[ovirt-users] Configuring ilo2 PM; passing ssh options
Martin Perina
mperina at redhat.com
Mon May 25 04:23:29 EDT 2015
----- Original Message -----
> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> To: "Martin Perina" <mperina at redhat.com>
> Cc: users at ovirt.org, "Eli Mesika" <emesika at redhat.com>
> Sent: Sunday, May 24, 2015 10:02:34 AM
> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
>
>
>
> On 23.05.2015 15:04, Martin Perina wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> >> To: "Martin Perina" <mperina at redhat.com>
> >> Cc: users at ovirt.org, "Eli Mesika" <emesika at redhat.com>
> >> Sent: Thursday, May 21, 2015 9:31:50 PM
> >> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> >>
> >>
> >>
> >> On 21.05.2015 21:07, Martin Perina wrote:
> >>> Hi Daniel,
> >>>
> >>> I'm cc'ing Eli as we are currently facing issue with fence agents
> >>> regression for passing boolean flags to fence agents.
> >> Thanks for getting back to me so quickly.
> >>>
> >>> I looked at man page of fence_ilo2 again and I haven't found
> >>> --tls1.0 option at all.
> >> Strange? FYI I am running CentOS7.1 hosts; installed fence:
> >> fence-agents-ilo2-4.0.11-11.el7_1.x86_64
> >>
> >> Here, clearly I have this option. The fence agent itself seems to use
> >> gnutls successfully:
> >>
> >> # fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status
> >> --ssl-insecure --tls1.0
> >>
> >> Running command: /usr/bin/gnutls-cli --priority
> >> "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION"
> >> --insecure --crlf -p 443 10.11.0.212
> >>
> >
> > Ahh, I looked at older version on F20. But I can't find --tls1.0 option
> > even on man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
> >
> > So if you really see this option, please take a look at the end of man
> > page, where you can find STDIN format options names and add it along
> > with ssl_insecure to options in Power Management tab of the hosts (instead
> > of "tls1_0 use what you find in your man page):
> Many thanks! Using the STDIN options solved this issue. I finally get:
> Test succeeded: on
>
> I am using these options in the options field for the ilo2 fencing module:
>
> ssl_insecure=1,tls1.0=1
>
> Also working:
> ssl_insecure=1,notls=1
>
> >
> > ssl_insecure=1,tls1_0=1
> True. What still puzzles me is the tls1.0 option. In the my man pages
> the STDIN option ins called 'tls1.0'. Also, can you check wherever you
> have a 'notls' option to force SSL3.0? This also works for me.
Ahh, sorry for the confusion. By mistake I looked at older fence-agents
RPM :-(
I looked again and now I also have "tls1.0". The "notls" options is contained
also in the older version (like the one I have in my F20).
>
> I think all the info you gave here, esp. using the stdin binary options
> in a way 'option=0|1' is quite essential to get fenceing working. I had
> a quick look over some man pages and I think all the standard fence
> agents are used in the same manner.
Yes, this is the regression I wrote you about. Latest fence-agents dropped
the support for passing boolean options without value (just sending "notls"
was ok in prior versions), but the last version requires to send "notls=1"
or "notls=true", otherwise the option is not used. We are currenlty preparing
patches to handle it.
> Also, a hint might be in order that old ilo boards can't cope with TLS
> and need it disabled. I think here [1] [2]?
>
> [1] http://www.ovirt.org/Automatic_Fencing
> [2]
> http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Settings_Explained
Hmm, thanks for the input, I will talk with Eli and Oved how to make
the documentation more understandable.
Thanks
Martin Perina
>
> Thanks!
> >
> > Thanks
> >
> > Martin Perina
> >
> >> I put the whole command output below [1]
> >>
> >>
> >> To specify --ssl-insecure please add following
> >>> into options in Power Management tab of the host:
> >>>
> >>> ssl_insecure=1
> >> Thanks for pointing out how to actually use these options.
> >>>
> >>>
> >>> Martin Perina
> >>>
> >>> ----- Original Message -----
> >>>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> >>>> To: "Martin Perina" <mperina at redhat.com>
> >>>> Cc: users at ovirt.org
> >>>> Sent: Thursday, May 21, 2015 8:11:40 PM
> >>>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> >>>>
> >>>>
> >>>>
> >>>> On 12.05.2015 09:16, Martin Perina wrote:
> >>>>> Hi Daniel,
> >>>> Hello Martin,
> >>>>
> >>>> sorry for answering that late. And thanks for pointing me to the man
> >>>> page! I always seem to forget that.
> >>>>>
> >>>>> options defined in PM tab are used to pass custom settings
> >>>>> of specific fence agent. In you case please take a look
> >>>>> at man page for fence_ilo2. I looked there briefly and
> >>>>> I'm afraid that your parameter is not supported.
> >>>>
> >>>> Ok, this command runs fine and uses XML:
> >>>> fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status
> >>>> --ssl-insecure --tls1.0
> >>>>
> >>>> However, using options --tls1.0 and --ssl-insecure does not work in the
> >>>> engine. What puzzles me: the fence agent seems to use an SSL connection
> >>>> and XML; while the GUI wants an SSH port form me?
> >>>>
> >>>> There I get the error:
> >>>> Unknown options ..
> >>>>
> >>>> now I only get
> >>>> Test succeeded - unknown (witch actually is not successful)
> >>>>
> >>>>
> >>>> Thanks!
> >>>>>
> >>>>> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
> >>>>> passing that option for SSH connection, so you could try them
> >>>>> if they work with you fence device.
