[ovirt-users] Configuring ilo2 PM; passing ssh options

Daniel Helgenberger daniel.helgenberger at m-box.de
Sun May 24 04:02:34 EDT 2015



On 23.05.2015 15:04, Martin Perina wrote:
>
>
> ----- Original Message -----
>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
>> To: "Martin Perina" <mperina at redhat.com>
>> Cc: users at ovirt.org, "Eli Mesika" <emesika at redhat.com>
>> Sent: Thursday, May 21, 2015 9:31:50 PM
>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>
>>
>>
>> On 21.05.2015 21:07, Martin Perina wrote:
>>> Hi Daniel,
>>>
>>> I'm cc'ing Eli as we are currently facing issue with fence agents
>>> regression for passing boolean flags to fence agents.
>> Thanks for getting back to me so quickly.
>>>
>>> I looked at man page of fence_ilo2 again and I haven't found
>>> --tls1.0 option at all.
>> Strange? FYI I am running CentOS7.1 hosts; installed fence:
>> fence-agents-ilo2-4.0.11-11.el7_1.x86_64
>>
>> Here, clearly I have this option. The fence agent itself seems to use
>> gnutls successfully:
>>
>> # fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status
>> --ssl-insecure --tls1.0
>>
>> Running command: /usr/bin/gnutls-cli --priority
>> "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION"
>> --insecure --crlf -p 443 10.11.0.212
>>
>
> Ahh, I looked at older version on F20. But I can't find --tls1.0 option
> even on man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
>
> So if you really see this option, please take a look at the end of man
> page, where you can find STDIN format options names and add it along
> with ssl_insecure to options in Power Management tab of the hosts (instead
> of "tls1_0" use what you find in your man page):
Many thanks! Using the STDIN options solved this issue. I finally get:
Test succeeded: on

I am using these options in the options field for the ilo2 fencing module:

ssl_insecure=1,tls1.0=1

Also working:
ssl_insecure=1,notls=1

>
>   ssl_insecure=1,tls1_0=1
True. What still puzzles me is the tls1.0 option. In my man pages 
the STDIN option is called 'tls1.0'. Also, can you check whether you 
have a 'notls' option to force SSL3.0? This also works for me.

I think all the info you gave here, esp. using the stdin binary options 
in a way 'option=0|1' is quite essential to get fencing working. I had 
a quick look over some man pages and I think all the standard fence 
agents are used in the same manner.
Also, a hint might be in order that old ilo boards can't cope with TLS 
and need it disabled. I think here [1] [2]?

[1] http://www.ovirt.org/Automatic_Fencing
[2] 
http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Settings_Explained

Thanks!
>
> Thanks
>
> Martin Perina
>
>> I put the whole command output below [1]
>>
>>
>>    To specify --ssl-insecure please add following
>>> into options in Power Management tab of the host:
>>>
>>>     ssl_insecure=1
>> Thanks for pointing out how to actually use these options.
>>>
>>>
>>> Martin Perina
>>>
>>> ----- Original Message -----
>>>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
>>>> To: "Martin Perina" <mperina at redhat.com>
>>>> Cc: users at ovirt.org
>>>> Sent: Thursday, May 21, 2015 8:11:40 PM
>>>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>>>
>>>>
>>>>
>>>> On 12.05.2015 09:16, Martin Perina wrote:
>>>>> Hi Daniel,
>>>> Hello Martin,
>>>>
>>>> sorry for answering that late. And thanks for pointing me to the man
>>>> page! I always seem to forget that.
>>>>>
>>>>> options defined in PM tab are used to pass custom settings
>>>>> of specific fence agent. In your case please take a look
>>>>> at man page for fence_ilo2. I looked there briefly and
>>>>> I'm afraid that your parameter is not supported.
>>>>
>>>> Ok, this command runs fine and uses XML:
>>>> fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status
>>>> --ssl-insecure --tls1.0
>>>>
>>>> However, using options --tls1.0 and --ssl-insecure does not work in the
>>>> engine. What puzzles me: the fence agent seems to use an SSL connection
>>>> and XML; while the GUI wants an SSH port from me?
>>>>
>>>> There I get the error:
>>>> Unknown options ..
>>>>
>>>> now I only get
>>>> Test succeeded - unknown (which actually is not successful)
>>>>
>>>>
>>>> Thanks!
>>>>>
>>>>> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
>>>>> passing that option for SSH connection, so you could try them
>>>>> if they work with your fence device.
>>>>>
>>>>> Martin Perina
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
>>>>>> To: users at ovirt.org
>>>>>> Sent: Monday, May 11, 2015 5:53:10 PM
>>>>>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> to make this short - I need to pass ssh options to get the connection to
>>>>>> ilo2 working (MACs=hmac-sha1) [1].
>>>>>>
>>>>>> How can this be done? I think the 'options' field is clearly for
>>>>>> something else?
>>>>>>
>>>>>> Using this option in .ssh/config works btw.
>>>>>>
>>>>>> Thanks!
>>>>>> --
>>>>>> Daniel Helgenberger
>>>>>> m box bewegtbild GmbH
>>>>>>
>>>>>> P: +49/30/2408781-22
>>>>>> F: +49/30/2408781-10
>>>>>>
>>>>>> ACKERSTR. 19
>>>>>> D-10115 BERLIN
>>>>>>
>>>>>>
>>>>>> www.m-box.de  www.monkeymen.tv
>>>>>>
>>>>>> Managing directors: Martin Retschitzegger / Michaela Göllner
>>>>>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>> [1]
>>
>> Sent: <?xml version="1.0"?>
>>
>> Received: <?xml version="1.0"?>
>>
>> Processed 0 CA certificate(s).
>> Resolving '10.11.0.212'...
>> Connecting to '10.11.0.212:443'...
>> - Certificate type: X.509
>> - Got a certificate list of 1 certificates.
>> - Certificate[0] info:
>>    - subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard
>> Company,OU=ISS,CN=hv02', issuer
>> `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hv02', RSA
>> key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05
>> 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint
>> `4db06bc1a74fe2894068d89ea76c0622b3e76bc1'
>> 	Public Key ID:
>> 		428f85bc360c8778eb550e4b8ef1c65b111d7108
>> 	Public key's random art:
>> 		+--[ RSA 1024]----+
>> 		|        Eoo+.    |
>> 		|   . o . .o.     |
>> 		|  . = B +        |
>> 		|   . & X .       |
>> 		|    o # S        |
>> 		|   . + =         |
>> 		|    . .          |
>> 		|                 |
>> 		|                 |
>> 		+-----------------+
>>
>> - Status: The certificate is NOT trusted. The certificate issuer is
>> unknown. The name in the certificate does not match the expected.
>> *** PKI verification of server certificate failed...
>> - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
>> - Session ID:
>> AA:C9:08:8C:F5:E7:E6:19:7D:BC:20:D4:A0:C0:DA:E4:0E:C1:C0:2A:BC:93:8E:B3:5F:20:B0:38:67:F2:01:5C
>> - Version: TLS1.0
>> - Key Exchange: RSA
>> - Cipher: AES-128-CBC
>> - MAC: SHA1
>> - Compression: NULL
>> - Handshake was completed
>>
>> - Simple Client Mode:
>>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> Sent: <RIBCL VERSION="2.0">
>>
>> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>>
>> Sent: <RIB_INFO MODE="read"><GET_FW_VERSION />
>>
>> Sent: </RIB_INFO>
>>
>> Received:
>> <RIBCL VERSION="2.0">
>>
>> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>>
>> <RIB_INFO MODE="read"><GET_FW_VERSION />
>>
>> </RIB_INFO>
>>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> <GET_FW_VERSION
>>
>> Received:    FIRMWARE_VERSION = "2.25"
>>      FIRMWARE_DATE = "Apr 14 2014"
>>      MANAGEMENT_PROCESSOR = "iLO2"
>>      LICENSE_TYPE = "iLO 2 Advanced"
>>       />
>> Sent: </LOGIN>
>>
>> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
>>
>> Sent: <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
>>
>> Sent: </SERVER_INFO></LOGIN>
>>
>> Received:
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> </LOGIN>
>>
>> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "*********">
>>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
>>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> </RIBCL>
>> <?xml version="1.0"?>
>> <RIBCL VERSION="2.22">
>> <RESPONSE
>>       STATUS="0x0000"
>>       MESSAGE='No error'
>>        />
>> <GET_HOST_POWER
>>       HOST_POWER="ON"
>> Status: ON
>>
>

-- 
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN


www.m-box.de  www.monkeymen.tv

Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
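
Added example (not part of the original message, and not oVirt or fence-agents code): a small Python check for the Power Management options field discussed in this thread. It parses the comma-separated name=value form, renders the one-per-line STDIN form, and lists enabled options that weaken the connection to the iLO; the function names, the accepted boolean spellings and the sample host list are assumptions.

```python
"""Added example: audit an oVirt Power Management 'options' string."""

# Options from this thread that weaken the transport to the iLO.
# Descriptions follow what the thread reports; tls1_0 is the spelling
# Martin suggested, tls1.0 the one found in Daniel's man page.
WEAKENING = {
    "ssl_insecure": "certificate verification disabled (--ssl-insecure)",
    "tls1.0": "protocol pinned to TLS 1.0 (--tls1.0)",
    "tls1_0": "protocol pinned to TLS 1.0 (--tls1.0)",
    "notls": "TLS disabled; the thread reports this forces SSL 3.0",
}
TRUTHY = {"1", "yes", "on", "true"}  # assumed boolean spellings


def parse_pm_options(text):
    """Split 'k=v,k=v' into a dict; reject CLI-style or bare flags."""
    opts = {}
    for item in filter(None, (p.strip() for p in text.split(","))):
        key, sep, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("-") or not sep or not value:
            raise ValueError(
                f"{item!r}: use the STDIN name with a value, e.g. ssl_insecure=1")
        opts[key] = value
    return opts


def to_stdin(opts):
    """Render the options in the one-per-line name=value STDIN form."""
    return "".join(f"{k}={v}\n" for k, v in opts.items())


def audit(opts):
    """Return (option, reason) for every enabled weakening option."""
    return [(k, WEAKENING[k]) for k, v in opts.items()
            if k in WEAKENING and v.lower() in TRUTHY]


if __name__ == "__main__":
    # Constructed inventory: host name -> value of the PM options field.
    hosts = {"hv02": "ssl_insecure=1,tls1.0=1", "hv03": "ssl_insecure=0"}
    for host, field in hosts.items():
        for opt, reason in audit(parse_pm_options(field)):
            print(f"{host}: {opt}: {reason}")
```
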

