On Mon, Feb 3, 2020 at 11:39 AM Strahil Nikolov <hunter86_bg(a)yahoo.com> wrote:
On February 3, 2020 11:23:57 AM GMT+02:00, Dominik Holler <dholler(a)redhat.com> wrote:
>On Wed, Oct 2, 2019 at 12:29 PM Mail SET Inc. Group <mail(a)set-pro.net>
>wrote:
>
>> --reconfigure-optional-components does not help. And the file
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> does not exist after setup.
>>
>> [root@engine ~]# rm
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>>
>>
>> [root@engine ~]# engine-setup --reconfigure-optional-components
>> [ INFO ] Stage: Initializing
>> [ INFO ] Stage: Environment setup
>> Configuration files:
>> ['/etc/ovirt-engine-setup.conf.d/10-packaging-jboss.conf',
>> '/etc/ovirt-engine-setup.conf.d/10-packaging.conf',
>> '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf']
>> Log file:
>>
>/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
>> Version: otopi-1.8.3 (otopi-1.8.3-1.el7)
>> [ INFO ] Stage: Environment packages setup
>> [ INFO ] Stage: Programs detection
>> [ INFO ] Stage: Environment setup (late)
>> [ INFO ] Stage: Environment customization
>>
>>
>> --== PRODUCT OPTIONS ==--
>>
>>
>> Set up Cinderlib integration
>> (Currently in tech preview)
>> (Yes, No) [No]:
>> [ INFO ] ovirt-provider-ovn already installed, skipping.
>>
>>
>>
>
>
>The old installation is still detected.
>
>1. backup /etc/ovirt-provider-ovn/
>2. restore the original /etc/ovirt-provider-ovn/ovirt-provider-ovn.conf,
>e.g. to
>https://github.com/oVirt/ovirt-provider-ovn/blob/master/provider/ovirt-pr...
>3. backup /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf,
>4. rename ovirt-provider-ovn external provider entity in oVirt webadmin,
>5. comment OVESETUP_OVN/ovirtProviderOvnId
>in /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf
>6. engine-setup --reconfigure-optional-components
>7. If modifications of the certificates are required, please create a new
>file in /etc/ovirt-provider-ovn/conf.d/ , e.g. 50-ssl-modifications
>
>Do these steps solve the problem for you?
>
>
>Dec 18 21:01:02 <dholler> password should be the usual admin@internal password
>
>
>>
>> --== PACKAGES ==--
>>
>>
>> [ INFO ] Checking for product updates...
>> [ INFO ] No product updates found
>>
>>
>> --== NETWORK CONFIGURATION ==--
>>
>>
>> Setup can automatically configure the firewall on this
>system.
>> Note: automatic configuration of the firewall may overwrite
>> current settings.
>> NOTICE: iptables is deprecated and will be removed in
>future
>> releases
>> Do you want Setup to configure the firewall? (Yes, No)
>[Yes]:
>> [ INFO ] firewalld will be configured as firewall manager.
>>
>>
>> --== DATABASE CONFIGURATION ==--
>>
>>
>> The detected DWH database size is 111 MB.
>> Setup can backup the existing database. The time and space
>> required for the database backup depend on its size. This process
>takes
>> time, and in some cases (for instance, when the size is few GBs) may
>take
>> several hours to complete.
>> If you choose to not back up the database, and Setup later
>fails
>> for some reason, it will not be able to restore the database and all
>DWH
>> data will be lost.
>> Would you like to backup the existing database before
>upgrading
>> it? (Yes, No) [Yes]:
>> Perform full vacuum on the oVirt engine history
>> database ovirt_engine_history@localhost?
>> This operation may take a while depending on this setup
>health
>> and the
>> configuration of the db vacuum process.
>> See https://www.postgresql.org/docs/10/sql-vacuum.html
>> (Yes, No) [No]:
>>
>>
>> --== OVIRT ENGINE CONFIGURATION ==--
>>
>>
>> Perform full vacuum on the engine database
>engine@localhost?
>> This operation may take a while depending on this setup
>health
>> and the
>> configuration of the db vacuum process.
>> See https://www.postgresql.org/docs/10/sql-vacuum.html
>> (Yes, No) [No]:
>>
>>
>> --== STORAGE CONFIGURATION ==--
>>
>>
>>
>>
>> --== PKI CONFIGURATION ==--
>>
>>
>> [WARNING] Failed to read or parse
>'/etc/pki/ovirt-engine/keys/apache.p12'
>> Perhaps it was changed since last Setup.
>> Error was:
>> Mac verify error: invalid password?
>>
>>
>>
>>
>> --== APACHE CONFIGURATION ==--
>>
>>
>>
>>
>> --== SYSTEM CONFIGURATION ==--
>>
>>
>>
>>
>> --== MISC CONFIGURATION ==--
>>
>>
>>
>>
>> --== END OF CONFIGURATION ==--
>>
>>
>> [ INFO ] Stage: Setup validation
>> During execution engine service will be stopped (OK,
>Cancel)
>> [OK]:
>> [ INFO ] Hosted Engine HA is in Global Maintenance mode.
>> [WARNING] Less than 16384MB of memory is available
>> [ INFO ] Cleaning stale zombie tasks and commands
>>
>>
>> --== CONFIGURATION PREVIEW ==--
>>
>>
>> Default SAN wipe after delete : False
>> Firewall manager : firewalld
>> Update Firewall : True
>> Host FQDN : engine.set.local
>> Set up Cinderlib integration : False
>> Engine database secured connection : False
>> Engine database user name : engine
>> Engine database name : engine
>> Engine database host : localhost
>> Engine database port : 5432
>> Engine database host name validation : False
>> Engine installation : True
>> PKI organization : set.local
>> Set up ovirt-provider-ovn : True
>> Configure WebSocket Proxy : True
>> DWH installation : True
>> DWH database secured connection : False
>> DWH database host : localhost
>> DWH database user name :
>ovirt_engine_history
>> DWH database name :
>ovirt_engine_history
>> Backup DWH database : True
>> DWH database port : 5432
>> DWH database host name validation : False
>> Configure Image I/O Proxy : True
>> Configure VMConsole Proxy : True
>>
>>
>> Please confirm installation settings (OK, Cancel) [OK]:
>> [ INFO ] Cleaning async tasks and compensations
>> [ INFO ] Unlocking existing entities
>> [ INFO ] Checking the Engine database consistency
>> [ INFO ] Stage: Transaction setup
>> [ INFO ] Stopping engine service
>> [ INFO ] Stopping ovirt-fence-kdump-listener service
>> [ INFO ] Stopping dwh service
>> [ INFO ] Stopping Image I/O Proxy service
>> [ INFO ] Stopping vmconsole-proxy service
>> [ INFO ] Stopping websocket-proxy service
>> [ INFO ] Stage: Misc configuration (early)
>> [ INFO ] Stage: Package installation
>> [ INFO ] Stage: Misc configuration
>> [ INFO ] Upgrading CA
>> [ INFO ] Updating /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf
>to
>> use apache key and certificate
>> [ INFO ] Backing up database localhost:ovirt_engine_history to
>> '/var/lib/ovirt-engine-dwh/backups/dwh-20191002132135.4DV89M.dump'.
>> [ INFO ] Creating/refreshing DWH database schema
>> [ INFO ] Configuring Image I/O Proxy
>> [ INFO ] Configuring WebSocket Proxy
>> [ INFO ] Backing up database localhost:engine to
>> '/var/lib/ovirt-engine/backups/engine-20191002132145.CzmG31.dump'.
>> [ INFO ] Creating/refreshing Engine database schema
>> [ INFO ] Creating/refreshing Engine 'internal' domain database
>schema
>> Unregistering existing client registration info.
>> [ INFO ] Generating post install configuration file
>> '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf'
>> [ INFO ] Stage: Transaction commit
>> [ INFO ] Stage: Closing up
>> [ INFO ] Starting engine service
>> [ INFO ] Starting dwh service
>> [ INFO ] Restarting ovirt-vmconsole proxy service
>>
>>
>> --== SUMMARY ==--
>>
>>
>> [ INFO ] Restarting httpd
>> Web access is enabled at:
>> http://engine.set.local:80/ovirt-engine
>> https://engine.set.local:443/ovirt-engine
>> Internal CA
>> 98:A1:43:62:A6:0E:FE:4E:13:FA:0E:3F:F8:68:0C:62:01:31:16:BA
>> SSH fingerprint:
>> SHA256:NrIqDX9x7XrqE7CXpm/D9xpqnF9J162+42xiFiR5m1s
>> [WARNING] Less than 16384MB of memory is available
>>
>>
>> --== END OF SUMMARY ==--
>>
>>
>> [ INFO ] Stage: Clean up
>> Log file is located at
>>
>/var/log/ovirt-engine/setup/ovirt-engine-setup-20191002131904-4iwth0.log
>> [ INFO ] Generating answer file
>> '/var/lib/ovirt-engine/setup/answers/20191002132222-setup.conf'
>> [ INFO ] Stage: Pre-termination
>> [ INFO ] Stage: Termination
>> [ INFO ] Execution of setup completed successfully
>>
>>
>> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
>> error = stream.connect()
>> File "/usr/lib64/python2.7/site-packages/ovs/stream.py", line 802,
>in
>> connect
>> self.socket.do_handshake()
>> File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1716,
>in
>> do_handshake
>> self._raise_ssl_error(self._ssl, result)
>> File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1456,
>in
>> _raise_ssl_error
>> _raise_current_error()
>> File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 54,
>in
>> exception_from_error_queue
>> raise exception_type(errors)
>> Error: [('SSL routines', 'ssl3_get_server_certificate',
>> 'certificate verify failed')]
>>
>>
>> [root@engine ~]# ls -la /etc/ovirt-provider-ovn/conf.d/
>> итого 4
>> drwxr-xr-x. 2 root root 20 окт 2 13:19 .
>> drwxr-xr-x. 3 root root 70 окт 2 01:14 ..
>> -rw-r--r--. 1 root root 194 май 9 14:44 README
>>
>>
>>
>> On 2 Oct 2019, at 10:11, Dominik Holler <dholler(a)redhat.com> wrote:
>>
>>
>>
>> On Wed, Oct 2, 2019 at 12:13 AM Mail SET Inc. Group
><mail(a)set-pro.net>
>> wrote:
>>
>>> A few hours later I fixed the SSL error,
>>>
>>
>> Would you share how you fixed the error?
>> This might also help to understand the next issue.
>>
>>
>>
>>> but get a new error
>>>
>>> 2019-10-02 01:02:38,369 root Starting server
>>> 2019-10-02 01:02:38,369 root Version: 1.2.22-1
>>> 2019-10-02 01:02:38,369 root Build date: 20190509114402
>>> 2019-10-02 01:02:38,369 root Githash: 38acbde
>>> 2019-10-02 01:02:46,471 root From: ::ffff:172.19.0.10:33644 Request:
>>> POST /v2.0/tokens
>>> 2019-10-02 01:02:46,471 root Request body:
>>> {"auth": {"passwordCredentials": {"username": "admin@internal",
>>> "password": "<PASSWORD_HIDDEN>"}}}
>>> 2019-10-02 01:02:46,472 root Error during SSO authentication
>>> invalid_request : Missing parameter: 'client_secret'
>>> Traceback (most recent call last):
>>> File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py",
>line
>>> 138, in _handle_request
>>> method, path_parts, content
>>> File
>"/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py",
>>> line 175, in handle_request
>>> return self.call_response_handler(handler, content, parameters)
>>> File "/usr/share/ovirt-provider-ovn/handlers/keystone.py", line
>33, in
>>> call_response_handler
>>> return response_handler(content, parameters)
>>> File
>"/usr/share/ovirt-provider-ovn/handlers/keystone_responses.py",
>>> line 69, in post_tokens
>>> if not auth.validate_token(token):
>>> File "/usr/share/ovirt-provider-ovn/auth/plugin_facade.py", line 31,
>>> in validate_token
>>> return auth.core.plugin.validate_token(token)
>>> File
>>>
>"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
>>> line 36, in validate_token
>>> return self._is_user_name(token, _admin_user_name())
>>> File
>>>
>"/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/authorization_by_username.py",
>>> line 47, in _is_user_name
>>> timeout=AuthorizationByUserName._timeout())
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 131, in get_token_info
>>> timeout=timeout
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 55, in wrapper
>>> _check_for_error(response)
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 181, in _check_for_error
>>> result['error'], details))
>>> Unauthorized: Error during SSO authentication invalid_request :
>Missing
>>> parameter: 'client_secret'
>>>
>>>
>>>
>>
>> looks like the
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> does not fit to engine's db.
>>
>> Maybe most easy would be to move the current
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> away from /etc/ovirt-provider-ovn/conf.d/ and re-trigger the
>> configuration by using the
>> parameter '--reconfigure-optional-components' of engine-setup.
>>
>> Was the file
>/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>> modified outside engine-setup?
>>
>>
>>> On 1 Oct 2019, at 22:53, Mail SET Inc. Group <mail(a)set-pro.net> wrote:
>>>
>>> Hello!
>>> I have problems with a clean installation of 4.3.6.6-1.el7 and OVN.
>>>
>>> When I try to test OVN, I get a notification:
>>> «Import provider certificate»
>>> Do you approve trusting self signed certificate subject CN=Certificate
>>> Authority, O=SET.LOCAL, SHA-1 fingerprint
>>> a9d9b91160bb306667a521e6f2c66037ddc437cb?
>>>
>>> When I press «Yes», I see the old problem:
>>> Failed to communicate with the external provider, see log for additional
>>> details.
>>>
>>> [root@engine ~]# tail -f /var/log/ovirt-provider-ovn.log
>>> timeout=self._timeout())
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 75, in create_token
>>> username, password, engine_url, ca_file, timeout)
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 91, in _get_sso_token
>>> timeout=timeout
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 54, in wrapper
>>> response = func(*args, **kwargs)
>>> File "/usr/share/ovirt-provider-ovn/auth/plugins/ovirt/sso.py",
>line
>>> 47, in wrapper
>>> raise BadGateway(e)
>>> BadGateway: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify
>failed
>>> (_ssl.c:618)
>>>
>>> [root@engine ~]# cat
>>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>>> # This file is automatically generated by engine-setup. Please do
>not
>>> edit manually
>>> [OVN REMOTE]
>>> ovn-remote=ssl:127.0.0.1:6641
>>> [SSL]
>>> https-enabled=true
>>> ssl-cacert-file=/etc/pki/ovirt-engine/apache-ca.pem
>>> ssl-cert-file=/etc/pki/ovirt-engine/certs/apache.cer
>>> ssl-key-file=/etc/pki/ovirt-engine/keys/apache.key.nopass
>>> [OVIRT]
>>> ovirt-sso-client-id=ovirt-provider-ovn
>>> ovirt-ca-file=/etc/pki/ovirt-engine/certs/engine.cer
>>> ovirt-host=https://engine.set.local:443/ovirt-engine/
>>> ovirt-sso-client-secret=vy80-QmCNNv6wP7JFvN9GWhPmYvo0lBNl5J8hpiGRa4
>>> [NETWORK]
>>> port-security-enabled-default=True
>>> [PROVIDER]
>>> provider-host=engine.set.local
>>>
>>> [root@engine ~]# python -c "import requests; \
>>> print requests.get('https://engine.set.local', \
>>> verify='/etc/pki/ovirt-engine/apache-ca.pem')"
>>> <Response [200]>
>>>
>>> What’s wrong ?
>>>
>>>
>>
>>
>>
Hi Dominik,
Can this approach be used to 'reset' OVN to original state ?

No, this would just reset the integration into oVirt.
If you like to reset the ovn-nb,
I would use ovn-nbctl on command line to delete all entities in the nb database.
Just be aware that this could create inconsistent states, but if you delete
all logical network entities, this is no problem.
I recommend creating a backup with engine-backup before using ovn-nbctl.
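
The backup and answer-file steps (1, 3 and 5) of the numbered procedure quoted earlier in this thread, as an added shell example that is not part of any message here and not oVirt's own tooling. The root-prefix argument, the function name and the backup location under /root are assumptions made for illustration; steps 2, 4 and 6 stay manual.

```shell
#!/bin/sh
# Added example (not from the thread): prepares an engine host for
# "engine-setup --reconfigure-optional-components" by doing steps 1, 3 and 5.
set -eu

# Answer-file key named in step 5 of the quoted procedure.
KEY='OVESETUP_OVN/ovirtProviderOvnId'

# prepare_ovn_reconfigure [ROOT] [STAMP]
#   ROOT  - hypothetical path prefix (default "/"), so the function can be
#           rehearsed on a scratch copy of /etc before touching a live engine
#   STAMP - backup suffix (default: current timestamp)
# Prints the backup directory on success.
prepare_ovn_reconfigure() {
    root="${1:-/}"
    stamp="${2:-$(date +%Y%m%d%H%M%S)}"
    ovn_dir="${root%/}/etc/ovirt-provider-ovn"
    post="${root%/}/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf"
    backup="${root%/}/root/ovn-reconfigure-backup-${stamp}"  # assumed location

    [ -d "$ovn_dir" ] || { echo "missing $ovn_dir" >&2; return 1; }
    [ -f "$post" ] || { echo "missing $post" >&2; return 1; }

    # Steps 1 and 3: copy with modes and ownership preserved. conf.d can
    # hold ovirt-sso-client-secret, so the backup is readable by owner only.
    mkdir -p "$backup"
    chmod 700 "$backup"
    cp -a "$ovn_dir" "$backup/ovirt-provider-ovn"
    cp -a "$post" "$backup/"

    # Step 5: comment out the provider id. Lines that are already commented
    # do not match the anchored pattern, so a second run changes nothing.
    sed -i "s|^${KEY}=|#${KEY}=|" "$post"

    echo "$backup"
}

# Typical use on the engine host, after steps 2 and 4 were done by hand:
#   prepare_ovn_reconfigure / && engine-setup --reconfigure-optional-components
```
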