8:22 a.m.
Yes, i use same manual to change WebUI SSL.
ovirt-ca-file= is a same SSL file which use WebUI.
Yes, i restart ovirt-provider-ovn, i restart engine, i restart all what i can restart.
Nothing...
12 сент. 2018 г., в 16:11, Dominik Holler <dholler(a)redhat.com>
написал(а):
On Wed, 12 Sep 2018 14:23:54 +0300
"Mail SET Inc. Group" <mail(a)set-pro.net> wrote:
> Ok!
Not exactly, please use users(a)ovirt.org for such questions.
Other should benefit from this questions, too.
Please write the next mail to users(a)ovirt.org and keep me in CC.
> What i did:
>
> 1) install oVirt «from box» (4.2.5.2-1.el7);
> 2) generate own ssl for my engine using my FreeIPA CA, Install it and
What means "Install it"? You can use the doc from the following link
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.2/...
Ensure that ovirt-ca-file= in
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
points to the correct file and ovirt-provider-ovn is restarted.
> get tis issue;
>
>
> [root@engine ~]# tail -n 50 /var/log/ovirt-provider-ovn.log
> 2018-09-12 14:10:23,828 root [SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed (_ssl.c:579) Traceback (most recent call
> last): File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py",
> line 133, in _handle_request method, path_parts, content
> File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py",
> line 175, in handle_request return
> self.call_response_handler(handler, content, parameters) File
> "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
> call_response_handler return response_handler(content, parameters)
> File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py",
> line 62, in post_tokens user_password=user_password) File
> "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 26, in
> create_token return auth.core.plugin.create_token(user_at_domain,
> user_password) File
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/plugin.py", line
> 48, in create_token timeout=self._timeout()) File
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75,
> in create_token username, password, engine_url, ca_file, timeout)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 91, in _get_sso_token timeout=timeout File
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54,
> in wrapper response = func(*args, **kwargs) File
> "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47,
> in wrapper raise BadGateway(e) BadGateway: [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
>
>
> [root@engine ~]# tail -n 20 /var/log/ovirt-engine/engine.log
> 2018-09-12 14:10:23,773+03 INFO
> [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock
> Acquired to object
>
'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]',
> sharedLocks=''}' 2018-09-12 14:10:23,778+03 INFO
> [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685]
> Running command: SyncNetworkProviderCommand internal: true.
> 2018-09-12 14:10:23,836+03 ERROR
> [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685]
> Command
> 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand'
> failed: EngineException: (Failed with error Bad Gateway and code
> 5050) 2018-09-12 14:10:23,837+03 INFO
> [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-47) [316db685] Lock
> freed to object
>
'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]',
> sharedLocks=''}' 2018-09-12 14:14:12,477+03 INFO
> [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default
> task-6) [] User admin@internal successfully logged in with scopes:
> ovirt-app-admin ovirt-app-api ovirt-app-portal
> ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all
> ovirt-ext=token-info:authz-search
> ovirt-ext=token-info:public-authz-search
> ovirt-ext=token-info:validate ovirt-ext=token:password-access
> 2018-09-12 14:14:12,587+03 INFO
> [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default
> task-6) [1bf1b763] Running command: CreateUserSessionCommand
> internal: false. 2018-09-12 14:14:12,628+03 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-6) [1bf1b763] EVENT_ID: USER_VDC_LOGIN(30), User
> admin@internal-authz connecting from '10.0.3.61' using session
>
's8jAm7BUJGlicthm6yZBA3CUM8QpRdtwFaK3M/IppfhB3fHFB9gmNf0cAlbl1xIhcJ2WX+ww7e71Ri+MxJSsIg=='
> logged in. 2018-09-12 14:14:30,972+03 INFO
> [org.ovirt.engine.core.bll.provider.ImportProviderCertificateCommand]
> (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] Running
> command: ImportProviderCertificateCommand internal: false. Entities
> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type:
> SystemAction group CREATE_STORAGE_POOL with role type ADMIN
> 2018-09-12 14:14:30,982+03 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (default task-6) [ee3cc8a7-4485-4fdf-a0c2-e9d67b5cfcd3] EVENT_ID:
> PROVIDER_CERTIFICATE_IMPORTED(213), Certificate for provider
> ovirt-provider-ovn was imported. (User: admin@internal-authz)
> 2018-09-12 14:14:31,006+03 INFO
> [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand]
> (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Running
> command: TestProviderConnectivityCommand internal: false. Entities
> affected : ID: aaa00000-0000-0000-0000-123456789aaa Type:
> SystemAction group CREATE_STORAGE_POOL with role type ADMIN
> 2018-09-12 14:14:31,058+03 ERROR
> [org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand]
> (default task-6) [a48d94ab-b0b2-42a2-a667-0525b4c652ea] Command
> 'org.ovirt.engine.core.bll.provider.TestProviderConnectivityCommand'
> failed: EngineException: (Failed with error Bad Gateway and code
> 5050) 2018-09-12 14:15:10,954+03 INFO
> [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService]
> (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread
> pool 'default' is using 0 threads out of 1, 5 threads waiting for
> tasks. 2018-09-12 14:15:10,954+03 INFO
> [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService]
> (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread
> pool 'engine' is using 0 threads out of 500, 16 threads waiting for
> tasks and 0 tasks in queue. 2018-09-12 14:15:10,954+03 INFO
> [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService]
> (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread
> pool 'engineScheduled' is using 0 threads out of 100, 100 threads
> waiting for tasks. 2018-09-12 14:15:10,954+03 INFO
> [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService]
> (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread
> pool 'engineThreadMonitoring' is using 1 threads out of 1, 0 threads
> waiting for tasks. 2018-09-12 14:15:10,954+03 INFO
> [org.ovirt.engine.core.bll.utils.ThreadPoolMonitoringService]
> (EE-ManagedThreadFactory-engineThreadMonitoring-Thread-1) [] Thread
> pool 'hostUpdatesChecker' is using 0 threads out of 5, 2 threads
> waiting for tasks. 2018-09-12 14:15:23,843+03 INFO
> [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock
> Acquired to object
>
'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]',
> sharedLocks=''}' 2018-09-12 14:15:23,849+03 INFO
> [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f]
> Running command: SyncNetworkProviderCommand internal: true.
> 2018-09-12 14:15:23,900+03 ERROR
> [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f]
> Command
> 'org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand'
> failed: EngineException: (Failed with error Bad Gateway and code
> 5050) 2018-09-12 14:15:23,901+03 INFO
> [org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand]
> (EE-ManagedThreadFactory-engineScheduled-Thread-61) [2455041f] Lock
> freed to object
>
'EngineLock:{exclusiveLocks='[14e4fb72-9764-4757-b37d-4d487995571a=PROVIDER]',
> sharedLocks=''}'
>
>
> [root@engine ~]#
> cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf #
> This file is automatically generated by engine-setup. Please do not
> edit manually [OVN REMOTE] ovn-remote=ssl:127.0.0.1:6641
> [SSL]
> https-enabled=true
> ssl-cacert-file=/etc/pki/ovirt-engine/ca.pem
> ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
> ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass
> [OVIRT]
> ovirt-sso-client-secret=Ms7Gw9qNT6IkXu7oA54tDmxaZDIukABV
> ovirt-host=https://engine.set.local:443
> ovirt-sso-client-id=ovirt-provider-ovn
> ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
> [PROVIDER]
> provider-host=engine.set.local
>
>
>> 12 сент. 2018 г., в 13:59, Dominik Holler <dholler(a)redhat.com>
>> написал(а):
>>
>> On Wed, 12 Sep 2018 13:04:53 +0300
>> "Mail SET Inc. Group" <mail(a)set-pro.net> wrote:
>>
>>> Hello Dominik!
>>> I have a same issue with OVN provider and SSL
>>> https://www.mail-archive.com/users@ovirt.org/msg47020.html
>>> <https://www.mail-archive.com/users@ovirt.org/msg47020.html> But
>>> certificate changes not helps to resolve it. Maybe you can help me
>>> with this?
>>
>> Sure. Can you please share the relevant lines of
>> ovirt-provider-ovn.log and engine.log, and the information if you
>> are using the certificates generated by engine-setup with
>> users(a)ovirt.org ? Thanks,
>> Dominik
>>
>
2:53 p.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
Hello!
Get problems with clean installation 4.3.6.6-1.el7 and OVN
When i try to test OVN get notification:
«Import provider certificate»
Do you approve trusting self signed certificate subject CN=Certificate Authority,
O=SET.LOCAL, SHA-1 fingerprint a9d9b91160bb306667a521e6f2c66037ddc437cb?
When i’m press «Yes», see old problem:
Failed to communicate with the external provider, see log for additional details.
[root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
timeout=self._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in
create_token
username, password, engine_url, ca_file, timeout)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in
_get_sso_token
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in
wrapper
response = func(*args, **kwargs)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in
wrapper
raise BadGateway(e)
BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
# This file is automatically generated by engine-setup. Please do not edit manually
[OVN REMOTE]
ovn-remote=ssl:127.0.0.1:6641
[SSL]
https-enabled=true
ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
[OVIRT]
ovirt-sso-client-id=ovirt-provider-ovn
ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
ovirt-host=https://engine.set.local:443/ovirt-engine/
ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
[NETWORK]
port-security-enabled-default=True
[PROVIDER]
provider-host=engine.set.local
[root@engine ~]# python -c "import requests; \
print requests.get('https://engine.set.local', \
verify='/etc/pki/ovirt-engine/apache-ca.pem')"
<Response [200]>
What’s wrong ?