> >>>>>
> >>>>> Martin Perina
> >>>>>
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> >>>>>> To: users at ovirt.org
> >>>>>> Sent: Monday, May 11, 2015 5:53:10 PM
> >>>>>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
> >>>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> to make this short - i need to pass ssh options to get the connection
> >>>>>> to
> >>>>>> ilo2 working (MACs=hmac-sha1) [1].
> >>>>>>
> >>>>>> How can this be done? I think the 'options' field is clearly for
> >>>>>> something else?
> >>>>>>
> >>>>>> Using this option in .ssh/config works btw.
> >>>>>>
> >>>>>> Thanks!
> >>>>>> --
> >>>>>> Daniel Helgenberger
> >>>>>> m box bewegtbild GmbH
> >>>>>>
> >>>>>> P: +49/30/2408781-22
> >>>>>> F: +49/30/2408781-10
> >>>>>>
> >>>>>> ACKERSTR. 19
> >>>>>> D-10115 BERLIN
> >>>>>>
> >>>>>>
> >>>>>> www.m-box.de www.monkeymen.tv
> >>>>>>
> >>>>>> Geschäftsführer: Martin Retschitzegger / Michaela Göllner
> >>>>>> Handeslregister: Amtsgericht Charlottenburg / HRB 112767
> >>>>>> _______________________________________________
> >>>>>> Users mailing list
> >>>>>> Users at ovirt.org
> >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>
> >>>>>
> >>>>
> >>>> --
> >>>> Daniel Helgenberger
> >>>> m box bewegtbild GmbH
> >>>>
> >>>> P: +49/30/2408781-22
> >>>> F: +49/30/2408781-10
> >>>>
> >>>> ACKERSTR. 19
> >>>> D-10115 BERLIN
> >>>>
> >>>>
> >>>> www.m-box.de www.monkeymen.tv
> >>>>
> >>>> Geschäftsführer: Martin Retschitzegger / Michaela Göllner
> >>>> Handeslregister: Amtsgericht Charlottenburg / HRB 112767
> >>>>
> >>>
> >>
> >> [1]
> >>
> >> Sent: <?xml version="1.0"?>
> >>
> >> Received: <?xml version="1.0"?>
> >>
> >> Processed 0 CA certificate(s).
> >> Resolving '10.11.0.212'...
> >> Connecting to '10.11.0.212:443'...
> >> - Certificate type: X.509
> >> - Got a certificate list of 1 certificates.
> >> - Certificate[0] info:
> >> - subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard
> >> Company,OU=ISS,CN=hv02', issuer
> >> `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hv02', RSA
> >> key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05
> >> 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint
> >> `4db06bc1a74fe2894068d89ea76c0622b3e76bc1'
> >> Public Key ID:
> >> 428f85bc360c8778eb550e4b8ef1c65b111d7108
> >> Public key's random art:
> >> +--[ RSA 1024]----+
> >> | Eoo+. |
> >> | . o . .o. |
> >> | . = B + |
> >> | . & X . |
> >> | o # S |
> >> | . + = |
> >> | . . |
> >> | |
> >> | |
> >> +-----------------+
> >>
> >> - Status: The certificate is NOT trusted. The certificate issuer is
> >> unknown. The name in the certificate does not match the expected.
> >> *** PKI verification of server certificate failed...
> >> - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
> >> - Session ID:
> >> AA:C9:08:8C:F5:E7:E6:19:7D:BC:20:D4:A0:C0:DA:E4:0E:C1:C0:2A:BC:93:8E:B3:5F:20:B0:38:67:F2:01:5C
> >> - Version: TLS1.0
> >> - Key Exchange: RSA
> >> - Cipher: AES-128-CBC
> >> - MAC: SHA1
> >> - Compression: NULL
> >> - Handshake was completed
> >>
> >> - Simple Client Mode:
> >>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> Sent: <RIBCL VERSION="2.0">
> >>
> >> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> >>
> >> Sent: <RIB_INFO MODE="read"><GET_FW_VERSION />
> >>
> >> Sent: </RIB_INFO>
> >>
> >> Received:
> >> <RIBCL VERSION="2.0">
> >>
> >> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> >>
> >> <RIB_INFO MODE="read"><GET_FW_VERSION />
> >>
> >> </RIB_INFO>
> >>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> <GET_FW_VERSION
> >>
> >> Received: FIRMWARE_VERSION = "2.25"
> >> FIRMWARE_DATE = "Apr 14 2014"
> >> MANAGEMENT_PROCESSOR = "iLO2"
> >> LICENSE_TYPE = "iLO 2 Advanced"
> >> />
> >> Sent: </LOGIN>
> >>
> >> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> >>
> >> Sent: <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
> >>
> >> Sent: </SERVER_INFO></LOGIN>
> >>
> >> Received:
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> </LOGIN>
> >>
> >> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "*********">
> >>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
> >>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> </RIBCL>
> >> <?xml version="1.0"?>
> >> <RIBCL VERSION="2.22">
> >> <RESPONSE
> >> STATUS="0x0000"
> >> MESSAGE='No error'
> >> />
> >> <GET_HOST_POWER
> >> HOST_POWER="ON"
> >> Status: ON
> >>
> >
>
> --
> Daniel Helgenberger
> m box bewegtbild GmbH
>
> P: +49/30/2408781-22
> F: +49/30/2408781-10
>
> ACKERSTR. 19
> D-10115 BERLIN
>
>
> www.m-box.de www.monkeymen.tv
>
> Geschäftsführer: Martin Retschitzegger / Michaela Göllner
> Handeslregister: Amtsgericht Charlottenburg / HRB 112767
>
More information about the Users
mailing list