11:07 p.m.
I've been reading through archives but not able to find what i need. Essentially what
I'm trying to do is migrate a larger number of VMs from our OVM environment to a new
OLVM setup. In an effort to reduce lots of replication and copying of the disk image
(export, convert, copy over, import etc.) I found this article which shows a pretty slick
way to do it in one shot
https://blogs.oracle.com/scoter/post/how-to-migrate-oracle-vm-to-oracle-l...
The main command behind it all is the virt-v2v that makes it possible. It looks something
like this:
virt-v2v -i libvirtxml vm-test1.xml -o rhv-upload -oc
https://<OLVM-server>/ovirt-engine/api -os <my storage> -op
/tmp/ovirt-admin-password -of raw -oo rhv-cluster=Default -oo rhv-cafile=/root/ca.pem
The problem I'm having is I cannot authenticate with my new OLVM server at the
ovirt-engine/api URL. Since user/password is depricated and you must use OAuth 2.0 with a
token I'm stuck.
I have OLVM 4.5.4-1.0.27.el8 and from what I've read in oVirt 4.5 (not sure what
version it started) they use keycloak oAuth 2.0 and the older ovirt-aaa-jdbc-tool is now
deprecated.
In doing some testing I found I can use curl and authenticate against the ovirt-engine/api
and get a token like this:
OVIRT_ENGINE_URL="https://<myolvm1>/ovirt-engine"
USERNAME="admin@ovirt@internalsso"
PASSWORD="<mypassword>"
CLUSTER_NAME="Default"
TOKEN=$(curl -k -X POST -H "Accept: application/json" -H "Content-Type:
application/x-www-form-urlencoded" -d "grant_type=password
&username=$USERNAME&password=$PASSWORD&scope=ovirt-app-api"
$OVIRT_ENGINE_URL/sso/oauth/token | jq -r '.access_token')
I was then able to query the API to validate my token works
curl -k -H "Accept: application/json" -H "Authorization: Bearer
$TOKEN" "$OVIRT_ENGINE_URL/api/clusters?search=name=$CLUSTER_NAME"
The problem is virt-v2v does not support posting any form information or the token to
authenticate. Best I can tell the -oc option is strictly the URL and if you want a
username in there it's in the form of https://<name>@<server>. So even if
I wrote a script and used curl to authenticate and get a token I still can't find a
way to make virt-v2v use it.
So I'm stuck how do I get virt-v2v working? Is there a way to re-enable the
deprecated user/pass method of accessing the ovirt-engine/api ? or as a last resort a way
to get virt-v2v supporting the token?
Thanks for any insight
Malcolm
10:33 p.m.
New subject: virt-v2v cannot authenticate with oVirt engine API with OAuth2
I guess nobody else does this?
9:13 a.m.
New subject: virt-v2v cannot authenticate with oVirt engine API with OAuth2
see https://github.com/libguestfs/virt-v2v/issues/42
On Mon, Feb 26, 2024 at 10:37 PM <malcolm.strydom(a)pacxa.com> wrote:
I guess nobody else does this?
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6UWV73GC7BX...
7:45 p.m.
New subject: virt-v2v cannot authenticate with oVirt engine API with OAuth2
see https://github.com/libguestfs/virt-v2v/issues/42
On Mon, Feb 26, 2024 at 10:37 PM <malcolm.strydom(a)pacxa.com> wrote:
Thank you. That looks to be discussing this very issue. I will read through that page
and see what came of it.
6:08 p.m.
New subject: virt-v2v cannot authenticate with oVirt engine API with OAuth2
Similarly to you, I ran into this problem with virt-v2v 1.42 using OLVM 4.5.4-1.0.29.el8.
On submitting a request to Oracle via SR, they referred me to this: OLVM: How to Revert
from Keycloak to AAA (Doc ID 2999963.1)
So, there is a way to back out the KeyCloak oAuth 2.0 implementation and re-enable to
aaa/jdbc. I haven't attempted this yet, but I'm inclined to, because I already
having a working set of scripted tools that do a one-command-line migration successfully
under the prior OLVM releases.
If you're sufficiently dauntless, you could try a recompile of virt-v2v using a recent
change vetted by the Red Hat developers most closely associated with virt-v2v:
https://github.com/libguestfs/virt-v2v/pull/43 but this involves a number of dependent
libraries, and would not be supported until it is released into an authorized software
distribution.
8:39 p.m.
New subject: virt-v2v cannot authenticate with oVirt engine API with OAuth2
I found the oracle doc and reverted my installation back from keycloak to AAA and got the
migrations working. After we migrate some VMs we were able to revert back to keycloak.
It doesn't seem the cleanest way to go and I get afraid if something goes wrong when
you run the reconfiguration but so far it has worked for us.
246
days inactive
282
days old
5 comments
3 participants
participants (3)
-
Benny Zlotnik -
malcolm.strydom@pacxa.com -
randy.cunningham@sagelogix.com