
Dear all,
I'm using oVirt 4.3.2 with its engine on a virtual machine. The nodes are all CentOS 7.7. Both engine and hypervisor systems work on a 10.0.0.0 private network. Now I would like to let users access the oVirt web page (user portal), and for this I must necessarily add a second network interface to the engine by inserting a public IP. I can't use NAT. Can you give me any advice for this operation? Can I add the network interface and then run engine-setup? Will oVirt be accessible from both IP addresses at the end of this operation?
Lots of thanks.
Enrico
--
_______________________________________________________________________
Enrico Becchetti Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica 06123 Perugia (ITALY)
Phone:+39 075 5852777 Skype:enrico_becchetti
Mail: Enrico.Becchetti<at>pg.infn.it
______________________________________________________________________

On Fri, Mar 5, 2021 at 10:18 AM Enrico Becchetti <enrico.becchetti@pg.infn.it> wrote:
Dear all, I'm using ovirt 4.3.2 with its engine on a virtual machine. The nodes are all Centos 7.7.
Is this a hosted-engine?
Both engine and hypervisor systems work on a 10.0.0.0 private network. Now I would like to let users access the ovirt web page (user portal) and for this I must necessarily add a second network interface to the engine by inserting a public ip. I can't use NAT. Can you give me any advice for this operation ? Can I add the network interface and then run engine-setup ? Will oVirt be accessible from both ip addresses at the end of this operation ?
Generally speaking:
1. You should be able to add an IP address to the existing NIC. If this is a hosted-engine, this might be simpler than adding a NIC. Of course, this might not be relevant in your case, depending on network topology, conf, etc.
2. The engine itself does not care at all about which IP addresses are used to connect to it. Neither is httpd that is running there as a frontend to it - it listens on all addresses. So just add the address somehow, perhaps restart httpd if needed (but I do not think so), and everything should work.
3. The engine _does_ care about the _name_. So make sure you use the existing name. For this, you'll have to change your DNS, or /etc/hosts, as applicable.
4. If it's complex for you to keep the existing name (e.g. because you want to make it work from both old and new addresses, etc.), you can also add another name that the engine will agree to be connected to, using SSO_ALTERNATE_ENGINE_FQDNS, see e.g. [1].
Best regards,
[1] https://www.ovirt.org/develop/networking/changing-engine-hostname.html
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZW2SGNYGA4MEGU...
-- Didi

Hi,
I've added a new public IP address and SSO_ALTERNATE_ENGINE_FQDNS, and after that I ran engine-setup. Now oVirt can also be accessed with a new name, but the last item is about the X509 certificate. How can I add a second certificate for this new URL?
Best regards.
Enrico
On 07/03/21 08:51, Yedidyah Bar David wrote:
On Fri, Mar 5, 2021 at 10:18 AM Enrico Becchetti <enrico.becchetti@pg.infn.it> wrote:
Dear all, I'm using ovirt 4.3.2 with its engine on a virtual machine. The nodes are all Centos 7.7.
Is this a hosted-engine?
no
Both engine and hypervisor systems work on a 10.0.0.0 private network. Now I would like to let users access the ovirt web page (user portal) and for this I must necessarily add a second network interface to the engine by inserting a public ip. I can't use NAT. Can you give me any advice for this operation ? Can I add the network interface and then run engine-setup ? Will oVirt be accessible from both ip addresses at the end of this operation ?
Generally speaking:
1. You should be able to add an IP address to the existing NIC. If this is a hosted-engine, this might be simpler than adding a NIC. Of course, this might not be relevant in your case, depending on network topology, conf, etc.
2. The engine itself does not care at all about which IP addresses are used to connect to it. Neither is httpd that is running there as a frontend to it - it listens on all addresses. So just add the address somehow, perhaps restart httpd if needed (but I do not think so), and everything should work.
3. The engine _does_ care about the _name_. So make sure you use the existing name. For this, you'll have to change your DNS, or /etc/hosts, as applicable.
4. If it's complex for you to keep the existing name (e.g. because you want to make it work from both old and new addresses, etc.), you can also add another name that the engine will agree to be connected to, using SSO_ALTERNATE_ENGINE_FQDNS, see e.g. [1].
Best regards,
[1] https://www.ovirt.org/develop/networking/changing-engine-hostname.html

On 23. 3. 2021, at 7:55, Enrico Becchetti <enrico.becchetti@pg.infn.it> wrote:
Hi,
I've added a new ip public address and SSO_ALTERNATE_ENGINE_FQDNS, after that I run engine-setup. and now ovirt can also be access with a new name but the last item is about X509 certificate. How can I add a second certificate for this new url ?
I think you’d have to use your own CA; the internal one doesn’t generate certificates with other names. Or, as Didi suggested, modify your DNS to use the same FQDN for both ways.
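Added example (not from the thread or the oVirt project): a check of which engine names a candidate certificate would fail to validate for, given the DNS subjectAltName entries it carries. It assumes those entries have already been listed from the certificate; every hostname in it is a constructed placeholder.

```python
# Added example: which of the engine's names would a certificate NOT validate for?
# Hostnames below are constructed placeholders, not values from the thread.

def _match(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname, RFC 6125 style.

    Only a whole-label leftmost wildcard is honoured; partial wildcards
    such as "eng*.example" are treated as literals (conservative choice).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and needs at
        # least two further labels, so "*.example" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_names(san_dns, required_names):
    """Return the names from required_names that no SAN entry matches."""
    return [n for n in required_names
            if not any(_match(s, n) for s in san_dns)]


# Names clients will use: the original engine FQDN and the alternate one
# added through SSO_ALTERNATE_ENGINE_FQDNS (both constructed).
ENGINE_NAMES = ["engine.lab.example", "ovirt.public.example"]

# SAN lists as three candidate certificates might carry them (constructed).
INTERNAL_ONLY = ["engine.lab.example"]
BOTH_NAMES = ["engine.lab.example", "ovirt.public.example"]
WILDCARD = ["*.public.example"]

if __name__ == "__main__":
    for label, sans in [("internal-only", INTERNAL_ONLY),
                        ("both names", BOTH_NAMES),
                        ("wildcard", WILDCARD)]:
        missing = uncovered_names(sans, ENGINE_NAMES)
        print(f"{label:14} -> missing: {missing or 'none'}")
```

A certificate that leaves any name in the "missing" list will produce a hostname-mismatch error for clients connecting under that name, even though the engine accepts the name for SSO.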

I've got a new valid X509 certificate signed by an official CA, so my question is: can I add this cert inside the engine?
Thanks again
Enrico
On 23/03/21 09:45, Michal Skrivanek wrote:
On 23. 3. 2021, at 7:55, Enrico Becchetti <enrico.becchetti@pg.infn.it> wrote:
Hi,
I've added a new ip public address and SSO_ALTERNATE_ENGINE_FQDNS, after that I run engine-setup. and now ovirt can also be access with a new name but the last item is about X509 certificate. How can I add a second certificate for this new url ?
I think you’d have to use your own CA, the internal one doesn’t generate certificates with other names. or as Didi suggested modify your DNS to use same FQDN for both ways
participants (3)
- Enrico Becchetti
- Michal Skrivanek
- Yedidyah Bar David