5:07 p.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
Few hours later i'm fixed SSL error, but get a new error
2019-10-02 01:02:38,369 root Starting server
2019-10-02 01:02:38,369 root Version: 1.2.22-1
2019-10-02 01:02:38,369 root Build date: 20190509114402
2019-10-02 01:02:38,369 root Githash: 38acbde
2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644 Request: POST /v2.0/tokens
2019-10-02 01:02:46,471 root Request body:
{"auth": {"passwordCredentials": {"username":
"admin@internal", "password": "<PASSWORD_HIDDEN>"}}}
2019-10-02 01:02:46,472 root Error during SSO authentication invalid_request : Missing
parameter: 'client_secret'
Traceback (most recent call last):
File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138, in
_handle_request
method, path_parts, content
File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175,
in handle_request
return self.call_response_handler(handler, content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
call_response_handler
return response_handler(content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 69,
in post_tokens
if not auth.validate_token(token):
File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31, in
validate_token
return auth.core.plugin.validate_token(token)
File
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
line 36, in validate_token
return self._is_user_name(token, _admin_user_name())
File
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
line 47, in _is_user_name
timeout=AuthorizationByUserName._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 131, in
get_token_info
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55, in
wrapper
_check_for_error(response)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181, in
_check_for_error
result['error'], details))
Unauthorized: Error during SSO authentication invalid_request : Missing parameter:
'client_secret'
1 окт. 2019 г., в 22:53, Mail SET Inc. Group <mail(a)set-pro.net>
написал(а):
Hello!
Get problems with clean installation 4.3.6.6-1.el7 and OVN
When i try to test OVN get notification:
«Import provider certificate»
Do you approve trusting self signed certificate subject CN=Certificate Authority,
O=SET.LOCAL, SHA-1 fingerprint a9d9b91160bb306667a521e6f2c66037ddc437cb?
When i’m press «Yes», see old problem:
Failed to communicate with the external provider, see log for additional details.
[root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
timeout=self._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75, in
create_token
username, password, engine_url, ca_file, timeout)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91, in
_get_sso_token
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54, in
wrapper
response = func(*args, **kwargs)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47, in
wrapper
raise BadGateway(e)
BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
# This file is automatically generated by engine-setup. Please do not edit manually
[OVN REMOTE]
ovn-remote=ssl:127.0.0.1:6641
[SSL]
https-enabled=true
ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
[OVIRT]
ovirt-sso-client-id=ovirt-provider-ovn
ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
ovirt-host=https://engine.set.local:443/ovirt-engine/
<https://engine.set.local/ovirt-engine/>
ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
[NETWORK]
port-security-enabled-default=True
[PROVIDER]
provider-host=engine.set.local
[root@engine ~]# python -c "import requests; \
print requests.get('https://engine.set.local <https://engine.set.local/>';,
\
verify='/etc/pki/ovirt-engine/apache-ca.pem')"
<Response [200]>
What’s wrong ?
2:11 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group <mail(a)set-pro.net>
wrote:
Few hours later i'm fixed SSL error,
Would you share how you fixed the error?
This might also help to understand the next issue.
but get a new error
2019-10-02 01:02:38,369 root Starting server
2019-10-02 01:02:38,369 root Version: 1.2.22-1
2019-10-02 01:02:38,369 root Build date: 20190509114402
2019-10-02 01:02:38,369 root Githash: 38acbde
2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644 Request: POST
/v2.0/tokens
2019-10-02 01:02:46,471 root Request body:
{"auth": {"passwordCredentials": {"username":
"admin@internal",
"password": "<PASSWORD_HIDDEN>"}}}
2019-10-02 01:02:46,472 root Error during SSO authentication
invalid_request : Missing parameter: 'client_secret'
Traceback (most recent call last):
File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138,
in _handle_request
method, path_parts, content
File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line
175, in handle_request
return self.call_response_handler(handler, content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
call_response_handler
return response_handler(content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py",
line 69, in post_tokens
if not auth.validate_token(token):
File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31, in
validate_token
return auth.core.plugin.validate_token(token)
File
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
line 36, in validate_token
return self._is_user_name(token, _admin_user_name())
File
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
line 47, in _is_user_name
timeout=AuthorizationByUserName._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
131, in get_token_info
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55,
in wrapper
_check_for_error(response)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
181, in _check_for_error
result['error'], details))
Unauthorized: Error during SSO authentication invalid_request : Missing
parameter: 'client_secret'
looks like the
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
does not fit to engine's db.
Maybe most easy would be to move the current
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the configuration
by using the
parameter '--reconfigure-optional-components' of engine-setup.
Was the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
modified outside engine-setup?
1 окт. 2019 г., в 22:53, Mail SET Inc. Group
<mail(a)set-pro.net>
написал(а):
Hello!
Get problems with clean installation 4.3.6.6-1.el7 and OVN
When i try to test OVN get notification:
«Import provider certificate»
Do you approve trusting self signed certificate subject CN=Certificate
Authority, O=SET.LOCAL, SHA-1 fingerprint
a9d9b91160bb306667a521e6f2c66037ddc437cb?
When i’m press «Yes», see old problem:
Failed to communicate with the external provider, see log for additional
details.
[root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
timeout=self._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75,
in create_token
username, password, engine_url, ca_file, timeout)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91,
in _get_sso_token
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54,
in wrapper
response = func(*args, **kwargs)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47,
in wrapper
raise BadGateway(e)
BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:618)
[root@engine ~]# cat
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
# This file is automatically generated by engine-setup. Please do not edit
manually
[OVN REMOTE]
ovn-remote=ssl:127.0.0.1:6641
[SSL]
https-enabled=true
ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
[OVIRT]
ovirt-sso-client-id=ovirt-provider-ovn
ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
ovirt-host=https://engine.set.local:443/ovirt-engine/
<https://engine.set.local/ovirt-engine/>
ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
[NETWORK]
port-security-enabled-default=True
[PROVIDER]
provider-host=engine.set.local
[root@engine ~]# python -c "import requests; \
print requests.get('https://engine.set.local', \
verify='/etc/pki/ovirt-engine/apache-ca.pem')"
<Response [200]>
What’s wrong ?
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLR...
5:17 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
Something strange happens..
What changes i do. I change Engine SSL using this
https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html
<https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL.html> manual
I'm don’t checked how work OVN before changes. Of course i modiied
'/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf' because i
changed engine certificate.
What i see today:
2019-10-02 13:02:47,854 root From: ::ffff:172.19.0.10:60482 Request: GET /v2.0/
2019-10-02 13:02:47,854 root [('SSL routines',
'ssl3_get_server_certificate', 'certificate verify failed')]
Traceback (most recent call last):
File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138, in
_handle_request
method, path_parts, content
File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175,
in handle_request
return self.call_response_handler(handler, content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/neutron.py", line 35, in
call_response_handler
with NeutronApi() as ovn_north:
File "/usr/share/ovirt-provider-ovn/neutron/neutron_api.py", line 77, in
__init__
self.ovsidl, self.idl = ovn_connection.connect()
File "/usr/share/ovirt-provider-ovn/ovn_connection.py", line 43, in connect
ovnconst.OVN_NORTHBOUND
File
"/usr/lib/python2.7/site-packages/ovsdbapp/backend/ovs_idl/connection.py", line
127, in from_server
helper = idlutils.get_schema_helper(connection_string, schema_name)
File "/usr/lib/python2.7/site-packages/ovsdbapp/backend/ovs_idl/idlutils.py",
line 118, in get_schema_helper
stream.Stream.open(connection))
File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 226, in
open_block
error = stream.connect()
File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 802, in connect
self.socket.do_handshake()
File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1716, in
do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1456, in
_raise_ssl_error
_raise_current_error()
File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in
exception_from_error_queue
raise exception_type(errors)
Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate
verify failed')]
My config:
# This file is automatically generated by engine-setup. Please do not edit manually
[OVN REMOTE]
ovn-remote=ssl:127.0.0.1:6641
[SSL]
https-enabled=true
#ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
#ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
#ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass
ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
ssl-cert-file=/etc/pki/ovirt-engine/certs/ovirt-provider-ovn.cer
ssl-key-file=/etc/pki/ovirt-engine/keys/ovirt-provider-ovn.key.nopass
[OVIRT]
ovirt-host=https://engine.set.local:443
ovirt-base=/ovirt-engine
ovirt-auth-timeout=110
ovirt-sso-client-id=ovirt-provider-ovn
ovirt-sso-client-secret=PzrrA0GBGwBzlKcf2s3j6PZK1BONTQG6FR6UxPWNqYY
#ovirt-sso-client-secret=HO0GftT4aT1SvuDZhqB0NInAeHr5OsNu
ovirt-admin-user-name=admin@internal
ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem
[NETWORK]
port-security-enabled-default=True
[PROVIDER]
provider-host=engine.set.local
Now try '--reconfigure-optional-components' of engine-setup.
2 окт. 2019 г., в 10:11, Dominik Holler <dholler(a)redhat.com>
написал(а):
On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group <mail(a)set-pro.net
<mailto:mail@set-pro.net>> wrote:
Few hours later i'm fixed SSL error,
Would you share how you fixed the error?
This might also help to understand the next issue.
but get a new error
2019-10-02 01:02:38,369 root Starting server
2019-10-02 01:02:38,369 root Version: 1.2.22-1
2019-10-02 01:02:38,369 root Build date: 20190509114402
2019-10-02 01:02:38,369 root Githash: 38acbde
2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644
<http://172.19.0.10:33644/> Request: POST /v2.0/tokens
2019-10-02 01:02:46,471 root Request body:
{"auth": {"passwordCredentials": {"username":
"admin@internal", "password": "<PASSWORD_HIDDEN>"}}}
2019-10-02 01:02:46,472 root Error during SSO authentication invalid_request : Missing
parameter: 'client_secret'
Traceback (most recent call last):
File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138, in
_handle_request
method, path_parts, content
File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175,
in handle_request
return self.call_response_handler(handler, content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
call_response_handler
return response_handler(content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 69,
in post_tokens
if not auth.validate_token(token):
File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31, in
validate_token
return auth.core.plugin.validate_token(token)
File
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
line 36, in validate_token
return self._is_user_name(token, _admin_user_name())
File
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
line 47, in _is_user_name
timeout=AuthorizationByUserName._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 131, in
get_token_info
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55, in
wrapper
_check_for_error(response)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181, in
_check_for_error
result['error'], details))
Unauthorized: Error during SSO authentication invalid_request : Missing parameter:
'client_secret'
looks like the
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
does not fit to engine's db.
Maybe most easy would be to move the current
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the configuration by using the
parameter '--reconfigure-optional-components' of engine-setup.
