+++ This bug was initially created as a clone of Bug #1866811 +++

Description of problem:

Our documentation says [1] to install mod_auth_gssapi for configuring single-sign-on. Since recently, engine-backup also backs up the configuration file that the documentation says to create, to include (also) the command:

    GssapiCredStore keytab:/etc/httpd/http.keytab

On upgrade from a system that followed this, engine-setup fails when starting httpd, and httpd log complains about this command (GssapiCredStore), because the module is missing.

We should IMO include in the appliance all the packages we document to install, even optionally. For this specific case, the list is:

    ovirt-engine-extension-aaa-misc
    ovirt-engine-extension-aaa-ldap
    mod_auth_gssapi
    mod_session

We should probably review all documentation for similar cases.

[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/configuring_ldap_and_kerberos_for_single_sign-on

Version-Release number of selected component (if applicable):
4.4

How reproducible:
Always

Steps to Reproduce:
1. Setup 4.3 hosted-engine
2. Follow docs (above [1]) to configure single-sign-on
3. Upgrade to 4.4

Actual results:
Fails

hosted-engine log has:

2020-08-06 15:22:07,968+0300 INFO otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:109 TASK [ovirt.engine-setup : Run engine-setup with answerfile]
2020-08-06 15:23:18,434+0300 DEBUG otopi.ovirt_hosted_engine_setup.ansible_utils ansible_utils._process_output:103 {'msg': 'non-zero return code', 'cmd': ['engine-setup', '--accept-defaults', '--config-append=/root/ovirt-engine-answers'], 'stdout': "[ INFO ] Stage: Initializing\n[ INFO ] Stage: Environment setup\n ...

(all in a single line. Perhaps we should also try to split it in the log...)

[ ERROR ] Failed to execute stage 'Closing up': Failed to start service 'httpd'\n

Expected results:
Succeeds

Additional info:

A workaround is probably (still verifying) to create a file e.g.

    /usr/share/ansible/roles/ovirt.hosted_engine_setup/hooks/enginevm_before_engine_setup/install-gssapi.yml

with content:

    - name: Install mod_auth_gssapi
      package:
        name: mod_auth_gssapi
        state: present
The mod_auth_gssapi package doesn't seem to be available in the repo:

[ INFO ] TASK [ovirt.hosted_engine_setup : Install mod_auth_gssapi]
[ ERROR ] fatal: [localhost -> rhv.mgmt.toal.ca]: FAILED! => {"changed": false, "failures": ["No package mod_auth_gssapi available."], "msg": "Failed to install some of the specified packages", "rc": 1, "results": []}

Thus the workaround doesn't work.
(In reply to Patrick Toal from comment #1)
> The mod_auth_gssapi package doesn't seem to be available in the repo:
> [ INFO ] TASK [ovirt.hosted_engine_setup : Install mod_auth_gssapi]
> [ ERROR ] fatal: [localhost -> rhv.mgmt.toal.ca]: FAILED! => {"changed":
> false, "failures": ["No package mod_auth_gssapi available."], "msg": "Failed
> to install some of the specified packages", "rc": 1, "results": []}
>
> Thus the workaround doesn't work.

You are right - we also had to register the VM, using ansible module redhat_subscription, and also add all the packages mentioned in comment 0. This worked.
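A pre-restore check for the failure discussed above (added example, not part of the original report or of oVirt's code): it lists the packages that httpd directives in a restored configuration directory depend on and that are absent from a given package list. The directive-prefix to package mapping, the function names and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report packages that restored httpd config needs but the
# target system lacks. Prefix -> package map is an assumption (RHEL packaging).

# Print the packages required by the *.conf files under directory $1.
required_packages() {
    find "$1" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
    awk '{ d = tolower($1) }          # httpd directive names are case-insensitive
         d ~ /^#/       { next }      # skip comment lines
         d ~ /^gssapi/  { print "mod_auth_gssapi" }
         d ~ /^session/ { print "mod_session" }' | sort -u
}

# missing_packages CONF_DIR INSTALLED_PKG...
# Print each required package that is absent from the installed list.
missing_packages() {
    conf_dir=$1; shift
    installed=" $* "
    for pkg in $(required_packages "$conf_dir"); do
        case $installed in
            *" $pkg "*) ;;
            *) echo "$pkg" ;;
        esac
    done
}

# Constructed sample: a restored config using GSSAPI and session directives.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ovirt-sso.conf" <<'EOF'
<LocationMatch ^/ovirt-engine/sso/>
    # SessionEnv On   (commented out, must be ignored)
    AuthType GSSAPI
    GssapiCredStore keytab:/etc/httpd/http.keytab
    Session On
</LocationMatch>
EOF

# Constructed package list standing in for an appliance without the SSO modules.
missing_packages "$demo_dir" httpd mod_ssl
rm -rf "$demo_dir"

# On a real host the installed list can come from rpm:
#   missing_packages /etc/httpd/conf.d $(rpm -qa --qf '%{NAME}\n')
```

Running it against the restored /etc/httpd/conf.d before engine-setup starts httpd shows which packages still have to be installed on the target.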
I think I'll also add to the appliance:

ovirt-engine-extension-logger-log4j

Martin, any risk in doing this? Not sure it's mandatory (for upgrades), but if it's harmless, let's add it.
(In reply to Yedidyah Bar David from comment #3)
> I think I'll also add to the appliance:
>
> ovirt-engine-extension-logger-log4j
>
> Martin, any risk in doing this? Not sure it's mandatory (for upgrades), but
> if it's harmless, let's add it.

I see no risks because it does not have any specific dependencies both in terms of other packages or special configuration.
If configuration is not provided, it shall not be used.
(In reply to Artur Socha from comment #4)
> (In reply to Yedidyah Bar David from comment #3)
> > I think I'll also add to the appliance:
> >
> > ovirt-engine-extension-logger-log4j
> >
> > Martin, any risk in doing this? Not sure it's mandatory (for upgrades), but
> > if it's harmless, let's add it.
>
> I see no risks because it does not have any specific dependencies both in
> terms of other packages or special configuration.
> If configuration not provided it shall not be used.

I agree, no risk. This extension is used much less than aaa-ldap or aaa-misc.
Any patch missing? If not, please move to MODIFIED.
*** Bug 1879423 has been marked as a duplicate of this bug. ***
Hi Didi, please review this Doc Text for the Erratum:

Previously, upgrade from RHV 4.3 to RHV 4.4 failed while restoring SSO configuration requiring the gssapi module. In this release, the mod_auth_gssapi package is included in the RHV Manager appliance, and upgrading succeeds even when SSO configuration is included.
Generally ok, but, this bug affects any hosted-engine backup/restore, not just upgrade. So perhaps mention that. In 4.4, upgrade is simply the "common" case of a restore - most people (probably?) do not try to restore their backups to see if they work :-(.
(In reply to Yedidyah Bar David from comment #12)
> Generally ok, but, this bug affects any hosted-engine backup/restore, not
> just upgrade. So perhaps mention that. In 4.4, upgrade is simply the
> "common" case of a restore - most people (probably?) do not try to restore
> their backups to see if they work :-(.

Here is an updated text:

Previously, restoring from backup or upgrading from RHV 4.3 to RHV 4.4 failed while restoring SSO configuration requiring the gssapi module. In this release, the mod_auth_gssapi package is included in the RHV Manager appliance, and upgrading or restoring from backup succeeds even when SSO configuration is included.
From appliance kickstarter file:

    dnf_install(["mod_auth_gssapi"])

so appliance should contain file, tomorrow I will check on machine created by appliance
Package is in installed appliance
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV Appliance (rhvm-appliance) 4.4.z Async [ovirt-4.4.2]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3826