migrating standalone engine to selfhosted and upgrade from 4.3 to 4.4 in one step

Hello,
I have a 4-host cluster managed by a standalone engine in version 4.3 and I would like to migrate this standalone engine to 4.4 as a hosted engine.
I have two new hosts which I would like to use as the base for a new HE cluster. (new hosts are Intel based, old ones are AMD Opteron based - the new cluster will have 4.4 compatibility, the old one has to stay at 4.2 compatibility level).
I read this
https://www.ovirt.org/documentation/migrating_from_a_standalone_manager_to_a...
but the question is: Can I migrate and upgrade in one step? Has anybody done that already? If it is not possible, what is the suggested approach?
Thanks for help
Jiri

I just tried it. It looks like it could work, at least until the installation process wants to log in to the engine. It looks like it does not use a valid login name or password.
[ INFO ] TASK [ovirt.hosted_engine_setup : Expose engine VM webui over a local port via ssh port forwarding]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Evaluate temporary bootstrap engine URL]
[ INFO ] ok: [localhost]
[ INFO ] The bootstrap engine is temporary accessible over https://ovirt05.net.slu.cz:6900/ovirt-engine/
[ INFO ] TASK [ovirt.hosted_engine_setup : Detect VLAN ID]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Set Engine public key as authorized key without validating the TLS/SSL certificates]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : include_tasks]
[ INFO ] ok: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Obtain SSO token using username/password credentials]
[ INFO ] ok: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Ensure that the target datacenter is present]
[ ERROR ] ovirtsdk4.AuthError: Error during SSO authentication access_denied : Cannot authenticate user 'None@N/A': No valid profile found in credentials..
[ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error during SSO authentication access_denied : Cannot authenticate user 'None@N/A': No valid profile found in credentials.."}
I tried to log in to https://ovirt05.net.slu.cz:6900/ovirt-engine/ and it probably accepts the username admin@internal and the new password entered during hosted engine deploy, but then it displays the error "The provided authorization grant for the auth code has expired."
Maybe it is related to this bug (and custom 3rd party Apache certificate)
https://bugzilla.redhat.com/show_bug.cgi?id=1715767
in my case it looks like on the engine vm in the file
/etc/pki/ovirt-engine/apache-ca.pem
is the original certificate from the backup, which is for the ovirt.slu.cz fqdn. For the new hosted engine I use the new fqdn ovirt.net.slu.cz. Should I change the ovirt.slu.cz record to point to the new ip address (it has to be one from the ovirtmgmt subnet) and then try the restore? The documentation is not very clear on this particular subject.
Cheers,
Jiri
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/YH4J7GG7WLOLUF...

well, I will answer myself
* setting the fqdn is probably not important at this time, the self hosted engine is prepared with a modified /etc/hosts
* the main problem was that I am using a 3rd party certificate for a long time so I didn't mention this documentation section
https://ovirt.org/documentation/administration_guide/#Replacing_the_Manager_...
especially section 14 which describes how to configure engine-backup to also back up the custom CA certificate. But this part is badly formatted as described in
https://bugzilla.redhat.com/show_bug.cgi?id=1859505
relevant BZ is also https://bugzilla.redhat.com/show_bug.cgi?id=1841203 which pointed me in the right direction
Cheers,
Jiri

just for record.
I had to change the dns record for the fqdn during the deploy process - after the HE vm was copied to shared storage (FC in my case) and before or during "Check engine VM health"
...
[ INFO ] TASK [ovirt.hosted_engine_setup : Start ovirt-ha-agent service on the host]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Exit HE maintenance mode]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Check engine VM health]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Get target engine VM address]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Reconfigure OVN central address]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : include_tasks]
[ INFO ] ok: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Obtain SSO token using username/password credentials]
[ INFO ] ok: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Check for the local bootstrap VM]
...
now I am able to log in with admin@local credentials and see the original vms and hosts running and accessible.
There are some glitches (like our ldap aaa configuration throws server_error: The connection reader was unable to successfully complete TLS negotiation: SSLHandshakeException(The server selected protocol version TLS10 is not accepted by client preferences [TLS12]), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb) which I believe are solvable
so migrating from ovirt4.3 standalone to ovirt4.4 selfhosted in one step is possible and functional
It would be a nice feature to have the possibility to wipe and reuse the old HE storage during the hosted-engine --deploy process.
Cheers,
Jiri