Was the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf modified
outside engine-setup?
> 1 окт. 2019 г., в 22:53, Mail SET Inc. Group <mail(a)set-pro.net
<mailto:mail@set-pro.net>> написал(а):
>
> Hello!
> Get problems with clean installation 4.3.6.6-1.el7 and OVN
>
> When i try to test OVN get notification:
> «Import provider certificate»
> Do you approve trusting self signed certificate subject CN=Certificate Authority,
O=SET.LOCAL, SHA-1 fingerprint a9d9b91160bb306667a521e6f2c66037ddc437cb?
>
> When i’m press «Yes», see old problem:
> Failed to communicate with the external provider, see log for additional details.
>
> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
> timeout=self._timeout())
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75,
in create_token
> username, password, engine_url, ca_file, timeout)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91,
in _get_sso_token
> timeout=timeout
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54,
in wrapper
> response = func(*args, **kwargs)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47,
in wrapper
> raise BadGateway(e)
> BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>
> [root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> # This file is automatically generated by engine-setup. Please do not edit manually
> [OVN REMOTE]
> ovn-remote=ssl:127.0.0.1:6641 <http://127.0.0.1:6641/>
> [SSL]
> https-enabled=true
> ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
> ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
> ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
> [OVIRT]
> ovirt-sso-client-id=ovirt-provider-ovn
> ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
> ovirt-host=https://engine.set.local:443/ovirt-engine/
<https://engine.set.local/ovirt-engine/>
> ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
> [NETWORK]
> port-security-enabled-default=True
> [PROVIDER]
> provider-host=engine.set.local
>
> [root@engine ~]# python -c "import requests; \
> print requests.get('https://engine.set.local
<https://engine.set.local/>';, \
> verify='/etc/pki/ovirt-engine/apache-ca.pem')"
> <Response [200]>
>
> What’s wrong ?
_______________________________________________
Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org>
To unsubscribe send an email to users-leave(a)ovirt.org
<mailto:users-leave@ovirt.org>
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
<https://www.ovirt.org/site/privacy-policy/>
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
<https://www.ovirt.org/community/about/community-guidelines/>
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLR...
<https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLR...
5:29 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
--reconfigure-optional-components not helps. And the file
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf not exists after setup.
[root@engine ~]# rm /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
[root@engine ~]# engine-setup --reconfigure-optional-components
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files:
['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf',
'/etc/ovirt-engine-setup.conf.d/10-packaging.conf',
'/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
Log file:
/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment setup (late)
[ INFO ] Stage: Environment customization
--== PRODUCT OPTIONS ==--
Set up Cinderlib integration
(Currently in tech preview)
(Yes, No) [No]:
[ INFO ] ovirt-provider-ovn already installed, skipping.
--== PACKAGES ==--
[ INFO ] Checking for product updates...
[ INFO ] No product updates found
--== NETWORK CONFIGURATION ==--
Setup can automatically configure the firewall on this system.
Note: automatic configuration of the firewall may overwrite current settings.
NOTICE: iptables is deprecated and will be removed in future releases
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO ] firewalld will be configured as firewall manager.
--== DATABASE CONFIGURATION ==--
The detected DWH database size is 111 MB.
Setup can backup the existing database. The time and space required for the
database backup depend on its size. This process takes time, and in some cases (for
instance, when the size is few GBs) may take several hours to complete.
If you choose to not back up the database, and Setup later fails for some
reason, it will not be able to restore the database and all DWH data will be lost.
Would you like to backup the existing database before upgrading it? (Yes, No)
[Yes]:
Perform full vacuum on the oVirt engine history
database ovirt_engine_history@localhost?
This operation may take a while depending on this setup health and the
configuration of the db vacuum process.
See https://www.postgresql.org/docs/10/sql-vacuum.html
(Yes, No) [No]:
--== OVIRT ENGINE CONFIGURATION ==--
Perform full vacuum on the engine database engine@localhost?
This operation may take a while depending on this setup health and the
configuration of the db vacuum process.
See https://www.postgresql.org/docs/10/sql-vacuum.html
(Yes, No) [No]:
--== STORAGE CONFIGURATION ==--
--== PKI CONFIGURATION ==--
[WARNING] Failed to read or parse '/etc/pki/ovirt-engine/keys/apache.p12'
Perhaps it was changed since last Setup.
Error was:
Mac verify error: invalid password?
--== APACHE CONFIGURATION ==--
--== SYSTEM CONFIGURATION ==--
--== MISC CONFIGURATION ==--
--== END OF CONFIGURATION ==--
[ INFO ] Stage: Setup validation
During execution engine service will be stopped (OK, Cancel) [OK]:
[ INFO ] Hosted Engine HA is in Global Maintenance mode.
[WARNING] Less than 16384MB of memory is available
[ INFO ] Cleaning stale zombie tasks and commands
--== CONFIGURATION PREVIEW ==--
Default SAN wipe after delete : False
Firewall manager : firewalld
Update Firewall : True
Host FQDN : engine.set.local
Set up Cinderlib integration : False
Engine database secured connection : False
Engine database user name : engine
Engine database name : engine
Engine database host : localhost
Engine database port : 5432
Engine database host name validation : False
Engine installation : True
PKI organization : set.local
Set up ovirt-provider-ovn : True
Configure WebSocket Proxy : True
DWH installation : True
DWH database secured connection : False
DWH database host : localhost
DWH database user name : ovirt_engine_history
DWH database name : ovirt_engine_history
Backup DWH database : True
DWH database port : 5432
DWH database host name validation : False
Configure Image I/O Proxy : True
Configure VMConsole Proxy : True
Please confirm installation settings (OK, Cancel) [OK]:
[ INFO ] Cleaning async tasks and compensations
[ INFO ] Unlocking existing entities
[ INFO ] Checking the Engine database consistency
[ INFO ] Stage: Transaction setup
[ INFO ] Stopping engine service
[ INFO ] Stopping ovirt-fence-kdump-listener service
[ INFO ] Stopping dwh service
[ INFO ] Stopping Image I/O Proxy service
[ INFO ] Stopping vmconsole-proxy service
[ INFO ] Stopping websocket-proxy service
[ INFO ] Stage: Misc configuration (early)
[ INFO ] Stage: Package installation
[ INFO ] Stage: Misc configuration
[ INFO ] Upgrading CA
[ INFO ] Updating /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf to use apache key and
certificate
[ INFO ] Backing up database localhost:ovirt_engine_history to
'/var/lib/ovirt-engine-dwh/backups/dwh-20191002132135.4DV89M.dump'.
[ INFO ] Creating/refreshing DWH database schema
[ INFO ] Configuring Image I/O Proxy
[ INFO ] Configuring WebSocket Proxy
[ INFO ] Backing up database localhost:engine to
'/var/lib/ovirt-engine/backups/engine-20191002132145.CzmG31.dump'.
[ INFO ] Creating/refreshing Engine database schema
[ INFO ] Creating/refreshing Engine 'internal' domain database schema
Unregistering existing client registration info.
[ INFO ] Generating post install configuration file
'/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf'
[ INFO ] Stage: Transaction commit
[ INFO ] Stage: Closing up
[ INFO ] Starting engine service
[ INFO ] Starting dwh service
[ INFO ] Restarting ovirt-vmconsole proxy service
--== SUMMARY ==--
[ INFO ] Restarting httpd
Web access is enabled at:
http://engine.set.local:80/ovirt-engine
https://engine.set.local:443/ovirt-engine
Internal CA 98:A1:43:62:A6:0E:FE:4E:13:FA:0E:3F:F8:68:0C:62:01:31:16:BA
SSH fingerprint: SHA256:NrIqDX9x7XrqE7CXpm/D9xpqnF9J162+42xiFiR5m1s
[WARNING] Less than 16384MB of memory is available
--== END OF SUMMARY ==--
[ INFO ] Stage: Clean up
Log file is located at
/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
[ INFO ] Generating answer file
'/var/lib/ovirt-engine/setup/answers/20191002132222-setup.conf'
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
[ INFO ] Execution of setup completed successfully
[root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
error = stream.connect()
File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 802, in connect
self.socket.do_handshake()
File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1716, in
do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1456, in
_raise_ssl_error
_raise_current_error()
File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in
exception_from_error_queue
raise exception_type(errors)
Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate
verify failed’)]
[root@engine ~]# ls -la /etc/ovirt-provider-ovn/conf.d/
итого 4
drwxr-xr-x. 2 root root 20 окт 2 13:19 .
drwxr-xr-x. 3 root root 70 окт 2 01:14 ..
-rw-r--r--. 1 root root 194 май 9 14:44 README
2 окт. 2019 г., в 10:11, Dominik Holler <dholler(a)redhat.com>
написал(а):
On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group <mail(a)set-pro.net
<mailto:mail@set-pro.net>> wrote:
Few hours later i'm fixed SSL error,
Would you share how you fixed the error?
This might also help to understand the next issue.
but get a new error
2019-10-02 01:02:38,369 root Starting server
2019-10-02 01:02:38,369 root Version: 1.2.22-1
2019-10-02 01:02:38,369 root Build date: 20190509114402
2019-10-02 01:02:38,369 root Githash: 38acbde
2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644
<http://172.19.0.10:33644/> Request: POST /v2.0/tokens
2019-10-02 01:02:46,471 root Request body:
{"auth": {"passwordCredentials": {"username":
"admin@internal", "password": "<PASSWORD_HIDDEN>"}}}
2019-10-02 01:02:46,472 root Error during SSO authentication invalid_request : Missing
parameter: 'client_secret'
Traceback (most recent call last):
File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 138, in
_handle_request
method, path_parts, content
File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 175,
in handle_request
return self.call_response_handler(handler, content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
call_response_handler
return response_handler(content, parameters)
File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py", line 69,
in post_tokens
if not auth.validate_token(token):
File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31, in
validate_token
return auth.core.plugin.validate_token(token)
File
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
line 36, in validate_token
return self._is_user_name(token, _admin_user_name())
File
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
line 47, in _is_user_name
timeout=AuthorizationByUserName._timeout())
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 131, in
get_token_info
timeout=timeout
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 55, in
wrapper
_check_for_error(response)
File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 181, in
_check_for_error
result['error'], details))
Unauthorized: Error during SSO authentication invalid_request : Missing parameter:
'client_secret'
looks like the
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
does not fit to engine's db.
