<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Apr 27, 2017 at 6:32 PM, Juan Hernández <span dir="ltr"><<a href="mailto:jhernand@redhat.com" target="_blank">jhernand@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">That is a known issue:<br>
<br>
fence_rhevm can only work as RHEV admin user not a regular user (that<br>
requires "Filter: true http header)<br>
<a href="https://bugzilla.redhat.com/1287059" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/<wbr>1287059</a><br>
<br>
That was fixed in fence-agents-4.0.11-47.el7, but I guess it wasn't<br>
backported to CentOS 6.<br>
<br>
I'd suggest that you open a bug for this component in the Red Hat<br>
Enterprise Linux bug tracker, requesting that the fix be back-ported.<br>
<br>
Meanwhile, if you are in a hurry, you can take the CentOS 7 fence_rhev<br>
script, which should work.<br>
<br>
You will most likely also need to add --ssl-indecure to the command line<br>
of the agent, because you will most likely be using the default self<br>
signed certificate authority used by the engine.<br>
<br>
Note that the latest version of this script uses the 'Filter: true'<br>
header to drop privileges. That means that even when using<br>
'admin@internal' you have to make sure that 'admin@internal' has<br>
permissions for the VM that you want to fence, otherwise it will not be<br>
able to find/fence it.<br>
</blockquote></div><br></div><div class="gmail_extra">Thanks for the feedback Juan.<br></div><div class="gmail_extra">I confirm that using fence_rhevm from latest CentOS 7 version it worked.<br></div><div class="gmail_extra">These were the lines in my cluster.conf<br></div><div class="gmail_extra"><br><pre class="gmail-screen"> <clusternode name="p2viclnorasvi1" nodeid="1" votes="1"><br> <fence><br> <method name="1"><br> <device name="ovirt_fencedelay" port="p2vorasvi1"/><br> </method><br> </fence><br> </clusternode><br> <clusternode name="p2viclnorasvi2" nodeid="2" votes="1"><br> <fence><br> <method name="1"><br> <device name="ovirt_fence" port="p2vorasvi2"/><br> </method><br> </fence><br> </clusternode><br> </clusternodes><br> <quorumd label="p2vcluorasvi" votes="1"><br> <heuristic interval="2" program="ping -c1 -w1 172.16.10.231" score="1" tko="200"/><br> </quorumd><br> <fencedevices><br> <fencedevice agent="fence_rhevm" delay="30" ipaddr="10.4.192.43" login="g.cecchi@internal" passwd_script="/usr/local/bin/pwd_dracnode01.sh" name="ovirt_fencedelay" ssl="on" ssl_insecure="on" shell_timeout="20" power_wait="10"/><br> <fencedevice agent="fence_rhevm" ipaddr="10.4.192.43" login="g.cecchi@internal" passwd_script="/usr/local/bin/pwd_dracnode02.sh" name="ovirt_fence" ssl="on" ssl_insecure="on" shell_timeout="20" power_wait="10"/><br> </fencedevices><br><br><span style="font-family:arial,helvetica,sans-serif">Using admin@internal didn't work even if I set the permissions at vm level too...<br></span></pre><pre class="gmail-screen"><span style="font-family:arial,helvetica,sans-serif">It worked with my username (g.cecchi) that has SuperUser system privilege and also at VM level.<br></span></pre><pre class="gmail-screen"><span style="font-family:arial,helvetica,sans-serif">Is it yet necessary to have a user with SuperUser privilege at system level?<br></span></pre><pre class="gmail-screen"><span style="font-family:arial,helvetica,sans-serif">Tomorrow (today... ;-) I'm going to open a bugzilla to backport the feature.<br></span></pre><pre class="gmail-screen"><span style="font-family:arial,helvetica,sans-serif">Thanks again,<br>Gianluca<br></span></pre></div></div>