--_000_587E1915ECF57147AF48C7A5FC8AD308B1EB973FWITPP01MSG10BIT_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi, I want to configure NAT in Ovirt with this procedure : http://lists.ovirt.org/pipermail/users/2012-April/001751.html But I don't have the login password of virsh and for the PosgreSQL database= . I used the last version of oVirt with default installation with engine-setu= p Thanks. ________________________________ Ce message est confidentiel et est =E0 l'usage exclusif du destinataire ide= ntifi=E9 ci-dessus. Toute autre personne est, par les pr=E9sentes, avis=E9e= qu'il lui est strictement interdit de le diffuser, de le distribuer, d'en = d=E9voiler le contenu ou de le reproduire. Si vous avez re=E7u cette commun= ication par erreur, veuillez en informer l'exp=E9diteur par courrier =E9lec= tronique imm=E9diatement et d=E9truire l'original de ce message ainsi que t= oute copie. ________________________________ --_000_587E1915ECF57147AF48C7A5FC8AD308B1EB973FWITPP01MSG10BIT_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html dir=3D"ltr"> <head> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <style id=3D"owaParaStyle" type=3D"text/css"> <!-- p {margin-top:0; margin-bottom:0} --> </style> </head> <body> <div style=3D"direction:ltr; font-family:Tahoma; color:#000000; font-size:1= 0pt">Hi,<br> <br> I want to configure NAT in Ovirt with this procedure :<br> <b id=3D"docs-internal-guid-4c415708-fe8c-049c-6ef7-4b677bf64e20" style=3D"= font-weight:normal"><a href=3D"http://lists.ovirt.org/pipermail/users/2012-= April/001751.html" style=3D"text-decoration:none"><span style=3D"font-size:= 15px; font-family:Consolas; color:#1155cc; background-color:#ffffff; font-w= eight:bold; font-style:normal; font-variant:normal; text-decoration:underli= ne; vertical-align:baseline; white-space:pre-wrap">http://lists.ovirt.org/p= ipermail/users/2012-April/001751.html</span></a><br> <br> But <b>I </b>don<b>'t have the login password of virsh and for the PosgreSQ= L database.<br> <br> I used the last version of oVirt with default installation with engine-setu= p<br> <br> Thanks.<br> </b></b></div> <hr> Ce message est confidentiel et est =E0 l'usage exclusif du destinataire ide= ntifi=E9 ci-dessus. Toute autre personne est, par les pr=E9sentes, avis=E9e= qu'il lui est strictement interdit de le diffuser, de le distribuer, d'en = d=E9voiler le contenu ou de le reproduire. Si vous avez re=E7u cette communication par erreur, veuillez en informer l= 'exp=E9diteur par courrier =E9lectronique imm=E9diatement et d=E9truire l'o= riginal de ce message ainsi que toute copie. <hr> </body> </html> --_000_587E1915ECF57147AF48C7A5FC8AD308B1EB973FWITPP01MSG10BIT_--
On 02/04/2014 09:20 PM, martin.trudel@cspq.gouv.qc.ca wrote:
Hi,
I want to configure NAT in Ovirt with this procedure : *http://lists.ovirt.org/pipermail/users/2012-April/001751.html
But *I *don*'t have the login password of virsh and for the PosgreSQL database.
I used the last version of oVirt with default installation with engine-setup
the steps described don't work for you as is? (step 6 explains where the user/password for libvirt/virsh are. the db part should just work as-is if you are using root (at least it used to)
Thanks. ** ------------------------------------------------------------------------ Ce message est confidentiel et est à l'usage exclusif du destinataire identifié ci-dessus. Toute autre personne est, par les présentes, avisée qu'il lui est strictement interdit de le diffuser, de le distribuer, d'en dévoiler le contenu ou de le reproduire. Si vous avez reçu cette communication par erreur, veuillez en informer l'expéditeur par courrier électronique immédiatement et détruire l'original de ce message ainsi que toute copie. ------------------------------------------------------------------------
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
It's actually step 5 :) Am 05.02.2014 07:50, schrieb Itamar Heim:
(step 6 explains where the user/password for libvirt/virsh are.
-- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100 F: +49-5772-293-333 https://www.mittwald.de Geschäftsführer: Robert Meyer St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
Well, I just tested this. and I can't connect to virsh with this information. I guess the mentioned user vdsm@rhevh might not be the actual one used in 3.3.2 anymore? (mail is from 2012 and mentions rhev, so..) or can't libvirt manage multiple authenticated users? Because I registered my own using: saslpasswd2 -a libvirt USERNAME which still works. Am 05.02.2014 09:15, schrieb Sven Kieske:
It's actually step 5 :)
Am 05.02.2014 07:50, schrieb Itamar Heim:
(step 6 explains where the user/password for libvirt/virsh are.
-- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100 F: +49-5772-293-333 https://www.mittwald.de Geschäftsführer: Robert Meyer St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
On 5-2-2014 9:27, Sven Kieske wrote:
Well, I just tested this. and I can't connect to virsh with this information. I guess the mentioned user vdsm@rhevh might not be the actual one used in 3.3.2 anymore? (mail is from 2012 and mentions rhev, so..)
vdsm@ovirt seems to work :-) Joop
I can confirm that vdsm@ovirt does work. However, I have the strong feeling that the password in /etc/pki/vdsm/keys/libvirt_password is static for all installations. And gerrit proves me right: http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm/libvirt_password;h=0... So what is the purpose of authentication when that information is public? I created a BZ for this: https://bugzilla.redhat.com/show_bug.cgi?id=1061639 PS: I hope, whoever coded this, feels a little bit ashamed and perhaps buys a good book on writing secure code and reads it.. Am 05.02.2014 09:55, schrieb Joop:
On 5-2-2014 9:27, Sven Kieske wrote:
Well, I just tested this. and I can't connect to virsh with this information. I guess the mentioned user vdsm@rhevh might not be the actual one used in 3.3.2 anymore? (mail is from 2012 and mentions rhev, so..)
vdsm@ovirt seems to work :-)
Joop
-- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100 F: +49-5772-293-333 https://www.mittwald.de Geschäftsführer: Robert Meyer St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
On Wed, Feb 05, 2014 at 09:50:04AM +0000, Sven Kieske wrote:
I can confirm that vdsm@ovirt does work.
However, I have the strong feeling that the password in /etc/pki/vdsm/keys/libvirt_password is static for all installations.
And gerrit proves me right:
http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm/libvirt_password;h=0...
So what is the purpose of authentication when that information is public?
I created a BZ for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1061639
PS: I hope, whoever coded this, feels a little bit ashamed and perhaps buys a good book on writing secure code and reads it..
I feel ashamed, but not due to the "security" issue here. Vdsm uses a unix domain socket to connect to libvirtd. That socket is owned by vdsm, so that only vdsm and root can use it. There is no security reason to use a password at all. I am ashamed for caving in and adding an obfuscation layer, designed only to deter local administrators from messing with libvirt under the feet of ovirt. This little hurdle does not deter from messing with qemu directly, but I suppose that qemu's command line does a good job anyway. Red Hat support folks repeatedly claim that this hurdle is more effective than putting a release note warning of the dangers in direct libvirt access. Dan.
Well I didn't know the exact background for this code and I can understand it from a management perspective, but from a sysadmin perspective it is useless (it does not prevent anything against an informed "attacker") and may be even lead to false security assumptions ("nobody can mess with libvirt, it's all authenticated"). But thanks for pointing out the reasoning behind this, I still don't like it, but I can understand it. (Funny side fact: the very first thing we did, when we found that libvirt just allows authenticated access was to find out how to create our own user, and every admin asks at first: how can I access libvirt, when something goes wrong?) Am 05.02.2014 13:45, schrieb Dan Kenigsberg:
On Wed, Feb 05, 2014 at 09:50:04AM +0000, Sven Kieske wrote:
I can confirm that vdsm@ovirt does work.
However, I have the strong feeling that the password in /etc/pki/vdsm/keys/libvirt_password is static for all installations.
And gerrit proves me right:
http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm/libvirt_password;h=0...
So what is the purpose of authentication when that information is public?
I created a BZ for this:
https://bugzilla.redhat.com/show_bug.cgi?id=1061639
PS: I hope, whoever coded this, feels a little bit ashamed and perhaps buys a good book on writing secure code and reads it..
I feel ashamed, but not due to the "security" issue here.
Vdsm uses a unix domain socket to connect to libvirtd. That socket is owned by vdsm, so that only vdsm and root can use it. There is no security reason to use a password at all.
I am ashamed for caving in and adding an obfuscation layer, designed only to deter local administrators from messing with libvirt under the feet of ovirt. This little hurdle does not deter from messing with qemu directly, but I suppose that qemu's command line does a good job anyway.
Red Hat support folks repeatedly claim that this hurdle is more effective than putting a release note warning of the dangers in direct libvirt access.
Dan.