Maybe most easy would be to move the current
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the configuration by using the
parameter '--reconfigure-optional-components' of engine-setup.
Was the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf modified
outside engine-setup?
> 1 окт. 2019 г., в 22:53, Mail SET Inc. Group <mail(a)set-pro.net
<mailto:mail@set-pro.net>> написал(а):
>
> Hello!
> Get problems with clean installation 4.3.6.6-1.el7 and OVN
>
> When i try to test OVN get notification:
> «Import provider certificate»
> Do you approve trusting self signed certificate subject CN=Certificate Authority,
O=SET.LOCAL, SHA-1 fingerprint a9d9b91160bb306667a521e6f2c66037ddc437cb?
>
> When i’m press «Yes», see old problem:
> Failed to communicate with the external provider, see log for additional details.
>
> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
> timeout=self._timeout())
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 75,
in create_token
> username, password, engine_url, ca_file, timeout)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 91,
in _get_sso_token
> timeout=timeout
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 54,
in wrapper
> response = func(*args, **kwargs)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line 47,
in wrapper
> raise BadGateway(e)
> BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>
> [root@engine ~]# cat /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> # This file is automatically generated by engine-setup. Please do not edit manually
> [OVN REMOTE]
> ovn-remote=ssl:127.0.0.1:6641 <http://127.0.0.1:6641/>
> [SSL]
> https-enabled=true
> ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
> ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
> ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
> [OVIRT]
> ovirt-sso-client-id=ovirt-provider-ovn
> ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
> ovirt-host=https://engine.set.local:443/ovirt-engine/
<https://engine.set.local/ovirt-engine/>
> ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
> [NETWORK]
> port-security-enabled-default=True
> [PROVIDER]
> provider-host=engine.set.local
>
> [root@engine ~]# python -c "import requests; \
> print requests.get('https://engine.set.local
<https://engine.set.local/>';, \
> verify='/etc/pki/ovirt-engine/apache-ca.pem')"
> <Response [200]>
>
> What’s wrong ?
_______________________________________________
Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org>
To unsubscribe send an email to users-leave(a)ovirt.org
<mailto:users-leave@ovirt.org>
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
<https://www.ovirt.org/site/privacy-policy/>
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
<https://www.ovirt.org/community/about/community-guidelines/>
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLR...
<https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLR...
2:33 p.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
Hello!
Still have this problem. After updates and searching for resolution.. Need help with this.
3:23 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
On Wed, Oct 2, 2019 at 12:29 PM Mail SET Inc. Group <mail(a)set-pro.net>
wrote:
--reconfigure-optional-components not helps. And the file
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
not exists after setup.
[root@engine ~]# rm
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
[root@engine ~]# engine-setup --reconfigure-optional-components
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files:
['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf',
'/etc/ovirt-engine-setup.conf.d/10-packaging.conf',
'/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
Log file:
/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment setup (late)
[ INFO ] Stage: Environment customization
--== PRODUCT OPTIONS ==--
Set up Cinderlib integration
(Currently in tech preview)
(Yes, No) [No]:
[ INFO ] ovirt-provider-ovn already installed, skipping.
The old installation is still detected.
1. backup /etc/ovirt-provider-ovn/
2. restore the original /etc/ovirt-provider-ovn/ovirt-provider-ovn.conf,
e.g. to
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/ovirt-pr...
3. /backup etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf,
4. rename ovirt-provider-ovn external provider entity in oVirt webadmin,
5. comment OVESETUP_OVN/ovirtProviderOvnId
in /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf
6. engine-setup --reconfigure-optional-components
7. If modifications of the certificates are required, please create a new
file in /etc/ovirt-provider-ovn/conf.d/ , e.g. 50-ssl-modifications
Do these steps solve the problem for you?
Dec 18 21:01:02 <dholler> password should be the usual admin@interal
password
--== PACKAGES ==--
[ INFO ] Checking for product updates...
[ INFO ] No product updates found
--== NETWORK CONFIGURATION ==--
Setup can automatically configure the firewall on this system.
Note: automatic configuration of the firewall may overwrite
current settings.
NOTICE: iptables is deprecated and will be removed in future
releases
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO ] firewalld will be configured as firewall manager.
--== DATABASE CONFIGURATION ==--
The detected DWH database size is 111 MB.
Setup can backup the existing database. The time and space
required for the database backup depend on its size. This process takes
time, and in some cases (for instance, when the size is few GBs) may take
several hours to complete.
If you choose to not back up the database, and Setup later fails
for some reason, it will not be able to restore the database and all DWH
data will be lost.
Would you like to backup the existing database before upgrading
it? (Yes, No) [Yes]:
Perform full vacuum on the oVirt engine history
database ovirt_engine_history@localhost?
This operation may take a while depending on this setup health
and the
configuration of the db vacuum process.
See https://www.postgresql.org/docs/10/sql-vacuum.html
(Yes, No) [No]:
--== OVIRT ENGINE CONFIGURATION ==--
Perform full vacuum on the engine database engine@localhost?
This operation may take a while depending on this setup health
and the
configuration of the db vacuum process.
See https://www.postgresql.org/docs/10/sql-vacuum.html
(Yes, No) [No]:
--== STORAGE CONFIGURATION ==--
--== PKI CONFIGURATION ==--
[WARNING] Failed to read or parse '/etc/pki/ovirt-engine/keys/apache.p12'
Perhaps it was changed since last Setup.
Error was:
Mac verify error: invalid password?
--== APACHE CONFIGURATION ==--
--== SYSTEM CONFIGURATION ==--
--== MISC CONFIGURATION ==--
--== END OF CONFIGURATION ==--
[ INFO ] Stage: Setup validation
During execution engine service will be stopped (OK, Cancel)
[OK]:
[ INFO ] Hosted Engine HA is in Global Maintenance mode.
[WARNING] Less than 16384MB of memory is available
[ INFO ] Cleaning stale zombie tasks and commands
--== CONFIGURATION PREVIEW ==--
Default SAN wipe after delete : False
Firewall manager : firewalld
Update Firewall : True
Host FQDN : engine.set.local
Set up Cinderlib integration : False
Engine database secured connection : False
Engine database user name : engine
Engine database name : engine
Engine database host : localhost
Engine database port : 5432
Engine database host name validation : False
Engine installation : True
PKI organization : set.local
Set up ovirt-provider-ovn : True
Configure WebSocket Proxy : True
DWH installation : True
DWH database secured connection : False
DWH database host : localhost
DWH database user name : ovirt_engine_history
DWH database name : ovirt_engine_history
Backup DWH database : True
DWH database port : 5432
DWH database host name validation : False
Configure Image I/O Proxy : True
Configure VMConsole Proxy : True
Please confirm installation settings (OK, Cancel) [OK]:
[ INFO ] Cleaning async tasks and compensations
[ INFO ] Unlocking existing entities
[ INFO ] Checking the Engine database consistency
[ INFO ] Stage: Transaction setup
[ INFO ] Stopping engine service
[ INFO ] Stopping ovirt-fence-kdump-listener service
[ INFO ] Stopping dwh service
[ INFO ] Stopping Image I/O Proxy service
[ INFO ] Stopping vmconsole-proxy service
[ INFO ] Stopping websocket-proxy service
[ INFO ] Stage: Misc configuration (early)
[ INFO ] Stage: Package installation
[ INFO ] Stage: Misc configuration
[ INFO ] Upgrading CA
[ INFO ] Updating /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf to
use apache key and certificate
[ INFO ] Backing up database localhost:ovirt_engine_history to
'/var/lib/ovirt-engine-dwh/backups/dwh-20191002132135.4DV89M.dump'.
[ INFO ] Creating/refreshing DWH database schema
[ INFO ] Configuring Image I/O Proxy
[ INFO ] Configuring WebSocket Proxy
[ INFO ] Backing up database localhost:engine to
'/var/lib/ovirt-engine/backups/engine-20191002132145.CzmG31.dump'.
[ INFO ] Creating/refreshing Engine database schema
[ INFO ] Creating/refreshing Engine 'internal' domain database schema
Unregistering existing client registration info.
[ INFO ] Generating post install configuration file
'/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf'
[ INFO ] Stage: Transaction commit
[ INFO ] Stage: Closing up
[ INFO ] Starting engine service
[ INFO ] Starting dwh service
[ INFO ] Restarting ovirt-vmconsole proxy service
--== SUMMARY ==--
[ INFO ] Restarting httpd
Web access is enabled at:
http://engine.set.local:80/ovirt-engine
https://engine.set.local:443/ovirt-engine
Internal CA
98:A1:43:62:A6:0E:FE:4E:13:FA:0E:3F:F8:68:0C:62:01:31:16:BA
SSH fingerprint:
SHA256:NrIqDX9x7XrqE7CXpm/D9xpqnF9J162+42xiFiR5m1s
[WARNING] Less than 16384MB of memory is available
--== END OF SUMMARY ==--
[ INFO ] Stage: Clean up
Log file is located at
/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
[ INFO ] Generating answer file
'/var/lib/ovirt-engine/setup/answers/20191002132222-setup.conf'
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
[ INFO ] Execution of setup completed successfully
[root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
error = stream.connect()
File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 802, in
connect
self.socket.do_handshake()
File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1716, in
do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1456, in
_raise_ssl_error
_raise_current_error()
File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in
exception_from_error_queue
raise exception_type(errors)
Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate
verify failed’)]
[root@engine ~]# ls -la /etc/ovirt-provider-ovn/conf.d/
итого 4
drwxr-xr-x. 2 root root 20 окт 2 13:19 .
drwxr-xr-x. 3 root root 70 окт 2 01:14 ..
-rw-r--r--. 1 root root 194 май 9 14:44 README
2 окт. 2019 г., в 10:11, Dominik Holler <dholler(a)redhat.com> написал(а):
On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group <mail(a)set-pro.net>
wrote:
> Few hours later i'm fixed SSL error,
>
Would you share how you fixed the error?
