virt-v2v cannot authenticate with oVirt engine API with OAuth2

I've been reading through archives but not able to find what I need. Essentially what I'm trying to do is migrate a larger number of VMs from our OVM environment to a new OLVM setup. In an effort to reduce lots of replication and copying of the disk image (export, convert, copy over, import etc.) I found this article which shows a pretty slick way to do it in one shot:

https://blogs.oracle.com/scoter/post/how-to-migrate-oracle-vm-to-oracle-linu...

The main command behind it all is the virt-v2v that makes it possible. It looks something like this:

    virt-v2v -i libvirtxml vm-test1.xml -o rhv-upload \
        -oc https://<OLVM-server>/ovirt-engine/api -os <my storage> \
        -op /tmp/ovirt-admin-password -of raw \
        -oo rhv-cluster=Default -oo rhv-cafile=/root/ca.pem

The problem I'm having is I cannot authenticate with my new OLVM server at the ovirt-engine/api URL. Since user/password is deprecated and you must use OAuth 2.0 with a token, I'm stuck. I have OLVM 4.5.4-1.0.27.el8 and from what I've read in oVirt 4.5 (not sure what version it started) they use keycloak oAuth 2.0 and the older ovirt-aaa-jdbc-tool is now deprecated.

In doing some testing I found I can use curl and authenticate against the ovirt-engine/api and get a token like this:

    OVIRT_ENGINE_URL="https://<myolvm1>/ovirt-engine"
    USERNAME="admin@ovirt@internalsso"
    PASSWORD="<mypassword>"
    CLUSTER_NAME="Default"

    # Request a token from the engine SSO endpoint and extract access_token
    TOKEN=$(curl -k -X POST \
        -H "Accept: application/json" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password&username=$USERNAME&password=$PASSWORD&scope=ovirt-app-api" \
        $OVIRT_ENGINE_URL/sso/oauth/token | jq -r '.access_token')

I was then able to query the API to validate my token works:

    curl -k -H "Accept: application/json" -H "Authorization: Bearer $TOKEN" \
        "$OVIRT_ENGINE_URL/api/clusters?search=name=$CLUSTER_NAME"

The problem is virt-v2v does not support posting any form information or the token to authenticate. Best I can tell the -oc option is strictly the URL and if you want a username in there it's in the form of https://<name>@<server>. So even if I wrote a script and used curl to authenticate and get a token I still can't find a way to make virt-v2v use it.

So I'm stuck: how do I get virt-v2v working? Is there a way to re-enable the deprecated user/pass method of accessing the ovirt-engine/api? Or, as a last resort, a way to get virt-v2v supporting the token?

Thanks for any insight

Malcolm
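The token exchange described in the message above, as an added example that is not part of the original post or of virt-v2v: it sends the same form to /sso/oauth/token but verifies the engine certificate against a CA file instead of using -k, reads the password from a file rather than a shell variable, and URL-encodes the form fields. The function names and the trailing-newline handling of the password file are assumptions of this example.

```python
import json
import ssl
import urllib.parse
import urllib.request


def build_token_request(engine_url, username, password):
    """Build the POST that the thread sends to <engine>/sso/oauth/token."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,      # urlencode escapes &, =, + and spaces
        "scope": "ovirt-app-api",
    }).encode("ascii")
    return urllib.request.Request(
        engine_url.rstrip("/") + "/sso/oauth/token",
        data=form,
        method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(body):
    """Return access_token; on failure report only the keys, never values."""
    doc = json.loads(body)
    token = doc.get("access_token") if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        keys = sorted(doc) if isinstance(doc, dict) else []
        raise ValueError("no access_token in response; keys: %s" % keys)
    return token


def fetch_token(engine_url, username, password_file, ca_file):
    """Request a token, verifying the engine certificate against ca_file."""
    with open(password_file) as fh:
        # Assumption: one password per file, optional trailing newline.
        password = fh.read().rstrip("\n")
    ctx = ssl.create_default_context(cafile=ca_file)   # replaces curl -k
    req = build_token_request(engine_url, username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_token_response(resp.read())


def auth_header(token):
    """Headers for follow-up API calls such as /api/clusters."""
    return {"Accept": "application/json", "Authorization": "Bearer " + token}
```

With the paths from the thread, the call would be fetch_token("https://<myolvm1>/ovirt-engine", "admin@ovirt@internalsso", "/tmp/ovirt-admin-password", "/root/ca.pem").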

I guess nobody else does this?

see https://github.com/libguestfs/virt-v2v/issues/42

On Mon, Feb 26, 2024 at 10:37 PM <malcolm.strydom@pacxa.com> wrote:
> I guess nobody else does this?
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-leave@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6UWV73GC7BX5BX...

Thank you. That looks to be discussing this very issue. I will read through that page and see what came of it.

Similarly to you, I ran into this problem with virt-v2v 1.42 using OLVM 4.5.4-1.0.29.el8. On submitting a request to Oracle via SR, they referred me to this:

OLVM: How to Revert from Keycloak to AAA (Doc ID 2999963.1)

So, there is a way to back out the KeyCloak oAuth 2.0 implementation and re-enable to aaa/jdbc. I haven't attempted this yet, but I'm inclined to, because I already have a working set of scripted tools that do a one-command-line migration successfully under the prior OLVM releases.

If you're sufficiently dauntless, you could try a recompile of virt-v2v using a recent change vetted by the Red Hat developers most closely associated with virt-v2v:

https://github.com/libguestfs/virt-v2v/pull/43

but this involves a number of dependent libraries, and would not be supported until it is released into an authorized software distribution.

I found the Oracle doc and reverted my installation back from keycloak to AAA and got the migrations working. After we migrated some VMs we were able to revert back to keycloak. It doesn't seem the cleanest way to go and I'm afraid of something going wrong when you run the reconfiguration, but so far it has worked for us.
participants (3)
- Benny Zlotnik
- malcolm.strydom@pacxa.com
- randy.cunningham@sagelogix.com