Issue: Hosted-Engine will not deploy if SSH access is not enabled for the root user.

Logs:

Do you want to enable ssh access for the root user (yes, no, without-password) [yes]: no
...
[ ERROR ] fatal: [localhost -> D7-Manager]: FAILED! => {"changed": false, "elapsed": 185, "msg": "timed out waiting for ping module test success: Invalid/incorrect password: FIPS mode initialized\r\nWarning: Permanently added 'd7-manager,192.168.222.4' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again."}
[ INFO ] TASK [ovirt.hosted_engine_setup : Set destination directory path]
[ INFO ] ok: [localhost -> localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Create destination directory]
[ INFO ] changed: [localhost -> localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : include_tasks]
[ INFO ] ok: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Find the local appliance image]
[ INFO ] ok: [localhost -> localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Set local_vm_disk_path]
[ INFO ] ok: [localhost -> localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Give the vm time to flush dirty buffers]
[ INFO ] ok: [localhost -> localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Copy engine logs]
[ INFO ] changed: [localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Get local VM dir path]
[ INFO ] ok: [localhost -> D7-Manager]
[ INFO ] TASK [ovirt.hosted_engine_setup : Remove local vm dir]
[ INFO ] changed: [localhost -> localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Remove temporary entry in /etc/hosts for the local VM]
[ INFO ] changed: [localhost -> localhost]
[ INFO ] TASK [ovirt.hosted_engine_setup : Notify the user about a failure]
[ ERROR ] fatal: [localhost -> D7-Manager]: FAILED! => {"changed": false, "msg": "There was a failure deploying the engine on the local engine VM. The system may not be provisioned according to the playbook results: please check the logs for the issue, fix accordingly or re-deploy from scratch.\n"}
[ ERROR ] Failed to execute stage 'Closing up': Failed executing ansible-playbook
...
[ ERROR ] fatal: [localhost -> D7-Manager]: FAILED! => {"changed": false, "elapsed": 185, "msg": "timed out waiting for ping module test success: Invalid/incorrect password: FIPS mode initialized\r\nWarning: Permanently added 'd7-manager,192.168.222.4' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again."}

Expected Behavior: hosted-engine shouldn't offer an option which could fail out due to selecting it / simply changing the behavior to disable root SSH after the hosted engine deployment is successful

Observed Behavior: hosted-engine options available in the installer succeed
This is a known requirement since forever: RHV Manager requires root SSH access to hypervisor hosts to be able to perform management tasks of hypervisors. We have an RFE to use a privileged non-root user, but this is not planned for RHV 4.4. So suggesting either to close wontfix or mark as duplicate of this RFE.
I think that this is specific to the engine VM and not really on host side. Now engine-setup is executed on the engine VM via ovirt-ansible-engine-setup ansible role and so we definitively need ssh access to the engine VM at least in the boot stage.

The real issue is that on the setup text UI we still have this question:

Do you want to enable ssh access for the root user (yes, no, without-password) [yes]:

and if the user chooses no the setup is definitively going to fail due to the lack of ssh needed for ansible (in the past engine-setup was executed via cloud-init and so ssh wasn't really needed).

We have two options:
1. keep the question, always enable ssh on the engine VM and eventually de-configure it at the end of the setup if not needed anymore
2. drop the question and let the user manually disable ssh as a day-1 operation if not needed anymore
I would say the following option is a better user experience:

1. keep the question, always enable ssh on the engine VM and eventually de-configure it at the end of the setup if not needed anymore

Asking a question that will ultimately lead to failure if the user chooses 'No' is a problematic setup design, so changing the wording from

"Do you want to enable ssh access for the root user (yes, no, without-password) [yes]: "

to

"Do you want to disable ssh access for the root user after RHV-M installation completes (yes, no, without-password) [no]: "

which would function the same way as it does currently, but would allow the user to not have the setup fail but still allow for the functionality of disabling root ssh access.

Additionally, the error message shown on failure is confusing and technically incorrect, given access is blocked but not because of any incorrect password user input:

[ ERROR ] fatal: [localhost -> D7-Manager]: FAILED! => {"changed": false, "elapsed": 185, "msg": "timed out waiting for ping module test success: Invalid/incorrect password: FIPS mode initialized\r\nWarning: Permanently added 'rhvmanager,192.168.1.4' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again."}
Comment #3 looks good to me. I would add a warning that after root access is disabled for ssh, in order to log in as root you'll need to use the serial console instead.
Seems like Simone already merged a patch for this bug. Need to check if this is enough.
We still have to merge https://gerrit.ovirt.org/103702 and https://gerrit.ovirt.org/103721 in order to consume it.
(In reply to Simone Tiraboschi from comment #6)
> We still have to merge https://gerrit.ovirt.org/103702 and
> https://gerrit.ovirt.org/103721 in order to consume it.

OK, thanks. I guess I need 3 bugs (ovirt-hosted-engine-setup (current), ovirt-ansible-hosted-engine-setup, cockpit-ovirt).
All patches merged, moving to modified.

ovirt-ansible-hosted-engine-setup: Main patch. With it, deploy should succeed.

The other two patches are not needed to make deploy succeed, but without them, root ssh access will not be blocked eventually. One is for ovirt-hosted-engine-setup and affects only the CLI; the other is for cockpit-ovirt and affects only the cockpit web UI.

QE: Please verify both cockpit and cli. I verified (before merging) only "no root access", didn't try "without-password". Perhaps try both.

If you choose "no", you can still log in from the console. 'hosted-engine --console' didn't work for me (worth another bug, I guess, didn't open one yet). '--add-console-password --password=XXX' and then vncviewer (via an ssh tunnel, in my case) worked.
Verified in ovirt-hosted-engine-setup-2.4.4-1.el8ev.noarch

SSH is available but cannot log in as root (which is correct)
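The verification above can also be checked against the engine VM's sshd configuration. The script below is an added example, not part of the bug thread or the oVirt code; it assumes the installer answer (yes, no, without-password) is applied as sshd's PermitRootLogin directive, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread). Assumption: the installer answer
# (yes / no / without-password) ends up as PermitRootLogin on the engine VM.

# Print the effective global PermitRootLogin of the sshd_config file in $1.
# sshd keeps the first value it reads for a keyword, and Match blocks are
# conditional, so parsing stops at the first one. Include files are not
# followed; on a live VM `sshd -T` reports the authoritative value.
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # allow "Key=value"
        /^#/ { next }
        { kw = tolower($1) }
        kw == "match" { exit }
        kw == "permitrootlogin" { val = tolower($2); exit }
        END {
            if (val == "") val = "prohibit-password"   # upstream default if unset
            if (val == "without-password") val = "prohibit-password"  # old alias
            print val
        }
    ' "$1"
}

# Succeed when the installer answer in $1 matches the config file in $2.
root_login_matches() {
    case $1 in
        without-password) want=prohibit-password ;;
        *) want=$1 ;;
    esac
    [ "$(effective_root_login "$2")" = "$want" ]
}

# Constructed sample: a later "yes" and a Match block must not override "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed engine VM sshd_config
Port 22
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
if root_login_matches no "$sample"; then
    echo "root SSH login is blocked as requested"
else
    echo "MISMATCH: effective PermitRootLogin is $(effective_root_login "$sample")"
fi
rm -f "$sample"
```

A Match block can still re-enable root login for specific source addresses or users, so a global "no" should be read together with any Match sections in the file.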
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV RHEL Host (ovirt-host) 4.4), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:3246
Inside the host, if you avoid the Strict Host Key validation this way:

cat .ssh/config
Host <hosted engine FQDN>
    StrictHostKeyChecking no

The execution is completed successfully, and you can proceed to the next step.