Description of problem:
During the beginning of the feature, there was a possibility to change the default serial-console port (2222), but now it's disabled: once configured during initial engine-setup, it is impossible to change it later. Provide the option to change the default connectivity port to the one the customer desires, as not all customers would like to use the same default serial-console port.

Version-Release number of selected component (if applicable):
Engine:
    ovirt-vmconsole-proxy-1.0.0-1.el6ev.noarch
    ovirt-engine-extension-aaa-jdbc-1.0.1-1.el6ev.noarch
    ovirt-host-deploy-1.4.0-1.el6ev.noarch
    ovirt-host-deploy-java-1.4.0-1.el6ev.noarch
    ovirt-vmconsole-1.0.0-1.el6ev.noarch
    rhevm-3.6.0.3-0.1.el6.noarch
    Linux version 2.6.32-573.7.1.el6.x86_64 (mockbuild.eng.bos.redhat.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Thu Sep 10 13:42:16 EDT 2015
Host:
    Linux version 3.10.0-327.el7.x86_64 (mockbuild.eng.bos.redhat.com) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Thu Oct 29 17:29:29 EDT 2015
    libvirt-client-1.2.17-13.el7.x86_64
    vdsm-4.17.10.1-0.el7.centos.noarch
    sanlock-3.2.4-1.el7.x86_64
    mom-0.5.1-2.el7.noarch
    qemu-kvm-rhev-2.3.0-31.el7.x86_64
    ovirt-vmconsole-host-1.0.1-0.0.master.20151105234454.git3e5d52e.el7.noarch
    ovirt-release36-snapshot-001-2.noarch
    ovirt-vmconsole-1.0.1-0.0.master.20151105234454.git3e5d52e.el7.noarch
    ovirt-release36-001-2.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install the engine with serial-console enabled on engine.
2. Try changing the default 2222 serial console port to some other port by re-running the engine-setup.
3.

Actual results:
Changing serial-console default connectivity port is not possible.

Expected results:
Changing the port should be possible and also documentation should mention that 2222 is TCP port as ssh travels over it.

Additional info:

Please stop opening rfes before discussion, your format for rfe is also incorrect, it is not your role to open rfes.

I think I already responded. this can be done manually if someone insists, we won't add setup or any other method to do this.

sshd options can be overridden using OPTIONS variable at:
    /etc/sysconfig/ovirt-vmconsole-host-sshd
    /etc/sysconfig/ovirt-vmconsole-proxy-sshd

proxy ssh options can be overridden using /etc/ovirt-vmconsole/ovirt-vmconsole-proxy/conf.d/90-custom-options.conf
---
console_attach_ssh_args=""
---

selinux should be customized:
    semanage port -a -t ovirt_vmconsole_proxy_port_t -p tcp XXX
    semanage port -a -t ovirt_vmconsole_host_port_t -p tcp XXX

Alon, if there is a way to do it, it should move to docs so it'll be a documented, supported, procedure. I think it's not an easy way to do it (how do you customize selinux on RHEVH) and therefore might have value if we can make it easier for the customer. Anyway, let's start with a KB.
(In reply to Yaniv Kaul from comment #2)
> Alon, if there is a way to do it, it should move to docs so it'll be a
> documented, supported, procedure.
>
> I think it's not an easy way to do it (how do you customize selinux on
> RHEVH) and therefore might have value if we can make it easier for the
> customer.
> Anyway, let's start with a KB.

all specified in comment#1, not sure why this is important, we do not modify ports for spice or vnc or any other port. please reclose.

Francesco, can you put together a quick description/kbase how to do that?
(In reply to Michal Skrivanek from comment #4)
> Francesco, can you put together a quick description/kbase how to do that?

Done
https://github.com/mojaves/ovirt-site/blob/sercon-options/source/documentation/admin-guide/serial-console-setup.html.md
will issue proper pull request once formatting and English is polished.

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has been already released and bug is not ON_QA.
https://github.com/oVirt/ovirt-site/pull/222
Pull request merged. I'll add the same content in the docs of the ovirt-vmconsole package.
oVirt 4.0 beta has been released, moving to RC milestone.
additional docs added, could be MODIFIED now
Hi Nikolai, I'm not sure that the ovirt-host-deploy flow will leave the custom port untouched. It should, but I'd need to check again. I'd like to stress that we are here improving the documentation for an exceptional flow - this mode of operation is not recommended. People are really expected to use the default settings here. I'd simplify the testcase: run automated setup as you described, check everything works (non regression?), then change the default settings to something else and check it still works with the non-default settings. Rationale for this simplification is that we are not yet ready for full-custom port settings, here we are documenting the steps for the sake of transparency rather than giving real complete flexibility.
Is there any documentation available, describing suggested way of changing the default port for serial-console?
(In reply to Nikolai Sednev from comment #15)
> Is there any documentation available, describing suggested way of changing
> the default port for serial-console?

Yes. U/S is described here:
http://www.ovirt.org/documentation/admin-guide/serial-console-setup/#Manual_Setup

In the package source tree, you can find the same content in the README:
https://github.com/oVirt/ovirt-vmconsole/blob/master/README (see "CUSTOMIZATION")

For official RHEV docs, still checking, because of the need to convey the message "this is possible, but not recommended"

Following http://www.ovirt.org/documentation/admin-guide/serial-console-setup/#Manual_Setup I see that on each host I have to change /etc/sysconfig/ovirt-vmconsole-proxy-sshd, but it does not exist on my hosts. On proxy (engine) I see only this:

cat /etc/ovirt-vmconsole/ovirt-vmconsole-proxy/conf.d/20-ovirt-vmconsole-proxy-helper.conf
[proxy]
key_list = exec "/usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py" --version "{version}" keys
console_list = exec "/usr/libexec/ovirt-vmconsole-proxy-helper/ovirt-vmconsole-list.py" --version "{version}" consoles --entityid "{entityid}"

Can you please provide a fully detailed working example, which changes, for example, from default port to 8181 port?

Official Red-Hat documentation is still required.

(In reply to Nikolai Sednev from comment #17)

This is an ovirt bug, I don't see how downstream documentation is relevant.

Francesco, for the content - let's update the vmconsole-proxy-sshd text with the template/default file in /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config. Similarly please mention the template/default for virt-vmconsole-proxy conf, and/or perhaps rephrase from "look for" to "add":)

Documentation improved: https://github.com/oVirt/ovirt-site/pull/337
I'm not fully understanding the documentation.

Tried to change configuration manually on my host and the engine, while following this https://github.com/oVirt/ovirt-site/pull/337/files documentation and see already a few differences:

1) On RHEL7.2 host I don't see anything in /etc/sysconfig/ovirt-vmconsole-host-sshd, but I do see in /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/sshd_config and it shows as follows:

    AllowAgentForwarding no
    #AllowStreamLocalForwarding no
    AllowTcpForwarding no
    AllowUsers ovirt-vmconsole
    AuthorizedKeysFile /dev/null
    AuthorizedPrincipalsFile /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/authorized_principals
    ChallengeResponseAuthentication no
    ClientAliveCountMax 3
    ClientAliveInterval 10
    ForceCommand /usr/libexec/ovirt-vmconsole-host-shell
    GSSAPIAuthentication no
    HostCertificate /etc/pki/ovirt-vmconsole/host-ssh_host_rsa-cert.pub
    HostKey /etc/pki/ovirt-vmconsole/host-ssh_host_rsa
    HostbasedAuthentication no
    KbdInteractiveAuthentication no
    KerberosAuthentication no
    PasswordAuthentication no
    #PermitUserRC no
    PidFile /dev/null
    Port 2223
    Protocol 2
    PubkeyAuthentication yes
    RSAAuthentication no
    TrustedUserCAKeys /etc/pki/ovirt-vmconsole/ca.pub
    X11Forwarding no

Probably you were referring to that configuration file? If yes, then I've tried to change the port to let's say 3334 and saved.

2) Now on engine, which is my serial-console-proxy I see the configuration file in here /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config instead of being shown as documented in here /etc/sysconfig/ovirt-vmconsole-proxy-sshd. I've tried to change the port to the same value of 3334.

3) Now, regarding "changing the *ssh* options", I'm not quite getting what to change and where, this is out of my understanding and I'll need your help with it.

On engine (my proxy) I see only these:

    # ll -ls /etc/ovirt-vmconsole/ovirt-vmconsole-proxy/conf.d/
    total 8
    4 -rw-r--r--. 1 root root 262 Jun 21 08:56 20-ovirt-vmconsole-proxy-helper.conf
    4 -rw-r--r--. 1 root root 132 Jun 1 07:57 NOTICE

4) SELinux on engine is not working in provided syntax at all:

    # semanage port -a -t ovirt_vmconsole_proxy_port_t -p tcp 3334
    ValueError: Type ovirt_vmconsole_proxy_port_t is invalid, must be a port type

But it is working on hosts.

I've tried to restart services on both hosts and the engine:

    systemctl restart ovirt-vmconsole-proxy-sshd
    systemctl restart ovirt-vmconsole-host-sshd

And tried then to establish ssh connectivity to new port and failed:

    [root@nsednev ~]# ssh -v -t -i $HOME/.ssh/id_rsa -p 3334 ovirt-vmconsole.lab.tlv.redhat.com connect
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 56: Applying options for *
    debug1: Connecting to nsednev-he-1.qa.lab.tlv.redhat.com [10.35.97.61] port 3334.
    debug1: connect to address 10.35.97.61 port 3334: No route to host
    ssh: connect to host FQDN of my engine port 3334: No route to host

(In reply to Nikolai Sednev from comment #20)
> I'm not fully understanding the documentation.
>
> Tried to change configuration manually on my host and the engine, while
> following this https://github.com/oVirt/ovirt-site/pull/337/files
> documentation and see already a few differences:
>
> 1)On RHEL7.2 host I don't see anything in
> /etc/sysconfig/ovirt-vmconsole-host-sshd,

Correct, this file may be missing entirely. With this file, you can add/change environment variables to be used by the ovirt-vmconsole-host-sshd process. For example, it is documented you can change the service's OPTIONS.

There are few ways to do this

1. directly change the way the service is launched, editing /usr/lib/systemd/system/ovirt-vmconsole-host-sshd.service
   this is possible but strongly discouraged, there are supported ways to change the service's parameters, like
2. tune the service's default configuration, editing /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/sshd_config
   again, this is possible but strongly discouraged: if you upgrade the package, you'll lose your customization.
3. The supported way is to add/edit /etc/sysconfig/ovirt-vmconsole-host-sshd, which will not be overridden by package upgrades.

So, the service's configuration works as follows:

a. it is run using the generic systemd configuration from /usr/lib/systemd/system/ovirt-vmconsole-host-sshd.service
b. uses the default configuration on /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/sshd_config
c. takes overrides from /etc/sysconfig/ovirt-vmconsole-host-sshd on top of the default configuration

I'm not documenting this because, besides the location of the file paths (and *this* is documented), this is the way all the system services work, so it is not ovirt-vmconsole specific.

> but I do see in
> /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/sshd_config
> and it shows as follows:
> AllowAgentForwarding no
> #AllowStreamLocalForwarding no
> AllowTcpForwarding no
> AllowUsers ovirt-vmconsole
> AuthorizedKeysFile /dev/null
> AuthorizedPrincipalsFile /usr/share/ovirt-vmconsole/ovirt-vmconsole-host/ovirt-vmconsole-host-sshd/authorized_principals
> ChallengeResponseAuthentication no
> ClientAliveCountMax 3
> ClientAliveInterval 10
> ForceCommand /usr/libexec/ovirt-vmconsole-host-shell
> GSSAPIAuthentication no
> HostCertificate /etc/pki/ovirt-vmconsole/host-ssh_host_rsa-cert.pub
> HostKey /etc/pki/ovirt-vmconsole/host-ssh_host_rsa
> HostbasedAuthentication no
> KbdInteractiveAuthentication no
> KerberosAuthentication no
> PasswordAuthentication no
> #PermitUserRC no
> PidFile /dev/null
> Port 2223
> Protocol 2
> PubkeyAuthentication yes
> RSAAuthentication no
> TrustedUserCAKeys /etc/pki/ovirt-vmconsole/ca.pub
> X11Forwarding no
>
> Probably you were referring to that configuration file? If yes, than I've
> tried to change the port to let's say 3334 and saved.

This works, as documented above, but it is not the best way to proceed.

> 2)Now on engine, which is my serial-console-proxy I see the configuration
> file in here
> /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
> instead of being shown as documented in here
> /etc/sysconfig/ovirt-vmconsole-proxy-sshd. I've tried to change the port to
> the same value of 3334.

Same consideration as above, but this is not correct. Here you changed the port the *proxy* service listens to. It works as follows:

    [any client anywhere] -> [[proxy sshd] -> [proxy ssh client]] -> [host sshd]

The proxy side automatically handles one ssh client connection to the ovirt-vmconsole-host sshd. The user doesn't need to know (except for one specific case, please keep reading), it is all handled automatically.

BUT, if the user wishes to change the ovirt-vmconsole host sshd, then it needs to change the client configuration to make this connection attempt to use the right port. It seems that you changed the port the *proxy server* listens to, hence the connection proxy -> host is most likely broken now.

> 3)Now, regarding "changing the *ssh* options", I'm not quite getting what to
> change and where,this is out of my understanding and I'll need your help
> with it.
>
> On engine (my proxy) I see only these:
> # ll -ls /etc/ovirt-vmconsole/ovirt-vmconsole-proxy/conf.d/
> total 8
> 4 -rw-r--r--. 1 root root 262 Jun 21 08:56 20-ovirt-vmconsole-proxy-helper.conf
> 4 -rw-r--r--. 1 root root 132 Jun 1 07:57 NOTICE

create a file like /etc/ovirt-vmconsole/ovirt-vmconsole-proxy/conf.d/90-custom-options.conf with this content

    console_attach_ssh_args="-p 3334"

> 4)SELinux on engine is not working in provided syntax at all:
> # semanage port -a -t ovirt_vmconsole_proxy_port_t -p tcp 3334
> ValueError: Type ovirt_vmconsole_proxy_port_t is invalid, must be a port type

Tried on the proxy host on one of my boxes:

    [root@c7 ~]# semanage port -a -t ovirt_vmconsole_proxy_port_t -p tcp 3334
    [root@c7 ~]# semanage port -a -t ovirt_vmconsole_proxy_port_t -p tcp 2223
    [root@c7 ~]# rpm -qa | grep vmconsole
    ovirt-vmconsole-proxy-1.0.2-1.el7.centos.noarch
    ovirt-engine-setup-plugin-vmconsole-proxy-helper-3.6.7.5-1.el7.centos.noarch
    ovirt-vmconsole-1.0.2-1.el7.centos.noarch
    ovirt-engine-vmconsole-proxy-helper-3.6.7.5-1.el7.centos.noarch
    [root@c7 ~]# cat /etc/redhat-release
    CentOS Linux release 7.2.1511 (Core)

I don't have a RHEL7.2 box handy but I'm quite confident it will work, will check asap.

> But it is working on hosts.
>
> I've tried to restart services on both hosts and the engine:
> systemctl restart ovirt-vmconsole-proxy-sshd
> systemctl restart ovirt-vmconsole-host-sshd
>
> And tried then to establish ssh connectivity to new port and failed:
> [root@nsednev ~]# ssh -v -t -i $HOME/.ssh/id_rsa -p 3334

This is expected considering the configuration glitches.

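The layering and the proxy -> host hop described in the comment above, as an added example that is not part of the original thread or of the ovirt-vmconsole code: a consistency check that the port the proxy's ssh client dials matches the port the host sshd actually binds. Function names are hypothetical; it assumes the sysconfig override takes the form OPTIONS="-p N" (sshd's command-line port, which takes precedence over Port in the config file), a single Port line in sshd_config, and that the proxy client uses 2223 when console_attach_ssh_args sets no port.

```shell
#!/bin/sh
# Added example: check that the proxy's ssh client dials the port the
# host sshd listens on. Sample file contents below are constructed.
DEFAULT_HOST_PORT=2223  # Port in the shipped host sshd_config quoted above

# Last "-p N", "-pN", "-o Port=N" or "-oPort=N" in an option string.
port_from_args() (
    set -f; port=; prev=
    for w in $1; do
        case "$prev" in
            -p) port=$w ;;
            -o) case "$w" in Port=*) port=${w#Port=} ;; esac ;;
        esac
        case "$w" in
            -p?*) port=${w#-p} ;;
            -oPort=*) port=${w#-oPort=} ;;
        esac
        prev=$w
    done
    printf '%s' "$port"
)

# Value of the last NAME=value line in a file, quotes stripped; empty if absent.
conf_value() (
    [ -f "$2" ] || exit 0
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | sed 's/^"\(.*\)"$/\1/'
)

# Port the host sshd binds: OPTIONS override first, else Port in sshd_config.
host_listen_port() (
    p=$(port_from_args "$(conf_value OPTIONS "$2")")
    [ -n "$p" ] || p=$(awk 'tolower($1) == "port" { p = $2 } END { print p }' "$1")
    printf '%s\n' "$p"
)

# Port the proxy's ssh client dials (assumed to default to 2223 when unset).
proxy_client_port() (
    p=$(port_from_args "$(conf_value console_attach_ssh_args "$1")")
    printf '%s\n' "${p:-$DEFAULT_HOST_PORT}"
)

check_ports() (  # $1=sshd_config  $2=sysconfig file  $3=proxy conf.d drop-in
    h=$(host_listen_port "$1" "$2"); c=$(proxy_client_port "$3")
    [ "$h" = "$c" ] && { echo "OK: both sides use $h"; exit 0; }
    echo "MISMATCH: proxy client dials $c, host sshd listens on $h"; exit 1
)

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf 'Port 2223\n' > "$demo/sshd_config"
printf 'OPTIONS="-p 3334"\n' > "$demo/host-sysconfig"
printf 'console_attach_ssh_args="-p 3334"\n' > "$demo/90-custom-options.conf"
check_ports "$demo/sshd_config" "$demo/host-sysconfig" "$demo/missing.conf" || true
check_ports "$demo/sshd_config" "$demo/host-sysconfig" "$demo/90-custom-options.conf"
```

The first call reproduces the broken state from the thread (host port moved, no client drop-in); the second passes once 90-custom-options.conf carries the matching port.
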
Worked for me after Francesco helped me with the configurations. So we've changed from default TCP 2222 port to 3334 TCP port on both engine (serial-console-proxy) and on host. Then I've reconnected from my laptop to the engine and then chosen one of the VMs as appears below:

    [root@nsednev ~]# ssh -v -t -i $HOME/.ssh/id_rsa -p 3334 ovirt-vmconsole@myengineFQDN connect
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 56: Applying options for *
    debug1: Connecting to myengineFQDN [IPofmyengine] port 3334.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    .
    .
    .
    .
    Available Serial Consoles:
    00 A[6a1183b9-24ea-444e-bfd8-3a117dbd9e4e]
    01 B[07d90003-c6d5-4bc0-8642-c001f892aa5f]
    02 HostedEngine[280c4195-08ee-4385-a031-6288702a6aad]
    03 VM1[43500052-354c-4217-957d-ca0d9d7612db]
    SELECT> 03

    Red Hat Enterprise Linux Server 7.2 (Maipo)
    Kernel 3.10.0-327.28.2.el7.x86_64 on an x86_64

    RHEL7 login: root
    Password:
    Last login: Mon Jul 4 15:57:42 on ttyS0
    [root@RHEL7 ~]#

Components on host:
    ovirt-setup-lib-1.0.2-1.el7ev.noarch
    rhev-release-4.0.0-19-001.noarch
    ovirt-vmconsole-host-1.0.3-1.el7ev.noarch
    ovirt-hosted-engine-ha-2.0.0-1.el7ev.noarch
    ovirt-imageio-common-0.3.0-0.el7ev.noarch
    qemu-kvm-rhev-2.3.0-31.el7_2.17.x86_64
    ovirt-engine-sdk-python-3.6.7.0-1.el7ev.noarch
    libvirt-client-1.2.17-13.el7_2.5.x86_64
    ovirt-host-deploy-1.5.0-1.el7ev.noarch
    ovirt-imageio-daemon-0.3.0-0.el7ev.noarch
    ovirt-hosted-engine-setup-2.0.0.2-1.el7ev.noarch
    sanlock-3.2.4-2.el7_2.x86_64
    mom-0.5.5-1.el7ev.noarch
    ovirt-vmconsole-1.0.3-1.el7ev.noarch
    rhev-release-4.0.1-1-001.noarch
    vdsm-4.18.5.1-1.el7ev.x86_64
    Linux version 3.10.0-327.22.2.el7.x86_64 (mockbuild.eng.bos.redhat.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Thu Jun 9 10:09:10 EDT 2016
    Linux 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 9 10:09:10 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
    Red Hat Enterprise Linux Server release 7.2 (Maipo)

Engine:
    rhevm-doc-4.0.0-2.el7ev.noarch
    rhevm-setup-plugins-4.0.0.1-1.el7ev.noarch
    rhevm-spice-client-x64-msi-4.0-2.el7ev.noarch
    rhevm-4.0.2-0.2.rc1.el7ev.noarch
    rhev-release-4.0.0-19-001.noarch
    rhev-release-4.0.1-1-001.noarch
    rhevm-guest-agent-common-1.0.12-2.el7ev.noarch
    rhevm-dependencies-4.0.0-1.el7ev.noarch
    rhevm-branding-rhev-4.0.0-2.el7ev.noarch
    rhevm-spice-client-x86-msi-4.0-2.el7ev.noarch
    rhev-guest-tools-iso-4.0-2.el7ev.noarch
    Linux version 3.10.0-327.22.2.el7.x86_64 (mockbuild.eng.bos.redhat.com) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Thu Jun 9 10:09:10 EDT 2016
    Linux 3.10.0-327.22.2.el7.x86_64 #1 SMP Thu Jun 9 10:09:10 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
    Red Hat Enterprise Linux Server release 7.2 (Maipo)

oVirt 4.0.0 has been released, closing current release.