This might also help to understand the next issue.
> but get a new error
>
> 2019-10-02 01:02:38,369 root Starting server
> 2019-10-02 01:02:38,369 root Version: 1.2.22-1
> 2019-10-02 01:02:38,369 root Build date: 20190509114402
> 2019-10-02 01:02:38,369 root Githash: 38acbde
> 2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644 Request:
> POST /v2.0/tokens
> 2019-10-02 01:02:46,471 root Request body:
> {"auth": {"passwordCredentials": {"username":
"admin@internal",
> "password": "<PASSWORD_HIDDEN>"}}}
> 2019-10-02 01:02:46,472 root Error during SSO authentication
> invalid_request : Missing parameter: 'client_secret'
> Traceback (most recent call last):
> File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line
> 138, in _handle_request
> method, path_parts, content
> File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py",
> line 175, in handle_request
> return self.call_response_handler(handler, content, parameters)
> File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line 33, in
> call_response_handler
> return response_handler(content, parameters)
> File "/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py",
> line 69, in post_tokens
> if not auth.validate_token(token):
> File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31,
> in validate_token
> return auth.core.plugin.validate_token(token)
> File
>
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
> line 36, in validate_token
> return self._is_user_name(token, _admin_user_name())
> File
>
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
> line 47, in _is_user_name
> timeout=AuthorizationByUserName._timeout())
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 131, in get_token_info
> timeout=timeout
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 55, in wrapper
> _check_for_error(response)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 181, in _check_for_error
> result['error'], details))
> Unauthorized: Error during SSO authentication invalid_request : Missing
> parameter: 'client_secret'
>
>
>
looks like the
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
does not fit to engine's db.
Maybe most easy would be to move the current
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the
configuration by using the
parameter '--reconfigure-optional-components' of engine-setup.
Was the file /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
modified outside engine-setup?
> 1 окт. 2019 г., в 22:53, Mail SET Inc. Group <mail(a)set-pro.net>
> написал(а):
>
> Hello!
> Get problems with clean installation 4.3.6.6-1.el7 and OVN
>
> When i try to test OVN get notification:
> «Import provider certificate»
> Do you approve trusting self signed certificate subject CN=Certificate
> Authority, O=SET.LOCAL, SHA-1 fingerprint
> a9d9b91160bb306667a521e6f2c66037ddc437cb?
>
> When i’m press «Yes», see old problem:
> Failed to communicate with the external provider, see log for additional
> details.
>
> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
> timeout=self._timeout())
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 75, in create_token
> username, password, engine_url, ca_file, timeout)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 91, in _get_sso_token
> timeout=timeout
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 54, in wrapper
> response = func(*args, **kwargs)
> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py", line
> 47, in wrapper
> raise BadGateway(e)
> BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
> (_ssl.c:618)
>
> [root@engine ~]# cat
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> # This file is automatically generated by engine-setup. Please do not
> edit manually
> [OVN REMOTE]
> ovn-remote=ssl:127.0.0.1:6641
> [SSL]
> https-enabled=true
> ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
> ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
> ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
> [OVIRT]
> ovirt-sso-client-id=ovirt-provider-ovn
> ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
> ovirt-host=https://engine.set.local:443/ovirt-engine/
> <https://engine.set.local/ovirt-engine/>
> ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
> [NETWORK]
> port-security-enabled-default=True
> [PROVIDER]
> provider-host=engine.set.local
>
> [root@engine ~]# python -c "import requests; \
> print requests.get('https://engine.set.local', \
> verify='/etc/pki/ovirt-engine/apache-ca.pem')"
> <Response [200]>
>
> What’s wrong ?
>
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLR...
4:39 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
On February 3, 2020 11:23:57 AM GMT+02:00, Dominik Holler <dholler(a)redhat.com>
wrote:
On Wed, Oct 2, 2019 at 12:29 PM Mail SET Inc. Group
<mail(a)set-pro.net>
wrote:
> --reconfigure-optional-components not helps. And the file
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> not exists after setup.
>
> [root@engine ~]# rm
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>
>
> [root@engine ~]# engine-setup --reconfigure-optional-components
> [ INFO ] Stage: Initializing
> [ INFO ] Stage: Environment setup
> Configuration files:
> ['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf',
> '/etc/ovirt-engine-setup.conf.d/10-packaging.conf',
> '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
> Log file:
>
/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
> Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
> [ INFO ] Stage: Environment packages setup
> [ INFO ] Stage: Programs detection
> [ INFO ] Stage: Environment setup (late)
> [ INFO ] Stage: Environment customization
>
>
> --== PRODUCT OPTIONS ==--
>
>
> Set up Cinderlib integration
> (Currently in tech preview)
> (Yes, No) [No]:
> [ INFO ] ovirt-provider-ovn already installed, skipping.
>
>
>
The old installation is still detected.
1. backup /etc/ovirt-provider-ovn/
2. restore the original
/etc/ovirt-provider-ovn/ovirt-provider-ovn.conf,
e.g. to
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/ovirt-pr...
3. /backup etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf,
4. rename ovirt-provider-ovn external provider entity in oVirt
webadmin,
5. comment OVESETUP_OVN/ovirtProviderOvnId
in /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf
6. engine-setup --reconfigure-optional-components
7. If modifications of the certificates are required, please create a
new
file in /etc/ovirt-provider-ovn/conf.d/ , e.g. 50-ssl-modifications
Do these steps solve the problem for you?
Dec 18 21:01:02 <dholler> password should be the usual admin@interal
password
>
> --== PACKAGES ==--
>
>
> [ INFO ] Checking for product updates...
> [ INFO ] No product updates found
>
>
> --== NETWORK CONFIGURATION ==--
>
>
> Setup can automatically configure the firewall on this
system.
> Note: automatic configuration of the firewall may overwrite
> current settings.
> NOTICE: iptables is deprecated and will be removed in
future
> releases
> Do you want Setup to configure the firewall? (Yes, No)
[Yes]:
> [ INFO ] firewalld will be configured as firewall manager.
>
>
> --== DATABASE CONFIGURATION ==--
>
>
> The detected DWH database size is 111 MB.
> Setup can backup the existing database. The time and space
> required for the database backup depend on its size. This process
takes
> time, and in some cases (for instance, when the size is few GBs) may
take
> several hours to complete.
> If you choose to not back up the database, and Setup later
fails
> for some reason, it will not be able to restore the database and all
DWH
> data will be lost.
> Would you like to backup the existing database before
upgrading
> it? (Yes, No) [Yes]:
> Perform full vacuum on the oVirt engine history
> database ovirt_engine_history@localhost?
> This operation may take a while depending on this setup
health
> and the
> configuration of the db vacuum process.
> See https://www.postgresql.org/docs/10/sql-vacuum.html
> (Yes, No) [No]:
>
>
> --== OVIRT ENGINE CONFIGURATION ==--
>
>
> Perform full vacuum on the engine database
engine@localhost?
> This operation may take a while depending on this setup
health
> and the
> configuration of the db vacuum process.
> See https://www.postgresql.org/docs/10/sql-vacuum.html
> (Yes, No) [No]:
>
>
> --== STORAGE CONFIGURATION ==--
>
>
>
>
> --== PKI CONFIGURATION ==--
>
>
> [WARNING] Failed to read or parse
'/etc/pki/ovirt-engine/keys/apache.p12'
> Perhaps it was changed since last Setup.
> Error was:
> Mac verify error: invalid password?
>
>
>
>
> --== APACHE CONFIGURATION ==--
>
>
>
>
> --== SYSTEM CONFIGURATION ==--
>
>
>
>
> --== MISC CONFIGURATION ==--
>
>
>
>
> --== END OF CONFIGURATION ==--
>
>
> [ INFO ] Stage: Setup validation
> During execution engine service will be stopped (OK,
Cancel)
> [OK]:
> [ INFO ] Hosted Engine HA is in Global Maintenance mode.
> [WARNING] Less than 16384MB of memory is available
> [ INFO ] Cleaning stale zombie tasks and commands
>
>
> --== CONFIGURATION PREVIEW ==--
>
>
> Default SAN wipe after delete : False
> Firewall manager : firewalld
> Update Firewall : True
> Host FQDN : engine.set.local
> Set up Cinderlib integration : False
> Engine database secured connection : False
> Engine database user name : engine
> Engine database name : engine
> Engine database host : localhost
> Engine database port : 5432
> Engine database host name validation : False
> Engine installation : True
> PKI organization : set.local
> Set up ovirt-provider-ovn : True
> Configure WebSocket Proxy : True
> DWH installation : True
> DWH database secured connection : False
> DWH database host : localhost
> DWH database user name :
ovirt_engine_history
> DWH database name :
ovirt_engine_history
> Backup DWH database : True
> DWH database port : 5432
> DWH database host name validation : False
> Configure Image I/O Proxy : True
> Configure VMConsole Proxy : True
>
>
> Please confirm installation settings (OK, Cancel) [OK]:
> [ INFO ] Cleaning async tasks and compensations
> [ INFO ] Unlocking existing entities
> [ INFO ] Checking the Engine database consistency
> [ INFO ] Stage: Transaction setup
> [ INFO ] Stopping engine service
> [ INFO ] Stopping ovirt-fence-kdump-listener service
> [ INFO ] Stopping dwh service
> [ INFO ] Stopping Image I/O Proxy service
> [ INFO ] Stopping vmconsole-proxy service
> [ INFO ] Stopping websocket-proxy service
> [ INFO ] Stage: Misc configuration (early)
> [ INFO ] Stage: Package installation
> [ INFO ] Stage: Misc configuration
> [ INFO ] Upgrading CA
> [ INFO ] Updating /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
to
> use apache key and certificate
> [ INFO ] Backing up database localhost:ovirt_engine_history to
> '/var/lib/ovirt-engine-dwh/backups/dwh-20191002132135.4DV89M.dump'.
> [ INFO ] Creating/refreshing DWH database schema
> [ INFO ] Configuring Image I/O Proxy
> [ INFO ] Configuring WebSocket Proxy
> [ INFO ] Backing up database localhost:engine to
> '/var/lib/ovirt-engine/backups/engine-20191002132145.CzmG31.dump'.
