5:57 p.m.
We're moving to a new facility and pretty much building the
infrastructure out from scratch. As such, the oVirt 4.4 cluster at our
old location has floated under notice because it has just worked for
years. In July it seems some of the certs expired (specifically the
engine apache cert) and we just noticed it. I followed a post for
changing the apache cert and that allowed us to login to the engine web
interface, but nothing in the interface showed as connected. VMs are
still running, I even rebooted one via ssh before realizing the
certificate issues. In "Events" in the engine, it was complaining about
certs being expired on the hosts. I found this post to this mailing
list and followed the instructions possibly in error:
https://lists.ovirt.org/archives/list/users@ovirt.org/thread/NHJNETOIMSHD...
Now the engine won't start at all and I'm afraid I'm one power outage
away from complete disaster. I need to keep the old location up and
functioning for another 4-6 months, so any insights would be greatly
appreciated.
Sincerely,
Jason P. Thomas
7:08 p.m.
Hi,
'engine won't start at all' can mean two things:
1) OS can't boot and thus you can't do SSH. Assuming that we are talking
self-hosted engine, then you need to use command like below on host that runs ovengine VM
(virsh -c qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf list and
hosted-engine --vm-status might be helpful, VM should at least start to boot in order for
you to achieve connectivity via console):
hosted-engine --add-console-password --password=somepassword
and then connect via VNC to IP that you will see in output and password that you used
2) ovirt-engine service can't start
In that case it is likely that you will find reason of that in
journalctl -u ovirt-engine --no-pager
(/var/log/ovirt-engine/engine.log)
BR,
Konstantin
7:45 p.m.
Konstantin,
Right after I sent the email I got the engine running. The
libvirt-spice certs had incorrect ownership. It still is not connecting
to anything. Error in Events on the Engine is now: "VDSM
<hostname.fqdn> command Get Host Capabilities failed: General SSLEngine
problem"
So status right now is, all VMs are running. Engine web ui is
accessible. Engine shows all hosts as unassigned or Connecting or
NonResponsive with repeated entries of the above error in Events.
Sincerely,
Jason
On 8/4/23 13:08, konstantin.volenbovskyi--- via Users wrote:
8 p.m.
Sounds like the Host Certs need to be updated.. Or possibly even the
Engine CA Cert.
-derek
On Fri, August 4, 2023 1:45 pm, Jason P. Thomas wrote:
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
8:34 p.m.
Did you restart vdsm after updating the certs?
-derek
On Fri, August 4, 2023 2:12 pm, Jason P. Thomas wrote:
--
Derek Atkins 617-623-3745
derek(a)ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
11:30 p.m.
Hi,
I went through a similar ordeal half a year ago and forgot all the exact
procedures already but for me, in the end after following all the guides
and replacing the "standard" certs
it was either engine.p12 or apache.p12 keystore that also had outdated
certs (apparently mTLS is being used!).
Updating these keystores is not documented anywhere. No idea if you are
in the same situation but wanted to throw this out there.
Best regards, cen
On 4. 08. 23 20:12, Jason P. Thomas wrote:
> I updated the VDSM certs on the hosts and the apache cert on the
> engine. I'm guessing something is wrong with however the engine
> interacts with vdsm, I just don't know exactly what to do about it.
>
> Jason
>
> On 8/4/23 14:00, Derek Atkins wrote:
>> Sounds like the Host Certs need to be updated.. Or possibly even the
>> Engine CA Cert.
>>
>> -derek
>>
>> On Fri, August 4, 2023 1:45 pm, Jason P. Thomas wrote:
>>> Konstantin,
>>> Right after I sent the email I got the engine running. The
>>> libvirt-spice certs had incorrect ownership. It still is not
>>> connecting
>>> to anything. Error in Events on the Engine is now: "VDSM
>>> <hostname.fqdn> command Get Host Capabilities failed: General
SSLEngine
>>> problem"
>>>
>>> So status right now is, all VMs are running. Engine web ui is
>>> accessible. Engine shows all hosts as unassigned or Connecting or
>>> NonResponsive with repeated entries of the above error in Events.
>>>
>>> Sincerely,
>>> Jason
>>>
>>> On 8/4/23 13:08, konstantin.volenbovskyi--- via Users wrote:
>>>>> Now the engine won't start at all and I'm afraid I'm one
power outage
>>>>> away from complete disaster. I need to keep the old location up and
>>>>> functioning for another 4-6 months, so any insights would be greatly
>>>>> appreciated.
>>>> Hi,
>>>>
>>>> 'engine won't start at all' can mean two things:
>>>>
>>>> 1) OS can't boot and thus you can't do SSH. Assuming that we are
>>>> talking
>>>> self-hosted engine, then you need to use command like below on host
>>>> that
>>>> runs ovengine VM (virsh -c
>>>> qemu:///system?authfile=/etc/ovirt-hosted-engine/virsh_auth.conf list
>>>> and hosted-engine --vm-status might be helpful, VM should at least
>>>> start
>>>> to boot in order for you to achieve connectivity via console):
>>>> hosted-engine --add-console-password --password=somepassword
>>>> and then connect via VNC to IP that you will see in output and
>>>> password
>>>> that you used
>>>>
>>>> 2) ovirt-engine service can't start
>>>> In that case it is likely that you will find reason of that in
>>>> journalctl -u ovirt-engine --no-pager
>>>> (/var/log/ovirt-engine/engine.log)
>>>>
>>>> BR,
>>>> Konstantin
>>>> _______________________________________________
>>>> Users mailing list -- users(a)ovirt.org
>>>> To unsubscribe send an email to users-leave(a)ovirt.org
>>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>>> oVirt Code of Conduct:
>>>> https://www.ovirt.org/community/about/community-guidelines/
>>>> List Archives:
>>>>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PL4Q64G6IFU...
>>>>
>>> _______________________________________________
>>> Users mailing list -- users(a)ovirt.org
>>> To unsubscribe send an email to users-leave(a)ovirt.org
>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/H3M4O4TN67N...
>>>
>>>
>>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/3GFW2SRSZB5...
3:13 p.m.
cen,
apache.p12 was the first snowflake in this avalanche. I did find
something showing how to generate a new one and install it. That
actually allowed me to access the engine web interface again. Kinda
useless since the engine can't talk to any of the nodes though. Haha.
Thanks for the info. I'll look into the engine.p12 between sessions of
updating my resume. Haha
Thanks,
Jason
On 8/8/23 17:30, cen wrote:
3:22 p.m.
cen,
apache.p12 was the first snowflake in this avalanche. I did find
something showing how to generate a new one and install it. That
actually allowed me to access the engine web interface again. Kinda
useless since the engine can't talk to any of the nodes though. Haha.
Thanks for the info. I'll look into the engine.p12 between sessions of
updating my resume. Haha
Thanks,
Jason
On 8/8/23 17:30, cen wrote:
670
days inactive
673
days old
11 comments
5 participants
participants (5)
-
cen -
Derek Atkins -
Jason P. Thomas -
Jason P. Thomas -
konstantin.volenbovskyiï¼ haufe.com