> >> # fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status
> >> --ssl-insecure --tls1.0
> >>
> >> Running command: /usr/bin/gnutls-cli --priority
> >> "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION"
> >> --insecure --crlf -p 443 10.11.0.212
> >>
> >
> > Ahh, I looked at older version on F20. But I can't find --tls1.0 option
> > even on man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
> >
> > So if you really see this option, please take a look at the end of man
> > page, where you can find STDIN format options names and add it along
> > with ssl_insecure to options in Power Management tab of the hosts
> > (instead of "tls1_0" use what you find in your man page):
> Many thanks! Using the STDIN options solved this issue. I finally get:
> Test succeeded: on
>
> I am using these options in the options field for the ilo2 fencing module:
>
> ssl_insecure=1,tls1.0=1
>
> Also working:
> ssl_insecure=1,notls=1
>
> >
> > ssl_insecure=1,tls1_0=1
> True. What still puzzles me is the tls1.0 option. In my man pages
> the STDIN option is called 'tls1.0'. Also, can you check whether you
> have a 'notls' option to force SSL3.0? This also works for me.
Ahh, sorry for the confusion. By mistake I looked at older fence-agents RPM :-(
I looked again and now I also have "tls1.0". The "notls" option is contained
also in the older version (like the one I have in my F20).
>
> I think all the info you gave here, esp. using the stdin binary options
> in a way 'option=0|1' is quite essential to get fencing working. I had
> a quick look over some man pages and I think all the standard fence
> agents are used in the same manner.
Yes, this is the regression I wrote you about. Latest fence-agents dropped
the support for passing boolean options without value (just sending "notls"
was ok in prior versions), but the last version requires to send "notls=1"
or "notls=true", otherwise the option is not used. We are currently preparing
patches to handle it.
This is planned to be fixed for 3.6 by an upgrade script (not including
encrypted options).
BTW, according to Marek G, who is the fence-agents maintainer, sending boolean
flags on their own was enabled for all agents but was actually working only for
the ipmilan agent ...
> Also, a hint might be in order that old ilo boards can't cope with TLS
> and need it disabled. I think here [1] [2]?
>
> [1] http://www.ovirt.org/Automatic_Fencing
> [2] http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Set...
Hmm, thanks for the input, I will talk with Eli and Oved how to make
the documentation more understandable.
I had added a comment to the troubleshooting section of [1] regarding that ...
Thanks
Martin Perina
>
> Thanks!
> >
> > Thanks
> >
> > Martin Perina
> >
> >> I put the whole command output below [1]
> >>
> >>
> >> To specify --ssl-insecure please add following
> >>> into options in Power Management tab of the host:
> >>>
> >>> ssl_insecure=1
> >> Thanks for pointing out how to actually use these options.
> >>>
> >>>
> >>> Martin Perina
> >>>
> >>> ----- Original Message -----
> >>>> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
> >>>> To: "Martin Perina" <mperina(a)redhat.com>
> >>>> Cc: users(a)ovirt.org
> >>>> Sent: Thursday, May 21, 2015 8:11:40 PM
> >>>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> >>>>
> >>>>
> >>>>
> >>>> On 12.05.2015 09:16, Martin Perina wrote:
> >>>>> Hi Daniel,
> >>>> Hello Martin,
> >>>>
> >>>> sorry for answering that late. And thanks for pointing me to the man
> >>>> page! I always seem to forget that.
> >>>>>
> >>>>> options defined in PM tab are used to pass custom settings
> >>>>> of specific fence agent. In your case please take a look
> >>>>> at man page for fence_ilo2. I looked there briefly and
> >>>>> I'm afraid that your parameter is not supported.
> >>>>
> >>>> Ok, this command runs fine and uses XML:
> >>>> fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status
> >>>> --ssl-insecure --tls1.0
> >>>>
> >>>> However, using options --tls1.0 and --ssl-insecure does not work in
> >>>> the engine. What puzzles me: the fence agent seems to use an SSL
> >>>> connection and XML; while the GUI wants an SSH port from me?
> >>>>
> >>>> There I get the error:
> >>>> Unknown options ..
> >>>>
> >>>> now I only get
> >>>> Test succeeded - unknown (which actually is not successful)
> >>>>
> >>>>
> >>>> Thanks!
> >>>>>
> >>>>> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
> >>>>> passing that option for SSH connection, so you could try them
> >>>>> if they work with your fence device.
> >>>>>
> >>>>> Martin Perina
> >>>>>
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
> >>>>>> To: users(a)ovirt.org
> >>>>>> Sent: Monday, May 11, 2015 5:53:10 PM
> >>>>>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
> >>>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> to make this short - I need to pass ssh options to get the
> >>>>>> connection to ilo2 working (MACs=hmac-sha1) [1].
> >>>>>>
> >>>>>> How can this be done? I think the 'options' field is clearly for
> >>>>>> something else?
> >>>>>>
> >>>>>> Using this option in .ssh/config works btw.
> >>>>>>
> >>>>>> Thanks!
> >>>>>> --
> >>>>>> Daniel Helgenberger
> >>>>>> m box bewegtbild GmbH
> >>>>>>
> >>>>>> P: +49/30/2408781-22
> >>>>>> F: +49/30/2408781-10
> >>>>>>
> >>>>>> ACKERSTR. 19
> >>>>>> D-10115 BERLIN
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> www.m-box.de www.monkeymen.tv
> >>>>>>
> >>>>>> Managing directors: Martin Retschitzegger / Michaela Göllner
> >>>>>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >> [1]
> >>
> >> Sent: <?xml version="1.0"?>
> >>
> >> Received: <?xml version="1.0"?>
> >>
> >> Processed 0 CA certificate(s).
> >> Resolving '10.11.0.212'...
> >> Connecting to '10.11.0.212:443'...
> >> - Certificate type: X.509
> >> - Got a certificate list of 1 certificates.
> >> - Certificate[0] info:
> >> - subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard
> >> Company,OU=ISS,CN=hv02', issuer
> >> `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hv02', RSA
> >> key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05
> >> 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint
> >> `4db06bc1a74fe2894068d89ea76c0622b3e76bc1'
> >> Public Key ID:
> >> 428f85bc360c8778eb550e4b8ef1c65b111d7108
> >>
> >> - Status: The certificate is NOT trusted. The certificate issuer is
> >> unknown. The name in the certificate does not match the expected.
> >> *** PKI verification of server certificate failed...
> >> - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
> >> - Session ID:
> >> AA:C9:08:8C:F5:E7:E6:19:7D:BC:20:D4:A0:C0:DA:E4:0E:C1:C0:2A:BC:93:8E:B3:5F:20:B0:38:67:F2:01:5C
> >> - Version: TLS1.0
> >> - Key Exchange: RSA
> >> - Cipher: AES-128-CBC
> >> - MAC: SHA1
> >> - Compression: NULL
> >> - Handshake was completed
> >>
> >> - Simple Client Mode:
> >>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> Sent: <RIBCL VERSION="2.0">
> >>
> >> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> >>
> >> Sent: <RIB_INFO MODE="read"><GET_FW_VERSION />
> >>
> >> Sent: </RIB_INFO>
> >>
> >> Received:
> >> <RIBCL VERSION="2.0">
> >>
> >> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> >>
> >> <RIB_INFO MODE="read"><GET_FW_VERSION />
> >>
> >> </RIB_INFO>
> >>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> <GET_FW_VERSION
> >>
> >> Received: FIRMWARE_VERSION = "2.25"
> >> FIRMWARE_DATE = "Apr 14 2014"
> >> MANAGEMENT_PROCESSOR = "iLO2"
> >> LICENSE_TYPE = "iLO 2 Advanced"
> >> />
> >> Sent: </LOGIN>
> >>
> >> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> >>
> >> Sent: <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
> >>
> >> Sent: </SERVER_INFO></LOGIN>
> >>
> >> Received:
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> </LOGIN>
> >>
> >> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "*********">
> >>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
> >>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> <GET_HOST_POWER
> >> HOST_POWER="ON"
> >> Status: ON
> >>
> >
>
>
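
Added example, not part of the original thread and not oVirt or fence-agents code: it converts a Power Management "options" string, in the comma-separated form quoted above, into the one-per-line name=value STDIN form, makes bare boolean flags explicit as the regression discussion requires, and reports options that weaken the TLS session to the iLO board. The function names are hypothetical, and treating every value other than 0/false as enabled is an assumption.

```python
# Added example: names below are hypothetical, not oVirt or fence-agents code.

# Options named in this thread that weaken the TLS session to the iLO board.
WEAKENING = {
    "ssl_insecure": "server certificate is not verified",
    "tls1.0": "negotiation is restricted to TLS 1.0",
    "notls": "TLS is disabled (per the thread, this forces SSL 3.0)",
}
# Assumption: any value other than these counts as "enabled" for the audit.
FALSE_VALUES = {"0", "false"}


def parse_pm_options(field):
    """Split 'a=1,b,c=x' into ordered (name, value) pairs; value is None for a bare flag."""
    pairs = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        pairs.append((name.strip(), value.strip() if sep else None))
    return pairs


def to_stdin(field):
    """Return (stdin_text, findings) for one Power Management options string."""
    lines, findings = [], []
    for name, value in parse_pm_options(field):
        if value is None:
            # Newer fence-agents do not use a bare flag, so make it explicit.
            findings.append(f"{name}: bare flag rewritten to {name}=1")
            value = "1"
        if name in WEAKENING and value.lower() not in FALSE_VALUES:
            findings.append(f"{name}: {WEAKENING[name]}")
        lines.append(f"{name}={value}")
    return "".join(line + "\n" for line in lines), findings


if __name__ == "__main__":
    # Constructed inputs, modelled on the option strings quoted in the thread.
    for sample in ("ssl_insecure=1,tls1.0=1", "ssl_insecure=1,notls", "ssl_insecure=0"):
        text, findings = to_stdin(sample)
        print(repr(sample), "->", repr(text))
        for finding in findings:
            print("   ", finding)
```
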