Description of problem:
Our documentation says [1] to install mod_auth_gssapi for configuring single sign-on. Since recently, engine-backup also backs up the configuration file that the documentation says to create, to include (also) the command:

GssapiCredStore keytab:/etc/httpd/http.keytab

On upgrade from a system that followed this, engine-setup fails when starting httpd, and the httpd log complains about this command (GssapiCredStore), because the module is missing.

We should IMO include in the appliance all the packages we document to install, even optionally. For this specific case, the list is:

ovirt-engine-extension-aaa-misc
ovirt-engine-extension-aaa-ldap
mod_auth_gssapi
mod_session

We should probably review all documentation for similar cases.

[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/configuring_ldap_and_kerberos_for_single_sign-on

Version-Release number of selected component (if applicable):
4.4

How reproducible:
Always

Steps to Reproduce:
1. Setup 4.3 hosted-engine
2. Follow docs (above [1]) to configure single sign-on
3. Upgrade to 4.4

Actual results:
Fails

hosted-engine log has:

2020-08-06 15:22:07,968+0300 INFO otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 TASK [ovirt.engine-setup : Run engine-setup with answerfile]
2020-08-06 15:23:18,434+0300 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:103 {'msg': 'non-zero return code', 'cmd': ['engine-setup', '--accept-defaults', '--config-append=/root/ovirt-engine-answers'], 'stdout': "[ INFO ] Stage: Initializing\n[ INFO ] Stage: Environment setup\n ...

(all in a single line. Perhaps we should also try to split it in the log...)

[ ERROR ] Failed to execute stage 'Closing up': Failed to start service 'httpd'\n

Expected results:
Succeeds

Additional info:
A workaround is probably (still verifying) to create a file, e.g.
/usr/share/ansible/roles/ovirt.hosted_engine_setup/hooks/enginevm_before_engine_setup/install-gssapi.yml
with content:

- name: Install mod_auth_gssapi
  package:
    name: mod_auth_gssapi
    state: present
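The failure above is a config/package mismatch: the restored httpd configuration references a directive (GssapiCredStore) whose module is not in the appliance. The following is an added example, not code from this bug or from oVirt/RHV, of a pre-upgrade check that scans the engine's httpd *.conf files for directives belonging to optional auth modules and reports which of the packages named in this thread (mod_auth_gssapi, mod_auth_openidc, mod_session) are not installed. The directive-prefix-to-package map, the function names, and the sample config (modelled on the Kerberos SSO snippet the documentation describes) are all constructed for illustration; on a real engine the installed-package list would come from rpm -qa rather than a hand-written file.

```sh
#!/bin/sh
# Hypothetical pre-upgrade check (not part of oVirt/RHV): find httpd directives
# that only work when an optional auth module is installed, and list the
# module packages that are absent.
#
# Directive prefix -> package, covering the modules discussed in this bug.
# Apache directive names are case-insensitive, hence grep -i below.
MODULE_MAP='
Gssapi mod_auth_gssapi
OIDC mod_auth_openidc
Session mod_session
'

# missing_packages CONF_DIR INSTALLED_FILE
#   CONF_DIR        directory holding the *.conf files to scan
#   INSTALLED_FILE  one installed package name per line
#                   (on a real engine: rpm -qa --qf '%{NAME}\n' > installed.txt)
# Prints one missing package per line; prints nothing when all are present.
missing_packages() {
    conf_dir=$1
    installed=$2
    printf '%s\n' "$MODULE_MAP" | while read -r prefix pkg; do
        [ -z "$prefix" ] && continue
        # Is any directive with this prefix used outside a comment line?
        if cat "$conf_dir"/*.conf 2>/dev/null \
             | grep -v '^[[:space:]]*#' \
             | grep -Eiq "^[[:space:]]*$prefix"; then
            grep -qx "$pkg" "$installed" || echo "$pkg"
        fi
    done
    return 0
}

# write_sample_conf DIR
# Constructed sample modelled on the Kerberos SSO snippet the RHV docs
# describe; it is not a configuration file taken from this bug report.
write_sample_conf() {
    cat > "$1/ovirt-sso.conf" <<'EOF'
# Kerberos SSO for the engine (constructed example)
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/api>
    RewriteEngine on
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/http.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/private;httponly;secure;
</LocationMatch>
EOF
}

# Scenario from this bug: the restored config uses GssapiCredStore, but the
# target appliance ships httpd and mod_session only -> mod_auth_gssapi missing.
check_appliance_before_fix() {
    dir=$(mktemp -d)
    write_sample_conf "$dir"
    printf '%s\n' httpd mod_session ovirt-engine > "$dir/installed.txt"
    missing_packages "$dir" "$dir/installed.txt"
    rm -rf "$dir"
}

# Same config once mod_auth_gssapi has been added to the appliance.
check_appliance_after_fix() {
    dir=$(mktemp -d)
    write_sample_conf "$dir"
    printf '%s\n' httpd mod_session mod_auth_gssapi ovirt-engine > "$dir/installed.txt"
    missing_packages "$dir" "$dir/installed.txt"
    rm -rf "$dir"
}

check_appliance_before_fix
```

Run against the real config directory (for example /etc/httpd/conf.d) and an rpm-generated package list on the 4.3 engine before upgrading, and feed the output into the hook that installs the packages on the appliance; an empty result means httpd has everything the restored configuration will ask for.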
If I understood correctly, the only required package to make upgrade succeed in this case is mod_auth_gssapi.
Pushed https://gerrit.ovirt.org/110693 adding it to appliance.

Since our documentation suggests also
- ovirt-engine-extension-aaa-misc
- ovirt-engine-extension-aaa-ldap (added explicitly despite its already being included by ovirt-engine-extension-aaa-ldap-setup, which we already require there)
- mod_session

I pushed https://gerrit.ovirt.org/110698 separately.
I tend to agree we should have them in.
Size increase is minimal and shouldn't cause issues if not utilized.
Martin, any objection?

> We should probably review all documentation for similar cases.

Can you handle, didi?
(In reply to Sandro Bonazzola from comment #1)
> If I understood correctly, the only required package to make upgrade succeed
> in this case is mod_auth_gssapi.
> Pushed https://gerrit.ovirt.org/110693 adding it to appliance.
> 
> Since our documentation suggest also
> - ovirt-engine-extension-aaa-misc
> - ovirt-engine-extension-aaa-ldap (added explicitly despite it's already
> included by ovirt-engine-extension-aaa-ldap-setup we already require there)
> - mod_session
> 
> I pushed https://gerrit.ovirt.org/110698 separately.
> I tend to agree we should have them in.
> Size increase is minimal and shouldn't cause issues if not utilized.
> Martin any objection?
> Artur, any other package needed for Keycloak/RHSSO integration?
> 
> > We should probably review all documentation for similar cases.
> 
> Can you handle didi?

Eli Marcus is working on Keycloak/RHSSO integration in BZ1658698
For Keycloak integration we need mod_auth_openidc. For CentOS 8 this is available as a module.

dnf module enable mod_auth_openidc:2.3 -y
dnf install mod_auth_openidc
(In reply to Artur Socha from comment #3)
> For keycloak integration we need mod_auth_openidc. For centos8 this is
> available as module.
> 
> dnf module enable mod_auth_openidc:2.3 -y
> dnf install mod_auth_openidc

ovirt-engine-extension-aaa-misc is required as well.
Can someone please confirm the workaround in this KCS? https://access.redhat.com/solutions/5305591.
(In reply to Artur Socha from comment #4)
> (In reply to Artur Socha from comment #3)
> > For keycloak integration we need mod_auth_openidc. For centos8 this is
> > available as module.
> > 
> > dnf module enable mod_auth_openidc:2.3 -y
> > dnf install mod_auth_openidc
> 
> ovirt-engine-extension-aaa-misc is required as well.

Are these needed if we restore a database from an engine which was using them? Will the engine die if they're not in? Or can they be re-added in a second step?
They all can be added later. Without those packages user will not be able to login but the engine's service will be up and running.
(In reply to Artur Socha from comment #8)
> They all can be added later. Without those packages user will not be able to
> login but the engine's service will be up and running.

One more thing that has just come to my mind. In case of re-adding ovirt-engine-extension-aaa-misc, a restart of the engine will be needed. Similarly, when mod_auth_openidc is installed, httpd must be restarted.
Any patch missing? If not, please move to MODIFIED.