[ovirt-users] Configuring ilo2 PM; passing ssh options

Eli Mesika emesika at redhat.com
Mon May 25 05:43:51 EDT 2015



----- Original Message -----
> From: "Martin Perina" <mperina at redhat.com>
> To: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> Cc: users at ovirt.org, "Eli Mesika" <emesika at redhat.com>
> Sent: Monday, May 25, 2015 11:23:29 AM
> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> 
> 
> 
> ----- Original Message -----
> > From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> > To: "Martin Perina" <mperina at redhat.com>
> > Cc: users at ovirt.org, "Eli Mesika" <emesika at redhat.com>
> > Sent: Sunday, May 24, 2015 10:02:34 AM
> > Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> > 
> > 
> > 
> > On 23.05.2015 15:04, Martin Perina wrote:
> > >
> > >
> > > ----- Original Message -----
> > >> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> > >> To: "Martin Perina" <mperina at redhat.com>
> > >> Cc: users at ovirt.org, "Eli Mesika" <emesika at redhat.com>
> > >> Sent: Thursday, May 21, 2015 9:31:50 PM
> > >> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> > >>
> > >>
> > >>
> > >> On 21.05.2015 21:07, Martin Perina wrote:
> > >>> Hi Daniel,
> > >>>
> > >>> I'm cc'ing Eli as we are currently facing issue with fence agents
> > >>> regression for passing boolean flags to fence agents.
> > >> Thanks for getting back to me so quickly.
> > >>>
> > >>> I looked at man page of fence_ilo2 again and I haven't found
> > >>> --tls1.0 option at all.
> > >> Strange? FYI I am running CentOS7.1 hosts; installed fence:
> > >> fence-agents-ilo2-4.0.11-11.el7_1.x86_64
> > >>
> > >> Here, clearly I have this option. The fence agent itself seems to use
> > >> gnutls successfully:
> > >>
> > >> # fence_ilo2 -a 10.11.0.212 --username=ovirt -p ****** -v -o status
> > >> --ssl-insecure --tls1.0
> > >>
> > >> Running command: /usr/bin/gnutls-cli --priority
> > >> "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:%LATEST_RECORD_VERSION"
> > >> --insecure --crlf -p 443 10.11.0.212
> > >>
> > >
> > > Ahh, I looked at older version on F20. But I can't find --tls1.0 option
> > > even on man page for fence-agents-ilo2-4.0.11-11.el7_1.x86_64 :-(
> > >
> > > So if you really see this option, please take a look at the end of man
> > > page, where you can find STDIN format options names and add it along
> > > with ssl_insecure to options in Power Management tab of the hosts
> > > (instead of "tls1_0" use what you find in your man page):
> > Many thanks! Using the STDIN options solved this issue. I finally get:
> > Test succeeded: on
> > 
> > I am using these options in the options field for the ilo2 fencing module:
> > 
> > ssl_insecure=1,tls1.0=1
> > 
> > Also working:
> > ssl_insecure=1,notls=1
> > 
> > >
> > >   ssl_insecure=1,tls1_0=1
> > True. What still puzzles me is the tls1.0 option. In my man pages
> > the STDIN option is called 'tls1.0'. Also, can you check whether you
> > have a 'notls' option to force SSL3.0? This also works for me.
> 
> Ahh, sorry for the confusion. By mistake I looked at older fence-agents
> RPM :-(
> 
> I looked again and now I also have "tls1.0". The "notls" option is contained
> also in the older version (like the one I have in my F20).
> 
> > 
> > I think all the info you gave here, esp. using the stdin binary options
> > in a way 'option=0|1' is quite essential to get fencing working. I had
> > a quick look over some man pages and I think all the standard fence
> > agents are used in the same manner.
> 
> Yes, this is the regression I wrote you about. Latest fence-agents dropped
> the support for passing boolean options without value (just sending "notls"
> was ok in prior versions), but the last version requires sending "notls=1"
> or "notls=true", otherwise the option is not used. We are currently preparing
> patches to handle it.

This is planned to be fixed for 3.6 by an upgrade script (not including encrypted options).
BTW, according to Marek G, who is the fence-agents maintainer, sending boolean flags on their own
was enabled for all agents but was actually working only for the ipmilan agent ...

> 
> > Also, a hint might be in order that old ilo boards can't cope with TLS
> > and need it disabled. I think here [1] [2]?
> > 
> > [1] http://www.ovirt.org/Automatic_Fencing
> > [2] http://www.ovirt.org/OVirt_Administration_Guide#Host_Power_Management_Settings_Explained
> 
> Hmm, thanks for the input, I will talk with Eli and Oved how to make
> the documentation more understandable.

I have added a comment to the troubleshooting section of [1] regarding that ...

> 
> Thanks
> 
> Martin Perina
> 
> > 
> > Thanks!
> > >
> > > Thanks
> > >
> > > Martin Perina
> > >
> > >> I put the whole command output below [1]
> > >>
> > >>
> > >>> To specify --ssl-insecure please add the following
> > >>> into options in Power Management tab of the host:
> > >>>
> > >>>     ssl_insecure=1
> > >> Thanks for pointing out how to actually use these options.
> > >>>
> > >>>
> > >>> Martin Perina
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> > >>>> To: "Martin Perina" <mperina at redhat.com>
> > >>>> Cc: users at ovirt.org
> > >>>> Sent: Thursday, May 21, 2015 8:11:40 PM
> > >>>> Subject: Re: [ovirt-users] Configuring ilo2 PM; passing ssh options
> > >>>>
> > >>>>
> > >>>>
> > >>>> On 12.05.2015 09:16, Martin Perina wrote:
> > >>>>> Hi Daniel,
> > >>>> Hello Martin,
> > >>>>
> > >>>> sorry for answering that late. And thanks for pointing me to the man
> > >>>> page! I always seem to forget that.
> > >>>>>
> > >>>>> options defined in PM tab are used to pass custom settings
> > >>>>> of specific fence agent. In your case please take a look
> > >>>>> at man page for fence_ilo2. I looked there briefly and
> > >>>>> I'm afraid that your parameter is not supported.
> > >>>>
> > >>>> Ok, this command runs fine and uses XML:
> > >>>> fence_ilo2 -a 10.11.0.212 --username=ovirt -p secret -v -o status
> > >>>> --ssl-insecure --tls1.0
> > >>>>
> > >>>> However, using options --tls1.0 and --ssl-insecure does not work in
> > >>>> the engine. What puzzles me: the fence agent seems to use an SSL
> > >>>> connection and XML; while the GUI wants an SSH port from me?
> > >>>>
> > >>>> There I get the error:
> > >>>> Unknown options ..
> > >>>>
> > >>>> now I only get
> > >>>> Test succeeded - unknown (which actually is not successful)
> > >>>>
> > >>>>
> > >>>> Thanks!
> > >>>>>
> > >>>>> I see that fence_ilo3_ssh and fence_ilo4_ssh should support
> > >>>>> passing that option for SSH connection, so you could try them
> > >>>>> if they work with your fence device.
> > >>>>>
> > >>>>> Martin Perina
> > >>>>>
> > >>>>>
> > >>>>> ----- Original Message -----
> > >>>>>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
> > >>>>>> To: users at ovirt.org
> > >>>>>> Sent: Monday, May 11, 2015 5:53:10 PM
> > >>>>>> Subject: [ovirt-users] Configuring ilo2 PM; passing ssh options
> > >>>>>>
> > >>>>>> Hello,
> > >>>>>>
> > >>>>>> to make this short - I need to pass ssh options to get the
> > >>>>>> connection to ilo2 working (MACs=hmac-sha1) [1].
> > >>>>>>
> > >>>>>> How can this be done? I think the 'options' field is clearly for
> > >>>>>> something else?
> > >>>>>>
> > >>>>>> Using this option in .ssh/config works btw.
> > >>>>>>
> > >>>>>> Thanks!
> > >>>>>> --
> > >>>>>> Daniel Helgenberger
> > >>>>>> m box bewegtbild GmbH
> > >>>>>>
> > >>>>>> P: +49/30/2408781-22
> > >>>>>> F: +49/30/2408781-10
> > >>>>>>
> > >>>>>> ACKERSTR. 19
> > >>>>>> D-10115 BERLIN
> > >>>>>>
> > >>>>>>
> > >>>>>> www.m-box.de  www.monkeymen.tv
> > >>>>>>
> > >>>>>> Managing directors: Martin Retschitzegger / Michaela Göllner
> > >>>>>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
> > >>>>>> _______________________________________________
> > >>>>>> Users mailing list
> > >>>>>> Users at ovirt.org
> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users
> > >>>>>>
> > >>>>>
> > >>>>
> > >>>
> > >>
> > >> [1]
> > >>
> > >> Sent: <?xml version="1.0"?>
> > >>
> > >> Received: <?xml version="1.0"?>
> > >>
> > >> Processed 0 CA certificate(s).
> > >> Resolving '10.11.0.212'...
> > >> Connecting to '10.11.0.212:443'...
> > >> - Certificate type: X.509
> > >> - Got a certificate list of 1 certificates.
> > >> - Certificate[0] info:
> > >>    - subject `C=US,ST=Texas,L=Houston,O=Hewlett-Packard
> > >> Company,OU=ISS,CN=hv02', issuer
> > >> `C=US,ST=Texas,L=Houston,O=Hewlett-Packard Company,OU=ISS,CN=hv02', RSA
> > >> key 1024 bits, signed using RSA-MD5 (broken!), activated `2002-12-05
> > >> 20:25:26 UTC', expires `2022-12-05 20:25:26 UTC', SHA-1 fingerprint
> > >> `4db06bc1a74fe2894068d89ea76c0622b3e76bc1'
> > >> 	Public Key ID:
> > >> 		428f85bc360c8778eb550e4b8ef1c65b111d7108
> > >> 	Public key's random art:
> > >> 		+--[ RSA 1024]----+
> > >> 		|        Eoo+.    |
> > >> 		|   . o . .o.     |
> > >> 		|  . = B +        |
> > >> 		|   . & X .       |
> > >> 		|    o # S        |
> > >> 		|   . + =         |
> > >> 		|    . .          |
> > >> 		|                 |
> > >> 		|                 |
> > >> 		+-----------------+
> > >>
> > >> - Status: The certificate is NOT trusted. The certificate issuer is
> > >> unknown. The name in the certificate does not match the expected.
> > >> *** PKI verification of server certificate failed...
> > >> - Description: (TLS1.0)-(RSA)-(AES-128-CBC)-(SHA1)
> > >> - Session ID:
> > >> AA:C9:08:8C:F5:E7:E6:19:7D:BC:20:D4:A0:C0:DA:E4:0E:C1:C0:2A:BC:93:8E:B3:5F:20:B0:38:67:F2:01:5C
> > >> - Version: TLS1.0
> > >> - Key Exchange: RSA
> > >> - Cipher: AES-128-CBC
> > >> - MAC: SHA1
> > >> - Compression: NULL
> > >> - Handshake was completed
> > >>
> > >> - Simple Client Mode:
> > >>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> Sent: <RIBCL VERSION="2.0">
> > >>
> > >> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> > >>
> > >> Sent: <RIB_INFO MODE="read"><GET_FW_VERSION />
> > >>
> > >> Sent: </RIB_INFO>
> > >>
> > >> Received:
> > >> <RIBCL VERSION="2.0">
> > >>
> > >> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> > >>
> > >> <RIB_INFO MODE="read"><GET_FW_VERSION />
> > >>
> > >> </RIB_INFO>
> > >>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> <GET_FW_VERSION
> > >>
> > >> Received:    FIRMWARE_VERSION = "2.25"
> > >>      FIRMWARE_DATE = "Apr 14 2014"
> > >>      MANAGEMENT_PROCESSOR = "iLO2"
> > >>      LICENSE_TYPE = "iLO 2 Advanced"
> > >>       />
> > >> Sent: </LOGIN>
> > >>
> > >> Sent: <LOGIN USER_LOGIN = "ovirt" PASSWORD = "dJPVmJG64zMVD3d">
> > >>
> > >> Sent: <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
> > >>
> > >> Sent: </SERVER_INFO></LOGIN>
> > >>
> > >> Received:
> > >> </RIBCL>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> </LOGIN>
> > >>
> > >> <LOGIN USER_LOGIN = "ovirt" PASSWORD = "*********">
> > >>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> <SERVER_INFO MODE = "read"><GET_HOST_POWER_STATUS/>
> > >>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> </RIBCL>
> > >> <?xml version="1.0"?>
> > >> <RIBCL VERSION="2.22">
> > >> <RESPONSE
> > >>       STATUS="0x0000"
> > >>       MESSAGE='No error'
> > >>        />
> > >> <GET_HOST_POWER
> > >>       HOST_POWER="ON"
> > >> Status: ON
> > >>
> > >
> > 
> > 
> 
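The point of the thread is how the comma-separated "options" field in the oVirt Power Management tab reaches the fence agent and why a bare boolean flag like "notls" silently stops working once the agent insists on "notls=1". The following is an added example, not oVirt engine or fence-agents code: it maps the options field onto the STDIN key=value lines a fence agent reads, normalizes bare flags to "=1", and lists which enabled options weaken TLS on the fence link. The base STDIN key names (ip, login, passwd, action) and the set of weakening options are assumptions made here.

```python
"""Map oVirt Power Management "options" onto fence-agent STDIN lines.

Added example, not oVirt engine or fence-agents code. Assumptions: the PM
options field is a comma-separated list of "key" or "key=value" items; a
fence agent such as fence_ilo2 reads one "key=value" per line on STDIN
(the base key names ip/login/passwd/action are assumed here); and newer
fence-agents ignore a boolean flag sent without a value, so a bare flag
such as "notls" must be sent as "notls=1".
"""

# Options that weaken the TLS protection of the fence connection. The set is
# our own choice; track where they are enabled so the exception stays visible.
WEAKENING_OPTIONS = {"ssl_insecure", "notls", "tls1.0", "tls1_0"}
TRUE_VALUES = {"1", "true", "on", "yes"}


def parse_pm_options(options: str) -> dict:
    """Parse "k1=v1,k2,k3=v3" into a dict; a bare key becomes key="1"."""
    parsed = {}
    for item in options.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate trailing or doubled commas
        key, sep, value = item.partition("=")
        key = key.strip()
        if not key:
            raise ValueError(f"option without a name: {item!r}")
        # Normalize the bare boolean form ("notls") to the explicit "notls=1"
        # that current fence-agents require.
        parsed[key] = value.strip() if sep else "1"
    return parsed


def build_fence_stdin(ip: str, login: str, passwd: str, action: str,
                      options: str = "") -> str:
    """Return the text to feed a fence agent on STDIN, one key=value per line."""
    fields = {"ip": ip, "login": login, "passwd": passwd, "action": action}
    fields.update(parse_pm_options(options))
    return "".join(f"{key}={value}\n" for key, value in fields.items())


def weakening_options(options: str) -> list:
    """Names of enabled options that disable or downgrade TLS on the fence link."""
    parsed = parse_pm_options(options)
    return sorted(key for key, value in parsed.items()
                  if key in WEAKENING_OPTIONS and value.lower() in TRUE_VALUES)


if __name__ == "__main__":
    opts = "ssl_insecure=1,tls1.0=1"  # the option string from the thread
    print(build_fence_stdin("10.11.0.212", "ovirt", "<password>", "status", opts))
    print("TLS-weakening options enabled:", weakening_options(opts))
```

Feeding the returned text to the agent on STDIN also keeps the iLO password out of the process argument list, unlike the `-p` form used in the thread.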

