Bug 1952075 - Failed to migrate vm when migration encryption is enabled - upgrade-flow
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: General
Version: 4.4.6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.4.6
Assignee: Milan Zamazal
QA Contact: Qin Yuan
Blocks: 1952078
Reported: 2021-04-21 13:01 UTC by Arik
Modified: 2021-05-14 07:29 UTC (History)

Fixed In Version: ovirt-engine-4.4.6.6
Clone Of:
: 1952078 (view as bug list)
Last Closed: 2021-05-14 07:29:12 UTC
oVirt Team: Virt
pm-rhel: ovirt-4.4+
ahadas: blocker?


Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 114482 | 0 | master | MERGED | ansible: Add a role for adding client migration certificate links | 2021-04-27 12:08:16 UTC
oVirt gerrit | 114496 | 0 | master | MERGED | core: set certs on host maintenance | 2021-04-27 14:35:52 UTC
oVirt gerrit | 114508 | 0 | master | MERGED | ansible: Add upgrade check for migration client certificate presence | 2021-04-28 05:57:05 UTC

Description Arik 2021-04-21 13:01:56 UTC
This bug was initially created as a copy of Bug #1948376 - but tailored to migrations from 8.3 hosts (that are not set with client certificate) to 8.4 hosts

Comment 1 Milan Zamazal 2021-04-22 08:11:31 UTC
https://gerrit.ovirt.org/c/ovirt-engine/+/114315 ensures VMs from the host can migrate after upgrading the host using "Upgrade" button in Webadmin or after enrolling certificates for the host in Webadmin. This bug is about solving the other cases, most importantly hosts not yet upgraded and running VMs. Since they don't have the client certificate links they may not be able to migrate their VMs elsewhere and they cannot be switched to maintenance and get the problem fixed while running VMs.

It has been proposed to make a playbook that would simply add the links to all the running hosts, without bringing them to maintenance. Such a playbook would resolve the problem above in case it occurs during the upgrade. The whole process is going to be documented, see BZ 1952078.

I don't know about a good way to get the whole process automated but if anybody can find one then we can consider it. Let's summarize what's needed to make encrypted migration work with RHEL/AV 8.4:

- Adding the links in certificate enrollment -- already done in BZ 1948376.
- Making sure the links are present on upgraded hosts -- also handled by BZ 1948376, it should be checked whether anything more is needed.
- Having a way to add the client certificate links to old hosts running VMs if needed. At worst, users can be instructed to add them manually, but a less manual way would be preferable.

Comment 2 Milan Zamazal 2021-04-22 14:14:30 UTC
Dana, what do you think about it?

Comment 3 Arik 2021-04-26 07:55:20 UTC
yeah, I think it would be nice to automate it but we need to see to what degree:
1. to provide an Ansible playbook as part of another package (Ansible collections?)
2. to provide an Ansible playbook as part of ovirt-engine that can be triggered manually
3. to provide an Ansible playbook as part of ovirt-engine that can be triggered from the webadmin

as this is only needed for encrypted migrations and only for upgrades from cluster-level < 4.6 to cluster-level 4.6 I would like to avoid too intrusive changes for this.
Martin/Data, what do you think?
IIUC, we currently don't provide a playbook that should be executed manually as part of ovirt-engine, right? Do we have such in Ansible-collection or other repo?

Comment 4 Arik 2021-04-26 07:55:57 UTC
Data -> Dana (sorry)

Comment 5 Dana 2021-04-27 11:33:08 UTC
the approach lgtm, 
continuing in reply to Liran's mail

Comment 6 Qin Yuan 2021-05-06 13:13:44 UTC
Verified with:
Before upgrade:
ovirt-engine-4.4.5.11-0.1.el8ev.noarch
vdsm-4.40.50.10-1.el8ev.x86_64
libvirt-6.6.0-13.2.module+el8.3.1+10483+85317cf0
host: kernel-4.18.0-240.22.1.el8_3.x86_64

After upgrade:
ovirt-engine-4.4.6.6-0.10.el8ev.noarch
vdsm-4.40.60.6-1.el8ev
libvirt-7.0.0-13.module+el8.4.0+10604+5608c2b4
host: kernel-4.18.0-305.el8.x86_64

Steps:
1. Prepare 4.4.5 engine, 2 rhel8.3 hosts.
2. Create a Data Center with compatibility version 4.5 on engine.
3. Add a Cluster, enable migration encryption.
4. Add the 2 rhel8.3 hosts to the Cluster, set their names to host1, host2 respectively.
5. Create VM vm1, run it on host1.
6. Create VM vm2, run it on host2.
7. Upgrade engine to 4.4.6
8. Prepare 8.4 repos on host1, upgrade host1 on engine.
9. Prepare 8.4 repos on host2, upgrade host2 on engine.

Results:
1. Upgrade host1 from rhel8.3 to rhel8.4:
   - vm1 is successfully migrated from host1 to host2 which is rhel8.3
   - client certificate links are added on host1
   - upgrading host1 succeeds
2. Upgrade host2 from rhel8.3 to rhel8.4:
   - vm1 and vm2 are successfully migrated from host2 to host1 which is rhel8.4
   - client certificate links are added on host2
   - upgrading host2 succeeds