> [ INFO ] Creating/refreshing Engine database schema
> [ INFO ] Creating/refreshing Engine 'internal' domain database
schema
> Unregistering existing client registration info.
> [ INFO ] Generating post install configuration file
> '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf'
> [ INFO ] Stage: Transaction commit
> [ INFO ] Stage: Closing up
> [ INFO ] Starting engine service
> [ INFO ] Starting dwh service
> [ INFO ] Restarting ovirt-vmconsole proxy service
>
>
> --== SUMMARY ==--
>
>
> [ INFO ] Restarting httpd
> Web access is enabled at:
> http://engine.set.local:80/ovirt-engine
> https://engine.set.local:443/ovirt-engine
> Internal CA
> 98:A1:43:62:A6:0E:FE:4E:13:FA:0E:3F:F8:68:0C:62:01:31:16:BA
> SSH fingerprint:
> SHA256:NrIqDX9x7XrqE7CXpm/D9xpqnF9J162+42xiFiR5m1s
> [WARNING] Less than 16384MB of memory is available
>
>
> --== END OF SUMMARY ==--
>
>
> [ INFO ] Stage: Clean up
> Log file is located at
>
/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
> [ INFO ] Generating answer file
> '/var/lib/ovirt-engine/setup/answers/20191002132222-setup.conf'
> [ INFO ] Stage: Pre-termination
> [ INFO ] Stage: Termination
> [ INFO ] Execution of setup completed successfully
>
>
> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
> error = stream.connect()
> File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 802,
in
> connect
> self.socket.do_handshake()
> File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1716,
in
> do_handshake
> self._raise_ssl_error(self._ssl, result)
> File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1456,
in
> _raise_ssl_error
> _raise_current_error()
> File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 54,
in
> exception_from_error_queue
> raise exception_type(errors)
> Error: [('SSL routines', 'ssl3_get_server_certificate',
'certificate
> verify failed’)]
>
>
> [root@engine ~]# ls -la /etc/ovirt-provider-ovn/conf.d/
> итого 4
> drwxr-xr-x. 2 root root 20 окт 2 13:19 .
> drwxr-xr-x. 3 root root 70 окт 2 01:14 ..
> -rw-r--r--. 1 root root 194 май 9 14:44 README
>
>
>
> 2 окт. 2019 г., в 10:11, Dominik Holler <dholler(a)redhat.com>
написал(а):
>
>
>
> On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group
<mail(a)set-pro.net>
> wrote:
>
>> Few hours later i'm fixed SSL error,
>>
>
> Would you share how you fixed the error?
> This might also help to understand the next issue.
>
>
>
>> but get a new error
>>
>> 2019-10-02 01:02:38,369 root Starting server
>> 2019-10-02 01:02:38,369 root Version: 1.2.22-1
>> 2019-10-02 01:02:38,369 root Build date: 20190509114402
>> 2019-10-02 01:02:38,369 root Githash: 38acbde
>> 2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644 Request:
>> POST /v2.0/tokens
>> 2019-10-02 01:02:46,471 root Request body:
>> {"auth": {"passwordCredentials": {"username":
"admin@internal",
>> "password": "<PASSWORD_HIDDEN>"}}}
>> 2019-10-02 01:02:46,472 root Error during SSO authentication
>> invalid_request : Missing parameter: 'client_secret'
>> Traceback (most recent call last):
>> File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py",
line
>> 138, in _handle_request
>> method, path_parts, content
>> File
"/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py",
>> line 175, in handle_request
>> return self.call_response_handler(handler, content, parameters)
>> File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line
33, in
>> call_response_handler
>> return response_handler(content, parameters)
>> File
"/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py",
>> line 69, in post_tokens
>> if not auth.validate_token(token):
>> File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line
31,
>> in validate_token
>> return auth.core.plugin.validate_token(token)
>> File
>>
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
>> line 36, in validate_token
>> return self._is_user_name(token, _admin_user_name())
>> File
>>
"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
>> line 47, in _is_user_name
>> timeout=AuthorizationByUserName._timeout())
>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
line
>> 131, in get_token_info
>> timeout=timeout
>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
line
>> 55, in wrapper
>> _check_for_error(response)
>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
line
>> 181, in _check_for_error
>> result['error'], details))
>> Unauthorized: Error during SSO authentication invalid_request :
Missing
>> parameter: 'client_secret'
>>
>>
>>
>
> looks like the
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> does not fit to engine's db.
>
> Maybe most easy would be to move the current
> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the
> configuration by using the
> parameter '--reconfigure-optional-components' of engine-setup.
>
> Was the file
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
> modified outside engine-setup?
>
>
>> 1 окт. 2019 г., в 22:53, Mail SET Inc. Group <mail(a)set-pro.net>
>> написал(а):
>>
>> Hello!
>> Get problems with clean installation 4.3.6.6-1.el7 and OVN
>>
>> When i try to test OVN get notification:
>> «Import provider certificate»
>> Do you approve trusting self signed certificate subject
CN=Certificate
>> Authority, O=SET.LOCAL, SHA-1 fingerprint
>> a9d9b91160bb306667a521e6f2c66037ddc437cb?
>>
>> When i’m press «Yes», see old problem:
>> Failed to communicate with the external provider, see log for
additional
>> details.
>>
>> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
>> timeout=self._timeout())
>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
line
>> 75, in create_token
>> username, password, engine_url, ca_file, timeout)
>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
line
>> 91, in _get_sso_token
>> timeout=timeout
>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
line
>> 54, in wrapper
>> response = func(*args, **kwargs)
>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
line
>> 47, in wrapper
>> raise BadGateway(e)
>> BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify
failed
>> (_ssl.c:618)
>>
>> [root@engine ~]# cat
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> # This file is automatically generated by engine-setup. Please do
not
>> edit manually
>> [OVN REMOTE]
>> ovn-remote=ssl:127.0.0.1:6641
>> [SSL]
>> https-enabled=true
>> ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
>> ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
>> ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
>> [OVIRT]
>> ovirt-sso-client-id=ovirt-provider-ovn
>> ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
>> ovirt-host=https://engine.set.local:443/ovirt-engine/
>> <https://engine.set.local/ovirt-engine/>
>> ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
>> [NETWORK]
>> port-security-enabled-default=True
>> [PROVIDER]
>> provider-host=engine.set.local
>>
>> [root@engine ~]# python -c "import requests; \
>> print requests.get('https://engine.set.local', \
>> verify='/etc/pki/ovirt-engine/apache-ca.pem')"
>> <Response [200]>
>>
>> What’s wrong ?
>>
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> List Archives:
>>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLR...
>
>
>
Hi Dominik,
Can this approach be used to 'reset' OVN to original state ?
Best Regards,
Strahil Nikolov
5:06 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
On Mon, Feb 3, 2020 at 11:39 AM Strahil Nikolov <hunter86_bg(a)yahoo.com>
wrote:
On February 3, 2020 11:23:57 AM GMT+02:00, Dominik Holler <
dholler(a)redhat.com> wrote:
>On Wed, Oct 2, 2019 at 12:29 PM Mail SET Inc. Group <mail(a)set-pro.net>
>wrote:
>
>> --reconfigure-optional-components not helps. And the file
>/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> not exists after setup.
>>
>> [root@engine ~]# rm
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>>
>>
>> [root@engine ~]# engine-setup --reconfigure-optional-components
>> [ INFO ] Stage: Initializing
>> [ INFO ] Stage: Environment setup
>> Configuration files:
>> ['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf',
>> '/etc/ovirt-engine-setup.conf.d/10-packaging.conf',
>> '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
>> Log file:
>>
>/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
>> Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
>> [ INFO ] Stage: Environment packages setup
>> [ INFO ] Stage: Programs detection
>> [ INFO ] Stage: Environment setup (late)
>> [ INFO ] Stage: Environment customization
>>
>>
>> --== PRODUCT OPTIONS ==--
>>
>>
>> Set up Cinderlib integration
>> (Currently in tech preview)
>> (Yes, No) [No]:
>> [ INFO ] ovirt-provider-ovn already installed, skipping.
>>
>>
>>
>
>
>The old installation is still detected.
>
>1. backup /etc/ovirt-provider-ovn/
>2. restore the original
>/etc/ovirt-provider-ovn/ovirt-provider-ovn.conf,
>e.g. to
>
https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/ovirt-pr...
>3. /backup etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf,
>4. rename ovirt-provider-ovn external provider entity in oVirt
>webadmin,
>5. comment OVESETUP_OVN/ovirtProviderOvnId
>in /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf
>6. engine-setup --reconfigure-optional-components
>7. If modifications of the certificates are required, please create a
>new
>file in /etc/ovirt-provider-ovn/conf.d/ , e.g. 50-ssl-modifications
>
>Do these steps solve the problem for you?
>
>
>Dec 18 21:01:02 <dholler> password should be the usual admin@interal
>password
>
>
>>
>> --== PACKAGES ==--
>>
>>
>> [ INFO ] Checking for product updates...
>> [ INFO ] No product updates found
>>
>>
>> --== NETWORK CONFIGURATION ==--
>>
>>
>> Setup can automatically configure the firewall on this
>system.
>> Note: automatic configuration of the firewall may overwrite
>> current settings.
>> NOTICE: iptables is deprecated and will be removed in
>future
>> releases
>> Do you want Setup to configure the firewall? (Yes, No)
>[Yes]:
>> [ INFO ] firewalld will be configured as firewall manager.
>>
>>
>> --== DATABASE CONFIGURATION ==--
>>
>>
>> The detected DWH database size is 111 MB.
>> Setup can backup the existing database. The time and space
>> required for the database backup depend on its size. This process
>takes
>> time, and in some cases (for instance, when the size is few GBs) may
>take
>> several hours to complete.
>> If you choose to not back up the database, and Setup later
>fails
>> for some reason, it will not be able to restore the database and all
>DWH
>> data will be lost.
