Cannot import a qcow2 image

Hello,

I'm trying without success to import a qcow2 file into ovirt. I tried on an iSCSI data domain and an NFS data domain. I struggled quite a lot to have the "test connection" succeed (I wrote a small shell script to "deploy" letsencrypt certificates into the ovirt engine). The doc is not clear on the fact that certificates for imageio-proxy are different than for the main engine…

Now, the upload fails with:

Transfer was stopped by system. Reason: failed to add image ticket to ovirt-imageio-proxy.

The image gets stuck in "transfer paused by system". Any idea?

ovirt is up to date: 4.2.4 on both engine and hosts.

On Tue, 3 Jul 2018, 15:44 , <etienne.charlier@reduspaceservices.eu> wrote:
Hello,
I'm trying without success to import a qcow2 file into ovirt. I tried on an iSCSI data domain and an NFS data domain.
I struggled quite a lot to have the "test connection" succeed (I wrote a small shell script to "deploy" letsencrypt certificates into the ovirt engine).
The doc is not clear on the fact that certificates for imageio-proxy are different than for the main engine…
Now, the upload fails with
Transfer was stopped by system. Reason: failed to add image ticket to ovirt-imageio-proxy. The image gets stuck in "transfer paused by system"
Any idea?
You probably have a bad certificate configuration in the proxy. Why not use the default certificates generated by engine setup? This is how we test the proxy.
ovirt is up to date: 4.2.4 on both engine and hosts.
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/FTC3PBZCRRTI2L...

On Tue, Jul 3, 2018 at 11:47 PM Nir Soffer <nsoffer@redhat.com> wrote:
On Tue, 3 Jul 2018, 15:44 , <etienne.charlier@reduspaceservices.eu> wrote:
Hello,
I'm trying without success to import a qcow2 file into ovirt. I tried on an iSCSI data domain and an NFS data domain.
I struggled quite a lot to have the "test connection" succeed (I wrote a small shell script to "deploy" letsencrypt certificates into the ovirt engine).
The doc is not clear on the fact that certificates for imageio-proxy are different than for the main engine…
Now, the upload fails with
Transfer was stopped by system. Reason: failed to add image ticket to ovirt-imageio-proxy. The image gets stuck in "transfer paused by system"
Any idea?
You probably have a bad certificate configuration in the proxy. Why not use the default certificates generated by engine setup? This is how we test the proxy.
Can you share the contents of: /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
And the proxy log at /var/log/ovirt-imageio-proxy/image-proxy.log showing the time of the error (failed to add image ticket to ovirt-imageio-proxy.)
Nir
ovirt is up to date: 4.2.4 on both engine and hosts.

Thanks for getting back to me.

I wanted to "protect" my ovirt installation with letsencrypt certificates (to have a "green" bar in my Chrome browser). I set up a bastion host where I configured letsencrypt. I copied the certificates over to the ovirt engine machine and ran the script "convert.sh" (see attachment). (Still need to automate it to handle certificate renewal.)

Once this was in place, the test connection button (in the upload image UI) gave me a "green" "Connection to ovirt-imageio-proxy was successful."

Here is a copy of the engine.log and ovirt-imageio-proxy log files. The SSL paths are dumped in the log file.

Thanks for your support,
Etienne

On Wed, Jul 4, 2018 at 11:08 AM Etienne Charlier <Etienne.Charlier@reduspaceservices.eu> wrote:
Thanks for getting back to me.
I wanted to "protect" my ovirt installation with letsencrypt certificates (to have a "green" bar in my Chrome browser).
I think there is a misconception here. Using the engine builtin CA is more secure than any other CA, not less secure. You don't protect anything by using another CA. What you really need to do is to import the engine CA certificate to your browser, and this is also required for communicating with the proxy. Unless you know what you are doing, replacing the certificates with your own is going to be hard.
I set up a bastion host where I configured letsencrypt.
I copied the certificates over to the ovirt engine machine and ran the script "convert.sh" (see attachment). (Still need to automate it to handle certificate renewal.)
Once this was in place, the test connection button (in the upload image UI) gave me a "green" "Connection to ovirt-imageio-proxy was successful."
This means that the proxy is configured to use the new CA, but this is not enough to upload. The proxy has its own certificates, and they must be signed by the new CA.

So to use your own certificates, you have to regenerate both the engine certificates and the proxy certificates, and this process is not easy or documented yet.

If you created everything correctly, you need to configure the proxy to use the new certificates.

Finally, you need to restart ovirt-imageio-proxy, since it does not support reloading certificates or configuration changes yet.

I think the best solution for you is to use the engine builtin PKI, managed by engine-setup.

To "protect" your ovirt installation, add the engine CA to your browser using this link:
https://my.engine/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA

You save this file locally, and then you import this certificate into your browser. Using Chrome, you do:

1. go to: Settings > Advanced > Manage Certificates > Authorities
2. click "Import"
3. select the certificate
4. check "Trust this certificate for identifying web sites"
5. confirm
6. restart the browser
Here is a copy of the engine.log and ovirt-imageio-proxy log files. The SSL paths are dumped in the log file.
Thanks for your support,
Etienne
------------------------------
From: Nir Soffer <nsoffer@redhat.com>
Sent: Tuesday, 3 July 2018 23:31
To: Etienne Charlier
Cc: users@ovirt.org; Daniel Erez
Subject: Re: [ovirt-users] Cannot import a qcow2 image
On Tue, Jul 3, 2018 at 11:47 PM Nir Soffer <nsoffer@redhat.com> wrote:
On Tue, 3 Jul 2018, 15:44 , <etienne.charlier@reduspaceservices.eu> wrote:
Hello,
I'm trying without success to import a qcow2 file into ovirt. I tried on an iSCSI data domain and an NFS data domain.
I struggled quite a lot to have the "test connection" succeed (I wrote a small shell script to "deploy" letsencrypt certificates into the ovirt engine).
Doc is not clear on the fact that certificates for imageio-proxy are different than for main engine…
Now, the upload fails with
Transfer was stopped by system. Reason: failed to add image ticket to ovirt-imageio-proxy. Image gets stuck in "transfer paused by system"
Any idea?
You probably have a bad certificate configuration in the proxy. Why not use the default certificates generated by engine setup? This is how we test the proxy.
Can you share the contents of: /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
And the proxy log at /var/log/ovirt-imageio-proxy/image-proxy.log showing the time of the error (failed to add image ticket to ovirt-imageio-proxy.)
Nir
ovirt is up to date: 4.2.4 on both engine and hosts.
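Nir's point in the reply above is that a successful "test connection" only shows the proxy trusts the new CA; the proxy's own certificate must also be signed by a CA the engine trusts, and its private key must belong to that certificate, or the engine cannot hand it an image ticket. The script below is an added example, not code from this thread or from the oVirt project. It builds throwaway CAs and certificates with openssl in a temporary directory (all constructed material; the names engine-ca, other-ca, imageio-proxy and stray-proxy are made up for the demonstration) and shows the two offline checks worth running on the real proxy key and certificate before restarting the service: does the certificate verify against the CA file, and does the key match the certificate.

```shell
#!/bin/sh
# Added example: offline checks for a TLS key/certificate pair against a CA.
# All keys and certificates here are generated on the fly as test material.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA (key + certificate) named NAME
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# issue_leaf NAME CA: key + CSR for NAME, certificate signed by CA
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# chain_ok CA_PEM LEAF_PEM: succeeds only if LEAF_PEM chains to CA_PEM.
# This is the check that "test connection" does not perform for you.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY_PEM CERT_PEM: succeeds only if the public key derived
# from the private key equals the public key embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# report LABEL CA_PEM CERT_PEM KEY_PEM: one line summarising both checks
report() {
    if chain_ok "$2" "$3"; then chain=ok; else chain=FAIL; fi
    if key_matches_cert "$4" "$3"; then key=ok; else key=FAIL; fi
    echo "$1: chain=$chain key-matches-cert=$key"
}

# Constructed scenario: the CA the engine trusts, an unrelated CA, a proxy
# certificate issued by each.
make_ca engine-ca
make_ca other-ca
issue_leaf imageio-proxy engine-ca
issue_leaf stray-proxy other-ca

report "proxy cert signed by engine CA  " "$WORK/engine-ca.pem" \
    "$WORK/imageio-proxy.pem" "$WORK/imageio-proxy.key"
report "proxy cert signed by another CA " "$WORK/engine-ca.pem" \
    "$WORK/stray-proxy.pem" "$WORK/stray-proxy.key"
report "right cert, wrong private key   " "$WORK/engine-ca.pem" \
    "$WORK/imageio-proxy.pem" "$WORK/stray-proxy.key"
```

On a real engine the same two functions would be pointed at the CA file the engine trusts and at the key and certificate paths the proxy is configured with; only a pair that passes both checks is worth restarting the proxy for.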

On Wed, Jul 4, 2018 at 6:50 PM, Nir Soffer <nsoffer@redhat.com> wrote:
On Wed, Jul 4, 2018 at 11:08 AM Etienne Charlier <Etienne.Charlier@reduspaceservices.eu> wrote:
Thanks for getting back to me.
I wanted to "protect" my ovirt installation with letsencrypt certificates (to have a "green" bar in my Chrome browser).
I think there is a misconception here. Using the engine builtin CA is more secure than any other CA, not less secure. You don't protect anything by using another CA.
Well, not sure I agree, but not sure that's the point... The engine-internal CA is only protected by a unix ACL, on the engine machine. So if you manage to get root on it, you can do anything with the engine CA. Most reasonable CAs (including hopefully most organization-internal ones) have more than one level in the authority chain, with the root cert's key being kept offline in some safe, so it's harder to break.
What you really need to do is to import the engine CA certificate to your browser, and this is also required for communicating with the proxy.
Unless you know what you are doing, replacing the certificates with your own is going to be hard.
Should not be - we have this doc, and should update it as needed:
[1] https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/
Actually it's indeed somewhat out-of-date. See also:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1385617
which should be the only thing missing in:
[3] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/htm...
which is somewhat more up-to-date than [1] (has websocket-proxy).
I set up a bastion host where I configured letsencrypt.
I copied the certificates over to the ovirt engine machine and ran the script "convert.sh" (see attachment). (Still need to automate it to handle certificate renewal.)
Once this was in place, the test connection button (in the upload image UI) gave me a "green" "Connection to ovirt-imageio-proxy was successful."
This means that the proxy is configured to use the new CA, but this is not enough to upload. The proxy has its own certificates, and they must be signed by the new CA.
So to use your own certificates, you have to regenerate both the engine certificates, and the proxy certificates, and this process is not easy or documented yet.
Isn't this what the above bug [2] is about? You wrote there that it's OK to configure the proxy to use the same key/cert as Apache. Thanks,
If you created everything correctly, you need to configure the proxy to use the new certificates.
Finally, you need to restart ovirt-imageio-proxy, since it does not support reloading certificates or configuration changes yet.
I think the best solution for you is to use engine builtin PKI, managed by engine-setup.
To "protect" your ovirt installation, add the engine CA to your browser using this link:
https://my.engine/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
You save this file locally, and then you import this certificate into your browser.
Using Chrome, you do:
1. go to: Settings > Advanced > Manage Certificates > Authorities
2. click "Import"
3. select the certificate
4. check "Trust this certificate for identifying web sites"
5. confirm
6. restart the browser
Here is a copy of the engine.log and ovirt-imageio-proxy log files. The SSL paths are dumped in the log file.
Thanks for your support,
Etienne
------------------------------
From: Nir Soffer <nsoffer@redhat.com>
Sent: Tuesday, 3 July 2018 23:31
To: Etienne Charlier
Cc: users@ovirt.org; Daniel Erez
Subject: Re: [ovirt-users] Cannot import a qcow2 image
On Tue, Jul 3, 2018 at 11:47 PM Nir Soffer <nsoffer@redhat.com> wrote:
On Tue, 3 Jul 2018, 15:44 , <etienne.charlier@reduspaceservices.eu> wrote:
Hello,
I'm trying without success to import a qcow2 file into ovirt. I tried on an iSCSI data domain and an NFS data domain.
I struggled quite a lot to have the "test connection" succeed (I wrote a small shell script to "deploy" letsencrypt certificates into the ovirt engine).
Doc is not clear on the fact that certificates for imageio-proxy are different than for main engine…
Now, the upload fails with
Transfer was stopped by system. Reason: failed to add image ticket to ovirt-imageio-proxy. Image gets stuck in "transfer paused by system"
Any idea?
You probably have a bad certificate configuration in the proxy. Why not use the default certificates generated by engine setup? This is how we test the proxy.
Can you share the contents of: /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
And the proxy log at /var/log/ovirt-imageio-proxy/image-proxy.log showing the time of the error (failed to add image ticket to ovirt-imageio-proxy.)
Nir
ovirt is up to date: 4.2.4 on both engine and hosts.
-- Didi

Thanks a lot for your support!

I reinstalled a fresh ovirt-engine and managed to import the certificate. I managed to upload an image even with the self-signed certificates configured.

I think a "simple" way to allow letsencrypt certificates to be used for "external access" (web UI, API, ...) could be useful.

Anyway, thanks for your support.
Etienne

On Thu, Jul 5, 2018 at 4:55 PM <etienne.charlier@reduspaceservices.eu> wrote:
Thanks a lot for your support!
I reinstalled a fresh ovirt-engine and managed to import the certificate.
I managed to upload an image even with the self-signed certificates configured.
I think a "simple" way to allow letsencrypt certificates to be used for "external access" (web UI, API, ...) could be useful.
I agree.

Didi, can we integrate with letsencrypt to have engine/imageio certificates respected by browsers without additional configuration?

The need to import the CA into your browser to upload images is a big user experience issue. We see users failing to do it again and again.

Nir
Anyway, thanks for your support.
Etienne

From a user point of view... Letsencrypt or another certificate authority... it should not matter...

Just having one set of files (cer/key/ca-chain) with a clear name referenced from "all config files" would be the easiest... Once you get the certs from your provider, you just overwrite the files with your own, restart the services and "that's it" ;-)

Letsencrypt renewing does not have to be handled on the ovirt host (on a bastion host where LE is configured, a simple script can be run to update the certs and restart the services...)

My 0.02€
Etienne

On Fri, Jul 6, 2018 at 9:35 AM, <etienne.charlier@reduspaceservices.eu> wrote:
From a user point of view ...
Letsencrypt or another certificate authority ... it should not matter...
Just having one set of files (cer/key/ca-chain) with a clear name referenced from "all config files" would be the easiest...
Please realize that the engine CA is _mainly_ used to sign hosts' keys. We do not want to let the user do this with a 3rd party (well, until we fix bz 1134219 <https://bugzilla.redhat.com/show_bug.cgi?id=1134219>, see my other reply). Signing all the other keys is only done "because we can" :-), to simplify things by default.
Once you get the certs from your provider, you just overwrite the files with your own, restart the services and "that's it" ;-)
That's the one-line summary of: https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/ <https://bugzilla.redhat.com/show_bug.cgi?id=1134219> or at least that's the intention.
Letsencrypt renewing does not have to be handled on the ovirt host (on a bastion host where LE is configured, a simple script can be run to update the certs and restart the services...)
Indeed.
My 0.02€
Etienne
-- Didi

On Thu, Jul 5, 2018 at 5:20 PM, Nir Soffer <nsoffer@redhat.com> wrote:
On Thu, Jul 5, 2018 at 4:55 PM <etienne.charlier@reduspaceservices.eu> wrote:
Thanks a lot for your support!
I reinstalled a fresh ovirt-engine and managed to import the certificate.
I managed to upload an image even with the self-signed certificates configured.
I think a "simple" way to allow letsencrypt certificates to be used for "external access" (web UI, API, ...) could be useful.
I agree.
Didi, can we integrate with letsencrypt to have engine/imageio certificates respected by browsers without additional configuration?
I never looked specifically at this. We do have these open bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1336873
https://bugzilla.redhat.com/show_bug.cgi?id=1134219
If we want to specifically handle LE, please open a bug. Not sure we should.
The need to import the CA into your browser to upload images is a big user experience issue. We see users failing to do it again and again.
I guess we have here two different issues:

1. By default, we generate a different key/cert pair for imageio, rather than use the one for httpd. So a user accepting the cert for httpd still fails to use the cert for imageio, until it's accepted as well. Perhaps we should use by default the same pair? No idea why we decided to use a separate pair. Please open an RFE to use the same pair as httpd.

2. The procedure to use a 3rd-party CA does not mention imageio. That's already discussed earlier in this thread.

Best regards,
-- Didi

Hello,

A few comments from a novice...:

* Internal "stuff" (CA & certificates used to secure traffic between engine and hosts) should stay internal; users/admins shouldn't be aware of this.
* Visible "stuff" (CA & certs used to protect UI and API) should be easily modifiable.

One way of fulfilling those "requirements":

** One set of key/cert files shared between "all" public endpoints (API, UI, WebSockets, ImageIO...).
** Easily replaceable (e.g. a known file location, and a matter of reloading services after having updated the files).

IMHO, letsencrypt-specific stuff is not needed: we could write a "plugin" for acme.sh (running on another bastion host) responsible for pushing the renewed certs to the engine VM when needed.

participants (4)
- Etienne Charlier
- etienne.charlier@reduspaceservices.eu
- Nir Soffer
- Yedidyah Bar David