-- Mit freundlichen Grüßen / Regards Sven Kieske Systemadministrator Mittwald CM Service GmbH & Co. KG Königsberger Straße 6 32339 Espelkamp T: +49-5772-293-100 F: +49-5772-293-333 https://www.mittwald.de Geschäftsführer: Robert Meyer St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
On 02/05/2014 09:27 AM, Sven Kieske wrote:
Well, I just tested this. and I can't connect to virsh with this information. I guess the mentioned user vdsm@rhevh might not be the actual one used in 3.3.2 anymore? (mail is from 2012 and mentions rhev, so..)
well, that's a question for vdsm-devel
or can't libvirt manage multiple authenticated users? Because I registered my own using:
saslpasswd2 -a libvirt USERNAME
which still works.
Am 05.02.2014 09:15, schrieb Sven Kieske:
It's actually step 5 :)
Am 05.02.2014 07:50, schrieb Itamar Heim:
(step 6 explains where the user/password for libvirt/virsh are.
On Wed, Feb 05, 2014 at 02:25:08PM +0100, Itamar Heim wrote:
On 02/05/2014 09:27 AM, Sven Kieske wrote:
Well, I just tested this. and I can't connect to virsh with this information. I guess the mentioned user vdsm@rhevh might not be the actual one used in 3.3.2 anymore? (mail is from 2012 and mentions rhev, so..)
well, that's a question for vdsm-devel
Yes, vdsm@rhevh is a remnant of the past (that can still be seen on the RHEV product). I believe that it can be very easily dropped from there, too. (And `/usr/sbin/saslpasswd2 -p -a libvirt -d vdsm@ovirt` moved to vdsm-tool, for symetry)
No, it does not work indeed. I cannot find the username in step 3. I found the password in Step 4: shibboleth. On step 18 it does not work because I cannot access the posgresql database. -----Message d'origine----- De : Itamar Heim [mailto:iheim@redhat.com] Envoyé : 5 février 2014 01:50 À : Trudel, Martin (CELL); users@ovirt.org Objet : Re: [Users] NAT configuration On 02/04/2014 09:20 PM, martin.trudel@cspq.gouv.qc.ca wrote:
Hi,
I want to configure NAT in Ovirt with this procedure : *http://lists.ovirt.org/pipermail/users/2012-April/001751.html
But *I *don*'t have the login password of virsh and for the PosgreSQL database.
I used the last version of oVirt with default installation with engine-setup
the steps described don't work for you as is? (step 6 explains where the user/password for libvirt/virsh are. the db part should just work as-is if you are using root (at least it used to)
Thanks. ** ---------------------------------------------------------------------- -- Ce message est confidentiel et est à l'usage exclusif du destinataire identifié ci-dessus. Toute autre personne est, par les présentes, avisée qu'il lui est strictement interdit de le diffuser, de le distribuer, d'en dévoiler le contenu ou de le reproduire. Si vous avez reçu cette communication par erreur, veuillez en informer l'expéditeur par courrier électronique immédiatement et détruire l'original de ce message ainsi que toute copie. ---------------------------------------------------------------------- --
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
On 02/07/2014 03:53 PM, martin.trudel@cspq.gouv.qc.ca wrote:
No, it does not work indeed.
I cannot find the username in step 3. I found the password in Step 4: shibboleth.
Try username: vdsm@ovirt
On step 18 it does not work because I cannot access the posgresql database.
You could do: # vi /var/lib/pgsql/data/pg_hba.conf local all postgres trust - Restart postgresql Please let us know if it works. Thanks!
-----Message d'origine----- De : Itamar Heim [mailto:iheim@redhat.com] Envoyé : 5 février 2014 01:50 À : Trudel, Martin (CELL); users@ovirt.org Objet : Re: [Users] NAT configuration
On 02/04/2014 09:20 PM, martin.trudel@cspq.gouv.qc.ca wrote:
Hi,
I want to configure NAT in Ovirt with this procedure : *http://lists.ovirt.org/pipermail/users/2012-April/001751.html
But *I *don*'t have the login password of virsh and for the PosgreSQL database.
I used the last version of oVirt with default installation with engine-setup
the steps described don't work for you as is? (step 6 explains where the user/password for libvirt/virsh are. the db part should just work as-is if you are using root (at least it used to)
Thanks. ** ---------------------------------------------------------------------- -- Ce message est confidentiel et est à l'usage exclusif du destinataire identifié ci-dessus. Toute autre personne est, par les présentes, avisée qu'il lui est strictement interdit de le diffuser, de le distribuer, d'en dévoiler le contenu ou de le reproduire. Si vous avez reçu cette communication par erreur, veuillez en informer l'expéditeur par courrier électronique immédiatement et détruire l'original de ce message ainsi que toute copie. ---------------------------------------------------------------------- --
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- Cheers Douglas
On Tue, Feb 04, 2014 at 08:20:26PM +0000, martin.trudel@cspq.gouv.qc.ca wrote:
Hi,
I want to configure NAT in Ovirt with this procedure : http://lists.ovirt.org/pipermail/users/2012-April/001751.html
But I don't have the login password of virsh and for the PosgreSQL database.