On Fri, Aug 7, 2020 at 1:37 PM Jiří Sléžka <jiri.slezka@slu.cz> wrote:
> On 8/7/20 9:50 AM, Jiří Sléžka wrote:
> > On 8/5/20 2:07 PM, Jiří Sléžka wrote:
> > > On 8/3/20 11:12 AM, Jiří Sléžka wrote:
> > > > Hello,
> > > > I have a 4-host cluster managed by a standalone engine in version 4.3 and I would like to migrate this standalone engine to 4.4 as a hosted engine.
> > > > I have two new hosts which I would like to use as the base for a new HE cluster. (new hosts are Intel based, old ones are AMD Opteron based - the new cluster will have 4.4 compatibility, the old one has to stay at 4.2 compatibility level).
> > > > I read this
> > > > https://www.ovirt.org/documentation/migrating_from_a_standalone_manager_to_a...
> > > > but the question is: Can I migrate and upgrade in one step? Has anybody done that already? If it is not possible, what is the suggested approach?
> > > I just tried it. It looks like it could work, at least until the installation process wants to log in to the engine. It looks like it does not use a valid login name or password.
> > > [ INFO ] TASK [ovirt.hosted_engine_setup : Expose engine VM webui over a local port via ssh port forwarding]
> > > [ INFO ] changed: [localhost]
> > > [ INFO ] TASK [ovirt.hosted_engine_setup : Evaluate temporary bootstrap engine URL]
> > > [ INFO ] ok: [localhost]
> > > [ INFO ] The bootstrap engine is temporary accessible over https://ovirt05.net.slu.cz:6900/ovirt-engine/
> > > [ INFO ] TASK [ovirt.hosted_engine_setup : Detect VLAN ID]
> > > [ INFO ] changed: [localhost]
> > > [ INFO ] TASK [ovirt.hosted_engine_setup : Set Engine public key as authorized key without validating the TLS/SSL certificates]
> > > [ INFO ] changed: [localhost]
> > > [ INFO ] TASK [ovirt.hosted_engine_setup : include_tasks]
> > > [ INFO ] ok: [localhost]
> > > [ INFO ] TASK [ovirt.hosted_engine_setup : Obtain SSO token using username/password credentials]
> > > [ INFO ] ok: [localhost]
> > > [ INFO ] TASK [ovirt.hosted_engine_setup : Ensure that the target datacenter is present]
> > > [ ERROR ] ovirtsdk4.AuthError: Error during SSO authentication access_denied : Cannot authenticate user 'None@N/A': No valid profile found in credentials..
> > > [ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error during SSO authentication access_denied : Cannot authenticate user 'None@N/A': No valid profile found in credentials.."}
> > > I tried to log in to https://ovirt05.net.slu.cz:6900/ovirt-engine/ and it probably accepts the username admin@internal and the new password entered during hosted engine deploy, but then it displays the error "The provided authorization grant for the auth code has expired."
> > > Maybe it is related to this bug (and custom 3rd party Apache certificate)
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1715767
> > > in my case it looks like on the engine vm in the file
> > > /etc/pki/ovirt-engine/apache-ca.pem
> > > is the original certificate from the backup, which is for the ovirt.slu.cz fqdn. For the new hosted engine I use the new fqdn ovirt.net.slu.cz. Should I change the ovirt.slu.cz record to point to the new ip address (it has to be one from the ovirtmgmt subnet) and then try the restore? The documentation is not very clear on this particular subject.
> > well, I will answer myself
> > * setting the fqdn is probably not important at this time, the self hosted engine is prepared with a modified /etc/hosts
Not sure what exactly you mean - but ok. We should probably write some general section about engine's fqdn, name resolution, etc., what should use which name during which point of an upgrade, etc. Can you please clarify your exact situation/flow, in this case? Perhaps as a first draft of such a section :-) ?
> > * the main problem was that I am using a 3rd party certificate for a long time so I didn't mention this documentation section
> > https://ovirt.org/documentation/administration_guide/#Replacing_the_Manager_...
> > especially section 14 which describes how to configure engine-backup to also back up the custom CA certificate. But this part is badly formatted as described in
Yes, sorry for that.
> > relevant BZ is also https://bugzilla.redhat.com/show_bug.cgi?id=1841203 which pointed me in the right direction
> just for record.
> I had to change the dns record for the fqdn during the deploy process - after the HE vm was copied to shared storage (FC in my case) and before or during "Check engine VM health"
Can you please clarify?
> ...
> [ INFO ] TASK [ovirt.hosted_engine_setup : Start ovirt-ha-agent service on the host]
> [ INFO ] changed: [localhost]
> [ INFO ] TASK [ovirt.hosted_engine_setup : Exit HE maintenance mode]
> [ INFO ] changed: [localhost]
> [ INFO ] TASK [ovirt.hosted_engine_setup : Check engine VM health]
> [ INFO ] changed: [localhost]
> [ INFO ] TASK [ovirt.hosted_engine_setup : Get target engine VM address]
> [ INFO ] changed: [localhost]
> [ INFO ] TASK [ovirt.hosted_engine_setup : Reconfigure OVN central address]
> [ INFO ] changed: [localhost]
> [ INFO ] TASK [ovirt.hosted_engine_setup : include_tasks]
> [ INFO ] ok: [localhost]
> [ INFO ] TASK [ovirt.hosted_engine_setup : Obtain SSO token using username/password credentials]
> [ INFO ] ok: [localhost]
> [ INFO ] TASK [ovirt.hosted_engine_setup : Check for the local bootstrap VM]
> ...
> now I am able to log in with admin@local credentials and see the original vms and hosts running and accessible.
Good!
> There are some glitches (like our ldap aaa configuration throws server_error: The connection reader was unable to successfully complete TLS negotiation: SSLHandshakeException(The server selected protocol version TLS10 is not accepted by client preferences [TLS12]), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb) which I believe are solvable
Please update about the solution, if you find it, or more details, otherwise. If general enough, might be worth adding to the doc somewhere (restore procedure, or 3rd-party-ssl procedure - something like existing step 14).
> so migrating from ovirt4.3 standalone to ovirt4.4 selfhosted in one step is possible and functional
> It would be a nice feature to have the possibility to wipe and reuse the old HE storage during the hosted-engine --deploy process.
In theory you can do this already, IMO - after taking the backup, move to global maint, shutdown engine vm, wipe storage, then restore - and provide same storage location. If it's empty, it should accept it. I didn't try this myself.
If you do have the space, IMO it's safer to install/restore to new space, and remove the old only after the upgrade/migration finished and you decide everything looks ok.
Thanks for the report!
Best regards,
--
Didi
participants (2)
- Jiří Sléžka
- Yedidyah Bar David