>> Would you like to backup the existing database before
>upgrading
>> it? (Yes, No) [Yes]:
>> Perform full vacuum on the oVirt engine history
>> database ovirt_engine_history@localhost?
>> This operation may take a while depending on this setup
>health
>> and the
>> configuration of the db vacuum process.
>> See https://www.postgresql.org/docs/10/sql-vacuum.html
>> (Yes, No) [No]:
>>
>>
>> --== OVIRT ENGINE CONFIGURATION ==--
>>
>>
>> Perform full vacuum on the engine database
>engine@localhost?
>> This operation may take a while depending on this setup
>health
>> and the
>> configuration of the db vacuum process.
>> See https://www.postgresql.org/docs/10/sql-vacuum.html
>> (Yes, No) [No]:
>>
>>
>> --== STORAGE CONFIGURATION ==--
>>
>>
>>
>>
>> --== PKI CONFIGURATION ==--
>>
>>
>> [WARNING] Failed to read or parse
>'/etc/pki/ovirt-engine/keys/apache.p12'
>> Perhaps it was changed since last Setup.
>> Error was:
>> Mac verify error: invalid password?
>>
>>
>>
>>
>> --== APACHE CONFIGURATION ==--
>>
>>
>>
>>
>> --== SYSTEM CONFIGURATION ==--
>>
>>
>>
>>
>> --== MISC CONFIGURATION ==--
>>
>>
>>
>>
>> --== END OF CONFIGURATION ==--
>>
>>
>> [ INFO ] Stage: Setup validation
>> During execution engine service will be stopped (OK,
>Cancel)
>> [OK]:
>> [ INFO ] Hosted Engine HA is in Global Maintenance mode.
>> [WARNING] Less than 16384MB of memory is available
>> [ INFO ] Cleaning stale zombie tasks and commands
>>
>>
>> --== CONFIGURATION PREVIEW ==--
>>
>>
>> Default SAN wipe after delete : False
>> Firewall manager : firewalld
>> Update Firewall : True
>> Host FQDN : engine.set.local
>> Set up Cinderlib integration : False
>> Engine database secured connection : False
>> Engine database user name : engine
>> Engine database name : engine
>> Engine database host : localhost
>> Engine database port : 5432
>> Engine database host name validation : False
>> Engine installation : True
>> PKI organization : set.local
>> Set up ovirt-provider-ovn : True
>> Configure WebSocket Proxy : True
>> DWH installation : True
>> DWH database secured connection : False
>> DWH database host : localhost
>> DWH database user name :
>ovirt_engine_history
>> DWH database name :
>ovirt_engine_history
>> Backup DWH database : True
>> DWH database port : 5432
>> DWH database host name validation : False
>> Configure Image I/O Proxy : True
>> Configure VMConsole Proxy : True
>>
>>
>> Please confirm installation settings (OK, Cancel) [OK]:
>> [ INFO ] Cleaning async tasks and compensations
>> [ INFO ] Unlocking existing entities
>> [ INFO ] Checking the Engine database consistency
>> [ INFO ] Stage: Transaction setup
>> [ INFO ] Stopping engine service
>> [ INFO ] Stopping ovirt-fence-kdump-listener service
>> [ INFO ] Stopping dwh service
>> [ INFO ] Stopping Image I/O Proxy service
>> [ INFO ] Stopping vmconsole-proxy service
>> [ INFO ] Stopping websocket-proxy service
>> [ INFO ] Stage: Misc configuration (early)
>> [ INFO ] Stage: Package installation
>> [ INFO ] Stage: Misc configuration
>> [ INFO ] Upgrading CA
>> [ INFO ] Updating /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>to
>> use apache key and certificate
>> [ INFO ] Backing up database localhost:ovirt_engine_history to
>> '/var/lib/ovirt-engine-dwh/backups/dwh-20191002132135.4DV89M.dump'.
>> [ INFO ] Creating/refreshing DWH database schema
>> [ INFO ] Configuring Image I/O Proxy
>> [ INFO ] Configuring WebSocket Proxy
>> [ INFO ] Backing up database localhost:engine to
>> '/var/lib/ovirt-engine/backups/engine-20191002132145.CzmG31.dump'.
>> [ INFO ] Creating/refreshing Engine database schema
>> [ INFO ] Creating/refreshing Engine 'internal' domain database
>schema
>> Unregistering existing client registration info.
>> [ INFO ] Generating post install configuration file
>> '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf'
>> [ INFO ] Stage: Transaction commit
>> [ INFO ] Stage: Closing up
>> [ INFO ] Starting engine service
>> [ INFO ] Starting dwh service
>> [ INFO ] Restarting ovirt-vmconsole proxy service
>>
>>
>> --== SUMMARY ==--
>>
>>
>> [ INFO ] Restarting httpd
>> Web access is enabled at:
>> http://engine.set.local:80/ovirt-engine
>> https://engine.set.local:443/ovirt-engine
>> Internal CA
>> 98:A1:43:62:A6:0E:FE:4E:13:FA:0E:3F:F8:68:0C:62:01:31:16:BA
>> SSH fingerprint:
>> SHA256:NrIqDX9x7XrqE7CXpm/D9xpqnF9J162+42xiFiR5m1s
>> [WARNING] Less than 16384MB of memory is available
>>
>>
>> --== END OF SUMMARY ==--
>>
>>
>> [ INFO ] Stage: Clean up
>> Log file is located at
>>
>/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
>> [ INFO ] Generating answer file
>> '/var/lib/ovirt-engine/setup/answers/20191002132222-setup.conf'
>> [ INFO ] Stage: Pre-termination
>> [ INFO ] Stage: Termination
>> [ INFO ] Execution of setup completed successfully
>>
>>
>> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
>> error = stream.connect()
>> File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 802,
>in
>> connect
>> self.socket.do_handshake()
>> File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1716,
>in
>> do_handshake
>> self._raise_ssl_error(self._ssl, result)
>> File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1456,
>in
>> _raise_ssl_error
>> _raise_current_error()
>> File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 54,
>in
>> exception_from_error_queue
>> raise exception_type(errors)
>> Error: [('SSL routines', 'ssl3_get_server_certificate',
'certificate
>> verify failed’)]
>>
>>
>> [root@engine ~]# ls -la /etc/ovirt-provider-ovn/conf.d/
>> итого 4
>> drwxr-xr-x. 2 root root 20 окт 2 13:19 .
>> drwxr-xr-x. 3 root root 70 окт 2 01:14 ..
>> -rw-r--r--. 1 root root 194 май 9 14:44 README
>>
>>
>>
>> 2 окт. 2019 г., в 10:11, Dominik Holler <dholler(a)redhat.com>
>написал(а):
>>
>>
>>
>> On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group
><mail(a)set-pro.net>
>> wrote:
>>
>>> Few hours later i'm fixed SSL error,
>>>
>>
>> Would you share how you fixed the error?
>> This might also help to understand the next issue.
>>
>>
>>
>>> but get a new error
>>>
>>> 2019-10-02 01:02:38,369 root Starting server
>>> 2019-10-02 01:02:38,369 root Version: 1.2.22-1
>>> 2019-10-02 01:02:38,369 root Build date: 20190509114402
>>> 2019-10-02 01:02:38,369 root Githash: 38acbde
>>> 2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644 Request:
>>> POST /v2.0/tokens
>>> 2019-10-02 01:02:46,471 root Request body:
>>> {"auth": {"passwordCredentials": {"username":
"admin@internal",
>>> "password": "<PASSWORD_HIDDEN>"}}}
>>> 2019-10-02 01:02:46,472 root Error during SSO authentication
>>> invalid_request : Missing parameter: 'client_secret'
>>> Traceback (most recent call last):
>>> File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py",
>line
>>> 138, in _handle_request
>>> method, path_parts, content
>>> File
>"/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py",
>>> line 175, in handle_request
>>> return self.call_response_handler(handler, content, parameters)
>>> File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line
>33, in
>>> call_response_handler
>>> return response_handler(content, parameters)
>>> File
>"/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py",
>>> line 69, in post_tokens
>>> if not auth.validate_token(token):
>>> File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py",
line
>31,
>>> in validate_token
>>> return auth.core.plugin.validate_token(token)
>>> File
>>>
>"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
>>> line 36, in validate_token
>>> return self._is_user_name(token, _admin_user_name())
>>> File
>>>
>"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
>>> line 47, in _is_user_name
>>> timeout=AuthorizationByUserName._timeout())
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 131, in get_token_info
>>> timeout=timeout
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 55, in wrapper
>>> _check_for_error(response)
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 181, in _check_for_error
>>> result['error'], details))
>>> Unauthorized: Error during SSO authentication invalid_request :
>Missing
>>> parameter: 'client_secret'
>>>
>>>
>>>
>>
>> looks like the
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> does not fit to engine's db.
>>
>> Maybe most easy would be to move the current
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the
>> configuration by using the
>> parameter '--reconfigure-optional-components' of engine-setup.
>>
>> Was the file
>/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> modified outside engine-setup?
>>
>>
>>> 1 окт. 2019 г., в 22:53, Mail SET Inc. Group <mail(a)set-pro.net>
>>> написал(а):
>>>
>>> Hello!
>>> Get problems with clean installation 4.3.6.6-1.el7 and OVN
>>>
>>> When i try to test OVN get notification:
>>> «Import provider certificate»
>>> Do you approve trusting self signed certificate subject
>CN=Certificate
>>> Authority, O=SET.LOCAL, SHA-1 fingerprint
>>> a9d9b91160bb306667a521e6f2c66037ddc437cb?
>>>
>>> When i’m press «Yes», see old problem:
>>> Failed to communicate with the external provider, see log for
>additional
>>> details.