I used the last version of oVirt with default installation with engine-setup
Note that now it is possible to use vdsm-hook-extnet instead of changing Engine's database (step 12 and forth). You do not have your NAT network defined in oVirt, but you can define a vNIC Profile with the property extnet=natbr0 and whatever network you have defined (say ovirtmgmt). When you attach a vnic of a VM to your vNIC profile and start the VM, the hook script kicks into action and points the vnic to natbr0. Dan.
Can you tell me the procedure to install and configure the vdsm-hook-extnet ? -----Message d'origine----- De : Dan Kenigsberg [mailto:danken@redhat.com] Envoyé : 5 février 2014 08:02 À : Trudel, Martin (CELL) Cc : users@ovirt.org Objet : Re: [Users] NAT configuration On Tue, Feb 04, 2014 at 08:20:26PM +0000, martin.trudel@cspq.gouv.qc.ca wrote:
Hi,
I want to configure NAT in Ovirt with this procedure : http://lists.ovirt.org/pipermail/users/2012-April/001751.html
But I don't have the login password of virsh and for the PosgreSQL database.
I used the last version of oVirt with default installation with engine-setup
Note that now it is possible to use vdsm-hook-extnet instead of changing Engine's database (step 12 and forth). You do not have your NAT network defined in oVirt, but you can define a vNIC Profile with the property extnet=natbr0 and whatever network you have defined (say ovirtmgmt). When you attach a vnic of a VM to your vNIC profile and start the VM, the hook script kicks into action and points the vnic to natbr0. Dan. ________________________________ Ce message est confidentiel et est à l'usage exclusif du destinataire identifié ci-dessus. Toute autre personne est, par les présentes, avisée qu'il lui est strictement interdit de le diffuser, de le distribuer, d'en dévoiler le contenu ou de le reproduire. Si vous avez reçu cette communication par erreur, veuillez en informer l'expéditeur par courrier électronique immédiatement et détruire l'original de ce message ainsi que toute copie. ________________________________
On 02/07/2014 10:56 PM, martin.trudel@cspq.gouv.qc.ca wrote:
Can you tell me the procedure to install and configure the vdsm-hook-extnet ?
for general hook information: http://www.ovirt.org/VDSM-Hooks http://www.ovirt.org/VDSM-Hooks_Catalogue for this specific hook: http://gerrit.ovirt.org/gitweb?p=vdsm.git;a=blob;f=vdsm_hooks/extnet/README;...
-----Message d'origine----- De : Dan Kenigsberg [mailto:danken@redhat.com] Envoyé : 5 février 2014 08:02 À : Trudel, Martin (CELL) Cc : users@ovirt.org Objet : Re: [Users] NAT configuration
On Tue, Feb 04, 2014 at 08:20:26PM +0000, martin.trudel@cspq.gouv.qc.ca wrote:
Hi,
I want to configure NAT in Ovirt with this procedure : http://lists.ovirt.org/pipermail/users/2012-April/001751.html
But I don't have the login password of virsh and for the PosgreSQL database.
I used the last version of oVirt with default installation with engine-setup
Note that now it is possible to use vdsm-hook-extnet instead of changing Engine's database (step 12 and forth). You do not have your NAT network defined in oVirt, but you can define a vNIC Profile with the property extnet=natbr0 and whatever network you have defined (say ovirtmgmt).
When you attach a vnic of a VM to your vNIC profile and start the VM, the hook script kicks into action and points the vnic to natbr0.
Dan. ________________________________ Ce message est confidentiel et est à l'usage exclusif du destinataire identifié ci-dessus. Toute autre personne est, par les présentes, avisée qu'il lui est strictement interdit de le diffuser, de le distribuer, d'en dévoiler le contenu ou de le reproduire. Si vous avez reçu cette communication par erreur, veuillez en informer l'expéditeur par courrier électronique immédiatement et détruire l'original de ce message ainsi que toute copie. ________________________________ _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
participants (6)
-
Dan Kenigsberg -
Douglas Schilling Landgraf -
Itamar Heim -
Joop -
martin.trudel@cspq.gouv.qc.ca -
Sven Kieske