>>>
>>> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
>>> timeout=self._timeout())
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 75, in create_token
>>> username, password, engine_url, ca_file, timeout)
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 91, in _get_sso_token
>>> timeout=timeout
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 54, in wrapper
>>> response = func(*args, **kwargs)
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 47, in wrapper
>>> raise BadGateway(e)
>>> BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify
>failed
>>> (_ssl.c:618)
>>>
>>> [root@engine ~]# cat
>>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>>> # This file is automatically generated by engine-setup. Please do
>not
>>> edit manually
>>> [OVN REMOTE]
>>> ovn-remote=ssl:127.0.0.1:6641
>>> [SSL]
>>> https-enabled=true
>>> ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
>>> ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
>>> ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>> [OVIRT]
>>> ovirt-sso-client-id=ovirt-provider-ovn
>>> ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
>>> ovirt-host=https://engine.set.local:443/ovirt-engine/
>>> <https://engine.set.local/ovirt-engine/>
>>> ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
>>> [NETWORK]
>>> port-security-enabled-default=True
>>> [PROVIDER]
>>> provider-host=engine.set.local
>>>
>>> [root@engine ~]# python -c "import requests; \
>>> print requests.get('https://engine.set.local', \
>>> verify='/etc/pki/ovirt-engine/apache-ca.pem')"
>>> <Response [200]>
>>>
>>> What’s wrong ?
>>>
>>>
>>> _______________________________________________
>>> Users mailing list -- users(a)ovirt.org
>>> To unsubscribe send an email to users-leave(a)ovirt.org
>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
>>> oVirt Code of Conduct:
>>> https://www.ovirt.org/community/about/community-guidelines/
>>> List Archives:
>>>
>
https://lists.ovirt.org/archives/list/users@ovirt.org/message/IDUB3LOJHLR...
>>
>>
>>
Hi Dominik,
Can this approach be used to 'reset' OVN to original state ?
No, this would just reset the integration into oVirt.
If you like to reset the ovn-nb,
I would use ovn-nbctl on command line to delete all entities in the nb data
base.
Just be aware that this could create inconsistent states, but if you delete
all logical network entities, this is no problem.
I recommend to create a backup with engine-backup before using ovn-nbct.
Best Regards,
Strahil Nikolov
6:05 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
Hi Dominik!
So, this solution helps!
But, if i do step #7 it returns to pervious (bad) state and i need to do all 6 steps
again.
Thank u 4 help!!!
6:35 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
On Mon, Feb 3, 2020 at 1:07 PM <mail(a)set-pro.net> wrote:
Hi Dominik!
So, this solution helps!
But, if i do step #7 it returns to pervious (bad) state and i need to do
all 6 steps again.
Step 7 is now independent from the other steps.
You are welcome to post the error message where the certificates fail.
https://github.com/oVirt/ovirt-provider-ovn/blob/master/README.adoc
explains the ssl configuration of the ovirt-provider-ovn.
Thank u 4 help!!!
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LQAQFSSPE6E...
6:43 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
Installation log:
engine-setup --reconfigure-optional-components
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files:
['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf',
'/etc/ovirt-engine-setup.conf.d/10-packaging.conf',
'/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
Log file:
/var/log/ovirt-engine/setup/ovirt-engine-setup-20200203141445-e8fjh7.log
Version: otopi-1.8.4 (otopi-1.8.4-1.el7)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment setup (late)
[ INFO ] Stage: Environment customization
--== PRODUCT OPTIONS ==--
Set up Cinderlib integration
(Currently in tech preview)
(Yes, No) [No]:
--== PACKAGES ==--
[ INFO ] Checking for product updates...
[ INFO ] No product updates found
--== NETWORK CONFIGURATION ==--
Setup can automatically configure the firewall on this system.
Note: automatic configuration of the firewall may overwrite current settings.
NOTICE: iptables is deprecated and will be removed in future releases
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO ] firewalld will be configured as firewall manager.
--== DATABASE CONFIGURATION ==--
The detected DWH database size is 327 MB.
Setup can backup the existing database. The time and space required for the
database backup depend on its size. This process takes time, and in some cases (for
instance, when the size is few GBs) may take several hours to complete.
If you choose to not back up the database, and Setup later fails for some
reason, it will not be able to restore the database and all DWH data will be lost.
Would you like to backup the existing database before upgrading it? (Yes, No)
[Yes]:
Perform full vacuum on the oVirt engine history
database ovirt_engine_history@localhost?
This operation may take a while depending on this setup health and the
configuration of the db vacuum process.
See https://www.postgresql.org/docs/10/sql-vacuum.html
(Yes, No) [No]:
--== OVIRT ENGINE CONFIGURATION ==--
Perform full vacuum on the engine database engine@localhost?
This operation may take a while depending on this setup health and the
configuration of the db vacuum process.
See https://www.postgresql.org/docs/10/sql-vacuum.html
(Yes, No) [No]:
oVirt OVN provider user[admin@internal]:
oVirt OVN provider password:
--== STORAGE CONFIGURATION ==--
--== PKI CONFIGURATION ==--
[WARNING] Failed to read or parse '/etc/pki/ovirt-engine/keys/apache.p12'
Perhaps it was changed since last Setup.
Error was:
Mac verify error: invalid password?
--== APACHE CONFIGURATION ==--
--== SYSTEM CONFIGURATION ==--
--== MISC CONFIGURATION ==--
--== END OF CONFIGURATION ==--
[ INFO ] Stage: Setup validation
During execution engine service will be stopped (OK, Cancel) [OK]:
[ INFO ] Hosted Engine HA is in Global Maintenance mode.
[WARNING] Less than 16384MB of memory is available
[ INFO ] Cleaning stale zombie tasks and commands
--== CONFIGURATION PREVIEW ==--
Default SAN wipe after delete : False
Firewall manager : firewalld
Update Firewall : True
Host FQDN : engine.set.local
Set up Cinderlib integration : False
Engine database secured connection : False
Engine database user name : engine
Engine database name : engine
Engine database host : localhost
Engine database port : 5432
Engine database host name validation : False
Engine installation : True
PKI organization : set.local
Set up ovirt-provider-ovn : True
Configure WebSocket Proxy : True
DWH installation : True
DWH database secured connection : False
DWH database host : localhost
DWH database user name : ovirt_engine_history
DWH database name : ovirt_engine_history
Backup DWH database : True
DWH database port : 5432
DWH database host name validation : False
Configure Image I/O Proxy : True
Configure VMConsole Proxy : True
Please confirm installation settings (OK, Cancel) [OK]:
[ INFO ] Cleaning async tasks and compensations
[ INFO ] Unlocking existing entities
[ INFO ] Checking the Engine database consistency
[ INFO ] Stage: Transaction setup
[ INFO ] Stopping engine service
[ INFO ] Stopping ovirt-fence-kdump-listener service
[ INFO ] Stopping dwh service
[ INFO ] Stopping Image I/O Proxy service
[ INFO ] Stopping vmconsole-proxy service
[ INFO ] Stopping websocket-proxy service
[ INFO ] Stage: Misc configuration (early)
[ INFO ] Stage: Package installation
[ INFO ] Stage: Misc configuration
[ INFO ] Upgrading CA
[ INFO ] Updating /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf to use apache key and
certificate
[ ERROR ] Failed to import provider certificate into the external provider keystore
[ INFO ] Backing up database localhost:ovirt_engine_history to
'/var/lib/ovirt-engine-dwh/backups/dwh-20200203143914.gWtVQt.dump'.
[ INFO ] Creating/refreshing DWH database schema
[ INFO ] Configuring Image I/O Proxy
[ INFO ] Configuring WebSocket Proxy
[ INFO ] Backing up database localhost:engine to
'/var/lib/ovirt-engine/backups/engine-20200203143933.zqclHW.dump'.
[ INFO ] Creating/refreshing Engine database schema
[ INFO ] Creating/refreshing Engine 'internal' domain database schema
Unregistering existing client registration info.
[ INFO ] Adding default OVN provider to database
[ INFO ] Adding OVN provider secret to database
[ INFO ] Generating post install configuration file
'/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf'
[ INFO ] Stage: Transaction commit
[ INFO ] Stage: Closing up
[ INFO ] Starting engine service
[ INFO ] Starting dwh service
[ INFO ] Restarting ovirt-vmconsole proxy service
--== SUMMARY ==--
[ INFO ] Restarting httpd
Web access is enabled at:
http://engine.set.local:80/ovirt-engine
https://engine.set.local:443/ovirt-engine
ovirt-provider-ovn configuration file was created in:
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
A sample configuration file for future reference was created in:
/etc/ovirt-engine/ovirt-provider-ovn-conf.example
The following commands failed to execute.
Please execute them manually as root:
. /usr/share/ovirt-engine/bin/engine-prolog.sh
export pass="${ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD}"
keytool -import -alias ovirt-provider-ovn -keystore
/var/lib/ovirt-engine/external_truststore -file /etc/pki/ovirt-engine/ca.pem -noprompt
-storepass:env pass
Internal CA 98:A1:43:62:A6:0E:FE:4E:13:FA:0E:3F:F8:68:0C:62:01:31:16:BA
SSH fingerprint: SHA256:NrIqDX9x7XrqE7CXpm/D9xpqnF9J162+42xiFiR5m1s
[WARNING] Less than 16384MB of memory is available
--== END OF SUMMARY ==--
[ INFO ] Stage: Clean up
Log file is located at
/var/log/ovirt-engine/setup/ovirt-engine-setup-20200203141445-e8fjh7.log
[ INFO ] Generating answer file
'/var/lib/ovirt-engine/setup/answers/20200203144041-setup.conf'
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
[ INFO ] Execution of setup completed successfully
Ffter install i'm test provider and it's ok. Then i create
/etc/ovirt-provider-ovn/conf.d/50-ssl-modifications.conf with this content:
[SSL]
ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
[OVIRT]
ovirt-sso-client-secret=PzrrA0GBGwBzlKcf2s3j6PZK1BONTQG6FR6UxPWNqYY
Restart provider and test again. Got message "Failed to communicate with the external
provider, see log for additional details."
I try to delete created file^ but it not help, and i do your 6 steps again.
6:01 a.m.
New subject: Failed to synchronize networks of Provider ovirt-provider-ovn
Hi!
Can you tell me how to do step 4
"rename ovirt-provider-ovn external provider entity in oVirt webadmin"
604
days inactive
2475
days old
13 comments
5 participants
participants (5)
-
Dominik Holler -
grig.4n@gmail.com -
Mail SET Inc. Group -
mail@set-pro.net
-
Strahil Nikolov